Merge "[VMware] inital commit"
diff --git a/README.rst b/README.rst
index d56412f..8ff3b85 100644
--- a/README.rst
+++ b/README.rst
@@ -966,6 +966,7 @@
Enable transport + authentication for VNC over TLS
---------------------
+# Only for Queens. Communication between noVNC proxy service and QEMU
By default communication between nova-novncproxy and qemu service is unsecure.
@@ -977,31 +978,62 @@
controller:
novncproxy:
+ # This section responsible for communication between noVNC proxy and client machine
tls:
enabled: True
+ # This section responsible for communication between nova-novncproxy and qemu service
+ vencrypt:
+ tls:
+ enabled: True
You able to set custom certificates in pillar:
- nova:
- compute:
- qemu:
- vnc:
- tls:
- cacert (certificate content)
- cert (certificate content)
- key (certificate content)
+nova:
+ compute:
+ qemu:
+ vnc:
+ tls:
+ cacert (certificate content)
+ cert (certificate content)
+ key (certificate content)
+
+nova:
+ controller:
+ novncproxy:
+ tls:
+ server:
+ cert (certificate content)
+ key (certificate content)
+ vencrypt:
+ tls:
+ cacert (certificate content)
+ cert (certificate content)
+ key (certificate content)
+
+
+You can read more about it here:
+ https://docs.openstack.org/nova/queens/admin/remote-console-access.html
+
+Enable communication between noVNC proxy and client machine over TLS
+---------------------
+
+By default communication between noVNC proxy and client machine is unsecure.
+
+ controller:
+ novncproxy:
+ tls:
+ enabled: True
nova:
controller:
novncproxy:
tls:
- cacert (certificate content)
- cert (certificate content)
- key (certificate content)
- allfile (certificate content)
+ server:
+ cert (certificate content)
+ key (certificate content)
You can read more about it here:
- https://docs.openstack.org/nova/queens/admin/remote-console-access.html
+ https://docs.openstack.org/mitaka/config-reference/dashboard/configure.html
Documentation and Bugs
======================
diff --git a/nova/compute.sls b/nova/compute.sls
index 044c6eb..1b8c149 100644
--- a/nova/compute.sls
+++ b/nova/compute.sls
@@ -105,7 +105,7 @@
{{ service_name }}_logging_conf:
file.managed:
- name: /etc/nova/logging/logging-{{ service_name }}.conf
- - source: salt://nova/files/logging.conf
+ - source: salt://oslo_templates/files/logging/_logging.conf
- template: jinja
- user: nova
- group: nova
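Review bot: The `- source:` line now points at `salt://oslo_templates/files/logging/_logging.conf`, a template owned by a different formula, while this commit deletes the formula's own `nova/files/logging.conf`, so if the `oslo_templates` formula is not present on the master every `*_logging_conf` state fails with a missing-source error rather than degrading. Nothing in the diff declares that new dependency; it belongs in the formula's dependency metadata and README, and a comment above the state would help the next reader, e.g. `# logging.conf is rendered from the shared oslo_templates formula, which must be installed alongside this one`. The `_data: {{ compute.logging }}` default in the next hunk presumably matches what `_logging.conf` expects (the deleted template read `values.logging`), which I cannot verify from here. The same source change appears in the `nova_general_logging_conf` and `{{ service_name }}_logging_conf` hunks of `nova/controller.sls`.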
@@ -117,7 +117,7 @@
- makedirs: True
- defaults:
service_name: {{ service_name }}
- values: {{ compute }}
+ _data: {{ compute.logging }}
- watch_in:
- service: nova_compute_services
diff --git a/nova/controller.sls b/nova/controller.sls
index cf20158..2ea0510 100644
--- a/nova/controller.sls
+++ b/nova/controller.sls
@@ -64,18 +64,19 @@
- user: user_nova
{%- endif %}
-{%- if controller.novncproxy.tls.get('enabled', False) %}
+# Only for Queens. Communication between noVNC proxy service and QEMU
+{%- if controller.version not in ['mitaka', 'newton', 'ocata', 'pike'] %}
+{%- if controller.novncproxy.vencrypt.tls.get('enabled', False) %}
-{%- set ca_file=controller.novncproxy.tls.get('ca_file') %}
-{%- set key_file=controller.novncproxy.tls.get('key_file') %}
-{%- set cert_file=controller.novncproxy.tls.get('cert_file') %}
-{%- set all_file=controller.novncproxy.tls.get('all_file') %}
+{%- set ca_file=controller.novncproxy.vencrypt.tls.get('ca_file') %}
+{%- set key_file=controller.novncproxy.vencrypt.tls.get('key_file') %}
+{%- set cert_file=controller.novncproxy.vencrypt.tls.get('cert_file') %}
-novncproxy_ca_nova_compute:
-{%- if controller.novncproxy.tls.cacert is defined %}
+novncproxy_vencrypt_ca:
+{%- if controller.novncproxy.vencrypt.tls.cacert is defined %}
file.managed:
- name: {{ ca_file }}
- - contents_pillar: nova:controller:novncproxy:tls:cacert
+ - contents_pillar: nova:controller:novncproxy:vencrypt:tls:cacert
- mode: 444
- makedirs: true
- watch_in:
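Review bot: The version gate added as `{%- if controller.version not in ['mitaka', 'newton', 'ocata', 'pike'] %}` still lets `juno`, `kilo` and `liberty` into the vencrypt block, although the `# Only for Queens` comment directly above it and the existing check later in this file (`controller.version not in ["juno", "kilo", "liberty", "mitaka", "newton"]`) show those release names are still in use in this formula. With the default `vencrypt.tls.enabled: false` nothing is rendered, but a pillar enabling it on one of those releases would manage client cert/key files that no config template of that release consumes. Consider `{%- if controller.version not in ['juno', 'kilo', 'liberty', 'mitaka', 'newton', 'ocata', 'pike'] %}`, or a positive `{%- if controller.version in ['queens'] %}` if that is the actual intent. The matching `{%- endif %}` lines for this gate are in a later hunk of the same file.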
@@ -85,11 +86,11 @@
- name: {{ ca_file }}
{%- endif %}
-novncproxy_public_cert:
-{%- if controller.novncproxy.tls.cert is defined %}
+novncproxy_vencrypt_public_cert:
+{%- if controller.novncproxy.vencrypt.tls.cert is defined %}
file.managed:
- name: {{ cert_file }}
- - contents_pillar: nova:controller:novncproxy:tls:cert
+ - contents_pillar: nova:controller:novncproxy:vencrypt:tls:cert
- mode: 440
- makedirs: true
{%- else %}
@@ -97,30 +98,49 @@
- name: {{ cert_file }}
{%- endif %}
-novncproxy_private_key:
-{%- if controller.novncproxy.tls.key is defined %}
+novncproxy_vencrypt_private_key:
+{%- if controller.novncproxy.vencrypt.tls.key is defined %}
file.managed:
- name: {{ key_file }}
- - contents_pillar: nova:controller:novncproxy:tls:key
+ - contents_pillar: nova:controller:novncproxy:vencrypt:tls:key
- mode: 400
- makedirs: true
{%- else %}
file.exists:
- name: {{ key_file }}
{%- endif %}
+{%- endif %}
+{%- endif %}
-novncproxy_all_file:
-{%- if controller.novncproxy.tls.allfile is defined %}
+{%- if controller.novncproxy.tls.get('enabled', False) %}
+{%- set key_file=controller.novncproxy.tls.server.get('key_file') %}
+{%- set cert_file=controller.novncproxy.tls.server.get('cert_file') %}
+
+novncproxy_server_public_cert:
+{%- if controller.novncproxy.tls.server.cert is defined %}
file.managed:
- - name: {{ all_file }}
- - contents_pillar: nova:controller:novncproxy:tls:allfile
+ - name: {{ cert_file }}
+ - contents_pillar: nova:controller:novncproxy:tls:server:cert
- mode: 440
- makedirs: true
+ - watch_in:
+ - service: nova_controller_services
+{%- else %}
+ file.exists:
+ - name: {{ cert_file }}
+{%- endif %}
+
+novncproxy_server_private_key:
+{%- if controller.novncproxy.tls.server.key is defined %}
+ file.managed:
+ - name: {{ key_file }}
+ - contents_pillar: nova:controller:novncproxy:tls:server:key
+ - mode: 400
+ - makedirs: true
{%- else %}
file.exists:
- - name: {{ all_file }}
+ - name: {{ key_file }}
{%- endif %}
-
{%- endif %}
{%- if controller.get('networking', 'default') == "contrail" and controller.version == "juno" %}
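Review bot: `novncproxy_server_private_key` has no `watch_in` on `nova_controller_services`, while the sibling `novncproxy_server_public_cert` state added just above it does, so a rotated key is written to disk but the proxy keeps serving the old key/cert pair until something else restarts it; add `- watch_in:` / `- service: nova_controller_services` after `- makedirs: true` of the key state (the vencrypt cert and key states in the preceding hunks have the same gap, only the CA state restarts the service). Neither new `file.managed` state sets `- user`/`- group`, so with `mode: 400` the key is readable only by root; if nova-novncproxy runs as the `nova` account (the logging states in this file use `user: nova`/`group: nova`) it will not be able to open the key, so worth confirming which account the service runs under. The `file.exists` fallbacks in the `{%- else %}` branches are a good failure mode: a missing cert or key fails the highstate instead of silently starting an unencrypted proxy.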
@@ -175,7 +195,7 @@
nova_general_logging_conf:
file.managed:
- name: /etc/nova/logging.conf
- - source: salt://nova/files/logging.conf
+ - source: salt://oslo_templates/files/logging/_logging.conf
- template: jinja
- user: nova
- group: nova
@@ -186,7 +206,7 @@
{%- endif %}
- defaults:
service_name: nova
- values: {{ controller }}
+ _data: {{ controller.logging }}
- watch_in:
- service: nova_controller_services
@@ -205,7 +225,7 @@
{{ service_name }}_logging_conf:
file.managed:
- name: /etc/nova/logging/logging-{{ service_name }}.conf
- - source: salt://nova/files/logging.conf
+ - source: salt://oslo_templates/files/logging/_logging.conf
- template: jinja
- user: nova
- group: nova
@@ -217,7 +237,7 @@
- makedirs: True
- defaults:
service_name: {{ service_name }}
- values: {{ controller }}
+ _data: {{ controller.logging }}
- watch_in:
- service: nova_controller_services
{%- if controller.version not in ["juno", "kilo", "liberty", "mitaka", "newton"] %}
diff --git a/nova/files/logging.conf b/nova/files/logging.conf
deleted file mode 100644
index 9790fe2..0000000
--- a/nova/files/logging.conf
+++ /dev/null
@@ -1,99 +0,0 @@
-{%- set log_handlers = [] -%}
-{%- for log_handler_name, log_handler_attrs in values.logging.log_handlers.items() %}
- {%- if log_handler_attrs.get('enabled', False) %}
- {%- do log_handlers.append(log_handler_name) -%}
- {%- endif %}
-{%- endfor %}
-
-[loggers]
-keys = root, nova
-
-[handlers]
-keys = {{ log_handlers | join(", ") }}
-
-[formatters]
-keys = context, default{% if values.logging.log_handlers.get('fluentd', {}).get('enabled', False) %}, fluentd{% endif %}
-
-[logger_root]
-level = {{ values.logging.get('loggers', {}).get('root', {}).get('level', 'WARNING') }}
-handlers = {{ log_handlers | join(", ") }}
-
-[logger_nova]
-level = {{ values.logging.get('loggers', {}).get('nova', {}).get('level', 'INFO') }}
-handlers = {{ log_handlers | join(", ") }}
-qualname = nova
-propagate = 0
-
-[logger_amqp]
-level = {{ values.logging.get('loggers', {}).get('amqp', {}).get('level', 'WARNING') }}
-handlers = {{ log_handlers | join(", ") }}
-qualname = amqp
-
-[logger_amqplib]
-level = {{ values.logging.get('loggers', {}).get('amqplib', {}).get('level', 'WARNING') }}
-handlers = {{ log_handlers | join(", ") }}
-qualname = amqplib
-
-[logger_sqlalchemy]
-level = {{ values.logging.get('loggers', {}).get('sqlalchemy', {}).get('level', 'WARNING') }}
-handlers = {{ log_handlers | join(", ") }}
-qualname = sqlalchemy
-# "level = INFO" logs SQL queries.
-# "level = DEBUG" logs SQL queries and results.
-# "level = WARNING" logs neither. (Recommended for production systems.)
-
-[logger_boto]
-level = {{ values.logging.get('loggers', {}).get('boto', {}).get('level', 'WARNING') }}
-handlers = {{ log_handlers | join(", ") }}
-qualname = boto
-
-# NOTE(mikal): suds is used by the vmware driver, removing this will
-# cause many extraneous log lines for their tempest runs. Refer to
-# https://review.openstack.org/#/c/219225/ for details.
-[logger_suds]
-level = {{ values.logging.get('loggers', {}).get('suds', {}).get('level', 'INFO') }}
-handlers = {{ log_handlers | join(", ") }}
-qualname = suds
-
-[logger_eventletwsgi]
-level = {{ values.logging.get('loggers', {}).get('eventletwsgi', {}).get('level', 'WARNING') }}
-handlers = {{ log_handlers | join(", ") }}
-qualname = eventlet.wsgi.server
-
-{% if values.logging.log_handlers.get('fluentd').get('enabled', False) -%}
-[handler_fluentd]
-class = fluent.handler.FluentHandler
-args = ('openstack.{{ service_name | replace("-", ".", 1) }}', 'localhost', 24224)
-formatter = fluentd
-{%- endif %}
-
-{% if values.logging.log_handlers.watchedfile.enabled -%}
-[handler_watchedfile]
-class = handlers.WatchedFileHandler
-args = ('/var/log/nova/{{ service_name }}.log',)
-formatter = context
-{%- endif %}
-
-{% if values.logging.log_handlers.get('ossyslog', {}).get('enabled', False) -%}
-{%- set ossyslog_args = values.logging.log_handlers.ossyslog.get('args', {}) -%}
-[handler_ossyslog]
-class = oslo_log.handlers.OSSysLogHandler
-# the OSSysLogHandler uses 'syslog' lib, where the LOG_* facilities are already *8
-# but in the context where the args are evaluated we have access only to Python's
-# handlers.SysLogHandler.LOG_* constants that _ARE_NOT_ multiplied by 8.
-# To not have a completely magic single int in the rendered template,
-# we multiply it here.
-args = ( 8 * handlers.SysLogHandler.{{ ossyslog_args.get('facility', 'LOG_USER') }}, )
-formatter = context
-{%- endif %}
-
-[formatter_context]
-class = oslo_log.formatters.ContextFormatter
-
-[formatter_default]
-format = %(message)s
-
-{% if values.logging.log_handlers.get('fluentd').get('enabled', False) -%}
-[formatter_fluentd]
-class = oslo_log.formatters.FluentFormatter
-{%- endif %}
diff --git a/nova/files/pike/nova-controller.conf.Debian b/nova/files/pike/nova-controller.conf.Debian
index 532524f..f6979f4 100644
--- a/nova/files/pike/nova-controller.conf.Debian
+++ b/nova/files/pike/nova-controller.conf.Debian
@@ -2525,6 +2525,11 @@
# Disallow non-encrypted connections. (boolean value)
#ssl_only=false
+{%- if controller.novncproxy.tls.get('enabled', False) %}
+ssl_only=True
+cert={{controller.novncproxy.tls.server.cert_file|yaml_squote}}
+key={{controller.novncproxy.tls.server.key_file|yaml_squote}}
+{%- endif %}
# Set to True if source host is addressed with IPv6. (boolean value)
#source_is_ipv6=false
diff --git a/nova/files/queens/nova-controller.conf.Debian b/nova/files/queens/nova-controller.conf.Debian
index 498acbb..c413d87 100644
--- a/nova/files/queens/nova-controller.conf.Debian
+++ b/nova/files/queens/nova-controller.conf.Debian
@@ -3028,6 +3028,11 @@
# Disallow non-encrypted connections. (boolean value)
#ssl_only = false
+{%- if controller.novncproxy.tls.get('enabled', False) %}
+ssl_only=True
+cert={{controller.novncproxy.tls.server.cert_file|yaml_squote}}
+key={{controller.novncproxy.tls.server.key_file|yaml_squote}}
+{%- endif %}
# Set to True if source host is addressed with IPv6. (boolean value)
#source_is_ipv6 = false
@@ -9573,11 +9578,11 @@
{%- else %}
vncserver_listen={{ controller.bind.get('novncproxy_address', '0.0.0.0') }}
{%- endif %}
-{%- if controller.novncproxy.tls.get('enabled', False) %}
+{%- if controller.novncproxy.vencrypt.tls.get('enabled', False) %}
auth_schemes=vencrypt
-vencrypt_client_key={{controller.novncproxy.tls.key_file|yaml_squote}}
-vencrypt_client_cert={{controller.novncproxy.tls.cert_file|yaml_squote}}
-vencrypt_ca_certs={{controller.novncproxy.tls.ca_file|yaml_squote}}
+vencrypt_client_key={{controller.novncproxy.vencrypt.tls.key_file|yaml_squote}}
+vencrypt_client_cert={{controller.novncproxy.vencrypt.tls.cert_file|yaml_squote}}
+vencrypt_ca_certs={{controller.novncproxy.vencrypt.tls.ca_file|yaml_squote}}
{%- endif %}
#
diff --git a/nova/map.jinja b/nova/map.jinja
index afdf48f..599a75a 100644
--- a/nova/map.jinja
+++ b/nova/map.jinja
@@ -47,6 +47,7 @@
'enabled': false
},
'logging': {
+ 'app_name': 'nova',
'log_appender': false,
'log_handlers': {
'watchedfile': {
@@ -57,9 +58,18 @@
'novncproxy': {
'tls': {
'enabled': false,
- 'key_file': '/etc/pki/nova-novncproxy/client-key.pem',
- 'cert_file': '/etc/pki/nova-novncproxy/client-cert.pem',
- 'ca_file': '/etc/pki/nova-novncproxy/ca-cert.pem',
+ 'server': {
+ 'key_file': '/etc/pki/nova-novncproxy/server-key.pem',
+ 'cert_file': '/etc/pki/nova-novncproxy/server-cert.pem',
+ }
+ },
+ 'vencrypt': {
+ 'tls': {
+ 'enabled': false,
+ 'key_file': '/etc/pki/nova-novncproxy/client-key.pem',
+ 'cert_file': '/etc/pki/nova-novncproxy/client-cert.pem',
+ 'ca_file': '/etc/pki/nova-novncproxy/ca-cert.pem',
+ }
}
},
},
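Review bot: Moving `key_file`/`cert_file`/`ca_file` out of `novncproxy.tls` into the new `novncproxy.vencrypt.tls` block changes the meaning of an existing pillar key: a deployment that already sets `nova:controller:novncproxy:tls:enabled: True` for the proxy-to-QEMU channel will, after this change, have vencrypt disabled (the new `'vencrypt': {'tls': {'enabled': false` default) while `tls.enabled` now switches on the client-facing `ssl_only` instead. The QEMU side then falls back to unencrypted VNC without any error, because nothing reads the old `tls.key_file`/`tls.cert_file`/`tls.ca_file` keys any more; the only loud signal is the `file.exists` check on the server cert in `nova/controller.sls`, which fails when no server cert was provisioned. The README hunk in this commit documents the new layout but not the migration; a short upgrade note (old `tls:` pillar keys → `vencrypt: tls:`) or a transitional fallback that reads the old keys when the new ones are unset would avoid a silent downgrade. The same defaults block is duplicated in the next hunk (`@@ -83,9 +94,18 @@`) and needs the same treatment.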
@@ -73,6 +83,7 @@
'enabled': false
},
'logging': {
+ 'app_name': 'nova',
'log_appender': false,
'log_handlers': {
'watchedfile': {
@@ -83,9 +94,18 @@
'novncproxy': {
'tls': {
'enabled': false,
- 'key_file': '/etc/pki/nova-novncproxy/client-key.pem',
- 'cert_file': '/etc/pki/nova-novncproxy/client-cert.pem',
- 'ca_file': '/etc/pki/nova-novncproxy/ca-cert.pem',
+ 'server': {
+ 'key_file': '/etc/pki/nova-novncproxy/server-key.pem',
+ 'cert_file': '/etc/pki/nova-novncproxy/server-cert.pem',
+ }
+ },
+ 'vencrypt': {
+ 'tls': {
+ 'enabled': false,
+ 'key_file': '/etc/pki/nova-novncproxy/client-key.pem',
+ 'cert_file': '/etc/pki/nova-novncproxy/client-cert.pem',
+ 'ca_file': '/etc/pki/nova-novncproxy/ca-cert.pem',
+ }
}
},
},
@@ -177,6 +197,7 @@
zmq_linger: 30
rpc_response_timeout: 3600
logging:
+ app_name: 'nova'
log_appender: false
log_handlers:
watchedfile:
@@ -226,6 +247,7 @@
zmq_linger: 30
rpc_response_timeout: 3600
logging:
+ app_name: 'nova'
log_appender: false
log_handlers:
watchedfile: