Enable secure TUNNELLED mode for NFS

This is the follow up patch for change Ie4fe217bd119b638f42c682d21572547f02f17b2 which allows configuring NFS backend for Nova. To provide enhanced security improvement for migration, this change enables TUNNELLED mode for migration, in case of NFS shared storage. Change-Id: Id0cfc945814e6aa5a5c85643514cf206f42e50f4 Implements: bp tripleo-nova-nfs
2018-06-12 12:02:32 +05:30 · 2018-06-12 12:02:32 +05:30 · db1976c0c7
parent a151ed15e8
commit db1976c0c7
1 changed files with 10 additions and 1 deletions
--- a/puppet/services/nova-compute.yaml
+++ b/puppet/services/nova-compute.yaml
@ -145,6 +145,11 @@ parameters:
    description: Max number of consecutive build failures before the nova-compute will disable itself.
    type: string

+conditions:
+  enable_live_migration_tunnelled:
+    or:
+      - equals: [{get_param: NovaNfsEnabled}, true]
+      - equals: [{get_param: NovaEnableRbdBackend}, true]

 resources:
  NovaBase:
@ -228,7 +233,11 @@ outputs:
            # In future versions of QEMU (2.6, mostly), danpb's native
            # encryption work will obsolete the need to use TUNNELLED transport
            # mode.
-            nova::migration::live_migration_tunnelled: {get_param: NovaEnableRbdBackend}
+            nova::migration::live_migration_tunnelled:
+              if:
+              - enable_live_migration_tunnelled
+              - true
+              - false
            nova::compute::neutron::libvirt_vif_driver: {get_param: NovaComputeLibvirtVifDriver}
            # NOTE: bind IP is found in hiera replacing the network name with the
            # local node IP for the given network; replacement examples