diff --git a/manifests/migration/libvirt.pp b/manifests/migration/libvirt.pp
index 70934a512..3e2cbd3b8 100644
--- a/manifests/migration/libvirt.pp
+++ b/manifests/migration/libvirt.pp
@@ -34,6 +34,16 @@
 # the availability of native encryption support in the hypervisor.
 # Defaults to $::os_service_default
 #
+# [*live_migration_with_native_tls*]
+# (optional) This option will allow both migration stream (guest RAM plus
+# device state) *and* disk stream to be transported over native TLS, i.e.
+# TLS support built into QEMU.
+# Prerequisite: TLS environment is configured correctly on all relevant
+# Compute nodes. This means, Certificate Authority (CA), server, client
+# certificates, their corresponding keys, and their file permisssions are
+# in place, and are validated.
+# Defaults to $::os_service_default
+#
 # [*live_migration_completion_timeout*]
 # (optional) Time to wait, in seconds, for migration to successfully complete
 # transferring data before aborting the operation. Value is per GiB of guest
@@ -73,6 +83,7 @@ class nova::migration::libvirt(
 $listen_address = undef,
 $live_migration_inbound_addr = $::os_service_default,
 $live_migration_tunnelled = $::os_service_default,
+ $live_migration_with_native_tls = $::os_service_default,
 $live_migration_completion_timeout = $::os_service_default,
 $override_uuid = false,
 $configure_libvirt = true,
@@ -134,6 +145,7 @@ class nova::migration::libvirt(
 nova_config {
 'libvirt/live_migration_uri': value => $live_migration_uri;
 'libvirt/live_migration_tunnelled': value => $live_migration_tunnelled;
+ 'libvirt/live_migration_with_native_tls': value => $live_migration_with_native_tls;
 'libvirt/live_migration_completion_timeout': value => $live_migration_completion_timeout;
 'libvirt/live_migration_inbound_addr': value => $live_migration_inbound_addr;
 }
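Review bot: The new parameter description in the first hunk (`@@ -34,6 +34,16 @@`) does not say how the option relates to `live_migration_tunnelled`, which is documented directly above it, so an operator could reasonably enable both. Nova's own option help advises against using the two together, so I would add `#   Should not be enabled together with live_migration_tunnelled.` before the `Defaults to` line. It would also help to state that the certificates and keys named in the prerequisite must be deployed outside this class, since nothing in the visible hunks manages them. `permisssions` on the seventh added line is a typo for `permissions`.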
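Review bot: In the third hunk (`@@ -134,6 +145,7 @@`) the new `libvirt/live_migration_with_native_tls` key is written with no check against the other migration settings, so `true` is accepted even when the libvirtd connection stays on plain TCP. The spec in this same commit shows the defaults as `qemu+tcp://%s/system` with `auth_tcp` set to `"none"`; with those, native TLS would cover the QEMU migration and NBD streams while the libvirtd control connection stays unauthenticated and unencrypted. Consider emitting a warning when the flag is true and the URI scheme is still `qemu+tcp`, for example `warning('live_migration_with_native_tls does not secure the libvirtd transport; qemu+tcp is still in use')`. The class body starts and ends outside this hunk, so an existing guard elsewhere cannot be ruled out.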
diff --git a/releasenotes/notes/add_live_migration_with_native_tls-4293ca305e98cdc3.yaml b/releasenotes/notes/add_live_migration_with_native_tls-4293ca305e98cdc3.yaml
new file mode 100644
index 000000000..ab016ddc9
--- /dev/null
+++ b/releasenotes/notes/add_live_migration_with_native_tls-4293ca305e98cdc3.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ https://review.openstack.org/625216 introduces a new setting which needs
+ set to true if native TLS for migration and disks over NBD is being used.
diff --git a/spec/classes/nova_migration_libvirt_spec.rb b/spec/classes/nova_migration_libvirt_spec.rb
index 827f874bb..e2cf4bfa0 100644
--- a/spec/classes/nova_migration_libvirt_spec.rb
+++ b/spec/classes/nova_migration_libvirt_spec.rb
@@ -47,6 +47,7 @@ describe 'nova::migration::libvirt' do
 it { is_expected.not_to contain_libvirtd_config('auth_tls') }
 it { is_expected.to contain_libvirtd_config('auth_tcp').with_value("\"none\"") }
 it { is_expected.to contain_nova_config('libvirt/live_migration_tunnelled').with_value('') }
+ it { is_expected.to contain_nova_config('libvirt/live_migration_with_native_tls').with_value('') }
 it { is_expected.to contain_nova_config('libvirt/live_migration_completion_timeout').with_value('') }
 it { is_expected.to contain_nova_config('libvirt/live_migration_uri').with_value('qemu+tcp://%s/system') }
 it { is_expected.to contain_nova_config('libvirt/live_migration_inbound_addr').with_value('')}
@@ -97,6 +98,15 @@ describe 'nova::migration::libvirt' do
 it { is_expected.to contain_nova_config('libvirt/live_migration_inbound_addr').with_value('host1.example.com')}
 end
 
+ context 'with live_migration_with_native_tls flags set' do
+ let :params do
+ {
+ :live_migration_with_native_tls => true,
+ }
+ end
+ it { is_expected.to contain_nova_config('libvirt/live_migration_with_native_tls').with(:value => true) }
+ end
+
 context 'with migration flags set' do
 let :params do
 {
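Review bot: The new context in the last spec hunk (`@@ -97,6 +98,15 @@`) only exercises `true` on its own, so nothing pins what the class does when an operator sets the option to `false`, or sets it alongside `live_migration_tunnelled`. For a setting that decides whether migration traffic is encrypted, I would add a second context with `:live_migration_with_native_tls => false` asserting `.with_value(false)`, so an explicit disable is shown to reach nova.conf rather than fall back to the service default. As a style point, the neighbouring assertions use `with_value(...)`, so `.with(:value => true)` would read more consistently as `.with_value(true)`. The trailing context lines belong to the next `context` block, which continues outside this hunk.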