From db1976c0c7252da9ba142fd141a974c9df8870f3 Mon Sep 17 00:00:00 2001
From: Rajesh Tailor
Date: Tue, 12 Jun 2018 12:02:32 +0530
Subject: [PATCH] Enable secure TUNNELLED mode for NFS
This is the follow up patch for change Ie4fe217bd119b638f42c682d21572547f02f17b2 which allows configuring NFS backend for Nova. To provide enhanced security improvement for migration, this change enables TUNNELLED mode for migration, in case of NFS shared storage.
Change-Id: Id0cfc945814e6aa5a5c85643514cf206f42e50f4
Implements: bp tripleo-nova-nfs
---
 puppet/services/nova-compute.yaml | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/puppet/services/nova-compute.yaml b/puppet/services/nova-compute.yaml
index 2b2e67468f..8c64745236 100644
--- a/puppet/services/nova-compute.yaml
+++ b/puppet/services/nova-compute.yaml
@@ -145,6 +145,11 @@ parameters:
 description: Max number of consecutive build failures before the nova-compute will disable itself.
 type: string
+conditions:
+ enable_live_migration_tunnelled:
+ or:
+ - equals: [{get_param: NovaNfsEnabled}, true]
+ - equals: [{get_param: NovaEnableRbdBackend}, true]
 resources:
 NovaBase:
@@ -228,7 +233,11 @@ outputs:
 # In future versions of QEMU (2.6, mostly), danpb's native
 # encryption work will obsolete the need to use TUNNELLED transport
 # mode.
- nova::migration::live_migration_tunnelled: {get_param: NovaEnableRbdBackend}
+ nova::migration::live_migration_tunnelled:
+ if:
+ - enable_live_migration_tunnelled
+ - true
+ - false
 nova::compute::neutron::libvirt_vif_driver: {get_param: NovaComputeLibvirtVifDriver}
 # NOTE: bind IP is found in hiera replacing the network name with the
 # local node IP for the given network; replacement examples
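Review bot: The new `enable_live_migration_tunnelled` condition compares `{get_param: NovaNfsEnabled}` and `{get_param: NovaEnableRbdBackend}` with the boolean `true`, so it can only hold if both parameters are declared in this template with `type: boolean`. Their declarations are outside this hunk, so please confirm that. A string-typed value would most likely make the comparison false and leave tunnelling off without any error. A one-line comment above the block would also record the intent, for example `# Tunnel live migration whenever instance disks are on shared storage (NFS or RBD).`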
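Review bot: The comment kept as context above `nova::migration::live_migration_tunnelled` was written when the value followed `NovaEnableRbdBackend` alone. It starts outside this hunk, so check that it now mentions NFS and the `enable_live_migration_tunnelled` condition that drives the setting. Tunnelled mode carries the migration stream over the libvirtd connection, so it is only as protected as that transport, and it does not cover the NFS traffic that holds the instance disks. A line such as `# Relies on an encrypted libvirt migration transport; NFS disk I/O is not covered.` next to the setting would make the scope of the "secure" claim explicit for operators.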