Improve security of the Nova migration
Several improvements have been made: - SSH is now the default protocol for Nova migration. - A dedicated migration user is required instead of the nova user. Change-Id: I21d131b7dab735ee9c5a033a3108490f5bdfb8cb
This commit is contained in:
parent
f5716c9454
commit
ea2b19038d
@ -752,7 +752,7 @@ Nova Options
|
||||
Overcommitment ratio for virtual to physical RAM. Specify 1.0 to disable RAM overcommitment.
|
||||
|
||||
**CONFIG_NOVA_COMPUTE_MIGRATE_PROTOCOL**
|
||||
Protocol used for instance migration. Valid options are: tcp and ssh. Note that by default, the Compute user is created with the /sbin/nologin shell so that the SSH protocol will not work. To make the SSH protocol work, you must configure the Compute user on compute hosts manually. ['tcp', 'ssh']
|
||||
Protocol used for instance migration. Valid options are: ssh and tcp. Note that the tcp protocol is not encrypted, so it is insecure. ['ssh', 'tcp']
|
||||
|
||||
**CONFIG_NOVA_PCI_ALIAS**
|
||||
Enter the PCI passthrough array of hash in JSON style for controller eg.
|
||||
|
@ -134,7 +134,7 @@ def initConfig(controller):
|
||||
"migration"),
|
||||
"OPTION_LIST": ['tcp', 'ssh'],
|
||||
"VALIDATORS": [validators.validate_options],
|
||||
"DEFAULT_VALUE": 'tcp',
|
||||
"DEFAULT_VALUE": 'ssh',
|
||||
"MASK_INPUT": False,
|
||||
"LOOSE_VALIDATION": True,
|
||||
"CONF_NAME": "CONFIG_NOVA_COMPUTE_MIGRATE_PROTOCOL",
|
||||
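Review bot: `"OPTION_LIST": ['tcp', 'ssh']` keeps tcp first while the updated option documentation in this commit lists the values as `['ssh', 'tcp']`; if that documentation is generated from OPTION_LIST, the next regeneration will undo the reordering, and if it is hand-maintained the two are now out of step either way. Changing the line to `"OPTION_LIST": ['ssh', 'tcp'],` keeps the code and the documented order consistent with the new 'ssh' default. The enclosing initConfig body starts and ends outside this hunk.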
@ -346,7 +346,7 @@ def create_compute_manifest(config, messages):
|
||||
key = "%s.%s" % (host_key_type, hostname)
|
||||
ssh_keys_details.setdefault(key, {})
|
||||
ssh_keys_details[key]['ensure'] = 'present'
|
||||
ssh_keys_details[key]['host_aliases'] = aliases + addrs
|
||||
ssh_keys_details[key]['host_aliases'] = [hostname] + aliases + addrs
|
||||
ssh_keys_details[key]['key'] = host_key_data
|
||||
ssh_keys_details[key]['type'] = host_key_type
|
||||
|
||||
|
@ -10,20 +10,46 @@ class packstack::nova::compute ()
|
||||
|
||||
# Install the private key to be used for live migration. This needs to be
|
||||
# configured into libvirt/live_migration_uri in nova.conf.
|
||||
file { '/etc/nova/ssh':
|
||||
ensure => directory,
|
||||
owner => root,
|
||||
group => root,
|
||||
mode => '0700',
|
||||
require => Package['nova-common'],
|
||||
}
|
||||
$migrate_transport = hiera('CONFIG_NOVA_COMPUTE_MIGRATE_PROTOCOL')
|
||||
if $migrate_transport == 'ssh' {
|
||||
ensure_packages(['openstack-nova-migration'], {'ensure' => 'present'})
|
||||
|
||||
file { '/etc/nova/ssh/nova_migration_key':
|
||||
content => hiera('NOVA_MIGRATION_KEY_SECRET'),
|
||||
mode => '0600',
|
||||
owner => root,
|
||||
group => root,
|
||||
require => File['/etc/nova/ssh'],
|
||||
file { '/etc/nova/migration/identity':
|
||||
content => hiera('NOVA_MIGRATION_KEY_SECRET'),
|
||||
mode => '0600',
|
||||
owner => root,
|
||||
group => root,
|
||||
require => Package['openstack-nova-migration'],
|
||||
}
|
||||
|
||||
$key_type = hiera('NOVA_MIGRATION_KEY_TYPE')
|
||||
$key_content = hiera('NOVA_MIGRATION_KEY_PUBLIC')
|
||||
|
||||
file { '/etc/nova/migration/authorized_keys':
|
||||
content => "${key_type} ${key_content}",
|
||||
mode => '0640',
|
||||
owner => root,
|
||||
group => nova_migration,
|
||||
require => Package['openstack-nova-migration'],
|
||||
}
|
||||
|
||||
augeas{'Match block for user nova_migration':
|
||||
context => '/files/etc/ssh/sshd_config',
|
||||
changes => [
|
||||
'set Match[User nova_migration]/Condition/User nova_migration',
|
||||
'set Match[Condition/User = "nova_migration"]/Settings/AllowTcpForwarding no',
|
||||
'set Match[Condition/User = "nova_migration"]/Settings/AuthorizedKeysFile /etc/nova/migration/authorized_keys',
|
||||
'set Match[Condition/User = "nova_migration"]/Settings/ForceCommand /bin/nova-migration-wrapper',
|
||||
'set Match[Condition/User = "nova_migration"]/Settings/PasswordAuthentication no',
|
||||
'set Match[Condition/User = "nova_migration"]/Settings/X11Forwarding no',
|
||||
],
|
||||
onlyif => 'match Match[Condition/User = "nova_migration"] size == 0',
|
||||
notify => Service['sshd']
|
||||
}
|
||||
|
||||
service {'sshd':
|
||||
ensure => running,
|
||||
}
|
||||
}
|
||||
|
||||
nova_config{
|
||||
|
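Review bot: The manifest drops the `file { '/etc/nova/ssh' }` and `/etc/nova/ssh/nova_migration_key` resources but never removes them from disk, so hosts upgraded with this change keep a second copy of the migration private key under the old path with nothing managing it. Adding `file { '/etc/nova/ssh': ensure => absent, recurse => true, force => true }` inside the `if $migrate_transport == 'ssh'` branch (or unconditionally) retires the stale credential on existing compute nodes. Separately, the `onlyif => 'match Match[Condition/User = "nova_migration"] size == 0'` guard means the Match settings (ForceCommand, AllowTcpForwarding, PasswordAuthentication, X11Forwarding) are written only when the block does not yet exist, so a later change to these lines would not converge on already-configured hosts; if the guard is only there to avoid duplicate Match blocks, consider scoping it to the first `set` or documenting that limitation in a comment. The class packstack::nova::compute continues past the end of this hunk.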
@ -30,8 +30,7 @@ class packstack::nova::compute::libvirt ()
|
||||
$migrate_transport = hiera('CONFIG_NOVA_COMPUTE_MIGRATE_PROTOCOL')
|
||||
if $migrate_transport == 'ssh' {
|
||||
$client_extraparams = {
|
||||
no_verify => 1,
|
||||
keyfile => '/etc/nova/ssh/nova_migration_key',
|
||||
keyfile => '/etc/nova/migration/identity',
|
||||
}
|
||||
} else {
|
||||
$client_extraparams = {}
|
||||
@ -39,7 +38,7 @@ class packstack::nova::compute::libvirt ()
|
||||
|
||||
class { '::nova::migration::libvirt':
|
||||
transport => $migrate_transport,
|
||||
client_user => 'nova',
|
||||
client_user => 'nova_migration',
|
||||
client_extraparams => $client_extraparams,
|
||||
require => Class['::nova::compute::libvirt']
|
||||
}
|
||||
|
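Review bot: `no_verify => 1` is kept in `$client_extraparams` for the ssh transport, which tells libvirt's ssh client to skip host key verification, so the migration channel is still open to a man-in-the-middle despite the key-based user hardening this commit adds. The `create_compute_manifest` change in this same commit distributes host keys via sshkey resources; if those entries land in a known_hosts file that libvirt's ssh client consults, the parameter can be removed (or set to `no_verify => 0`) so the distributed keys are actually enforced, which should be confirmed against the migration URI configuration outside this hunk. The class packstack::nova::compute::libvirt starts and ends outside the visible hunks.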
@ -0,0 +1,5 @@
|
||||
---
|
||||
security:
|
||||
- Improving security of the Nova migration configuration.
|
||||
Now, ssh is the default option for Nova migration, and
|
||||
a specific migration user is used.
|