Disable tunneled mode when use_tls_for_live_migration

With recent version of libvirt, nova-compute don't come up correct when tls-everywhere (use_tls_for_live_migration) is set. The enable_live_migration_tunnelled condition did not consider tls-livemigration and got disabled. Nova-compute fails to start with: 2021-05-12 12:49:09.278 7 ERROR oslo_service.service nova.exception.Invalid: Setting both 'live_migration_tunnelled' and 'live_migration_with_native_tls' at the same time is invalid. If you have the relevant libvirt and QEMU versions, and TLS configured in your environment, pick 'live_migration_with_native_tls'._ This change enhance the enable_live_migration_tunnelled condition to not configure tunnelled mode when use_tls_for_live_migration is true. Closes-Bug: #1928554 Related-bug: https://bugzilla.redhat.com/show_bug.cgi?id=1959808 Change-Id: I1a6f5d3a98d185415b772fa6a94d6f4329dc59a0 (cherry picked from commit 3a472cb)
openstack-archive · May 17, 2021 · 4b1da5c · 4b1da5c
1 parent eb7a600
commit 4b1da5c
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 14 deletions.
diff --git a/deployment/nova/nova-compute-container-puppet.yaml b/deployment/nova/nova-compute-container-puppet.yaml
@@ -763,7 +763,15 @@ parameters:
     default: {}
     tags:
       - role_specific
-
+  EnableInternalTLS:
+    type: boolean
+    default: false
+  UseTLSTransportForLiveMigration:
+    type: boolean
+    default: true
+    description: If set to true and if EnableInternalTLS is enabled, it will
+                 set the libvirt URI's transport to tls and configure the
+                 relevant keys for libvirt.
 
   # DEPRECATED: the following options are deprecated and are currently maintained
   # for backwards compatibility. They will be removed in future release.
@@ -991,17 +999,23 @@ conditions:
       - not: {equals: [{get_param: NovaComputeStartupDelay}, 0]}
       - not: enable_instance_ha
 
+  use_tls_for_live_migration:
+    and:
+      - {get_param: EnableInternalTLS}
+      - {get_param: UseTLSTransportForLiveMigration}
 
   enable_live_migration_tunnelled:
-    or:
-      - and:
-        - equals: [{get_param: NovaNfsEnabled}, true]
-        - equals: [{get_param: [RoleParameters, NovaNfsEnabled]}, '']
-      - equals: [{get_param: [RoleParameters, NovaNfsEnabled]}, true]
-      - equals: [{get_param: [RoleParameters, NovaEnableRbdBackend]}, true]
-      - and:
-        - equals: [{get_param: [RoleParameters, NovaEnableRbdBackend]}, '']
-        - equals: [{get_param: NovaEnableRbdBackend}, true]
+    and:
+      - or:
+          - and:
+            - {get_param: NovaNfsEnabled}
+            - equals: [{get_param: [RoleParameters, NovaNfsEnabled]}, '']
+          - equals: [{get_param: [RoleParameters, NovaNfsEnabled]}, true]
+          - equals: [{get_param: [RoleParameters, NovaEnableRbdBackend]}, true]
+          - and:
+            - equals: [{get_param: [RoleParameters, NovaEnableRbdBackend]}, '']
+            - {get_param: NovaEnableRbdBackend}
+      - not: use_tls_for_live_migration
 
   libvirt_file_backed_memory_enabled:
     not:

diff --git a/deployment/nova/nova-libvirt-container-puppet.yaml b/deployment/nova/nova-libvirt-container-puppet.yaml
@@ -286,12 +286,8 @@ conditions:
 
   use_tls_for_live_migration:
     and:
-    - equals:
       - {get_param: EnableInternalTLS}
-      - true
-    - equals:
       - {get_param: UseTLSTransportForLiveMigration}
-      - true
 
   libvirt_specific_ca_unset:
     equals: