Dean Troyer | 8c032d1 | 2013-09-23 13:53:13 -0500 | [diff] [blame] | 1 | # lib/nova_plugins/hypervisor-libvirt |
| 2 | # Configure the libvirt hypervisor |
| 3 | |
| 4 | # Enable with: |
| 5 | # VIRT_DRIVER=libvirt |
| 6 | |
| 7 | # Dependencies: |
| 8 | # ``functions`` file |
| 9 | # ``nova`` configuration |
Stephan Renatus | e578eff | 2013-11-19 13:31:04 +0100 | [diff] [blame] | 10 | # ``STACK_USER`` has to be defined |
Dean Troyer | 8c032d1 | 2013-09-23 13:53:13 -0500 | [diff] [blame] | 11 | |
| 12 | # install_nova_hypervisor - install any external requirements |
| 13 | # configure_nova_hypervisor - make configuration changes, including those to other services |
| 14 | # start_nova_hypervisor - start any external services |
| 15 | # stop_nova_hypervisor - stop any external services |
| 16 | # cleanup_nova_hypervisor - remove transient data and cache |
| 17 | |
| 18 | # Save trace setting |
| 19 | MY_XTRACE=$(set +o | grep xtrace) |
| 20 | set +o xtrace |
| 21 | |
| 22 | |
| 23 | # Defaults |
| 24 | # -------- |
| 25 | |
Russell Bryant | 5705db6 | 2014-02-01 20:06:42 -0500 | [diff] [blame] | 26 | # File injection is disabled by default in Nova. This will turn it back on. |
| 27 | ENABLE_FILE_INJECTION=${ENABLE_FILE_INJECTION:-False} |
Sean Dague | dd30460 | 2014-03-11 16:38:57 -0400 | [diff] [blame] | 28 | # if we should turn on massive libvirt debugging |
| 29 | DEBUG_LIBVIRT=$(trueorfalse False $DEBUG_LIBVIRT) |
Russell Bryant | 5705db6 | 2014-02-01 20:06:42 -0500 | [diff] [blame] | 30 | |
Dean Troyer | 8c032d1 | 2013-09-23 13:53:13 -0500 | [diff] [blame] | 31 | |
| 32 | # Entry Points |
| 33 | # ------------ |
| 34 | |
| 35 | # clean_nova_hypervisor - Clean up an installation |
Ian Wienand | aee18c7 | 2014-02-21 15:35:08 +1100 | [diff] [blame] | 36 | function cleanup_nova_hypervisor { |
Dean Troyer | 8c032d1 | 2013-09-23 13:53:13 -0500 | [diff] [blame] | 37 | # This function intentionally left blank |
| 38 | : |
| 39 | } |
| 40 | |
| 41 | # configure_nova_hypervisor - Set config files, create data dirs, etc |
Ian Wienand | aee18c7 | 2014-02-21 15:35:08 +1100 | [diff] [blame] | 42 | function configure_nova_hypervisor { |
Dean Troyer | 8c032d1 | 2013-09-23 13:53:13 -0500 | [diff] [blame] | 43 | if is_service_enabled neutron && is_neutron_ovs_base_plugin && ! sudo grep -q '^cgroup_device_acl' $QEMU_CONF; then |
| 44 | # Add /dev/net/tun to cgroup_device_acls, needed for type=ethernet interfaces |
| 45 | cat <<EOF | sudo tee -a $QEMU_CONF |
| 46 | cgroup_device_acl = [ |
| 47 | "/dev/null", "/dev/full", "/dev/zero", |
| 48 | "/dev/random", "/dev/urandom", |
| 49 | "/dev/ptmx", "/dev/kvm", "/dev/kqemu", |
| 50 | "/dev/rtc", "/dev/hpet","/dev/net/tun", |
| 51 | ] |
| 52 | EOF |
| 53 | fi |
| 54 | |
| 55 | if is_ubuntu; then |
| 56 | LIBVIRT_DAEMON=libvirt-bin |
| 57 | else |
| 58 | LIBVIRT_DAEMON=libvirtd |
| 59 | fi |
| 60 | |
| 61 | if is_fedora || is_suse; then |
| 62 | if is_fedora && [[ $DISTRO =~ (rhel6) || "$os_RELEASE" -le "17" ]]; then |
Ian Wienand | b8e2502 | 2014-02-21 16:14:29 +1100 | [diff] [blame] | 63 | cat <<EOF | sudo tee /etc/polkit-1/localauthority/50-local.d/50-libvirt-remote-access.pkla |
Dean Troyer | 8c032d1 | 2013-09-23 13:53:13 -0500 | [diff] [blame] | 64 | [libvirt Management Access] |
| 65 | Identity=unix-group:$LIBVIRT_GROUP |
| 66 | Action=org.libvirt.unix.manage |
| 67 | ResultAny=yes |
| 68 | ResultInactive=yes |
| 69 | ResultActive=yes |
Ian Wienand | b8e2502 | 2014-02-21 16:14:29 +1100 | [diff] [blame] | 70 | EOF |
Dean Troyer | 8c032d1 | 2013-09-23 13:53:13 -0500 | [diff] [blame] | 71 | elif is_suse && [[ $os_RELEASE = 12.2 || "$os_VENDOR" = "SUSE LINUX" ]]; then |
| 72 | # openSUSE < 12.3 or SLE |
| 73 | # Work around the fact that polkit-default-privs overrules pklas |
| 74 | # with 'unix-group:$group'. |
Ian Wienand | b8e2502 | 2014-02-21 16:14:29 +1100 | [diff] [blame] | 75 | cat <<EOF | sudo tee /etc/polkit-1/localauthority/50-local.d/50-libvirt-remote-access.pkla |
Dean Troyer | 8c032d1 | 2013-09-23 13:53:13 -0500 | [diff] [blame] | 76 | [libvirt Management Access] |
Stephan Renatus | e578eff | 2013-11-19 13:31:04 +0100 | [diff] [blame] | 77 | Identity=unix-user:$STACK_USER |
Dean Troyer | 8c032d1 | 2013-09-23 13:53:13 -0500 | [diff] [blame] | 78 | Action=org.libvirt.unix.manage |
| 79 | ResultAny=yes |
| 80 | ResultInactive=yes |
| 81 | ResultActive=yes |
Ian Wienand | b8e2502 | 2014-02-21 16:14:29 +1100 | [diff] [blame] | 82 | EOF |
Dean Troyer | 8c032d1 | 2013-09-23 13:53:13 -0500 | [diff] [blame] | 83 | else |
| 84 | # Starting with fedora 18 and opensuse-12.3 enable stack-user to |
| 85 | # virsh -c qemu:///system by creating a policy-kit rule for |
| 86 | # stack-user using the new Javascript syntax |
| 87 | rules_dir=/etc/polkit-1/rules.d |
| 88 | sudo mkdir -p $rules_dir |
Ian Wienand | b8e2502 | 2014-02-21 16:14:29 +1100 | [diff] [blame] | 89 | cat <<EOF | sudo tee $rules_dir/50-libvirt-$STACK_USER.rules |
Dean Troyer | 8c032d1 | 2013-09-23 13:53:13 -0500 | [diff] [blame] | 90 | polkit.addRule(function(action, subject) { |
Sean Dague | 101b424 | 2013-10-22 08:47:11 -0400 | [diff] [blame] | 91 | if (action.id == 'org.libvirt.unix.manage' && |
Attila Fazekas | a42650f | 2014-02-27 13:08:30 +0100 | [diff] [blame] | 92 | subject.user == '$STACK_USER') { |
Sean Dague | 101b424 | 2013-10-22 08:47:11 -0400 | [diff] [blame] | 93 | return polkit.Result.YES; |
| 94 | } |
Dean Troyer | 8c032d1 | 2013-09-23 13:53:13 -0500 | [diff] [blame] | 95 | }); |
Ian Wienand | b8e2502 | 2014-02-21 16:14:29 +1100 | [diff] [blame] | 96 | EOF |
Dean Troyer | 8c032d1 | 2013-09-23 13:53:13 -0500 | [diff] [blame] | 97 | unset rules_dir |
| 98 | fi |
| 99 | fi |
| 100 | |
Dean Troyer | 8c032d1 | 2013-09-23 13:53:13 -0500 | [diff] [blame] | 101 | # The user that nova runs as needs to be member of **libvirtd** group otherwise |
| 102 | # nova-compute will be unable to use libvirt. |
| 103 | if ! getent group $LIBVIRT_GROUP >/dev/null; then |
| 104 | sudo groupadd $LIBVIRT_GROUP |
| 105 | fi |
| 106 | add_user_to_group $STACK_USER $LIBVIRT_GROUP |
| 107 | |
Sean Dague | 1334908 | 2014-03-10 11:27:23 -0400 | [diff] [blame] | 108 | # Enable server side traces for libvirtd |
Sean Dague | dd30460 | 2014-03-11 16:38:57 -0400 | [diff] [blame] | 109 | if [[ "$DEBUG_LIBVIRT" = "True" ]] ; then |
| 110 | local log_filters="1:libvirt 1:qemu 1:conf 1:security 3:event 3:json 3:file 1:util" |
| 111 | local log_outputs="1:file:/var/log/libvirt/libvirtd.log" |
| 112 | if ! grep -q "log_filters=\"$log_filters\"" /etc/libvirt/libvirtd.conf; then |
| 113 | echo "log_filters=\"$log_filters\"" | sudo tee -a /etc/libvirt/libvirtd.conf |
| 114 | fi |
| 115 | if ! grep -q "log_outputs=\"$log_outputs\"" /etc/libvirt/libvirtd.conf; then |
| 116 | echo "log_outputs=\"$log_outputs\"" | sudo tee -a /etc/libvirt/libvirtd.conf |
| 117 | fi |
Sean Dague | 1334908 | 2014-03-10 11:27:23 -0400 | [diff] [blame] | 118 | fi |
| 119 | |
Dean Troyer | 8c032d1 | 2013-09-23 13:53:13 -0500 | [diff] [blame] | 120 | # libvirt detects various settings on startup, as we potentially changed |
| 121 | # the system configuration (modules, filesystems), we need to restart |
| 122 | # libvirt to detect those changes. |
| 123 | restart_service $LIBVIRT_DAEMON |
| 124 | |
| 125 | iniset $NOVA_CONF DEFAULT libvirt_type "$LIBVIRT_TYPE" |
| 126 | iniset $NOVA_CONF DEFAULT libvirt_cpu_mode "none" |
| 127 | iniset $NOVA_CONF DEFAULT use_usb_tablet "False" |
Sean Dague | 6bf1f1f | 2014-02-01 17:05:18 -0500 | [diff] [blame] | 128 | iniset $NOVA_CONF DEFAULT default_ephemeral_format "ext4" |
Dean Troyer | 8c032d1 | 2013-09-23 13:53:13 -0500 | [diff] [blame] | 129 | iniset $NOVA_CONF DEFAULT compute_driver "libvirt.LibvirtDriver" |
| 130 | LIBVIRT_FIREWALL_DRIVER=${LIBVIRT_FIREWALL_DRIVER:-"nova.virt.libvirt.firewall.IptablesFirewallDriver"} |
| 131 | iniset $NOVA_CONF DEFAULT firewall_driver "$LIBVIRT_FIREWALL_DRIVER" |
| 132 | # Power architecture currently does not support graphical consoles. |
| 133 | if is_arch "ppc64"; then |
| 134 | iniset $NOVA_CONF DEFAULT vnc_enabled "false" |
| 135 | fi |
Russell Bryant | 5705db6 | 2014-02-01 20:06:42 -0500 | [diff] [blame] | 136 | |
| 137 | ENABLE_FILE_INJECTION=$(trueorfalse False $ENABLE_FILE_INJECTION) |
| 138 | if [[ "$ENABLE_FILE_INJECTION" = "True" ]] ; then |
| 139 | # When libguestfs is available for file injection, enable using |
| 140 | # libguestfs to inspect the image and figure out the proper |
| 141 | # partition to inject into. |
| 142 | iniset $NOVA_CONF libvirt inject_partition '-1' |
| 143 | iniset $NOVA_CONF libvirt inject_key 'true' |
| 144 | else |
| 145 | # File injection is being disabled by default in the near future - |
| 146 | # disable it here for now to avoid surprises later. |
| 147 | iniset $NOVA_CONF libvirt inject_partition '-2' |
| 148 | fi |
Dean Troyer | 8c032d1 | 2013-09-23 13:53:13 -0500 | [diff] [blame] | 149 | } |
| 150 | |
| 151 | # install_nova_hypervisor() - Install external components |
Ian Wienand | aee18c7 | 2014-02-21 15:35:08 +1100 | [diff] [blame] | 152 | function install_nova_hypervisor { |
Dean Troyer | 8c032d1 | 2013-09-23 13:53:13 -0500 | [diff] [blame] | 153 | if is_ubuntu; then |
| 154 | install_package kvm |
| 155 | install_package libvirt-bin |
| 156 | install_package python-libvirt |
Eric Windisch | 2018501 | 2014-02-03 12:14:08 -0500 | [diff] [blame] | 157 | install_package python-guestfs |
Dean Troyer | 8c032d1 | 2013-09-23 13:53:13 -0500 | [diff] [blame] | 158 | elif is_fedora || is_suse; then |
| 159 | install_package kvm |
| 160 | install_package libvirt |
| 161 | install_package libvirt-python |
Eric Windisch | 2018501 | 2014-02-03 12:14:08 -0500 | [diff] [blame] | 162 | install_package python-libguestfs |
Dean Troyer | 8c032d1 | 2013-09-23 13:53:13 -0500 | [diff] [blame] | 163 | fi |
| 164 | |
| 165 | # Install and configure **LXC** if specified. LXC is another approach to |
| 166 | # splitting a system into many smaller parts. LXC uses cgroups and chroot |
| 167 | # to simulate multiple systems. |
| 168 | if [[ "$LIBVIRT_TYPE" == "lxc" ]]; then |
| 169 | if is_ubuntu; then |
| 170 | if [[ "$DISTRO" > natty ]]; then |
| 171 | install_package cgroup-lite |
| 172 | fi |
| 173 | else |
| 174 | ### FIXME(dtroyer): figure this out |
| 175 | echo "RPM-based cgroup not implemented yet" |
| 176 | yum_install libcgroup-tools |
| 177 | fi |
| 178 | fi |
| 179 | } |
| 180 | |
| 181 | # start_nova_hypervisor - Start any required external services |
Ian Wienand | aee18c7 | 2014-02-21 15:35:08 +1100 | [diff] [blame] | 182 | function start_nova_hypervisor { |
Dean Troyer | 8c032d1 | 2013-09-23 13:53:13 -0500 | [diff] [blame] | 183 | # This function intentionally left blank |
| 184 | : |
| 185 | } |
| 186 | |
| 187 | # stop_nova_hypervisor - Stop any external services |
Ian Wienand | aee18c7 | 2014-02-21 15:35:08 +1100 | [diff] [blame] | 188 | function stop_nova_hypervisor { |
Dean Troyer | 8c032d1 | 2013-09-23 13:53:13 -0500 | [diff] [blame] | 189 | # This function intentionally left blank |
| 190 | : |
| 191 | } |
| 192 | |
| 193 | |
| 194 | # Restore xtrace |
| 195 | $MY_XTRACE |
| 196 | |
| 197 | # Local variables: |
| 198 | # mode: shell-script |
| 199 | # End: |