Merge pull request openstack-k8s-operators#513 from gibizer/libvirt-f…

…irewall-live-migration [edpm_libvirt]Open firewall for live migration traffic
raukadah · Dec 7, 2023 · 7e1cdab · 7e1cdab
2 parents 5a66b0b + 9b0e1b4
commit 7e1cdab
Show file tree

Hide file tree

Showing 5 changed files with 71 additions and 25 deletions.
diff --git a/roles/edpm_libvirt/molecule/default/test-helpers/verify_firewall.yaml b/roles/edpm_libvirt/molecule/default/test-helpers/verify_firewall.yaml
@@ -1,39 +1,70 @@
+- name: libvirt rule source file exists
+  become: true
+  ansible.builtin.stat:
+    path: "/var/lib/edpm-config/firewall/libvirt.yaml"
+  register: libvirt_rule_source_exists
+- name: Assert libvirt rule source file exists
+  ansible.builtin.assert:
+    that:
+      - libvirt_rule_source_exists.stat.exists
+    fail_msg: "libvirt rule source file does not exist"
+
 - name: verify vnc nftables firewall rules
   block:
-    - name: Check if nftables rule exists in /etc/nftables/edpm-rules.nft
+    - name: Check if vnc nftables rule exists in /etc/nftables/edpm-rules.nft
       become: true
       ansible.builtin.shell: grep -q "005 Allow vnc access on all networks." /etc/nftables/edpm-rules.nft
-      register: rule_exists
-    - name: Assert nftables rule exists in /etc/nftables/edpm-rules.nft
+      register: vnc_rule_exists
+    - name: Assert vnc nftables rule exists in /etc/nftables/edpm-rules.nft
       ansible.builtin.assert:
         that:
-          - rule_exists.rc == 0
+          - vnc_rule_exists.rc == 0
         fail_msg: "vnc rule does not exist in /etc/nftables/edpm-rules.nft"
     - name: vnc rule port range and protocol
       become: true
       ansible.builtin.shell: grep -q "EDPM_INPUT tcp dport { 5900-6923 }" /etc/nftables/edpm-rules.nft
-      register: rule_content_exists
+      register: vnc_rule_content_exists
     - name: Assert vnc rule port range and protocol
       ansible.builtin.assert:
         that:
-          - rule_content_exists.rc == 0
+          - vnc_rule_content_exists.rc == 0
         fail_msg: "vnc rule port range and protocol incorrect in /etc/nftables/edpm-rules.nft"
-    - name: vnc rule source file exists
-      become: true
-      ansible.builtin.stat:
-        path: "/var/lib/edpm-config/firewall/vnc.yaml"
-      register: rule_source_exists
-    - name: Assert vnc rule source file exists
-      ansible.builtin.assert:
-        that:
-          - rule_source_exists.stat.exists
-        fail_msg: "vnc rule source file does not exist"
     - name: Run nft list command and grep for VNC rule in EDPM_INPUT chain
       become: true
       ansible.builtin.shell: nft list table inet filter | awk '/chain EDPM_INPUT {/,/}/' | grep vnc
-      register: chain_exists
+      register: vnc_chain_exists
     - name: Assert that output from greping for VNC contains the correct rule
       assert:
         that:
           - item | regex_search('\s+tcp dport 5900-6923 ct state new counter packets \d+ bytes \d+ accept comment\s+')
-      loop: "{{ chain_exists.stdout_lines }}"
+      loop: "{{ vnc_chain_exists.stdout_lines }}"
+
+- name: verify live migration nftables firewall rules
+  block:
+    - name: Check if migration nftables rule exists in /etc/nftables/edpm-rules.nft
+      become: true
+      ansible.builtin.shell: grep -q "006 Allow libvirt live migration traffic" /etc/nftables/edpm-rules.nft
+      register: migration_rule_exists
+    - name: Assert migration nftables rule exists in /etc/nftables/edpm-rules.nft
+      ansible.builtin.assert:
+        that:
+          - migration_rule_exists.rc == 0
+        fail_msg: "migration rule does not exist in /etc/nftables/edpm-rules.nft"
+    - name: migration rule port range and protocol
+      become: true
+      ansible.builtin.shell: grep -q "EDPM_INPUT tcp dport { 61152-61215 }" /etc/nftables/edpm-rules.nft
+      register: migration_rule_content_exists
+    - name: Assert migration rule port range and protocol
+      ansible.builtin.assert:
+        that:
+          - migration_rule_content_exists.rc == 0
+        fail_msg: "migration rule port range and protocol incorrect in /etc/nftables/edpm-rules.nft"
+    - name: Run nft list command and grep for migration rule in EDPM_INPUT chain
+      become: true
+      ansible.builtin.shell: nft list table inet filter | awk '/chain EDPM_INPUT {/,/}/' | grep migration
+      register: migration_chain_exists
+    - name: Assert that output from grepping for migration contains the correct rule
+      assert:
+        that:
+          - item | regex_search('\s+tcp dport 61152-61215 ct state new counter packets \d+ bytes \d+ accept comment\s+')
+      loop: "{{ migration_chain_exists.stdout_lines }}"
diff --git a/roles/edpm_libvirt/molecule/default/verify.yml b/roles/edpm_libvirt/molecule/default/verify.yml
@@ -92,3 +92,12 @@
       ansible.builtin.assert:
         that:
           - "run_libvirt.rc != 0"
+
+    - name: Load /etc/libvirt/qemu.conf
+      ansible.builtin.shell: "grep migration_port /etc/libvirt/qemu.conf | tr '\n' ' '"
+      register: qemu_conf_migration_ports
+    - name: Assert that qemu.conf has a proper migration port range
+      assert:
+        that:
+          - "item  == 'migration_port_min = 61152 migration_port_max = 61215 '"
+      loop: "{{ qemu_conf_migration_ports.stdout_lines }}"
diff --git a/roles/edpm_libvirt/tasks/post-install.yml b/roles/edpm_libvirt/tasks/post-install.yml
@@ -90,23 +90,23 @@
         - found_confs.files is defined
         - found_confs.files | length > 0
 
-- name: Copy qemu vnc firewall config
+- name: Copy libvirt firewall config
   tags:
     - install
     - post-libvirt
   become: true
   ansible.builtin.template:
     src: "firewall.yaml"
-    dest: "/var/lib/edpm-config/firewall/vnc.yaml"
+    dest: "/var/lib/edpm-config/firewall/libvirt.yaml"
     mode: "0640"
-- name: Configure firewall for the vnc
+- name: Configure firewall for the libvirt
   tags:
     - install
     - post-libvirt
   ansible.builtin.include_role:
     name: osp.edpm.edpm_nftables
     tasks_from: "configure.yml"
-- name: Reload firewall for new vnc rule
+- name: Reload firewall for new libvirt rules
   tags:
     - install
     - post-libvirt

diff --git a/roles/edpm_libvirt/templates/firewall.yaml b/roles/edpm_libvirt/templates/firewall.yaml
@@ -5,3 +5,8 @@
     proto: tcp
     dport:
      - "5900-6923"
+- rule_name: 006 Allow libvirt live migration traffic
+  rule:
+    proto: tcp
+    dport:
+     - "61152-61215"
diff --git a/roles/edpm_libvirt/templates/qemu.conf b/roles/edpm_libvirt/templates/qemu.conf
@@ -4,6 +4,7 @@ vnc_tls = 0
 vnc_tls_x509_verify = 0
 default_tls_x509_verify = 1
 nbd_tls = 0
-# reasses if we need to set these when we add supprot for migration.
-#migration_port_min = 61152
-#migration_port_max = 61215
+# NOTE(gibi): In tripleo the default range was intentionally changed to avoid
+# port usage conflicts. See https://review.openstack.org/#/c/561784
+migration_port_min = 61152
+migration_port_max = 61215