Libvirt SASL support

Configure libvirt SASL authentication. Requires a secret with LibvirtPassword key set. Depends-On: openstack-k8s-operators/dataplane-operator#831 Related: OSPRH-6172
openstack-k8s-operators · Apr 16, 2024 · fc2defb · fc2defb
1 parent 9a6b6a7
commit fc2defb
Show file tree

Hide file tree

Showing 9 changed files with 96 additions and 8 deletions.
diff --git a/roles/edpm_libvirt/defaults/main.yml b/roles/edpm_libvirt/defaults/main.yml
@@ -62,7 +62,11 @@ edpm_libvirt_packages:
   # ceph-common is needed for ceph support to provide the ceph client lib
   # for qemu and the ceph udev rules
   - ceph-common
+  # for SASL auth
+  - cyrus-sasl-scram
 edpm_libvirt_ceph_path: /var/lib/openstack/config/ceph
+edpm_libvirt_password_path: /var/lib/openstack/configs/{{ edpm_service_name | default('libvirt') }}/LibvirtPassword
+edpm_libvirt_sasl_auth_enabled: "{{ edpm_libvirt_password_path is exists | bool }}"
 
 # certs
 edpm_libvirt_tls_certs_enabled: "{{ edpm_tls_certs_enabled | default(False) }}"

diff --git a/roles/edpm_libvirt/meta/argument_specs.yml b/roles/edpm_libvirt/meta/argument_specs.yml
@@ -64,3 +64,9 @@ argument_specs:
         type: str
         description: The vhost user socket directory group name.
         default: ''
+      edpm_libvirt_sasl_auth_enabled:
+        type: bool
+        default: false
+        description: |
+          Boolean to specify whether SASL auth is enabled.
+          Defaults to true when secret is provided with LibvirtPassword key set.
diff --git a/roles/edpm_libvirt/molecule/default/converge.yml b/roles/edpm_libvirt/molecule/default/converge.yml
@@ -18,3 +18,4 @@
       vars:
         edpm_libvirt_tls_cert_src_dir: /tmp/pki
         edpm_libvirt_tls_certs_enabled: true
+        edpm_libvirt_password_path: /tmp/libvirtpw
diff --git a/roles/edpm_libvirt/molecule/default/prepare.yml b/roles/edpm_libvirt/molecule/default/prepare.yml
@@ -18,6 +18,7 @@
   hosts: all
   vars:
     edpm_libvirt_tls_cert_src_dir: /tmp/pki
+    edpm_libvirt_password_path: /tmp/libvirtpw
   pre_tasks:
     - name: set basic user fact
       set_fact:
@@ -192,6 +193,11 @@
         csr_content: "{{ csr.csr }}"
         provider: ownca
 
+    - name: Create password secret
+      ansible.builtin.copy:
+        dest: "{{ edpm_libvirt_password_path }}"
+        content: "correct horse battery staple"
+
     # FIXME(sean-k-mooney): this is a hack to work around the fact that we dont
     # currently manage the hostname on the DUT via boostrap or a dedicated role
     # in the molecule test. This is needed to ensure the hostname is resolvable

diff --git a/roles/edpm_libvirt/molecule/default/verify.yml b/roles/edpm_libvirt/molecule/default/verify.yml
@@ -130,3 +130,33 @@
 
     - name: ensure ceph secret is configured
       ansible.builtin.include_tasks: "test-helpers/verify_ceph_secret.yaml"
+
+    - name: Load /etc/libvirt/auth.conf
+      become: true
+      ansible.builtin.slurp:
+        src: /etc/libvirt/auth.conf
+      register: libvirt_auth_conf
+    - name: Assert that libvirt auth password is set
+      assert:
+        that:
+          - "'password=correct horse battery staple' in libvirt_auth_conf.content | b64decode | split('\n')"
+
+    - name: Get sasl users
+      become: true
+      ansible.builtin.command:
+        cmd: sasldblistusers2 -f /etc/libvirt/passwd.db
+      register: saslusers
+    - name: Assert that libvirt sasl user exists
+      assert:
+        that:
+          - "'migration@overcloud: userPassword' in saslusers.stdout_lines"
+
+    - name: Load /etc/libvirt/virtproxyd.conf
+      become: true
+      ansible.builtin.slurp:
+        src: /etc/libvirt/virtproxyd.conf
+      register: virtproxyd_conf
+    - name: Assert that sasl auth is configured
+      assert:
+        that:
+          - "'auth_tls=\"sasl\"' in virtproxyd_conf.content | b64decode | split('\n')"
diff --git a/roles/edpm_libvirt/tasks/configure.yml b/roles/edpm_libvirt/tasks/configure.yml
@@ -1,5 +1,11 @@
 ---
 
+- name: Get libvirt password
+  ansible.builtin.set_fact:
+    sasl_password: "{{ lookup('file', edpm_libvirt_password_path, lstrip=false, rstrip=false) }}"
+  no_log: true
+  when: edpm_libvirt_sasl_auth_enabled|bool
+
 - name: Create libvirt config dir
   tags:
     - configure
@@ -27,21 +33,41 @@
   become: true
   ansible.builtin.template:
     src: "{{ item.src }}"
-    dest: "/etc/libvirt/{{ item.dest }}"
-    mode: "0640"
+    dest: "/etc/{{ item.dest }}"
+    mode: "{{ item.mode | default('0640') }}"
     # FIXME: update to libvirt user/group
     owner: "root"
     group: "root"
   loop:
-    - {"src": "virtlogd.conf", "dest": "virtlogd.conf"}
-    - {"src": "virtnodedevd.conf", "dest": "virtnodedevd.conf"}
-    - {"src": "virtproxyd.conf", "dest": "virtproxyd.conf"}
-    - {"src": "virtqemud.conf", "dest": "virtqemud.conf"}
-    - {"src": "qemu.conf.j2", "dest": "qemu.conf"}
-    - {"src": "virtsecretd.conf", "dest": "virtsecretd.conf"}
+    - {"src": "virtlogd.conf", "dest": "libvirt/virtlogd.conf"}
+    - {"src": "virtnodedevd.conf", "dest": "libvirt/virtnodedevd.conf"}
+    - {"src": "virtproxyd.conf", "dest": "libvirt/virtproxyd.conf"}
+    - {"src": "virtqemud.conf", "dest": "libvirt/virtqemud.conf"}
+    - {"src": "qemu.conf.j2", "dest": "libvirt/qemu.conf"}
+    - {"src": "virtsecretd.conf", "dest": "libvirt/virtsecretd.conf"}
+    - {"src": "auth.conf", "dest": "libvirt/auth.conf", "mode": "0600"}
+    - {"src": "sasl_libvirt.conf", "dest": "sasl2/libvirt.conf"}
   notify:
     - Restart libvirt
 
+- name: Configure libvirt sasl credentials
+  tags:
+    - configure
+    - libvirt
+  become: true
+  block:
+    - name: Add libvirt sasl password
+      ansible.builtin.command:
+        cmd: saslpasswd2 -f /etc/libvirt/passwd.db -p -a libvirt -u overcloud migration
+        stdin: "{{ sasl_password }}"
+      changed_when: true
+      when: edpm_libvirt_sasl_auth_enabled|bool
+    - name: Remove libvirt sasl credentials
+      ansible.builtin.file:
+        path: /etc/libvirt/passwd.db
+        state: absent
+      when: not edpm_libvirt_sasl_auth_enabled|bool
+
 - name: Create libvirt socket activation drop-in directories
   tags:
     - configure

diff --git a/roles/edpm_libvirt/templates/auth.conf b/roles/edpm_libvirt/templates/auth.conf
@@ -0,0 +1,8 @@
+{% if edpm_libvirt_sasl_auth_enabled|bool %}
+[credentials-overcloud]
+authname=migration@overcloud
+password={{ sasl_password }}
+
+[auth-libvirt-default]
+credentials=overcloud
+{% endif %}
diff --git a/roles/edpm_libvirt/templates/sasl_libvirt.conf b/roles/edpm_libvirt/templates/sasl_libvirt.conf
@@ -0,0 +1,2 @@
+mech_list: scram-sha-256
+sasldb_path: /etc/libvirt/passwd.db
diff --git a/roles/edpm_libvirt/templates/virtproxyd.conf b/roles/edpm_libvirt/templates/virtproxyd.conf
@@ -2,5 +2,10 @@ unix_sock_ro_perms="0444"
 unix_sock_rw_perms="0770"
 auth_unix_ro="none"
 auth_unix_rw="none"
+auth_tls={% if edpm_libvirt_sasl_auth_enabled|bool %}
+"sasl"
+{% else %}
+"none"
+{% endif %}
 log_filters="1:qemu 1:libvirt 4:object 4:json 4:event 1:util"
 log_outputs="2:journald"