openstack/puppet-nova
Code Issues Proposed changes
Files
73f4c6615414b2931d674ab46c49133cafc5bbfe
puppet-nova/manifests/migration/libvirt.pp
Juan Antonio Osorio Robles 71b6c8c5f7 Use newer configuration options for libvirt's live migration URI 
The live_migration_uri option that was being used in case TLS is used in
live migration doesn't permit the usage of a host other than the one
detected automatically by nova. This is problematic for cases like TLS
where the address needs to match the certificate's SubjectAltName entry.
So instead, this patch takes into use the two recommended options:

* live_migration_inbound_addr
* live_migration_scheme

These will be used by nova to determine the URI.

On the other hand, libvirt_migration_uri is set to be deprecated at some
point. But, a way to add the query parameters to the query is
needed before this happens.

Change-Id: I0a1684397ebefaa8dc00237e0b7952e9296381fa
2017-04-04 13:11:11 +03:00

318 lines
11 KiB
Puppet
Raw Blame History

# == Class: nova::migration::libvirt
#
# Sets libvirt config that is required for migration
#
# === Parameters:
#
# [*transport*]
# (optional) Transport to use for live-migration.
# Valid options are 'tcp', 'tls', and 'ssh'.
# Defaults to 'tcp'
#
# [*auth*]
# (optional) Use this authentication scheme for remote libvirt connections.
# Valid options are none and sasl.
# Defaults to 'none'
#
# [*listen_address*]
# (optional) Bind libvirtd tcp/tls socket to the given address.
# Defaults to undef (bind to all addresses)
#
# [*live_migration_inbound_addr*]
# (optional) The IP address or hostname to be used as the target for live
# migration traffic. If left unset, and if TLS is enabled, this module will
# default the 'live_migration_uri' to 'qemu+tls://%s/system' to be compatible
# with the previous behavior of this module. However, the usage of
# 'live_migration_uri' is not recommended as it's scheduled for removal.
# Defaults to $::os_service_default
#
# [*live_migration_tunnelled*]
# (optional) Whether to use tunnelled migration, where migration data is
# transported over the libvirtd connection.
# If True, we use the VIR_MIGRATE_TUNNELLED migration flag, avoiding the
# need to configure the network to allow direct hypervisor to hypervisor
# communication.
# If False, use the native transport.
# If not set, Nova will choose a sensible default based on, for example
# the availability of native encryption support in the hypervisor.
# Defaults to $::os_service_default
#
# [*live_migration_completion_timeout*]
# (optional) Time to wait, in seconds, for migration to successfully complete
# transferring data before aborting the operation. Value is per GiB of guest
# RAM + disk to be transferred, with lower bound of a minimum of 2 GiB. Set
# to 0 to disable timeouts.
# Defaults to $::os_service_default
#
# [*live_migration_progress_timeout*]
# (optional) Time to wait, in seconds, for migration to make forward progress
# in transferring data before aborting the operation. Set to 0 to disable
# timeouts.
# Defaults to $::os_service_default
#
# [*override_uuid*]
# (optional) Set uuid not equal to output from dmidecode (boolean)
# Defaults to false
#
# [*configure_libvirt*]
# (optional) Whether or not configure libvirt bits.
# Defaults to true.
#
# [*configure_nova*]
# (optional) Whether or not configure libvirt bits.
# Defaults to true.
#
# [*client_user*]
# (optional) Remote user to connect as.
# Only applies to ssh transport.
# Defaults to undef (root)
#
# [*client_port*]
# (optional) Remote port to connect to.
# Defaults to undef (default port for the transport)
#
# [*client_extraparams*]
# (optional) Hash of additional params to append to the live-migraition uri
# See https://libvirt.org/guide/html/Application_Development_Guide-Architecture-Remote_URIs.html
# Defaults to {}
#
# DEPRECATED PARAMETERS
#
# [*use_tls*]
# (optional) Use tls for remote connections to libvirt
# Defaults to false
# Deprecated by transport paramater.
#
class nova::migration::libvirt(
$transport = undef,
$auth = 'none',
$listen_address = undef,
$live_migration_inbound_addr = $::os_service_default,
$live_migration_tunnelled = $::os_service_default,
$live_migration_completion_timeout = $::os_service_default,
$live_migration_progress_timeout = $::os_service_default,
$override_uuid = false,
$configure_libvirt = true,
$configure_nova = true,
$client_user = undef,
$client_port = undef,
$client_extraparams = {},
# DEPRECATED PARAMETERS
$use_tls = false,
){
include ::nova::deps
if $transport {
$transport_real = $transport
} elsif $use_tls {
warning(
'The use_tls parameter is now deprecated and will be removed in the Queens cycle. Please set transport=tls instead.'
)
$transport_real = 'tls'
} else {
$transport_real = 'tcp'
}
validate_re($transport_real, ['^tcp$', '^tls$', '^ssh$'], 'Valid options for transport are tcp, tls, ssh.')
validate_re($auth, [ '^sasl$', '^none$' ], 'Valid options for auth are none and sasl.')
if $transport_real == 'tls' {
$listen_tls = '1'
$listen_tcp = '0'
} elsif $transport_real == 'tcp' {
$listen_tls = '0'
$listen_tcp = '1'
} else {
$listen_tls = '0'
$listen_tcp = '0'
}
if $configure_nova {
if $transport_real == 'ssh' {
if $client_user {
$prefix = "${client_user}@"
} else {
$prefix = ''
}
} else {
$prefix = ''
}
if $client_port {
$postfix = ":${client_port}"
} else {
$postfix = ''
}
if $client_extraparams != {} {
$extra_params_before_python_escape = join(uriescape(join_keys_to_values($client_extraparams, '=')), '&')
# Must escape % as nova interprets it incorrecly.
$extra_params = sprintf('?%s', regsubst($extra_params_before_python_escape, '%', '%%', 'G'))
} else {
$extra_params =''
}
if is_service_default($live_migration_inbound_addr) {
$live_migration_uri = "qemu+${transport_real}://${prefix}%s${postfix}/system${extra_params}"
$live_migration_scheme = $::os_service_default
} else {
$live_migration_uri = $::os_service_default
$live_migration_scheme = $transport_real
}
nova_config {
'libvirt/live_migration_uri': value => $live_migration_uri;
'libvirt/live_migration_tunnelled': value => $live_migration_tunnelled;
'libvirt/live_migration_completion_timeout': value => $live_migration_completion_timeout;
'libvirt/live_migration_progress_timeout': value => $live_migration_progress_timeout;
'libvirt/live_migration_inbound_addr': value => $live_migration_inbound_addr;
'libvirt/live_migration_scheme': value => $live_migration_scheme;
}
}
if $configure_libvirt {
Anchor['nova::config::begin']
-> File_line<| tag == 'libvirt-file_line'|>
-> Anchor['nova::config::end']
File_line<| tag == 'libvirt-file_line' |>
~> Service['libvirt']
if $override_uuid {
if ! $::libvirt_uuid {
$host_uuid = generate('/bin/cat', '/proc/sys/kernel/random/uuid')
file { '/etc/libvirt/libvirt_uuid':
content => $host_uuid,
require => Package['libvirt'],
}
} else {
$host_uuid = $::libvirt_uuid
}
augeas { 'libvirt-conf-uuid':
context => '/files/etc/libvirt/libvirtd.conf',
changes => [
"set host_uuid ${host_uuid}",
],
notify => Service['libvirt'],
require => Package['libvirt'],
}
}
case $::osfamily {
'RedHat': {
file_line { '/etc/libvirt/libvirtd.conf listen_tls':
path => '/etc/libvirt/libvirtd.conf',
line => "listen_tls = ${listen_tls}",
match => 'listen_tls =',
tag => 'libvirt-file_line',
}
file_line { '/etc/libvirt/libvirtd.conf listen_tcp':
path => '/etc/libvirt/libvirtd.conf',
line => "listen_tcp = ${listen_tcp}",
match => 'listen_tcp =',
tag => 'libvirt-file_line',
}
if $transport_real == 'tls' {
file_line { '/etc/libvirt/libvirtd.conf auth_tls':
path => '/etc/libvirt/libvirtd.conf',
line => "auth_tls = \"${auth}\"",
match => 'auth_tls =',
tag => 'libvirt-file_line',
}
} elsif $transport_real == 'tcp' {
file_line { '/etc/libvirt/libvirtd.conf auth_tcp':
path => '/etc/libvirt/libvirtd.conf',
line => "auth_tcp = \"${auth}\"",
match => 'auth_tcp =',
tag => 'libvirt-file_line',
}
}
if $listen_address {
file_line { '/etc/libvirt/libvirtd.conf listen_address':
path => '/etc/libvirt/libvirtd.conf',
line => "listen_addr = \"${listen_address}\"",
match => 'listen_addr =',
tag => 'libvirt-file_line',
}
}
if $transport_real != 'ssh' {
file_line { '/etc/sysconfig/libvirtd libvirtd args':
path => '/etc/sysconfig/libvirtd',
line => 'LIBVIRTD_ARGS="--listen"',
match => 'LIBVIRTD_ARGS=',
tag => 'libvirt-file_line',
}
}
}
'Debian': {
file_line { '/etc/libvirt/libvirtd.conf listen_tls':
path => '/etc/libvirt/libvirtd.conf',
line => "listen_tls = ${listen_tls}",
match => 'listen_tls =',
tag => 'libvirt-file_line',
}
file_line { '/etc/libvirt/libvirtd.conf listen_tcp':
path => '/etc/libvirt/libvirtd.conf',
line => "listen_tcp = ${listen_tcp}",
match => 'listen_tcp =',
tag => 'libvirt-file_line',
}
if $transport_real == 'tls' {
file_line { '/etc/libvirt/libvirtd.conf auth_tls':
path => '/etc/libvirt/libvirtd.conf',
line => "auth_tls = \"${auth}\"",
match => 'auth_tls =',
tag => 'libvirt-file_line',
}
} elsif $transport_real == 'tcp' {
file_line { '/etc/libvirt/libvirtd.conf auth_tcp':
path => '/etc/libvirt/libvirtd.conf',
line => "auth_tcp = \"${auth}\"",
match => 'auth_tcp =',
tag => 'libvirt-file_line',
}
}
if $listen_address {
file_line { '/etc/libvirt/libvirtd.conf listen_address':
path => '/etc/libvirt/libvirtd.conf',
line => "listen_addr = \"${listen_address}\"",
match => 'listen_addr =',
tag => 'libvirt-file_line',
}
}
if $transport_real != 'ssh' {
if $::operatingsystem == 'Ubuntu' and versioncmp($::operatingsystemmajrelease, '16') >= 0 {
# If systemd is being used then libvirtd is already being launched correctly and
# adding -d causes a second consecutive start to fail which causes puppet to fail.
$libvirtd_opts = 'libvirtd_opts="-l"'
} else {
$libvirtd_opts = 'libvirtd_opts="-d -l"'
}
file_line { "/etc/default/${::nova::compute::libvirt::libvirt_service_name} libvirtd opts":
path => "/etc/default/${::nova::compute::libvirt::libvirt_service_name}",
line => $libvirtd_opts,
match => 'libvirtd_opts=',
tag => 'libvirt-file_line',
}
}
}
default: {
warning("Unsupported osfamily: ${::osfamily}, make sure you are configuring this yourself")
}
}
}
}
View Git Blame Copy Permalink