Merge "Disable tunnelled migration"

deployment/nova/nova-compute-container-puppet.yaml

@@ -806,18 +806,6 @@ conditions:
     and:
       - {get_param: EnableInternalTLS}
       - {get_param: UseTLSTransportForLiveMigration}
-  enable_live_migration_tunnelled:
-    and:
-      - or:
-          - and:
-            - {get_param: NovaNfsEnabled}
-            - equals: [{get_param: [RoleParameters, NovaNfsEnabled]}, '']
-          - equals: [{get_param: [RoleParameters, NovaNfsEnabled]}, true]
-          - equals: [{get_param: [RoleParameters, NovaEnableRbdBackend]}, true]
-          - and:
-            - equals: [{get_param: [RoleParameters, NovaEnableRbdBackend]}, '']
-            - {get_param: NovaEnableRbdBackend}
-      - not: use_tls_for_live_migration
   libvirt_file_backed_memory_enabled:
     not:
       or:
@@ -1129,18 +1117,8 @@ outputs:
                   - live_migration_optimization_set
                   - true
                   - false
-            # TUNNELLED mode provides a security improvement for migration, but
-            # can't be used in combination with block migration. So we only enable it
-            # when shared storage is available (Ceph RDB is currently the only option).
-            # See https://bugzilla.redhat.com/show_bug.cgi?id=1301986#c12
-            # In future versions of QEMU (2.6, mostly), danpb's native
-            # encryption work will obsolete the need to use TUNNELLED transport
-            # mode.
-            nova::migration::libvirt::live_migration_tunnelled:
-              if:
-              - enable_live_migration_tunnelled
-              - true
-              - false
+            # TUNNELLED mode is not compatible with post_copy.
+            nova::migration::libvirt::live_migration_tunnelled: false
             # NOTE: bind IP is found in hiera replacing the network name with the
             # local node IP for the given network; replacement examples
             # (eg. for internal_api):