From e1f06331535416e0db554c174ebad985df9c23db Mon Sep 17 00:00:00 2001 From: Oliver Walsh Date: Tue, 28 Mar 2017 16:02:18 +0100 Subject: [PATCH] Configure migration SSH tunnel This patch configures SSH tunneling for nova cold-migration and reuses the tunnel for libvirt live-migration unless TLS has been enabled. Change-Id: I367757cbe8757d11943af7e41af620f9ce919a06 Depends-On: Iac1763761c652bed637cb7cf85bc12347b5fe7ec (cherry picked from commit ccbcd11276c7bc3ffc8f013d9a5b2d3944bf76cf) (cherry picked from commit 4e398a76dea38c0593b4965d4ec75ab1836d2369) --- manifests/profile/base/nova.pp | 75 +++++- ...cold_migration_setup-dc4ebd834920c27f.yaml | 4 + .../classes/tripleo_profile_base_nova_spec.rb | 230 ++++++++++++++++++ spec/fixtures/hieradata/default.yaml | 5 + spec/spec_helper.rb | 2 + 5 files changed, 305 insertions(+), 11 deletions(-) create mode 100644 releasenotes/notes/cold_migration_setup-dc4ebd834920c27f.yaml create mode 100644 spec/classes/tripleo_profile_base_nova_spec.rb diff --git a/manifests/profile/base/nova.pp b/manifests/profile/base/nova.pp index 4626465ab..b6c19103a 100644 --- a/manifests/profile/base/nova.pp +++ b/manifests/profile/base/nova.pp @@ -45,6 +45,15 @@ # [*rabbit_port*] # IP port for rabbitmq service # Defaults to hiera('nova::rabbit_port', 5672) +# +# [*migration_ssh_key*] +# (Optional) SSH key pair for migration SSH tunnel. +# Expects a hash with keys 'private_key' and 'public_key'. +# Defaults to {} +# +# [*libvirt_tls*] +# (Optional) Whether or not libvird TLS service is enabled. +# Defaults to false class tripleo::profile::base::nova ( $bootstrap_node = hiera('bootstrap_nodeid', undef), @@ -54,6 +63,8 @@ class tripleo::profile::base::nova ( $step = hiera('step'), $rabbit_hosts = hiera('rabbitmq_node_ips', undef), $rabbit_port = hiera('nova::rabbit_port', 5672), + $migration_ssh_key = {}, + $libvirt_tls = false ) { if $::hostname == downcase($bootstrap_node) { $sync_db = true @@ -67,26 +78,68 @@ class tripleo::profile::base::nova ( $memcache_servers = suffix(hiera('memcached_node_ips'), ':11211') } - if hiera('step') >= 4 or (hiera('step') >= 3 and $sync_db) { + if $step >= 4 or ($step >= 3 and $sync_db) { $rabbit_endpoints = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}") - class { '::nova' : - rabbit_hosts => $rabbit_endpoints, - } include ::nova::config class { '::nova::cache': enabled => true, backend => 'oslo_cache.memcache_pool', memcache_servers => $memcache_servers, } - } - if $step >= 4 { - if $manage_migration { - class { '::nova::migration::libvirt': - configure_libvirt => $libvirt_enabled, - configure_nova => $nova_compute_enabled, + if $step >= 4 and $manage_migration { + + # Libvirt setup (live-migration) + if $libvirt_tls { + class { '::nova::migration::libvirt': + transport => 'tls', + configure_libvirt => $libvirt_enabled, + configure_nova => $nova_compute_enabled, + } + } else { + # Reuse the cold-migration SSH tunnel when TLS is not enabled + class { '::nova::migration::libvirt': + transport => 'ssh', + configure_libvirt => $libvirt_enabled, + configure_nova => $nova_compute_enabled, + client_user => 'nova', + client_extraparams => { + 'keyfile' => '/var/lib/nova/.ssh/id_rsa' + } + } } + + if $migration_ssh_key != {} { + # Nova SSH tunnel setup (cold-migration) + + #TODO: Remove me when https://review.rdoproject.org/r/#/c/4008 lands + user { 'nova': + ensure => present, + shell => '/bin/bash', + } + + $private_key_parts = split($migration_ssh_key['public_key'], ' ') + $nova_public_key = { + 'type' => $private_key_parts[0], + key => $private_key_parts[1] + } + $nova_private_key = { + 'type' => $private_key_parts[0], + key => $migration_ssh_key['private_key'] + } + } else { + $nova_public_key = undef + $nova_private_key = undef + } + } else { + $nova_public_key = undef + $nova_private_key = undef + } + + class { '::nova' : + rabbit_hosts => $rabbit_endpoints, + nova_public_key => $nova_public_key, + nova_private_key => $nova_private_key, } } - } diff --git a/releasenotes/notes/cold_migration_setup-dc4ebd834920c27f.yaml b/releasenotes/notes/cold_migration_setup-dc4ebd834920c27f.yaml new file mode 100644 index 000000000..00b779904 --- /dev/null +++ b/releasenotes/notes/cold_migration_setup-dc4ebd834920c27f.yaml @@ -0,0 +1,4 @@ +--- +features: + - Configure ssh tunneling for nova cold-migration. Re-use the tunnel for + libvirt live-migration unless TLS is enabled. diff --git a/spec/classes/tripleo_profile_base_nova_spec.rb b/spec/classes/tripleo_profile_base_nova_spec.rb new file mode 100644 index 000000000..92511fb1c --- /dev/null +++ b/spec/classes/tripleo_profile_base_nova_spec.rb @@ -0,0 +1,230 @@ +# +# Copyright (C) 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# + +require 'spec_helper' + +describe 'tripleo::profile::base::nova' do + shared_examples_for 'tripleo::profile::base::nova' do + + context 'with step less than 3' do + let(:params) { { + :step => 1, + :rabbit_hosts => [ '127.0.0.1' ], + } } + + it { + is_expected.to contain_class('tripleo::profile::base::nova') + is_expected.to_not contain_class('nova') + is_expected.to_not contain_class('nova::config') + is_expected.to_not contain_class('nova::cache') + } + end + + context 'with step 3 on bootstrap node' do + let(:params) { { + :step => 3, + :bootstrap_node => 'node.example.com', + :rabbit_hosts => [ '127.0.0.1' ], + } } + + it { + is_expected.to contain_class('tripleo::profile::base::nova') + is_expected.to contain_class('nova').with( + :rabbit_hosts => ['127.0.0.1:5672'] + + ) + is_expected.to contain_class('nova::config') + is_expected.to contain_class('nova::cache').with( + :enabled => true, + :backend => 'oslo_cache.memcache_pool', + :memcache_servers => ['127.0.0.1:11211'] + ) + } + end + + context 'with step 3 not on bootstrap node' do + let(:params) { { + :step => 3, + :bootstrap_node => 'other.example.com', + :rabbit_hosts => [ '127.0.0.1' ], + } } + + it { + is_expected.to contain_class('tripleo::profile::base::nova') + is_expected.to_not contain_class('nova') + is_expected.to_not contain_class('nova::config') + is_expected.to_not contain_class('nova::cache') + } + end + + context 'with step 4' do + let(:params) { { + :step => 4, + :bootstrap_node => 'other.example.com', + :rabbit_hosts => [ '127.0.0.1' ], + } } + + it { + is_expected.to contain_class('tripleo::profile::base::nova') + is_expected.to contain_class('nova').with( + :rabbit_hosts => /.+/, + :nova_public_key => nil, + :nova_private_key => nil, + ) + is_expected.to contain_class('nova::config') + is_expected.to contain_class('nova::cache') + is_expected.to_not contain_class('nova::migration::libvirt') + } + end + + context 'with step 4 with libvirt' do + let(:pre_condition) { + 'include ::nova::compute::libvirt::services' + } + let(:params) { { + :step => 4, + :libvirt_enabled => true, + :manage_migration => true, + :nova_compute_enabled => true, + :bootstrap_node => 'node.example.com', + :rabbit_hosts => [ '127.0.0.1' ], + } } + + it { + is_expected.to contain_class('tripleo::profile::base::nova') + is_expected.to contain_class('nova').with( + :rabbit_hosts => /.+/, + :nova_public_key => nil, + :nova_private_key => nil, + ) + is_expected.to contain_class('nova::config') + is_expected.to contain_class('nova::cache') + is_expected.to contain_class('nova::migration::libvirt').with( + :transport => 'ssh', + :configure_libvirt => params[:libvirt_enabled], + :configure_nova => params[:nova_compute_enabled] + ) + } + end + + context 'with step 4 with libvirt TLS' do + let(:pre_condition) { + 'include ::nova::compute::libvirt::services' + } + let(:params) { { + :step => 4, + :libvirt_enabled => true, + :manage_migration => true, + :nova_compute_enabled => true, + :bootstrap_node => 'node.example.com', + :rabbit_hosts => [ '127.0.0.1' ], + :libvirt_tls => true, + } } + + it { + is_expected.to contain_class('tripleo::profile::base::nova') + is_expected.to contain_class('nova').with( + :rabbit_hosts => /.+/, + :nova_public_key => nil, + :nova_private_key => nil, + ) + is_expected.to contain_class('nova::config') + is_expected.to contain_class('nova::cache') + is_expected.to contain_class('nova::migration::libvirt').with( + :transport => 'tls', + :configure_libvirt => params[:libvirt_enabled], + :configure_nova => params[:nova_compute_enabled], + ) + } + end + + context 'with step 4 with libvirt and migration ssh key' do + let(:pre_condition) { + 'include ::nova::compute::libvirt::services' + } + let(:params) { { + :step => 4, + :libvirt_enabled => true, + :manage_migration => true, + :nova_compute_enabled => true, + :bootstrap_node => 'node.example.com', + :rabbit_hosts => [ '127.0.0.1' ], + :migration_ssh_key => { 'private_key' => 'foo', 'public_key' => 'ssh-rsa bar'} + } } + + it { + is_expected.to contain_class('tripleo::profile::base::nova') + is_expected.to contain_class('nova').with( + :rabbit_hosts => /.+/, + :nova_public_key => {'key' => 'bar', 'type' => 'ssh-rsa'}, + :nova_private_key => {'key' => 'foo', 'type' => 'ssh-rsa'} + ) + is_expected.to contain_class('nova::config') + is_expected.to contain_class('nova::cache') + is_expected.to contain_class('nova::migration::libvirt').with( + :transport => 'ssh', + :configure_libvirt => params[:libvirt_enabled], + :configure_nova => params[:nova_compute_enabled] + ) + } + end + + context 'with step 4 with libvirt TLS and migration ssh key' do + let(:pre_condition) { + 'include ::nova::compute::libvirt::services' + } + let(:params) { { + :step => 4, + :libvirt_enabled => true, + :manage_migration => true, + :nova_compute_enabled => true, + :bootstrap_node => 'node.example.com', + :rabbit_hosts => [ '127.0.0.1' ], + :libvirt_tls => true, + :migration_ssh_key => { 'private_key' => 'foo', 'public_key' => 'ssh-rsa bar'} + } } + + it { + is_expected.to contain_class('tripleo::profile::base::nova') + is_expected.to contain_class('nova').with( + :rabbit_hosts => /.+/, + :notification_transport_url => /.+/, + :nova_public_key => {'key' => 'bar', 'type' => 'ssh-rsa'}, + :nova_private_key => {'key' => 'foo', 'type' => 'ssh-rsa'} + ) + is_expected.to contain_class('nova::config') + is_expected.to contain_class('nova::cache') + is_expected.to contain_class('nova::migration::libvirt').with( + :transport => 'tls', + :configure_libvirt => params[:libvirt_enabled], + :configure_nova => params[:nova_compute_enabled] + ) + } + end + + end + + + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:facts) do + facts.merge({ :hostname => 'node.example.com' }) + end + + it_behaves_like 'tripleo::profile::base::nova' + end + end +end diff --git a/spec/fixtures/hieradata/default.yaml b/spec/fixtures/hieradata/default.yaml index bce55fb9b..534942502 100644 --- a/spec/fixtures/hieradata/default.yaml +++ b/spec/fixtures/hieradata/default.yaml @@ -2,3 +2,8 @@ my_hash: network: '127.0.0.1' not_hash: string horizon::secret_key: 'secrete' +# memcache related items +memcached_node_ips_v6: + - '::1' +memcached_node_ips: + - '127.0.0.1' diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index b06b4361b..4fa8cc31b 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb @@ -19,6 +19,8 @@ RSpec.configure do |c| # custom global facts for all rspec tests add_custom_fact :concat_basedir, '/var/lib/puppet/concat' + # needed for testing Puppet Openstack modules + add_custom_fact :os_service_default, '' end at_exit { RSpec::Puppet::Coverage.report! }