From 0e8be55089ed96b8d594bba487d8ad61be93d3cc Mon Sep 17 00:00:00 2001
From: Martin Schuppert
Date: Wed, 12 May 2021 19:45:22 +0200
Subject: [PATCH] Disable tunneled mode when use_tls_for_live_migration With recent version of libvirt, nova-compute don't come up correct when tls-everywhere (use_tls_for_live_migration) is set. The enable_live_migration_tunnelled condition did not consider tls-livemigration and got disabled. Nova-compute fails to start with: 2021-05-12 12:49:09.278 7 ERROR oslo_service.service nova.exception.Invalid: Setting both 'live_migration_tunnelled' and 'live_migration_with_native_tls' at the same time is invalid. If you have the relevant libvirt and QEMU versions, and TLS configured in your environment, pick 'live_migration_with_native_tls'._ This change enhance the enable_live_migration_tunnelled condition to not configure tunnelled mode when use_tls_for_live_migration is true. Conflicts: - deployment/nova/nova-compute-container-puppet.yaml NOTE(dvd): - 91837d4fa7325e909b5f5a655336015688edb47c Add new parameters to configure nova-compute direct rbd image download - addcee106e2f0de09f785dbfde57d1185404c39c Add ability to configure glance multiple cinder stores Closes-Bug: #1928554 Related-bug: https://bugzilla.redhat.com/show_bug.cgi?id=1959808 Change-Id: I1a6f5d3a98d185415b772fa6a94d6f4329dc59a0 (cherry picked from commit 3a472cbbe844dd7e15e4889e5f02845461413169) (cherry picked from commit 4b1da5cd5ba440241351e52b627cde0477e93057) (cherry picked from commit 86de3c350141e1e05e5d77a742fc7c3dbb8a574c)
---
 .../nova/nova-compute-container-puppet.yaml | 34 ++++++++++++++-----
 .../nova/nova-libvirt-container-puppet.yaml | 4 ---
 2 files changed, 25 insertions(+), 13 deletions(-)
diff --git a/deployment/nova/nova-compute-container-puppet.yaml b/deployment/nova/nova-compute-container-puppet.yaml
index bb476b47c5..2a5c31d407 100644
--- a/deployment/nova/nova-compute-container-puppet.yaml
+++ b/deployment/nova/nova-compute-container-puppet.yaml
@@ -532,6 +532,15 @@ parameters:
 default: 0
 tags:
 - role_specific
+ EnableInternalTLS:
+ type: boolean
+ default: false
+ UseTLSTransportForLiveMigration:
+ type: boolean
+ default: true
+ description: If set to true and if EnableInternalTLS is enabled, it will
+ set the libvirt URI's transport to tls and configure the
+ relevant keys for libvirt.
 # DEPRECATED: the following options are deprecated and are currently maintained
 # for backwards compatibility. They will be removed in future release.
@@ -730,16 +739,23 @@ resources:
 conditions:
 enable_instance_ha: {equals: [{get_param: EnableInstanceHA}, true]}
+ use_tls_for_live_migration:
+ and:
+ - {get_param: EnableInternalTLS}
+ - {get_param: UseTLSTransportForLiveMigration}
+
 enable_live_migration_tunnelled:
- or:
- - and:
- - equals: [{get_param: NovaNfsEnabled}, true]
- - equals: [{get_param: [RoleParameters, NovaNfsEnabled]}, '']
- - equals: [{get_param: [RoleParameters, NovaNfsEnabled]}, true]
- - equals: [{get_param: [RoleParameters, NovaEnableRbdBackend]}, true]
- - and:
- - equals: [{get_param: [RoleParameters, NovaEnableRbdBackend]}, '']
- - equals: [{get_param: NovaEnableRbdBackend}, true]
+ and:
+ - or:
+ - and:
+ - {get_param: NovaNfsEnabled}
+ - equals: [{get_param: [RoleParameters, NovaNfsEnabled]}, '']
+ - equals: [{get_param: [RoleParameters, NovaNfsEnabled]}, true]
+ - equals: [{get_param: [RoleParameters, NovaEnableRbdBackend]}, true]
+ - and:
+ - equals: [{get_param: [RoleParameters, NovaEnableRbdBackend]}, '']
+ - {get_param: NovaEnableRbdBackend}
+ - not: use_tls_for_live_migration
 libvirt_file_backed_memory_enabled:
 not:
diff --git a/deployment/nova/nova-libvirt-container-puppet.yaml b/deployment/nova/nova-libvirt-container-puppet.yaml
index 544daa1b48..68a431a86d 100644
--- a/deployment/nova/nova-libvirt-container-puppet.yaml
+++ b/deployment/nova/nova-libvirt-container-puppet.yaml
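Review bot: `EnableInternalTLS` is added to the nova-compute parameters with no `description`, and the text on `UseTLSTransportForLiveMigration` only covers the libvirt URI and keys, not what the parameter does in this template. Per the conditions changed further down in this file, it also switches tunnelled live migration off, so I would extend the description with a sentence such as `In nova-compute this also disables tunnelled live migration.` and give `EnableInternalTLS` a description of its own. The conditions in nova-libvirt-container-puppet.yaml reference the same two parameters, so presumably that template declares them as well; if so, the two `default:` values need to stay identical, otherwise `use_tls_for_live_migration` evaluates differently in the two templates when the operator leaves them unset.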
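Review bot: With `not: use_tls_for_live_migration` added to `enable_live_migration_tunnelled`, protection of the migration data stream on TLS deployments no longer comes from the libvirt tunnel and, as far as this hunk shows, rests on `live_migration_with_native_tls` being set elsewhere; nothing here records that dependency. A comment above the condition would help, for example `# Tunnelled mode and live_migration_with_native_tls are mutually exclusive in nova; with TLS live migration the stream is protected by QEMU native TLS instead.` Separately, the NFS and RBD terms changed from `equals: [{get_param: NovaNfsEnabled}, true]` to a bare `{get_param: NovaNfsEnabled}` (likewise `NovaEnableRbdBackend`), which the commit message does not mention and which is only equivalent if both parameters are declared `type: boolean`. Their declarations are outside the hunk, so that is worth confirming.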
@@ -279,12 +279,8 @@ conditions:
 use_tls_for_live_migration:
 and:
- - equals:
 - {get_param: EnableInternalTLS}
- - true
- - equals:
 - {get_param: UseTLSTransportForLiveMigration}
- - true
 libvirt_specific_ca_unset:
 equals: