libvirt: support SASL authentication

Adds support for SASL authentication of libvirt TCP and TLS connections when using a compute host libvirt daemon. In line with the dependent Kolla Ansible patch, we enable SASL by default, and use DIGEST-MD5 with TCP and SCRAM-SHA-256 with TLS. Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/833022 Depends-On: stackhpc/ansible-role-libvirt-host#52 Story: 2009858 Task: 44735 Change-Id: Id3972c24022aeb6421494c3cccdc8e7cbce802e6 (cherry picked from commit f4493e4)
jovial · Apr 27, 2022 · 375c69b · 375c69b
1 parent 498ba4e
commit 375c69b
Show file tree

Hide file tree

Showing 6 changed files with 32 additions and 4 deletions.
diff --git a/ansible/compute-libvirt-host.yml b/ansible/compute-libvirt-host.yml
@@ -20,6 +20,9 @@
       vars:
         libvirt_host_libvirtd_conf: "{{ compute_libvirt_conf }}"
         libvirt_host_qemu_conf: "{{ compute_qemu_conf }}"
+        libvirt_host_enable_sasl_support: "{{ compute_libvirt_enable_sasl | bool }}"
+        libvirt_host_sasl_authname: nova
+        libvirt_host_sasl_password: "{{ compute_libvirt_sasl_password }}"
         libvirt_host_tcp_listen: "{{ not compute_libvirt_enable_tls | bool }}"
         libvirt_host_tcp_listen_address: "{{ internal_net_name | net_ip }}:16509"
         libvirt_host_tls_listen: "{{ compute_libvirt_enable_tls | bool }}"

diff --git a/ansible/group_vars/all/compute b/ansible/group_vars/all/compute
@@ -143,7 +143,8 @@ compute_libvirt_enabled: "{{ kolla_enable_nova | bool and not kolla_enable_nova_
 # A dict of default configuration options to write to
 # /etc/libvirt/libvirtd.conf.
 compute_libvirt_conf_default:
-  auth_tcp: "none"
+  auth_tcp: "{{ 'sasl' if compute_libvirt_enable_sasl | bool else 'none' }}"
+  auth_tls: "{{ 'sasl' if compute_libvirt_enable_sasl | bool else 'none' }}"
   log_level: "{{ compute_libvirtd_log_level }}"
 
 # A dict of additional configuration options to write to
@@ -173,6 +174,12 @@ compute_qemu_conf_extra: {}
 # compute_qemu_conf_extra.
 compute_qemu_conf: "{{ compute_qemu_conf_default | combine(compute_qemu_conf_extra) }}"
 
+# Whether to enable libvirt SASL authentication. Default is true.
+compute_libvirt_enable_sasl: true
+
+# libvirt SASL password. Default is unset.
+compute_libvirt_sasl_password:
+
 # Whether to enable a libvirt TLS listener. Default is false.
 compute_libvirt_enable_tls: false
 

diff --git a/ansible/group_vars/all/kolla b/ansible/group_vars/all/kolla
@@ -556,9 +556,9 @@ kolla_enable_zun: "no"
 ###############################################################################
 # Passwords and credentials.
 
-# Dictionary containing default custom passwords to add or override in the
+# Dictionary containing base custom passwords to add or override in the
 # Kolla passwords file.
-kolla_ansible_default_custom_passwords:
+kolla_ansible_base_custom_passwords:
   # SSH key authorized in hosts deployed by Bifrost.
   bifrost_ssh_key:
     private_key: "{{ lookup('file', ssh_private_key_path) }}"
@@ -569,6 +569,19 @@ kolla_ansible_default_custom_passwords:
     private_key: "{{ lookup('file', ssh_private_key_path) }}"
     public_key: "{{ lookup('file', ssh_public_key_path) }}"
 
+# Dictionary containing libvirt custom passwords to add or override in the
+# Kolla passwords file.
+kolla_ansible_libvirt_custom_passwords:
+  libvirt_sasl_password: "{{ compute_libvirt_sasl_password }}"
+
+# Dictionary containing default custom passwords to add or override in the
+# Kolla passwords file.
+kolla_ansible_default_custom_passwords: >-
+  {{ kolla_ansible_base_custom_passwords |
+     combine(kolla_ansible_libvirt_custom_passwords
+             if compute_libvirt_enabled | bool and compute_libvirt_enable_sasl | bool
+             else {}) }}
+
 # Dictionary containing custom passwords to add or override in the Kolla
 # passwords file.
 kolla_ansible_custom_passwords: "{{ kolla_ansible_default_custom_passwords }}"

diff --git a/ansible/roles/kolla-ansible/defaults/main.yml b/ansible/roles/kolla-ansible/defaults/main.yml
@@ -236,6 +236,8 @@ kolla_nova_compute_ironic_host:
 
 kolla_libvirt_tls:
 
+kolla_libvirt_enable_sasl:
+
 ###############################################################################
 # Extra free-form configuraton.
 

diff --git a/ansible/roles/kolla-ansible/templates/globals.yml.j2 b/ansible/roles/kolla-ansible/templates/globals.yml.j2
@@ -391,6 +391,9 @@ enable_chrony: "{% raw %}{% if ansible_os_family == 'RedHat' and ansible_distrib
 libvirt_tls: {{ kolla_libvirt_tls | bool }}
 {% endif %}
 
+{% if kolla_libvirt_enable_sasl is not none %}
+libvirt_enable_sasl: {{ kolla_libvirt_enable_sasl | bool }}
+{% endif %}
 #################
 # Hyper-V options
 #################

diff --git a/requirements.yml b/requirements.yml
@@ -23,7 +23,7 @@
 - src: stackhpc.grafana-conf
   version: 1.1.0
 - src: stackhpc.libvirt-host
-  version: v1.10.0
+  version: v1.11.0
 - src: stackhpc.libvirt-vm
   version: v1.13.0
 - src: stackhpc.mellanox-switch