From 5d28a7c89bbac4a15f7d8f7a64c3767ea988efbd Mon Sep 17 00:00:00 2001
From: Mark Goddard
Date: Mon, 21 Mar 2022 12:17:41 +0000
Subject: [PATCH] masakari: support libvirt SASL in instance monitor
Since enabling libvirt SASL authentication, the masakari instance monitor fails to connect to libvirt. We see the following error in logs:
libvirt.libvirtError: authentication failed: Failed to start SASL negotiation: -4 (SASL(-4): no mechanism available: No worthy mechs found)
This change adds support for SASL authentication in Masakari instance monitor.
Depends-On: https://review.opendev.org/c/openstack/kolla/+/834456
Closes-Bug: #1965754
Change-Id: I974046662b383a12ac6281b725523760a96657bd
---
 ansible/roles/masakari/defaults/main.yml | 11 +++++++++++
 ansible/roles/masakari/tasks/config.yml | 18 ++++++++++++++++++
 ansible/roles/masakari/templates/auth.conf.j2 | 6 ++++++
 .../templates/masakari-instancemonitor.json.j2 | 8 +++++++-
 ...masakari-libvirt-sasl-f368c31c0b5567b6.yaml | 6 ++++++
 5 files changed, 48 insertions(+), 1 deletion(-)
 create mode 100644 ansible/roles/masakari/templates/auth.conf.j2
 create mode 100644 releasenotes/notes/masakari-libvirt-sasl-f368c31c0b5567b6.yaml
diff --git a/ansible/roles/masakari/defaults/main.yml b/ansible/roles/masakari/defaults/main.yml
index 9dc133f791..dd5eb7ac21 100644
--- a/ansible/roles/masakari/defaults/main.yml
+++ b/ansible/roles/masakari/defaults/main.yml
@@ -149,3 +149,14 @@ masakari_ks_users:
 user: "{{ masakari_keystone_user }}"
 password: "{{ masakari_keystone_password }}"
 role: "admin"
+
+####################
+# libvirt
+####################
+# Whether to enable libvirt SASL authentication.
+libvirt_enable_sasl: true
+# Username for libvirt SASL.
+libvirt_sasl_authname: "nova"
+# List of enabled libvirt SASL authentication mechanisms.
+libvirt_sasl_mech_list:
+ - "{{ 'SCRAM-SHA-256' if libvirt_tls | bool else 'DIGEST-MD5' }}"
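Review bot: The last added default, `libvirt_sasl_mech_list`, is not referenced by any other hunk in this patch, and its non-TLS branch selects `DIGEST-MD5`, which RFC 6331 moved to historic status. If the instance monitor only needs client credentials, the variable can be dropped from this role; if it is kept to mirror the libvirt server configuration, its comment should say so, e.g. `# Must match the mechanism list configured for libvirtd; DIGEST-MD5 is only selected when libvirt_tls is false.`. `libvirt_sasl_authname: "nova"` also appears to make the monitor authenticate with the same SASL identity as nova (the nova role is not visible here), so a one-line comment noting the shared credential would help operators who rotate it.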
diff --git a/ansible/roles/masakari/tasks/config.yml b/ansible/roles/masakari/tasks/config.yml
index 95603d7f3b..e3a10d788b 100644
--- a/ansible/roles/masakari/tasks/config.yml
+++ b/ansible/roles/masakari/tasks/config.yml
@@ -137,3 +137,21 @@
 - service.enabled | bool
 notify:
 - Restart masakari-api container
+
+- name: Copying over libvirt SASL configuration
+ become: true
+ vars:
+ service_name: "{{ item.service }}"
+ service: "{{ masakari_services[service_name] }}"
+ template:
+ src: "{{ item.src }}"
+ dest: "{{ node_config_directory }}/{{ service_name }}/{{ item.dest }}"
+ mode: "0660"
+ when:
+ - libvirt_enable_sasl | bool
+ - inventory_hostname in groups[service.group]
+ - service.enabled | bool
+ with_items:
+ - { src: "auth.conf.j2", dest: "auth.conf", service: "masakari-instancemonitor" }
+ notify:
+ - Restart {{ service_name }} container
diff --git a/ansible/roles/masakari/templates/auth.conf.j2 b/ansible/roles/masakari/templates/auth.conf.j2
new file mode 100644
index 0000000000..75576757ff
--- /dev/null
+++ b/ansible/roles/masakari/templates/auth.conf.j2
@@ -0,0 +1,6 @@
+[credentials-default]
+authname={{ libvirt_sasl_authname }}
+password={{ libvirt_sasl_password }}
+
+[auth-libvirt-default]
+credentials=default
diff --git a/ansible/roles/masakari/templates/masakari-instancemonitor.json.j2 b/ansible/roles/masakari/templates/masakari-instancemonitor.json.j2
index 6c04b1afd2..2197bc0a0e 100644
--- a/ansible/roles/masakari/templates/masakari-instancemonitor.json.j2
+++ b/ansible/roles/masakari/templates/masakari-instancemonitor.json.j2
@@ -6,7 +6,13 @@
 "dest": "/etc/masakari-monitors/masakari-monitors.conf",
 "owner": "masakari",
 "perm": "0600"
- }
+ }{% if libvirt_enable_sasl | bool %},
+ {
+ "source": "{{ container_config_directory }}/auth.conf",
+ "dest": "/var/lib/masakari/.config/libvirt/auth.conf",
+ "owner": "masakari",
+ "perm": "0600"
+ }{% endif %}
 ],
 "permissions": [
 {
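Review bot: The new "Copying over libvirt SASL configuration" task renders auth.conf.j2, which contains `libvirt_sasl_password`, but writes it with `mode: "0660"` and no explicit owner or group, while the in-container copy declared in masakari-instancemonitor.json.j2 is `0600`. Unless a host group has to read or modify the staged file, `mode: "0600"` would match the container-side permission; the neighbouring tasks in this file are outside the hunk, so check what they use before diverging. A run with `--diff` would also print the rendered credentials, which `diff: false` on this task prevents.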
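Review bot: The `[auth-libvirt-default]` section makes these credentials the fallback for every libvirt connection opened by the user that owns the file, not only the local hypervisor, and the template has no comment saying so or marking the file as secret-bearing. A leading Jinja comment such as `{# libvirt client credentials for the masakari instance monitor; used for any libvirt URI. Contains a secret. #}` would document that. `libvirt_sasl_password` has no default in this role's defaults hunk, so it is presumably supplied from the deployment's passwords file, and rendering will fail where that entry is missing.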
diff --git a/releasenotes/notes/masakari-libvirt-sasl-f368c31c0b5567b6.yaml b/releasenotes/notes/masakari-libvirt-sasl-f368c31c0b5567b6.yaml
new file mode 100644
index 0000000000..c953dd6d75
--- /dev/null
+++ b/releasenotes/notes/masakari-libvirt-sasl-f368c31c0b5567b6.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+ - |
+ Fixes an issue with Masakari instance monitor when libvirt SASL is enabled.
+ libvirt SASL was enabled by default in a recent change to Kolla Ansible.
+ `LP#1965754 `__