Use newer configuration options for libvirt's live migration URI

The live_migration_uri option that was being used in case TLS is used in live migration doesn't permit the usage of a host other than the one detected automatically by nova. This is problematic for cases like TLS where the address needs to match the certificate's SubjectAltName entry. So instead, this patch takes into use the two recommended options: * live_migration_inbound_addr * live_migration_scheme These will be used by nova to determine the URI. On the other hand, libvirt_migration_uri is set to be deprecated at some point. But, a way to add the query parameters to the query is needed before this happens. Change-Id: I0a1684397ebefaa8dc00237e0b7952e9296381fa
2017-03-31 10:16:21 +03:00
parent d3b953cdd9
commit 71b6c8c5f7
3 changed files with 49 additions and 3 deletions
--- a/manifests/migration/libvirt.pp
+++ b/manifests/migration/libvirt.pp
@@ -18,6 +18,14 @@
 #   (optional) Bind libvirtd tcp/tls socket to the given address.
 #   Defaults to undef (bind to all addresses)
 #
+# [*live_migration_inbound_addr*]
+#   (optional) The IP address or hostname to be used as the target for live
+#   migration traffic. If left unset, and if TLS is enabled, this module will
+#   default the 'live_migration_uri' to 'qemu+tls://%s/system' to be compatible
+#   with the previous behavior of this module. However, the usage of
+#   'live_migration_uri' is not recommended as it's scheduled for removal.
+#   Defaults to $::os_service_default
+#
 # [*live_migration_tunnelled*]
 #   (optional) Whether to use tunnelled migration, where migration data is
 #   transported over the libvirtd connection.
@@ -79,6 +87,7 @@ class nova::migration::libvirt(
  $transport                         = undef,
  $auth                              = 'none',
  $listen_address                    = undef,
+  $live_migration_inbound_addr       = $::os_service_default,
  $live_migration_tunnelled          = $::os_service_default,
  $live_migration_completion_timeout = $::os_service_default,
  $live_migration_progress_timeout   = $::os_service_default,
@@ -120,7 +129,6 @@ class nova::migration::libvirt(
  }

  if $configure_nova {
-
    if $transport_real == 'ssh' {
      if $client_user {
        $prefix =  "${client_user}@"
@@ -145,13 +153,21 @@ class nova::migration::libvirt(
      $extra_params =''
    }

-    $live_migration_uri = "qemu+${transport_real}://${prefix}%s${postfix}/system${extra_params}"
+    if is_service_default($live_migration_inbound_addr) {
+      $live_migration_uri = "qemu+${transport_real}://${prefix}%s${postfix}/system${extra_params}"
+      $live_migration_scheme = $::os_service_default
+    } else {
+      $live_migration_uri = $::os_service_default
+      $live_migration_scheme = $transport_real
+    }

    nova_config {
      'libvirt/live_migration_uri':                value => $live_migration_uri;
      'libvirt/live_migration_tunnelled':          value => $live_migration_tunnelled;
      'libvirt/live_migration_completion_timeout': value => $live_migration_completion_timeout;
      'libvirt/live_migration_progress_timeout':   value => $live_migration_progress_timeout;
+      'libvirt/live_migration_inbound_addr':       value => $live_migration_inbound_addr;
+      'libvirt/live_migration_scheme':             value => $live_migration_scheme;
    }
  }

--- a/releasenotes/notes/add-live-migration-inbound-addr-and-scheme-b5f864ce3f0e58f9.yaml
+++ b/releasenotes/notes/add-live-migration-inbound-addr-and-scheme-b5f864ce3f0e58f9.yaml
@@ -0,0 +1,11 @@
+---
+features:
+  - The paremeter 'live_migration_inbound_addr' was introduced to the libvirt
+    live migration module. This sets the configuration option with the same
+    name in the nova configuration, in the 'libvirt' section.
+  - If TLS is enabled for libvirt's live migration, the module will set the
+    configuration option named 'live_migration_scheme' in the 'libvirt' section
+    to have the value 'tls'. This will be used by nova to form the scheme for
+    the live migration URI, e.g. 'qemu+tls://...'.
+  - Note that the usage of 'live_migratin_inbound_addr' doesn't permit adding
+    extra parameters to the live migration URI as of the writing of this.
--- a/spec/classes/nova_migration_libvirt_spec.rb
+++ b/spec/classes/nova_migration_libvirt_spec.rb
@@ -48,7 +48,8 @@ describe 'nova::migration::libvirt' do
      it { is_expected.to contain_nova_config('libvirt/live_migration_completion_timeout').with_value('<SERVICE DEFAULT>') }
      it { is_expected.to contain_nova_config('libvirt/live_migration_progress_timeout').with_value('<SERVICE DEFAULT>') }
      it { is_expected.to contain_nova_config('libvirt/live_migration_uri').with_value('qemu+tcp://%s/system') }
-
+      it { is_expected.to contain_nova_config('libvirt/live_migration_inbound_addr').with_value('<SERVICE DEFAULT>')}
+      it { is_expected.to contain_nova_config('libvirt/live_migration_scheme').with_value('<SERVICE DEFAULT>')}
    end

    context 'with override_uuid enabled' do
@@ -79,6 +80,8 @@ describe 'nova::migration::libvirt' do
      it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf auth_tls').with(:line => "auth_tls = \"none\"") }
      it { is_expected.not_to contain_file_line('/etc/libvirt/libvirtd.conf auth_tcp')}
      it { is_expected.to contain_nova_config('libvirt/live_migration_uri').with_value('qemu+tls://%s/system')}
+      it { is_expected.to contain_nova_config('libvirt/live_migration_inbound_addr').with_value('<SERVICE DEFAULT>')}
+      it { is_expected.to contain_nova_config('libvirt/live_migration_scheme').with_value('<SERVICE DEFAULT>')}
    end

    context 'with tls enabled' do
@@ -94,6 +97,22 @@ describe 'nova::migration::libvirt' do
      it { is_expected.to contain_nova_config('libvirt/live_migration_uri').with_value('qemu+tls://%s/system')}
    end

+    context 'with tls enabled and inbound addr set' do
+      let :params do
+        {
+          :transport                   => 'tls',
+          :live_migration_inbound_addr => 'host1.example.com',
+        }
+      end
+      it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf listen_tls').with(:line => "listen_tls = 1") }
+      it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf listen_tcp').with(:line => "listen_tcp = 0") }
+      it { is_expected.to contain_file_line('/etc/libvirt/libvirtd.conf auth_tls').with(:line => "auth_tls = \"none\"") }
+      it { is_expected.not_to contain_file_line('/etc/libvirt/libvirtd.conf auth_tcp')}
+      it { is_expected.to contain_nova_config('libvirt/live_migration_uri').with_value('<SERVICE DEFAULT>')}
+      it { is_expected.to contain_nova_config('libvirt/live_migration_inbound_addr').with_value('host1.example.com')}
+      it { is_expected.to contain_nova_config('libvirt/live_migration_scheme').with_value('tls')}
+    end
+
    context 'with migration flags set' do
      let :params do
        {