Merge "Improve security of the Nova migration"

2017-05-24 14:28:00 +00:00 · 2017-05-24 14:28:00 +00:00 · 6cd662370b
parent b08884d63e ea2b19038d
commit 6cd662370b
5 changed files with 49 additions and 19 deletions
--- a/docs/packstack.rst
+++ b/docs/packstack.rst
@ -749,7 +749,7 @@ Nova Options
    Overcommitment ratio for virtual to physical RAM. Specify 1.0 to disable RAM overcommitment.

 **CONFIG_NOVA_COMPUTE_MIGRATE_PROTOCOL**
-    Protocol used for instance migration. Valid options are: tcp and ssh. Note that by default, the Compute user is created with the /sbin/nologin shell so that the SSH protocol will not work. To make the SSH protocol work, you must configure the Compute user on compute hosts manually. ['tcp', 'ssh']
+    Protocol used for instance migration. Valid options are: ssh and tcp. Note that the tcp protocol is not encrypted, so it is insecure. ['ssh', 'tcp']

 **CONFIG_NOVA_PCI_ALIAS**
    Enter the PCI passthrough array of hash in JSON style for controller eg.
--- a/packstack/plugins/nova_300.py
+++ b/packstack/plugins/nova_300.py
@ -134,7 +134,7 @@ def initConfig(controller):
                        "migration"),
             "OPTION_LIST": ['tcp', 'ssh'],
             "VALIDATORS": [validators.validate_options],
-             "DEFAULT_VALUE": 'tcp',
+             "DEFAULT_VALUE": 'ssh',
             "MASK_INPUT": False,
             "LOOSE_VALIDATION": True,
             "CONF_NAME": "CONFIG_NOVA_COMPUTE_MIGRATE_PROTOCOL",
@ -346,7 +346,7 @@ def create_compute_manifest(config, messages):
            key = "%s.%s" % (host_key_type, hostname)
            ssh_keys_details.setdefault(key, {})
            ssh_keys_details[key]['ensure'] = 'present'
-            ssh_keys_details[key]['host_aliases'] = aliases + addrs
+            ssh_keys_details[key]['host_aliases'] = [hostname] + aliases + addrs
            ssh_keys_details[key]['key'] = host_key_data
            ssh_keys_details[key]['type'] = host_key_type

--- a/packstack/puppet/modules/packstack/manifests/nova/compute.pp
+++ b/packstack/puppet/modules/packstack/manifests/nova/compute.pp
@ -10,20 +10,46 @@ class packstack::nova::compute ()

    # Install the private key to be used for live migration.  This needs to be
    # configured into libvirt/live_migration_uri in nova.conf.
-    file { '/etc/nova/ssh':
-      ensure  => directory,
-      owner   => root,
-      group   => root,
-      mode    => '0700',
-      require => Package['nova-common'],
-    }
+    $migrate_transport = hiera('CONFIG_NOVA_COMPUTE_MIGRATE_PROTOCOL')
+    if $migrate_transport == 'ssh' {
+      ensure_packages(['openstack-nova-migration'], {'ensure' => 'present'})

-    file { '/etc/nova/ssh/nova_migration_key':
-      content => hiera('NOVA_MIGRATION_KEY_SECRET'),
-      mode    => '0600',
-      owner   => root,
-      group   => root,
-      require => File['/etc/nova/ssh'],
+      file { '/etc/nova/migration/identity':
+        content => hiera('NOVA_MIGRATION_KEY_SECRET'),
+        mode    => '0600',
+        owner   => root,
+        group   => root,
+        require => Package['openstack-nova-migration'],
+      }
+    
+      $key_type = hiera('NOVA_MIGRATION_KEY_TYPE')
+      $key_content = hiera('NOVA_MIGRATION_KEY_PUBLIC')
+
+      file { '/etc/nova/migration/authorized_keys':
+        content => "${key_type} ${key_content}",
+        mode    => '0640',
+        owner   => root,
+        group   => nova_migration,
+        require => Package['openstack-nova-migration'],
+      }
+
+      augeas{'Match block for user nova_migration':
+        context => '/files/etc/ssh/sshd_config',
+        changes => [
+          'set Match[User nova_migration]/Condition/User nova_migration',
+          'set Match[Condition/User = "nova_migration"]/Settings/AllowTcpForwarding no',
+          'set Match[Condition/User = "nova_migration"]/Settings/AuthorizedKeysFile /etc/nova/migration/authorized_keys',
+          'set Match[Condition/User = "nova_migration"]/Settings/ForceCommand /bin/nova-migration-wrapper',
+          'set Match[Condition/User = "nova_migration"]/Settings/PasswordAuthentication no',
+          'set Match[Condition/User = "nova_migration"]/Settings/X11Forwarding no',
+         ],
+        onlyif => 'match Match[Condition/User = "nova_migration"] size == 0',
+        notify => Service['sshd']
+      }
+
+      service {'sshd':
+        ensure  => running,
+      }
    }

    nova_config{
--- a/packstack/puppet/modules/packstack/manifests/nova/compute/libvirt.pp
+++ b/packstack/puppet/modules/packstack/manifests/nova/compute/libvirt.pp
@ -30,8 +30,7 @@ class packstack::nova::compute::libvirt ()
    $migrate_transport = hiera('CONFIG_NOVA_COMPUTE_MIGRATE_PROTOCOL')
    if $migrate_transport == 'ssh' {
      $client_extraparams = {
-        no_verify => 1,
-        keyfile   => '/etc/nova/ssh/nova_migration_key',
+        keyfile   => '/etc/nova/migration/identity',
      }
    } else {
      $client_extraparams = {}
@ -39,7 +38,7 @@ class packstack::nova::compute::libvirt ()

    class { '::nova::migration::libvirt':
      transport   => $migrate_transport,
-      client_user => 'nova',
+      client_user => 'nova_migration',
      client_extraparams => $client_extraparams,
      require => Class['::nova::compute::libvirt']
    }
--- a/releasenotes/notes/nova-migration-improvements-85b208c2b45a3fbe.yaml
+++ b/releasenotes/notes/nova-migration-improvements-85b208c2b45a3fbe.yaml
@ -0,0 +1,5 @@
+---
+security:
+  - Improving security of the Nova migration configuration.
+    Now, ssh is the default option for Nova migration, and
+    a specific migration user is used.