Merge "Rework hypervisor utilization monitoring"
diff --git a/README.rst b/README.rst
index c5606e8..6d9c848 100644
--- a/README.rst
+++ b/README.rst
@@ -920,6 +920,33 @@
You can read more about injecting the administrator password here:
https://docs.openstack.org/nova/queens/admin/admin-password-injection.html
+Enable libvirt control channel over TLS
+---------------------
+
+By default TLS is disabled.
+
+Enable TLS transport.
+
+ compute:
+ libvirt:
+ tls:
+ enabled: True
+
+You able to set custom certificates in pillar:
+
+ nova:
+ compute:
+ libvirt:
+ tls:
+ key: (certificate content)
+ cert: (certificate content)
+ cacert: (certificate content)
+ client:
+ key: (certificate content)
+ cert: (certificate content)
+
+You can read more about live migration over TLS here:
+ https://wiki.libvirt.org/page/TLSCreateServerCerts
Documentation and Bugs
======================
diff --git a/nova/compute.sls b/nova/compute.sls
index 33d30de..5a13581 100644
--- a/nova/compute.sls
+++ b/nova/compute.sls
@@ -138,6 +138,74 @@
{%- endif %}
{%- endif %}
+{%- if compute.libvirt.get('tls',{}).get('enabled',False) %}
+{%- set ca_file=compute.libvirt.tls.get('ca_file') %}
+{%- set key_file=compute.libvirt.tls.get('key_file') %}
+{%- set cert_file=compute.libvirt.tls.get('cert_file') %}
+{%- set client_key_file=compute.libvirt.tls.client.get('key_file') %}
+{%- set client_cert_file=compute.libvirt.tls.client.get('cert_file') %}
+
+libvirt_ca_nova_compute:
+{%- if compute.libvirt.tls.cacert is defined %}
+ file.managed:
+ - name: {{ ca_file }}
+ - contents_pillar: nova:compute:libvirt:tls:cacert
+ - mode: 444
+ - makedirs: true
+{%- else %}
+ file.exists:
+ - name: {{ ca_file }}
+{%- endif %}
+
+libvirt_public_cert:
+{%- if compute.libvirt.tls.cert is defined %}
+ file.managed:
+ - name: {{ cert_file }}
+ - contents_pillar: nova:compute:libvirt:tls:cert
+ - mode: 440
+ - makedirs: true
+{%- else %}
+ file.exists:
+ - name: {{ cert_file }}
+{%- endif %}
+
+libvirt_private_key:
+{%- if compute.libvirt.tls.key is defined %}
+ file.managed:
+ - name: {{ key_file }}
+ - contents_pillar: nova:compute:libvirt:tls:key
+ - mode: 400
+ - makedirs: true
+{%- else %}
+ file.exists:
+ - name: {{ key_file }}
+{%- endif %}
+
+libvirt_client_public_cert:
+{%- if compute.libvirt.tls.client.cert is defined %}
+ file.managed:
+ - name: {{ client_cert_file }}
+ - contents_pillar: nova:compute:libvirt:tls:client:cert
+ - mode: 440
+ - makedirs: true
+{%- else %}
+ file.exists:
+ - name: {{ client_cert_file }}
+{%- endif %}
+
+libvirt_client_key:
+{%- if compute.libvirt.tls.client.key is defined %}
+ file.managed:
+ - name: {{ client_key_file }}
+ - contents_pillar: nova:compute:libvirt:tls:client:key
+ - mode: 400
+ - makedirs: true
+{%- else %}
+ file.exists:
+ - name: {{ client_key_file }}
+{%- endif %}
+{%- endif %}
+
nova_compute_services:
service.running:
- enable: true
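Review bot: The `file.exists` fallback branches (for example the one under `{%- else %}` in `libvirt_private_key` and `libvirt_client_key`) only assert that a pre-placed key is present and say nothing about its permissions, so a server or client key copied in by hand with a permissive mode passes the state untouched while the pillar-delivered path enforces `mode: 400`; either apply the same mode in the fallback or record the gap with a comment above the else branch such as `# NOTE: pre-existing key files are not re-permissioned; verify their mode out of band`. None of the five states carries a `watch_in`/`require_in` on the libvirtd service state (outside this hunk), so a key or certificate rotated through pillar may not be picked up until libvirtd is restarted for some other reason. Minor: `mode: 444`, `440` and `400` are unquoted YAML integers; Salt normalises them today, but the documented form is a quoted string (`- mode: '0400'`), which also protects against the octal trap should a leading zero ever be added.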
diff --git a/nova/controller.sls b/nova/controller.sls
index d8ea1b9..528e0b0 100644
--- a/nova/controller.sls
+++ b/nova/controller.sls
@@ -260,7 +260,7 @@
nova_cell1_create:
cmd.run:
- - name: nova-manage cell_v2 create_cell --name=cell1
+ - name: nova-manage cell_v2 create_cell --name=cell1 --verbose
{%- if grains.get('noservices') %}
- onlyif: /bin/false
{%- endif %}
@@ -364,7 +364,7 @@
nova_controller_discover_hosts:
cmd.run:
- - name: nova-manage cell_v2 discover_hosts
+ - name: nova-manage cell_v2 discover_hosts --verbose
{%- if grains.get('noservices') %}
- onlyif: /bin/false
{%- endif %}
diff --git a/nova/files/pike/libvirtd.conf.Debian b/nova/files/pike/libvirtd.conf.Debian
index 6f4afb9..0f6b341 100644
--- a/nova/files/pike/libvirtd.conf.Debian
+++ b/nova/files/pike/libvirtd.conf.Debian
@@ -22,11 +22,17 @@
# This is enabled by default, uncomment this to disable it
#listen_tls = 0
-
+{%- if compute.libvirt.tls.get('enabled', False) %}
+listen_tcp = 0
+listen_tls = 1
+key_file = {{compute.libvirt.tls.key_file|yaml_squote}}
+cert_file = {{compute.libvirt.tls.cert_file|yaml_squote}}
+ca_file = {{compute.libvirt.tls.ca_file|yaml_squote}}
+{% else %}
listen_tls = 0
listen_tcp = 1
auth_tcp = "none"
-
+{% endif %}
# Listen for unencrypted TCP connections on the public TCP/IP port.
# NB, must pass the --listen flag to the libvirtd process for this to
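Review bot: When the TLS branch renders `listen_tls = 1`, nothing in the hunk sets `tls_allowed_dn_list`, so with libvirt's default `auth_tls = "none"` any client presenting a certificate issued by the configured `ca_file` obtains full read-write access to the hypervisor; consider rendering a pillar-driven `tls_allowed_dn_list = [...]` next to the key/cert paths so access is limited to the compute hosts' certificate subjects, or at least document the reliance on the CA with a comment like `# NOTE: every certificate issued by ca_file is accepted; restrict with tls_allowed_dn_list`. The context at the end of the hunk points out that libvirtd must also run with `--listen` for either socket to open; that setting lives outside this hunk and the new pillar switch does not visibly touch it. The same hunk appears in `nova/files/queens/libvirtd.conf.Debian` and the same remarks apply there.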
diff --git a/nova/files/pike/nova-compute.conf.Debian b/nova/files/pike/nova-compute.conf.Debian
index e604d72..5427ce6 100644
--- a/nova/files/pike/nova-compute.conf.Debian
+++ b/nova/files/pike/nova-compute.conf.Debian
@@ -6009,10 +6009,14 @@
{%- endif %}
{%- endif %}
+{%- if compute.libvirt.tls.get('enabled', False) %}
+live_migration_scheme="tls"
+{%- else %}
{%- if compute.get('libvirt', {}).uri is defined %}
connection_uri={{ compute.libvirt.uri }}
{%- endif %}
-#
+{%- endif %}
+
# The ID of the image to boot from to rescue data from a corrupted instance.
#
# If the rescue REST API operation doesn't provide an ID of an image to
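Review bot: The new `{%- else %}` wraps the existing `connection_uri` block, so turning on TLS silently discards a `compute.libvirt.uri` the operator configured, even though `connection_uri` (the local libvirt connection) and `live_migration_scheme` (the migration transport) are independent settings; unless the intent is to forbid a custom URI together with TLS, move the `connection_uri` lines out of the else branch, or add a comment stating why the two are treated as mutually exclusive. `live_migration_scheme="tls"` is also the only assignment in this section written with surrounding quotes while the neighbouring `connection_uri={{ compute.libvirt.uri }}` is bare; oslo.config tolerates the quotes, but `live_migration_scheme = tls` would match the file's existing style. The same hunk appears in `nova/files/queens/nova-compute.conf.Debian`, where both remarks apply.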
diff --git a/nova/files/queens/libvirtd.conf.Debian b/nova/files/queens/libvirtd.conf.Debian
index 6f4afb9..0f6b341 100644
--- a/nova/files/queens/libvirtd.conf.Debian
+++ b/nova/files/queens/libvirtd.conf.Debian
@@ -22,11 +22,17 @@
# This is enabled by default, uncomment this to disable it
#listen_tls = 0
-
+{%- if compute.libvirt.tls.get('enabled', False) %}
+listen_tcp = 0
+listen_tls = 1
+key_file = {{compute.libvirt.tls.key_file|yaml_squote}}
+cert_file = {{compute.libvirt.tls.cert_file|yaml_squote}}
+ca_file = {{compute.libvirt.tls.ca_file|yaml_squote}}
+{% else %}
listen_tls = 0
listen_tcp = 1
auth_tcp = "none"
-
+{% endif %}
# Listen for unencrypted TCP connections on the public TCP/IP port.
# NB, must pass the --listen flag to the libvirtd process for this to
diff --git a/nova/files/queens/nova-compute.conf.Debian b/nova/files/queens/nova-compute.conf.Debian
index ba41a41..10e9cc8 100644
--- a/nova/files/queens/nova-compute.conf.Debian
+++ b/nova/files/queens/nova-compute.conf.Debian
@@ -3357,7 +3357,7 @@
{%- endif %}
{%- set _data = compute.message_queue %}
-{%- include "oslo_templates/files/queens/oslo/_messaging_default.conf" %}
+{%- include "oslo_templates/files/queens/oslo/messaging/_default.conf" %}
[api]
#
@@ -3712,9 +3712,9 @@
[api_database]
{%- set _data = {} %}
-{%- do _data.update(controller.database) %}
+{%- do _data.update(compute.database) %}
{%- do _data.update({'name': 'nova_api'}) %}
-{%- if _data.ssl is defined and 'cacert_file' not in _data.get('ssl', {}).keys() %}{% do _data['ssl'].update({'cacert_file': controller.cacert_file}) %}{% endif %}
+{%- if _data.ssl is defined and 'cacert_file' not in _data.get('ssl', {}).keys() %}{% do _data['ssl'].update({'cacert_file': compute.cacert_file}) %}{% endif %}
{%- include "oslo_templates/files/queens/oslo/_database.conf" %}
{%- if compute.get('barbican', {}).get('enabled', False) %}
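Review bot: The `[api_database]` section now renders `compute.database` credentials (and `compute.cacert_file`) into nova-compute.conf, so every compute host carries a copy of the API database credentials; nova documents nova-compute as not needing direct database access, so it is worth confirming whether this section is needed on compute nodes at all and, if not, guarding it behind a pillar switch or dropping it rather than just pointing it at the compute map. If it is needed, `compute.cacert_file` is dereferenced without a default, unlike `compute.get('barbican', {})` two lines below, so a pillar that sets `ssl` without `cacert_file` presumably fails to render instead of falling back. The enclosing section continues beyond the hunk.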
@@ -6253,9 +6253,13 @@
{%- endif %}
{%- endif %}
+{%- if compute.libvirt.tls.get('enabled', False) %}
+live_migration_scheme="tls"
+{%- else %}
{%- if compute.get('libvirt', {}).uri is defined %}
connection_uri={{ compute.libvirt.uri }}
{%- endif %}
+{%- endif %}
#
# The ID of the image to boot from to rescue data from a corrupted
diff --git a/nova/files/queens/nova-controller.conf.Debian b/nova/files/queens/nova-controller.conf.Debian
index 50e03d6..8883c82 100644
--- a/nova/files/queens/nova-controller.conf.Debian
+++ b/nova/files/queens/nova-controller.conf.Debian
@@ -3191,6 +3191,7 @@
# requests.
# (string value)
#osapi_compute_listen = 0.0.0.0
+osapi_compute_listen = {{ controller.bind.private_address }}
#
# Port on which the OpenStack API will listen.
@@ -7695,6 +7696,7 @@
# * metadata_proxy_shared_secret
# (boolean value)
#service_metadata_proxy = false
+service_metadata_proxy=True
#
# This option holds the shared secret string used to validate proxy
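Review bot: `service_metadata_proxy=True` is written without spaces and in a different case from every other assignment in this file (`#service_metadata_proxy = false` directly above); oslo.config accepts it, but `service_metadata_proxy = true` matches the surrounding style. The option is rendered unconditionally, while the companion `metadata_proxy_shared_secret` in the next hunk is only rendered when networking is not contrail, so the two halves of the proxy configuration are switched on under different conditions; see the note on that hunk.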
@@ -7708,6 +7710,9 @@
# * service_metadata_proxy
# (string value)
#metadata_proxy_shared_secret =
+{%- if controller.get('networking', 'default') != "contrail" %}
+metadata_proxy_shared_secret = {{ controller.metadata.password }}
+{%- endif %}
# PEM encoded Certificate Authority to use when verifying HTTPs
# connections. (string value)
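Review bot: When `controller.networking` is `contrail`, the proxy is left enabled by the previous hunk but no `metadata_proxy_shared_secret` is rendered, so the `X-Instance-ID-Signature` check presumably runs against nova's default (empty) secret unless something outside this diff sets it; if the contrail path intentionally relies on a secret managed elsewhere, a comment above the `{%- if %}` such as `# contrail: the proxy shared secret is configured on the vrouter side` would record that, otherwise the secret should be rendered for that case as well. `{{ controller.metadata.password }}` is also emitted bare, so a password with leading or trailing whitespace is trimmed by the INI parser; wrapping the value in double quotes, which oslo.config strips, guards the common cases. Because the plaintext secret now lands in nova-controller.conf, the state that writes this file (outside the diff) should keep its mode unreadable to other local users.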
diff --git a/nova/map.jinja b/nova/map.jinja
index 1ab5e4c..f5b55ec 100644
--- a/nova/map.jinja
+++ b/nova/map.jinja
@@ -127,6 +127,14 @@
libvirt:
inject_partition: '-2'
inject_password: False
+ tls:
+ enabled: False
+ key_file: '/etc/pki/libvirt/private/serverkey.pem'
+ cert_file: '/etc/pki/libvirt/servercert.pem'
+ ca_file: '/etc/pki/CA/cacert.pem'
+ client:
+ key_file: '/etc/pki/libvirt/private/clientkey.pem'
+ cert_file: '/etc/pki/libvirt/clientcert.pem'
instances_path: "$state_path/instances"
notification: false
availability_zone:
@@ -163,6 +171,14 @@
libvirt:
inject_partition: '-2'
inject_password: False
+ tls:
+ enabled: False
+ key_file: '/etc/pki/libvirt/private/serverkey.pem'
+ cert_file: '/etc/pki/libvirt/servercert.pem'
+ ca_file: '/etc/pki/CA/cacert.pem'
+ client:
+ key_file: '/etc/pki/libvirt/private/clientkey.pem'
+ cert_file: '/etc/pki/libvirt/clientcert.pem'
notification: false
availability_zone:
identity: