Restrict nova migration ssh tunnel
This change enhances the security of the migration ssh tunnel:
- The ssh authorized_keys file is only writeable by root.
- Creates a new user for migration instead of using root/nova.
- Disables SSH forwarding for this user.
- Optionally restricts the networks that this user can connect from.
- Uses an ssh wrapper command to whitelist the commands that this user can run over ssh.

Requires the openstack-nova-migration package from https://review.rdoproject.org/r/6327

bp tripleo-cold-migration

Change-Id: Idb56acd1e1ecb5a5fd4d942969be428cc9cbe293
(cherry picked from commit f8ca94a5b7)
(cherry picked from commit fd20b306b0)
parent
1ef971dd4f
commit
eed662fbcf
|
@ -51,20 +51,26 @@
|
||||||
# Expects a hash with keys 'private_key' and 'public_key'.
|
# Expects a hash with keys 'private_key' and 'public_key'.
|
||||||
# Defaults to {}
|
# Defaults to {}
|
||||||
#
|
#
|
||||||
|
# [*migration_ssh_localaddrs*]
|
||||||
|
# (Optional) Restrict ssh migration to clients connecting via this list of
|
||||||
|
# IPs.
|
||||||
|
# Defaults to [] (no restriction)
|
||||||
|
#
|
||||||
# [*libvirt_tls*]
|
# [*libvirt_tls*]
|
||||||
# (Optional) Whether or not libvird TLS service is enabled.
|
# (Optional) Whether or not libvird TLS service is enabled.
|
||||||
# Defaults to false
|
# Defaults to false
|
||||||
|
|
||||||
class tripleo::profile::base::nova (
|
class tripleo::profile::base::nova (
|
||||||
$bootstrap_node = hiera('bootstrap_nodeid', undef),
|
$bootstrap_node = hiera('bootstrap_nodeid', undef),
|
||||||
$libvirt_enabled = false,
|
$libvirt_enabled = false,
|
||||||
$manage_migration = false,
|
$manage_migration = false,
|
||||||
$nova_compute_enabled = false,
|
$nova_compute_enabled = false,
|
||||||
$step = hiera('step'),
|
$step = hiera('step'),
|
||||||
$rabbit_hosts = hiera('rabbitmq_node_ips', undef),
|
$rabbit_hosts = hiera('rabbitmq_node_ips', undef),
|
||||||
$rabbit_port = hiera('nova::rabbit_port', 5672),
|
$rabbit_port = hiera('nova::rabbit_port', 5672),
|
||||||
$migration_ssh_key = {},
|
$migration_ssh_key = {},
|
||||||
$libvirt_tls = false
|
$migration_ssh_localaddrs = [],
|
||||||
|
$libvirt_tls = false
|
||||||
) {
|
) {
|
||||||
if $::hostname == downcase($bootstrap_node) {
|
if $::hostname == downcase($bootstrap_node) {
|
||||||
$sync_db = true
|
$sync_db = true
|
||||||
|
@ -80,15 +86,19 @@ class tripleo::profile::base::nova (
|
||||||
|
|
||||||
if $step >= 4 or ($step >= 3 and $sync_db) {
|
if $step >= 4 or ($step >= 3 and $sync_db) {
|
||||||
$rabbit_endpoints = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}")
|
$rabbit_endpoints = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}")
|
||||||
|
class { '::nova' :
|
||||||
|
rabbit_hosts => $rabbit_endpoints,
|
||||||
|
}
|
||||||
include ::nova::config
|
include ::nova::config
|
||||||
class { '::nova::cache':
|
class { '::nova::cache':
|
||||||
enabled => true,
|
enabled => true,
|
||||||
backend => 'oslo_cache.memcache_pool',
|
backend => 'oslo_cache.memcache_pool',
|
||||||
memcache_servers => $memcache_servers,
|
memcache_servers => $memcache_servers,
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if $step >= 4 and $manage_migration {
|
if $step >= 4 {
|
||||||
|
if $manage_migration {
|
||||||
# Libvirt setup (live-migration)
|
# Libvirt setup (live-migration)
|
||||||
if $libvirt_tls {
|
if $libvirt_tls {
|
||||||
class { '::nova::migration::libvirt':
|
class { '::nova::migration::libvirt':
|
||||||
|
@ -102,44 +112,77 @@ class tripleo::profile::base::nova (
|
||||||
transport => 'ssh',
|
transport => 'ssh',
|
||||||
configure_libvirt => $libvirt_enabled,
|
configure_libvirt => $libvirt_enabled,
|
||||||
configure_nova => $nova_compute_enabled,
|
configure_nova => $nova_compute_enabled,
|
||||||
client_user => 'nova',
|
client_user => 'nova_migration',
|
||||||
client_extraparams => {
|
client_extraparams => {
|
||||||
'keyfile' => '/var/lib/nova/.ssh/id_rsa'
|
'keyfile' => '/etc/nova/migration/identity'
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if $migration_ssh_key != {} {
|
$services_enabled = hiera('service_names', [])
|
||||||
|
if !empty($migration_ssh_key) and 'sshd' in $services_enabled {
|
||||||
# Nova SSH tunnel setup (cold-migration)
|
# Nova SSH tunnel setup (cold-migration)
|
||||||
|
|
||||||
#TODO: Remove me when https://review.rdoproject.org/r/#/c/4008 lands
|
# Server side
|
||||||
user { 'nova':
|
if !empty($migration_ssh_localaddrs) {
|
||||||
ensure => present,
|
$allow_type = sprintf('LocalAddress %s User', join($migration_ssh_localaddrs,','))
|
||||||
shell => '/bin/bash',
|
$deny_type = 'LocalAddress'
|
||||||
|
$deny_name = sprintf('!%s', join($migration_ssh_localaddrs,',!'))
|
||||||
|
|
||||||
|
ssh::server::match_block { 'nova_migration deny':
|
||||||
|
name => $deny_name,
|
||||||
|
type => $deny_type,
|
||||||
|
order => 2,
|
||||||
|
options => {
|
||||||
|
'DenyUsers' => 'nova_migration'
|
||||||
|
},
|
||||||
|
notify => Service['sshd']
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
$allow_type = 'User'
|
||||||
|
}
|
||||||
|
$allow_name = 'nova_migration'
|
||||||
|
|
||||||
|
ssh::server::match_block { 'nova_migration allow':
|
||||||
|
name => $allow_name,
|
||||||
|
type => $allow_type,
|
||||||
|
order => 1,
|
||||||
|
options => {
|
||||||
|
'ForceCommand' => '/bin/nova-migration-wrapper',
|
||||||
|
'PasswordAuthentication' => 'no',
|
||||||
|
'AllowTcpForwarding' => 'no',
|
||||||
|
'X11Forwarding' => 'no',
|
||||||
|
'AuthorizedKeysFile' => '/etc/nova/migration/authorized_keys'
|
||||||
|
},
|
||||||
|
notify => Service['sshd']
|
||||||
}
|
}
|
||||||
|
|
||||||
$private_key_parts = split($migration_ssh_key['public_key'], ' ')
|
file { '/etc/nova/migration/authorized_keys':
|
||||||
$nova_public_key = {
|
content => $migration_ssh_key['public_key'],
|
||||||
'type' => $private_key_parts[0],
|
mode => '0640',
|
||||||
key => $private_key_parts[1]
|
owner => 'root',
|
||||||
|
group => 'nova_migration',
|
||||||
|
require => Package['openstack-nova-migration'],
|
||||||
}
|
}
|
||||||
$nova_private_key = {
|
|
||||||
'type' => $private_key_parts[0],
|
# Client side
|
||||||
key => $migration_ssh_key['private_key']
|
file { '/etc/nova/migration/identity':
|
||||||
|
content => $migration_ssh_key['private_key'],
|
||||||
|
mode => '0600',
|
||||||
|
owner => 'nova',
|
||||||
|
group => 'nova',
|
||||||
|
require => Package['openstack-nova-migration'],
|
||||||
}
|
}
|
||||||
|
$migration_pkg_ensure = installed
|
||||||
} else {
|
} else {
|
||||||
$nova_public_key = undef
|
$migration_pkg_ensure = absent
|
||||||
$nova_private_key = undef
|
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
$nova_public_key = undef
|
$migration_pkg_ensure = absent
|
||||||
$nova_private_key = undef
|
|
||||||
}
|
}
|
||||||
|
package {'openstack-nova-migration':
|
||||||
class { '::nova' :
|
ensure => $migration_pkg_ensure
|
||||||
rabbit_hosts => $rabbit_endpoints,
|
|
||||||
nova_public_key => $nova_public_key,
|
|
||||||
nova_private_key => $nova_private_key,
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
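Review bot: The deny match block built by `$deny_name = sprintf('!%s', join($migration_ssh_localaddrs,',!'))` produces a pattern list consisting only of negated entries (`!127.0.0.1,!127.0.0.2` in the spec), and per the PATTERNS section of ssh_config(5) a negated entry never yields a positive match on its own, so `Match LocalAddress !a,!b` matches no address at all and the `DenyUsers nova_migration` option is never applied — assuming `ssh::server::match_block` renders a plain `Match <type> <name>` line, which I cannot see here. Appending a positive wildcard restores the intent: `$deny_name = sprintf('!%s,*', join($migration_ssh_localaddrs,',!'))` (the spec's expected deny name changes accordingly). Separately, the parameter doc `# (Optional) Restrict ssh migration to clients connecting via this list of IPs.` reads like a client-source restriction, but sshd `LocalAddress` matches the server-side address the connection arrived on, so I would reword it to `# (Optional) Only accept ssh migration connections that arrive on these local (server-side) addresses; the client's source address is not checked.` so operators do not mistake it for an allow-list of peers.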
@ -0,0 +1,10 @@
|
||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
Restrict nova migration ssh tunnel
|
||||||
|
* The ssh authorized_keys file is only writeable by root.
|
||||||
|
* Creates a new user for migration instead of using root/nova.
|
||||||
|
* Disables SSH forwarding for this user.
|
||||||
|
* Restricts the networks that this user can connect from.
|
||||||
|
* Uses an ssh wrapper command to whitelist the commands that this user can run over ssh.
|
||||||
|
Adds new parameter "tripleo::profile::base::nova::migration_ssh_localaddrs" to specify which incoming IPs are allow for SSH tunnel connections.
|
|
@ -22,7 +22,7 @@ describe 'tripleo::profile::base::nova' do
|
||||||
context 'with step less than 3' do
|
context 'with step less than 3' do
|
||||||
let(:params) { {
|
let(:params) { {
|
||||||
:step => 1,
|
:step => 1,
|
||||||
:rabbit_hosts => [ '127.0.0.1' ],
|
:rabbit_hosts => [ '127.0.0.1' ],
|
||||||
} }
|
} }
|
||||||
|
|
||||||
it {
|
it {
|
||||||
|
@ -37,13 +37,13 @@ describe 'tripleo::profile::base::nova' do
|
||||||
let(:params) { {
|
let(:params) { {
|
||||||
:step => 3,
|
:step => 3,
|
||||||
:bootstrap_node => 'node.example.com',
|
:bootstrap_node => 'node.example.com',
|
||||||
:rabbit_hosts => [ '127.0.0.1' ],
|
:rabbit_hosts => [ '127.0.0.1' ],
|
||||||
} }
|
} }
|
||||||
|
|
||||||
it {
|
it {
|
||||||
is_expected.to contain_class('tripleo::profile::base::nova')
|
is_expected.to contain_class('tripleo::profile::base::nova')
|
||||||
is_expected.to contain_class('nova').with(
|
is_expected.to contain_class('nova').with(
|
||||||
:rabbit_hosts => ['127.0.0.1:5672']
|
:rabbit_hosts => ['127.0.0.1:5672']
|
||||||
|
|
||||||
)
|
)
|
||||||
is_expected.to contain_class('nova::config')
|
is_expected.to contain_class('nova::config')
|
||||||
|
@ -59,7 +59,7 @@ describe 'tripleo::profile::base::nova' do
|
||||||
let(:params) { {
|
let(:params) { {
|
||||||
:step => 3,
|
:step => 3,
|
||||||
:bootstrap_node => 'other.example.com',
|
:bootstrap_node => 'other.example.com',
|
||||||
:rabbit_hosts => [ '127.0.0.1' ],
|
:rabbit_hosts => [ '127.0.0.1' ],
|
||||||
} }
|
} }
|
||||||
|
|
||||||
it {
|
it {
|
||||||
|
@ -74,7 +74,7 @@ describe 'tripleo::profile::base::nova' do
|
||||||
let(:params) { {
|
let(:params) { {
|
||||||
:step => 4,
|
:step => 4,
|
||||||
:bootstrap_node => 'other.example.com',
|
:bootstrap_node => 'other.example.com',
|
||||||
:rabbit_hosts => [ '127.0.0.1' ],
|
:rabbit_hosts => [ '127.0.0.1' ],
|
||||||
} }
|
} }
|
||||||
|
|
||||||
it {
|
it {
|
||||||
|
@ -87,6 +87,9 @@ describe 'tripleo::profile::base::nova' do
|
||||||
is_expected.to contain_class('nova::config')
|
is_expected.to contain_class('nova::config')
|
||||||
is_expected.to contain_class('nova::cache')
|
is_expected.to contain_class('nova::cache')
|
||||||
is_expected.to_not contain_class('nova::migration::libvirt')
|
is_expected.to_not contain_class('nova::migration::libvirt')
|
||||||
|
is_expected.to contain_package('openstack-nova-migration').with(
|
||||||
|
:ensure => 'absent'
|
||||||
|
)
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -100,7 +103,7 @@ describe 'tripleo::profile::base::nova' do
|
||||||
:manage_migration => true,
|
:manage_migration => true,
|
||||||
:nova_compute_enabled => true,
|
:nova_compute_enabled => true,
|
||||||
:bootstrap_node => 'node.example.com',
|
:bootstrap_node => 'node.example.com',
|
||||||
:rabbit_hosts => [ '127.0.0.1' ],
|
:rabbit_hosts => [ '127.0.0.1' ],
|
||||||
} }
|
} }
|
||||||
|
|
||||||
it {
|
it {
|
||||||
|
@ -117,6 +120,9 @@ describe 'tripleo::profile::base::nova' do
|
||||||
:configure_libvirt => params[:libvirt_enabled],
|
:configure_libvirt => params[:libvirt_enabled],
|
||||||
:configure_nova => params[:nova_compute_enabled]
|
:configure_nova => params[:nova_compute_enabled]
|
||||||
)
|
)
|
||||||
|
is_expected.to contain_package('openstack-nova-migration').with(
|
||||||
|
:ensure => 'absent'
|
||||||
|
)
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -148,13 +154,22 @@ describe 'tripleo::profile::base::nova' do
|
||||||
:configure_libvirt => params[:libvirt_enabled],
|
:configure_libvirt => params[:libvirt_enabled],
|
||||||
:configure_nova => params[:nova_compute_enabled],
|
:configure_nova => params[:nova_compute_enabled],
|
||||||
)
|
)
|
||||||
|
is_expected.to contain_package('openstack-nova-migration').with(
|
||||||
|
:ensure => 'absent'
|
||||||
|
)
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'with step 4 with libvirt and migration ssh key' do
|
context 'with step 4 with libvirt and migration ssh key' do
|
||||||
let(:pre_condition) {
|
let(:pre_condition) do
|
||||||
'include ::nova::compute::libvirt::services'
|
<<-eof
|
||||||
}
|
include ::nova::compute::libvirt::services
|
||||||
|
class { '::ssh::server':
|
||||||
|
storeconfigs_enabled => false,
|
||||||
|
options => {}
|
||||||
|
}
|
||||||
|
eof
|
||||||
|
end
|
||||||
let(:params) { {
|
let(:params) { {
|
||||||
:step => 4,
|
:step => 4,
|
||||||
:libvirt_enabled => true,
|
:libvirt_enabled => true,
|
||||||
|
@ -169,8 +184,8 @@ describe 'tripleo::profile::base::nova' do
|
||||||
is_expected.to contain_class('tripleo::profile::base::nova')
|
is_expected.to contain_class('tripleo::profile::base::nova')
|
||||||
is_expected.to contain_class('nova').with(
|
is_expected.to contain_class('nova').with(
|
||||||
:rabbit_hosts => /.+/,
|
:rabbit_hosts => /.+/,
|
||||||
:nova_public_key => {'key' => 'bar', 'type' => 'ssh-rsa'},
|
:nova_public_key => nil,
|
||||||
:nova_private_key => {'key' => 'foo', 'type' => 'ssh-rsa'}
|
:nova_private_key => nil,
|
||||||
)
|
)
|
||||||
is_expected.to contain_class('nova::config')
|
is_expected.to contain_class('nova::config')
|
||||||
is_expected.to contain_class('nova::cache')
|
is_expected.to contain_class('nova::cache')
|
||||||
|
@ -179,13 +194,117 @@ describe 'tripleo::profile::base::nova' do
|
||||||
:configure_libvirt => params[:libvirt_enabled],
|
:configure_libvirt => params[:libvirt_enabled],
|
||||||
:configure_nova => params[:nova_compute_enabled]
|
:configure_nova => params[:nova_compute_enabled]
|
||||||
)
|
)
|
||||||
|
is_expected.to contain_ssh__server__match_block('nova_migration allow').with(
|
||||||
|
:type => 'User',
|
||||||
|
:name => 'nova_migration',
|
||||||
|
:options => {
|
||||||
|
'ForceCommand' => '/bin/nova-migration-wrapper',
|
||||||
|
'PasswordAuthentication' => 'no',
|
||||||
|
'AllowTcpForwarding' => 'no',
|
||||||
|
'X11Forwarding' => 'no',
|
||||||
|
'AuthorizedKeysFile' => '/etc/nova/migration/authorized_keys'
|
||||||
|
}
|
||||||
|
)
|
||||||
|
is_expected.to_not contain_ssh__server__match_block('nova_migration deny')
|
||||||
|
is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
|
||||||
|
:content => 'ssh-rsa bar',
|
||||||
|
:mode => '0640',
|
||||||
|
:owner => 'root',
|
||||||
|
:group => 'nova_migration',
|
||||||
|
)
|
||||||
|
is_expected.to contain_file('/etc/nova/migration/identity').with(
|
||||||
|
:content => 'foo',
|
||||||
|
:mode => '0600',
|
||||||
|
:owner => 'nova',
|
||||||
|
:group => 'nova',
|
||||||
|
)
|
||||||
|
is_expected.to contain_package('openstack-nova-migration').with(
|
||||||
|
:ensure => 'installed'
|
||||||
|
)
|
||||||
|
}
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'with step 4 with libvirt and migration ssh key and migration_ssh_localaddrs' do
|
||||||
|
let(:pre_condition) do
|
||||||
|
<<-eof
|
||||||
|
include ::nova::compute::libvirt::services
|
||||||
|
class { '::ssh::server':
|
||||||
|
storeconfigs_enabled => false,
|
||||||
|
options => {}
|
||||||
|
}
|
||||||
|
eof
|
||||||
|
end
|
||||||
|
let(:params) { {
|
||||||
|
:step => 4,
|
||||||
|
:libvirt_enabled => true,
|
||||||
|
:manage_migration => true,
|
||||||
|
:nova_compute_enabled => true,
|
||||||
|
:bootstrap_node => 'node.example.com',
|
||||||
|
:rabbit_hosts => [ '127.0.0.1' ],
|
||||||
|
:migration_ssh_key => { 'private_key' => 'foo', 'public_key' => 'ssh-rsa bar'},
|
||||||
|
:migration_ssh_localaddrs => ['127.0.0.1', '127.0.0.2']
|
||||||
|
} }
|
||||||
|
|
||||||
|
it {
|
||||||
|
is_expected.to contain_class('tripleo::profile::base::nova')
|
||||||
|
is_expected.to contain_class('nova').with(
|
||||||
|
:rabbit_hosts => /.+/,
|
||||||
|
:nova_public_key => nil,
|
||||||
|
:nova_private_key => nil,
|
||||||
|
)
|
||||||
|
is_expected.to contain_class('nova::config')
|
||||||
|
is_expected.to contain_class('nova::cache')
|
||||||
|
is_expected.to contain_class('nova::migration::libvirt').with(
|
||||||
|
:transport => 'ssh',
|
||||||
|
:configure_libvirt => params[:libvirt_enabled],
|
||||||
|
:configure_nova => params[:nova_compute_enabled]
|
||||||
|
)
|
||||||
|
is_expected.to contain_ssh__server__match_block('nova_migration allow').with(
|
||||||
|
:type => 'LocalAddress 127.0.0.1,127.0.0.2 User',
|
||||||
|
:name => 'nova_migration',
|
||||||
|
:options => {
|
||||||
|
'ForceCommand' => '/bin/nova-migration-wrapper',
|
||||||
|
'PasswordAuthentication' => 'no',
|
||||||
|
'AllowTcpForwarding' => 'no',
|
||||||
|
'X11Forwarding' => 'no',
|
||||||
|
'AuthorizedKeysFile' => '/etc/nova/migration/authorized_keys'
|
||||||
|
}
|
||||||
|
)
|
||||||
|
is_expected.to contain_ssh__server__match_block('nova_migration deny').with(
|
||||||
|
:type => 'LocalAddress',
|
||||||
|
:name => '!127.0.0.1,!127.0.0.2',
|
||||||
|
:options => {
|
||||||
|
'DenyUsers' => 'nova_migration'
|
||||||
|
}
|
||||||
|
)
|
||||||
|
is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
|
||||||
|
:content => 'ssh-rsa bar',
|
||||||
|
:mode => '0640',
|
||||||
|
:owner => 'root',
|
||||||
|
:group => 'nova_migration',
|
||||||
|
)
|
||||||
|
is_expected.to contain_file('/etc/nova/migration/identity').with(
|
||||||
|
:content => 'foo',
|
||||||
|
:mode => '0600',
|
||||||
|
:owner => 'nova',
|
||||||
|
:group => 'nova',
|
||||||
|
)
|
||||||
|
is_expected.to contain_package('openstack-nova-migration').with(
|
||||||
|
:ensure => 'installed'
|
||||||
|
)
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'with step 4 with libvirt TLS and migration ssh key' do
|
context 'with step 4 with libvirt TLS and migration ssh key' do
|
||||||
let(:pre_condition) {
|
let(:pre_condition) do
|
||||||
'include ::nova::compute::libvirt::services'
|
<<-eof
|
||||||
}
|
include ::nova::compute::libvirt::services
|
||||||
|
class { '::ssh::server':
|
||||||
|
storeconfigs_enabled => false,
|
||||||
|
options => {}
|
||||||
|
}
|
||||||
|
eof
|
||||||
|
end
|
||||||
let(:params) { {
|
let(:params) { {
|
||||||
:step => 4,
|
:step => 4,
|
||||||
:libvirt_enabled => true,
|
:libvirt_enabled => true,
|
||||||
|
@ -201,9 +320,8 @@ describe 'tripleo::profile::base::nova' do
|
||||||
is_expected.to contain_class('tripleo::profile::base::nova')
|
is_expected.to contain_class('tripleo::profile::base::nova')
|
||||||
is_expected.to contain_class('nova').with(
|
is_expected.to contain_class('nova').with(
|
||||||
:rabbit_hosts => /.+/,
|
:rabbit_hosts => /.+/,
|
||||||
:notification_transport_url => /.+/,
|
:nova_public_key => nil,
|
||||||
:nova_public_key => {'key' => 'bar', 'type' => 'ssh-rsa'},
|
:nova_private_key => nil,
|
||||||
:nova_private_key => {'key' => 'foo', 'type' => 'ssh-rsa'}
|
|
||||||
)
|
)
|
||||||
is_expected.to contain_class('nova::config')
|
is_expected.to contain_class('nova::config')
|
||||||
is_expected.to contain_class('nova::cache')
|
is_expected.to contain_class('nova::cache')
|
||||||
|
@ -212,6 +330,33 @@ describe 'tripleo::profile::base::nova' do
|
||||||
:configure_libvirt => params[:libvirt_enabled],
|
:configure_libvirt => params[:libvirt_enabled],
|
||||||
:configure_nova => params[:nova_compute_enabled]
|
:configure_nova => params[:nova_compute_enabled]
|
||||||
)
|
)
|
||||||
|
is_expected.to contain_ssh__server__match_block('nova_migration allow').with(
|
||||||
|
:type => 'User',
|
||||||
|
:name => 'nova_migration',
|
||||||
|
:options => {
|
||||||
|
'ForceCommand' => '/bin/nova-migration-wrapper',
|
||||||
|
'PasswordAuthentication' => 'no',
|
||||||
|
'AllowTcpForwarding' => 'no',
|
||||||
|
'X11Forwarding' => 'no',
|
||||||
|
'AuthorizedKeysFile' => '/etc/nova/migration/authorized_keys'
|
||||||
|
}
|
||||||
|
)
|
||||||
|
is_expected.to_not contain_ssh__server__match_block('nova_migration deny')
|
||||||
|
is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
|
||||||
|
:content => 'ssh-rsa bar',
|
||||||
|
:mode => '0640',
|
||||||
|
:owner => 'root',
|
||||||
|
:group => 'nova_migration',
|
||||||
|
)
|
||||||
|
is_expected.to contain_file('/etc/nova/migration/identity').with(
|
||||||
|
:content => 'foo',
|
||||||
|
:mode => '0600',
|
||||||
|
:owner => 'nova',
|
||||||
|
:group => 'nova',
|
||||||
|
)
|
||||||
|
is_expected.to contain_package('openstack-nova-migration').with(
|
||||||
|
:ensure => 'installed'
|
||||||
|
)
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
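Review bot: The deny-block expectation `:name => '!127.0.0.1,!127.0.0.2'` in the migration_ssh_localaddrs context pins a negation-only sshd pattern list, which per ssh_config(5) PATTERNS never matches anything; if the manifest is corrected to append a positive wildcard, the expected name should become `'!127.0.0.1,!127.0.0.2,*'`. The new `'sshd' in $services_enabled` guard is only exercised in its enabled state because the hiera fixture now sets `service_names: ['sshd']` for every context; a context where sshd is not in service_names but a migration key is supplied (asserting the package goes `absent` and no match blocks or key files are managed) would cover the other branch. The heredoc `pre_condition` and the `nova_migration allow` / file / package expectations are repeated verbatim across three contexts; a `shared_context` for the precondition and `shared_examples` for the expectations would keep them in one place.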
@ -7,3 +7,4 @@ memcached_node_ips_v6:
|
||||||
- '::1'
|
- '::1'
|
||||||
memcached_node_ips:
|
memcached_node_ips:
|
||||||
- '127.0.0.1'
|
- '127.0.0.1'
|
||||||
|
service_names: ['sshd']
|
||||||
|
|