Merge "Support for Ocata-Pike live-migration over ssh"

docker/services/nova-compute.yaml

@@ -63,7 +63,6 @@ resources:
       DefaultPasswords: {get_param: DefaultPasswords}
       RoleName: {get_param: RoleName}
       RoleParameters: {get_param: RoleParameters}
-      MigrationSshPort: {get_param: DockerNovaMigrationSshdPort}
 
 outputs:
   role_data:

docker/services/nova-libvirt.yaml

@@ -105,7 +105,6 @@ resources:
       DefaultPasswords: {get_param: DefaultPasswords}
       RoleName: {get_param: RoleName}
       RoleParameters: {get_param: RoleParameters}
-      MigrationSshPort: {get_param: DockerNovaMigrationSshdPort}
 
 outputs:
   role_data:

docker/services/nova-migration-target.yaml

@@ -41,6 +41,29 @@ parameters:
     description: Port that dockerized nova migration target sshd service
                  binds to.
     type: number
+  MigrationSshKey:
+    type: json
+    description: >
+      SSH key for migration.
+      Expects a dictionary with keys 'public_key' and 'private_key'.
+      Values should be identical to SSH public/private key files.
+    default:
+      public_key: ''
+      private_key: ''
+  MigrationSshPort:
+    default: 2022
+    description: Target port for migration over ssh
+    type: number
+
+conditions:
+
+  # During Ocata->Pike upgrade initially configure the ssh service on port 22
+  # to proxy migration commands to the containerized sshd on port 2022.
+  # When the upgrade converges we can switch migrations over to port 2022.
+  enable_migration_proxy:
+    equals:
+      - {get_param: MigrationSshPort}
+      - 22
 
 resources:
 
@@ -74,10 +97,15 @@ outputs:
         map_merge:
           - get_attr: [SshdBase, role_data, config_settings]
           - get_attr: [NovaMigrationTargetBase, role_data, config_settings]
-          - tripleo.nova_migration_target.firewall_rules:
-              '113 nova_migration_target':
-                dport:
-                  - {get_param: DockerNovaMigrationSshdPort}
+          # NB this prevents the baremetal ssh from listening on port 2022
+          # It doesn't affect the sshd port in the container as we override it below on the sshd cli
+          - tripleo::profile::base::sshd::port: 22
+          - if:
+            - enable_migration_proxy
+            - tripleo::profile::base::nova::migration::proxy::ssh_private_key: {get_param: [ MigrationSshKey, private_key ]}
+              tripleo::profile::base::nova::migration::proxy::target_port: {get_param: DockerNovaMigrationSshdPort}
+              tripleo::profile::base::nova::migration::proxy::target_host: "%{hiera('live_migration_ssh_inbound_addr')}"
+            - {}
       step_config: &step_config
         list_join:
           - "\n"

docker/services/sshd.yaml

@@ -0,0 +1,72 @@
+heat_template_version: pike
+
+description: >
+  Configure sshd_config
+
+parameters:
+  ServiceData:
+    default: {}
+    description: Dictionary packing service data
+    type: json
+  ServiceNetMap:
+    default: {}
+    description: Mapping of service_name -> network name. Typically set
+                 via parameter_defaults in the resource registry.  This
+                 mapping overrides those in ServiceNetMapDefaults.
+    type: json
+  DefaultPasswords:
+    default: {}
+    type: json
+  RoleName:
+    default: ''
+    description: Role name on which the service is applied
+    type: string
+  RoleParameters:
+    default: {}
+    description: Parameters specific to the role
+    type: json
+  EndpointMap:
+    default: {}
+    description: Mapping of service endpoint -> protocol. Typically set
+                 via parameter_defaults in the resource registry.
+    type: json
+  MigrationSshPort:
+    default: 2022
+    description: Target port for migration over ssh
+    type: number
+
+conditions:
+
+  # During Ocata->Pike upgrade initially configure the ssh service on port 22
+  # to proxy migration commands to the containerized sshd on port 2022.
+  # When the upgrade converges we can switch migrations over to port 2022.
+  enable_migration_proxy:
+    equals:
+      - {get_param: MigrationSshPort}
+      - 22
+
+resources:
+   SshdBase:
+    type: ../../puppet/services/sshd.yaml
+    properties:
+      EndpointMap: {get_param: EndpointMap}
+      ServiceNetMap: {get_param: ServiceNetMap}
+      DefaultPasswords: {get_param: DefaultPasswords}
+      RoleName: {get_param: RoleName}
+      RoleParameters: {get_param: RoleParameters}
+
+outputs:
+  role_data:
+    description: Role data for the ssh
+    value:
+      service_name: sshd
+      config_settings: {get_attr: [SshdBase, role_data, config_settings]}
+      step_config:
+        list_join:
+          - "\n"
+          - - get_attr: [SshdBase, role_data, step_config]
+            - if:
+              - enable_migration_proxy
+              - |
+                include tripleo::profile::base::nova::migration::proxy
+              - ''

environments/docker-services-tls-everywhere.yaml

@@ -49,6 +49,7 @@ resource_registry:
   OS::TripleO::Services::PankoApi: ../docker/services/panko-api.yaml
   OS::TripleO::Services::RabbitMQ: ../docker/services/rabbitmq.yaml
   OS::TripleO::Services::Redis: ../docker/services/database/redis.yaml
+  OS::TripleO::Services::Sshd: ../docker/services/sshd.yaml
   OS::TripleO::Services::SwiftProxy: ../docker/services/swift-proxy.yaml
   OS::TripleO::Services::SwiftRingBuilder: ../docker/services/swift-ringbuilder.yaml
   OS::TripleO::Services::SwiftStorage: ../docker/services/swift-storage.yaml

environments/docker.yaml

@@ -33,6 +33,7 @@ resource_registry:
   OS::TripleO::Services::RabbitMQ: ../docker/services/rabbitmq.yaml
   OS::TripleO::Services::Redis: ../docker/services/database/redis.yaml
   OS::TripleO::Services::Memcached: ../docker/services/memcached.yaml
+  OS::TripleO::Services::Sshd: ../docker/services/sshd.yaml
   OS::TripleO::Services::SwiftProxy: ../docker/services/swift-proxy.yaml
   OS::TripleO::Services::SwiftStorage: ../docker/services/swift-storage.yaml
   OS::TripleO::Services::SwiftRingBuilder: ../docker/services/swift-ringbuilder.yaml

environments/major-upgrade-composable-steps-docker.yaml

@@ -9,3 +9,4 @@ parameter_defaults:
     set -eu
     # Ocata to Pike, put any needed host-level workarounds here
     yum install -y ansible-pacemaker
+  MigrationSshPort: 22

environments/major-upgrade-composable-steps.yaml

@@ -14,3 +14,4 @@ parameter_defaults:
     rm -f /usr/libexec/os-apply-config/templates/etc/puppet/hiera.yaml
     rm -f /usr/libexec/os-refresh-config/configure.d/40-hiera-datafiles
     rm -f /etc/puppet/hieradata/*.yaml
+  MigrationSshPort: 22

environments/major-upgrade-converge-docker.yaml

@@ -8,3 +8,4 @@ parameter_defaults:
   UpgradeLevelNovaCompute: ''
   UpgradeInitCommonCommand: ''
   UpgradeInitCommand: ''
+  MigrationSshPort: 2022

environments/major-upgrade-converge.yaml

@@ -8,3 +8,4 @@ parameter_defaults:
   UpgradeLevelNovaCompute: ''
   UpgradeInitCommonCommand: ''
   UpgradeInitCommand: ''
+  MigrationSshPort: 2022

puppet/services/nova-compute.yaml

@@ -108,7 +108,7 @@ parameters:
       public_key: ''
       private_key: ''
   MigrationSshPort:
-    default: 22
+    default: 2022
     description: Target port for migration over ssh
     type: number
 

puppet/services/nova-libvirt.yaml

@@ -94,7 +94,7 @@ parameters:
       public_key: ''
       private_key: ''
   MigrationSshPort:
-    default: 22
+    default: 2022
     description: Target port for migration over ssh
     type: number
 

puppet/services/nova-migration-target.yaml

@@ -39,6 +39,10 @@ parameters:
     default:
       public_key: ''
       private_key: ''
+  MigrationSshPort:
+    default: 2022
+    description: Target port for migration over ssh
+    type: number
 
 outputs:
   role_data:
@@ -53,5 +57,12 @@ outputs:
           - "%{hiera('live_migration_ssh_inbound_addr')}"
         live_migration_ssh_inbound_addr: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
         cold_migration_ssh_inbound_addr: {get_param: [ServiceNetMap, NovaColdMigrationNetwork]}
+        tripleo::profile::base::sshd::port:
+          - 22
+          - {get_param: MigrationSshPort}
+        tripleo.nova_migration_target.firewall_rules:
+          '113 nova_migration_target':
+            dport:
+              - {get_param: MigrationSshPort}
       step_config: |
         include tripleo::profile::base::nova::migration::target

tools/yaml-validate.py

@@ -123,6 +123,22 @@ PREFERRED_CAMEL_CASE = {
     'haproxy': 'HAProxy',
 }
 
+# Overrides for docker/puppet validation
+# <filename>: True explicitly enables validation
+# <filename>: False explicitly disables validation
+#
+# If a filename is not found in the overrides then the top level directory is
+# used to determine which validation method to use.
+VALIDATE_PUPPET_OVERRIDE = {
+  # docker/service/sshd.yaml is a variation of the puppet sshd service
+  './docker/services/sshd.yaml': True,
+  # qdr aliases rabbitmq service to provide alternative messaging backend
+  './puppet/services/qdr.yaml': False,
+}
+VALIDATE_DOCKER_OVERRIDE = {
+  # docker/service/sshd.yaml is a variation of the puppet sshd service
+  './docker/services/sshd.yaml': False,
+}
 
 def exit_usage():
     print('Usage %s <yaml file or directory>' % sys.argv[0])
@@ -472,12 +488,14 @@ def validate(filename, param_map):
                     )
                 )
 
-        # qdr aliases rabbitmq service to provide alternative messaging backend
-        if (filename.startswith('./puppet/services/') and
-                filename not in ['./puppet/services/qdr.yaml']):
+        if VALIDATE_PUPPET_OVERRIDE.get(filename, False) or (
+                filename.startswith('./puppet/services/') and
+                VALIDATE_PUPPET_OVERRIDE.get(filename, True)):
             retval = validate_service(filename, tpl)
 
-        if filename.startswith('./docker/services/'):
+        if VALIDATE_DOCKER_OVERRIDE.get(filename, False) or (
+                filename.startswith('./docker/services/') and
+                VALIDATE_DOCKER_OVERRIDE.get(filename, True)):
             retval = validate_docker_service(filename, tpl)
 
         if filename.endswith('hyperconverged-ceph.yaml'):