Merge "Rework hypervisor utilization monitoring"
diff --git a/README.rst b/README.rst
index c5606e8..6d9c848 100644
--- a/README.rst
+++ b/README.rst
@@ -920,6 +920,33 @@
 You can read more about injecting the administrator password here:
     https://docs.openstack.org/nova/queens/admin/admin-password-injection.html
 
+Enable libvirt control channel over TLS
+---------------------
+
+By default TLS is disabled.
+
+Enable TLS transport.
+
+  compute:
+    libvirt:
+      tls:
+        enabled: True
+
+You able to set custom certificates in pillar:
+
+  nova:
+    compute:
+      libvirt:
+        tls:
+          key: (certificate content)
+          cert: (certificate content)
+          cacert: (certificate content)
+          client:
+            key: (certificate content)
+            cert: (certificate content)
+
+You can read more about live migration over TLS here:
+    https://wiki.libvirt.org/page/TLSCreateServerCerts
 
 Documentation and Bugs
 ======================
diff --git a/nova/compute.sls b/nova/compute.sls
index 33d30de..5a13581 100644
--- a/nova/compute.sls
+++ b/nova/compute.sls
@@ -138,6 +138,74 @@
 {%- endif %}
 {%- endif %}
 
+{%- if compute.libvirt.get('tls',{}).get('enabled',False)  %}
+{%- set ca_file=compute.libvirt.tls.get('ca_file') %}
+{%- set key_file=compute.libvirt.tls.get('key_file') %}
+{%- set cert_file=compute.libvirt.tls.get('cert_file') %}
+{%- set client_key_file=compute.libvirt.tls.client.get('key_file') %}
+{%- set client_cert_file=compute.libvirt.tls.client.get('cert_file') %}
+
+libvirt_ca_nova_compute:
+{%- if compute.libvirt.tls.cacert is defined %}
+  file.managed:
+    - name: {{ ca_file }}
+    - contents_pillar: nova:compute:libvirt:tls:cacert
+    - mode: 444
+    - makedirs: true
+{%- else %}
+  file.exists:
+   - name: {{ ca_file }}
+{%- endif %}
+
+libvirt_public_cert:
+{%- if compute.libvirt.tls.cert is defined %}
+  file.managed:
+    - name: {{ cert_file }}
+    - contents_pillar: nova:compute:libvirt:tls:cert
+    - mode: 440
+    - makedirs: true
+{%- else %}
+  file.exists:
+   - name: {{ cert_file }}
+{%- endif %}
+
+libvirt_private_key:
+{%- if compute.libvirt.tls.key is defined %}
+  file.managed:
+    - name: {{ key_file }}
+    - contents_pillar: nova:compute:libvirt:tls:key
+    - mode: 400
+    - makedirs: true
+{%- else %}
+  file.exists:
+   - name: {{ key_file }}
+{%- endif %}
+
+libvirt_client_public_cert:
+{%- if compute.libvirt.tls.client.cert is defined %}
+  file.managed:
+    - name: {{ client_cert_file }}
+    - contents_pillar: nova:compute:libvirt:tls:client:cert
+    - mode: 440
+    - makedirs: true
+{%- else %}
+  file.exists:
+   - name: {{ client_cert_file }}
+{%- endif %}
+
+libvirt_client_key:
+{%- if compute.libvirt.tls.client.key is defined %}
+  file.managed:
+    - name: {{ client_key_file }}
+    - contents_pillar: nova:compute:libvirt:tls:client:key
+    - mode: 400
+    - makedirs: true
+{%- else %}
+  file.exists:
+   - name: {{ client_key_file }}
+{%- endif %}
+{%- endif %}
+
 nova_compute_services:
   service.running:
   - enable: true
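Review bot: The `libvirt_private_key` and `libvirt_client_key` states render private key material from pillar via `contents_pillar`, and with Salt's default `show_changes: True` the full diff of the key file is returned in the state output and kept in the master job cache whenever the content changes; add `- show_changes: False` to those two states (and arguably to the certificate ones). The `file.exists` fallbacks use a three-space list indent (`   - name: {{ key_file }}`) where every `file.managed` in the same hunk uses four — valid YAML, but inconsistent within the file. Nothing in this hunk restarts libvirtd when a key or certificate is replaced; if the libvirtd service state outside this hunk does not `watch` these files, a rotated certificate is not picked up until the next restart — confirm.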
diff --git a/nova/controller.sls b/nova/controller.sls
index d8ea1b9..528e0b0 100644
--- a/nova/controller.sls
+++ b/nova/controller.sls
@@ -260,7 +260,7 @@
 
 nova_cell1_create:
   cmd.run:
-  - name: nova-manage cell_v2 create_cell --name=cell1
+  - name: nova-manage cell_v2 create_cell --name=cell1 --verbose
   {%- if grains.get('noservices') %}
   - onlyif: /bin/false
   {%- endif %}
@@ -364,7 +364,7 @@
 
 nova_controller_discover_hosts:
   cmd.run:
-  - name: nova-manage cell_v2 discover_hosts
+  - name: nova-manage cell_v2 discover_hosts --verbose
   {%- if grains.get('noservices') %}
   - onlyif: /bin/false
   {%- endif %}
diff --git a/nova/files/pike/libvirtd.conf.Debian b/nova/files/pike/libvirtd.conf.Debian
index 6f4afb9..0f6b341 100644
--- a/nova/files/pike/libvirtd.conf.Debian
+++ b/nova/files/pike/libvirtd.conf.Debian
@@ -22,11 +22,17 @@
 # This is enabled by default, uncomment this to disable it
 #listen_tls = 0
 
-
+{%- if compute.libvirt.tls.get('enabled', False) %}
+listen_tcp = 0
+listen_tls = 1
+key_file = {{compute.libvirt.tls.key_file|yaml_squote}}
+cert_file = {{compute.libvirt.tls.cert_file|yaml_squote}}
+ca_file = {{compute.libvirt.tls.ca_file|yaml_squote}}
+{% else %}
 listen_tls = 0
 listen_tcp = 1
 auth_tcp = "none"
-
+{% endif %}
 
 # Listen for unencrypted TCP connections on the public TCP/IP port.
 # NB, must pass the --listen flag to the libvirtd process for this to
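Review bot: With `listen_tls = 1` and no `tls_allowed_dn_list`, libvirtd accepts any client presenting a certificate issued by `ca_file`; if that CA also issues certificates to other services, accepted client DNs should be restricted, or the README should state that the CA must be dedicated to libvirt — a pillar-driven `tls_allowed_dn_list = [...]` line next to `ca_file` would cover it. The new `{% else %}` and `{% endif %}` drop the `-` whitespace control that every other Jinja tag in this template uses, leaving stray blank lines in the rendered file; write `{%- else %}` / `{%- endif %}`. Both points apply identically to the hunk in nova/files/queens/libvirtd.conf.Debian. As the comment below this hunk says, TLS listening still requires libvirtd to run with `--listen`; whether the state sets that is outside this hunk.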
diff --git a/nova/files/pike/nova-compute.conf.Debian b/nova/files/pike/nova-compute.conf.Debian
index e604d72..5427ce6 100644
--- a/nova/files/pike/nova-compute.conf.Debian
+++ b/nova/files/pike/nova-compute.conf.Debian
@@ -6009,10 +6009,14 @@
 {%- endif %}
 {%- endif %}
 
+{%- if compute.libvirt.tls.get('enabled', False) %}
+live_migration_scheme="tls"
+{%- else %}
 {%- if compute.get('libvirt', {}).uri is defined %}
 connection_uri={{ compute.libvirt.uri }}
 {%- endif %}
-#
+{%- endif %}
+
 # The ID of the image to boot from to rescue data from a corrupted instance.
 #
 # If the rescue REST API operation doesn't provide an ID of an image to
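Review bot: The new `if compute.libvirt.tls.get('enabled', False)` / `else` makes `live_migration_scheme` and `connection_uri` mutually exclusive, so enabling TLS silently discards a pillar-set `compute.libvirt.uri` even though the migration scheme and the local connection URI are independent settings. Close the TLS block on its own and leave the existing `connection_uri` block unconditional: `{%- if compute.libvirt.tls.get('enabled', False) %}`, `live_migration_scheme="tls"`, `{%- endif %}`, followed by the unchanged `{%- if compute.get('libvirt', {}).uri is defined %}` block. The same structure is repeated in the hunk for nova/files/queens/nova-compute.conf.Debian at `@@ -6253`.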
diff --git a/nova/files/queens/libvirtd.conf.Debian b/nova/files/queens/libvirtd.conf.Debian
index 6f4afb9..0f6b341 100644
--- a/nova/files/queens/libvirtd.conf.Debian
+++ b/nova/files/queens/libvirtd.conf.Debian
@@ -22,11 +22,17 @@
 # This is enabled by default, uncomment this to disable it
 #listen_tls = 0
 
-
+{%- if compute.libvirt.tls.get('enabled', False) %}
+listen_tcp = 0
+listen_tls = 1
+key_file = {{compute.libvirt.tls.key_file|yaml_squote}}
+cert_file = {{compute.libvirt.tls.cert_file|yaml_squote}}
+ca_file = {{compute.libvirt.tls.ca_file|yaml_squote}}
+{% else %}
 listen_tls = 0
 listen_tcp = 1
 auth_tcp = "none"
-
+{% endif %}
 
 # Listen for unencrypted TCP connections on the public TCP/IP port.
 # NB, must pass the --listen flag to the libvirtd process for this to
diff --git a/nova/files/queens/nova-compute.conf.Debian b/nova/files/queens/nova-compute.conf.Debian
index ba41a41..10e9cc8 100644
--- a/nova/files/queens/nova-compute.conf.Debian
+++ b/nova/files/queens/nova-compute.conf.Debian
@@ -3357,7 +3357,7 @@
 {%- endif %}
 
 {%- set _data = compute.message_queue %}
-{%- include "oslo_templates/files/queens/oslo/_messaging_default.conf" %}
+{%- include "oslo_templates/files/queens/oslo/messaging/_default.conf" %}
 
 [api]
 #
@@ -3712,9 +3712,9 @@
 
 [api_database]
 {%- set _data = {} %}
-{%- do _data.update(controller.database) %}
+{%- do _data.update(compute.database) %}
 {%- do _data.update({'name': 'nova_api'}) %}
-{%- if _data.ssl is defined and 'cacert_file' not in _data.get('ssl', {}).keys() %}{% do _data['ssl'].update({'cacert_file': controller.cacert_file}) %}{% endif %}
+{%- if _data.ssl is defined and 'cacert_file' not in _data.get('ssl', {}).keys() %}{% do _data['ssl'].update({'cacert_file': compute.cacert_file}) %}{% endif %}
 {%- include "oslo_templates/files/queens/oslo/_database.conf" %}
 
 {%- if compute.get('barbican', {}).get('enabled', False) %}
@@ -6253,9 +6253,13 @@
 {%- endif %}
 {%- endif %}
 
+{%- if compute.libvirt.tls.get('enabled', False) %}
+live_migration_scheme="tls"
+{%- else %}
 {%- if compute.get('libvirt', {}).uri is defined %}
 connection_uri={{ compute.libvirt.uri }}
 {%- endif %}
+{%- endif %}
 
 #
 # The ID of the image to boot from to rescue data from a corrupted
diff --git a/nova/files/queens/nova-controller.conf.Debian b/nova/files/queens/nova-controller.conf.Debian
index 50e03d6..8883c82 100644
--- a/nova/files/queens/nova-controller.conf.Debian
+++ b/nova/files/queens/nova-controller.conf.Debian
@@ -3191,6 +3191,7 @@
 # requests.
 #  (string value)
 #osapi_compute_listen = 0.0.0.0
+osapi_compute_listen = {{ controller.bind.private_address }}
 
 #
 # Port on which the OpenStack API will listen.
@@ -7695,6 +7696,7 @@
 # * metadata_proxy_shared_secret
 #  (boolean value)
 #service_metadata_proxy = false
+service_metadata_proxy=True
 
 #
 # This option holds the shared secret string used to validate proxy
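Review bot: `service_metadata_proxy=True` is rendered unconditionally, while the following hunk renders `metadata_proxy_shared_secret` only when `controller.networking` is not `contrail`; on a contrail deployment proxy mode is therefore on with the secret left at its empty default, and instance-id signatures would be checked against an empty key unless something outside this hunk supplies it — confirm, or guard this line with the same `{%- if controller.get('networking', 'default') != "contrail" %}` condition. As a style point, write it `service_metadata_proxy = true` to match `osapi_compute_listen = {{ controller.bind.private_address }}` added earlier in the same file. The secret is written in plaintext into nova.conf, so the mode of the rendered file (set outside this hunk) is what protects it.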
@@ -7708,6 +7710,9 @@
 # * service_metadata_proxy
 #  (string value)
 #metadata_proxy_shared_secret =
+{%- if controller.get('networking', 'default') != "contrail" %}
+metadata_proxy_shared_secret = {{ controller.metadata.password }}
+{%- endif %}
 
 # PEM encoded Certificate Authority to use when verifying HTTPs
 # connections. (string value)
diff --git a/nova/map.jinja b/nova/map.jinja
index 1ab5e4c..f5b55ec 100644
--- a/nova/map.jinja
+++ b/nova/map.jinja
@@ -127,6 +127,14 @@
   libvirt:
     inject_partition: '-2'
     inject_password: False
+    tls:
+      enabled: False
+      key_file: '/etc/pki/libvirt/private/serverkey.pem'
+      cert_file: '/etc/pki/libvirt/servercert.pem'
+      ca_file: '/etc/pki/CA/cacert.pem'
+      client:
+        key_file: '/etc/pki/libvirt/private/clientkey.pem'
+        cert_file: '/etc/pki/libvirt/clientcert.pem'
   instances_path: "$state_path/instances"
   notification: false
   availability_zone:
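Review bot: The new `key_file`, `cert_file`, `ca_file` and `client.key_file`/`client.cert_file` keys are pillar-overridable paths, but the README section this commit adds documents only the content keys (`key`, `cert`, `cacert`, `client.key`, `client.cert`); either document the path keys there or add a comment above `tls:` such as `# *_file: on-disk paths the states manage; contents come from the cacert/cert/key pillar keys`. The block is duplicated verbatim in the `@@ -163` hunk of this file, which follows the existing per-distro layout but means the two sets of defaults can drift. `enabled: False` matches the file's `inject_password: False` spelling, though lowercase `false` is the portable form.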
@@ -163,6 +171,14 @@
   libvirt:
     inject_partition: '-2'
     inject_password: False
+    tls:
+      enabled: False
+      key_file: '/etc/pki/libvirt/private/serverkey.pem'
+      cert_file: '/etc/pki/libvirt/servercert.pem'
+      ca_file: '/etc/pki/CA/cacert.pem'
+      client:
+        key_file: '/etc/pki/libvirt/private/clientkey.pem'
+        cert_file: '/etc/pki/libvirt/clientcert.pem'
   notification: false
   availability_zone:
   identity: