openstack/puppet-nova
Code Issues Proposed changes

Make libvirt migration security configurable

Browse Source 
Adding flags to choose between tls/tcp connections as well as
sasl/none authentication when configuring libvirt migration.

This allows to deploy proper libvirt security in combination with
the nova::compute class.

Change-Id: Ib479a1f4cd2df0d55347ed71fb8f0ab69aaeceef
This commit is contained in:
David Gurtner
2015-04-09 01:25:32 +02:00
parent 517b7b800c
commit 1383cee7d4
4 changed files with 137 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
manifests/compute/libvirt.pp
View File

@@ -135,7 +135,7 @@ class nova::compute::libvirt (
if $vncserver_listen != '0.0.0.0' and $vncserver_listen != '::0' { if $vncserver_listen != '0.0.0.0' and $vncserver_listen != '::0' {
fail('For migration support to work, you MUST set vncserver_listen to \'0.0.0.0\' or \'::0\'') fail('For migration support to work, you MUST set vncserver_listen to \'0.0.0.0\' or \'::0\'')
} else { } else {
class { '::nova::migration::libvirt': } include ::nova::migration::libvirt
} }
} }

59
manifests/migration/libvirt.pp
View File

@@ -2,7 +2,33 @@
# #
# Sets libvirt config that is required for migration # Sets libvirt config that is required for migration
# #
class nova::migration::libvirt { # === Parameters:
#
# [*use_tls*]
# (optional) Use tls for remote connections to libvirt
# Defaults to false
#
# [*auth*]
# (optional) Use this authentication scheme for remote libvirt connections.
# Valid options are none and sasl.
# Defaults to 'none'
#
class nova::migration::libvirt(
$use_tls = false,
$auth = 'none',
){
if $use_tls {
$listen_tls = '1'
$listen_tcp = '0'
nova_config {
'libvirt/live_migration_uri': value => 'qemu+tls://%s/system';
}
} else {
$listen_tls = '0'
$listen_tcp = '1'
}
validate_re($auth, [ '^sasl$', '^none$' ], 'Valid options for auth are none and sasl.')
Package['libvirt'] -> File_line<| path == '/etc/libvirt/libvirtd.conf' |> Package['libvirt'] -> File_line<| path == '/etc/libvirt/libvirtd.conf' |>
@@ -10,24 +36,33 @@ class nova::migration::libvirt {
'RedHat': { 'RedHat': {
file_line { '/etc/libvirt/libvirtd.conf listen_tls': file_line { '/etc/libvirt/libvirtd.conf listen_tls':
path => '/etc/libvirt/libvirtd.conf', path => '/etc/libvirt/libvirtd.conf',
line => 'listen_tls = 0', line => "listen_tls = ${listen_tls}",
match => 'listen_tls =', match => 'listen_tls =',
notify => Service['libvirt'], notify => Service['libvirt'],
} }
file_line { '/etc/libvirt/libvirtd.conf listen_tcp': file_line { '/etc/libvirt/libvirtd.conf listen_tcp':
path => '/etc/libvirt/libvirtd.conf', path => '/etc/libvirt/libvirtd.conf',
line => 'listen_tcp = 1', line => "listen_tcp = ${listen_tcp}",
match => 'listen_tcp =', match => 'listen_tcp =',
notify => Service['libvirt'], notify => Service['libvirt'],
} }
if $use_tls {
file_line { '/etc/libvirt/libvirtd.conf auth_tls':
path => '/etc/libvirt/libvirtd.conf',
line => "auth_tls = \"${auth}\"",
match => 'auth_tls =',
notify => Service['libvirt'],
}
} else {
file_line { '/etc/libvirt/libvirtd.conf auth_tcp': file_line { '/etc/libvirt/libvirtd.conf auth_tcp':
path => '/etc/libvirt/libvirtd.conf', path => '/etc/libvirt/libvirtd.conf',
line => 'auth_tcp = "none"', line => "auth_tcp = \"${auth}\"",
match => 'auth_tcp =', match => 'auth_tcp =',
notify => Service['libvirt'], notify => Service['libvirt'],
} }
}
file_line { '/etc/sysconfig/libvirtd libvirtd args': file_line { '/etc/sysconfig/libvirtd libvirtd args':
path => '/etc/sysconfig/libvirtd', path => '/etc/sysconfig/libvirtd',
@@ -42,24 +77,34 @@ class nova::migration::libvirt {
'Debian': { 'Debian': {
file_line { '/etc/libvirt/libvirtd.conf listen_tls': file_line { '/etc/libvirt/libvirtd.conf listen_tls':
path => '/etc/libvirt/libvirtd.conf', path => '/etc/libvirt/libvirtd.conf',
line => 'listen_tls = 0', line => "listen_tls = ${listen_tls}",
match => 'listen_tls =', match => 'listen_tls =',
notify => Service['libvirt'], notify => Service['libvirt'],
} }
file_line { '/etc/libvirt/libvirtd.conf listen_tcp': file_line { '/etc/libvirt/libvirtd.conf listen_tcp':
path => '/etc/libvirt/libvirtd.conf', path => '/etc/libvirt/libvirtd.conf',
line => 'listen_tcp = 1', line => "listen_tcp = ${listen_tcp}",
match => 'listen_tcp =', match => 'listen_tcp =',
notify => Service['libvirt'], notify => Service['libvirt'],
} }
if $use_tls {
file_line { '/etc/libvirt/libvirtd.conf auth_tls':
path => '/etc/libvirt/libvirtd.conf',
line => "auth_tls = \"${auth}\"",
match => 'auth_tls =',
notify => Service['libvirt'],
}
} else {
file_line { '/etc/libvirt/libvirtd.conf auth_tcp': file_line { '/etc/libvirt/libvirtd.conf auth_tcp':
path => '/etc/libvirt/libvirtd.conf', path => '/etc/libvirt/libvirtd.conf',
line => 'auth_tcp = "none"', line => "auth_tcp = \"${auth}\"",
match => 'auth_tcp =', match => 'auth_tcp =',
notify => Service['libvirt'], notify => Service['libvirt'],
} }
}
file_line { "/etc/default/${::nova::compute::libvirt::libvirt_service_name} libvirtd opts": file_line { "/etc/default/${::nova::compute::libvirt::libvirt_service_name} libvirtd opts":
path => "/etc/default/${::nova::compute::libvirt::libvirt_service_name}", path => "/etc/default/${::nova::compute::libvirt::libvirt_service_name}",
line => 'libvirtd_opts="-d -l"', line => 'libvirtd_opts="-d -l"',

28
spec/classes/nova_compute_libvirt_spec.rb
View File

@@ -90,6 +90,10 @@ describe 'nova::compute::libvirt' do
it { is_expected.to contain_class('nova::migration::libvirt')} it { is_expected.to contain_class('nova::migration::libvirt')}
it { is_expected.to contain_nova_config('DEFAULT/vncserver_listen').with_value('0.0.0.0')} it { is_expected.to contain_nova_config('DEFAULT/vncserver_listen').with_value('0.0.0.0')}
it { is_expected.to contain_file_line('/etc/default/libvirt-bin libvirtd opts').with(:line => 'libvirtd_opts="-d -l"') } it { is_expected.to contain_file_line('/etc/default/libvirt-bin libvirtd opts').with(:line => 'libvirtd_opts="-d -l"') }
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf listen_tls').with(:line => "listen_tls = 0") }
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf listen_tcp').with(:line => "listen_tcp = 1") }
it { is_expected.not_to contain_file_line('/etc/libvirt/libvirtd.conf auth_tls')}
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf auth_tcp').with(:line => "auth_tcp = \"none\"") }
end end
context 'with vncserver_listen set to ::0' do context 'with vncserver_listen set to ::0' do
@@ -101,6 +105,10 @@ describe 'nova::compute::libvirt' do
it { is_expected.to contain_class('nova::migration::libvirt')} it { is_expected.to contain_class('nova::migration::libvirt')}
it { is_expected.to contain_nova_config('DEFAULT/vncserver_listen').with_value('::0')} it { is_expected.to contain_nova_config('DEFAULT/vncserver_listen').with_value('::0')}
it { is_expected.to contain_file_line('/etc/default/libvirt-bin libvirtd opts').with(:line => 'libvirtd_opts="-d -l"') } it { is_expected.to contain_file_line('/etc/default/libvirt-bin libvirtd opts').with(:line => 'libvirtd_opts="-d -l"') }
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf listen_tls').with(:line => "listen_tls = 0") }
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf listen_tcp').with(:line => "listen_tcp = 1") }
it { is_expected.not_to contain_file_line('/etc/libvirt/libvirtd.conf auth_tls')}
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf auth_tcp').with(:line => "auth_tcp = \"none\"") }
end end
context 'with vncserver_listen not set to 0.0.0.0' do context 'with vncserver_listen not set to 0.0.0.0' do
@@ -215,6 +223,26 @@ describe 'nova::compute::libvirt' do
it { is_expected.to contain_class('nova::migration::libvirt')} it { is_expected.to contain_class('nova::migration::libvirt')}
it { is_expected.to contain_nova_config('DEFAULT/vncserver_listen').with_value('0.0.0.0')} it { is_expected.to contain_nova_config('DEFAULT/vncserver_listen').with_value('0.0.0.0')}
it { is_expected.to contain_file_line('/etc/sysconfig/libvirtd libvirtd args').with(:line => 'LIBVIRTD_ARGS="--listen"') }
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf listen_tls').with(:line => "listen_tls = 0") }
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf listen_tcp').with(:line => "listen_tcp = 1") }
it { is_expected.not_to contain_file_line('/etc/libvirt/libvirtd.conf auth_tls')}
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf auth_tcp').with(:line => "auth_tcp = \"none\"") }
end
context 'with vncserver_listen set to ::0' do
let :params do
{ :vncserver_listen => '::0',
:migration_support => true }
end
it { is_expected.to contain_class('nova::migration::libvirt')}
it { is_expected.to contain_nova_config('DEFAULT/vncserver_listen').with_value('::0')}
it { is_expected.to contain_file_line('/etc/sysconfig/libvirtd libvirtd args').with(:line => 'LIBVIRTD_ARGS="--listen"') }
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf listen_tls').with(:line => "listen_tls = 0") }
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf listen_tcp').with(:line => "listen_tcp = 1") }
it { is_expected.not_to contain_file_line('/etc/libvirt/libvirtd.conf auth_tls')}
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf auth_tcp').with(:line => "auth_tcp = \"none\"") }
end end
context 'with vncserver_listen not set to 0.0.0.0' do context 'with vncserver_listen not set to 0.0.0.0' do

52
spec/classes/nova_migration_libvirt_spec.rb
View File

@@ -31,12 +31,56 @@ describe 'nova::migration::libvirt' do
shared_examples_for 'nova migration with libvirt' do shared_examples_for 'nova migration with libvirt' do
it 'configure libvirtd.conf' do context 'with default params' do
is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf listen_tls').with(:line => 'listen_tls = 0') it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf listen_tls').with(:line => "listen_tls = 0") }
is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf listen_tcp').with(:line => 'listen_tcp = 1') it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf listen_tcp').with(:line => "listen_tcp = 1") }
is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf auth_tcp').with(:line => 'auth_tcp = "none"') it { is_expected.not_to contain_file_line('/etc/libvirt/libvirtd.conf auth_tls')}
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf auth_tcp').with(:line => "auth_tcp = \"none\"") }
end end
context 'with tls enabled' do
let :params do
{
:use_tls => true,
}
end
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf listen_tls').with(:line => "listen_tls = 1") }
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf listen_tcp').with(:line => "listen_tcp = 0") }
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf auth_tls').with(:line => "auth_tls = \"none\"") }
it { is_expected.not_to contain_file_line('/etc/libvirt/libvirtd.conf auth_tcp')}
it { is_expected.to contain_nova_config('libvirt/live_migration_uri').with_value('qemu+tls://%s/system')}
end
context 'with auth set to sasl' do
let :params do
{
:auth => 'sasl',
}
end
it { is_expected.not_to contain_file_line('/etc/libvirt/libvirtd.conf auth_tls')}
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf auth_tcp').with(:line => "auth_tcp = \"sasl\"") }
end
context 'with auth set to sasl and tls enabled' do
let :params do
{
:auth => 'sasl',
:use_tls => true
}
end
it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf auth_tls').with(:line => "auth_tls = \"sasl\"") }
it { is_expected.not_to contain_file_line('/etc/libvirt/libvirtd.conf auth_tcp')}
end
context 'with auth set to an invalid setting' do
let :params do
{
:auth => 'inexistent_auth',
}
end
it { expect { is_expected.to contain_class('nova::compute::libvirt') }.to \
raise_error(Puppet::Error, /Valid options for auth are none and sasl./) }
end
end end
context 'on Debian platforms' do context 'on Debian platforms' do