From 341e935e4c4777c14690f116099728fc86cf49ef Mon Sep 17 00:00:00 2001
From: Emilien Macchi
Date: Tue, 30 Sep 2014 11:06:40 -0400
Subject: [PATCH] hypervisor: manage nova shell

To enable live-migration & resize feature, nova user needs to run /bin/bash shell (need from libvirt). By default packaging set /bin/nologin for some security reasons. Let's bring more flexibility and let the end user to set another shell for Nova on Hypervisor nodes. Defaults to false to keep default packaging configuration. Close #600
---
 manifests/compute/hypervisor.pp | 18 +++++++++++++++++
 spec/classes/cloud_compute_hypervisor_spec.rb | 20 +++++++++++++++++++
 2 files changed, 38 insertions(+)
diff --git a/manifests/compute/hypervisor.pp b/manifests/compute/hypervisor.pp
index 8e2004e1..9604d7f5 100644
--- a/manifests/compute/hypervisor.pp
+++ b/manifests/compute/hypervisor.pp
@@ -49,6 +49,13 @@
 # You may have side effects (SElinux for example).
 # Defaults to '/var/lib/nova/instances'
 #
+# [*nova_shell*]
+# (optional) Full path of shell to run for nova user.
+# To disable live migration & resize, set it to '/bin/nologin' or false.
+# Otherwise, set the value to '/bin/bash'.
+# Need to be a valid shell path.
+# Defaults to false
+#
 class cloud::compute::hypervisor(
 $server_proxyclient_address = '127.0.0.1',
 $libvirt_type = 'kvm',
@@ -63,6 +70,7 @@ class cloud::compute::hypervisor(
 $vm_rbd = false,
 $volume_rbd = false,
 $manage_tso = true,
+ $nova_shell = false,
 # when using NFS storage backend
 $nfs_enabled = false,
 $nfs_device = false,
@@ -165,6 +173,16 @@ Host *
 "
 }
+ if $nova_shell {
+ ensure_resource ('user', 'nova', {
+ 'ensure' => 'present',
+ 'system' => true,
+ 'home' => '/var/lib/nova',
+ 'managehome' => false,
+ 'shell' => $nova_shell,
+ })
+ }
+
 class { 'nova::compute':
 enabled => true,
 vnc_enabled => false,
diff --git a/spec/classes/cloud_compute_hypervisor_spec.rb b/spec/classes/cloud_compute_hypervisor_spec.rb
index e5efd7bb..003be0a4 100644
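Review bot: In the `nova_shell` parameter doc added to manifests/compute/hypervisor.pp, `false` is described as a way to disable live migration and resize, but the `if $nova_shell` guard added further down only skips the `user` resource, so a shell set by an earlier run stays as it is. I would reword that line to something like `#   false leaves the nova account unmanaged; it does not reset a shell set by a previous run.` The example path also deserves a check: nologin usually lives at `/sbin/nologin` or `/usr/sbin/nologin`, not `/bin/nologin`, so the doc should name the path that exists on the target distribution.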
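Review bot: `$nova_shell` is handed to the `user` resource unchecked in the `if $nova_shell` block of manifests/compute/hypervisor.pp, even though the parameter doc requires a valid shell path, so `true` or a relative name goes straight into the account definition. `ensure_resource` already comes from stdlib, so `validate_absolute_path($nova_shell)` as the first statement inside the `if` would reject such values at catalog compilation. Because the block gives a service account an interactive shell on every hypervisor, I would also add a comment such as `# login shell is needed only for libvirt migration/resize over SSH; keep access to this account restricted`. The enclosing class body starts and ends outside the hunk.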
--- a/spec/classes/cloud_compute_hypervisor_spec.rb
+++ b/spec/classes/cloud_compute_hypervisor_spec.rb
@@ -81,6 +81,7 @@ describe 'cloud::compute::hypervisor' do
 :ks_spice_public_host => '10.0.0.2',
 :vm_rbd => false,
 :volume_rbd => false,
+ :nova_shell => false,
 :ks_nova_public_host => '10.0.0.1' }
 end
@@ -224,6 +225,10 @@ describe 'cloud::compute::hypervisor' do
 is_expected.to contain_class('ceilometer::agent::compute')
 end
+ it 'do not configure nova shell' do
+ is_expected.not_to contain_user('nova')
+ end
+
 it 'should not configure nova-compute for RBD backend' do
 is_expected.not_to contain_nova_config('libvirt/rbd_user').with('value' => 'cinder')
 is_expected.not_to contain_nova_config('libvirt/images_type').with('value' => 'rbd')
@@ -320,6 +325,21 @@ describe 'cloud::compute::hypervisor' do
 end
 end
+ context 'when managing nova shell' do
+ before :each do
+ params.merge!( :nova_shell => '/bin/bash')
+ end
+ it 'ensure nova shell is configured by Puppet' do
+ is_expected.to contain_user('nova').with(
+ :ensure => 'present',
+ :system => true,
+ :home => '/var/lib/nova',
+ :managehome => false,
+ :shell => '/bin/bash'
+ )
+ end
+ end
+
 context 'with RBD backend for instances and volumes on Debian plaforms' do
 before :each do
 facts.merge!( :osfamily => 'Debian',
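Review bot: The new `when managing nova shell` context only exercises `'/bin/bash'`, so nothing pins what the class does with a value that is not an absolute shell path. A second example in that context, set up with `params.merge!(:nova_shell => 'bash')` and stating the expected outcome (a compile failure, if the class is meant to reject it), would make the contract of the parameter visible in the spec. A case for a no-login path would likewise show that the shell can be set back explicitly rather than only left unmanaged.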