Compare commits

...

281 Commits

Author SHA1 Message Date
Jeremy Stanley 1183167f19 Drop the devstack-single-node-centos-7 nodeset
OpenDev is preparing to remove centos-7 nodes on March 15[*]. This
change drops one nodeset definition which is the last remaining
reference on DevStack's master branch.

[*] https://lists.openstack.org/archives/list/openstack-discuss@lists.openstack.org/message/A2YIY5L7MVYSQMTVZU3L3OM7GLVVZPLK/

Change-Id: Icd487e1012263a9b0bc13b529d31ff2025108adf
(cherry picked from commit 73da7dfb93)
2024-03-04 18:53:45 +00:00
Sean Mooney 2bb18a4caa The AZ filter is deprecated and planned for removal this cycle
To facilitate that this change removes it form the default filter
list. By default nova has used placement for AZs so this filter
has not been requried since xena.

Change-Id: Ie5e216dd8c2a7ecf43cc6954ec4f73d4d67b5b3b
(cherry picked from commit ad029c0e8b)
(cherry picked from commit 0726a4f919)
2023-08-25 20:11:58 +00:00
Zuul 461089b238 Merge "git: git checkout for a commit hash combinated with depth argument" into stable/zed 2023-08-13 21:52:17 +00:00
jskunda 722465ec97 git: git checkout for a commit hash combinated with depth argument
This patch: https://review.opendev.org/c/openstack/devstack/+/882299
provides functionality, that commit hash can be passed as last arugment,
however when GIT_DEPTH is set, it fails, as in:

timeout -s SIGINT 0 git clone https://github.com/ovn-org/ovn.git ./ovn
--depth 1 --branch 03b95a4566a15f7544f4cdf35629dacede4dcf55
fatal: Remote branch 03b95a4566a15f7544f4cdf35629dacede4dcf55
not found in upstream origin

Closes-Bug: #2023020
Change-Id: I748354964a133e028e12458cc9014d6d014cbdb9
2023-08-02 15:42:57 +02:00
Alfredo Moralejo e62f4f25f3 Use RDO official CloudSIG mirrors for C9S deployments
Instead of using RDO Trunk repo server, CentOS official mirrors provide
a most reliable infrastructure and supports EMS which is required when
enabling FIPS in C9S.

In order to install the rdo-release rpm from repo.fedoraproject.org,
which does not support EMS, I'm using a workaround to wget, which works
with non-EMS servers because it uses gnutls instead of openssl, and
install it locally with rpm.

This is also consistent to CentOS 8 implementatioin.

Closes-Bug: #2020661
Closes-Bug: #2020434
Change-Id: Icd99f467d47aaafaaf3ee8f2a3c4da08842cb672
(cherry picked from commit b2ad00cb66)
2023-08-01 15:35:41 +00:00
Dan Smith b31d70a576 nova: Bump timeout-per-gb for BFV rebuild ops
This increases the timeout we use to wait for cinder to perform a
volume reimage. Since devstack is often running on a single machine
with non-production IO performance, we should bump this limit to avoid
hitting it before the rebuild completes.

Change-Id: Ie2663b951acb0c1a65597a39e032948764e6ae6a
(cherry picked from commit 58c80b2424)
(cherry picked from commit 6767465bc5)
2023-07-18 10:19:27 +02:00
Ihar Hrachyshka 94b49698a8 git: support git checkout for a commit hash
git_clone assumes a branch or a tag is passed as the last argument, and
it fails when a commit hash is passed, as in:

timeout -s SIGINT 0 git clone https://github.com/ovn-org/ovn.git
/opt/stack/ovn --branch 36e3ab9b47e93af0599a818e9d6b2930e49473f0
Cloning into '/opt/stack/ovn'...
fatal: Remote branch 36e3ab9b47e93af0599a818e9d6b2930e49473f0 not found
in upstream origin

Change-Id: Id1328d7cba418fa7c227ae9db4fe83c09fd06035
(cherry picked from commit e8915786e1)
2023-05-04 20:07:55 +00:00
yatinkarel 4181791e06 [ovs] Reload ovs kernel module always
Irrespective of build_modules is True
or False reload ovs modules always.

If ovs is installed from package before(like
with multi-node-bridge role), then installing
ovs from source requires openvswitch kernel
module to be reloaded.

The issue was not seen before jammy as there
module was reloaded when build_modules was set
to True.

Closes-Bug: #2015364
Change-Id: I1785b49b2ef72ca1f817f504d5ea56021410c052
(cherry picked from commit 42517968ff)
(cherry picked from commit f1d555d1e7)
2023-04-14 14:39:04 +00:00
Dan Smith b12cc4181c Try to reduce mysql memory usage
These are a few tweaks I applied to my own memory-constrained cloud
instances that seemed to help. I have lower performance requirements
so this may make things worse and not better, but it's worth seeing
what the impact is. I'll admit to not knowing the full impact of these
as they're mostly collected from various tutorials on lowering memory
usage.

Enable this for now on devstack-multinode

Change-Id: I7b223391d3de01e3e81b02076debd01d9d2f097c
(cherry picked from commit 7567359755)
2023-03-21 17:39:26 +01:00
Rajat Dhasmana 977b591ee1 Create multiattach volume type for tempest
Creating multiattach volume is a non-admin operation but creating
multiattach volume type is an admin operation.
Previously cinder allowed creating multiattach volumes without a
volume type but that support is being removed with[1].
The change requires updating tempest tests[2] but some tempest
tests are non-admin, which require admin priviledges to create the
multiattach volume type.
Based on the last discussion with tempest team[3], the proposed
solution is to create a multiattach volume type in devstack,
if ENABLE_VOLUME_MULTIATTACH is True, and use it in tempest
tests. Similar to how admins create multiattach volume types
for non-admin users.

This patch creates a multiattach volume type if
ENABLE_VOLUME_MULTIATTACH is True. Also we set the multiattach
type name as a tempest config option 'volume_type_multiattach'.

[1] https://review.opendev.org/c/openstack/cinder/+/874865
[2] https://review.opendev.org/c/openstack/tempest/+/875372
[3] https://meetings.opendev.org/irclogs/%23openstack-cinder/%23openstack-cinder.2023-03-13.log.html#t2023-03-13T18:47:56

Change-Id: Icd3690565bf7b27898cd206641e612da3993703d
(cherry picked from commit 1898a683be)
(cherry picked from commit 16594b7b2a)
Conflicts: lib/cinder
    conflicts due to nvme support being added in 2023.1
    https://review.opendev.org/c/openstack/devstack/+/814193
2023-03-15 19:30:33 +00:00
Ghanshyam Mann 30a7d790b6 Fix setting the tempest virtual env constraints env var
Devstack set the env var TOX_CONSTRAINTS_FILE/UPPER_CONSTRAINTS_FILE
which are used to use the constraints during Tempest virtual env installation.
Those env var are set to non-master constraint when we need to use non-master
constraints but when we need to use the master constraints we do not set/reset
them point to master constraints. This create the issue when running the grenade
job where we run Tempest on the old devstack as well as in the new devstack.
When tempest is installed on old devstack then old tempest is used and it sets
these env var to stable/<branch> constraints (this is the case when old devstack
(the stable branch is in EM phase) uses the old tempest not the master tempest),
all good till now. But the problem comes when in the same grenade script run
upgrade-tempest install the master tempest (when new devstack branches are in
the 'supported' phase and use the master tempest means) and are supposed to use
the master constraints. But the TOX_CONSTRAINTS_FILE/UPPER_CONSTRAINTS_FILE env
var set by old tempest is used by the tempest and due to a mismatch in constraints
it fails.

This happened when we tried to pin the stable/wallaby with Tempest 29.0.0
- https://review.opendev.org/c/openstack/devstack/+/871782

and table/xena grenade job failed (stable/xena use master tempest and supposed
to use master constraints)
- https://zuul.opendev.org/t/openstack/build/fb7b2a8b562c42bab4c741819f5e9732/log/controller/logs/grenade.sh_log.txt#16641

We should set/reset those constraint env var to master constraints if configuration
tell devstack to use the master constraints.

[1] https://github.com/openstack/devstack/blob/71c3c40c269a50303247855319d1d3a5d30f6773/lib/tempest#L124

Closes-Bug: #2003993
Change-Id: I5e938139b47f443a4c358415d0d4dcf6549cd085
(cherry picked from commit 7fe998109b)
2023-01-26 22:38:37 -06:00
yatinkarel 74dbd6ee8d [OVN] Ensure socket files are absent in init_ovn
Just like we remove db files let's also remove
socket files when initializing ovn. Those will
reappear once service fully restarts along with
db files. Without it we see random issue as
described in the below bug.

Closes-Bug: #2002629
Change-Id: I726a9cac9c805d017273aa79e844724f0d00cdf0
(cherry picked from commit 7fecba2f13)
2023-01-17 05:47:46 +00:00
Ghanshyam Mann 44c3ea4f1b [stable-only] Pin tox<4 in run-both.yaml playbook also
We pinned tox<4 in ensure-tox pre.yaml playbook
- https://review.opendev.org/q/I9a138af94dedc0d8ce5a0d519d75779415d3c30b

but did not realize that it is used in run-both.yaml playbook
also where we should pin too.

Depends-On: https://review.opendev.org/c/openstack/swift/+/869519

Change-Id: I4407f7036e3fd51ac79f68791151c3f9cd03bd01
2023-01-07 02:56:35 +00:00
Ghanshyam Mann 211cc4c036 Pin tox<4.0.0 for <=stable/zed branch testing
Tox 4.0.0 has some incompatible changes, epecially more
strict on allowlist_externals. Tempest recently changed
allowlist_externals not to be *[1] causing the failure
on jobs where lib/tempest failing to run the tempest
as command in virtual env.

----------
venv: commands[0]> tempest verify-config -uro /tmp/tmp.qH5KgJHTF4
venv: failed with tempest is not allowed, use allowlist_externals to allow it
------

We do not need to test/fix the <=stable/zed branches with tox 4.0.0
and pinning them with the compatible tox version of the time stable
brnaches were releaased is better way.

This commit proposes:
1. Pinning the tox<4.0.0 for <=stable/ze branches testing
2. Workaround to unblock the master gate by pinning it <4.0.0 but
we should make our testing compatible with tox 4.0.0 soon.

Depends-On: https://review.opendev.org/c/openstack/devstack/+/867067

Related-Bug: #1999183

[1] https://review.opendev.org/c/openstack/tempest/+/865314 devstack based job started failing to run tempest command on venv.

Change-Id: I9a138af94dedc0d8ce5a0d519d75779415d3c30b
(cherry picked from commit ba54baa425)
2022-12-09 02:54:44 +00:00
Martin Kopec e6bb5c9959 Stop running devstack-no-tls-proxy on stable branch
Let's run devstack-no-tls-proxy job only on master periodic.

Change-Id: I4c0a5144da2549fe988bbabe8536e9a9873e1cf7
2022-11-29 17:06:39 +01:00
Dr. Jens Harbott 49c1a34e7a Remove Fedora platform jobs from Zed branch
These jobs are not intended to run on stable branches; remove them
to avoid issues with updating the nodeset on the master branch:

- devstack-platform-fedora-latest
- devstack-platform-fedora-latest-virt-preview

Change-Id: I4044c20765ad96fb5304d145b2c18be9736de7f3
2022-10-07 08:12:45 +02:00
Martin Kopec aeae198c17 Stop installing Tempest at system wide for stable branch
As added in notes for INSTALL_TEMPEST variable, we need to set
this to False for a stable branch so that devstack does not
install Tempest system wide.

Change-Id: I8a79feedb676514dfe9c3125c9d8e66417547d52
2022-09-30 14:05:04 +02:00
Martin Kopec 88b9edf921 Cap stable/zed network, swift, volume api_extensions for tempest
This commit caps the network, volume and swift extensions on
Tempest's config option api_extensions.

Change-Id: I33d17c81a40861284087de337bc33b3d9e60f076
2022-09-29 17:42:58 +02:00
Martin Kopec 12752ea219 Cap max microversions for stable/zed
This commit cap the max microversions for compute, volume
and placement API for stable/zed.

Compute - https://opendev.org/openstack/nova/src/branch/stable/zed/nova/api/openstack/compute/rest_api_version_history.rst#microversion%202.93

Volume - https://opendev.org/openstack/cinder/src/branch/stable/zed/cinder/api/openstack/rest_api_version_history.rst#section-58

Placement - https://opendev.org/openstack/placement/src/branch/master/placement/rest_api_version_history.rst#support-for-the-any-traits-syntax-in-the-required-parameter

Change-Id: I43361fdf1a7e1da8dade305470c1c17fe0ce6454
2022-09-28 02:22:43 +02:00
Martin Kopec 100946429a Update branches for stable/zed
Step 4 of the Devstack release:
https://wiki.openstack.org/wiki/QA/releases

Change-Id: I8af6e1ca1bdfb0718b0bda83142fb2a91e61f9d5
2022-09-28 02:11:28 +02:00
OpenStack Release Bot 0e95a7221a Update TOX_CONSTRAINTS_FILE for stable/zed
Update the URL to the upper-constraints file to point to the redirect
rule on releases.openstack.org so that anyone working on this branch
will switch to the correct upper-constraints list automatically when
the requirements repository branches.

Until the requirements repository has as stable/zed branch, tests will
continue to use the upper-constraints list on master.

Change-Id: I7089a04cff68145388f12dab18c6cdd1a5a96336
2022-09-27 08:30:36 +00:00
OpenStack Release Bot ce2962ab48 Update .gitreview for stable/zed
Change-Id: I4fd09e5412f4e3b51a20f6d83271b3870d6f572e
2022-09-27 08:30:34 +00:00
Zuul 0b0e6a6474 Merge "[ci] Remove the implied-branches pragma" 2022-09-20 16:22:26 +00:00
Zuul b5c2e7b3fa Merge "Respect constraints on tempest venv consistently" 2022-08-30 22:53:05 +00:00
Slawek Kaplonski 3de92db663 Fix installation of OVS/OVN from sources
This patch changes user who runs ovsdb-server and ovn-nortd services
to root.
It also adds installation of the libssl dev package before compilation
of the openvswitch if TLS service is enabled.

Co-Authored-By: Fernando Royo <froyo@redhat.com>

Closes-Bug: #1987832
Change-Id: I83fc9250ae5b7c1686938a0dd25d66b40fc6c6aa
2022-08-26 13:00:03 +02:00
June Yi b9b6d6b862 Respect constraints on tempest venv consistently
In case of online mode, there is a procedure to recreate tempest venv.
For consistency of tempest venv during the entire stack.sh process,
add logic to consider the TEMPEST_VENV_UPPER_CONSTRAINTS option here.

Closes-bug: #1980483
Signed-off-by: June Yi <june.yi@samsung.com>
Change-Id: I0cea282152fd363af8671cab1b5f733ebe2bd4df
2022-08-25 19:59:34 +09:00
Zuul 995c906950 Merge "Clean up n-net remnants" 2022-08-24 17:50:52 +00:00
Zuul 8fa03a37ad Merge "Clean up neutron cleanup code" 2022-08-23 20:05:48 +00:00
Zuul c61380a136 Merge "Clean up use of get_field" 2022-08-23 18:08:05 +00:00
Zuul 3154eab0d7 Merge "Cinder: add creator role when barbican is enabled" 2022-08-23 16:57:32 +00:00
Dr. Jens Harbott e7d2623dca Clean up neutron cleanup code
neutron-ns-metadata-proxy was dropped from Neutron 5 years ago, no need
to keep trying to kill it.

Change-Id: I20b6d68dd8dde36057a2418bca0841bdea377b07
2022-08-23 18:08:19 +02:00
Alan Bishop ccd116d364 Cinder: add creator role when barbican is enabled
When barbican is enabled, add the "creator" role to cinder's service
user so that cinder can create secrets. Cinder needs to create
barbican secrets when migrating encryption keys from the legacy
ConfKeyManager to barbican. Cinder also needs to create barbican
secrets in order to support transferring encrypted volumes.

Implements: bp/transfer-encrypted-volume
Depends-On: I216f78e8a300ab3f79bbcbb38110adf2bbec2196
Change-Id: Ia3f414c4b9b0829f60841a6dd63c97a893fdde4d
2022-08-22 19:52:00 -07:00
Dr. Jens Harbott ca5f919561 Clean up n-net remnants
In I90316208d1af42c1659d3bee386f95e38aaf2c56 support for nova-network
was removed, but some bits remained, fix this up.

Change-Id: Iba7e1785fd0bdf0a6e94e5e03438fc7634621e49
2022-08-21 10:52:41 +02:00
Eliad Cohen fdfc14451a Clean up use of get_field
Openstack client can return the id field for create/show commands using
`-f value -c id`. Cleaned up the use of grep 'id' with get_field

Change-Id: I2f4338f30c11e5139cda51c92524782b86f0aacc
2022-08-16 15:27:45 -04:00
Martin Kopec 90e5479f38 Remove forgotten LinuxMint occurrence
Right now we don't officialy support LinuxMint as our
documentation says [1], it seems LinuxMint is a relict
and got forgotten over time.

This patch removes LinuxMint from the code in order not to
confuse users.

[1] https://docs.openstack.org/devstack/latest/
Closes-Bug: #1983427

Change-Id: Ie1ced25f89389494b28a7b2e9bb1c4273e002dd5
2022-08-16 17:29:16 +02:00
Zuul 28ee346393 Merge "iniset: fix handling of values containg ampersand" 2022-08-10 14:21:00 +00:00
Zuul ea82effa19 Merge "Fix doc for adding sudo privileges to stack user" 2022-08-10 10:52:19 +00:00
Nobuhiro MIKI d266c87b1d iniset: fix handling of values containg ampersand
Attempting to set a value containing the ampersand
character (&) by iniset would corrupt the value.
So, add an escaping process.

Signed-off-by: Nobuhiro MIKI <nmiki@yahoo-corp.jp>
Closes-Bug: #1983816
Change-Id: Ie2633bacd2d761d110e6cb12f95382325c329415
2022-08-08 18:59:53 +09:00
Zuul 51a3f2ef1e Merge "delete __pycache__ directory with sudo privileges" 2022-08-06 17:28:46 +00:00
Zuul d9e2d10d28 Merge "Neutron: Do not set removed allow_overlapping_ips" 2022-08-03 12:13:54 +00:00
Hoai-Thu Vuong 79bef068b6 remove duplicate line of REGION_NAME
Change-Id: I42b270749f057c5751e809aba282112b990b9f38
2022-08-02 14:41:59 +07:00
Zuul 8506b5bd7c Merge "Add NEUTRON_ENDPOINT_SERVICE_NAME variable to set service name" 2022-08-02 00:06:56 +00:00
Zuul 0af962d60a Merge "Neutron: Set experimental option to use linuxbridge agent" 2022-08-01 23:36:22 +00:00
Martin Kopec b70d98fe75 Fix doc for adding sudo privileges to stack user
Writing NOPASSWD directive into /etc/sudoers was throwing
permission denied errors. This commit writes the directive
to the /etc/sudoers.d/stack file instead.

Closes-Bug: #1981541
Change-Id: If30f01aa5f3a33dda79ff4a6892116511c8e1542
2022-07-20 14:06:42 +00:00
Takashi Kajinami facf15626e Neutron: Do not set removed allow_overlapping_ips
The parameter has been removed from neutron by [1].

[1] fde91e8059a9a23fb7ece6e3463984329c7ea581

Change-Id: I3b838ea741d19729d6fcf03c0478b1b4d8ec1213
2022-07-19 13:24:38 +00:00
Slawek Kaplonski 1a21ccbdf8 Add NEUTRON_ENDPOINT_SERVICE_NAME variable to set service name
This option can be used to set name of the service used in the
networking service endpoint URL.

Depends-On: https://review.opendev.org/c/openstack/grenade/+/850306

Change-Id: I9e9a06eadc1604214c627bd3bda010cc00aaf83d
2022-07-19 14:51:24 +02:00
Takashi Kajinami cf0bf746e9 Neutron: Set experimental option to use linuxbridge agent
Recently the experimental mechanism has been added to Neutron and now
it requires the [experimental] linuxbridge option when the linuxbridge
mechanism driver is used.

Depends-on: https://review.opendev.org/c/openstack/neutron/+/845181
Change-Id: Ice82a391cda9eb0193f23e6794be7ab3df12c40b
2022-07-19 12:46:04 +02:00
Yadnesh Kulkarni 85340e77f3 delete __pycache__ directory with sudo privileges
Signed-off-by: Yadnesh Kulkarni <ykulkarn@redhat.com>
Change-Id: I9cf3cd8921347eacc1effb2b197b97bc6ff3e0df
2022-07-11 17:14:40 +05:30
Dr. Jens Harbott bd6e5205b1 Increase timeout waiting for OVN startup
We see some cases where OVN startup takes much longer than 5 seconds, up
to 28 seconds have been observed, so increase the limit to 40 to be on
the safe side.

Signed-off-by: Dr. Jens Harbott <harbott@osism.tech>
Closes-Bug: 1980421
Change-Id: I6da4a537e6a8d527ff71a821f07164fc7d342882
2022-07-03 22:30:41 +02:00
Zuul 02f8c16c9b Merge "Make devstack-platform-debian-bullseye voting" 2022-06-30 07:37:03 +00:00
Zuul 8d347090d3 Merge "Do not create cinder backup pool and key when cephadm is used" 2022-06-29 19:02:12 +00:00
Martin Kopec e1fb94f82a Make devstack-platform-debian-bullseye voting
The job has been successfully passing lately, let's make it voting.

Change-Id: Ib3b803a26c8647fd49c89371516c0ac7baba2703
2022-06-29 10:43:33 +02:00
Slawek Kaplonski ce1ae9ddef Fix missing "$" in the ENFORCE_SCOPE's variable name
Because of the missing "$" before ENFORCE_SCOPE in the lib/neutron
module, it was treated as an ENFORCE_SCOPE string instead of variable
and Neutron was deployed always with old defaults and disabled scope
enforcement.

Change-Id: Ibe67fea634c5f7abb521c0369ff30dd5db84db8c
2022-06-29 09:57:50 +02:00
Zuul 9ddae9b388 Merge "Avoid including bad service names in perf.json" 2022-06-24 11:11:19 +00:00
Dan Smith fe7cfa6b8c Avoid including bad service names in perf.json
Some of the API services are not properly mounted under /$service/
in the apache proxy. This patch tries to avoid recording data
for "services" like "v2.0" (in the case of neutron) by only adding
names if they're all letters. A single warning is emitted for any
services excluded by this check.

For the moment this will mean we don't collect data for those services,
but when their devstack API config is fixed, they'll start to show
up.

Change-Id: I41cc300e89a4f97a008a8ba97c91f0980f9b9c3f
2022-06-23 09:25:22 -07:00
Vladislav Belogrudov 8a38a73ddf Correct hostname for OVN agent
Currently Devstack uses short hostname for configuration of OVN.
This leads to inability to start instances (failing port binding)
on hosts with full hostnames (including dots). Open vSwitch expects
hostname in external_ids that corresponds to one returned by
``hostname`` command.

Closes-Bug: #1943631
Change-Id: I15b71a49c482be0c8f15ad834e29ea1b33307c86
2022-06-23 07:42:19 +02:00
Zuul eacaa99853 Merge "Reduce memory consumption in Cinder services" 2022-06-22 08:53:39 +00:00
Martin Kopec 8ff52ea12b Mark devstack-platform-centos-9-stream as n-v
Due to the below bug the job has been constantly failing.
Let's make it n-v until the bug is resolved:
  - https://bugs.launchpad.net/neutron/+bug/1979047

Change-Id: Ifc8cc96843a8eac5c98cd1e1f9e4b6287a7f2e7c
2022-06-21 17:31:50 +02:00
Gorka Eguileor d5af514ac9 Reduce memory consumption in Cinder services
This patch reduces memory usage on the Cinder Volume and Backup services
by tuning glibc.

The specific tuning consist on disabling the per thread arenas and
disabling dynamic thresholds.

The Cinder Backup service suffers from high water mark memory usage and
uses excessive memory.  As an example just after 10 restore operations
the service uses almost 1GB of RAM and does not ever free it afterwards.
With this patch the memory consumption of the service is reduced down to
almost 130MB.  If we add a revert from Cinder (Change-Id
I43a20c8687f12bc52b014611cc6977c4c3ca212c) it goes down to 100MB during
my tests.

This glibc tuning is not applied to all Python services because I
haven't done proper testings on them and at first glance they don't seem
to have such great improvements.

Related-bug: #1908805
Change-Id: Ic9030d01468b3189350f83b04a8d1d346c489d3c
2022-06-21 12:16:32 +02:00
Zuul 44d07f3001 Merge "Run debian platform job with OVN" 2022-06-15 15:14:52 +00:00
Zuul 8eede1fc39 Merge "Add support for IPv6 tunnel endpoints" 2022-06-08 21:39:03 +00:00
Zuul 7391297bc3 Merge "Capture QEMU core dumps when possible" 2022-06-08 20:35:06 +00:00
Dr. Jens Harbott e6e7100e85 Don't install pinned setuptools with distro pip
We are seeing failures when using an updated setuptools version
installed together with distro pip on Ubuntu 22.04. Install the version
from u-c only when we are also installing pip from upstream.

Change-Id: Ibb6e9424e5794ccbf9a937d2eecfa3bf60ed312e
2022-06-07 13:42:54 +02:00
Brian Haley c869d59857 Add support for IPv6 tunnel endpoints
Currently, neutron tunnel endpoints must be IPv4 addresses,
i.e. $HOST_IP, although IPv6 endpoints are supported by most
drivers.

Create a TUNNEL_IP_VERSION variable to choose which host IP
to use, either HOST_IP or HOST_IPV6, and configure it in the
OVS and Linuxbridge agent driver files. The default is still
IPv4, but it can be over-ridden by specifying TUNNEL_ENDPOINT_IP
accordingly.

This behaves similar to the SERVICE_IP_VERSION option, which
can either be set to 4 or 6, but not 4+6 - the tunnel overhead
should be consistent on all systems in order not to have MTU
issues.

Must set the ML2 overlay_ip_version config option to match
else agent tunnel sync RPC will not work.

Must set the OVN external_ids:ovn-encap-ip config option to
the correct address.

Updated 'devstack-ipv6-only' job definition and verification role
that will set all services and tunnels to use IPv6 addresses.

Closes-bug: #1619476

Change-Id: I6034278dfc17b55d7863bc4db541bbdaa983a686
2022-06-07 02:28:51 +00:00
Francesco Pantano 96dbf55016 Do not create cinder backup pool and key when cephadm is used
When cephadm is used, if ENABLE_CEPH_C_BAK is True both pool and
key are created by devstack-plugin-ceph. This piece of code can
still stay here to make sure the cinder config is properly built.

Change-Id: I799521f008123b8e42b2021c1c11d374b834bec3
2022-06-06 14:19:32 +02:00
Zuul e661cae7e8 Merge "Allow to skip stop of ovn services" 2022-06-03 20:40:15 +00:00
Zuul 906cf81528 Merge "Add apache2 to the services we collect for memory" 2022-06-03 18:44:10 +00:00
Dan Smith f7d87aa433 Capture QEMU core dumps when possible
Some of the hardest-to-debug issues are qemu crashes deep in a nova
workflow that can't be reproduced locally. This adds a post task to
the playbook so that we capture the most recent qemu core dump, if
there is one.

Change-Id: I48a2ea883325ca920b7e7909edad53a9832fb319
2022-06-03 07:54:35 -07:00
yatinkarel 35fb53423a [ironic][swift]Temporary add sha1 to allowed_digests
Swift removed sha1 from supported digests with [1] and
that broked ironic tinyipa job. Temorary add sha1 to
allowed_digests until it's fixed in ironic.

[1] https://review.opendev.org/c/openstack/swift/+/525771

Story: 2010068
Task: 45539
Change-Id: I68dfc472ce901058b6a7d691c98ed1641d431e54
2022-06-03 11:52:50 +05:30
Zuul 0ae279b54a Merge "Fix doc and user create script to set homedir permissions" 2022-05-31 21:15:54 +00:00
Zuul d0657a02e5 Merge "Do not barf stack trace if stats DB is missing" 2022-05-31 19:04:26 +00:00
yatinkarel 6dd896fefa Allow to skip stop of ovn services
Grenade jobs stop services, check fip connectivity
for a nova server and then upgrade to next release.

But since ovn data plane and db services are stopped along
with other services, fip connectivity fails as a result.

We shouldn't stop these services along with other
neutron services. This patch adds a new variable
"SKIP_STOP_OVN" which can be used by grenade jobs
to skip stop of ovn services.

This will also fix the ovn grenade jobs.

Also source fixup_stuff.sh so function fixup_ovn_centos
is available. It's already sourced in stack.sh but
that's not used in grenade run.

Change-Id: I94818a19f19973779cb2e11753d2881d54dfa3bc
2022-05-31 12:57:39 +05:30
Dan Smith e85c68e60f Add apache2 to the services we collect for memory
Change-Id: Ic6daef5b4df50ce43c6782542cb54c1958e54655
2022-05-26 09:31:36 -07:00
Zuul 0e08e9b48c Merge "Cleanup comment that should've been removed" 2022-05-25 09:12:18 +00:00
Dr. Jens Harbott 599b241d32 Run debian platform job with OVN
Packages for OVN are now available in bullseye, so we can drop the
special handling.

Signed-off-by: Dr. Jens Harbott <harbott@osism.tech>
Change-Id: I5e5c78aa19c5208c207ddcf14e208bae8fbc3c55
2022-05-25 08:57:56 +00:00
yatinkarel c64ea4f213 Fix doc and user create script to set homedir permissions
RHEL based distros set homedir permissions to 700,
and Ubuntu 21.04+ to 750[1], i.e missing executable
permission for group or others, this results into failures
as defined in the below bug.

Since in doc we add useradd command, it's good to
add instructions to fix the permissions there itself
instead of getting failures during installation and then
fixing it.

Also update user create script to fix permissions
by adding executable bit to DEST directory if missing.

[1] https://discourse.ubuntu.com/t/private-home-directories-for-ubuntu-21-04-onwards/19533

Closes-Bug: #1966858
Change-Id: Id2787886433281238eb95ee11a75eddeef514293
2022-05-25 06:34:30 +00:00
Zuul 8e1d5aa22e Merge "Drop openEuler support" 2022-05-24 11:34:09 +00:00
Dan Smith 1cdf413ac6 Do not barf stack trace if stats DB is missing
This can happen if devstack fails to run, but we still run the post
tasks. Also could happen if some sort of hybrid job configuration
does not run all of devstack but we still end up running post jobs.

Just warn to stderr and assume no DB info.

Change-Id: I211a331ab668dbb0ad7882908cca4363f865d924
2022-05-23 13:56:13 -07:00
Clark Boylan 1d5be95196 Cleanup comment that should've been removed
The previous change, I237f5663b0f8b060f6df130de04e17e2b1695f8a, removed
a SETUPTOOLS flag, but not the comment explaining why that flag was
previously set. Clean up that comment.

Change-Id: I32b0240fd56310d7f10596aaa8ef432679bfd66a
2022-05-23 08:46:50 -07:00
Clark Boylan 50e3c06ec2 Fix dbcounter installation on Jammy
There are two problems with dbcounter installation on Jammy. The first
is straightforward. We have to use `py_modules` instead of `modules` to
specify the source file. I don't know how this works on other distros
but the docs [0] seem to clearly indicate py_modules does this.

The second issue is quite an issue and requires story time. When
pip/setuptools insteall editable installs (as is done for many of the
openstack projects) it creates an easy-install.pth file that tells the
python interpreter to add the source dirs of those repos to the python
path. Normally these paths are appended to your sys.path. Pip's isolated
build env relies on the assumption that these paths are appeneded to the
path when it santizes sys.path to create the isolated environemnt.

However, when SETUPTOOLS_SYS_PATH_TECHNIQUE is set to rewrite the paths
are not appended and are inserted in the middle. This breaks pip's
isolated build env which broke dbcounter installations. We fix this by
not setting SETUPTOOLS_SYS_PATH_TECHNIQUE to rewrite. Upstream indicates
the reason we set this half a decade ago has since been fixed properly.

The reason Jammy and nothing else breaks is that python3.10 is the first
python version to use pip's isolated build envs by default.

I've locally fiddled with a patch to pip [1] to try and fix this
behavior even when rewrite is set. I don't plan to push this upstream
but it helps to illustrate where the problem lies. If someone else would
like to upstream this feel free.

Finally this change makes the jammy platform job voting again and adds
it to the gate to ensure we don't regress again.

[0] https://docs.python.org/3/distutils/sourcedist.html#specifying-the-files-to-distribute
[1] https://paste.opendev.org/show/bqVAuhgMtVtfYupZK5J6/

Change-Id: I237f5663b0f8b060f6df130de04e17e2b1695f8a
2022-05-20 10:35:18 -07:00
Zuul 34c2842676 Merge "Configure placement section in neutron conf" 2022-05-19 17:23:50 +00:00
Dr. Jens Harbott 560ee16a85 Drop openEuler support
The job is broken since it is running with python3.7 and most services
now require at least python3.8.

Signed-off-by: Dr. Jens Harbott <harbott@osism.tech>
Change-Id: Ie21f71acffabd78c79e2b141951ccf30a5c06445
2022-05-19 14:06:11 +02:00
Dr. Jens Harbott 083eeee5af Make jammy platform jobs non-voting
We missed to add the jobs to the gate queue and so they have already
regressed before they were actually in place. Make them non-voting for
now until the issues are fixed.

Signed-off-by: Dr. Jens Harbott <harbott@osism.tech>
Change-Id: I5d1f83dfe23747096163076dcf80750585c0260e
2022-05-19 13:55:35 +02:00
Zuul 08254ca312 Merge "Add Ubuntu 22.04 LTS (jammy) platform job" 2022-05-19 08:16:18 +00:00
Zuul 2f889954ce Merge "lib/tempest: add wait for Glance image import" 2022-05-18 15:38:49 +00:00
Brian Rosmaita 111a38b4d6 lib/tempest: add wait for Glance image import
Glance image import is asynchronous and may be configured to do image
conversion.  If image import is being used, it's possible that the
tempest configuration code is executed before the import has
completed and there may be no active images yet.  In that case,
we will poll glance every TEMPEST_GLANCE_IMPORT_POLL_INTERVAL seconds
(default: 1) to see if there are TEMPEST_GLANCE_IMAGE_COUNT active
images (default: 1) up to TEMPEST_GLANCE_IMPORT_POLL_LIMIT times
(default: 12).

You can see an example of the issue this patch addresses in real
life:
https://review.opendev.org/c/openstack/glance/+/841278/1#message-456096e48b28e5b866deb8bf53e9258ee08219a0

Change-Id: Ie99f12691d9062611a8930accfa14d9540970cc5
2022-05-18 08:22:49 -04:00
Zuul 9eb64896dd Merge "Use proper sed separator for paths" 2022-05-18 11:30:49 +00:00
yatinkarel 92a34dbe95 Configure placement section in neutron conf
Without it segment plugin fails to connect with
placement api. Configure the placement section
if service is deployed.

Closes-Bug: #1973783
Change-Id: Ie7f37770a04f622735cf2263c601257669ab5064
2022-05-18 15:27:40 +05:30
Zuul 47b7b84422 Merge "Improve API log parsing" 2022-05-18 00:19:23 +00:00
Zuul 4fd2831753 Merge "Change DB counting mechanism" 2022-05-18 00:19:20 +00:00
Zuul 071374fa05 Merge "Collect status of all services" 2022-05-17 18:40:28 +00:00
Zuul 83a81755ac Merge "Wait for OVN dbs also along with sockets" 2022-05-12 19:03:49 +00:00
Dan Smith 64d68679d9 Improve API log parsing
Two runs of the same job on the same patch can yield quite different
numbers for API calls if we just count the raw calls. Many of these
are tempest polling for resources, which on a slow worker can require
many more calls than a fast one.

Tempest seems to not change its User-Agent string, but the client
libraries do. So, if we ignore the regular "python-urllib" agent
calls, we get a much more stable count of service-to-service API
calls in the performance report.

Note that we were also logging in a different (less-rich) format for
the tls-proxy.log file, which hampers our ability to parse that
data in the same format. This switches it to "combined" which is used
by the access.log and contains more useful information, like the
user-agent, among other things.

Change-Id: I8889c2e53f85c41150e1245dcbe2a79bac702aad
2022-05-12 07:55:30 -07:00
Dan Smith fe52d7f0a8 Change DB counting mechanism
The mysql performance_schema method for counting per-database queries
is very heavyweight in that it requires full logging (in a table) of
every query. We do hundreds of thousands in the course of a tempest
run, which ends up creating its own performance problem.

This changes the approach we take, which is to bundle a very tiny
sqlalchemy plugin module which counts just what we care about in
a special database.

It is more complex than just enabling the features in mysql, but it
is a massively smaller runtime overhead. It also provides us the
opportunity to easily zero the counters just before a tempest run.

Change-Id: I361bc30bb970cdaf18b966951f217862d302f0b9
2022-05-12 07:55:02 -07:00
Dr. Jens Harbott 5c765cb8a1 Add Ubuntu 22.04 LTS (jammy) platform job
The new Ubuntu LTS release has been made last week, start running
devstack on it as a platform job.

Horizon has issues with py310, so gets disabled for now.

Run variants with OVS and OVN(default).

Co-Authored-By: yatinkarel <ykarel@redhat.com>
Signed-off-by: Dr. Jens Harbott <harbott@osism.tech>
Change-Id: I47696273d6b009f754335b44ef3356b4f5115cd8
2022-05-12 13:54:02 +02:00
Zuul d450e146cc Merge "Global option for enforcing scope (ENFORCE_SCOPE)" 2022-05-07 10:51:35 +00:00
yatinkarel 1baa8905d5 Wait for OVN dbs also along with sockets
When OVN is setup from distro packages, the
main service is ovn-central which when restarted,
restarts ovn-northd, ovn nb and db services.

And during the restart ovn dbs(ovnnb_db.db and ovnsb_db.db)
are created, which may sometime takes time as seen with
ubuntu jammy tests[1].

We already checking for socket's file to be available,
let's also check for db files as without it ovn-*ctl
operations succeed but changes are not persisted until
db files are available and changes are lost with the restart.

[1] https://review.opendev.org/c/openstack/devstack/+/839389

Change-Id: I178da7af8cba8bcc8a67174e439df7c0f2c7d4d5
2022-05-06 18:06:18 +05:30
yatinkarel 42be2425d8 Collect status of all services
Would be helpful in troubleshooting services
which either fails to start or takes time to
start.

Related-Bug: #1970679
Change-Id: Iba2fce5f8b1cd00708f092e6eb5a1fbd96e97da0
2022-04-29 16:40:32 +00:00
Zuul 85c2999e27 Merge "Tolerate missing deps in get-stats.py" 2022-04-27 22:49:07 +00:00
Zuul bfae1bee79 Merge "Set public bridge up for v6 only configurations" 2022-04-27 10:21:07 +00:00
Zuul 48417ca241 Merge "Drop centos 8 stream testing" 2022-04-26 19:57:12 +00:00
Dan Smith 1b601c7b1e Tolerate missing deps in get-stats.py
In order to run on systems where not all requirements are present,
we should be tolerant of missing external dependencies, such as
psutil and pymysql. Print a warning (to stderr) and just leave out
those stats in that case.

Also make running the stats collector use ignore_errors:yes to avoid
failures in the future. I think the stats is not critical enough to
fail a job for bugs like this.

Related-Bug: #1970195
Change-Id: I132b0e1f5033c4f109a8b8cc776c0877574c4a49
2022-04-26 08:02:39 -07:00
Harald Jensås bab0c92103 Use tryint() for stats value
In some cases the value is [not set], in this case
the conversion to integer does not work.

Closes-Bug: #1970431
Change-Id: I74df7d8bc9f5cbe0709a6471cf7639caea0b58e8
2022-04-26 15:51:35 +02:00
Julia Kreger 6964ba4a98 Set public bridge up for v6 only configurations
A long time ago, Ironic's IPv6 only job started to fail working with
errors indicated the host was unreacable. Turns out, this was because
the $ext_gw_interface was not being set to up, and thus could
be found in a Down state, and thus the kernel would not accept routes
for it.

Adds an explicit step to turn up the public bridge, much as done in
the IPv4 router plugin code which would also be executed in 4+6.

That being said, Ironic's CI jobs are very intentionally IPv6 only
to ensure that we have no chances of v4 addressing getting used
at any point in time.

This should allow Ironic to return it's IPv6 only CI job back
to the normal check queue, once a ironic plugin issue has been
resolved which was introduced while it was removed.

Change-Id: I121ec8a2e9640b21a7126f2eeb23da36b4aa95bf
2022-04-26 06:37:31 -07:00
Grzegorz Grasza 8615563df4 Global option for enforcing scope (ENFORCE_SCOPE)
This updates each devstack service library, to use it as the
default value for service-specific RBAC configuration.

Change-Id: I41061d042206c411ee3dd94ce91098e612af7ae7
2022-04-26 14:17:20 +02:00
Ghanshyam Mann c6dfd169ae Drop centos 8 stream testing
In Zed cycle testing runtime, we are targetting the centos 9 stream
- https://governance.openstack.org/tc/reference/runtimes/zed.html

With dropping the python 3.6 support, project started adding python 3.8
as minimum, example nova:
- https://github.com/openstack/nova/blob/56b5aed08c6a3ed81b78dc216f0165ebfe3c3350/setup.cfg#L13

with that, centos 8 stream job is failing 100%
- https://zuul.openstack.org/build/970d029dc96742c3aa0f6932a35e97cf
- https://zuul.openstack.org/builds?job_name=devstack-platform-centos-8-stream&skip=0

This commit drops centos-8-stream testing so that we focus on centos-9-stream.

Change-Id: I045e67b1ca79aba1b2a7be9f88d7804c69c6d781
2022-04-25 15:24:39 -05:00
Zuul 3b0c035b90 Merge "install mod_ssl on centos 9 stream by default" 2022-04-25 20:04:16 +00:00
Balazs Gibizer 7191c5e7e7 Use proper sed separator for paths
I941ef5ea90970a0901236afe81c551aaf24ac1d8 added a sed command that
should match and delete path values but used '/' as sed separator. This
leads to error in unstack.sh runs when the path also contains '/':

+./unstack.sh:main:188 sudo sed -i '/directory=/opt/stack/ d' /etc/gitconfig
sed: -e expression #1, char 13: unknown command: `o'

So this patch replace '/' separator with '+'.

Change-Id: I06811c0d9ee7ecddf84ef1c6dd6cff5129dbf4b1
2022-04-25 15:26:28 +02:00
Zuul 76c519bde6 Merge "modify the sample value of LOGDAYS" 2022-04-22 11:09:36 +00:00
Zuul 45f71b10ef Merge "Gather performance data after tempest" 2022-04-21 23:06:35 +00:00
Sean Mooney af75f689fa install mod_ssl on centos 9 stream by default
This change adds mod_ssl to the default set of rpms installed
on rpm based distros.

this is required if the tls-proxy service is enabled
for multi node centos based jobs.

Change-Id: I52652de88352094c824da68e5baf7db4c17cb027
2022-04-21 20:40:44 +01:00
Zhou Yanbing 4423450eb3 modify the sample value of LOGDAYS
the value of LOGDAYS in samples/local.conf is 2, so change the
value in the comment and the sample value in the document to
be consistent with it.

Change-Id: I5822bbf1d6ad347c67c886be1e3325113d079114
2022-04-21 15:00:41 +08:00
Dan Smith c2772c2984 Gather performance data after tempest
This makes us gather a bunch of consistent statistics after we run
tempest that can be use to measure the impact of a given change. These
are stable metrics such as "number of DB queries made" and "how much
memory is each service using after a tempest run."

Note that this will always run after devstack to generate the JSON
file, but there are two things that control its completeness:

 - MYSQL_GATHER_PERFORMANCE must be enabled to get per-db stats
 - Unless tls-proxy is enabled, we will only get API stats for keystone

Change-Id: Ie3b1504256dc1c9c6b59634e86fa98494bcb07b1
2022-04-20 13:07:22 -07:00
Zuul d380858b2d Merge "Add OpenStack two nodes nodeset for Centos 9" 2022-04-19 05:48:02 +00:00
Dan Smith 4baeb3b51f Write safe.directory items to system git config
This is necessary for more consistent behavior across multiple
distro versions. Apparently somewhere along the way, git started
looking at the current user's home directory instead of $HOME.

Related-Bug: https://bugs.launchpad.net/devstack/+bug/1968798

Change-Id: I941ef5ea90970a0901236afe81c551aaf24ac1d8
2022-04-18 08:05:44 -07:00
Ian Wienand 676dcaf944 Mark our source trees as safe for git to use as other users
git commit [1] introduced a new behaviour to work around a CVE that
disallows any git operations in directories not owned by the current
user.

This may seem unrelated to installation, but it plays havoc with PBR,
which calls out to git to get to get revision history.  So if you are
"pip install"-ing from a source tree you don't own, the PBR git calls
in that tree now fail and the install blows up.

This plays havoc with our model.  Firstly, we checkout all code as
"stack" then install it globally with "sudo" (i.e. root) -- which
breaks.  We also have cases of essentially the opposite -- checkouts
we have installed as root, but then run tox in them as a regular user;
tox wants to install the source in its venv but now we have another
user conflict.

This uses the only available configuration option to avoid that by
globally setting the source directories we clone as safe.  This is an
encroachment of the global system for sure, but is about the only
switch available at the moment.  For discussion of other approaches,
see [2].

Related-Bug: https://bugs.launchpad.net/devstack/+bug/1968798

[1] https://github.com/git/git/commit/8959555cee7ec045958f9b6dd62e541affb7e7d9
[2] https://review.opendev.org/c/openstack/devstack/+/837636

Change-Id: Ib9896a99b6d6c4d359ee412743ce30512b3c4fb7
2022-04-13 16:49:07 +10:00
Zuul ce0ff1fd9d Merge "ensure /usr/local/bin in in path" 2022-04-11 14:57:13 +00:00
Sean Mooney eca9783a0a ensure /usr/local/bin in in path
osc is typicaly installed in /usr/local/bin
to avoid command not found errors when invoking osc
in devstack ensure that /usr/local/bin is included
in the PATH.

Change-Id: I605fbc4b131149bf5d1b6307b360fe365c680b1a
2022-04-07 13:31:50 +01:00
afariasa f4a703661e Add OpenStack two nodes nodeset for Centos 9
Change-Id: I01c8e5e0e88d0dcfe778f19548a2e268406ef6bf
2022-04-06 15:24:09 +00:00
Zuul aac6b6c791 Merge "Drop setup.py and setup.cfg" 2022-03-29 17:50:05 +00:00
Zuul 729b196445 Merge "Move openEuler job to experimental pipeline" 2022-03-29 14:03:58 +00:00
Ghanshyam Mann 45b029064f Move openEuler job to experimental pipeline
OpenEuler job fails 100% of the time. As discussed in QA meeting,
we agreed to move OpenEuler job to experimental pipeline.
- https://meetings.opendev.org/meetings/qa/2022/qa.2022-03-22-15.00.log.html#l-76

Once it is fixed, we can think of adding back to regular pipeline.

Change-Id: I831889a09fabe5bed5522d17e352ec8009eac321
2022-03-29 07:18:40 +00:00
Zuul 0ed70e3f76 Merge "Update DEVSTACK_SERIES to zed" 2022-03-28 13:02:03 +00:00
Dr. Jens Harbott 5c51a95d10 Drop setup.py and setup.cfg
devstack isn't a python project, these were introduced only for docs
building and made redundant with [0]. We can remove them now.

[0] Iedcc008b170821aa74acefc02ec6a243a0dc307c

Signed-off-by: Dr. Jens Harbott <harbott@osism.tech>
Change-Id: I90ca1c6918c016d10c579fbae49d13fff1ed59af
2022-03-28 14:00:54 +02:00
Zuul e79913c65f Merge "ignore failures to copy the devstack cache" 2022-03-27 09:57:23 +00:00
zhouyanbing 8dc342d400 remove unuseful local variable define
the local varibale: api_cell_conf in start_nova_rest function
is unuseful, so remove it now.

Change-Id: I0019ce807cf3905ee246b684fce2abcb46336306
2022-03-26 14:22:23 +08:00
Martin Kopec 189c7ff142 Update DEVSTACK_SERIES to zed
stable/yoga branch has been created now and
current master is for zed.

Change-Id: I8743a3440a0ce96acb24b34971548b43ae7c8d4c
2022-03-25 14:06:52 +01:00
Zuul 14779fc992 Merge "Clean usage of project_id in the Neutron's L3 service module" 2022-03-24 03:21:17 +00:00
Slawek Kaplonski cebd00aa04 Clean usage of project_id in the Neutron's L3 service module
After patch [1] project_id in that module is no longer needed as to make
it working with new secure RBAC policies we had to hardcode "demo"
project to be used always.
This is small follow-up patch with cleaning after [1].

[1] https://review.opendev.org/c/openstack/devstack/+/826851/

Change-Id: Iddf9692817c91807fc3269547910e4f83585f07f
2022-03-23 15:30:38 +01:00
Zuul a9d392cdbb Merge "Do not use hardcoded IPv4 localhost value" 2022-03-23 10:51:30 +00:00
Ghanshyam Mann 369042b74f Make centos-9-stream job voting
bug#1960346 is fixed by the below series
- https://review.opendev.org/q/(topic:bug/1960346+OR+topic:wait_until_sshable_pingable)+status:merged
and now centos-9-stream job is passing and made voting
on tempest gate.

This commit makes devstack centos9 steam platform job
as voting and add it gate pipeline too.

Change-Id: Ic35420c5d58926ae90a136045a1558112accc533
2022-03-22 10:59:07 -05:00
Zuul 194790df85 Merge "Clean up unified limits configuration for nova and glance" 2022-03-18 19:26:28 +00:00
Brian Haley 7943a92bdb Do not use hardcoded IPv4 localhost value
There are a couple of places that still use a hardcoded
127.0.0.1 value, even if devstack is run with
SERVICE_IP_VERSION=6 in local.conf. While things still
work, SERVICE_LOCAL_HOST should be used instead since
everything else could be using IPv6.

Change-Id: I2dd9247a4ac19f565d4d5ecb2e1490501fda8bca
2022-03-14 16:04:08 -04:00
Michael Johnson 35bc600da1 Fix tls-proxy on newer versions of openssl
Newer versions of openssl (CentOS9Stream for example) do not like using sha1.
Devstack will fail on these systems[1] with the following error:
801B93DCE77F0000:error:03000098:digital envelope routines:do_sigver_init:invalid digest:crypto/evp/m_sigver.c:333:
This patch updates the tls-proxy code in devstack to use sha256 instead of sha1 which allows devstack to complete when tls-proxy is enabled.

[1] https://zuul.opendev.org/t/openstack/build/1d90b22a39c74e24a8390861b3c5f957/log/job-output.txt#5535

Closes-Bug: #1962600

Change-Id: I71e1371affe32f070167037b0109a489d196bd31
2022-03-11 20:28:39 +00:00
Sean Mooney 13e8db5a6f ignore failures to copy the devstack cache
If the ci images do not have any cached data
we should ignore any error when trying to copying it.
This is requried when using unmodified cloud images.

Change-Id: Ia6e94fc01343d0c292b1477905f8a96a6b43bcf8
2022-03-09 20:17:31 +00:00
melanie witt 2c96180ac8 Clean up unified limits configuration for nova and glance
This is a followup for change Ifdef3510bc7da3098a71739814e35dbaf612ae34
which added configuration of unified limits for nova. This removes an
unnecessary wrapper unsetting of OS_ env variables, unnecessary quoting
on an iniset config value, and a hardcoding of user domain. The glance
code from which the nova code was originally copied is also cleaned up.

Change-Id: I4921af5cc0f624dd5aa848533f7049ee816be593
2022-03-03 23:56:48 +00:00
Zuul a435078fcb Merge "Configure nova unified limits quotas" 2022-03-03 19:12:13 +00:00
Zuul 9bf989eb1a Merge "Made LVM backing disk persistent" 2022-03-02 15:04:47 +00:00
OpenStack Proposal Bot a2ff754536 Updated from generate-devstack-plugins-list
Change-Id: Iff2bf021edee9be3bae21b67e66fe07c552f3a05
2022-03-02 02:13:44 +00:00
Zuul bbe302da85 Merge "Fix installation with OVN backend and compilation" 2022-02-28 10:47:14 +00:00
Zuul 2462893787 Merge "Default CIRROS_ARCH to host arch" 2022-02-22 16:45:51 +00:00
Zuul 8339df0399 Merge "Made Swift backing disk persistent" 2022-02-22 01:54:52 +00:00
Jakob Meng e30620e9a6 Made Swift backing disk persistent
Previously, Swift's backing disk were not be mounted after reboots,
causing swift-proxy-server service to fail with cryptic error
messages such as 'proxy-server: ERROR Insufficient Storage'. Now,
we use 	Dan Smith' create_disk function from functions to create
the backing disk for us and add it to /etc/fstab.

Change-Id: I9cbccc87bc94a55b58e9badf3fdb127d6f1cf599
2022-02-21 20:04:23 +01:00
Zuul d343a70003 Merge "Revert "Revert "Add enforce_scope setting support for keystone""" 2022-02-21 15:33:18 +00:00
Zuul 5e7dad1146 Merge "Use devstack-system-admin for keystone objects creation" 2022-02-21 15:22:08 +00:00
Victor Morales c0882aeaae Add rsync deb package for swift
The rsync debian package is required for swift service. This
requirement has been covered by rpms but not for deb packages.

Change-Id: Iefd1302be9c7fd80e037bbae3638602d6d823580
2022-02-16 18:15:12 -08:00
OpenStack Proposal Bot ef6fac7959 Updated from generate-devstack-plugins-list
Change-Id: If1b667cd4af88511cb1672645a980c9c4fc557ae
2022-02-16 02:16:15 +00:00
Sean Mooney 17b1999eab Default CIRROS_ARCH to host arch
This change use uname -m to get the portable host arch and uses that
as a new default. on x86_64 hosts this should result in no visable change
in behavior however on a non x86 host it will cause devstack to attempt
to download a cirros image that matches the host.

Change-Id: I6d1495a23400ef4cf496302028324fa5794dd45f
2022-02-09 22:14:24 +00:00
Rodolfo Alonso Hernandez 8c6710326e Fix installation with OVN backend and compilation
This patch fixes several issues related to the installation with
OVN backend with the OVS/OVN compilation enabled.

The OVS/OVN local directories prefix, when both services are compiled,
is now "/usr/local".

The "ovn_agent._run_process" function is calling "ovs-appctl" to
configure the logging settings of several services. Instead of
using the service name, the ctl socket file is used instead. That
is more robust and does not fail in systems with previous
installations.

Closes-Bug: #1960514

Change-Id: I69de5333393957593db6e05495f0c3c758efefdf
2022-02-09 21:22:46 +00:00
Zuul 62d6ffa6b3 Merge "Revert "Disable enforcing scopes in Neutron temporary"" 2022-02-08 22:41:18 +00:00
Zuul 1a8b8573ea Merge "Fix deployment of Neutron with enforced scopes" 2022-02-08 22:39:25 +00:00
Zuul 7799e74a05 Merge "Bump fedora-latest to F35" 2022-02-08 22:34:32 +00:00
Jakob Meng accd99e7cd Made LVM backing disk persistent
Previously, loop devices for LVM volume groups backing files were not
created after reboots, causing e.g. Cinder to fail with messages such
as

  ERROR cinder.service [-] Manager for service cinder-volume
  devstack@lvmdriver-1 is reporting problems, not sending
  heartbeat. Service will appear "down".

Now, we use systemd services to manage loop devices for backing files.

Change-Id: I27ec027834966e44aa9a99999358f5b4debc43e0
2022-02-08 11:05:14 +01:00
Zuul f9f6208960 Merge "Add openstack-two-node-centos-8-stream" 2022-02-07 22:42:44 +00:00
Ian Wienand 343e351627 Bump fedora-latest to F35
Generally this is straight forward, but Horizon has a dependency issue
with pyScss (described in [1]) so it is disabled, for now.

[1] https://bugs.launchpad.net/horizon/+bug/1960204

Co-Authored-By: Dr. Jens Harbott <harbott@osism.tech>
Depends-On: https://review.opendev.org/c/openstack/devstack/+/827578
Change-Id: I7c4bf0945f9ac5bd563fe0a698c09b8571c97c5e
2022-02-08 08:08:19 +11:00
Zuul c6ecac744f Merge "revert stackrc execute permissions" 2022-02-05 00:32:06 +00:00
Zuul 091e20b28a Merge "Adapt compute node local.conf to OVN" 2022-02-05 00:26:11 +00:00
Sean Mooney 85c7d8db4e revert stackrc execute permissions
This change reverts the execute permissions from
stackrc which is not meant to be run as a script but sourced
as part of stack.sh

Change-Id: I9a05051e5a297cfaf78d097fa5f90a7c5fd254a6
2022-02-04 12:59:56 +01:00
Rodolfo Alonso Hernandez a756f4b968 Add python3.6 pip support
Since pip v22, python3.6 is not supported (the minimum version is
python3.7). This patch adds the reference for the pip3.6 URL to be
used instead of the default one.

Closes-Bug: #1959600
Change-Id: Iab2c391d5388461fe9e9037cee81884ce8032e72
2022-02-01 11:27:05 +00:00
melanie witt 099a048fb9 Configure nova unified limits quotas
This enables the configuration of nova to use unified limits in
keystone and enforcement in oslo.limit.

Related to blueprint unified-limits-nova

Depends-On: https://review.opendev.org/c/openstack/nova/+/715271

Change-Id: Ifdef3510bc7da3098a71739814e35dbaf612ae34
2022-01-28 20:00:00 +00:00
Zuul 099411815b Merge "Use distro pip on Ubuntu" 2022-01-28 18:49:06 +00:00
Slawek Kaplonski 081c9b716f Revert "Disable enforcing scopes in Neutron temporary"
This reverts commit be7b5bf671.

As related bug is fixed, lets enabled scope enforcement in Neutron
again.

Related-bug: #1959196
Change-Id: I72db7ef533e78a10734d105e6a0debef288e41a1
2022-01-28 09:52:53 +01:00
Slawek Kaplonski 14a0c09001 Fix deployment of Neutron with enforced scopes
After patch [1] new RBAC policies changed in the way that SYSTEM_ADMIN
user isn't anymore allowed to e.g. create resources in behalf of some
projects. Now PROJECT_ADMIN needs to create such resources instead.
So this patch basically reverts most of the changes which were done
in [2] some time ago.
It also introduces new entry in the clouds.yaml file -
"devstack-admin-demo" which is "admin" user in the "demo" project as
it's needed to create some resouces in the demo project now.

Additionally, because of bug [3] this patch changes way how IPv6
external gateway IP is found using Neutron API. This change may be
reverted in the future when bug [3] will be fixed.

[1] https://review.opendev.org/c/openstack/neutron/+/821208
[2] https://review.opendev.org/c/openstack/devstack/+/797450
[3] https://bugs.launchpad.net/neutron/+bug/1959332

Depends-On: https://review.opendev.org/c/openstack/neutron/+/826828

Closes-Bug: #1959196
Change-Id: I32a6e8b9b59269a8699644b563657363425f7174
2022-01-28 09:52:20 +01:00
Ade Lee 1fd45940f3 Add openstack-two-node-centos-8-stream
This will allow multinode FIPS testing

Change-Id: I82b3b8fe56275aed72e13f6d1bd9170c50e5da0d
2022-01-27 15:57:13 +00:00
Slawek Kaplonski be7b5bf671 Disable enforcing scopes in Neutron temporary
After patch [1] was merged in Neutron, enforcing scopes there
is broken.
So lets disable it temporary to unblock Devstack's gate for now.

[1] https://review.opendev.org/c/openstack/neutron/+/821208

Related-Bug: #1959196
Change-Id: I24da6f3897a638749d16f738329a873a5f9a291d
2022-01-27 16:04:32 +01:00
Zuul 6bec828d8e Merge "Fix typo in multinode-lab document" 2022-01-27 08:34:35 +00:00
Grzegorz Grasza 5f5002a378 Revert "Revert "Add enforce_scope setting support for keystone""
This reverts commit 26bd94b45e.

Reason for revert: Devstack keystone creation/setup are moved to
scope tokens, so we can reintroduce the scope check enable.

Change-Id: I6e1c261196dbcaf632748fb6f04e0867648b76c7
2022-01-26 15:41:18 +01:00
Grzegorz Grasza ae40825df6 Use devstack-system-admin for keystone objects creation
This is needed so we can set keystone into enforcing secure RBAC.
This also adjusts lib/glance, which already partially used
devstack-system-admin.

Change-Id: I6df8ad23a3077a8420340167a748ae23ad094962
2022-01-26 15:40:42 +01:00
Dr. Jens Harbott d6909e41af Use distro pip on Ubuntu
Running get-pip.py fails on Ubuntu when running twice, e.g. after a
unstack/stack cycle. Just use distro pip instead.

Closes-Bug: #1957048
Signed-off-by: Dr. Jens Harbott <harbott@osism.tech>
Change-Id: I87a8d53ed8860dd017a6c826dee6b6f4baef3c96
2022-01-22 17:02:29 +01:00
Pierre Riteau 0a31630323 Adapt compute node local.conf to OVN
The default Neutron configuration is now using OVN, but the multinode
lab was using an incompatible configuration:

    The q-agt/neutron-agt service must be disabled with OVN.

Change-Id: I518a739a3daac941880463cde6b47951331d0911
2022-01-21 10:07:07 +01:00
yatinkarel d5d0bed479 Workaround CentOS 8-stream bug until fixed
Recent iputils release in CentOS 8-stream causing
ping failures with non root user. This needs a fix
in systemd package as mentioned in the Related Bugs,
until it's fixed and is in 8-stream mirrors let's
workaround it by setting net.ipv4.ping_group_range
setting manually.

Related-Bug: #1957941
Related-Bug: rhbz#2037807
Change-Id: I0d8dac910647968b625020c2a94e626ba5255058
2022-01-17 08:43:52 +00:00
Zuul b6656b7b38 Merge "Clean up compile_ovn function's parameters" 2022-01-13 17:43:52 +00:00
Zuul 6d55b2a439 Merge "Allow skip the database server installation" 2022-01-12 15:40:57 +00:00
Zuul df551da6f5 Merge "Fix cloning requirements when GIT_DEPTH is set" 2022-01-11 18:51:34 +00:00
Zuul 3a373536f1 Merge "Deprecate lib/neutron" 2022-01-11 17:29:14 +00:00
elajkat c994dc4de2 Deprecate lib/neutron
lib/neutron-legacy was recently undeprecated (see [0]), Openstack CI
uses neutron-legacy and latest work was done in it also.
To avoid double maintenance lib/neutron can be deprecated.

For latest discussion see [1] and [2].

[0]: https://review.opendev.org/c/openstack/devstack/+/704829
[1]: https://meetings.opendev.org/meetings/networking/2022/networking.2022-01-04-14.04.log.html#l-52
[2]: https://meetings.opendev.org/irclogs/%23openstack-qa/%23openstack-qa.2022-01-05.log.html#t2022-01-05T15:57:37

Related-Bug: #1955765
Change-Id: I3fc328b7f47ccd7c1a97cceeea98fb2fbd609017
2022-01-11 14:14:20 +01:00
Zuul 35aa64e5f7 Merge "Added AlmaLinux to CentOS 8 family" 2022-01-11 01:53:55 +00:00
Carlos Camacho cc6e20b24d Allow skip the database server installation
This patch allows to skip the installation
of the database backend packages (MySQL or Postgres)
with the introduction of the INSTALL_DATABASE_SERVER_PACKAGES
variable (defaulted to True).
This is useful in such environments that do not require
to install the MySQL/Postgres server packages directly but using
a container serving that purpose, for those cases all the
remaining steps should be executed just skipping the
packages install.

Change-Id: I26628a31fdda3ce95ed04a2b7ae7b132c288581f
2022-01-10 09:26:56 +01:00
Zuul 6133c1c959 Merge "Only set chap algorithms if not openeuler" 2022-01-07 19:21:40 +00:00
Dr. Jens Harbott 807330ac37 Fix cloning requirements when GIT_DEPTH is set
We always need the master branch of requirements in order to be able to
install tempest with it, so override GIT_DEPTH when cloning that repo.

Closes-Bug: 1956616
Change-Id: Id0b409bfadd73f2c30314724178d6e199121050b
Signed-off-by: Dr. Jens Harbott <harbott@osism.tech>
2022-01-07 11:42:26 +01:00
Ade Lee ac958698d0 Only set chap algorithms if not openeuler
For some reason, setting the CHAPAlgorithms as in c3b705138
breaks OpenEuler.  Making this conditional so that tests continue
to pass.

Change-Id: Iaa740ecfbb9173dd97e90485bad88225caedb523
2022-01-06 15:20:07 -05:00
Eduardo Santos 4448f243f3 Fix public subnet creation command
There was no space after the --project option in the command that
creates the public subnet, thus if any option follows, the option itself
will be parsed as part of the value passed to the --project option. This
change just adds the missing space.

Change-Id: I1e7375578342a82717222e902fcd65a4a62e33a7
2022-01-06 14:03:16 -03:00
Zuul 9154bf543d Merge "Install OVS from source when it was configured like that" 2022-01-06 00:39:16 +00:00
Zuul e091481341 Merge "Fix tempest upper-constraints" 2022-01-05 10:57:21 +00:00
Zuul 3c98c21fec Merge "Fix mysqladmin failure for Fedora 34 and mariadb" 2022-01-04 19:23:59 +00:00
Zuul 0486d4ccf3 Merge "init_cinder() shouldn't always create DEFAULT_VOLUME_GROUP_NAME" 2022-01-04 18:50:10 +00:00
Zuul 7b0251cf37 Merge "Fix stacking without preconfigured DATABASE_PASSWORD" 2022-01-04 18:33:26 +00:00
Dr. Jens Harbott 2ef4a4c851 Fix tempest upper-constraints
When deploying devstack in a stable branch, the master branch is
available locally only in a CI environment where Zuul prepares all
available branches. For a non-CI deployment we need to stick to using
the remote branch as was the case before [0].

While the situation on the master branch isn't really broken, we apply
the fix here anyway so that future stable branches are created in a
working state.

[0] I5d42ac6b54bf20804d7e5faa39d1289102318b64

Closes-Bug: #1956219
Signed-off-by: Dr. Jens Harbott <harbott@osism.tech>
Change-Id: Ib7719cb2d48b34db70f885e0afe77d904abba3b5
2022-01-03 19:27:22 +01:00
Zuul 858aca019c Merge "Don't enable the dstat service in CI jobs" 2022-01-03 18:00:28 +00:00
Miguel Lavalle c1a75c6a50 Fix mysqladmin failure for Fedora 34 and mariadb
mysqladmin is incorrectly installed in Fedora 34 with mariadb. This
causes the failure of Zuul Fedora based jobs. The issue is a conflict
between mariadb and community mysql that is described in [1] and [2].

The workaround is to explicitly install package "mariadb"

Also configure an increased swap size like for the other platform jobs
in order to avoid OOM issues.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=2026933
[2] https://lists.launchpad.net/maria-discuss/msg06179.html

Closes-Bug: #1956116
Change-Id: Icf6d7e1af5130689ea10b29d37cc9b188b2c9754
2022-01-03 15:33:35 +01:00
Zuul 3155217fb6 Merge "openEuler 20.03 LTS SP2 support" 2021-12-30 12:04:44 +00:00
Zuul 1d7d8e6a17 Merge "Enable oslo.limit to be installed from git repo" 2021-12-30 10:54:09 +00:00
Zuul 71c215ac29 Merge "Revert "Generate deprecation warning for postgresql"" 2021-12-30 10:29:00 +00:00
Zuul 98df253eae Merge "Add option to set chap algorithms for iscsid for FIPS" 2021-12-30 10:28:57 +00:00
Zuul 559f8cc150 Merge "Use MDB backend in Ubuntu" 2021-12-30 10:28:54 +00:00
Zuul 13526abe84 Merge "cinder-backup: Ensure ca cert is defined when tls-proxy is enabled" 2021-12-30 09:32:21 +00:00
yatinkarel 05e622ead2 Use upper-constraints from in review changes
Currently upper-constraints.txt is not getting used
from in-review changes of requirements project and
leading to merge of broken requirements[1].

Use master branch to fetch constraints instead of
the remote branch.

[1] https://review.opendev.org/c/openstack/requirements/+/822575

Depends-On: https://review.opendev.org/c/openstack/requirements/+/823128
Change-Id: I5d42ac6b54bf20804d7e5faa39d1289102318b64
2021-12-29 09:48:39 +00:00
Dr. Jens Harbott 134205c138 Don't enable the dstat service in CI jobs
We still are seeing regular job failures because the pcp package fails
to install. Assume that we can still enable it on demand when someone
needs to debug specific job issues, let us just disable it by default.

Related-Bug: 1943184
Signed-off-by: Dr. Jens Harbott <harbott@osism.tech>
Change-Id: I32ef8038e21c818623db9389588b3c6d3f98dcad
2021-12-23 12:29:14 +01:00
Dr. Jens Harbott 353c3f9cb1 Fix stacking without preconfigured DATABASE_PASSWORD
When we need to read a DATABASE_PASSWORD from the user, make sure we
actually use it in our database URLs.

Signed-off-by: Dr. Jens Harbott <harbott@osism.tech>
Change-Id: I5ebf6b0280e82f2c87a63cbee7a9957c6bd26898
2021-12-23 12:07:29 +01:00
Slawek Kaplonski 5888947539 Clean up compile_ovn function's parameters
That function was accepting 3 positional arguments and first
of them was boolean value "build_modules" which isn't used anywhere in
that function.
So this patch cleans it a bit by removing that not used parameter.

Change-Id: I5c57b9116338a63b7bfb170c02e33bb4eae725da
2021-12-22 16:00:29 +01:00
Kevin Zhao 7880ba665e openEuler 20.03 LTS SP2 support
openEuler is an open-source Linux based operating system. The current
openEuler kernel is based on Linux and supports multi arch, such as X86_64
and aarch64. It fully unleashes the potential of computing chips. As an
efficient, stable, and secure open-source OS built by global open-source
contributors, openEuler applies to database, big data, cloud computing,
and AI scenarios. openEuler is using RPM for package management.

Note:
Currently there is no available package for uwsgi-plugin-python3 and ovn, so that
openEuler needs manually install them from source.

Website: https://www.openeuler.org/en/

Change-Id: I169a0017998054604a63ac6c177d0f43f8a32ba6
Co-Authored-By: wangxiyuan <wangxiyuan1007@gmail.com>
Signed-off-by: Kevin Zhao <kevin.zhao@linaro.org>
2021-12-22 14:47:27 +08:00
Slawek Kaplonski 24b65adc9c Deploy Neutron with enforced new RBAC rules
This patch adds new config option NEUTRON_ENFORCE_NEW_DEFAULTS which
if set to True will deploy Neutron with enforce new rbac defaults and
scopes.
It will also use SYSTEM_ADMIN user to interact with Neutron where it is
needed.

Depends-On: https://review.opendev.org/c/openstack/neutron/+/798821

Change-Id: I14d934f0deced34d74003b92824cad3c44ec4f5e
2021-12-20 14:42:35 +01:00
Ade Lee c3b7051387 Add option to set chap algorithms for iscsid for FIPS
The default CHAP algorithm for iscsid is md5, which is disallowed
under fips.  We will set the chap algorithm to "SHA3-256,SHA256",
which should work under all configurations.

Change-Id: Ide186fb53b3f9826ff602cb7fb797f245a15033a
2021-12-08 19:20:40 -05:00
Slawek Kaplonski 4185358837 Install OVS from source when it was configured like that
Function _neutron_ovs_base_install_agent_packages always tried to
install openvswitch from packages and start it using systemd units.
That was failing when ovs was expected to be installed from source.
This patch fixes that.

Change-Id: Iae8625dd800d30061ea3dbed9eb0dfbe16f21572
2021-12-08 14:09:49 +00:00
Zuul 6c849e3713 Merge "Support CentOS Stream 9" 2021-12-04 18:18:06 +00:00
Zuul a77943f8aa Merge "Remove unnecessary member role assignments from alt_demo" 2021-12-04 18:18:03 +00:00
Zuul 39acde91f9 Merge "Only write out uwsgi configs when deploying API services" 2021-12-04 17:33:24 +00:00
Lee Yarwood fc8ef86fbe Only write out uwsgi configs when deploying API services
Previously this would always happen for Nova and Cinder even if n-api
and c-api were not enabled on the host respectively.

This change stops this by placing both calls write_uwsgi_config behind
is_service_enabled checks.

Change-Id: I997685da771736dbad79bcfe4b00dbc63bd6d6b6
2021-12-03 12:09:08 +00:00
Lee Yarwood 31334f9a9b nova: Use noVNC 1.3.0 when installing from source
Additionally make the repo name lowercase to match the project name in
our zuul config so that jobs can check the repo out.

Change-Id: Ic2d9c4fa837461bbc29e067a81912b5f72efd3ca
2021-12-03 12:09:01 +00:00
Alfredo Moralejo 5ea4c3c18c Support CentOS Stream 9
This patch includes changes required to run devstack on CentOS Stream 9
which has been already published in official repos by CentOS team [1]:

- Add RDO deps repository for CS9.
- remove xinetd package from installation for swift. Note that
  rsync-daemon is installed which should work fine.
- Replace genisoimage by xorriso in CS9.
- Use /etc/os-release to identify the distro in CS9 as it doesn't
  provide lsb_release command.
- Use pip from rpm package instead of from get-pip.py as done in Fedora.
- Add non-voting job devstack-platform-centos-9-stream to the check
  pipeline.

Change-Id: Ic67cddabd5069211dc0611994b8b8360bcd61bef
2021-12-02 09:10:48 +01:00
Zuul 1414bcfa22 Merge "Remove unnecessary unset for project-scoped token in glance" 2021-12-01 11:27:33 +00:00
Zuul 7020daf7fc Merge "Cleanup keystone library" 2021-11-30 17:59:03 +00:00
Roman Dobosz bd68251463 Change a way for creating data dir in case of OVN.
Calculate the sudo usage with local variable.

Change-Id: I39dff770ff296dc06395acdb430a9cfe1722a30f
2021-11-27 08:12:04 +01:00
yatinkarel b575af0cfe Do not use sudo with OVN_DATADIR when building from source
Jobs with OVN_BUILD_FROMS_SOURCE=True are broken
since [1] as ovn nortd not starting due to permission
issues. Fix it by not using sudo for creating OVN_DATADIR
when building from source.

[1] https://review.opendev.org/c/openstack/devstack/+/806858

Closes-Bug: #1952393
Change-Id: I00f0c8c8173b4d8270fbb3e6079d0d8b332e9de5
2021-11-26 13:44:10 +05:30
Lance Bragstad afd0f84eae Remove unnecessary unset for project-scoped token in glance
Before, we needed to unset a couple of parameters that would make the
client return a project-scoped token instead of a system-scoped token,
which we need when interacting with registered limits in keystone.

This commit removes those unsets since we no longer source those
variables by default. This commit also cleans up some of the redundant
parameters in the registered limit calls, like region.

Change-Id: I1af8a168a29e895d57504d41e30efea271ea232d
2021-11-26 07:26:56 +00:00
Zuul acc9bd6ab9 Merge "Fix OVN DBs cleanup on startup" 2021-11-25 10:38:27 +00:00
Takashi Kajinami c20cd8ed9d cinder-backup: Ensure ca cert is defined when tls-proxy is enabled
Change-Id: Id679eb7061d8e609ce76fbb5b720a041990e8e86
2021-11-24 01:35:46 +09:00
Gregory Thiemonge 6822ff3944 Fix OVN DBs cleanup on startup
When initializing OVN, clean up the correct database directory when
using OVN from packages (/var/lib/ovn/ instead of /opt/stack/data/ovn/).
The /opt/stack/data/ovn location is used only when building OVN from
sources, so a fresh devstack deployment with OVN packages may already
have hundreds of existing routers and ports, creating ARP collisions.

Closes-Bug: #1942201
Change-Id: Ic90d4f2f9d8aaef825ea3325c0ad8fef2a1c5e39
2021-11-23 16:17:24 +01:00
Takashi Kajinami 65a5db8e33 keystone: Dot not set the removed admin_endpoint parameter
The admin_endpoint parameter has been removed from keystone[1], and
setting the parameter is no longer effective.

[1] 192cde56e57a06750641b319da8a72cdcaa554d0

Change-Id: I6ae6a3122668551acc018972624e914fcbb79a22
2021-11-23 12:03:20 +01:00
Lance Bragstad 1d8888dc24 Remove unnecessary member role assignments from alt_demo
This user already has the admin role assignment on a project, which
implies the member role, making explicit calls to add the member role
redundant.

Change-Id: I398c5e2f098aeeb896de83872085cbce529a778a
2021-11-22 21:28:20 +00:00
Zuul 94facb0759 Merge "Add missing ml2, L2 and L3 agent functions to devstack" 2021-11-19 01:10:09 +00:00
Julia Kreger c96993d138 Make OS_CLOUD be able to be configured
OS_CLOUD is used to communiate to CLI tools what cloud
credentials to utilize.
The change I86ffa9cd52454f1c1c72d29b3a0e0caa3e44b829
unfortunately set an explicit OS_CLOUD account which breaks
any jobs which are expecting a previosuly set OS_CLOUD which
may be different to work. For example, OS_CLOUD being set
as devstack-system-admin to facilitate Secure RBAC testing.

Change-Id: Iee900e552584dda622f57eea3508df48dff2e071
2021-11-18 10:39:36 -08:00
Slawek Kaplonski faed11d2a1 Add missing ml2, L2 and L3 agent functions to devstack
Previously those functions were defined in the neutron's devstack plugin
but with [1] we moved qos related code into devstack and we missed about
moving them too.
This is follow up patch to fix that issue.

[1] https://review.opendev.org/c/openstack/devstack/+/815686

Change-Id: Icf459a2f8c6ae3c3cb29b16ba0b92766af41af30
2021-11-18 16:42:40 +01:00
Zuul 487057de80 Merge "Add additional project personas for secure RBAC" 2021-11-18 00:22:24 +00:00
Zuul 8d7ac90f00 Merge "Stop creating userrc_early" 2021-11-17 19:49:59 +00:00
Dr. Jens Harbott f56f7a557a Stop creating userrc_early
We can use the devstack-admin cloud configuration everywhere now
and don't need to set environment variables with cloud credentials
any longer.

Fix the swift setup, where some more options need to be explicitly
specified now and the default OS_CLOUD setting overridden.

Signed-off-by: Dr. Jens Harbott <harbott@osism.tech>
Change-Id: I86ffa9cd52454f1c1c72d29b3a0e0caa3e44b829
2021-11-16 19:35:32 +01:00
Slawek Kaplonski f9a896c6e6 Rehome functions to enable Neutron's QoS service
Those functions were part of the neutron devstack plugin but we
discussed it during last PTG [1] and decided to move to the Devstack
repo plugins which are used by e.g. CI jobs which are defined outside
of the neutron repository.
QoS service is used e.g. in the tempest-slow job which is
defined in tempest and used by many different OpenStack projects.

[1] https://etherpad.opendev.org/p/neutron-yoga-ptg#L142

Change-Id: I48f65d530db53fe2c94cad57a8072e1158d738b0
2021-11-13 19:52:06 +00:00
Lance Bragstad 9c81321bfc Add additional project personas for secure RBAC
This commit formalizes some additional users to act as different project
users and updates clouds.yaml file so they're easy to use.

It creates:

  - a reader on the demo project
  - a reader on the alt_demo project
  - a member on the alt_demo project

With the adoption of secure RBAC personas, these are useful for using
OpenStack APIs as that work continues.

Change-Id: I3237a771275311377313b7d7d80ac059ac69d031
2021-11-13 20:41:43 +01:00
Zuul 483e7e243a Merge "Rehome functions to enable Neutron's placement integration" 2021-11-13 19:02:48 +00:00
Zuul 05e9cb1e19 Merge "Clarify error message for ERROR_ON_CLONE=True" 2021-11-12 22:18:44 +00:00
Dr. Jens Harbott 95555ba398 Cleanup keystone library
IDENTITY_API_VERSION is hardcoded to 3 in most locations already, drop
the remaining occurrences, but keep the variable definition since some
plugins still depend on it. Drop ENABLE_IDENTITY_V2 which no longer
has any effect.

Amend variable list for bootstrap_keystone().

Signed-off-by: Dr. Jens Harbott <harbott@osism.tech>
Change-Id: I06f476d2105bc6ec2b511fc5effcfcc3973eaf97
2021-11-10 06:24:15 +01:00
Zuul 55c7830b4b Merge "Update lib/keystone to add more system users" 2021-11-09 16:11:47 +00:00
Zuul 2000d0ccf3 Merge "neutron-legacy: Remove no longer necessary vpnaas conditional" 2021-11-09 13:59:10 +00:00
Lance Bragstad 021ae0bcc8 Update lib/keystone to add more system users
Keystone has supported system-scope since Queens and we already make
sure we create a cloud profile for system-admin in
/etc/openstack/clouds.yaml.

This commit ensures keystone creates a couple of new users to model
system-member and system-reader personas. Doing this by default in
devstack makes it easier for people to use.

We've already taken a similar approach in tempest by setting up the
various system personas for tempest clients to use.

Change-Id: Iceb7c5f517db20072e121dc7538abaa888423c67
2021-11-05 10:44:58 +01:00
Zuul d28865ba3d Merge "Run Bullseye with more swap" 2021-11-04 23:55:11 +00:00
Zuul a2d4d08b00 Merge "Allow cinder default quotas configuration" 2021-11-04 22:08:00 +00:00
Dr. Jens Harbott f8e00b86ae Run Bullseye with more swap
Since Bullseye like Centos 8 Stream needs more memory due to changed
default settings in newer qemu versions, set the swap size to 4G, which
is the same setting already being used for the CS8 jobs successfully.

Change-Id: I83ea34d6aa647d2ab9d4d78ed354904fce836e68
Signed-off-by: Dr. Jens Harbott <harbott@osism.tech>
2021-11-04 15:28:50 +01:00
Zuul 9101fbf5c4 Merge "Switch off creating a keystone admin endpoint by default" 2021-11-04 14:20:50 +00:00
Ghanshyam Mann 325792d9b9 Clarify error message for ERROR_ON_CLONE=True
If ERROR_ON_CLONE is set to True which is case for
all the devstack based job, devstack does not clone the
repo instead raise error. From current error message, it
is difficult to know that ERROR_ON_CLONE is True until we
traceback the code or check devstack-base job set ERROR_ON_CLONE
to True.

Current error message is like:
-------
+ functions-common:git_clone:560           :   echo
'The /opt/stack/oslo.limit project was not found; if this is a gate job, add'
  The /opt/stack/oslo.limit project was not found; if this is a gate job, add
+ functions-common:git_clone:561           :   echo 'the project to the
 $PROJECTS variable in the job definition.'
the project to the $PROJECTS variable in the job definition.
+ functions-common:git_clone:562           :   die 562 'Cloning not
  allowed in this configuration'
--------

Adding ERROR_ON_CLONE info in error message will help to
know the reason of devstack not cloning the repo.

Change-Id: I9e9852f046fefb299b4ef4446323e9c86437212f
2021-11-03 19:34:19 +00:00
Zuul c053269fc3 Merge "Make creation of keystone admin endpoint optional" 2021-11-03 12:30:10 +00:00
Zuul fb2e741008 Merge "Stop creating a keystone admin site" 2021-11-03 12:30:07 +00:00
Zuul bca0448438 Merge "Create clouds.yaml early enough" 2021-11-02 17:54:37 +00:00
Slawek Kaplonski 7f6d9283b8 Rehome functions to enable Neutron's placement integration
Those functions were part of the neutron devstack plugin but we
discussed it during last PTG [1] and decided to move to the Devstack
repo as plugins which are used by e.g. CI jobs which are defined outside
of the neutron repository.
Placement integration is used e.g. in the tempest-slow job which is
defined in tempest and used by many different OpenStack projects.

[1] https://etherpad.opendev.org/p/neutron-yoga-ptg#L142

Change-Id: Ib86071881f16de1b69c0f9b1b19b6df8b7e66a07
2021-10-27 16:40:30 +02:00
Zuul c8134987c9 Merge "Use Nehalem CPU model by default" 2021-10-22 13:27:53 +00:00
Zuul af23507c34 Merge "Fix use of yaml.load()" 2021-10-22 12:00:35 +00:00
Clark Boylan e06d954229 Use Nehalem CPU model by default
CentOS/RHEL 9 are being compiled for the x86_64-v2 architecture which is
newer than the qemu default of qemu64. This means that for devstack to
boot these instances we need a newer CPU model. Nehalem is apparently
the oldest model that works for x86_64-v2 and is expected to work on
Intel and AMD cpus with kvm or qemu. Switch devstack to this model by
default.

Note that we cannot use host-passthrough or host-model because we want
to support live migration between devstack deployed nova-compute
instances and even within the CI instances that we get the host CPUs can
differ.

Also, we should run this change against as many clouds as possible to
ensure that the newer model works across all of our clouds. There is
some fear that the virtual CPUs presented to us in some clouds may not
be able to run these newer CPU models.

Change-Id: Ibd6e11b59f3c8655bc60ace7383a08458b2177f2
2021-10-21 08:15:12 -07:00
Zuul 6923f7b5e6 Merge "Enable running on Debian Bullseye" 2021-10-20 14:56:29 +00:00
Tristan Cacqueray 4aa27976eb [ci] Remove the implied-branches pragma
This change enables using devstack job with custom branche names.

Change-Id: I95c368f05042a6f8f208988af9a6d89a522a5526
2021-10-19 21:48:17 +00:00
Jens Harbott b538b3267c Switch off creating a keystone admin endpoint by default
With the depending patch, the endpoint will still be created for
heat tests, so we can turn it off for everyone else.

Depends-On: https://review.opendev.org/c/openstack/openstacksdk/+/777343
Change-Id: I0dc7d6cedd07e942b9f23b26a785b386aff41fbc
2021-10-17 17:44:13 +00:00
Jens Harbott eb37657d8e Make creation of keystone admin endpoint optional
The keystone admin endpoint technically isn't different any longer from
the other keystone endpoints in v3 of the API. However, some
applications like heat are still relying on it to exist.

So we make the creation of the admin endpoint during bootstrap optional
here, with the intention to change the default to False once all jobs
that still need this are modified to explicitly require it.

Change-Id: I7ab12141c558186e397c174c248a613d1810011b
2021-10-17 19:36:46 +02:00
Zuul 79356c41cd Merge "Don't fail if there is no nf_conntrack_proto_gre module available" 2021-10-17 16:33:33 +00:00
Jens Harbott c2491bac9d Stop creating a keystone admin site
Keystone no longer has any special functionality hidden behind the admin
site. KEYSTONE_AUTH_URI which used to point to the admin site has long
ago been changed to be a copy of KEYSTONE_SERVICE_URI, which points to
the public site.

Drop all KEYSTONE_AUTH_* variables except KEYSTONE_AUTH_URI which may
still be in use in some plugins.

This also allows to finally drop the fixup_keystone() function.

Change-Id: I549f3cadc27d137e014241cdd47e90267859c848
2021-10-17 17:11:03 +02:00
Jens Harbott ee1c614eda Fix use of yaml.load()
The use of this function has been deprecated for a long time[0]. With
PyYAML==6.0 the call is now failing, so replace it with the safe
version.

[0] https://msg.pyyaml.org/load

Signed-off-by: Jens Harbott <frickler@offenerstapel.de>
Change-Id: I7a170262b50a5c80a516095b872d52e1bea5479d
2021-10-16 17:33:12 +02:00
OpenStack Proposal Bot c027ddd3f8 Updated from generate-devstack-plugins-list
Change-Id: I1abc356970a7f2427bc9683a7e64e54ab52a7651
2021-10-16 06:26:49 +00:00
Dr. Jens Harbott 84901f563e Create clouds.yaml early enough
When using glance limits, the create_glance_accounts call needs access
to the devstack-system-admin cloud definition, so we need to create
the clouds.yaml file before that step.

Change-Id: Ie6d807c46b88b16b316aa166870a6a13f2bb346d
Signed-off-by: Dr. Jens Harbott <harbott@osism.tech>
2021-10-15 15:07:15 +02:00
Slawek Kaplonski b4e683e6b9 Don't fail if there is no nf_conntrack_proto_gre module available
It may be that it is already compiled in the kernel so there is no
need to load kernel module in such case.

Change-Id: Ie1d32e3fd529e13958857cb3ced6710eebde1e4d
2021-10-14 13:50:30 +02:00
Zuul 82facd6edf Merge "Fix updating setuptools in Centos" 2021-10-12 20:43:00 +00:00
Zuul 10d20b14e7 Merge "Further fixup for Ubuntu cloud images" 2021-10-11 09:26:28 +00:00
Zuul d603c2a459 Merge "Remove cinder from service names" 2021-10-11 08:27:27 +00:00
Zuul 23cbf138b4 Merge "tools: Fix use of continue" 2021-10-11 08:10:36 +00:00
Zuul e2e88dc19a Merge "Fix displaying usage for make_cert.sh" 2021-10-11 00:53:22 +00:00
Zuul 2e336ee79f Merge "Rehome functions to enable Neutron's Trunk service plugin" 2021-10-11 00:51:51 +00:00
Dr. Jens Harbott 61a37bff9a Further fixup for Ubuntu cloud images
The official Ubuntu cloud images have some further python pkgs
preinstalled that conflict with our requirements. Allow to
overwrite them.

Signed-off-by: Dr. Jens Harbott <harbott@osism.tech>
Closes-Bug: 1871485
Change-Id: I793c250cae5e7b9bc835b7016d790d1f9ae8a7f3
2021-10-08 11:04:03 +02:00
Slawek Kaplonski f758b60a4b Rehome functions to enable Neutron's Trunk service plugin
Those functions were part of the neutron devstack plugin but we
discussed on the neutron team meeting [1] to move it to the Devstack
repo as it's mature enough now.

[1] https://meetings.opendev.org/meetings/networking/2021/networking.2021-10-05-14.00.log.html#l-156

Change-Id: I35446adad1d8a7fed142d834de20c48b611015a5
2021-10-06 12:04:26 +02:00
Michal Berger bfc79dc98b tools: Fix use of continue
continue is not used in a proper context here (outside of loop). Use
null cmd instead to simply fall through the pip installation.

Signed-off-by: Michal Berger <michallinuxstuff@gmail.com>
Change-Id: Iaea2e5c0177b475edf19d08d71933a74debbb5d9
2021-10-05 15:44:45 +02:00
Lee Yarwood 714826d1a2 nova: Ensure each compute uses a unique iSCSI initiator
The current initiator name embedded in our CI images is not unique at
present and can often cause failures during live migrations with
attached volumes. This change ensures the name is unique by running
iscsi-iname again and overwriting the existing name.

We could potentially do this during the image build process itself but
given that devstack systems are not supposed to be multi-purpose this
should be safe to do during the devstack run.

Closes-Bug: #1945983
Change-Id: I9ed26a17858df96c04be9ae52bf2e33e023869a5
2021-10-05 11:36:24 +01:00
Jens Harbott 959a7c262a Enable running on Debian Bullseye
Some adaption in database handling is all that is missing. Also add a
platform job that tests this.

Co-Authored-By: Radosław Piliszek <radoslaw.piliszek@gmail.com>
Change-Id: I6dd3e48444dd415d84df5e7f5c74540847cdd6db
2021-10-04 17:27:33 +02:00
melanie witt c7791301be Enable oslo.limit to be installed from git repo
oslo.limit isn't currently in the list of libraries that can be
installed from a git repo via LIBS_FROM_GIT.

This adds oslo.limit to enable integrated testing against unmerged
oslo.limit changes.

Change-Id: I26cc567fdf4c84014040ae586bbb029b8de7a236
2021-10-01 17:30:52 +00:00
Lee Yarwood 982b03c605 zuul: Remove dedicated devstack-async job
I83d56c9363d481bb6d5921f5e1f9b024f136044b switched the default of
DEVSTACK_PARALLEL over to True so this dedicated job is no longer
required as *all* jobs should now be using it.

Change-Id: I0f475ab177c2cd49eeb6be861cdd11581e8e0b97
2021-09-30 13:08:35 +01:00
Jens Harbott 56e75e4aef Fix uwsgi config for trailing slashes
The apache mod_proxy documentation[0] says that trailing slashes need to
match for the ProxyPass statement. Since adding a slash to the redirected
url would break things that need to access endpoints like /identity
without anything added, we need to drop the trailing slash for the
target URL. See [1] for the discussion of the CVE fix that changed the
previous behavior.

[0] https://httpd.apache.org/docs/trunk/mod/mod_proxy.html#proxypass
[1] https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1945274

Depends-On: https://review.opendev.org/c/openstack/devstack/+/811389
Change-Id: Ia6b1a41957833fba87a2e6f048d2483267632385
2021-09-28 20:05:08 +02:00
Rajat Dhasmana 65b46a503a Remove cinder from service names
In devstack job, cinder is not a valid service name and logs error
in gate[1] so remove it.

2021-09-28 05:44:47.791807 | controller | + functions-common:service_check:1603      :   for service in ${ENABLED_SERVICES//,/ }
2021-09-28 05:44:47.795506 | controller | + functions-common:service_check:1605      :   sudo systemctl is-enabled devstack@cinder.service
2021-09-28 05:44:47.809647 | controller | Failed to get unit file state for devstack@cinder.service: No such file or directory

[1] https://e978bdcfc0235dcd9417-6560bc3b6382c1d289b358872777ca09.ssl.cf1.rackcdn.com/801989/7/check/tempest-integrated-storage/779d1e7/job-output.txt

Change-Id: I7ca105201d82b72c7e56778425d3bce7c76047db
2021-09-28 03:13:28 -04:00
Ghanshyam Mann 8d1bfcacf8 Update DEVSTACK_SERIES to yoga
stable/xena branch has been created now and
current master is for yoga.

Change-Id: I0c7809bdac6482bb947f394b0c2535fabb4cf067
2021-09-24 18:01:09 -05:00
Grzegorz Grasza 26f8149218 Use MDB backend in Ubuntu
The MDB backend is the default in Ubuntu and specifying
HDB in debconf doesn't change it to HDB.

Closes-Bug: #1939700
Change-Id: If98f7fc8395678365fb73f0c5cd926cef083e470
2021-08-17 09:41:33 +02:00
Roman Dobosz ac1b723c20 Fix displaying usage for make_cert.sh
Now, if no arguments are passed to make_cert.sh script, it will fail on:

  tools/make_cert.sh: line 30: [: missing `]'

and might go on with generating certs depending on the bash settings.
It is fixed within this patch.

Change-Id: I62bf9c972ebd1644da622439e05114f245f20809
2021-08-06 12:55:39 +02:00
Brian Rosmaita f44aa0c55a Allow cinder default quotas configuration
The default cinder quotas for volumes, backups, or snapshots may
be too low for highly concurrent testing, so make these configurable
in devstack.

Change-Id: Ie3cf3239b48f9905f5760ad0166eea954ecf5eed
2021-08-04 18:27:48 -04:00
zenkuro 6f4eafb823 Added AlmaLinux to CentOS 8 family
Change-Id: I9fb6f010842a495c838d468b47dc5081596f41a2
2021-07-15 21:47:23 +03:00
Gregory Thiemonge a5d52831dc Fix updating setuptools in Centos
In RHEL-based distributions, updating setuptools using pip removes the
files from the python3-setuptools RPM. It breaks some tools such as
semanage (which is used by diskimage-builder) that use the -s flag of
the python interpreter (don't import modules from /usr/local).
This commit reinstalls python3-setuptools to fix those applications.

Change-Id: Ib44857e83f75acf37823fae912960a801c83cf7f
2021-06-21 09:58:47 +02:00
Nobuhiro MIKI 110b9a9b1b Fix typo in multinode-lab document
Signed-off-by: Nobuhiro MIKI <nmiki@yahoo-corp.jp>
Change-Id: I1b6100d6b8231f1f96a7768e26ab83f010f1e4dc
2021-04-01 11:14:27 +09:00
Armando Migliaccio a676c4029e Revert "Generate deprecation warning for postgresql"
Based on resolution [1], there's no clear indication that next
steps involve the removal of the DB from Devstack or from the gate.

[1] I332cef8ec4539520adcf37c6d2ea11488289fcfd

This reverts commit d9aaae95f2.

Change-Id: I8410d65c0e0b24035aa035fac7560a686d53ec50
2019-10-17 15:58:34 -04:00
Huan Xiong 63beab5243 init_cinder() shouldn't always create DEFAULT_VOLUME_GROUP_NAME
DEFAULT_VOLUME_GROUP_NAME volume group is LVM ephemeral storage used by
Nova. It is created by init_nova() if user sets NOVA_BACKEND to "LVM".
However, init_cinder() is also hardcoded to create it, based on the
asumption that CINDER_ENABLED_BACKENDS includes it. That assumption
doesn't hold for the current code. What's more important, even if user
wants to use DEFAULT_VOLUME_GROUP_NAME as one of cinder backends and
adds it to CINDER_ENABLED_BACKENDS, the current code in init_cinder()
are general enough and should work fine. This change removes relevant
code in init_cinder(). It also moves DEFAULT_VOLUME_GROUP_NAME clean-up
code from unstack.sh to cleanup_nova().

Change-Id: I53762f8eda6256f962cc4e1f1098406879bbcf5c
2018-03-23 14:42:37 +00:00
YAMAMOTO Takashi 6839d42819 neutron-legacy: Remove no longer necessary vpnaas conditional
VPNaaS agent is going to be an L3 agent extention.

Related-Bug: #1692128
Depends-On: I0b86c432e4b2210e5f2a73a7e3ba16d10467f0f2
Change-Id: Id827274b7c74cdf71db6d1f2ab3eadb5fef099f5
2017-10-17 12:59:27 +09:00
81 changed files with 1957 additions and 737 deletions
+1
View File
@@ -2,3 +2,4 @@
host=review.opendev.org
port=29418
project=openstack/devstack.git
defaultbranch=stable/zed
+141 -67
View File
@@ -1,11 +1,3 @@
- pragma:
# NOTE(gtema): this is required for the changes in SDK feature/r1 branch to
# be using devstack
# TODO(gtema): delete this once r1 branch is merged into master
implied-branches:
- master
- feature/r1
- nodeset:
name: openstack-single-node
nodes:
@@ -16,6 +8,16 @@
nodes:
- controller
- nodeset:
name: openstack-single-node-jammy
nodes:
- name: controller
label: ubuntu-jammy
groups:
- name: tempest
nodes:
- controller
- nodeset:
name: openstack-single-node-focal
nodes:
@@ -47,20 +49,10 @@
- controller
- nodeset:
name: devstack-single-node-centos-7
name: devstack-single-node-centos-9-stream
nodes:
- name: controller
label: centos-7
groups:
- name: tempest
nodes:
- controller
- nodeset:
name: devstack-single-node-centos-8-stream
nodes:
- name: controller
label: centos-8-stream
label: centos-9-stream
groups:
- name: tempest
nodes:
@@ -77,10 +69,10 @@
- controller
- nodeset:
name: devstack-single-node-fedora-latest
name: devstack-single-node-debian-bullseye
nodes:
- name: controller
label: fedora-34
label: debian-bullseye
groups:
- name: tempest
nodes:
@@ -116,6 +108,36 @@
nodes:
- compute1
- nodeset:
name: openstack-two-node-centos-9-stream
nodes:
- name: controller
label: centos-9-stream
- name: compute1
label: centos-9-stream
groups:
# Node where tests are executed and test results collected
- name: tempest
nodes:
- controller
# Nodes running the compute service
- name: compute
nodes:
- controller
- compute1
# Nodes that are not the controller
- name: subnode
nodes:
- compute1
# Switch node for multinode networking setup
- name: switch
nodes:
- controller
# Peer nodes for multinode networking setup
- name: peers
nodes:
- compute1
- nodeset:
name: openstack-two-node-focal
nodes:
@@ -327,8 +349,10 @@
'{{ devstack_log_dir }}/devstacklog.txt.summary': logs
'{{ devstack_log_dir }}/tcpdump.pcap': logs
'{{ devstack_log_dir }}/worlddump-latest.txt': logs
'{{ devstack_log_dir }}/qemu.coredump': logs
'{{ devstack_full_log}}': logs
'{{ stage_dir }}/verify_tempest_conf.log': logs
'{{ stage_dir }}/performance.json': logs
'{{ stage_dir }}/apache': logs
'{{ stage_dir }}/apache_config': logs
'{{ stage_dir }}/etc': logs
@@ -347,6 +371,7 @@
'{{ stage_dir }}/rpm-qa.txt': logs
'{{ stage_dir }}/core': logs
'{{ stage_dir }}/listen53.txt': logs
'{{ stage_dir }}/services.txt': logs
'{{ stage_dir }}/deprecations.log': logs
'{{ stage_dir }}/audit.log': logs
/etc/ceph: logs
@@ -412,7 +437,7 @@
PUBLIC_BRIDGE_MTU: '{{ external_bridge_mtu }}'
devstack_services:
# Shared services
dstat: true
dstat: false
etcd3: true
memory_tracker: true
mysql: true
@@ -421,7 +446,7 @@
subnode:
devstack_services:
# Shared services
dstat: true
dstat: false
memory_tracker: true
devstack_localrc:
# Multinode specific settings
@@ -487,7 +512,7 @@
# Core services enabled for this branch.
# This list replaces the test-matrix.
# Shared services
dstat: true
dstat: false
etcd3: true
memory_tracker: true
mysql: true
@@ -524,7 +549,6 @@
c-bak: true
c-sch: true
c-vol: true
cinder: true
# Services we don't need.
# This section is not really needed, it's for readability.
horizon: false
@@ -538,7 +562,7 @@
# Core services enabled for this branch.
# This list replaces the test-matrix.
# Shared services
dstat: true
dstat: false
memory_tracker: true
tls-proxy: true
# Nova services
@@ -574,11 +598,13 @@
name: devstack-ipv6
parent: devstack
description: |
Devstack single node job for integration gate with IPv6.
Devstack single node job for integration gate with IPv6,
all services and tunnels using IPv6 addresses.
vars:
devstack_localrc:
SERVICE_IP_VERSION: 6
SERVICE_HOST: ""
TUNNEL_IP_VERSION: 6
- job:
name: devstack-enforce-scope
@@ -587,9 +613,7 @@
This job runs the devstack with scope checks enabled.
vars:
devstack_localrc:
# Keep enabeling the services here to run with system scope
CINDER_ENFORCE_SCOPE: true
GLANCE_ENFORCE_SCOPE: true
ENFORCE_SCOPE: true
- job:
name: devstack-multinode
@@ -598,31 +622,99 @@
description: |
Simple multinode test to verify multinode functionality on devstack side.
This is not meant to be used as a parent job.
vars:
devstack_localrc:
MYSQL_REDUCE_MEMORY: true
# NOTE(ianw) Platform tests have traditionally been non-voting because
# we often have to rush things through devstack to stabilise the gate,
# and these platforms don't have the round-the-clock support to avoid
# becoming blockers in that situation.
- job:
name: devstack-platform-centos-8-stream
name: devstack-platform-centos-9-stream
parent: tempest-full-py3
description: CentOS 8 Stream platform test
nodeset: devstack-single-node-centos-8-stream
description: CentOS 9 Stream platform test
nodeset: devstack-single-node-centos-9-stream
timeout: 9000
# TODO(kopecmartin) n-v until the following is resolved:
# https://bugs.launchpad.net/neutron/+bug/1979047
voting: false
vars:
configure_swap_size: 4096
- job:
name: devstack-platform-debian-bullseye
parent: tempest-full-py3
description: Debian Bullseye platform test
nodeset: devstack-single-node-debian-bullseye
timeout: 9000
vars:
configure_swap_size: 4096
- job:
name: devstack-async
name: devstack-platform-ubuntu-jammy
parent: tempest-full-py3
description: Async mode enabled
description: Ubuntu 22.04 LTS (jammy) platform test
nodeset: openstack-single-node-jammy
timeout: 9000
vars:
configure_swap_size: 4096
devstack_services:
# Horizon doesn't like py310
horizon: false
- job:
name: devstack-platform-ubuntu-jammy-ovn-source
parent: devstack-platform-ubuntu-jammy
description: Ubuntu 22.04 LTS (jammy) platform test (OVN from source)
voting: false
vars:
devstack_localrc:
DEVSTACK_PARALLEL: True
zuul_copy_output:
/opt/stack/async: logs
OVN_BUILD_FROM_SOURCE: True
OVN_BRANCH: "v21.06.0"
OVS_BRANCH: "a4b04276ab5934d087669ff2d191a23931335c87"
OVS_SYSCONFDIR: "/usr/local/etc/openvswitch"
- job:
name: devstack-platform-ubuntu-jammy-ovs
parent: tempest-full-py3
description: Ubuntu 22.04 LTS (jammy) platform test (OVS)
nodeset: openstack-single-node-jammy
voting: false
timeout: 9000
vars:
configure_swap_size: 8192
devstack_localrc:
Q_AGENT: openvswitch
Q_ML2_PLUGIN_MECHANISM_DRIVERS: openvswitch
Q_ML2_TENANT_NETWORK_TYPE: vxlan
devstack_services:
# Horizon doesn't like py310
horizon: false
# Disable OVN services
ovn-northd: false
ovn-controller: false
ovs-vswitchd: false
ovsdb-server: false
# Disable Neutron ML2/OVN services
q-ovn-metadata-agent: false
# Enable Neutron ML2/OVS services
q-agt: true
q-dhcp: true
q-l3: true
q-meta: true
q-metering: true
group-vars:
subnode:
devstack_services:
# Disable OVN services
ovn-controller: false
ovs-vswitchd: false
ovsdb-server: false
# Disable Neutron ML2/OVN services
q-ovn-metadata-agent: false
# Enable Neutron ML2/OVS services
q-agt: true
- job:
name: devstack-no-tls-proxy
@@ -635,23 +727,6 @@
devstack_services:
tls-proxy: false
- job:
name: devstack-platform-fedora-latest
parent: tempest-full-py3
description: Fedora latest platform test
nodeset: devstack-single-node-fedora-latest
voting: false
- job:
name: devstack-platform-fedora-latest-virt-preview
parent: tempest-full-py3
description: Fedora latest platform test using the virt-preview repo.
nodeset: devstack-single-node-fedora-latest
voting: false
vars:
devstack_localrc:
ENABLE_FEDORA_VIRT_PREVIEW_REPO: true
- job:
name: devstack-tox-base
parent: devstack
@@ -725,9 +800,11 @@
- devstack
- devstack-ipv6
- devstack-enforce-scope
- devstack-platform-fedora-latest
- devstack-platform-centos-8-stream
- devstack-async
- devstack-platform-centos-9-stream
- devstack-platform-debian-bullseye
- devstack-platform-ubuntu-jammy
- devstack-platform-ubuntu-jammy-ovn-source
- devstack-platform-ubuntu-jammy-ovs
- devstack-multinode
- devstack-unit-tests
- openstack-tox-bashate
@@ -771,6 +848,11 @@
jobs:
- devstack
- devstack-ipv6
# TODO(kopecmartin) n-v until the following is resolved:
# https://bugs.launchpad.net/neutron/+bug/1979047
# - devstack-platform-centos-9-stream
- devstack-platform-debian-bullseye
- devstack-platform-ubuntu-jammy
- devstack-enforce-scope
- devstack-multinode
- devstack-unit-tests
@@ -818,10 +900,6 @@
# Next cycle we can remove this if everything run out stable enough.
# * nova-multi-cell: maintained by nova and currently non-voting in the
# check queue for nova changes but relies on devstack configuration
# * devstack-platform-fedora-latest-virt-preview: Maintained by lyarwood
# for Nova to allow early testing of the latest versions of Libvirt and
# QEMU. Should only graduate out of experimental if it ever moves into
# the check queue for Nova.
experimental:
jobs:
@@ -850,8 +928,4 @@
irrelevant-files:
- ^.*\.rst$
- ^doc/.*$
- devstack-platform-fedora-latest-virt-preview
- devstack-no-tls-proxy
periodic:
jobs:
- devstack-no-tls-proxy
+30 -15
View File
@@ -279,7 +279,7 @@ number of days of old log files to keep.
::
LOGDAYS=1
LOGDAYS=2
Some coloring is used during the DevStack runs to make it easier to
see what is going on. This can be disabled with::
@@ -521,8 +521,8 @@ behavior:
can be configured with any valid IPv6 prefix. The default values make
use of an auto-generated ``IPV6_GLOBAL_ID`` to comply with RFC4193.
Service Version
~~~~~~~~~~~~~~~
Service IP Version
~~~~~~~~~~~~~~~~~~
DevStack can enable service operation over either IPv4 or IPv6 by
setting ``SERVICE_IP_VERSION`` to either ``SERVICE_IP_VERSION=4`` or
@@ -542,6 +542,27 @@ optionally be used to alter the default IPv6 address::
HOST_IPV6=${some_local_ipv6_address}
Tunnel IP Version
~~~~~~~~~~~~~~~~~
DevStack can enable tunnel operation over either IPv4 or IPv6 by
setting ``TUNNEL_IP_VERSION`` to either ``TUNNEL_IP_VERSION=4`` or
``TUNNEL_IP_VERSION=6`` respectively.
When set to ``4`` Neutron will use an IPv4 address for tunnel endpoints,
for example, ``HOST_IP``.
When set to ``6`` Neutron will use an IPv6 address for tunnel endpoints,
for example, ``HOST_IPV6``.
The default value for this setting is ``4``. Dual-mode support, for
example ``4+6`` is not supported, as this value must match the address
family of the local tunnel endpoint IP(v6) address.
The value of ``TUNNEL_IP_VERSION`` has a direct relationship to the
setting of ``TUNNEL_ENDPOINT_IP``, which will default to ``HOST_IP``
when set to ``4``, and ``HOST_IPV6`` when set to ``6``.
Multi-node setup
~~~~~~~~~~~~~~~~
@@ -642,6 +663,12 @@ with ``VOLUME_BACKING_FILE_SIZE``.
VOLUME_NAME_PREFIX="volume-"
VOLUME_BACKING_FILE_SIZE=24G
When running highly concurrent tests, the default per-project quotas
for volumes, backups, or snapshots may be too small. These can be
adjusted by setting ``CINDER_QUOTA_VOLUMES``, ``CINDER_QUOTA_BACKUPS``,
or ``CINDER_QUOTA_SNAPSHOTS`` to the desired value. (The default for
each is 10.)
Keystone
~~~~~~~~
@@ -666,7 +693,6 @@ In RegionTwo:
disable_service horizon
KEYSTONE_SERVICE_HOST=<KEYSTONE_IP_ADDRESS_FROM_REGION_ONE>
KEYSTONE_AUTH_HOST=<KEYSTONE_IP_ADDRESS_FROM_REGION_ONE>
REGION_NAME=RegionTwo
KEYSTONE_REGION_NAME=RegionOne
@@ -679,17 +705,6 @@ KEYSTONE_REGION_NAME to specify the region of Keystone service.
KEYSTONE_REGION_NAME has a default value the same as REGION_NAME thus we omit
it in the configuration of RegionOne.
Disabling Identity API v2
+++++++++++++++++++++++++
The Identity API v2 is deprecated as of Mitaka and it is recommended to only
use the v3 API. It is possible to setup keystone without v2 API, by doing:
::
ENABLE_IDENTITY_V2=False
Glance
++++++
+11 -3
View File
@@ -75,13 +75,21 @@ Otherwise create the stack user:
useradd -s /bin/bash -d /opt/stack -m stack
Ensure home directory for the ``stack`` user has executable permission for all,
as RHEL based distros create it with ``700`` and Ubuntu 21.04+ with ``750``
which can cause issues during deployment.
::
chmod +x /opt/stack
This user will be making many changes to your system during installation
and operation so it needs to have sudo privileges to root without a
password:
::
echo "stack ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
echo "stack ALL=(ALL) NOPASSWD: ALL" | sudo tee /etc/sudoers.d/stack
From here on use the ``stack`` user. **Logout** and **login** as the
``stack`` user.
@@ -169,7 +177,7 @@ machines, create a ``local.conf`` with:
MYSQL_HOST=$SERVICE_HOST
RABBIT_HOST=$SERVICE_HOST
GLANCE_HOSTPORT=$SERVICE_HOST:9292
ENABLED_SERVICES=n-cpu,q-agt,c-vol,placement-client
ENABLED_SERVICES=n-cpu,c-vol,placement-client,ovn-controller,ovs-vswitchd,ovsdb-server,q-ovn-metadata-agent
NOVA_VNC_ENABLED=True
NOVNCPROXY_URL="http://$SERVICE_HOST:6080/vnc_lite.html"
VNCSERVER_LISTEN=$HOST_IP
@@ -395,7 +403,7 @@ SSH keys need to be exchanged between each compute node:
3. Verify that login via ssh works without a password::
ssh -i /root/.ssh/id_rsa.pub stack@DESTINATION
ssh -i /root/.ssh/id_rsa stack@DESTINATION
In essence, this means that every compute node's root user's public RSA key
must exist in every other compute node's stack user's authorized_keys file and
+9 -1
View File
@@ -49,13 +49,21 @@ below)
$ sudo useradd -s /bin/bash -d /opt/stack -m stack
Ensure home directory for the ``stack`` user has executable permission for all,
as RHEL based distros create it with ``700`` and Ubuntu 21.04+ with ``750``
which can cause issues during deployment.
.. code-block:: console
$ sudo chmod +x /opt/stack
Since this user will be making many changes to your system, it will need
to have sudo privileges:
.. code-block:: console
$ apt-get install sudo -y || yum install -y sudo
$ echo "stack ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
$ echo "stack ALL=(ALL) NOPASSWD: ALL" | sudo tee /etc/sudoers.d/stack
.. note:: On some systems you may need to use ``sudo visudo``.
+8
View File
@@ -57,6 +57,14 @@ to run DevStack with
$ sudo useradd -s /bin/bash -d /opt/stack -m stack
Ensure home directory for the ``stack`` user has executable permission for all,
as RHEL based distros create it with ``700`` and Ubuntu 21.04+ with ``750``
which can cause issues during deployment.
.. code-block:: console
$ sudo chmod +x /opt/stack
Since this user will be making many changes to your system, it should
have sudo privileges:
+5 -3
View File
@@ -24,8 +24,6 @@ official OpenStack projects.
======================================== ===
Plugin Name URL
======================================== ===
inspur/venus `https://opendev.org/inspur/venus <https://opendev.org/inspur/venus>`__
inspur/venus-dashboard `https://opendev.org/inspur/venus-dashboard <https://opendev.org/inspur/venus-dashboard>`__
openstack/aodh `https://opendev.org/openstack/aodh <https://opendev.org/openstack/aodh>`__
openstack/barbican `https://opendev.org/openstack/barbican <https://opendev.org/openstack/barbican>`__
openstack/blazar `https://opendev.org/openstack/blazar <https://opendev.org/openstack/blazar>`__
@@ -77,6 +75,8 @@ openstack/networking-powervm `https://opendev.org/openstack/networki
openstack/networking-sfc `https://opendev.org/openstack/networking-sfc <https://opendev.org/openstack/networking-sfc>`__
openstack/neutron `https://opendev.org/openstack/neutron <https://opendev.org/openstack/neutron>`__
openstack/neutron-dynamic-routing `https://opendev.org/openstack/neutron-dynamic-routing <https://opendev.org/openstack/neutron-dynamic-routing>`__
openstack/neutron-fwaas `https://opendev.org/openstack/neutron-fwaas <https://opendev.org/openstack/neutron-fwaas>`__
openstack/neutron-fwaas-dashboard `https://opendev.org/openstack/neutron-fwaas-dashboard <https://opendev.org/openstack/neutron-fwaas-dashboard>`__
openstack/neutron-tempest-plugin `https://opendev.org/openstack/neutron-tempest-plugin <https://opendev.org/openstack/neutron-tempest-plugin>`__
openstack/neutron-vpnaas `https://opendev.org/openstack/neutron-vpnaas <https://opendev.org/openstack/neutron-vpnaas>`__
openstack/neutron-vpnaas-dashboard `https://opendev.org/openstack/neutron-vpnaas-dashboard <https://opendev.org/openstack/neutron-vpnaas-dashboard>`__
@@ -94,6 +94,7 @@ openstack/sahara `https://opendev.org/openstack/sahara <
openstack/sahara-dashboard `https://opendev.org/openstack/sahara-dashboard <https://opendev.org/openstack/sahara-dashboard>`__
openstack/senlin `https://opendev.org/openstack/senlin <https://opendev.org/openstack/senlin>`__
openstack/shade `https://opendev.org/openstack/shade <https://opendev.org/openstack/shade>`__
openstack/skyline-apiserver `https://opendev.org/openstack/skyline-apiserver <https://opendev.org/openstack/skyline-apiserver>`__
openstack/solum `https://opendev.org/openstack/solum <https://opendev.org/openstack/solum>`__
openstack/storlets `https://opendev.org/openstack/storlets <https://opendev.org/openstack/storlets>`__
openstack/tacker `https://opendev.org/openstack/tacker <https://opendev.org/openstack/tacker>`__
@@ -101,6 +102,8 @@ openstack/tap-as-a-service `https://opendev.org/openstack/tap-as-a
openstack/telemetry-tempest-plugin `https://opendev.org/openstack/telemetry-tempest-plugin <https://opendev.org/openstack/telemetry-tempest-plugin>`__
openstack/trove `https://opendev.org/openstack/trove <https://opendev.org/openstack/trove>`__
openstack/trove-dashboard `https://opendev.org/openstack/trove-dashboard <https://opendev.org/openstack/trove-dashboard>`__
openstack/venus `https://opendev.org/openstack/venus <https://opendev.org/openstack/venus>`__
openstack/venus-dashboard `https://opendev.org/openstack/venus-dashboard <https://opendev.org/openstack/venus-dashboard>`__
openstack/vitrage `https://opendev.org/openstack/vitrage <https://opendev.org/openstack/vitrage>`__
openstack/vitrage-dashboard `https://opendev.org/openstack/vitrage-dashboard <https://opendev.org/openstack/vitrage-dashboard>`__
openstack/vitrage-tempest-plugin `https://opendev.org/openstack/vitrage-tempest-plugin <https://opendev.org/openstack/vitrage-tempest-plugin>`__
@@ -112,7 +115,6 @@ openstack/zaqar-ui `https://opendev.org/openstack/zaqar-ui
openstack/zun `https://opendev.org/openstack/zun <https://opendev.org/openstack/zun>`__
openstack/zun-ui `https://opendev.org/openstack/zun-ui <https://opendev.org/openstack/zun-ui>`__
performa/os-faults `https://opendev.org/performa/os-faults <https://opendev.org/performa/os-faults>`__
skyline/skyline-apiserver `https://opendev.org/skyline/skyline-apiserver <https://opendev.org/skyline/skyline-apiserver>`__
starlingx/config `https://opendev.org/starlingx/config <https://opendev.org/starlingx/config>`__
starlingx/fault `https://opendev.org/starlingx/fault <https://opendev.org/starlingx/fault>`__
starlingx/ha `https://opendev.org/starlingx/ha <https://opendev.org/starlingx/ha>`__
+1 -1
View File
@@ -238,7 +238,7 @@ package dependencies, packages may be listed at the following
locations in the top-level of the plugin repository:
- ``./devstack/files/debs/$plugin_name`` - Packages to install when running
on Ubuntu, Debian or Linux Mint.
on Ubuntu or Debian.
- ``./devstack/files/rpms/$plugin_name`` - Packages to install when running
on Red Hat, Fedora, or CentOS.
-25
View File
@@ -1,5 +1,4 @@
Listen %PUBLICPORT%
Listen %ADMINPORT%
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %D(us)" keystone_combined
<Directory %KEYSTONE_BIN%>
@@ -20,20 +19,6 @@ LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %D(us)"
%SSLKEYFILE%
</VirtualHost>
<VirtualHost *:%ADMINPORT%>
WSGIDaemonProcess keystone-admin processes=3 threads=1 user=%USER% display-name=%{GROUP} %VIRTUALENV%
WSGIProcessGroup keystone-admin
WSGIScriptAlias / %KEYSTONE_BIN%/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%M"
ErrorLog /var/log/%APACHE_NAME%/keystone.log
CustomLog /var/log/%APACHE_NAME%/keystone_access.log keystone_combined
%SSLENGINE%
%SSLCERTFILE%
%SSLKEYFILE%
</VirtualHost>
%SSLLISTEN%<VirtualHost *:443>
%SSLLISTEN% %SSLENGINE%
%SSLLISTEN% %SSLCERTFILE%
@@ -49,13 +34,3 @@ Alias /identity %KEYSTONE_BIN%/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
</Location>
Alias /identity_admin %KEYSTONE_BIN%/keystone-wsgi-admin
<Location /identity_admin>
SetHandler wsgi-script
Options +ExecCGI
WSGIProcessGroup keystone-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
</Location>
-2
View File
@@ -1,7 +1,5 @@
conntrack
curl
dnsmasq-base
dnsmasq-utils # for dhcp_release
ebtables
genisoimage # required for config_drive
iptables
+1
View File
@@ -2,5 +2,6 @@ curl
liberasurecode-dev
make
memcached
rsync
sqlite3
xfsprogs
+1 -1
View File
@@ -1,4 +1,4 @@
dn: olcDatabase={${LDAP_OLCDB_NUMBER}}hdb,cn=config
dn: olcDatabase={${LDAP_OLCDB_NUMBER}}${LDAP_OLCDB_TYPE},cn=config
changetype: modify
replace: olcSuffix
olcSuffix: ${BASE_DN}
+16
View File
@@ -0,0 +1,16 @@
[Unit]
Description=Activate LVM backing file %BACKING_FILE%
DefaultDependencies=no
After=systemd-udev-settle.service
Before=lvm2-activation-early.service
Wants=systemd-udev-settle.service
[Service]
ExecStart=/sbin/losetup --find --show %DIRECTIO% %BACKING_FILE%
ExecStop=/bin/sh -c '/sbin/losetup -d $$(/sbin/losetup --associated %BACKING_FILE% -O NAME -n)'
RemainAfterExit=yes
Type=oneshot
[Install]
WantedBy=local-fs.target
Also=systemd-udev-settle.service
-2
View File
@@ -1,8 +1,6 @@
cdrkit-cdrtools-compat # dist:sle12
conntrack-tools
curl
dnsmasq
dnsmasq-utils # dist:opensuse-12.3,opensuse-13.1
ebtables
iptables
iputils
+1 -1
View File
@@ -1,3 +1,3 @@
ceph # NOPRIME
redhat-lsb-core
redhat-lsb-core # not:rhel9
xfsprogs
+1
View File
@@ -16,6 +16,7 @@ libjpeg-turbo-devel # Pillow 3.0.0
libxml2-devel # lxml
libxslt-devel # lxml
libyaml-devel
mod_ssl # required for tls-proxy on centos 9 stream computes
net-tools
openssh-server
openssl
+2 -1
View File
@@ -1,9 +1,10 @@
cryptsetup
dosfstools
genisoimage
genisoimage # not:rhel9
iscsi-initiator-utils
libosinfo
lvm2
sg3_utils
# Stuff for diablo volumes
sysfsutils
xorriso # not:rhel8
+2 -3
View File
@@ -1,9 +1,7 @@
conntrack-tools
curl
dnsmasq # for q-dhcp
dnsmasq-utils # for dhcp_release
ebtables
genisoimage # required for config_drive
genisoimage # not:rhel9 required for config_drive
iptables
iputils
kernel-modules
@@ -13,3 +11,4 @@ polkit
rabbitmq-server # NOPRIME
sqlite
sudo
xorriso # not:rhel8
+1 -1
View File
@@ -4,4 +4,4 @@ memcached
rsync-daemon
sqlite
xfsprogs
xinetd # not:f34
xinetd # not:f35,rhel9
+2 -2
View File
@@ -414,10 +414,10 @@ function upload_image {
# kernel for use when uploading the root filesystem.
local kernel_id="" ramdisk_id="";
if [ -n "$kernel" ]; then
kernel_id=$(openstack --os-cloud=devstack-admin --os-region-name="$REGION_NAME" image create "$image_name-kernel" $(_image_properties_to_arg $img_property) --public --container-format aki --disk-format aki < "$kernel" | grep ' id ' | get_field 2)
kernel_id=$(openstack --os-cloud=devstack-admin --os-region-name="$REGION_NAME" image create "$image_name-kernel" $(_image_properties_to_arg $img_property) --public --container-format aki --disk-format aki < "$kernel" -f value -c id)
fi
if [ -n "$ramdisk" ]; then
ramdisk_id=$(openstack --os-cloud=devstack-admin --os-region-name="$REGION_NAME" image create "$image_name-ramdisk" $(_image_properties_to_arg $img_property) --public --container-format ari --disk-format ari < "$ramdisk" | grep ' id ' | get_field 2)
ramdisk_id=$(openstack --os-cloud=devstack-admin --os-region-name="$REGION_NAME" image create "$image_name-ramdisk" $(_image_properties_to_arg $img_property) --public --container-format ari --disk-format ari < "$ramdisk" -f value -c id)
fi
_upload_image "${image_name%.img}" ami ami "$image" ${kernel_id:+ kernel_id=$kernel_id} ${ramdisk_id:+ ramdisk_id=$ramdisk_id} $img_property
fi
+187 -55
View File
@@ -49,7 +49,7 @@ KILL_PATH="$(which kill)"
STACK_ENV_VARS="BASE_SQL_CONN DATA_DIR DEST ENABLED_SERVICES HOST_IP \
KEYSTONE_SERVICE_URI \
LOGFILE OS_CACERT SERVICE_HOST STACK_USER TLS_IP \
HOST_IPV6 SERVICE_IP_VERSION"
HOST_IPV6 SERVICE_IP_VERSION TUNNEL_ENDPOINT_IP TUNNEL_IP_VERSION"
# Saves significant environment variables to .stackenv for later use
@@ -85,7 +85,7 @@ function write_clouds_yaml {
if [ -f "$SSL_BUNDLE_FILE" ]; then
CA_CERT_ARG="--os-cacert $SSL_BUNDLE_FILE"
fi
# demo -> devstack
# devstack: user with the member role on demo project
$PYTHON $TOP_DIR/tools/update_clouds_yaml.py \
--file $CLOUDS_YAML \
--os-cloud devstack \
@@ -96,18 +96,7 @@ function write_clouds_yaml {
--os-password $ADMIN_PASSWORD \
--os-project-name demo
# alt_demo -> devstack-alt
$PYTHON $TOP_DIR/tools/update_clouds_yaml.py \
--file $CLOUDS_YAML \
--os-cloud devstack-alt \
--os-region-name $REGION_NAME \
$CA_CERT_ARG \
--os-auth-url $KEYSTONE_SERVICE_URI \
--os-username alt_demo \
--os-password $ADMIN_PASSWORD \
--os-project-name alt_demo
# admin -> devstack-admin
# devstack-admin: user with the admin role on the admin project
$PYTHON $TOP_DIR/tools/update_clouds_yaml.py \
--file $CLOUDS_YAML \
--os-cloud devstack-admin \
@@ -118,7 +107,62 @@ function write_clouds_yaml {
--os-password $ADMIN_PASSWORD \
--os-project-name admin
# admin with a system-scoped token -> devstack-system
# devstack-admin-demo: user with the admin role on the demo project
$PYTHON $TOP_DIR/tools/update_clouds_yaml.py \
--file $CLOUDS_YAML \
--os-cloud devstack-admin-demo \
--os-region-name $REGION_NAME \
$CA_CERT_ARG \
--os-auth-url $KEYSTONE_SERVICE_URI \
--os-username admin \
--os-password $ADMIN_PASSWORD \
--os-project-name demo
# devstack-alt: user with the member role on alt_demo project
$PYTHON $TOP_DIR/tools/update_clouds_yaml.py \
--file $CLOUDS_YAML \
--os-cloud devstack-alt \
--os-region-name $REGION_NAME \
$CA_CERT_ARG \
--os-auth-url $KEYSTONE_SERVICE_URI \
--os-username alt_demo \
--os-password $ADMIN_PASSWORD \
--os-project-name alt_demo
# devstack-alt-member: user with the member role on alt_demo project
$PYTHON $TOP_DIR/tools/update_clouds_yaml.py \
--file $CLOUDS_YAML \
--os-cloud devstack-alt-member \
--os-region-name $REGION_NAME \
$CA_CERT_ARG \
--os-auth-url $KEYSTONE_SERVICE_URI \
--os-username alt_demo_member \
--os-password $ADMIN_PASSWORD \
--os-project-name alt_demo
# devstack-alt-reader: user with the reader role on alt_demo project
$PYTHON $TOP_DIR/tools/update_clouds_yaml.py \
--file $CLOUDS_YAML \
--os-cloud devstack-alt-reader \
--os-region-name $REGION_NAME \
$CA_CERT_ARG \
--os-auth-url $KEYSTONE_SERVICE_URI \
--os-username alt_demo_reader \
--os-password $ADMIN_PASSWORD \
--os-project-name alt_demo
# devstack-reader: user with the reader role on demo project
$PYTHON $TOP_DIR/tools/update_clouds_yaml.py \
--file $CLOUDS_YAML \
--os-cloud devstack-reader \
--os-region-name $REGION_NAME \
$CA_CERT_ARG \
--os-auth-url $KEYSTONE_SERVICE_URI \
--os-username demo_reader \
--os-password $ADMIN_PASSWORD \
--os-project-name demo
# devstack-system-admin: user with the admin role on the system
$PYTHON $TOP_DIR/tools/update_clouds_yaml.py \
--file $CLOUDS_YAML \
--os-cloud devstack-system-admin \
@@ -129,6 +173,28 @@ function write_clouds_yaml {
--os-password $ADMIN_PASSWORD \
--os-system-scope all
# devstack-system-member: user with the member role on the system
$PYTHON $TOP_DIR/tools/update_clouds_yaml.py \
--file $CLOUDS_YAML \
--os-cloud devstack-system-member \
--os-region-name $REGION_NAME \
$CA_CERT_ARG \
--os-auth-url $KEYSTONE_SERVICE_URI \
--os-username system_member \
--os-password $ADMIN_PASSWORD \
--os-system-scope all
# devstack-system-reader: user with the reader role on the system
$PYTHON $TOP_DIR/tools/update_clouds_yaml.py \
--file $CLOUDS_YAML \
--os-cloud devstack-system-reader \
--os-region-name $REGION_NAME \
$CA_CERT_ARG \
--os-auth-url $KEYSTONE_SERVICE_URI \
--os-username system_reader \
--os-password $ADMIN_PASSWORD \
--os-system-scope all
cat >> $CLOUDS_YAML <<EOF
functional:
image_name: $DEFAULT_IMAGE_NAME
@@ -346,14 +412,21 @@ function _ensure_lsb_release {
# - os_VENDOR
# - os_PACKAGE
function GetOSVersion {
# We only support distros that provide a sane lsb_release
_ensure_lsb_release
# CentOS Stream 9 does not provide lsb_release
source /etc/os-release
if [[ "${ID}${VERSION}" == "centos9" ]]; then
os_RELEASE=${VERSION_ID}
os_CODENAME="n/a"
os_VENDOR=$(echo $NAME | tr -d '[:space:]')
else
_ensure_lsb_release
os_RELEASE=$(lsb_release -r -s)
os_CODENAME=$(lsb_release -c -s)
os_VENDOR=$(lsb_release -i -s)
os_RELEASE=$(lsb_release -r -s)
os_CODENAME=$(lsb_release -c -s)
os_VENDOR=$(lsb_release -i -s)
fi
if [[ $os_VENDOR =~ (Debian|Ubuntu|LinuxMint) ]]; then
if [[ $os_VENDOR =~ (Debian|Ubuntu) ]]; then
os_PACKAGE="deb"
else
os_PACKAGE="rpm"
@@ -371,9 +444,8 @@ declare -g DISTRO
function GetDistro {
GetOSVersion
if [[ "$os_VENDOR" =~ (Ubuntu) || "$os_VENDOR" =~ (Debian) || \
"$os_VENDOR" =~ (LinuxMint) ]]; then
# 'Everyone' refers to Ubuntu / Debian / Mint releases by
if [[ "$os_VENDOR" =~ (Ubuntu) || "$os_VENDOR" =~ (Debian) ]]; then
# 'Everyone' refers to Ubuntu / Debian releases by
# the code name adjective
DISTRO=$os_CODENAME
elif [[ "$os_VENDOR" =~ (Fedora) ]]; then
@@ -391,6 +463,7 @@ function GetDistro {
DISTRO="sle${os_RELEASE%.*}"
elif [[ "$os_VENDOR" =~ (Red.*Hat) || \
"$os_VENDOR" =~ (CentOS) || \
"$os_VENDOR" =~ (AlmaLinux) || \
"$os_VENDOR" =~ (Scientific) || \
"$os_VENDOR" =~ (OracleServer) || \
"$os_VENDOR" =~ (Virtuozzo) ]]; then
@@ -451,6 +524,7 @@ function is_fedora {
[ "$os_VENDOR" = "RedHatEnterpriseServer" ] || \
[ "$os_VENDOR" = "RedHatEnterprise" ] || \
[ "$os_VENDOR" = "CentOS" ] || [ "$os_VENDOR" = "CentOSStream" ] || \
[ "$os_VENDOR" = "AlmaLinux" ] || \
[ "$os_VENDOR" = "OracleServer" ] || [ "$os_VENDOR" = "Virtuozzo" ]
}
@@ -496,7 +570,6 @@ function is_ubuntu {
[ "$os_PACKAGE" = "deb" ]
}
# Git Functions
# =============
@@ -547,7 +620,7 @@ function git_clone {
if [[ "$ERROR_ON_CLONE" = "True" ]]; then
echo "The $git_dest project was not found; if this is a gate job, add"
echo "the project to 'required-projects' in the job definition."
die $LINENO "Cloning not allowed in this configuration"
die $LINENO "ERROR_ON_CLONE is set to True so cloning not allowed in this configuration"
fi
git_timed clone $git_clone_flags $git_remote $git_dest
fi
@@ -559,10 +632,12 @@ function git_clone {
if [[ "$ERROR_ON_CLONE" = "True" ]]; then
echo "The $git_dest project was not found; if this is a gate job, add"
echo "the project to the \$PROJECTS variable in the job definition."
die $LINENO "Cloning not allowed in this configuration"
die $LINENO "ERROR_ON_CLONE is set to True so cloning not allowed in this configuration"
fi
# '--branch' can also take tags
git_timed clone $git_clone_flags $git_remote $git_dest --branch $git_ref
git_timed clone --no-checkout $git_clone_flags $git_remote $git_dest
cd $git_dest
git_timed fetch $git_clone_flags origin $git_ref
git_timed checkout FETCH_HEAD
elif [[ "$RECLONE" = "True" ]]; then
# if it does exist then simulate what clone does if asked to RECLONE
cd $git_dest
@@ -572,7 +647,7 @@ function git_clone {
# remove the existing ignored files (like pyc) as they cause breakage
# (due to the py files having older timestamps than our pyc, so python
# thinks the pyc files are correct using them)
find $git_dest -name '*.pyc' -delete
sudo find $git_dest -name '*.pyc' -delete
# handle git_ref accordingly to type (tag, branch)
if [[ -n "`git show-ref refs/tags/$git_ref`" ]]; then
@@ -588,6 +663,18 @@ function git_clone {
fi
fi
# NOTE(ianw) 2022-04-13 : commit [1] has broken many assumptions
# about how we clone and work with repos. Mark them safe globally
# as a work-around.
#
# NOTE(danms): On bionic (and likely others) git-config may write
# ~stackuser/.gitconfig if not run with sudo -H. Using --system
# writes these changes to /etc/gitconfig which is more
# discoverable anyway.
#
# [1] https://github.com/git/git/commit/8959555cee7ec045958f9b6dd62e541affb7e7d9
sudo git config --system --add safe.directory ${git_dest}
# print out the results so we know what change was used in the logs
cd $git_dest
git show --oneline | head -1
@@ -793,10 +880,10 @@ function get_or_create_domain {
# Gets domain id
domain_id=$(
# Gets domain id
openstack domain show $1 \
openstack --os-cloud devstack-system-admin domain show $1 \
-f value -c id 2>/dev/null ||
# Creates new domain
openstack domain create $1 \
openstack --os-cloud devstack-system-admin domain create $1 \
--description "$2" \
-f value -c id
)
@@ -811,7 +898,7 @@ function get_or_create_group {
# Gets group id
group_id=$(
# Creates new group with --or-show
openstack group create $1 \
openstack --os-cloud devstack-system-admin group create $1 \
--domain $2 --description "$desc" --or-show \
-f value -c id
)
@@ -830,7 +917,7 @@ function get_or_create_user {
# Gets user id
user_id=$(
# Creates new user with --or-show
openstack user create \
openstack --os-cloud devstack-system-admin user create \
$1 \
--password "$2" \
--domain=$3 \
@@ -847,7 +934,7 @@ function get_or_create_project {
local project_id
project_id=$(
# Creates new project with --or-show
openstack project create $1 \
openstack --os-cloud devstack-system-admin project create $1 \
--domain=$2 \
--or-show -f value -c id
)
@@ -860,7 +947,7 @@ function get_or_create_role {
local role_id
role_id=$(
# Creates role with --or-show
openstack role create $1 \
openstack --os-cloud devstack-system-admin role create $1 \
--or-show -f value -c id
)
echo $role_id
@@ -890,7 +977,7 @@ function get_or_add_user_project_role {
domain_args=$(_get_domain_args $4 $5)
# Gets user role id
user_role_id=$(openstack role assignment list \
user_role_id=$(openstack --os-cloud devstack-system-admin role assignment list \
--role $1 \
--user $2 \
--project $3 \
@@ -898,11 +985,11 @@ function get_or_add_user_project_role {
| grep '^|\s[a-f0-9]\+' | get_field 1)
if [[ -z "$user_role_id" ]]; then
# Adds role to user and get it
openstack role add $1 \
openstack --os-cloud devstack-system-admin role add $1 \
--user $2 \
--project $3 \
$domain_args
user_role_id=$(openstack role assignment list \
user_role_id=$(openstack --os-cloud devstack-system-admin role assignment list \
--role $1 \
--user $2 \
--project $3 \
@@ -917,17 +1004,17 @@ function get_or_add_user_project_role {
function get_or_add_user_domain_role {
local user_role_id
# Gets user role id
user_role_id=$(openstack role assignment list \
user_role_id=$(openstack --os-cloud devstack-system-admin role assignment list \
--role $1 \
--user $2 \
--domain $3 \
| grep '^|\s[a-f0-9]\+' | get_field 1)
if [[ -z "$user_role_id" ]]; then
# Adds role to user and get it
openstack role add $1 \
openstack --os-cloud devstack-system-admin role add $1 \
--user $2 \
--domain $3
user_role_id=$(openstack role assignment list \
user_role_id=$(openstack --os-cloud devstack-system-admin role assignment list \
--role $1 \
--user $2 \
--domain $3 \
@@ -936,22 +1023,53 @@ function get_or_add_user_domain_role {
echo $user_role_id
}
# Gets or adds user role to system
# Usage: get_or_add_user_system_role <role> <user> <system> [<user_domain>]
function get_or_add_user_system_role {
local user_role_id
local domain_args
domain_args=$(_get_domain_args $4)
# Gets user role id
user_role_id=$(openstack --os-cloud devstack-system-admin role assignment list \
--role $1 \
--user $2 \
--system $3 \
$domain_args \
-f value -c Role)
if [[ -z "$user_role_id" ]]; then
# Adds role to user and get it
openstack --os-cloud devstack-system-admin role add $1 \
--user $2 \
--system $3 \
$domain_args
user_role_id=$(openstack --os-cloud devstack-system-admin role assignment list \
--role $1 \
--user $2 \
--system $3 \
$domain_args \
-f value -c Role)
fi
echo $user_role_id
}
# Gets or adds group role to project
# Usage: get_or_add_group_project_role <role> <group> <project>
function get_or_add_group_project_role {
local group_role_id
# Gets group role id
group_role_id=$(openstack role assignment list \
group_role_id=$(openstack --os-cloud devstack-system-admin role assignment list \
--role $1 \
--group $2 \
--project $3 \
-f value)
if [[ -z "$group_role_id" ]]; then
# Adds role to group and get it
openstack role add $1 \
openstack --os-cloud devstack-system-admin role add $1 \
--group $2 \
--project $3
group_role_id=$(openstack role assignment list \
group_role_id=$(openstack --os-cloud devstack-system-admin role assignment list \
--role $1 \
--group $2 \
--project $3 \
@@ -967,9 +1085,9 @@ function get_or_create_service {
# Gets service id
service_id=$(
# Gets service id
openstack service show $2 -f value -c id 2>/dev/null ||
openstack --os-cloud devstack-system-admin service show $2 -f value -c id 2>/dev/null ||
# Creates new service if not exists
openstack service create \
openstack --os-cloud devstack-system-admin service create \
$2 \
--name $1 \
--description="$3" \
@@ -982,14 +1100,14 @@ function get_or_create_service {
# Usage: _get_or_create_endpoint_with_interface <service> <interface> <url> <region>
function _get_or_create_endpoint_with_interface {
local endpoint_id
endpoint_id=$(openstack endpoint list \
endpoint_id=$(openstack --os-cloud devstack-system-admin endpoint list \
--service $1 \
--interface $2 \
--region $4 \
-c ID -f value)
if [[ -z "$endpoint_id" ]]; then
# Creates new endpoint
endpoint_id=$(openstack endpoint create \
endpoint_id=$(openstack --os-cloud devstack-system-admin endpoint create \
$1 $2 $3 --region $4 -f value -c id)
fi
@@ -1023,7 +1141,7 @@ function get_or_create_endpoint {
# Get a URL from the identity service
# Usage: get_endpoint_url <service> <interface>
function get_endpoint_url {
echo $(openstack endpoint list \
echo $(openstack --os-cloud devstack-system-admin endpoint list \
--service $1 --interface $2 \
-c URL -f value)
}
@@ -1038,7 +1156,7 @@ function is_ironic_hardware {
}
function is_ironic_enforce_scope {
is_service_enabled ironic && [[ "$IRONIC_ENFORCE_SCOPE" == "True" ]] && return 0
is_service_enabled ironic && [[ "$IRONIC_ENFORCE_SCOPE" == "True" || "$ENFORCE_SCOPE" == "True" ]] && return 0
return 1
}
@@ -1447,6 +1565,7 @@ function write_user_unit_file {
local command="$2"
local group=$3
local user=$4
local env_vars="$5"
local extra=""
if [[ -n "$group" ]]; then
extra="Group=$group"
@@ -1460,6 +1579,9 @@ function write_user_unit_file {
iniset -sudo $unitfile "Service" "KillMode" "process"
iniset -sudo $unitfile "Service" "TimeoutStopSec" "300"
iniset -sudo $unitfile "Service" "ExecReload" "$KILL_PATH -HUP \$MAINPID"
if [[ -n "$env_vars" ]] ; then
iniset -sudo $unitfile "Service" "Environment" "$env_vars"
fi
if [[ -n "$group" ]]; then
iniset -sudo $unitfile "Service" "Group" "$group"
fi
@@ -1474,6 +1596,7 @@ function write_uwsgi_user_unit_file {
local command="$2"
local group=$3
local user=$4
local env_vars="$5"
local unitfile="$SYSTEMD_DIR/$service"
mkdir -p $SYSTEMD_DIR
@@ -1488,6 +1611,9 @@ function write_uwsgi_user_unit_file {
iniset -sudo $unitfile "Service" "NotifyAccess" "all"
iniset -sudo $unitfile "Service" "RestartForceExitStatus" "100"
if [[ -n "$env_vars" ]] ; then
iniset -sudo $unitfile "Service" "Environment" "$env_vars"
fi
if [[ -n "$group" ]]; then
iniset -sudo $unitfile "Service" "Group" "$group"
fi
@@ -1535,10 +1661,14 @@ function _run_under_systemd {
local systemd_service="devstack@$service.service"
local group=$3
local user=${4:-$STACK_USER}
if [[ -z "$user" ]]; then
user=$STACK_USER
fi
local env_vars="$5"
if [[ "$command" =~ "uwsgi" ]] ; then
write_uwsgi_user_unit_file $systemd_service "$cmd" "$group" "$user"
write_uwsgi_user_unit_file $systemd_service "$cmd" "$group" "$user" "$env_vars"
else
write_user_unit_file $systemd_service "$cmd" "$group" "$user"
write_user_unit_file $systemd_service "$cmd" "$group" "$user" "$env_vars"
fi
$SYSTEMCTL enable $systemd_service
@@ -1559,18 +1689,20 @@ function is_running {
# If the command includes shell metachatacters (;<>*) it must be run using a shell
# If an optional group is provided sg will be used to run the
# command as that group.
# run_process service "command-line" [group] [user]
# run_process service "command-line" [group] [user] [env_vars]
# env_vars must be a space separated list of variable assigments, ie: "A=1 B=2"
function run_process {
local service=$1
local command="$2"
local group=$3
local user=$4
local env_vars="$5"
local name=$service
time_start "run_process"
if is_service_enabled $service; then
_run_under_systemd "$name" "$command" "$group" "$user"
_run_under_systemd "$name" "$command" "$group" "$user" "$env_vars"
fi
time_stop "run_process"
}
+3
View File
@@ -189,6 +189,9 @@ function iniset {
local option=$3
local value=$4
# Escape the ampersand character (&)
value=$(echo $value | sed -e 's/&/\\&/g')
if [[ -z $section || -z $option ]]; then
$xtrace
return
-4
View File
@@ -186,15 +186,11 @@ function pip_install {
$xtrace
# adding SETUPTOOLS_SYS_PATH_TECHNIQUE is a workaround to keep
# the same behaviour of setuptools before version 25.0.0.
# related issue: https://github.com/pypa/pip/issues/3874
$sudo_pip \
http_proxy="${http_proxy:-}" \
https_proxy="${https_proxy:-}" \
no_proxy="${no_proxy:-}" \
PIP_FIND_LINKS=$PIP_FIND_LINKS \
SETUPTOOLS_SYS_PATH_TECHNIQUE=rewrite \
$cmd_pip $upgrade \
$@
result=$?
+16 -16
View File
@@ -27,6 +27,11 @@ set +o xtrace
APACHE_USER=${APACHE_USER:-$STACK_USER}
APACHE_GROUP=${APACHE_GROUP:-$(id -gn $APACHE_USER)}
APACHE_LOCAL_HOST=$SERVICE_LOCAL_HOST
if [[ "$SERVICE_IP_VERSION" == 6 ]]; then
APACHE_LOCAL_HOST=[$APACHE_LOCAL_HOST]
fi
# Set up apache name and configuration directory
# Note that APACHE_CONF_DIR is really more accurately apache's vhost
@@ -82,19 +87,15 @@ function install_apache_uwsgi {
apxs="apxs"
fi
# This varies based on packaged/installed. If we've
# pip_installed, then the pip setup will only build a "python"
# module that will be either python2 or python3 depending on what
# it was built with.
#
# For package installs, the distro ships both plugins and you need
# to select the right one ... it will not be autodetected.
UWSGI_PYTHON_PLUGIN=python3
if is_ubuntu; then
local pkg_list="uwsgi uwsgi-plugin-python3 libapache2-mod-proxy-uwsgi"
install_package ${pkg_list}
elif is_fedora; then
# NOTE(ianw) 2022-02-03 : Fedora 35 needs to skip this and fall
# into the install-from-source because the upstream packages
# didn't fix Python 3.10 compatibility before release. Should be
# fixed in uwsgi 4.9.0; can remove this when packages available
# or we drop this release
elif is_fedora && ! [[ $DISTRO =~ f35 ]]; then
# Note httpd comes with mod_proxy_uwsgi and it is loaded by
# default; the mod_proxy_uwsgi package actually conflicts now.
# See:
@@ -122,7 +123,6 @@ function install_apache_uwsgi {
popd
# delete the temp directory
sudo rm -rf $dir
UWSGI_PYTHON_PLUGIN=python
fi
if is_ubuntu || is_suse ; then
@@ -283,7 +283,7 @@ function write_uwsgi_config {
# configured after graceful shutdown
iniset "$file" uwsgi worker-reload-mercy $WORKER_TIMEOUT
iniset "$file" uwsgi enable-threads true
iniset "$file" uwsgi plugins http,${UWSGI_PYTHON_PLUGIN}
iniset "$file" uwsgi plugins http,python3
# uwsgi recommends this to prevent thundering herd on accept.
iniset "$file" uwsgi thunder-lock true
# Set hook to trigger graceful shutdown on SIGTERM
@@ -303,7 +303,7 @@ function write_uwsgi_config {
apache_conf=$(apache_site_config_for $name)
iniset "$file" uwsgi socket "$socket"
iniset "$file" uwsgi chmod-socket 666
echo "ProxyPass \"${url}\" \"unix:${socket}|uwsgi://uwsgi-uds-${name}/\" retry=0 " | sudo tee -a $apache_conf
echo "ProxyPass \"${url}\" \"unix:${socket}|uwsgi://uwsgi-uds-${name}\" retry=0 " | sudo tee -a $apache_conf
enable_apache_site $name
restart_apache_server
fi
@@ -328,7 +328,7 @@ function write_local_uwsgi_http_config {
rm -rf $file
iniset "$file" uwsgi wsgi-file "$wsgi"
port=$(get_random_port)
iniset "$file" uwsgi http-socket "127.0.0.1:$port"
iniset "$file" uwsgi http-socket "$APACHE_LOCAL_HOST:$port"
iniset "$file" uwsgi processes $API_WORKERS
# This is running standalone
iniset "$file" uwsgi master true
@@ -336,7 +336,7 @@ function write_local_uwsgi_http_config {
iniset "$file" uwsgi die-on-term true
iniset "$file" uwsgi exit-on-reload false
iniset "$file" uwsgi enable-threads true
iniset "$file" uwsgi plugins http,${UWSGI_PYTHON_PLUGIN}
iniset "$file" uwsgi plugins http,python3
# uwsgi recommends this to prevent thundering herd on accept.
iniset "$file" uwsgi thunder-lock true
# Set hook to trigger graceful shutdown on SIGTERM
@@ -364,7 +364,7 @@ function write_local_uwsgi_http_config {
apache_conf=$(apache_site_config_for $name)
echo "KeepAlive Off" | sudo tee $apache_conf
echo "SetEnv proxy-sendchunked 1" | sudo tee -a $apache_conf
echo "ProxyPass \"${url}\" \"http://127.0.0.1:$port\" retry=0 " | sudo tee -a $apache_conf
echo "ProxyPass \"${url}\" \"http://$APACHE_LOCAL_HOST:$port\" retry=0 " | sudo tee -a $apache_conf
enable_apache_site $name
restart_apache_server
}
+51 -22
View File
@@ -91,6 +91,8 @@ CINDER_VOLUME_CLEAR=$(echo ${CINDER_VOLUME_CLEAR} | tr '[:upper:]' '[:lower:]')
# Default to lioadm
CINDER_ISCSI_HELPER=${CINDER_ISCSI_HELPER:-lioadm}
VOLUME_TYPE_MULTIATTACH=${VOLUME_TYPE_MULTIATTACH:-multiattach}
# EL and SUSE should only use lioadm
if is_fedora || is_suse; then
if [[ ${CINDER_ISCSI_HELPER} != "lioadm" ]]; then
@@ -286,6 +288,11 @@ function configure_cinder {
iniset $CINDER_CONF DEFAULT allowed_direct_url_schemes $CINDER_ALLOWED_DIRECT_URL_SCHEMES
fi
# set default quotas
iniset $CINDER_CONF DEFAULT quota_volumes ${CINDER_QUOTA_VOLUMES:-10}
iniset $CINDER_CONF DEFAULT quota_backups ${CINDER_QUOTA_BACKUPS:-10}
iniset $CINDER_CONF DEFAULT quota_snapshots ${CINDER_QUOTA_SNAPSHOTS:-10}
# Avoid RPC timeouts in slow CI and test environments by doubling the
# default response timeout set by RPC clients. See bug #1873234 for more
# details and example failures.
@@ -348,7 +355,9 @@ function configure_cinder {
# Format logging
setup_logging $CINDER_CONF $CINDER_USE_MOD_WSGI
write_uwsgi_config "$CINDER_UWSGI_CONF" "$CINDER_UWSGI" "/volume"
if is_service_enabled c-api; then
write_uwsgi_config "$CINDER_UWSGI_CONF" "$CINDER_UWSGI" "/volume"
fi
if [[ -r $CINDER_PLUGINS/$CINDER_DRIVER ]]; then
configure_cinder_driver
@@ -373,7 +382,7 @@ function configure_cinder {
iniset $CINDER_CONF coordination backend_url "etcd3+http://${SERVICE_HOST}:$ETCD_PORT"
fi
if [[ "$CINDER_ENFORCE_SCOPE" == True ]] ; then
if [[ "$CINDER_ENFORCE_SCOPE" == True || "$ENFORCE_SCOPE" == True ]] ; then
iniset $CINDER_CONF oslo_policy enforce_scope true
iniset $CINDER_CONF oslo_policy enforce_new_defaults true
fi
@@ -381,16 +390,24 @@ function configure_cinder {
# create_cinder_accounts() - Set up common required cinder accounts
# Tenant User Roles
# Project User Roles
# ------------------------------------------------------------------
# service cinder admin # if enabled
# SERVICE_PROJECT_NAME cinder service
# SERVICE_PROJECT_NAME cinder creator (if Barbican is enabled)
# Migrated from keystone_data.sh
function create_cinder_accounts {
# Cinder
if [[ "$ENABLED_SERVICES" =~ "c-api" ]]; then
create_service_user "cinder"
local extra_role=""
# cinder needs the "creator" role in order to interact with barbican
if is_service_enabled barbican; then
extra_role=$(get_or_create_role "creator")
fi
create_service_user "cinder" $extra_role
# block-storage is the official service type
get_or_create_service "cinder" "block-storage" "Cinder Volume Service"
@@ -440,10 +457,6 @@ function init_cinder {
be_type=${be%%:*}
be_name=${be##*:}
if type init_cinder_backend_${be_type} >/dev/null 2>&1; then
# Always init the default volume group for lvm.
if [[ "$be_type" == "lvm" ]]; then
init_default_lvm_volume_group
fi
init_cinder_backend_${be_type} ${be_name}
fi
done
@@ -549,8 +562,13 @@ function start_cinder {
fi
run_process c-sch "$CINDER_BIN_DIR/cinder-scheduler --config-file $CINDER_CONF"
run_process c-bak "$CINDER_BIN_DIR/cinder-backup --config-file $CINDER_CONF"
run_process c-vol "$CINDER_BIN_DIR/cinder-volume --config-file $CINDER_CONF"
# Tune glibc for Python Services using single malloc arena for all threads
# and disabling dynamic thresholds to reduce memory usage when using native
# threads directly or via eventlet.tpool
# https://www.gnu.org/software/libc/manual/html_node/Memory-Allocation-Tunables.html
malloc_tuning="MALLOC_ARENA_MAX=1 MALLOC_MMAP_THRESHOLD_=131072 MALLOC_TRIM_THRESHOLD_=262144"
run_process c-bak "$CINDER_BIN_DIR/cinder-backup --config-file $CINDER_CONF" "" "" "$malloc_tuning"
run_process c-vol "$CINDER_BIN_DIR/cinder-volume --config-file $CINDER_CONF" "" "" "$malloc_tuning"
# NOTE(jdg): For cinder, startup order matters. To ensure that repor_capabilities is received
# by the scheduler start the cinder-volume service last (or restart it) after the scheduler
@@ -565,6 +583,23 @@ function stop_cinder {
stop_process c-vol
}
function create_one_type {
type_name=$1
property_key=$2
property_value=$3
# NOTE (e0ne): openstack client doesn't work with cinder in noauth mode
if is_service_enabled keystone; then
openstack --os-region-name="$REGION_NAME" volume type create --property $property_key="$property_value" $type_name
else
# TODO (e0ne): use openstack client once it will support cinder in noauth mode:
# https://bugs.launchpad.net/python-cinderclient/+bug/1755279
local cinder_url
cinder_url=$CINDER_SERVICE_PROTOCOL://$SERVICE_HOST:$CINDER_SERVICE_PORT/v3
OS_USER_ID=$OS_USERNAME OS_PROJECT_ID=$OS_PROJECT_NAME cinder --os-auth-type noauth --os-endpoint=$cinder_url type-create $type_name
OS_USER_ID=$OS_USERNAME OS_PROJECT_ID=$OS_PROJECT_NAME cinder --os-auth-type noauth --os-endpoint=$cinder_url type-key $type_name set $property_key="$property_value"
fi
}
# create_volume_types() - Create Cinder's configured volume types
function create_volume_types {
# Create volume types
@@ -572,19 +607,13 @@ function create_volume_types {
local be be_name
for be in ${CINDER_ENABLED_BACKENDS//,/ }; do
be_name=${be##*:}
# NOTE (e0ne): openstack client doesn't work with cinder in noauth mode
if is_service_enabled keystone; then
openstack --os-region-name="$REGION_NAME" volume type create --property volume_backend_name="${be_name}" ${be_name}
else
# TODO (e0ne): use openstack client once it will support cinder in noauth mode:
# https://bugs.launchpad.net/python-cinderclient/+bug/1755279
local cinder_url
cinder_url=$CINDER_SERVICE_PROTOCOL://$SERVICE_HOST:$CINDER_SERVICE_PORT/v3
OS_USER_ID=$OS_USERNAME OS_PROJECT_ID=$OS_PROJECT_NAME cinder --os-auth-type noauth --os-endpoint=$cinder_url type-create ${be_name}
OS_USER_ID=$OS_USERNAME OS_PROJECT_ID=$OS_PROJECT_NAME cinder --os-auth-type noauth --os-endpoint=$cinder_url type-key ${be_name} set volume_backend_name=${be_name}
fi
create_one_type $be_name "volume_backend_name" $be_name
done
if [[ $ENABLE_VOLUME_MULTIATTACH == "True" ]]; then
create_one_type $VOLUME_TYPE_MULTIATTACH $VOLUME_TYPE_MULTIATTACH "<is> True"
fi
# Increase quota for the service project if glance is using cinder,
# since it's likely to occasionally go above the default 10 in parallel
# test execution.
+8 -5
View File
@@ -26,12 +26,15 @@ CINDER_BAK_CEPH_USER=${CINDER_BAK_CEPH_USER:-cinder-bak}
function configure_cinder_backup_ceph {
sudo ceph -c ${CEPH_CONF_FILE} osd pool create ${CINDER_BAK_CEPH_POOL} ${CINDER_BAK_CEPH_POOL_PG} ${CINDER_BAK_CEPH_POOL_PGP}
if [[ "$REMOTE_CEPH" = "False" && "$CEPH_REPLICAS" -ne 1 ]]; then
sudo ceph -c ${CEPH_CONF_FILE} osd pool set ${CINDER_BAK_CEPH_POOL} crush_ruleset ${RULE_ID}
# Execute this part only when cephadm is not used
if [[ "$CEPHADM_DEPLOY" = "False" ]]; then
sudo ceph -c ${CEPH_CONF_FILE} osd pool create ${CINDER_BAK_CEPH_POOL} ${CINDER_BAK_CEPH_POOL_PG} ${CINDER_BAK_CEPH_POOL_PGP}
if [[ "$REMOTE_CEPH" = "False" && "$CEPH_REPLICAS" -ne 1 ]]; then
sudo ceph -c ${CEPH_CONF_FILE} osd pool set ${CINDER_BAK_CEPH_POOL} crush_ruleset ${RULE_ID}
fi
sudo ceph -c ${CEPH_CONF_FILE} auth get-or-create client.${CINDER_BAK_CEPH_USER} mon "allow r" osd "allow class-read object_prefix rbd_children, allow rwx pool=${CINDER_BAK_CEPH_POOL}, allow rwx pool=${CINDER_CEPH_POOL}" | sudo tee ${CEPH_CONF_DIR}/ceph.client.${CINDER_BAK_CEPH_USER}.keyring
sudo chown $(whoami):$(whoami) ${CEPH_CONF_DIR}/ceph.client.${CINDER_BAK_CEPH_USER}.keyring
fi
sudo ceph -c ${CEPH_CONF_FILE} auth get-or-create client.${CINDER_BAK_CEPH_USER} mon "allow r" osd "allow class-read object_prefix rbd_children, allow rwx pool=${CINDER_BAK_CEPH_POOL}, allow rwx pool=${CINDER_CEPH_POOL}" | sudo tee ${CEPH_CONF_DIR}/ceph.client.${CINDER_BAK_CEPH_USER}.keyring
sudo chown $(whoami):$(whoami) ${CEPH_CONF_DIR}/ceph.client.${CINDER_BAK_CEPH_USER}.keyring
iniset $CINDER_CONF DEFAULT backup_driver "cinder.backup.drivers.ceph.CephBackupDriver"
iniset $CINDER_CONF DEFAULT backup_ceph_conf "$CEPH_CONF_FILE"
+3
View File
@@ -24,6 +24,9 @@ function configure_cinder_backup_swift {
# to use it.
iniset $CINDER_CONF DEFAULT backup_driver "cinder.backup.drivers.swift.SwiftBackupDriver"
iniset $CINDER_CONF DEFAULT backup_swift_url "$SWIFT_SERVICE_PROTOCOL://$SERVICE_HOST:$SWIFT_DEFAULT_BIND_PORT/v1/AUTH_"
if is_service_enabled tls-proxy; then
iniset $CINDER_CONF DEFAULT backup_swift_ca_cert_file $SSL_BUNDLE_FILE
fi
}
# init_cinder_backup_swift: nothing to do
+4 -2
View File
@@ -89,6 +89,10 @@ function initialize_database_backends {
DATABASE_PASSWORD=$MYSQL_PASSWORD
fi
return 0
}
function define_database_baseurl {
# We configure Nova, Horizon, Glance and Keystone to use MySQL as their
# database server. While they share a single server, each has their own
# database and tables.
@@ -100,8 +104,6 @@ function initialize_database_backends {
# NOTE: Don't specify ``/db`` in this string so we can use it for multiple services
BASE_SQL_CONN=${BASE_SQL_CONN:-$(get_database_type_$DATABASE_TYPE)://$DATABASE_USER:$DATABASE_PASSWORD@$DATABASE_HOST}
return 0
}
# Recreate a given database
+61 -19
View File
@@ -12,6 +12,7 @@ _XTRACE_DB_MYSQL=$(set +o | grep xtrace)
set +o xtrace
MYSQL_DRIVER=${MYSQL_DRIVER:-PyMySQL}
INSTALL_DATABASE_SERVER_PACKAGES=$(trueorfalse True INSTALL_DATABASE_SERVER_PACKAGES)
register_database mysql
@@ -25,6 +26,8 @@ if [[ -z "$MYSQL_SERVICE_NAME" ]]; then
# provide a mysql.service symlink for backwards-compatibility, but
# let's not rely on that.
MYSQL_SERVICE_NAME=mariadb
elif [[ "$DISTRO" == "bullseye" ]]; then
MYSQL_SERVICE_NAME=mariadb
fi
fi
@@ -83,10 +86,16 @@ function configure_database_mysql {
exit_distro_not_supported "mysql configuration"
fi
# Start mysql-server
# Change bind-address from localhost (127.0.0.1) to any (::)
iniset -sudo $my_conf mysqld bind-address "$(ipv6_unquote $SERVICE_LISTEN_ADDRESS)"
# (Re)Start mysql-server
if is_fedora || is_suse; then
# service is not started by default
start_service $MYSQL_SERVICE_NAME
elif is_ubuntu; then
# required since bind-address could have changed above
restart_service $MYSQL_SERVICE_NAME
fi
# Set the root password - only works the first time. For Ubuntu, we already
@@ -99,13 +108,13 @@ function configure_database_mysql {
if is_ubuntu && [ "$MYSQL_SERVICE_NAME" == "mariadb" ]; then
local cmd_args="-uroot -p$DATABASE_PASSWORD "
else
local cmd_args="-uroot -p$DATABASE_PASSWORD -h127.0.0.1 "
local cmd_args="-uroot -p$DATABASE_PASSWORD -h$SERVICE_LOCAL_HOST "
fi
# In mariadb e.g. on Ubuntu socket plugin is used for authentication
# as root so it works only as sudo. To restore old "mysql like" behaviour,
# we need to change auth plugin for root user
if is_ubuntu && [ "$MYSQL_SERVICE_NAME" == "mariadb" ]; then
if is_ubuntu && [[ "$DISTRO" != "bullseye" ]] && [ "$MYSQL_SERVICE_NAME" == "mariadb" ]; then
sudo mysql $cmd_args -e "UPDATE mysql.user SET plugin='' WHERE user='$DATABASE_USER' AND host='localhost';"
sudo mysql $cmd_args -e "FLUSH PRIVILEGES;"
fi
@@ -116,9 +125,7 @@ function configure_database_mysql {
# Now update ``my.cnf`` for some local needs and restart the mysql service
# Change bind-address from localhost (127.0.0.1) to any (::) and
# set default db type to InnoDB
iniset -sudo $my_conf mysqld bind-address "$(ipv6_unquote $SERVICE_LISTEN_ADDRESS)"
# Set default db type to InnoDB
iniset -sudo $my_conf mysqld sql_mode TRADITIONAL
iniset -sudo $my_conf mysqld default-storage-engine InnoDB
iniset -sudo $my_conf mysqld max_connections 1024
@@ -143,6 +150,29 @@ function configure_database_mysql {
iniset -sudo $my_conf mysqld log-queries-not-using-indexes 1
fi
if [[ "$MYSQL_GATHER_PERFORMANCE" == "True" ]]; then
echo "enabling MySQL performance counting"
# Install our sqlalchemy plugin
pip_install ${TOP_DIR}/tools/dbcounter
# Create our stats database for accounting
recreate_database stats
mysql -u $DATABASE_USER -p$DATABASE_PASSWORD -h $MYSQL_HOST -e \
"CREATE TABLE queries (db VARCHAR(32), op VARCHAR(32),
count INT, PRIMARY KEY (db, op)) ENGINE MEMORY" stats
fi
if [[ "$MYSQL_REDUCE_MEMORY" == "True" ]]; then
iniset -sudo $my_conf mysqld read_buffer_size 64K
iniset -sudo $my_conf mysqld innodb_buffer_pool_size 16M
iniset -sudo $my_conf mysqld thread_stack 192K
iniset -sudo $my_conf mysqld thread_cache_size 8
iniset -sudo $my_conf mysqld tmp_table_size 8M
iniset -sudo $my_conf mysqld sort_buffer_size 8M
iniset -sudo $my_conf mysqld max_allowed_packet 8M
fi
restart_service $MYSQL_SERVICE_NAME
}
@@ -173,18 +203,20 @@ EOF
chmod 0600 $HOME/.my.cnf
fi
# Install mysql-server
if is_oraclelinux; then
install_package mysql-community-server
elif is_fedora; then
install_package mariadb-server mariadb-devel
sudo systemctl enable $MYSQL_SERVICE_NAME
elif is_suse; then
install_package mariadb-server
sudo systemctl enable $MYSQL_SERVICE_NAME
elif is_ubuntu; then
install_package $MYSQL_SERVICE_NAME-server
else
exit_distro_not_supported "mysql installation"
if [[ "$INSTALL_DATABASE_SERVER_PACKAGES" == "True" ]]; then
if is_oraclelinux; then
install_package mysql-community-server
elif is_fedora; then
install_package mariadb-server mariadb-devel mariadb
sudo systemctl enable $MYSQL_SERVICE_NAME
elif is_suse; then
install_package mariadb-server
sudo systemctl enable $MYSQL_SERVICE_NAME
elif is_ubuntu; then
install_package $MYSQL_SERVICE_NAME-server
else
exit_distro_not_supported "mysql installation"
fi
fi
}
@@ -200,7 +232,17 @@ function install_database_python_mysql {
function database_connection_url_mysql {
local db=$1
echo "$BASE_SQL_CONN/$db?charset=utf8"
local plugin
# NOTE(danms): We don't enable perf on subnodes yet because the
# plugin is not installed there
if [[ "$MYSQL_GATHER_PERFORMANCE" == "True" ]]; then
if is_service_enabled mysql; then
plugin="&plugin=dbcounter"
fi
fi
echo "$BASE_SQL_CONN/$db?charset=utf8$plugin"
}
+11 -10
View File
@@ -13,7 +13,7 @@ set +o xtrace
MAX_DB_CONNECTIONS=${MAX_DB_CONNECTIONS:-200}
INSTALL_DATABASE_SERVER_PACKAGES=$(trueorfalse True INSTALL_DATABASE_SERVER_PACKAGES)
register_database postgresql
@@ -95,7 +95,6 @@ function configure_database_postgresql {
function install_database_postgresql {
echo_summary "Installing postgresql"
deprecated "Use of postgresql in devstack is deprecated, and will be removed during the Pike cycle"
local pgpass=$HOME/.pgpass
if [[ ! -e $pgpass ]]; then
cat <<EOF > $pgpass
@@ -105,15 +104,17 @@ EOF
else
sed -i "s/:root:\w\+/:root:$DATABASE_PASSWORD/" $pgpass
fi
if is_ubuntu; then
install_package postgresql
elif is_fedora || is_suse; then
install_package postgresql-server
if is_fedora; then
sudo systemctl enable postgresql
if [[ "$INSTALL_DATABASE_SERVER_PACKAGES" == "True" ]]; then
if is_ubuntu; then
install_package postgresql
elif is_fedora || is_suse; then
install_package postgresql-server
if is_fedora; then
sudo systemctl enable postgresql
fi
else
exit_distro_not_supported "postgresql installation"
fi
else
exit_distro_not_supported "postgresql installation"
fi
}
+15 -22
View File
@@ -288,24 +288,17 @@ function configure_glance_store {
function configure_glance_quotas {
# NOTE(danms): We need to have some of the OS_ things unset in
# order to use system scope, which is required for creating these
# limits. This is a hack, but I dunno how else to get osc to use
# system scope.
# Registered limit resources in keystone are system-specific resources.
# Make sure we use a system-scoped token to interact with this API.
bash -c "unset OS_USERNAME OS_TENANT_NAME OS_PROJECT_NAME;
openstack --os-cloud devstack-system-admin registered limit create \
--service glance --default-limit $GLANCE_LIMIT_IMAGE_SIZE_TOTAL \
--region $REGION_NAME image_size_total; \
openstack --os-cloud devstack-system-admin registered limit create \
--service glance --default-limit $GLANCE_LIMIT_IMAGE_SIZE_TOTAL \
--region $REGION_NAME image_stage_total; \
openstack --os-cloud devstack-system-admin registered limit create \
--service glance --default-limit 100 --region $REGION_NAME \
image_count_total; \
openstack --os-cloud devstack-system-admin registered limit create \
--service glance --default-limit 100 --region $REGION_NAME \
image_count_uploading"
openstack --os-cloud devstack-system-admin registered limit create --service glance \
--default-limit $GLANCE_LIMIT_IMAGE_SIZE_TOTAL --region $REGION_NAME image_size_total
openstack --os-cloud devstack-system-admin registered limit create --service glance \
--default-limit $GLANCE_LIMIT_IMAGE_SIZE_TOTAL --region $REGION_NAME image_stage_total
openstack --os-cloud devstack-system-admin registered limit create --service glance \
--default-limit 100 --region $REGION_NAME image_count_total
openstack --os-cloud devstack-system-admin registered limit create --service glance \
--default-limit 100 --region $REGION_NAME image_count_uploading
# Tell glance to use these limits
iniset $GLANCE_API_CONF DEFAULT use_keystone_limits True
@@ -316,13 +309,13 @@ function configure_glance_quotas {
iniset $GLANCE_API_CONF oslo_limit username glance
iniset $GLANCE_API_CONF oslo_limit auth_type password
iniset $GLANCE_API_CONF oslo_limit auth_url $KEYSTONE_SERVICE_URI
iniset $GLANCE_API_CONF oslo_limit system_scope "'all'"
iniset $GLANCE_API_CONF oslo_limit system_scope all
iniset $GLANCE_API_CONF oslo_limit endpoint_id \
$(openstack endpoint list --service glance -f value -c ID)
$(openstack --os-cloud devstack-system-admin endpoint list --service glance -f value -c ID)
# Allow the glance service user to read quotas
openstack role add --user glance --user-domain Default --system all \
reader
openstack --os-cloud devstack-system-admin role add --user glance \
--user-domain $SERVICE_DOMAIN_NAME --system all reader
}
# configure_glance() - Set config files, create data dirs, etc
@@ -439,7 +432,7 @@ function configure_glance {
iniset $GLANCE_API_CONF DEFAULT workers "$API_WORKERS"
fi
if [[ "$GLANCE_ENFORCE_SCOPE" == True ]] ; then
if [[ "$GLANCE_ENFORCE_SCOPE" == True || "$ENFORCE_SCOPE" == True ]] ; then
iniset $GLANCE_API_CONF oslo_policy enforce_scope true
iniset $GLANCE_API_CONF oslo_policy enforce_new_defaults true
iniset $GLANCE_API_CONF DEFAULT enforce_secure_rbac true
+77 -43
View File
@@ -9,7 +9,6 @@
# - ``tls`` file
# - ``DEST``, ``STACK_USER``
# - ``FILES``
# - ``IDENTITY_API_VERSION``
# - ``BASE_SQL_CONN``
# - ``SERVICE_HOST``, ``SERVICE_PROTOCOL``
# - ``S3_SERVICE_PORT`` (template backend only)
@@ -50,9 +49,7 @@ fi
KEYSTONE_CONF_DIR=${KEYSTONE_CONF_DIR:-/etc/keystone}
KEYSTONE_CONF=$KEYSTONE_CONF_DIR/keystone.conf
KEYSTONE_PUBLIC_UWSGI_CONF=$KEYSTONE_CONF_DIR/keystone-uwsgi-public.ini
KEYSTONE_ADMIN_UWSGI_CONF=$KEYSTONE_CONF_DIR/keystone-uwsgi-admin.ini
KEYSTONE_PUBLIC_UWSGI=$KEYSTONE_BIN_DIR/keystone-wsgi-public
KEYSTONE_ADMIN_UWSGI=$KEYSTONE_BIN_DIR/keystone-wsgi-admin
# KEYSTONE_DEPLOY defines how keystone is deployed, allowed values:
# - mod_wsgi : Run keystone under Apache HTTPd mod_wsgi
@@ -81,21 +78,12 @@ KEYSTONE_RESOURCE_BACKEND=${KEYSTONE_RESOURCE_BACKEND:-sql}
KEYSTONE_TOKEN_FORMAT=${KEYSTONE_TOKEN_FORMAT:-fernet}
KEYSTONE_TOKEN_FORMAT=$(echo ${KEYSTONE_TOKEN_FORMAT} | tr '[:upper:]' '[:lower:]')
# Set Keystone interface configuration
KEYSTONE_AUTH_HOST=${KEYSTONE_AUTH_HOST:-$SERVICE_HOST}
KEYSTONE_AUTH_PORT=${KEYSTONE_AUTH_PORT:-35357}
KEYSTONE_AUTH_PORT_INT=${KEYSTONE_AUTH_PORT_INT:-35358}
KEYSTONE_AUTH_PROTOCOL=${KEYSTONE_AUTH_PROTOCOL:-$SERVICE_PROTOCOL}
# Public facing bits
KEYSTONE_SERVICE_HOST=${KEYSTONE_SERVICE_HOST:-$SERVICE_HOST}
KEYSTONE_SERVICE_PORT=${KEYSTONE_SERVICE_PORT:-5000}
KEYSTONE_SERVICE_PORT_INT=${KEYSTONE_SERVICE_PORT_INT:-5001}
KEYSTONE_SERVICE_PROTOCOL=${KEYSTONE_SERVICE_PROTOCOL:-$SERVICE_PROTOCOL}
# Bind hosts
KEYSTONE_ADMIN_BIND_HOST=${KEYSTONE_ADMIN_BIND_HOST:-$KEYSTONE_SERVICE_HOST}
# Set the project for service accounts in Keystone
SERVICE_DOMAIN_NAME=${SERVICE_DOMAIN_NAME:-Default}
SERVICE_PROJECT_NAME=${SERVICE_PROJECT_NAME:-service}
@@ -106,7 +94,6 @@ SERVICE_TENANT_NAME=${SERVICE_PROJECT_NAME:-service}
# if we are running with SSL use https protocols
if is_service_enabled tls-proxy; then
KEYSTONE_AUTH_PROTOCOL="https"
KEYSTONE_SERVICE_PROTOCOL="https"
fi
@@ -134,6 +121,15 @@ KEYSTONE_PASSWORD_HASH_ROUNDS=${KEYSTONE_PASSWORD_HASH_ROUNDS:-4}
# Cache settings
KEYSTONE_ENABLE_CACHE=${KEYSTONE_ENABLE_CACHE:-True}
# Whether to create a keystone admin endpoint for legacy applications
KEYSTONE_ADMIN_ENDPOINT=$(trueorfalse False KEYSTONE_ADMIN_ENDPOINT)
# Flag to set the oslo_policy.enforce_scope. This is used to switch
# the Identity API policies to start checking the scope of token. By Default,
# this flag is False.
# For more detail: https://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo_policy.enforce_scope
KEYSTONE_ENFORCE_SCOPE=$(trueorfalse False KEYSTONE_ENFORCE_SCOPE)
# Functions
# ---------
@@ -154,11 +150,8 @@ function cleanup_keystone {
sudo rm -f $(apache_site_config_for keystone)
else
stop_process "keystone"
# TODO: remove admin at pike-2
remove_uwsgi_config "$KEYSTONE_PUBLIC_UWSGI_CONF" "$KEYSTONE_PUBLIC_UWSGI"
remove_uwsgi_config "$KEYSTONE_ADMIN_UWSGI_CONF" "$KEYSTONE_ADMIN_UWSGI"
sudo rm -f $(apache_site_config_for keystone-wsgi-public)
sudo rm -f $(apache_site_config_for keystone-wsgi-admin)
fi
}
@@ -171,12 +164,10 @@ function _config_keystone_apache_wsgi {
local keystone_certfile=""
local keystone_keyfile=""
local keystone_service_port=$KEYSTONE_SERVICE_PORT
local keystone_auth_port=$KEYSTONE_AUTH_PORT
local venv_path=""
if is_service_enabled tls-proxy; then
keystone_service_port=$KEYSTONE_SERVICE_PORT_INT
keystone_auth_port=$KEYSTONE_AUTH_PORT_INT
fi
if [[ ${USE_VENV} = True ]]; then
venv_path="python-path=${PROJECT_VENV["keystone"]}/lib/$(python_version)/site-packages"
@@ -185,7 +176,6 @@ function _config_keystone_apache_wsgi {
sudo cp $FILES/apache-keystone.template $keystone_apache_conf
sudo sed -e "
s|%PUBLICPORT%|$keystone_service_port|g;
s|%ADMINPORT%|$keystone_auth_port|g;
s|%APACHE_NAME%|$APACHE_NAME|g;
s|%SSLLISTEN%|$keystone_ssl_listen|g;
s|%SSLENGINE%|$keystone_ssl|g;
@@ -223,22 +213,17 @@ function configure_keystone {
iniset_rpc_backend keystone $KEYSTONE_CONF oslo_messaging_notifications
local service_port=$KEYSTONE_SERVICE_PORT
local auth_port=$KEYSTONE_AUTH_PORT
if is_service_enabled tls-proxy; then
# Set the service ports for a proxy to take the originals
service_port=$KEYSTONE_SERVICE_PORT_INT
auth_port=$KEYSTONE_AUTH_PORT_INT
fi
# Override the endpoints advertised by keystone (the public_endpoint and
# admin_endpoint) so that clients use the correct endpoint. By default, the
# keystone server uses the public_port and admin_port which isn't going to
# work when you want to use a different port (in the case of proxy), or you
# don't want the port (in the case of putting keystone on a path in
# apache).
# Override the endpoints advertised by keystone so that clients use the correct
# endpoint. By default, the keystone server uses the public_port which isn't
# going to work when you want to use a different port (in the case of proxy),
# or you don't want the port (in the case of putting keystone on a path in apache).
iniset $KEYSTONE_CONF DEFAULT public_endpoint $KEYSTONE_SERVICE_URI
iniset $KEYSTONE_CONF DEFAULT admin_endpoint $KEYSTONE_AUTH_URI
if [[ "$KEYSTONE_TOKEN_FORMAT" != "" ]]; then
iniset $KEYSTONE_CONF token provider $KEYSTONE_TOKEN_FORMAT
@@ -261,7 +246,6 @@ function configure_keystone {
_config_keystone_apache_wsgi
else # uwsgi
write_uwsgi_config "$KEYSTONE_PUBLIC_UWSGI_CONF" "$KEYSTONE_PUBLIC_UWSGI" "/identity"
write_uwsgi_config "$KEYSTONE_ADMIN_UWSGI_CONF" "$KEYSTONE_ADMIN_UWSGI" "/identity_admin"
fi
iniset $KEYSTONE_CONF DEFAULT max_token_size 16384
@@ -281,6 +265,11 @@ function configure_keystone {
iniset $KEYSTONE_CONF security_compliance lockout_duration $KEYSTONE_LOCKOUT_DURATION
iniset $KEYSTONE_CONF security_compliance unique_last_password_count $KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT
fi
if [[ "$KEYSTONE_ENFORCE_SCOPE" == True || "$ENFORCE_SCOPE" == True ]] ; then
iniset $KEYSTONE_CONF oslo_policy enforce_scope true
iniset $KEYSTONE_CONF oslo_policy enforce_new_defaults true
iniset $KEYSTONE_CONF oslo_policy policy_file policy.yaml
fi
}
# create_keystone_accounts() - Sets up common required keystone accounts
@@ -303,20 +292,28 @@ function configure_keystone {
# admins admin admin admin
# nonadmins demo, alt_demo member, anotherrole demo, alt_demo
# System User Roles
# ------------------------------------------------------------------
# all admin admin
# all system_reader reader
# all system_member member
# Migrated from keystone_data.sh
function create_keystone_accounts {
# The keystone bootstrapping process (performed via keystone-manage
# bootstrap) creates an admin user, admin role, member role, and admin
# bootstrap) creates an admin user and an admin
# project. As a sanity check we exercise the CLI to retrieve the IDs for
# these values.
local admin_project
admin_project=$(openstack project show "admin" -f value -c id)
local admin_user
admin_user=$(openstack user show "admin" -f value -c id)
# These roles are also created during bootstrap but we don't need their IDs
local admin_role="admin"
local member_role="member"
local reader_role="reader"
async_run ks-domain-role get_or_add_user_domain_role $admin_role $admin_user default
@@ -352,21 +349,53 @@ function create_keystone_accounts {
async_wait ks-{domain-role,domain,project,service,reseller,anotherrole}
async_run ks-demo-member get_or_add_user_project_role $member_role $demo_user $demo_project
async_run ks-demo-admin get_or_add_user_project_role $admin_role $admin_user $demo_project
async_run ks-demo-another get_or_add_user_project_role $another_role $demo_user $demo_project
async_run ks-demo-invis get_or_add_user_project_role $member_role $demo_user $invis_project
# alt_demo
# Create a user to act as a reader on project demo
local demo_reader
demo_reader=$(get_or_create_user "demo_reader" \
"$ADMIN_PASSWORD" "default" "demo_reader@example.com")
async_run ks-demo-reader get_or_add_user_project_role $reader_role $demo_reader $demo_project
# Create a different project called alt_demo
local alt_demo_project
alt_demo_project=$(get_or_create_project "alt_demo" default)
# Create a user to act as member, admin and anotherrole on project alt_demo
local alt_demo_user
alt_demo_user=$(get_or_create_user "alt_demo" \
"$ADMIN_PASSWORD" "default" "alt_demo@example.com")
async_run ks-alt-member get_or_add_user_project_role $member_role $alt_demo_user $alt_demo_project
async_run ks-alt-admin get_or_add_user_project_role $admin_role $admin_user $alt_demo_project
async_run ks-alt-admin get_or_add_user_project_role $admin_role $alt_demo_user $alt_demo_project
async_run ks-alt-another get_or_add_user_project_role $another_role $alt_demo_user $alt_demo_project
# Create another user to act as a member on project alt_demo
local alt_demo_member
alt_demo_member=$(get_or_create_user "alt_demo_member" \
"$ADMIN_PASSWORD" "default" "alt_demo_member@example.com")
async_run ks-alt-member-user get_or_add_user_project_role $member_role $alt_demo_member $alt_demo_project
# Create another user to act as a reader on project alt_demo
local alt_demo_reader
alt_demo_reader=$(get_or_create_user "alt_demo_reader" \
"$ADMIN_PASSWORD" "default" "alt_demo_reader@example.com")
async_run ks-alt-reader-user get_or_add_user_project_role $reader_role $alt_demo_reader $alt_demo_project
# Create two users, give one the member role on the system and the other the
# reader role on the system. These two users model system-member and
# system-reader personas. The admin user already has the admin role on the
# system and we can re-use this user as a system-admin.
system_member_user=$(get_or_create_user "system_member" \
"$ADMIN_PASSWORD" "default" "system_member@example.com")
async_run ks-system-member get_or_add_user_system_role $member_role $system_member_user "all"
system_reader_user=$(get_or_create_user "system_reader" \
"$ADMIN_PASSWORD" "default" "system_reader@example.com")
async_run ks-system-reader get_or_add_user_system_role $reader_role $system_reader_user "all"
# groups
local admin_group
admin_group=$(get_or_create_group "admins" \
@@ -381,8 +410,9 @@ function create_keystone_accounts {
async_run ks-group-anotheralt get_or_add_group_project_role $another_role $non_admin_group $alt_demo_project
async_run ks-group-admin get_or_add_group_project_role $admin_role $admin_group $admin_project
async_wait ks-demo-{member,admin,another,invis}
async_wait ks-alt-{member,admin,another}
async_wait ks-demo-{member,admin,another,invis,reader}
async_wait ks-alt-{admin,another,member-user,reader-user}
async_wait ks-system-{member,reader}
async_wait ks-group-{memberdemo,anotherdemo,memberalt,anotheralt,admin}
if is_service_enabled ldap; then
@@ -518,7 +548,7 @@ function install_keystone {
function start_keystone {
# Get right service port for testing
local service_port=$KEYSTONE_SERVICE_PORT
local auth_protocol=$KEYSTONE_AUTH_PROTOCOL
local auth_protocol=$KEYSTONE_SERVICE_PROTOCOL
if is_service_enabled tls-proxy; then
service_port=$KEYSTONE_SERVICE_PORT_INT
auth_protocol="http"
@@ -537,7 +567,7 @@ function start_keystone {
# unencryted traffic at this point.
# If running in Apache, use the path rather than port.
local service_uri=$auth_protocol://$KEYSTONE_SERVICE_HOST/identity/v$IDENTITY_API_VERSION/
local service_uri=$auth_protocol://$KEYSTONE_SERVICE_HOST/identity/v3/
if ! wait_for_service $SERVICE_TIMEOUT $service_uri; then
die $LINENO "keystone did not start"
@@ -546,7 +576,6 @@ function start_keystone {
# Start proxies if enabled
if is_service_enabled tls-proxy; then
start_tls_proxy keystone-service '*' $KEYSTONE_SERVICE_PORT $KEYSTONE_SERVICE_HOST $KEYSTONE_SERVICE_PORT_INT
start_tls_proxy keystone-auth '*' $KEYSTONE_AUTH_PORT $KEYSTONE_AUTH_HOST $KEYSTONE_AUTH_PORT_INT
fi
# (re)start memcached to make sure we have a clean memcache.
@@ -567,11 +596,8 @@ function stop_keystone {
# This function uses the following GLOBAL variables:
# - ``KEYSTONE_BIN_DIR``
# - ``ADMIN_PASSWORD``
# - ``IDENTITY_API_VERSION``
# - ``REGION_NAME``
# - ``KEYSTONE_SERVICE_PROTOCOL``
# - ``KEYSTONE_SERVICE_HOST``
# - ``KEYSTONE_SERVICE_PORT``
# - ``KEYSTONE_SERVICE_URI``
function bootstrap_keystone {
$KEYSTONE_BIN_DIR/keystone-manage bootstrap \
--bootstrap-username admin \
@@ -580,8 +606,16 @@ function bootstrap_keystone {
--bootstrap-role-name admin \
--bootstrap-service-name keystone \
--bootstrap-region-id "$REGION_NAME" \
--bootstrap-admin-url "$KEYSTONE_AUTH_URI" \
--bootstrap-public-url "$KEYSTONE_SERVICE_URI"
if [ "$KEYSTONE_ADMIN_ENDPOINT" == "True" ]; then
openstack endpoint create --region "$REGION_NAME" \
--os-username admin \
--os-user-domain-id default \
--os-password "$ADMIN_PASSWORD" \
--os-project-name admin \
--os-project-domain-id default \
keystone admin "$KEYSTONE_SERVICE_URI"
fi
}
# create_ldap_domain() - Create domain file and initialize domain with a user
+5 -1
View File
@@ -33,14 +33,17 @@ LDAP_SERVICE_NAME=slapd
if is_ubuntu; then
LDAP_OLCDB_NUMBER=1
LDAP_OLCDB_TYPE=mdb
LDAP_ROOTPW_COMMAND=replace
elif is_fedora; then
LDAP_OLCDB_NUMBER=2
LDAP_OLCDB_TYPE=hdb
LDAP_ROOTPW_COMMAND=add
elif is_suse; then
# SUSE has slappasswd in /usr/sbin/
PATH=$PATH:/usr/sbin/
LDAP_OLCDB_NUMBER=1
LDAP_OLCDB_TYPE=hdb
LDAP_ROOTPW_COMMAND=add
LDAP_SERVICE_NAME=ldap
fi
@@ -56,6 +59,7 @@ function _ldap_varsubst {
local slappass=$2
sed -e "
s|\${LDAP_OLCDB_NUMBER}|$LDAP_OLCDB_NUMBER|
s|\${LDAP_OLCDB_TYPE}|$LDAP_OLCDB_TYPE|
s|\${SLAPPASS}|$slappass|
s|\${LDAP_ROOTPW_COMMAND}|$LDAP_ROOTPW_COMMAND|
s|\${BASE_DC}|$LDAP_BASE_DC|
@@ -157,7 +161,7 @@ function configure_ldap {
slapd slapd/dump_database_destdir string /var/backups/slapd-VERSION
slapd slapd/domain string Users
slapd shared/organization string $LDAP_DOMAIN
slapd slapd/backend string HDB
slapd slapd/backend string ${LDAP_OLCDB_TYPE^^}
slapd slapd/purge_database boolean true
slapd slapd/move_old_database boolean true
slapd slapd/allow_ldap_v2 boolean false
+2
View File
@@ -38,6 +38,7 @@ GITDIR["oslo.config"]=$DEST/oslo.config
GITDIR["oslo.context"]=$DEST/oslo.context
GITDIR["oslo.db"]=$DEST/oslo.db
GITDIR["oslo.i18n"]=$DEST/oslo.i18n
GITDIR["oslo.limit"]=$DEST/oslo.limit
GITDIR["oslo.log"]=$DEST/oslo.log
GITDIR["oslo.messaging"]=$DEST/oslo.messaging
GITDIR["oslo.middleware"]=$DEST/oslo.middleware
@@ -102,6 +103,7 @@ function install_libs {
_install_lib_from_source "oslo.context"
_install_lib_from_source "oslo.db"
_install_lib_from_source "oslo.i18n"
_install_lib_from_source "oslo.limit"
_install_lib_from_source "oslo.log"
_install_lib_from_source "oslo.messaging"
_install_lib_from_source "oslo.middleware"
+27 -22
View File
@@ -53,28 +53,10 @@ function _remove_lvm_volume_group {
sudo vgremove -f $vg
}
# _clean_lvm_backing_file() removes the backing file of the
# volume group
#
# Usage: _clean_lvm_backing_file() $backing_file
function _clean_lvm_backing_file {
local backing_file=$1
# If the backing physical device is a loop device, it was probably setup by DevStack
if [[ -n "$backing_file" ]] && [[ -e "$backing_file" ]]; then
local vg_dev
vg_dev=$(sudo losetup -j $backing_file | awk -F':' '/'$BACKING_FILE_SUFFIX'/ { print $1}')
if [[ -n "$vg_dev" ]]; then
sudo losetup -d $vg_dev
fi
rm -f $backing_file
fi
}
# clean_lvm_volume_group() cleans up the volume group and removes the
# backing file
#
# Usage: clean_lvm_volume_group $vg
# Usage: clean_lvm_volume_group() $vg
function clean_lvm_volume_group {
local vg=$1
@@ -83,11 +65,22 @@ function clean_lvm_volume_group {
# if there is no logical volume left, it's safe to attempt a cleanup
# of the backing file
if [[ -z "$(sudo lvs --noheadings -o lv_name $vg 2>/dev/null)" ]]; then
_clean_lvm_backing_file $DATA_DIR/$vg$BACKING_FILE_SUFFIX
local backing_file=$DATA_DIR/$vg$BACKING_FILE_SUFFIX
if [[ -n "$vg$BACKING_FILE_SUFFIX" ]] && \
[[ -e "/etc/systemd/system/$vg$BACKING_FILE_SUFFIX.service" ]]; then
sudo systemctl disable --now $vg$BACKING_FILE_SUFFIX.service
sudo rm -f /etc/systemd/system/$vg$BACKING_FILE_SUFFIX.service
sudo systemctl daemon-reload
fi
# If the backing physical device is a loop device, it was probably setup by DevStack
if [[ -n "$backing_file" ]] && [[ -e "$backing_file" ]]; then
rm -f $backing_file
fi
fi
}
# _create_lvm_volume_group creates default volume group
#
# Usage: _create_lvm_volume_group() $vg $size
@@ -106,8 +99,20 @@ function _create_lvm_volume_group {
directio="--direct-io=on"
fi
# Only create systemd service if it doesn't already exists
if [[ ! -e "/etc/systemd/system/$vg$BACKING_FILE_SUFFIX.service" ]]; then
sed -e "
s|%DIRECTIO%|${directio}|g;
s|%BACKING_FILE%|${backing_file}|g;
" $FILES/lvm-backing-file.template | sudo tee \
/etc/systemd/system/$vg$BACKING_FILE_SUFFIX.service
sudo systemctl daemon-reload
sudo systemctl enable --now $vg$BACKING_FILE_SUFFIX.service
fi
local vg_dev
vg_dev=$(sudo losetup -f --show $directio $backing_file)
vg_dev=$(sudo losetup --associated $backing_file -O NAME -n)
# Only create volume group if it doesn't already exist
if ! sudo vgs $vg; then
+52 -7
View File
@@ -37,6 +37,11 @@ NEUTRON_DEPLOY_MOD_WSGI=$(trueorfalse False NEUTRON_DEPLOY_MOD_WSGI)
NEUTRON_AGENT=${NEUTRON_AGENT:-openvswitch}
NEUTRON_DIR=$DEST/neutron
# If NEUTRON_ENFORCE_SCOPE == True, it will set "enforce_scope"
# and "enforce_new_defaults" to True in the Neutron's config to enforce usage
# of the new RBAC policies and scopes.
NEUTRON_ENFORCE_SCOPE=$(trueorfalse False NEUTRON_ENFORCE_SCOPE)
NEUTRON_DISTRIBUTED_ROUTING=$(trueorfalse False NEUTRON_DISTRIBUTED_ROUTING)
# Distributed Virtual Router (DVR) configuration
# Can be:
@@ -109,6 +114,12 @@ NEUTRON_TENANT_VLAN_RANGE=${NEUTRON_TENANT_VLAN_RANGE:-${TENANT_VLAN_RANGE:-100:
# Physical network for VLAN network usage.
NEUTRON_PHYSICAL_NETWORK=${NEUTRON_PHYSICAL_NETWORK:-}
# The name of the service in the endpoint URL
NEUTRON_ENDPOINT_SERVICE_NAME=${NEUTRON_ENDPOINT_SERVICE_NAME-"networking"}
if [[ "$NEUTRON_DEPLOY_MOD_WSGI" == "True" && -z "$NEUTRON_ENDPOINT_SERVICE_NAME" ]]; then
NEUTRON_ENDPOINT_SERVICE_NAME="networking"
fi
# Additional neutron api config files
declare -a -g _NEUTRON_SERVER_EXTRA_CONF_FILES_ABS
@@ -141,6 +152,7 @@ fi
# cleanup_neutron() - Remove residual data files, anything left over from previous
# runs that a clean run would need to clean up
function cleanup_neutron_new {
deprecated "Using lib/neutron is deprecated, and it will be removed in AA release!"
source $TOP_DIR/lib/neutron_plugins/${NEUTRON_AGENT}_agent
if is_neutron_ovs_base_plugin; then
neutron_ovs_base_cleanup
@@ -164,6 +176,7 @@ function configure_root_helper_options {
# configure_neutron() - Set config files, create data dirs, etc
function configure_neutron_new {
deprecated "Using lib/neutron is deprecated, and it will be removed in AA release!"
sudo install -d -o $STACK_USER $NEUTRON_CONF_DIR
(cd $NEUTRON_DIR && exec ./tools/generate_config_file_samples.sh)
@@ -206,7 +219,6 @@ function configure_neutron_new {
iniset $NEUTRON_CONF DEFAULT core_plugin $NEUTRON_CORE_PLUGIN
iniset $NEUTRON_CONF DEFAULT policy_file $policy_file
iniset $NEUTRON_CONF DEFAULT allow_overlapping_ips True
iniset $NEUTRON_CONF DEFAULT router_distributed $NEUTRON_DISTRIBUTED_ROUTING
iniset $NEUTRON_CONF DEFAULT auth_strategy $NEUTRON_AUTH_STRATEGY
@@ -222,7 +234,12 @@ function configure_neutron_new {
else
mech_drivers+=",linuxbridge"
fi
if [[ "$mech_drivers" == *"linuxbridge"* ]]; then
iniset $NEUTRON_CONF experimental linuxbridge True
fi
iniset $NEUTRON_CORE_PLUGIN_CONF ml2 mechanism_drivers $mech_drivers
iniset $NEUTRON_CORE_PLUGIN_CONF ml2 overlay_ip_version $TUNNEL_IP_VERSION
iniset $NEUTRON_CORE_PLUGIN_CONF ml2_type_vxlan vni_ranges 1001:2000
iniset $NEUTRON_CORE_PLUGIN_CONF ml2_type_flat flat_networks $PUBLIC_NETWORK_NAME
@@ -232,6 +249,7 @@ function configure_neutron_new {
if [[ "$NEUTRON_PORT_SECURITY" = "True" ]]; then
neutron_ml2_extension_driver_add port_security
fi
configure_rbac_policies
fi
# Neutron OVS or LB agent
@@ -243,10 +261,10 @@ function configure_neutron_new {
# Configure the neutron agent
if [[ $NEUTRON_AGENT == "linuxbridge" ]]; then
iniset $NEUTRON_CORE_PLUGIN_CONF securitygroup firewall_driver iptables
iniset $NEUTRON_CORE_PLUGIN_CONF vxlan local_ip $HOST_IP
iniset $NEUTRON_CORE_PLUGIN_CONF vxlan local_ip $TUNNEL_ENDPOINT_IP
elif [[ $NEUTRON_AGENT == "openvswitch" ]]; then
iniset $NEUTRON_CORE_PLUGIN_CONF securitygroup firewall_driver openvswitch
iniset $NEUTRON_CORE_PLUGIN_CONF ovs local_ip $HOST_IP
iniset $NEUTRON_CORE_PLUGIN_CONF ovs local_ip $TUNNEL_ENDPOINT_IP
if [[ "$NEUTRON_DISTRIBUTED_ROUTING" = "True" ]]; then
iniset $NEUTRON_CORE_PLUGIN_CONF agent l2_population True
@@ -353,6 +371,7 @@ function configure_neutron_rootwrap {
# Takes a single optional argument which is the config file to update,
# if not passed $NOVA_CONF is used.
function configure_neutron_nova_new {
deprecated "Using lib/neutron is deprecated, and it will be removed in AA release!"
local conf=${1:-$NOVA_CONF}
iniset $conf neutron auth_type "password"
iniset $conf neutron auth_url "$KEYSTONE_SERVICE_URI"
@@ -379,13 +398,17 @@ function configure_neutron_nova_new {
# create_neutron_accounts() - Create required service accounts
function create_neutron_accounts_new {
deprecated "Using lib/neutron is deprecated, and it will be removed in AA release!"
local neutron_url
if [ "$NEUTRON_DEPLOY_MOD_WSGI" == "True" ]; then
neutron_url=$NEUTRON_SERVICE_PROTOCOL://$NEUTRON_SERVICE_HOST/networking/
neutron_url=$NEUTRON_SERVICE_PROTOCOL://$NEUTRON_SERVICE_HOST/
else
neutron_url=$NEUTRON_SERVICE_PROTOCOL://$NEUTRON_SERVICE_HOST:$NEUTRON_SERVICE_PORT/
fi
if [ ! -z "$NEUTRON_ENDPOINT_SERVICE_NAME" ]; then
neutron_url=$neutron_url$NEUTRON_ENDPOINT_SERVICE_NAME
fi
if [[ "$ENABLED_SERVICES" =~ "neutron-api" ]]; then
@@ -402,6 +425,7 @@ function create_neutron_accounts_new {
# init_neutron() - Initialize databases, etc.
function init_neutron_new {
deprecated "Using lib/neutron is deprecated, and it will be removed in AA release!"
recreate_database neutron
time_start "dbsync"
@@ -412,6 +436,7 @@ function init_neutron_new {
# install_neutron() - Collect source and prepare
function install_neutron_new {
deprecated "Using lib/neutron is deprecated, and it will be removed in AA release!"
git_clone $NEUTRON_REPO $NEUTRON_DIR $NEUTRON_BRANCH
setup_develop $NEUTRON_DIR
@@ -464,19 +489,22 @@ function start_neutron_api {
if [ "$NEUTRON_DEPLOY_MOD_WSGI" == "True" ]; then
run_process neutron-api "$(which uwsgi) --procname-prefix neutron-api --ini $NEUTRON_UWSGI_CONF"
neutron_url=$service_protocol://$NEUTRON_SERVICE_HOST/networking/
neutron_url=$service_protocol://$NEUTRON_SERVICE_HOST/
enable_service neutron-rpc-server
run_process neutron-rpc-server "$NEUTRON_BIN_DIR/neutron-rpc-server $opts"
else
# Start the Neutron service
# TODO(sc68cal) Stop hard coding this
run_process neutron-api "$NEUTRON_BIN_DIR/neutron-server $opts"
neutron_url=$service_protocol://$NEUTRON_SERVICE_HOST:$service_port
neutron_url=$service_protocol://$NEUTRON_SERVICE_HOST:$service_port/
# Start proxy if enabled
if is_service_enabled tls-proxy; then
start_tls_proxy neutron '*' $NEUTRON_SERVICE_PORT $NEUTRON_SERVICE_HOST $NEUTRON_SERVICE_PORT_INT
fi
fi
if [ ! -z "$NEUTRON_ENDPOINT_SERVICE_NAME" ]; then
neutron_url=$neutron_url$NEUTRON_ENDPOINT_SERVICE_NAME
fi
if ! wait_for_service $SERVICE_TIMEOUT $neutron_url; then
die $LINENO "neutron-api did not start"
@@ -485,6 +513,7 @@ function start_neutron_api {
# start_neutron() - Start running processes
function start_neutron_new {
deprecated "Using lib/neutron is deprecated, and it will be removed in AA release!"
# Start up the neutron agents if enabled
# TODO(sc68cal) Make this pluggable so different DevStack plugins for different Neutron plugins
# can resolve the $NEUTRON_AGENT_BINARY
@@ -522,6 +551,7 @@ function start_neutron_new {
# stop_neutron() - Stop running processes
function stop_neutron_new {
deprecated "Using lib/neutron is deprecated, and it will be removed in AA release!"
for serv in neutron-api neutron-agent neutron-l3; do
stop_process $serv
done
@@ -537,13 +567,13 @@ function stop_neutron_new {
fi
if is_service_enabled neutron-metadata-agent; then
sudo pkill -9 -f neutron-ns-metadata-proxy || :
stop_process neutron-metadata-agent
fi
}
# neutron_service_plugin_class_add() - add service plugin class
function neutron_service_plugin_class_add_new {
deprecated "Using lib/neutron is deprecated, and it will be removed in AA release!"
local service_plugin_class=$1
local plugins=""
@@ -568,11 +598,13 @@ function _neutron_ml2_extension_driver_add {
}
function neutron_server_config_add_new {
deprecated "Using lib/neutron is deprecated, and it will be removed in AA release!"
_NEUTRON_SERVER_EXTRA_CONF_FILES_ABS+=($1)
}
# neutron_deploy_rootwrap_filters() - deploy rootwrap filters
function neutron_deploy_rootwrap_filters_new {
deprecated "Using lib/neutron is deprecated, and it will be removed in AA release!"
local srcdir=$1
sudo install -d -o root -g root -m 755 $NEUTRON_CONF_DIR/rootwrap.d
sudo install -o root -g root -m 644 $srcdir/etc/neutron/rootwrap.d/*.filters $NEUTRON_CONF_DIR/rootwrap.d
@@ -612,6 +644,19 @@ function configure_neutron {
fi
}
# configure_rbac_policies() - Configure Neutron to enforce new RBAC
# policies and scopes if NEUTRON_ENFORCE_SCOPE == True
function configure_rbac_policies {
if [[ "$NEUTRON_ENFORCE_SCOPE" == "True" || "$ENFORCE_SCOPE" == "True" ]]; then
iniset $NEUTRON_CONF oslo_policy enforce_new_defaults True
iniset $NEUTRON_CONF oslo_policy enforce_scope True
else
iniset $NEUTRON_CONF oslo_policy enforce_new_defaults False
iniset $NEUTRON_CONF oslo_policy enforce_scope False
fi
}
function configure_neutron_nova {
if is_neutron_legacy_enabled; then
# Call back to old function
+84 -18
View File
@@ -90,6 +90,11 @@ NEUTRON_DEPLOY_MOD_WSGI=$(trueorfalse False NEUTRON_DEPLOY_MOD_WSGI)
NEUTRON_UWSGI_CONF=$NEUTRON_CONF_DIR/neutron-api-uwsgi.ini
# If NEUTRON_ENFORCE_SCOPE == True, it will set "enforce_scope"
# and "enforce_new_defaults" to True in the Neutron's config to enforce usage
# of the new RBAC policies and scopes.
NEUTRON_ENFORCE_SCOPE=$(trueorfalse False NEUTRON_ENFORCE_SCOPE)
# Agent binaries. Note, binary paths for other agents are set in per-service
# scripts in lib/neutron_plugins/services/
AGENT_DHCP_BINARY="$NEUTRON_BIN_DIR/neutron-dhcp-agent"
@@ -133,10 +138,19 @@ Q_NOTIFY_NOVA_PORT_DATA_CHANGES=${Q_NOTIFY_NOVA_PORT_DATA_CHANGES:-True}
VIF_PLUGGING_IS_FATAL=${VIF_PLUGGING_IS_FATAL:-True}
VIF_PLUGGING_TIMEOUT=${VIF_PLUGGING_TIMEOUT:-300}
# Allow to skip stopping of OVN services
SKIP_STOP_OVN=${SKIP_STOP_OVN:-False}
# The directory which contains files for Q_PLUGIN_EXTRA_CONF_FILES.
# /etc/neutron is assumed by many of devstack plugins. Do not change.
_Q_PLUGIN_EXTRA_CONF_PATH=/etc/neutron
# The name of the service in the endpoint URL
NEUTRON_ENDPOINT_SERVICE_NAME=${NEUTRON_ENDPOINT_SERVICE_NAME-"networking"}
if [[ "$NEUTRON_DEPLOY_MOD_WSGI" == "True" && -z "$NEUTRON_ENDPOINT_SERVICE_NAME" ]]; then
NEUTRON_ENDPOINT_SERVICE_NAME="networking"
fi
# List of config file names in addition to the main plugin config file
# To add additional plugin config files, use ``neutron_server_config_add``
# utility function. For example:
@@ -238,13 +252,6 @@ if [[ $Q_AGENT == "linuxbridge" && -z ${LB_PHYSICAL_INTERFACE} ]]; then
LB_PHYSICAL_INTERFACE=$default_route_dev
fi
# When Neutron tunnels are enabled it is needed to specify the
# IP address of the end point in the local server. This IP is set
# by default to the same IP address that the HOST IP.
# This variable can be used to specify a different end point IP address
# Example: ``TUNNEL_ENDPOINT_IP=1.1.1.1``
TUNNEL_ENDPOINT_IP=${TUNNEL_ENDPOINT_IP:-$HOST_IP}
# With the openvswitch plugin, set to True in ``localrc`` to enable
# provider GRE tunnels when ``ENABLE_TENANT_TUNNELS`` is False.
#
@@ -275,6 +282,12 @@ source $TOP_DIR/lib/neutron_plugins/services/metering
# L3 Service functions
source $TOP_DIR/lib/neutron_plugins/services/l3
# Additional Neutron service plugins
source $TOP_DIR/lib/neutron_plugins/services/placement
source $TOP_DIR/lib/neutron_plugins/services/trunk
source $TOP_DIR/lib/neutron_plugins/services/qos
# Use security group or not
if has_neutron_plugin_security_group; then
Q_USE_SECGROUP=${Q_USE_SECGROUP:-True}
@@ -369,6 +382,21 @@ function configure_mutnauq {
configure_ovn_plugin
fi
# Configure Neutron's advanced services
if is_service_enabled q-placement neutron-placement; then
configure_placement_extension
fi
if is_service_enabled q-trunk neutron-trunk; then
configure_trunk_extension
fi
if is_service_enabled q-qos neutron-qos; then
configure_qos
if is_service_enabled q-l3 neutron-l3; then
configure_l3_agent_extension_fip_qos
configure_l3_agent_extension_gateway_ip_qos
fi
fi
iniset $NEUTRON_CONF DEFAULT api_workers "$API_WORKERS"
# devstack is not a tool for running uber scale OpenStack
# clouds, therefore running without a dedicated RPC worker
@@ -409,10 +437,13 @@ function create_nova_conf_neutron {
function create_mutnauq_accounts {
local neutron_url
if [ "$NEUTRON_DEPLOY_MOD_WSGI" == "True" ]; then
neutron_url=$Q_PROTOCOL://$SERVICE_HOST/networking/
neutron_url=$Q_PROTOCOL://$SERVICE_HOST/
else
neutron_url=$Q_PROTOCOL://$SERVICE_HOST:$Q_PORT/
fi
if [ ! -z "$NEUTRON_ENDPOINT_SERVICE_NAME" ]; then
neutron_url=$neutron_url$NEUTRON_ENDPOINT_SERVICE_NAME
fi
if [[ "$ENABLED_SERVICES" =~ "q-svc" ]]; then
@@ -468,6 +499,19 @@ function configure_neutron_after_post_config {
if [[ $Q_SERVICE_PLUGIN_CLASSES != '' ]]; then
iniset $NEUTRON_CONF DEFAULT service_plugins $Q_SERVICE_PLUGIN_CLASSES
fi
configure_rbac_policies
}
# configure_rbac_policies() - Configure Neutron to enforce new RBAC
# policies and scopes if NEUTRON_ENFORCE_SCOPE == True
function configure_rbac_policies {
if [[ "$NEUTRON_ENFORCE_SCOPE" == "True" || "$ENFORCE_SCOPE" == True ]]; then
iniset $NEUTRON_CONF oslo_policy enforce_new_defaults True
iniset $NEUTRON_CONF oslo_policy enforce_scope True
else
iniset $NEUTRON_CONF oslo_policy enforce_new_defaults False
iniset $NEUTRON_CONF oslo_policy enforce_scope False
fi
}
# Start running OVN processes
@@ -503,17 +547,20 @@ function start_neutron_service_and_check {
if [ "$NEUTRON_DEPLOY_MOD_WSGI" == "True" ]; then
enable_service neutron-api
run_process neutron-api "$(which uwsgi) --procname-prefix neutron-api --ini $NEUTRON_UWSGI_CONF"
neutron_url=$Q_PROTOCOL://$Q_HOST/networking/
neutron_url=$Q_PROTOCOL://$Q_HOST/
enable_service neutron-rpc-server
run_process neutron-rpc-server "$NEUTRON_BIN_DIR/neutron-rpc-server $cfg_file_options"
else
run_process q-svc "$NEUTRON_BIN_DIR/neutron-server $cfg_file_options"
neutron_url=$service_protocol://$Q_HOST:$service_port
neutron_url=$service_protocol://$Q_HOST:$service_port/
# Start proxy if enabled
if is_service_enabled tls-proxy; then
start_tls_proxy neutron '*' $Q_PORT $Q_HOST $Q_PORT_INT
fi
fi
if [ ! -z "$NEUTRON_ENDPOINT_SERVICE_NAME" ]; then
neutron_url=$neutron_url$NEUTRON_ENDPOINT_SERVICE_NAME
fi
echo "Waiting for Neutron to start..."
local testcmd="wget ${ssl_ca} --no-proxy -q -O- $neutron_url"
@@ -543,11 +590,7 @@ function start_mutnauq_l2_agent {
function start_mutnauq_other_agents {
run_process q-dhcp "$AGENT_DHCP_BINARY --config-file $NEUTRON_CONF --config-file $Q_DHCP_CONF_FILE"
if is_service_enabled neutron-vpnaas; then
: # Started by plugin
else
run_process q-l3 "$AGENT_L3_BINARY $(determine_config_files neutron-l3-agent)"
fi
run_process q-l3 "$AGENT_L3_BINARY $(determine_config_files neutron-l3-agent)"
run_process q-meta "$AGENT_META_BINARY --config-file $NEUTRON_CONF --config-file $Q_META_CONF_FILE"
run_process q-metering "$AGENT_METERING_BINARY --config-file $NEUTRON_CONF --config-file $METERING_AGENT_CONF_FILENAME"
@@ -585,7 +628,6 @@ function stop_mutnauq_other {
fi
if is_service_enabled q-meta; then
sudo pkill -9 -f neutron-ns-metadata-proxy || :
stop_process q-meta
fi
@@ -603,7 +645,7 @@ function stop_mutnauq {
stop_mutnauq_other
stop_mutnauq_l2_agent
if [[ $Q_AGENT == "ovn" ]]; then
if [[ $Q_AGENT == "ovn" && $SKIP_STOP_OVN != "True" ]]; then
stop_ovn
fi
}
@@ -874,18 +916,30 @@ function _configure_neutron_plugin_agent {
neutron_plugin_configure_plugin_agent
}
function _replace_api_paste_composite {
local sep
sep=$(echo -ne "\x01")
# Replace it
$sudo sed -i -e "s/\/\: neutronversions_composite/\/"${NEUTRON_ENDPOINT_SERVICE_NAME}"\/\: neutronversions_composite/" "$Q_API_PASTE_FILE"
$sudo sed -i -e "s/\/healthcheck\: healthcheck/\/"${NEUTRON_ENDPOINT_SERVICE_NAME}"\/healthcheck\: healthcheck/" "$Q_API_PASTE_FILE"
$sudo sed -i -e "s/\/v2.0\: neutronapi_v2_0/\/"${NEUTRON_ENDPOINT_SERVICE_NAME}"\/v2.0\: neutronapi_v2_0/" "$Q_API_PASTE_FILE"
}
# _configure_neutron_service() - Set config files for neutron service
# It is called when q-svc is enabled.
function _configure_neutron_service {
Q_API_PASTE_FILE=$NEUTRON_CONF_DIR/api-paste.ini
cp $NEUTRON_DIR/etc/api-paste.ini $Q_API_PASTE_FILE
if [[ -n "$NEUTRON_ENDPOINT_SERVICE_NAME" ]]; then
_replace_api_paste_composite
fi
# Update either configuration file with plugin
iniset $NEUTRON_CONF DEFAULT core_plugin $Q_PLUGIN_CLASS
iniset $NEUTRON_CONF DEFAULT debug $ENABLE_DEBUG_LOG_LEVEL
iniset $NEUTRON_CONF oslo_policy policy_file $Q_POLICY_FILE
iniset $NEUTRON_CONF DEFAULT allow_overlapping_ips $Q_ALLOW_OVERLAPPING_IP
iniset $NEUTRON_CONF DEFAULT auth_strategy $Q_AUTH_STRATEGY
configure_keystone_authtoken_middleware $NEUTRON_CONF $Q_ADMIN_USERNAME
@@ -896,6 +950,9 @@ function _configure_neutron_service {
configure_keystone_authtoken_middleware $NEUTRON_CONF nova nova
# Configuration for placement client
configure_keystone_authtoken_middleware $NEUTRON_CONF placement placement
# Configure plugin
neutron_plugin_configure_service
}
@@ -1022,6 +1079,15 @@ function _ssh_check_neutron {
test_with_retry "$testcmd" "server $ip didn't become ssh-able" $timeout_sec
}
function plugin_agent_add_l2_agent_extension {
local l2_agent_extension=$1
if [[ -z "$L2_AGENT_EXTENSIONS" ]]; then
L2_AGENT_EXTENSIONS=$l2_agent_extension
elif [[ ! ,${L2_AGENT_EXTENSIONS}, =~ ,${l2_agent_extension}, ]]; then
L2_AGENT_EXTENSIONS+=",$l2_agent_extension"
fi
}
# Restore xtrace
$_XTRACE_NEUTRON
+8
View File
@@ -125,6 +125,10 @@ function neutron_plugin_configure_service {
fi
populate_ml2_config /$Q_PLUGIN_CONF_FILE ml2 mechanism_drivers=$Q_ML2_PLUGIN_MECHANISM_DRIVERS
if [[ "$Q_ML2_PLUGIN_MECHANISM_DRIVERS" == *"linuxbridge"* ]]; then
iniset $NEUTRON_CONF experimental linuxbridge True
fi
populate_ml2_config /$Q_PLUGIN_CONF_FILE ml2 overlay_ip_version=$TUNNEL_IP_VERSION
if [[ -n "$Q_ML2_PLUGIN_TYPE_DRIVERS" ]]; then
populate_ml2_config /$Q_PLUGIN_CONF_FILE ml2 type_drivers=$Q_ML2_PLUGIN_TYPE_DRIVERS
@@ -156,5 +160,9 @@ function has_neutron_plugin_security_group {
return 0
}
function configure_qos_ml2 {
neutron_ml2_extension_driver_add "qos"
}
# Restore xtrace
$_XTRACE_NEUTRON_ML2
+54 -29
View File
@@ -24,11 +24,6 @@ source ${TOP_DIR}/lib/neutron_plugins/openvswitch_agent
# Load devstack ovs compliation and loading functions
source ${TOP_DIR}/lib/neutron_plugins/ovs_source
# Defaults
# --------
Q_BUILD_OVS_FROM_GIT=$(trueorfalse True Q_BUILD_OVS_FROM_GIT)
# Set variables for building OVN from source
OVN_REPO=${OVN_REPO:-https://github.com/ovn-org/ovn.git}
OVN_REPO_NAME=$(basename ${OVN_REPO} | cut -f1 -d'.')
@@ -74,6 +69,9 @@ OVN_UUID=${OVN_UUID:-}
# unless the distro kernel includes ovs+conntrack support.
OVN_BUILD_MODULES=$(trueorfalse False OVN_BUILD_MODULES)
OVN_BUILD_FROM_SOURCE=$(trueorfalse False OVN_BUILD_FROM_SOURCE)
if [[ "$OVN_BUILD_FROM_SOURCE" == "True" ]]; then
Q_BUILD_OVS_FROM_GIT=True
fi
# Whether or not to install the ovs python module from ovs source. This can be
# used to test and validate new ovs python features. This should only be used
@@ -101,8 +99,10 @@ ENABLE_CHASSIS_AS_GW=$(trueorfalse True ENABLE_CHASSIS_AS_GW)
OVN_L3_CREATE_PUBLIC_NETWORK=$(trueorfalse True OVN_L3_CREATE_PUBLIC_NETWORK)
export OVSDB_SERVER_LOCAL_HOST=$SERVICE_LOCAL_HOST
TUNNEL_IP=$TUNNEL_ENDPOINT_IP
if [[ "$SERVICE_IP_VERSION" == 6 ]]; then
OVSDB_SERVER_LOCAL_HOST=[$OVSDB_SERVER_LOCAL_HOST]
TUNNEL_IP=[$TUNNEL_IP]
fi
OVN_IGMP_SNOOPING_ENABLE=$(trueorfalse False OVN_IGMP_SNOOPING_ENABLE)
@@ -119,7 +119,13 @@ OVS_SCRIPTDIR=$OVS_SHAREDIR/scripts
OVS_DATADIR=$DATA_DIR/ovs
OVS_SYSCONFDIR=${OVS_SYSCONFDIR:-$OVS_PREFIX/etc/openvswitch}
OVN_DATADIR=$DATA_DIR/ovn
if [[ "$OVN_BUILD_FROM_SOURCE" == "True" ]]; then
OVN_DATADIR=$DATA_DIR/ovn
else
# When using OVN from packages, the data dir for OVN DBs is
# /var/lib/ovn
OVN_DATADIR=/var/lib/ovn
fi
OVN_SHAREDIR=$OVS_PREFIX/share/ovn
OVN_SCRIPTDIR=$OVN_SHAREDIR/scripts
OVN_RUNDIR=$OVS_PREFIX/var/run/ovn
@@ -165,12 +171,23 @@ Q_LOG_DRIVER_LOG_BASE=${Q_LOG_DRIVER_LOG_BASE:-acl_log_meter}
# Utility Functions
# -----------------
function wait_for_db_file {
local count=0
while [ ! -f $1 ]; do
sleep 1
count=$((count+1))
if [ "$count" -gt 40 ]; then
die $LINENO "DB File $1 not found"
fi
done
}
function wait_for_sock_file {
local count=0
while [ ! -S $1 ]; do
sleep 1
count=$((count+1))
if [ "$count" -gt 5 ]; then
if [ "$count" -gt 40 ]; then
die $LINENO "Socket $1 not found"
fi
done
@@ -249,7 +266,12 @@ function _run_process {
local testcmd="test -e $OVS_RUNDIR/$service.pid"
test_with_retry "$testcmd" "$service did not start" $SERVICE_TIMEOUT 1
sudo ovs-appctl -t $service vlog/set console:off syslog:info file:info
local service_ctl_file
service_ctl_file=$(ls $OVS_RUNDIR | grep $service | grep ctl)
if [ -z "$service_ctl_file" ]; then
die $LINENO "ctl file for service $service is not present."
fi
sudo ovs-appctl -t $OVS_RUNDIR/$service_ctl_file vlog/set console:off syslog:info file:info
}
function clone_repository {
@@ -288,16 +310,13 @@ function _disable_libvirt_apparmor {
# compile_ovn() - Compile OVN from source and load needed modules
# Accepts three parameters:
# - first optional is False by default and means that
# modules are built and installed.
# - second optional parameter defines prefix for
# - first optional parameter defines prefix for
# ovn compilation
# - third optional parameter defines localstatedir for
# - second optional parameter defines localstatedir for
# ovn single machine runtime
function compile_ovn {
local build_modules=${1:-False}
local prefix=$2
local localstatedir=$3
local prefix=$1
local localstatedir=$2
if [ -n "$prefix" ]; then
prefix="--prefix=$prefix"
@@ -341,11 +360,6 @@ function ovn_sanity_check {
# install_ovn() - Collect source and prepare
function install_ovn {
if [[ "$Q_BUILD_OVS_FROM_GIT" == "False" ]]; then
echo "Installation of OVS from source disabled."
return 0
fi
echo "Installing OVN and dependent packages"
# Check the OVN configuration
@@ -375,7 +389,7 @@ function install_ovn {
compile_ovs $OVN_BUILD_MODULES
if use_new_ovn_repository; then
compile_ovn $OVN_BUILD_MODULES
compile_ovn
fi
sudo mkdir -p $OVS_PREFIX/var/log/openvswitch
@@ -383,6 +397,8 @@ function install_ovn {
sudo mkdir -p $OVS_PREFIX/var/log/ovn
sudo chown $(whoami) $OVS_PREFIX/var/log/ovn
else
# Load fixup_ovn_centos
source ${TOP_DIR}/tools/fixup_stuff.sh
fixup_ovn_centos
install_package $(get_packages openvswitch)
install_package $(get_packages ovn)
@@ -561,14 +577,20 @@ function init_ovn {
# create new ones on each devstack run.
_disable_libvirt_apparmor
local mkdir_cmd="mkdir -p ${OVN_DATADIR}"
mkdir -p $OVN_DATADIR
if [[ "$OVN_BUILD_FROM_SOURCE" == "False" ]]; then
mkdir_cmd="sudo ${mkdir_cmd}"
fi
$mkdir_cmd
mkdir -p $OVS_DATADIR
rm -f $OVS_DATADIR/*.db
rm -f $OVS_DATADIR/.*.db.~lock~
rm -f $OVN_DATADIR/*.db
rm -f $OVN_DATADIR/.*.db.~lock~
sudo rm -f $OVN_DATADIR/*.db
sudo rm -f $OVN_DATADIR/.*.db.~lock~
sudo rm -f $OVN_RUNDIR/*.sock
}
function _start_ovs {
@@ -595,7 +617,7 @@ function _start_ovs {
dbcmd+=" --remote=db:hardware_vtep,Global,managers $OVS_DATADIR/vtep.db"
fi
dbcmd+=" $OVS_DATADIR/conf.db"
_run_process ovsdb-server "$dbcmd"
_run_process ovsdb-server "$dbcmd" "" "$STACK_GROUP" "root"
# Note: ovn-controller will create and configure br-int once it is started.
# So, no need to create it now because nothing depends on that bridge here.
@@ -620,8 +642,8 @@ function _start_ovs {
sudo ovs-vsctl --no-wait set open_vswitch . external-ids:ovn-remote="$OVN_SB_REMOTE"
sudo ovs-vsctl --no-wait set open_vswitch . external-ids:ovn-bridge="br-int"
sudo ovs-vsctl --no-wait set open_vswitch . external-ids:ovn-encap-type="geneve"
sudo ovs-vsctl --no-wait set open_vswitch . external-ids:ovn-encap-ip="$HOST_IP"
sudo ovs-vsctl --no-wait set open_vswitch . external-ids:hostname="$LOCAL_HOSTNAME"
sudo ovs-vsctl --no-wait set open_vswitch . external-ids:ovn-encap-ip="$TUNNEL_IP"
sudo ovs-vsctl --no-wait set open_vswitch . external-ids:hostname=$(hostname)
# Select this chassis to host gateway routers
if [[ "$ENABLE_CHASSIS_AS_GW" == "True" ]]; then
sudo ovs-vsctl --no-wait set open_vswitch . external-ids:ovn-cms-options="enable-chassis-as-gw"
@@ -635,7 +657,7 @@ function _start_ovs {
if is_service_enabled ovn-controller-vtep ; then
ovn_base_setup_bridge br-v
vtep-ctl add-ps br-v
vtep-ctl set Physical_Switch br-v tunnel_ips=$HOST_IP
vtep-ctl set Physical_Switch br-v tunnel_ips=$TUNNEL_IP
enable_service ovs-vtep
local vtepcmd="$OVS_SCRIPTDIR/ovs-vtep --log-file --pidfile --detach br-v"
@@ -683,14 +705,17 @@ function start_ovn {
local cmd="/bin/bash $SCRIPTDIR/ovn-ctl --no-monitor start_northd"
local stop_cmd="/bin/bash $SCRIPTDIR/ovn-ctl stop_northd"
_run_process ovn-northd "$cmd" "$stop_cmd"
_run_process ovn-northd "$cmd" "$stop_cmd" "$STACK_GROUP" "root"
else
_start_process "$OVN_NORTHD_SERVICE"
fi
# Wait for the service to be ready
# Check for socket and db files for both OVN NB and SB
wait_for_sock_file $OVS_RUNDIR/ovnnb_db.sock
wait_for_sock_file $OVS_RUNDIR/ovnsb_db.sock
wait_for_db_file $OVN_DATADIR/ovnnb_db.db
wait_for_db_file $OVN_DATADIR/ovnsb_db.db
if is_service_enabled tls-proxy; then
sudo ovn-nbctl --db=unix:$OVS_RUNDIR/ovnnb_db.sock set-ssl $INT_CA_DIR/private/$DEVSTACK_CERT_NAME.key $INT_CA_DIR/$DEVSTACK_CERT_NAME.crt $INT_CA_DIR/ca-chain.pem
+31 -18
View File
@@ -7,6 +7,12 @@
_XTRACE_NEUTRON_OVS_BASE=$(set +o | grep xtrace)
set +o xtrace
# Load devstack ovs compliation and loading functions
source ${TOP_DIR}/lib/neutron_plugins/ovs_source
# Defaults
# --------
OVS_BRIDGE=${OVS_BRIDGE:-br-int}
# OVS recognize default 'system' datapath or 'netdev' for userspace datapath
OVS_DATAPATH_TYPE=${OVS_DATAPATH_TYPE:-system}
@@ -60,26 +66,33 @@ function _neutron_ovs_base_install_ubuntu_dkms {
}
function _neutron_ovs_base_install_agent_packages {
# Install deps
install_package $(get_packages "openvswitch")
if is_ubuntu; then
_neutron_ovs_base_install_ubuntu_dkms
restart_service openvswitch-switch
elif is_fedora; then
restart_service openvswitch
sudo systemctl enable openvswitch
elif is_suse; then
if [[ $DISTRO == "sle12" ]] && vercmp "$os_RELEASE" "<" "12.2" ; then
if [ "$Q_BUILD_OVS_FROM_GIT" == "True" ]; then
remove_ovs_packages
compile_ovs False /usr/local /var
load_conntrack_gre_module
start_new_ovs
else
# Install deps
install_package $(get_packages "openvswitch")
if is_ubuntu; then
_neutron_ovs_base_install_ubuntu_dkms
restart_service openvswitch-switch
else
# workaround for https://bugzilla.suse.com/show_bug.cgi?id=1085971
if [[ $DISTRO =~ "tumbleweed" ]]; then
sudo sed -i -e "s,^OVS_USER_ID=.*,OVS_USER_ID='root:root'," /etc/sysconfig/openvswitch
elif is_fedora; then
restart_service openvswitch
sudo systemctl enable openvswitch
elif is_suse; then
if [[ $DISTRO == "sle12" ]] && vercmp "$os_RELEASE" "<" "12.2" ; then
restart_service openvswitch-switch
else
# workaround for https://bugzilla.suse.com/show_bug.cgi?id=1085971
if [[ $DISTRO =~ "tumbleweed" ]]; then
sudo sed -i -e "s,^OVS_USER_ID=.*,OVS_USER_ID='root:root'," /etc/sysconfig/openvswitch
fi
restart_service openvswitch || {
journalctl -xe || :
systemctl status openvswitch
}
fi
restart_service openvswitch || {
journalctl -xe || :
systemctl status openvswitch
}
fi
fi
}
+11 -6
View File
@@ -14,6 +14,7 @@
# Defaults
# --------
Q_BUILD_OVS_FROM_GIT=$(trueorfalse False Q_BUILD_OVS_FROM_GIT)
# Set variables for building OVS from source
OVS_REPO=${OVS_REPO:-https://github.com/openvswitch/ovs.git}
@@ -86,9 +87,15 @@ function prepare_for_ovs_compilation {
install_package kernel-devel-$KERNEL_VERSION
install_package kernel-headers-$KERNEL_VERSION
if is_service_enabled tls-proxy; then
install_package openssl-devel
fi
elif is_ubuntu ; then
install_package linux-headers-$KERNEL_VERSION
if is_service_enabled tls-proxy; then
install_package libssl-dev
fi
fi
}
@@ -157,10 +164,8 @@ function compile_ovs {
sudo make install
if [[ "$build_modules" == "True" ]]; then
sudo make INSTALL_MOD_DIR=kernel/net/openvswitch modules_install
reload_ovs_kernel_modules
else
load_ovs_kernel_modules
fi
reload_ovs_kernel_modules
cd $_pwd
}
@@ -187,12 +192,12 @@ function action_openvswitch {
# start_new_ovs() - removes old ovs database, creates a new one and starts ovs
function start_new_ovs {
sudo rm -f /etc/openvswitch/conf.db /etc/openvswitch/.conf.db~lock~
sudo /usr/share/openvswitch/scripts/ovs-ctl start
sudo /usr/local/share/openvswitch/scripts/ovs-ctl start
}
# stop_new_ovs() - stops ovs
function stop_new_ovs {
local ovs_ctl='/usr/share/openvswitch/scripts/ovs-ctl'
local ovs_ctl='/usr/local/share/openvswitch/scripts/ovs-ctl'
if [ -x $ovs_ctl ] ; then
sudo $ovs_ctl stop
@@ -211,5 +216,5 @@ function remove_ovs_packages {
# load_conntrack_gre_module() - loads nf_conntrack_proto_gre kernel module
function load_conntrack_gre_module {
sudo modprobe nf_conntrack_proto_gre
load_module nf_conntrack_proto_gre False
}
+47 -36
View File
@@ -147,10 +147,6 @@ function _neutron_get_ext_gw_interface {
}
function create_neutron_initial_network {
local project_id
project_id=$(openstack project list | grep " demo " | get_field 1)
die_if_not_set $LINENO project_id "Failure retrieving project_id for demo"
# Allow drivers that need to create an initial network to do so here
if type -p neutron_plugin_create_initial_network_profile > /dev/null; then
neutron_plugin_create_initial_network_profile $PHYSICAL_NETWORK
@@ -170,15 +166,15 @@ function create_neutron_initial_network {
if is_provider_network; then
die_if_not_set $LINENO PHYSICAL_NETWORK "You must specify the PHYSICAL_NETWORK"
die_if_not_set $LINENO PROVIDER_NETWORK_TYPE "You must specify the PROVIDER_NETWORK_TYPE"
NET_ID=$(openstack --os-cloud devstack-admin --os-region "$REGION_NAME" network create $PHYSICAL_NETWORK --project $project_id --provider-network-type $PROVIDER_NETWORK_TYPE --provider-physical-network "$PHYSICAL_NETWORK" ${SEGMENTATION_ID:+--provider-segment $SEGMENTATION_ID} --share | grep ' id ' | get_field 2)
die_if_not_set $LINENO NET_ID "Failure creating NET_ID for $PHYSICAL_NETWORK $project_id"
NET_ID=$(openstack --os-cloud devstack-admin-demo --os-region "$REGION_NAME" network create $PHYSICAL_NETWORK --provider-network-type $PROVIDER_NETWORK_TYPE --provider-physical-network "$PHYSICAL_NETWORK" ${SEGMENTATION_ID:+--provider-segment $SEGMENTATION_ID} --share -f value -c id)
die_if_not_set $LINENO NET_ID "Failure creating NET_ID for $PHYSICAL_NETWORK"
if [[ "$IP_VERSION" =~ 4.* ]]; then
if [ -z $SUBNETPOOL_V4_ID ]; then
fixed_range_v4=$FIXED_RANGE
fi
SUBNET_ID=$(openstack --os-cloud devstack-admin --os-region "$REGION_NAME" subnet create --project $project_id --ip-version 4 ${ALLOCATION_POOL:+--allocation-pool $ALLOCATION_POOL} $PROVIDER_SUBNET_NAME --gateway $NETWORK_GATEWAY ${SUBNETPOOL_V4_ID:+--subnet-pool $SUBNETPOOL_V4_ID} --network $NET_ID ${fixed_range_v4:+--subnet-range $fixed_range_v4} | grep ' id ' | get_field 2)
die_if_not_set $LINENO SUBNET_ID "Failure creating SUBNET_ID for $PROVIDER_SUBNET_NAME $project_id"
SUBNET_ID=$(openstack --os-cloud devstack --os-region "$REGION_NAME" subnet create --ip-version 4 ${ALLOCATION_POOL:+--allocation-pool $ALLOCATION_POOL} $PROVIDER_SUBNET_NAME --gateway $NETWORK_GATEWAY ${SUBNETPOOL_V4_ID:+--subnet-pool $SUBNETPOOL_V4_ID} --network $NET_ID ${fixed_range_v4:+--subnet-range $fixed_range_v4} -f value -c id)
die_if_not_set $LINENO SUBNET_ID "Failure creating SUBNET_ID for $PROVIDER_SUBNET_NAME"
fi
if [[ "$IP_VERSION" =~ .*6 ]]; then
@@ -187,8 +183,8 @@ function create_neutron_initial_network {
if [ -z $SUBNETPOOL_V6_ID ]; then
fixed_range_v6=$IPV6_PROVIDER_FIXED_RANGE
fi
IPV6_SUBNET_ID=$(openstack --os-cloud devstack-admin --os-region "$REGION_NAME" subnet create --project $project_id --ip-version 6 --gateway $IPV6_PROVIDER_NETWORK_GATEWAY $IPV6_PROVIDER_SUBNET_NAME ${SUBNETPOOL_V6_ID:+--subnet-pool $SUBNETPOOL_V6_ID} --network $NET_ID ${fixed_range_v6:+--subnet-range $fixed_range_v6} | grep ' id ' | get_field 2)
die_if_not_set $LINENO IPV6_SUBNET_ID "Failure creating IPV6_SUBNET_ID for $IPV6_PROVIDER_SUBNET_NAME $project_id"
IPV6_SUBNET_ID=$(openstack --os-cloud devstack --os-region "$REGION_NAME" subnet create --ip-version 6 --gateway $IPV6_PROVIDER_NETWORK_GATEWAY $IPV6_PROVIDER_SUBNET_NAME ${SUBNETPOOL_V6_ID:+--subnet-pool $SUBNETPOOL_V6_ID} --network $NET_ID ${fixed_range_v6:+--subnet-range $fixed_range_v6} -f value -c id)
die_if_not_set $LINENO IPV6_SUBNET_ID "Failure creating IPV6_SUBNET_ID for $IPV6_PROVIDER_SUBNET_NAME"
fi
if [[ $Q_AGENT == "openvswitch" ]]; then
@@ -197,17 +193,17 @@ function create_neutron_initial_network {
sudo ip link set $PUBLIC_INTERFACE up
fi
else
NET_ID=$(openstack --os-cloud devstack-admin --os-region "$REGION_NAME" network create --project $project_id "$PRIVATE_NETWORK_NAME" | grep ' id ' | get_field 2)
die_if_not_set $LINENO NET_ID "Failure creating NET_ID for $PRIVATE_NETWORK_NAME $project_id"
NET_ID=$(openstack --os-cloud devstack --os-region "$REGION_NAME" network create "$PRIVATE_NETWORK_NAME" -f value -c id)
die_if_not_set $LINENO NET_ID "Failure creating NET_ID for $PRIVATE_NETWORK_NAME"
if [[ "$IP_VERSION" =~ 4.* ]]; then
# Create IPv4 private subnet
SUBNET_ID=$(_neutron_create_private_subnet_v4 $project_id)
SUBNET_ID=$(_neutron_create_private_subnet_v4)
fi
if [[ "$IP_VERSION" =~ .*6 ]]; then
# Create IPv6 private subnet
IPV6_SUBNET_ID=$(_neutron_create_private_subnet_v6 $project_id)
IPV6_SUBNET_ID=$(_neutron_create_private_subnet_v6)
fi
fi
@@ -215,12 +211,12 @@ function create_neutron_initial_network {
# Create a router, and add the private subnet as one of its interfaces
if [[ "$Q_L3_ROUTER_PER_TENANT" == "True" ]]; then
# create a tenant-owned router.
ROUTER_ID=$(openstack --os-cloud devstack-admin --os-region "$REGION_NAME" router create --project $project_id $Q_ROUTER_NAME | grep ' id ' | get_field 2)
die_if_not_set $LINENO ROUTER_ID "Failure creating ROUTER_ID for $project_id $Q_ROUTER_NAME"
ROUTER_ID=$(openstack --os-cloud devstack --os-region "$REGION_NAME" router create $Q_ROUTER_NAME -f value -c id)
die_if_not_set $LINENO ROUTER_ID "Failure creating router $Q_ROUTER_NAME"
else
# Plugin only supports creating a single router, which should be admin owned.
ROUTER_ID=$(openstack --os-cloud devstack-admin --os-region "$REGION_NAME" router create $Q_ROUTER_NAME | grep ' id ' | get_field 2)
die_if_not_set $LINENO ROUTER_ID "Failure creating ROUTER_ID for $Q_ROUTER_NAME"
ROUTER_ID=$(openstack --os-cloud devstack-admin --os-region "$REGION_NAME" router create $Q_ROUTER_NAME -f value -c id)
die_if_not_set $LINENO ROUTER_ID "Failure creating router $Q_ROUTER_NAME"
fi
EXTERNAL_NETWORK_FLAGS="--external"
@@ -229,9 +225,9 @@ function create_neutron_initial_network {
fi
# Create an external network, and a subnet. Configure the external network as router gw
if [ "$Q_USE_PROVIDERNET_FOR_PUBLIC" = "True" ]; then
EXT_NET_ID=$(openstack --os-cloud devstack-admin --os-region "$REGION_NAME" network create "$PUBLIC_NETWORK_NAME" $EXTERNAL_NETWORK_FLAGS --provider-network-type ${PUBLIC_PROVIDERNET_TYPE:-flat} ${PUBLIC_PROVIDERNET_SEGMENTATION_ID:+--provider-segment $PUBLIC_PROVIDERNET_SEGMENTATION_ID} --provider-physical-network ${PUBLIC_PHYSICAL_NETWORK} | grep ' id ' | get_field 2)
EXT_NET_ID=$(openstack --os-cloud devstack-admin --os-region "$REGION_NAME" network create "$PUBLIC_NETWORK_NAME" $EXTERNAL_NETWORK_FLAGS --provider-network-type ${PUBLIC_PROVIDERNET_TYPE:-flat} ${PUBLIC_PROVIDERNET_SEGMENTATION_ID:+--provider-segment $PUBLIC_PROVIDERNET_SEGMENTATION_ID} --provider-physical-network ${PUBLIC_PHYSICAL_NETWORK} -f value -c id)
else
EXT_NET_ID=$(openstack --os-cloud devstack-admin --os-region "$REGION_NAME" network create "$PUBLIC_NETWORK_NAME" $EXTERNAL_NETWORK_FLAGS | grep ' id ' | get_field 2)
EXT_NET_ID=$(openstack --os-cloud devstack-admin --os-region "$REGION_NAME" network create "$PUBLIC_NETWORK_NAME" $EXTERNAL_NETWORK_FLAGS -f value -c id)
fi
die_if_not_set $LINENO EXT_NET_ID "Failure creating EXT_NET_ID for $PUBLIC_NETWORK_NAME"
@@ -249,35 +245,32 @@ function create_neutron_initial_network {
# Create private IPv4 subnet
function _neutron_create_private_subnet_v4 {
local project_id=$1
if [ -z $SUBNETPOOL_V4_ID ]; then
fixed_range_v4=$FIXED_RANGE
fi
local subnet_params="--project $project_id "
subnet_params+="--ip-version 4 "
local subnet_params="--ip-version 4 "
if [[ -n "$NETWORK_GATEWAY" ]]; then
subnet_params+="--gateway $NETWORK_GATEWAY "
fi
subnet_params+="${SUBNETPOOL_V4_ID:+--subnet-pool $SUBNETPOOL_V4_ID} "
subnet_params+="${fixed_range_v4:+--subnet-range $fixed_range_v4} "
subnet_params+="--network $NET_ID $PRIVATE_SUBNET_NAME"
local subnet_id
subnet_id=$(openstack --os-cloud devstack-admin --os-region "$REGION_NAME" subnet create $subnet_params | grep ' id ' | get_field 2)
die_if_not_set $LINENO subnet_id "Failure creating private IPv4 subnet for $project_id"
subnet_id=$(openstack --os-cloud devstack-admin-demo --os-region "$REGION_NAME" subnet create $subnet_params -f value -c id)
die_if_not_set $LINENO subnet_id "Failure creating private IPv4 subnet"
echo $subnet_id
}
# Create private IPv6 subnet
function _neutron_create_private_subnet_v6 {
local project_id=$1
die_if_not_set $LINENO IPV6_RA_MODE "IPV6 RA Mode not set"
die_if_not_set $LINENO IPV6_ADDRESS_MODE "IPV6 Address Mode not set"
local ipv6_modes="--ipv6-ra-mode $IPV6_RA_MODE --ipv6-address-mode $IPV6_ADDRESS_MODE"
if [ -z $SUBNETPOOL_V6_ID ]; then
fixed_range_v6=$FIXED_RANGE_V6
fi
local subnet_params="--project $project_id "
subnet_params+="--ip-version 6 "
local subnet_params="--ip-version 6 "
if [[ -n "$IPV6_PRIVATE_NETWORK_GATEWAY" ]]; then
subnet_params+="--gateway $IPV6_PRIVATE_NETWORK_GATEWAY "
fi
@@ -285,8 +278,8 @@ function _neutron_create_private_subnet_v6 {
subnet_params+="${fixed_range_v6:+--subnet-range $fixed_range_v6} "
subnet_params+="$ipv6_modes --network $NET_ID $IPV6_PRIVATE_SUBNET_NAME "
local ipv6_subnet_id
ipv6_subnet_id=$(openstack --os-cloud devstack-admin --os-region "$REGION_NAME" subnet create $subnet_params | grep ' id ' | get_field 2)
die_if_not_set $LINENO ipv6_subnet_id "Failure creating private IPv6 subnet for $project_id"
ipv6_subnet_id=$(openstack --os-cloud devstack-admin-demo --os-region "$REGION_NAME" subnet create $subnet_params -f value -c id)
die_if_not_set $LINENO ipv6_subnet_id "Failure creating private IPv6 subnet"
echo $ipv6_subnet_id
}
@@ -319,7 +312,7 @@ function _neutron_create_public_subnet_v6 {
# Configure neutron router for IPv4 public access
function _neutron_configure_router_v4 {
openstack --os-cloud devstack-admin --os-region "$REGION_NAME" router add subnet $ROUTER_ID $SUBNET_ID
openstack --os-cloud devstack-admin-demo --os-region "$REGION_NAME" router add subnet $ROUTER_ID $SUBNET_ID
# Create a public subnet on the external network
local id_and_ext_gw_ip
id_and_ext_gw_ip=$(_neutron_create_public_subnet_v4 $EXT_NET_ID)
@@ -327,7 +320,7 @@ function _neutron_configure_router_v4 {
ext_gw_ip=$(echo $id_and_ext_gw_ip | get_field 2)
PUB_SUBNET_ID=$(echo $id_and_ext_gw_ip | get_field 5)
# Configure the external network as the default router gateway
openstack --os-cloud devstack-admin --os-region "$REGION_NAME" router set --external-gateway $EXT_NET_ID $ROUTER_ID
openstack --os-cloud devstack-admin-demo --os-region "$REGION_NAME" router set --external-gateway $EXT_NET_ID $ROUTER_ID
# This logic is specific to using OVN or the l3-agent for layer 3
if ([[ $Q_AGENT == "ovn" ]] && [[ "$OVN_L3_CREATE_PUBLIC_NETWORK" == "True" ]] && is_service_enabled q-svc neutron-server) || is_service_enabled q-l3 neutron-l3; then
@@ -363,7 +356,7 @@ function _neutron_configure_router_v4 {
# Configure neutron router for IPv6 public access
function _neutron_configure_router_v6 {
openstack --os-cloud devstack-admin --os-region "$REGION_NAME" router add subnet $ROUTER_ID $IPV6_SUBNET_ID
openstack --os-cloud devstack-admin-demo --os-region "$REGION_NAME" router add subnet $ROUTER_ID $IPV6_SUBNET_ID
# Create a public subnet on the external network
local ipv6_id_and_ext_gw_ip
ipv6_id_and_ext_gw_ip=$(_neutron_create_public_subnet_v6 $EXT_NET_ID)
@@ -375,7 +368,7 @@ function _neutron_configure_router_v6 {
# If the external network has not already been set as the default router
# gateway when configuring an IPv4 public subnet, do so now
if [[ "$IP_VERSION" == "6" ]]; then
openstack --os-cloud devstack-admin --os-region "$REGION_NAME" router set --external-gateway $EXT_NET_ID $ROUTER_ID
openstack --os-cloud devstack-admin-demo --os-region "$REGION_NAME" router set --external-gateway $EXT_NET_ID $ROUTER_ID
fi
# This logic is specific to using OVN or the l3-agent for layer 3
@@ -396,7 +389,13 @@ function _neutron_configure_router_v6 {
sudo sysctl -w net.ipv6.conf.all.forwarding=1
# Configure and enable public bridge
# Override global IPV6_ROUTER_GW_IP with the true value from neutron
IPV6_ROUTER_GW_IP=$(openstack --os-cloud devstack-admin --os-region "$REGION_NAME" port list -c 'Fixed IP Addresses' | grep $ipv6_pub_subnet_id | awk -F'ip_address' '{ print $2 }' | cut -f2 -d\' | tr '\n' ' ')
# NOTE(slaweq): when enforce scopes is enabled in Neutron, router's
# gateway ports aren't visible in API because such ports don't belongs
# to any tenant. Because of that, at least temporary we need to find
# IPv6 address of the router's gateway in a bit different way.
# It can be reverted when bug
# https://bugs.launchpad.net/neutron/+bug/1959332 will be fixed
IPV6_ROUTER_GW_IP=$(openstack --os-cloud devstack-admin-demo --os-region "$REGION_NAME" router show $ROUTER_ID -c external_gateway_info -f json | grep -C 1 $ipv6_pub_subnet_id | grep ip_address | awk '{print $2}' | tr -d '"')
die_if_not_set $LINENO IPV6_ROUTER_GW_IP "Failure retrieving IPV6_ROUTER_GW_IP"
if is_neutron_ovs_base_plugin; then
@@ -404,7 +403,10 @@ function _neutron_configure_router_v6 {
ext_gw_interface=$(_neutron_get_ext_gw_interface)
local ipv6_cidr_len=${IPV6_PUBLIC_RANGE#*/}
# Configure interface for public bridge
# Configure interface for public bridge by setting the interface
# to "up" in case the job is running entirely private network based
# testing.
sudo ip link set $ext_gw_interface up
sudo ip -6 addr replace $ipv6_ext_gw_ip/$ipv6_cidr_len dev $ext_gw_interface
# Any IPv6 private subnet that uses the default IPV6 subnet pool
# and that is plugged into the default router (Q_ROUTER_NAME) will
@@ -427,3 +429,12 @@ function is_networking_extension_supported {
EXT_LIST=$(openstack --os-cloud devstack-admin --os-region "$REGION_NAME" extension list --network -c Alias -f value)
[[ $EXT_LIST =~ $extension ]] && return 0
}
function plugin_agent_add_l3_agent_extension {
local l3_agent_extension=$1
if [[ -z "$L3_AGENT_EXTENSIONS" ]]; then
L3_AGENT_EXTENSIONS=$l3_agent_extension
elif [[ ! ,${L3_AGENT_EXTENSIONS}, =~ ,${l3_agent_extension}, ]]; then
L3_AGENT_EXTENSIONS+=",$l3_agent_extension"
fi
}
+21
View File
@@ -0,0 +1,21 @@
#!/bin/bash
function configure_placement_service_plugin {
neutron_service_plugin_class_add "placement"
}
function configure_placement_neutron {
iniset $NEUTRON_CONF placement auth_type "$NEUTRON_PLACEMENT_AUTH_TYPE"
iniset $NEUTRON_CONF placement auth_url "$KEYSTONE_SERVICE_URI"
iniset $NEUTRON_CONF placement username "$NEUTRON_PLACEMENT_USERNAME"
iniset $NEUTRON_CONF placement password "$SERVICE_PASSWORD"
iniset $NEUTRON_CONF placement user_domain_name "$SERVICE_DOMAIN_NAME"
iniset $NEUTRON_CONF placement project_name "$SERVICE_TENANT_NAME"
iniset $NEUTRON_CONF placement project_domain_name "$SERVICE_DOMAIN_NAME"
iniset $NEUTRON_CONF placement region_name "$REGION_NAME"
}
function configure_placement_extension {
configure_placement_service_plugin
configure_placement_neutron
}
+30
View File
@@ -0,0 +1,30 @@
#!/bin/bash
function configure_qos_service_plugin {
neutron_service_plugin_class_add "qos"
}
function configure_qos_core_plugin {
configure_qos_$NEUTRON_CORE_PLUGIN
}
function configure_qos_l2_agent {
plugin_agent_add_l2_agent_extension "qos"
}
function configure_qos {
configure_qos_service_plugin
configure_qos_core_plugin
configure_qos_l2_agent
}
function configure_l3_agent_extension_fip_qos {
plugin_agent_add_l3_agent_extension "fip_qos"
}
function configure_l3_agent_extension_gateway_ip_qos {
plugin_agent_add_l3_agent_extension "gateway_ip_qos"
}
+5
View File
@@ -0,0 +1,5 @@
#!/bin/bash
function configure_trunk_extension {
neutron_service_plugin_class_add "trunk"
}
+85 -21
View File
@@ -103,24 +103,10 @@ FORCE_CONFIG_DRIVE=${FORCE_CONFIG_DRIVE:-"False"}
# The following NOVA_FILTERS contains SameHostFilter and DifferentHostFilter with
# the default filters.
NOVA_FILTERS="AvailabilityZoneFilter,ComputeFilter,ComputeCapabilitiesFilter,ImagePropertiesFilter,ServerGroupAntiAffinityFilter,ServerGroupAffinityFilter,SameHostFilter,DifferentHostFilter"
NOVA_FILTERS="ComputeFilter,ComputeCapabilitiesFilter,ImagePropertiesFilter,ServerGroupAntiAffinityFilter,ServerGroupAffinityFilter,SameHostFilter,DifferentHostFilter"
QEMU_CONF=/etc/libvirt/qemu.conf
# Set default defaults here as some hypervisor drivers override these
PUBLIC_INTERFACE_DEFAULT=br100
# Set ``GUEST_INTERFACE_DEFAULT`` to some interface on the box so that
# the default isn't completely crazy. This will match ``eth*``, ``em*``, or
# the new ``p*`` interfaces, then basically picks the first
# alphabetically. It's probably wrong, however it's less wrong than
# always using ``eth0`` which doesn't exist on new Linux distros at all.
GUEST_INTERFACE_DEFAULT=$(ip link \
| grep 'state UP' \
| awk '{print $2}' \
| sed 's/://' \
| grep ^[ep] \
| head -1)
# ``NOVA_VNC_ENABLED`` can be used to forcibly enable VNC configuration.
# In multi-node setups allows compute hosts to not run ``n-novnc``.
NOVA_VNC_ENABLED=$(trueorfalse False NOVA_VNC_ENABLED)
@@ -159,6 +145,9 @@ NOVA_NOTIFICATION_FORMAT=${NOVA_NOTIFICATION_FORMAT:-unversioned}
# image in devstack is CirrOS.
NOVA_SHUTDOWN_TIMEOUT=${NOVA_SHUTDOWN_TIMEOUT:-0}
# Whether to use Keystone unified limits instead of legacy quota limits.
NOVA_USE_UNIFIED_LIMITS=$(trueorfalse False NOVA_USE_UNIFIED_LIMITS)
# Functions
# ---------
@@ -233,6 +222,10 @@ function cleanup_nova {
stop_process "n-api-meta"
remove_uwsgi_config "$NOVA_UWSGI_CONF" "$NOVA_UWSGI"
remove_uwsgi_config "$NOVA_METADATA_UWSGI_CONF" "$NOVA_METADATA_UWSGI"
if [[ "$NOVA_BACKEND" == "LVM" ]]; then
clean_lvm_volume_group $DEFAULT_VOLUME_GROUP_NAME
fi
}
# configure_nova() - Set config files, create data dirs, etc
@@ -260,7 +253,8 @@ function configure_nova {
if [ ! -e /dev/kvm ]; then
echo "WARNING: Switching to QEMU"
LIBVIRT_TYPE=qemu
LIBVIRT_CPU_MODE=none
LIBVIRT_CPU_MODE=custom
LIBVIRT_CPU_MODEL=Nehalem
if which selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
# https://bugzilla.redhat.com/show_bug.cgi?id=753589
sudo setsebool virt_use_execmem on
@@ -298,6 +292,9 @@ function configure_nova {
fi
fi
# Ensure each compute host uses a unique iSCSI initiator
echo InitiatorName=$(iscsi-iname) | sudo tee /etc/iscsi/initiatorname.iscsi
if [[ ${ISCSID_DEBUG} == "True" ]]; then
# Install an override that starts iscsid with debugging
# enabled.
@@ -311,6 +308,10 @@ EOF
sudo systemctl daemon-reload
fi
# set chap algorithms. The default chap_algorithm is md5 which will
# not work under FIPS.
iniset -sudo /etc/iscsi/iscsid.conf DEFAULT "node.session.auth.chap_algs" "SHA3-256,SHA256"
# ensure that iscsid is started, even when disabled by default
restart_service iscsid
fi
@@ -378,6 +379,13 @@ function create_nova_accounts {
"http://$SERVICE_HOST:$S3_SERVICE_PORT" \
"http://$SERVICE_HOST:$S3_SERVICE_PORT"
fi
# Unified limits
if is_service_enabled n-api; then
if [[ "$NOVA_USE_UNIFIED_LIMITS" = True ]]; then
configure_nova_unified_limits
fi
fi
}
# create_nova_conf() - Create a new nova.conf file
@@ -475,7 +483,8 @@ function create_nova_conf {
fi
# nova defaults to genisoimage but only mkisofs is available for 15.0+
if is_suse; then
# rhel provides mkisofs symlink to genisoimage or xorriso appropiately
if is_suse || is_fedora; then
iniset $NOVA_CONF DEFAULT mkisofs_cmd /usr/bin/mkisofs
fi
@@ -484,8 +493,13 @@ function create_nova_conf {
iniset $NOVA_CONF upgrade_levels compute "auto"
write_uwsgi_config "$NOVA_UWSGI_CONF" "$NOVA_UWSGI" "/compute"
write_uwsgi_config "$NOVA_METADATA_UWSGI_CONF" "$NOVA_METADATA_UWSGI" "" "$SERVICE_LISTEN_ADDRESS:${METADATA_SERVICE_PORT}"
if is_service_enabled n-api; then
write_uwsgi_config "$NOVA_UWSGI_CONF" "$NOVA_UWSGI" "/compute"
fi
if is_service_enabled n-api-meta; then
write_uwsgi_config "$NOVA_METADATA_UWSGI_CONF" "$NOVA_METADATA_UWSGI" "" "$SERVICE_LISTEN_ADDRESS:${METADATA_SERVICE_PORT}"
fi
if is_service_enabled ceilometer; then
iniset $NOVA_CONF DEFAULT instance_usage_audit "True"
@@ -713,6 +727,53 @@ function configure_console_proxies {
fi
}
function configure_nova_unified_limits {
# Registered limit resources in keystone are system-specific resources.
# Make sure we use a system-scoped token to interact with this API.
# Default limits here mirror the legacy config-based default values.
# Note: disk quota is new in nova as of unified limits.
openstack --os-cloud devstack-system-admin registered limit create \
--service nova --default-limit 10 --region $REGION_NAME servers
openstack --os-cloud devstack-system-admin registered limit create \
--service nova --default-limit 20 --region $REGION_NAME class:VCPU
openstack --os-cloud devstack-system-admin registered limit create \
--service nova --default-limit $((50 * 1024)) --region $REGION_NAME class:MEMORY_MB
openstack --os-cloud devstack-system-admin registered limit create \
--service nova --default-limit 20 --region $REGION_NAME class:DISK_GB
openstack --os-cloud devstack-system-admin registered limit create \
--service nova --default-limit 128 --region $REGION_NAME server_metadata_items
openstack --os-cloud devstack-system-admin registered limit create \
--service nova --default-limit 5 --region $REGION_NAME server_injected_files
openstack --os-cloud devstack-system-admin registered limit create \
--service nova --default-limit 10240 --region $REGION_NAME server_injected_file_content_bytes
openstack --os-cloud devstack-system-admin registered limit create \
--service nova --default-limit 255 --region $REGION_NAME server_injected_file_path_bytes
openstack --os-cloud devstack-system-admin registered limit create \
--service nova --default-limit 100 --region $REGION_NAME server_key_pairs
openstack --os-cloud devstack-system-admin registered limit create \
--service nova --default-limit 10 --region $REGION_NAME server_groups
openstack --os-cloud devstack-system-admin registered limit create \
--service nova --default-limit 10 --region $REGION_NAME server_group_members
# Tell nova to use these limits
iniset $NOVA_CONF quota driver "nova.quota.UnifiedLimitsDriver"
# Configure oslo_limit so it can talk to keystone
iniset $NOVA_CONF oslo_limit user_domain_name $SERVICE_DOMAIN_NAME
iniset $NOVA_CONF oslo_limit password $SERVICE_PASSWORD
iniset $NOVA_CONF oslo_limit username nova
iniset $NOVA_CONF oslo_limit auth_type password
iniset $NOVA_CONF oslo_limit auth_url $KEYSTONE_SERVICE_URI
iniset $NOVA_CONF oslo_limit system_scope all
iniset $NOVA_CONF oslo_limit endpoint_id \
$(openstack endpoint list --service nova -f value -c ID)
# Allow the nova service user to read quotas
openstack --os-cloud devstack-system-admin role add --user nova \
--user-domain $SERVICE_DOMAIN_NAME --system all reader
}
function init_nova_service_user_conf {
iniset $NOVA_CONF service_user send_service_user_token True
iniset $NOVA_CONF service_user auth_type password
@@ -827,7 +888,7 @@ function install_nova {
NOVNC_WEB_DIR=/usr/share/novnc
install_package novnc
else
NOVNC_WEB_DIR=$DEST/noVNC
NOVNC_WEB_DIR=$DEST/novnc
git_clone $NOVNC_REPO $NOVNC_WEB_DIR $NOVNC_BRANCH
fi
fi
@@ -921,6 +982,10 @@ function start_nova_compute {
# by the compute process.
configure_console_compute
# Set rebuild timeout longer for BFV instances because we likely have
# slower disk than expected. Default is 20s/GB
iniset $NOVA_CPU_CONF DEFAULT reimage_timeout_per_gb 60
# Configure the OVSDB connection for os-vif
if [ -n "$OVSDB_SERVER_LOCAL_HOST" ]; then
iniset $NOVA_CPU_CONF os_vif_ovs ovsdb_connection "tcp:$OVSDB_SERVER_LOCAL_HOST:6640"
@@ -966,7 +1031,6 @@ function start_nova_rest {
local old_path=$PATH
export PATH=$NOVA_BIN_DIR:$PATH
local api_cell_conf=$NOVA_CONF
local compute_cell_conf=$NOVA_CONF
run_process n-sch "$NOVA_BIN_DIR/nova-scheduler --config-file $compute_cell_conf"
+1 -1
View File
@@ -90,7 +90,7 @@ function install_libvirt {
install_package libvirt libvirt-devel python3-libvirt
if is_arch "aarch64"; then
install_package edk2.git-aarch64
install_package edk2-aarch64
fi
fi
+3
View File
@@ -40,6 +40,9 @@ function configure_nova_hypervisor {
configure_libvirt
iniset $NOVA_CONF libvirt virt_type "$LIBVIRT_TYPE"
iniset $NOVA_CONF libvirt cpu_mode "$LIBVIRT_CPU_MODE"
if [ "$LIBVIRT_CPU_MODE" == "custom" ] ; then
iniset $NOVA_CONF libvirt cpu_model "$LIBVIRT_CPU_MODEL"
fi
# Do not enable USB tablet input devices to avoid QEMU CPU overhead.
iniset $NOVA_CONF DEFAULT pointer_model "ps2mouse"
iniset $NOVA_CONF libvirt live_migration_uri "qemu+ssh://$STACK_USER@%s/system"
+20 -36
View File
@@ -179,12 +179,9 @@ function is_swift_enabled {
# cleanup_swift() - Remove residual data files
function cleanup_swift {
rm -f ${SWIFT_CONF_DIR}{*.builder,*.ring.gz,backups/*.builder,backups/*.ring.gz}
if egrep -q ${SWIFT_DATA_DIR}/drives/sdb1 /proc/mounts; then
sudo umount ${SWIFT_DATA_DIR}/drives/sdb1
fi
if [[ -e ${SWIFT_DISK_IMAGE} ]]; then
rm ${SWIFT_DISK_IMAGE}
fi
destroy_disk ${SWIFT_DISK_IMAGE} ${SWIFT_DATA_DIR}/drives/sdb1
rm -rf ${SWIFT_DATA_DIR}/run/
if [ "$SWIFT_USE_MOD_WSGI" == "True" ]; then
_cleanup_swift_apache_wsgi
@@ -405,6 +402,11 @@ function configure_swift {
# Versioned Writes
iniset ${SWIFT_CONFIG_PROXY_SERVER} filter:versioned_writes allow_versioned_writes true
# Add sha1 temporary https://storyboard.openstack.org/#!/story/2010068
if [[ "$SWIFT_ENABLE_TEMPURLS" == "True" ]]; then
iniset ${SWIFT_CONFIG_PROXY_SERVER} filter:tempurl allowed_digests "sha1 sha256 sha512"
fi
# Configure Ceilometer
if is_service_enabled ceilometer; then
iniset ${SWIFT_CONFIG_PROXY_SERVER} filter:ceilometer "set log_level" "WARN"
@@ -430,7 +432,7 @@ function configure_swift {
swift_pipeline+=" authtoken"
if is_service_enabled s3api;then
swift_pipeline+=" s3token"
iniset ${SWIFT_CONFIG_PROXY_SERVER} filter:s3token auth_uri ${KEYSTONE_AUTH_URI_V3}
iniset ${SWIFT_CONFIG_PROXY_SERVER} filter:s3token auth_uri ${KEYSTONE_SERVICE_URI_V3}
iniset ${SWIFT_CONFIG_PROXY_SERVER} filter:s3token delay_auth_decision true
fi
swift_pipeline+=" keystoneauth"
@@ -521,7 +523,7 @@ function configure_swift {
local auth_vers
auth_vers=$(iniget ${testfile} func_test auth_version)
iniset ${testfile} func_test auth_host ${KEYSTONE_SERVICE_HOST}
if [[ "$KEYSTONE_AUTH_PROTOCOL" == "https" ]]; then
if [[ "$KEYSTONE_SERVICE_PROTOCOL" == "https" ]]; then
iniset ${testfile} func_test auth_port 443
else
iniset ${testfile} func_test auth_port 80
@@ -575,28 +577,7 @@ function create_swift_disk {
sudo install -d -o ${STACK_USER} -g ${user_group} ${SWIFT_DATA_DIR}/{drives,cache,run,logs}
# Create a loopback disk and format it to XFS.
if [[ -e ${SWIFT_DISK_IMAGE} ]]; then
if egrep -q ${SWIFT_DATA_DIR}/drives/sdb1 /proc/mounts; then
sudo umount ${SWIFT_DATA_DIR}/drives/sdb1
sudo rm -f ${SWIFT_DISK_IMAGE}
fi
fi
mkdir -p ${SWIFT_DATA_DIR}/drives/images
sudo touch ${SWIFT_DISK_IMAGE}
sudo chown ${STACK_USER}: ${SWIFT_DISK_IMAGE}
truncate -s ${SWIFT_LOOPBACK_DISK_SIZE} ${SWIFT_DISK_IMAGE}
# Make a fresh XFS filesystem
/sbin/mkfs.xfs -f -i size=1024 ${SWIFT_DISK_IMAGE}
# Mount the disk with mount options to make it as efficient as possible
mkdir -p ${SWIFT_DATA_DIR}/drives/sdb1
if ! egrep -q ${SWIFT_DATA_DIR}/drives/sdb1 /proc/mounts; then
sudo mount -t xfs -o loop,noatime,nodiratime,logbufs=8 \
${SWIFT_DISK_IMAGE} ${SWIFT_DATA_DIR}/drives/sdb1
fi
create_disk ${SWIFT_DISK_IMAGE} ${SWIFT_DATA_DIR}/drives/sdb1 ${SWIFT_LOOPBACK_DISK_SIZE}
# Create a link to the above mount and
# create all of the directories needed to emulate a few different servers
@@ -866,12 +847,15 @@ function stop_swift {
function swift_configure_tempurls {
# note we are using swift credentials!
OS_USERNAME=swift \
OS_PASSWORD=$SERVICE_PASSWORD \
OS_USER_DOMAIN_NAME=$SERVICE_DOMAIN_NAME \
OS_PROJECT_NAME=$SERVICE_PROJECT_NAME \
OS_PROJECT_DOMAIN_NAME=$SERVICE_DOMAIN_NAME \
openstack object store account \
openstack --os-cloud "" \
--os-region-name $REGION_NAME \
--os-auth-url $KEYSTONE_SERVICE_URI \
--os-username=swift \
--os-password=$SERVICE_PASSWORD \
--os-user-domain-name=$SERVICE_DOMAIN_NAME \
--os-project-name=$SERVICE_PROJECT_NAME \
--os-project-domain-name=$SERVICE_DOMAIN_NAME \
object store account \
set --property "Temp-URL-Key=$SWIFT_TEMPURL_KEY"
}
+154 -23
View File
@@ -58,7 +58,7 @@ BUILD_TIMEOUT=${BUILD_TIMEOUT:-196}
# This must be False on stable branches, as master tempest
# deps do not match stable branch deps. Set this to True to
# have tempest installed in DevStack by default.
INSTALL_TEMPEST=${INSTALL_TEMPEST:-"True"}
INSTALL_TEMPEST=${INSTALL_TEMPEST:-"False"}
# This variable is passed directly to pip install inside the common tox venv
# that is created
@@ -71,6 +71,17 @@ TEMPEST_VOLUME_VENDOR=${TEMPEST_VOLUME_VENDOR:-$TEMPEST_DEFAULT_VOLUME_VENDOR}
TEMPEST_DEFAULT_STORAGE_PROTOCOL="iSCSI"
TEMPEST_STORAGE_PROTOCOL=${TEMPEST_STORAGE_PROTOCOL:-$TEMPEST_DEFAULT_STORAGE_PROTOCOL}
# Glance/Image variables
# When Glance image import is enabled, image creation is asynchronous and images
# may not yet be active when tempest looks for them. In that case, we poll
# Glance every TEMPEST_GLANCE_IMPORT_POLL_INTERVAL seconds for the number of
# times specified by TEMPEST_GLANCE_IMPORT_POLL_LIMIT. If you are importing
# multiple images, set TEMPEST_GLANCE_IMAGE_COUNT so the poller does not quit
# too early (though it will not exceed the polling limit).
TEMPEST_GLANCE_IMPORT_POLL_INTERVAL=${TEMPEST_GLANCE_IMPORT_POLL_INTERVAL:-1}
TEMPEST_GLANCE_IMPORT_POLL_LIMIT=${TEMPEST_GLANCE_IMPORT_POLL_LIMIT:-12}
TEMPEST_GLANCE_IMAGE_COUNT=${TEMPEST_GLANCE_IMAGE_COUNT:-1}
# Neutron/Network variables
IPV6_ENABLED=$(trueorfalse True IPV6_ENABLED)
IPV6_SUBNET_ATTRIBUTES_ENABLED=$(trueorfalse True IPV6_SUBNET_ATTRIBUTES_ENABLED)
@@ -90,7 +101,6 @@ TEMPEST_USE_TEST_ACCOUNTS=$(trueorfalse False TEMPEST_USE_TEST_ACCOUNTS)
# it will run tempest with
TEMPEST_CONCURRENCY=${TEMPEST_CONCURRENCY:-$(nproc)}
# Functions
# ---------
@@ -115,7 +125,16 @@ function set_tempest_venv_constraints {
local tmp_c
tmp_c=$1
if [[ $TEMPEST_VENV_UPPER_CONSTRAINTS == "master" ]]; then
(cd $REQUIREMENTS_DIR && git show origin/master:upper-constraints.txt) > $tmp_c
(cd $REQUIREMENTS_DIR &&
git show master:upper-constraints.txt 2>/dev/null ||
git show origin/master:upper-constraints.txt) > $tmp_c
# NOTE(gmann): we need to set the below env var pointing to master
# constraints even that is what default in tox.ini. Otherwise it can
# create the issue for grenade run where old and new devstack can have
# different tempest (old and master) to install. For detail problem,
# refer to the https://bugs.launchpad.net/devstack/+bug/2003993
export UPPER_CONSTRAINTS_FILE=https://releases.openstack.org/constraints/upper/master
export TOX_CONSTRAINTS_FILE=https://releases.openstack.org/constraints/upper/master
else
echo "Using $TEMPEST_VENV_UPPER_CONSTRAINTS constraints in Tempest virtual env."
cat $TEMPEST_VENV_UPPER_CONSTRAINTS > $tmp_c
@@ -126,6 +145,48 @@ function set_tempest_venv_constraints {
fi
}
# Makes a call to glance to get a list of active images, ignoring
# ramdisk and kernel images. Takes 3 arguments, an array and two
# variables. The array will contain the list of active image UUIDs;
# if an image with ``DEFAULT_IMAGE_NAME`` is found, its UUID will be
# set as the value of *both* other parameters.
function get_active_images {
declare -n img_array=$1
declare -n img_id=$2
declare -n img_id_alt=$3
# start with a fresh array in case we are called multiple times
img_array=()
while read -r IMAGE_NAME IMAGE_UUID; do
if [ "$IMAGE_NAME" = "$DEFAULT_IMAGE_NAME" ]; then
img_id="$IMAGE_UUID"
img_id_alt="$IMAGE_UUID"
fi
img_array+=($IMAGE_UUID)
done < <(openstack --os-cloud devstack-admin image list --property status=active | awk -F'|' '!/^(+--)|ID|aki|ari/ { print $3,$2 }')
}
function poll_glance_images {
declare -n image_array=$1
declare -n image_id=$2
declare -n image_id_alt=$3
local -i poll_count
poll_count=$TEMPEST_GLANCE_IMPORT_POLL_LIMIT
while (( poll_count-- > 0 )) ; do
sleep $TEMPEST_GLANCE_IMPORT_POLL_INTERVAL
get_active_images image_array image_id image_id_alt
if (( ${#image_array[*]} >= $TEMPEST_GLANCE_IMAGE_COUNT )) ; then
return
fi
done
local msg
msg="Polling limit of $TEMPEST_GLANCE_IMPORT_POLL_LIMIT exceeded; "
msg+="poll interval was $TEMPEST_GLANCE_IMPORT_POLL_INTERVAL sec"
warn $LINENO "$msg"
}
# configure_tempest() - Set config files, create data dirs, etc
function configure_tempest {
if [[ "$INSTALL_TEMPEST" == "True" ]]; then
@@ -167,13 +228,21 @@ function configure_tempest {
declare -a images
if is_service_enabled glance; then
while read -r IMAGE_NAME IMAGE_UUID; do
if [ "$IMAGE_NAME" = "$DEFAULT_IMAGE_NAME" ]; then
image_uuid="$IMAGE_UUID"
image_uuid_alt="$IMAGE_UUID"
get_active_images images image_uuid image_uuid_alt
if (( ${#images[*]} < $TEMPEST_GLANCE_IMAGE_COUNT )); then
# Glance image import is asynchronous and may be configured
# to do image conversion. If image import is being used,
# it's possible that this code is being executed before the
# import has completed and there may be no active images yet.
if [[ "$GLANCE_USE_IMPORT_WORKFLOW" == "True" ]]; then
poll_glance_images images image_uuid image_uuid_alt
if (( ${#images[*]} < $TEMPEST_GLANCE_IMAGE_COUNT )); then
echo "Only found ${#images[*]} image(s), was looking for $TEMPEST_GLANCE_IMAGE_COUNT"
exit 1
fi
fi
images+=($IMAGE_UUID)
done < <(openstack --os-cloud devstack-admin image list --property status=active | awk -F'|' '!/^(+--)|ID|aki|ari/ { print $3,$2 }')
fi
case "${#images[*]}" in
0)
@@ -287,8 +356,8 @@ function configure_tempest {
if [[ "$NEUTRON_CREATE_INITIAL_NETWORKS" == "True" ]] && is_networking_extension_supported 'external-net'; then
public_network_id=$(openstack --os-cloud devstack-admin network show -f value -c id $PUBLIC_NETWORK_NAME)
# make sure shared network presence does not confuses the tempest tests
openstack --os-cloud devstack-admin network create --share shared
openstack --os-cloud devstack-admin subnet create --description shared-subnet --subnet-range ${TEMPEST_SHARED_POOL:-192.168.233.0/24} --network shared shared-subnet
openstack --os-cloud devstack-admin --os-region "$REGION_NAME" network create --share shared
openstack --os-cloud devstack-admin --os-region "$REGION_NAME" subnet create --description shared-subnet --subnet-range ${TEMPEST_SHARED_POOL:-192.168.233.0/24} --network shared shared-subnet
fi
iniset $TEMPEST_CONFIG DEFAULT use_syslog $SYSLOG
@@ -393,7 +462,7 @@ function configure_tempest {
# NOTE- To avoid microversion tests failure on stable branch, we need to change "tempest_compute_max_microversion"
# for stable branch on each release which should be changed from "latest" to max supported version of that release.
local tempest_compute_min_microversion=${TEMPEST_COMPUTE_MIN_MICROVERSION:-None}
local tempest_compute_max_microversion=${TEMPEST_COMPUTE_MAX_MICROVERSION:-"latest"}
local tempest_compute_max_microversion=${TEMPEST_COMPUTE_MAX_MICROVERSION:-"2.93"}
# Reset microversions to None where v2.0 is running which does not support microversion.
# Both "None" means no microversion testing.
if [[ "$TEMPEST_COMPUTE_TYPE" == "compute_legacy" ]]; then
@@ -443,6 +512,8 @@ function configure_tempest {
iniset $TEMPEST_CONFIG network-feature-enabled ipv6_subnet_attributes "$IPV6_SUBNET_ATTRIBUTES_ENABLED"
iniset $TEMPEST_CONFIG network-feature-enabled port_security $NEUTRON_PORT_SECURITY
iniset $TEMPEST_CONFIG enforce_scope neutron "$NEUTRON_ENFORCE_SCOPE"
# Scenario
SCENARIO_IMAGE_DIR=${SCENARIO_IMAGE_DIR:-$FILES}
SCENARIO_IMAGE_FILE=$DEFAULT_IMAGE_FILE_NAME
@@ -484,7 +555,7 @@ function configure_tempest {
fi
iniset $TEMPEST_CONFIG volume-feature-enabled volume_revert $(trueorfalse False TEMPEST_VOLUME_REVERT_TO_SNAPSHOT)
local tempest_volume_min_microversion=${TEMPEST_VOLUME_MIN_MICROVERSION:-None}
local tempest_volume_max_microversion=${TEMPEST_VOLUME_MAX_MICROVERSION:-"latest"}
local tempest_volume_max_microversion=${TEMPEST_VOLUME_MAX_MICROVERSION:-"3.70"}
if [ "$tempest_volume_min_microversion" == "None" ]; then
inicomment $TEMPEST_CONFIG volume min_microversion
else
@@ -533,13 +604,17 @@ function configure_tempest {
iniset $TEMPEST_CONFIG volume storage_protocol "$TEMPEST_STORAGE_PROTOCOL"
fi
if [[ $ENABLE_VOLUME_MULTIATTACH == "True" ]]; then
iniset $TEMPEST_CONFIG volume volume_type_multiattach $VOLUME_TYPE_MULTIATTACH
fi
# Placement Features
# Set the microversion range for placement.
# Setting [None, latest] range of microversion which allow Tempest to run all microversions tests.
# NOTE- To avoid microversion tests failure on stable branch, we need to change "tempest_placement_max_microversion"
# for stable branch on each release which should be changed from "latest" to max supported version of that release.
local tempest_placement_min_microversion=${TEMPEST_PLACEMENT_MIN_MICROVERSION:-None}
local tempest_placement_max_microversion=${TEMPEST_PLACEMENT_MAX_MICROVERSION:-"latest"}
local tempest_placement_max_microversion=${TEMPEST_PLACEMENT_MAX_MICROVERSION:-"1.39"}
if [ "$tempest_placement_min_microversion" == "None" ]; then
inicomment $TEMPEST_CONFIG placement min_microversion
else
@@ -600,9 +675,23 @@ function configure_tempest {
fi
done
iniset $TEMPEST_CONFIG enforce_scope glance "$GLANCE_ENFORCE_SCOPE"
# ``enforce_scope``
# If services enable the enforce_scope for their policy
# we need to enable the same on Tempest side so that
# test can be run with scoped token.
if [[ "$KEYSTONE_ENFORCE_SCOPE" == True || "$ENFORCE_SCOPE" == True ]] ; then
iniset $TEMPEST_CONFIG enforce_scope keystone true
iniset $TEMPEST_CONFIG auth admin_system 'all'
iniset $TEMPEST_CONFIG auth admin_project_name ''
fi
iniset $TEMPEST_CONFIG enforce_scope cinder "$CINDER_ENFORCE_SCOPE"
if [[ "$GLANCE_ENFORCE_SCOPE" == True || "$ENFORCE_SCOPE" == True ]] ; then
iniset $TEMPEST_CONFIG enforce_scope glance true
fi
if [[ "$CINDER_ENFORCE_SCOPE" == True || "$ENFORCE_SCOPE" == True ]] ; then
iniset $TEMPEST_CONFIG enforce_scope cinder true
fi
if [ "$VIRT_DRIVER" = "libvirt" ] && [ "$LIBVIRT_TYPE" = "lxc" ]; then
# libvirt-lxc does not support boot from volume or attaching volumes
@@ -617,13 +706,13 @@ function configure_tempest {
local tmp_cfg_file
tmp_cfg_file=$(mktemp)
cd $TEMPEST_DIR
if [[ "$OFFLINE" != "True" ]]; then
tox -revenv-tempest --notest
fi
local tmp_u_c_m
tmp_u_c_m=$(mktemp -t tempest_u_c_m.XXXXXXXXXX)
set_tempest_venv_constraints $tmp_u_c_m
if [[ "$OFFLINE" != "True" ]]; then
tox -revenv-tempest --notest
fi
tox -evenv-tempest -- pip install -c $tmp_u_c_m -r requirements.txt
rm -f $tmp_u_c_m
@@ -660,7 +749,30 @@ function configure_tempest {
DISABLE_NETWORK_API_EXTENSIONS+=", l3_agent_scheduler"
fi
local network_api_extensions=${NETWORK_API_EXTENSIONS:-"all"}
DEFAULT_NET_EXT="address-scope,agent,allowed-address-pairs,auto-allocated-topology"
DEFAULT_NET_EXT+=",availability_zone,binding,default-subnetpools,dhcp_agent_scheduler"
DEFAULT_NET_EXT+=",dvr,ext-gw-mode,external-net,extra_dhcp_opt,extraroute,flavors"
DEFAULT_NET_EXT+=",l3-flavors,l3-ha,l3_agent_scheduler,multi-provider,net-mtu"
DEFAULT_NET_EXT+=",network-ip-availability,network_availability_zone,pagination"
DEFAULT_NET_EXT+=",port-security,project-id,provider,quotas,quota_details,rbac-policies"
DEFAULT_NET_EXT+=",revision-if-match,router,router_availability_zone,security-group,service-type,sorting"
DEFAULT_NET_EXT+=",standard-attr-description,standard-attr-revisions,standard-attr-tag,standard-attr-timestamp"
DEFAULT_NET_EXT+=",subnet-service-types,subnet_allocation,net-mtu-writable,ip-substring-filtering"
DEFAULT_NET_EXT+=",availability_zone_filter,filter-validation,empty-string-filtering,port-mac-address-regenerate"
DEFAULT_NET_EXT+=",port-security-groups-filtering,fip-port-details,binding-extended"
DEFAULT_NET_EXT+=",subnet_onboard,l3-port-ip-change-not-allowed,agent-resources-synced"
DEFAULT_NET_EXT+=",floatingip-pools,rbac-security-groups,subnetpool-prefix-ops,router-admin-state-down-before-update"
DEFAULT_NET_EXT+=",rbac-subnetpool,tag-ports-during-bulk-creation,stateful-security-group,address-group,extraroute-atomic"
DEFAULT_NET_EXT+=",port-numa-affinity-policy,rbac-address-scope,security-groups-remote-address-group,trunk,trunk-details"
DEFAULT_NET_EXT+=",rbac-address-group,port-device-profile"
DEFAULT_NET_EXT+=",multiple-external-gateways,qos-pps-minimum,l3-ext-ndp-proxy,rbac-bgpvpn"
DEFAULT_NET_EXT+=",qos-pps,ecmp_routes,bgp,floating-ip-port-forwarding-port-ranges"
# New in Yoga
DEFAULT_NET_EXT+=",security-groups-shared-filtering,security-groups-normalized-cidr,quota-check-limit"
DEFAULT_NET_EXT+=",port-resource-request-groups"
# New in Zed
DEFAULT_NET_EXT+=",port-mac-override,floating-ip-port-forwarding-detail,network-cascade-delete"
local network_api_extensions=${NETWORK_API_EXTENSIONS:-$DEFAULT_NET_EXT}
if [[ ! -z "$DISABLE_NETWORK_API_EXTENSIONS" ]]; then
# Enabled extensions are either the ones explicitly specified or those available on the API endpoint
network_api_extensions=${NETWORK_API_EXTENSIONS:-$(iniget $tmp_cfg_file network-feature-enabled api_extensions | tr -d " ")}
@@ -672,7 +784,10 @@ function configure_tempest {
fi
iniset $TEMPEST_CONFIG network-feature-enabled api_extensions $network_api_extensions
# Swift API Extensions
local object_storage_api_extensions=${OBJECT_STORAGE_API_EXTENSIONS:-"all"}
DEFAULT_SWIFT_OPT="account_quotas,bulk_delete,bulk_upload,container_quotas"
DEFAULT_SWIFT_OPT+=",container_sync,crossdomain,formpost,ratelimit,slo"
DEFAULT_SWIFT_OPT+=",staticweb,tempauth,tempurl,versioned_writes"
local object_storage_api_extensions=${OBJECT_STORAGE_API_EXTENSIONS:-$DEFAULT_SWIFT_OPT}
if [[ ! -z "$DISABLE_OBJECT_STORAGE_API_EXTENSIONS" ]]; then
# Enabled extensions are either the ones explicitly specified or those available on the API endpoint
object_storage_api_extensions=${OBJECT_STORAGE_API_EXTENSIONS:-$(iniget $tmp_cfg_file object-storage-feature-enabled discoverable_apis | tr -d " ")}
@@ -681,7 +796,18 @@ function configure_tempest {
fi
iniset $TEMPEST_CONFIG object-storage-feature-enabled discoverable_apis $object_storage_api_extensions
# Cinder API Extensions
local volume_api_extensions=${VOLUME_API_EXTENSIONS:-"all"}
DEFAULT_VOL_EXT="OS-SCH-HNT,backups,capabilities,cgsnapshots,consistencygroups"
DEFAULT_VOL_EXT+=",encryption,os-admin-actions,os-availability-zone"
DEFAULT_VOL_EXT+=",os-extended-services,os-extended-snapshot-attributes"
DEFAULT_VOL_EXT+=",os-hosts,os-quota-class-sets,os-quota-sets"
DEFAULT_VOL_EXT+=",os-services,os-snapshot-actions,os-snapshot-manage"
DEFAULT_VOL_EXT+=",os-snapshot-unmanage,os-types-extra-specs,os-types-manage"
DEFAULT_VOL_EXT+=",os-used-limits,os-vol-host-attr,os-vol-image-meta"
DEFAULT_VOL_EXT+=",os-vol-mig-status-attr,os-vol-tenant-attr,os-volume-actions"
DEFAULT_VOL_EXT+=",os-volume-encryption-metadata,os-volume-manage"
DEFAULT_VOL_EXT+=",os-volume-transfer,os-volume-type-access"
DEFAULT_VOL_EXT+=",os-volume-unmanage,qos-specs,scheduler-stats"
local volume_api_extensions=${VOLUME_API_EXTENSIONS:-$DEFAULT_VOL_EXT}
if [[ ! -z "$DISABLE_VOLUME_API_EXTENSIONS" ]]; then
# Enabled extensions are either the ones explicitly specified or those available on the API endpoint
volume_api_extensions=${VOLUME_API_EXTENSIONS:-$(iniget $tmp_cfg_file volume-feature-enabled api_extensions | tr -d " ")}
@@ -697,7 +823,12 @@ function configure_tempest {
# install_tempest() - Collect source and prepare
function install_tempest {
git_clone $TEMPEST_REPO $TEMPEST_DIR $TEMPEST_BRANCH
pip_install 'tox!=2.8.0'
# NOTE(gmann): Pinning tox<4.0.0 for stable/zed and lower. Tox 4.0.0
# released after zed was released and has some incompatible changes
# and it is ok not to fix the issues caused by tox 4.0.0 in stable
# beanches jobs. We can continue testing the stable/zed and lower
# branches with tox<4.0.0
pip_install 'tox!=2.8.0,<4.0.0'
pushd $TEMPEST_DIR
# NOTE(gmann): checkout the TEMPEST_BRANCH in case TEMPEST_BRANCH
# is tag name not master. git_clone would not checkout tag because
+4 -4
View File
@@ -169,7 +169,7 @@ default_md = default
[ req ]
default_bits = 1024
default_md = sha1
default_md = sha256
prompt = no
distinguished_name = req_distinguished_name
@@ -261,7 +261,7 @@ function make_cert {
if [ ! -r "$ca_dir/$cert_name.crt" ]; then
# Generate a signing request
$OPENSSL req \
-sha1 \
-sha256 \
-newkey rsa \
-nodes \
-keyout $ca_dir/private/$cert_name.key \
@@ -301,7 +301,7 @@ function make_int_CA {
if [ ! -r "$ca_dir/cacert.pem" ]; then
# Create a signing certificate request
$OPENSSL req -config $ca_dir/ca.conf \
-sha1 \
-sha256 \
-newkey rsa \
-nodes \
-keyout $ca_dir/private/cacert.key \
@@ -557,7 +557,7 @@ $listen_string
ErrorLog $APACHE_LOG_DIR/tls-proxy_error.log
ErrorLogFormat "%{cu}t [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] [frontend\ %A] %M% ,\ referer\ %{Referer}i"
LogLevel info
CustomLog $APACHE_LOG_DIR/tls-proxy_access.log "%{%Y-%m-%d}t %{%T}t.%{msec_frac}t [%l] %a \"%r\" %>s %b"
CustomLog $APACHE_LOG_DIR/tls-proxy_access.log combined
</VirtualHost>
EOF
if is_suse ; then
+1 -1
View File
@@ -74,7 +74,7 @@ else
fi
# Identity API version
export OS_IDENTITY_API_VERSION=${IDENTITY_API_VERSION:-3}
export OS_IDENTITY_API_VERSION=3
# Ask keystoneauth1 to use keystone
export OS_AUTH_TYPE=password
+9
View File
@@ -17,9 +17,18 @@
dest: "{{ stage_dir }}/verify_tempest_conf.log"
state: hard
when: tempest_log.stat.exists
- name: Capture most recent qemu crash dump, if any
shell:
executable: /bin/bash
cmd: |
coredumpctl -o {{ devstack_log_dir }}/qemu.coredump dump /usr/bin/qemu-system-x86_64
ignore_errors: yes
roles:
- export-devstack-journal
- apache-logs-conf
# This should run as early as possible to make sure we don't skew
# the post-tempest results with other activities.
- capture-performance-data
- devstack-project-conf
# capture-system-logs should be the last role before stage-output
- capture-system-logs
+7 -1
View File
@@ -5,4 +5,10 @@
bindep_profile: test
bindep_dir: "{{ zuul_work_dir }}"
- test-setup
- ensure-tox
# NOTE(gmann): Pinning tox<4.0.0 for stable/zed and lower. Tox 4.0.0
# released after zed was released and has some incompatible changes
# and it is ok not to fix the issues caused by tox 4.0.0 in stable
# beanches jobs. We can continue testing the stable/zed and lower
# branches with tox<4.0.0
- role: ensure-tox
ensure_tox_version: "<4"
+7 -1
View File
@@ -6,6 +6,12 @@
bindep_profile: test
bindep_dir: "{{ zuul_work_dir }}"
- test-setup
- ensure-tox
# NOTE(gmann): Pinning tox<4.0.0 for stable/zed and lower. Tox 4.0.0
# released after zed was released and has some incompatible changes
# and it is ok not to fix the issues caused by tox 4.0.0 in stable
# beanches jobs. We can continue testing the stable/zed and lower
# branches with tox<4.0.0
- role: ensure-tox
ensure_tox_version: "<4"
- get-devstack-os-environment
- tox
+25
View File
@@ -0,0 +1,25 @@
Generate performance logs for staging
Captures usage information from mysql, systemd, apache logs, and other
parts of the system and generates a performance.json file in the
staging directory.
**Role Variables**
.. zuul:rolevar:: stage_dir
:default: {{ ansible_user_dir }}
The base stage directory
.. zuul:rolevar:: devstack_conf_dir
:default: /opt/stack
The base devstack destination directory
.. zuul:rolevar:: debian_suse_apache_deref_logs
The apache logs found in the debian/suse locations
.. zuul:rolevar:: redhat_apache_deref_logs
The apache logs found in the redhat locations
@@ -0,0 +1,3 @@
devstack_base_dir: /opt/stack
devstack_conf_dir: "{{ devstack_base_dir }}"
stage_dir: "{{ ansible_user_dir }}"
@@ -0,0 +1,16 @@
- name: Generate statistics
shell:
executable: /bin/bash
cmd: |
source {{ devstack_conf_dir }}/stackrc
python3 {{ devstack_conf_dir }}/tools/get-stats.py \
--db-user="$DATABASE_USER" \
--db-pass="$DATABASE_PASSWORD" \
--db-host="$DATABASE_HOST" \
{{ apache_logs }} > {{ stage_dir }}/performance.json
vars:
apache_logs: >-
{% for i in debian_suse_apache_deref_logs.results | default([]) + redhat_apache_deref_logs.results | default([]) %}
--apache-log="{{ i.stat.path }}"
{% endfor %}
ignore_errors: yes
+1
View File
@@ -9,6 +9,7 @@ Stage a number of different logs / reports:
- coredumps
- dns resolver
- listen53
- services
- unbound.log
- deprecation messages
@@ -19,6 +19,9 @@
rpm -qa | sort > {{ stage_dir }}/rpm-qa.txt
fi
# Services status
sudo systemctl status --all > services.txt 2>/dev/null
# NOTE(kchamart) The 'audit.log' can be useful in cases when QEMU
# failed to start due to denials from SELinux — useful for CentOS
# and Fedora machines. For Ubuntu (which runs AppArmor), DevStack
@@ -1,10 +1,10 @@
Verify the IPv6-only deployments
Verify all addresses in IPv6-only deployments
This role needs to be invoked from a playbook that
run tests. This role verifies the IPv6 setting on
devstack side and devstack deploy services on IPv6.
This role is invoked before tests are run so that
if any missing IPv6 setting or deployments can fail
runs tests. This role verifies the IPv6 settings on the
devstack side and that devstack deploys with all addresses
being IPv6. This role is invoked before tests are run so that
if there is any missing IPv6 setting, deployments can fail
the job early.
@@ -2,6 +2,7 @@
# This uses hard links to avoid using extra space.
command: "find {{ devstack_cache_dir }}/files -mindepth 1 -maxdepth 1 -exec cp -l {} {{ devstack_base_dir }}/devstack/files/ ;"
become: true
ignore_errors: yes
- name: Set ownership of cached files
file:
+1 -1
View File
@@ -49,7 +49,7 @@ SERVICE_PASSWORD=$ADMIN_PASSWORD
# path of the destination log file. A timestamp will be appended to the given name.
LOGFILE=$DEST/logs/stack.sh.log
# Old log files are automatically removed after 7 days to keep things neat. Change
# Old log files are automatically removed after 2 days to keep things neat. Change
# the number of days by setting ``LOGDAYS``.
LOGDAYS=2
-12
View File
@@ -1,12 +0,0 @@
[metadata]
name = DevStack
summary = OpenStack DevStack
description_file =
README.rst
author = OpenStack
author_email = openstack-discuss@lists.openstack.org
home_page = https://docs.openstack.org/devstack/latest
classifier =
Intended Audience :: Developers
License :: OSI Approved :: Apache Software License
Operating System :: POSIX :: Linux
-22
View File
@@ -1,22 +0,0 @@
#!/usr/bin/env python
# Copyright (c) 2013 Hewlett-Packard Development Company, L.P.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# THIS FILE IS MANAGED BY THE GLOBAL REQUIREMENTS REPO - DO NOT EDIT
import setuptools
setuptools.setup(
setup_requires=['pbr'],
pbr=True)
+61 -46
View File
@@ -67,7 +67,9 @@ unset `env | grep -E '^OS_' | cut -d = -f 1`
umask 022
# Not all distros have sbin in PATH for regular users.
PATH=$PATH:/usr/local/sbin:/usr/sbin:/sbin
# osc will normally be installed at /usr/local/bin/openstack so ensure
# /usr/local/bin is also in the path
PATH=$PATH:/usr/local/bin:/usr/local/sbin:/usr/sbin:/sbin
# Keep track of the DevStack directory
TOP_DIR=$(cd $(dirname "$0") && pwd)
@@ -227,7 +229,7 @@ write_devstack_version
# Warn users who aren't on an explicitly supported distro, but allow them to
# override check and attempt installation with ``FORCE=yes ./stack``
SUPPORTED_DISTROS="focal|f34|opensuse-15.2|opensuse-tumbleweed|rhel8"
SUPPORTED_DISTROS="bullseye|focal|jammy|f35|opensuse-15.2|opensuse-tumbleweed|rhel8|rhel9"
if [[ ! ${DISTRO} =~ $SUPPORTED_DISTROS ]]; then
echo "WARNING: this script has not been tested on $DISTRO"
@@ -278,7 +280,6 @@ chmod 0440 $TEMPFILE
sudo chown root:root $TEMPFILE
sudo mv $TEMPFILE /etc/sudoers.d/50_stack_sh
# Configure Distro Repositories
# -----------------------------
@@ -300,13 +301,32 @@ function _install_epel {
}
function _install_rdo {
if [[ "$TARGET_BRANCH" == "master" ]]; then
# rdo-release.el8.rpm points to latest RDO release, use that for master
sudo dnf -y install https://rdoproject.org/repos/rdo-release.el8.rpm
else
# For stable branches use corresponding release rpm
rdo_release=$(echo $TARGET_BRANCH | sed "s|stable/||g")
sudo dnf -y install https://rdoproject.org/repos/openstack-${rdo_release}/rdo-release-${rdo_release}.el8.rpm
if [[ $DISTRO == "rhel8" ]]; then
if [[ "$TARGET_BRANCH" == "master" ]]; then
# rdo-release.el8.rpm points to latest RDO release, use that for master
sudo dnf -y install https://rdoproject.org/repos/rdo-release.el8.rpm
else
# For stable branches use corresponding release rpm
rdo_release=$(echo $TARGET_BRANCH | sed "s|stable/||g")
sudo dnf -y install https://rdoproject.org/repos/openstack-${rdo_release}/rdo-release-${rdo_release}.el8.rpm
fi
elif [[ $DISTRO == "rhel9" ]]; then
install_package wget
# We need to download rdo-release package using wget as installing with dnf from repo.fedoraproject.org fails in
# FIPS enabled systems after https://bugzilla.redhat.com/show_bug.cgi?id=2157951
# Until we can pull rdo-release from a server which supports EMS, this workaround is doing wget, which does
# not relies on openssl but on gnutls, and then install it locally using rpm
TEMPRDODIR=$(mktemp -d)
if [[ "$TARGET_BRANCH" == "master" ]]; then
# rdo-release.el9.rpm points to latest RDO release, use that for master
wget -P $TEMPRDODIR https://rdoproject.org/repos/rdo-release.el9.rpm
else
# For stable branches use corresponding release rpm
rdo_release=$(echo $TARGET_BRANCH | sed "s|stable/||g")
wget -P $TEMPRDODIR https://rdoproject.org/repos/openstack-${rdo_release}/rdo-release-${rdo_release}.el9.rpm
fi
sudo rpm -ivh $TEMPRDODIR/rdo-release*rpm
rm -rf $TEMPRDODIR
fi
sudo dnf -y update
}
@@ -385,6 +405,10 @@ if [[ $DISTRO == "rhel8" ]]; then
# RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1154272
# Patch: https://github.com/rpm-software-management/dnf/pull/1448
echo "[]" | sudo tee /var/cache/dnf/expired_repos.json
elif [[ $DISTRO == "rhel9" ]]; then
sudo dnf config-manager --set-enabled crb
# rabbitmq and other packages are provided by RDO repositories.
_install_rdo
fi
# Ensure python is installed
@@ -683,6 +707,8 @@ if initialize_database_backends; then
# Last chance for the database password. This must be handled here
# because read_password is not a library function.
read_password DATABASE_PASSWORD "ENTER A PASSWORD TO USE FOR THE DATABASE."
define_database_baseurl
else
echo "No database enabled"
fi
@@ -749,7 +775,9 @@ save_stackenv $LINENO
# Bring down global requirements before any use of pip_install. This is
# necessary to ensure that the constraints file is in place before we
# attempt to apply any constraints to pip installs.
git_clone $REQUIREMENTS_REPO $REQUIREMENTS_DIR $REQUIREMENTS_BRANCH
# We always need the master branch in addition to any stable branch, so
# override GIT_DEPTH here.
GIT_DEPTH=0 git_clone $REQUIREMENTS_REPO $REQUIREMENTS_DIR $REQUIREMENTS_BRANCH
# Install package requirements
# Source it so the entire environment is available
@@ -876,7 +904,7 @@ fi
install_keystonemiddleware
if is_service_enabled keystone; then
if [ "$KEYSTONE_AUTH_HOST" == "$SERVICE_HOST" ]; then
if [ "$KEYSTONE_SERVICE_HOST" == "$SERVICE_HOST" ]; then
stack_install_service keystone
configure_keystone
fi
@@ -1063,37 +1091,18 @@ fi
# Keystone
# --------
# Rather than just export these, we write them out to a
# intermediate userrc file that can also be used to debug if
# something goes wrong between here and running
# tools/create_userrc.sh (this script relies on services other
# than keystone being available, so we can't call it right now)
cat > $TOP_DIR/userrc_early <<EOF
# Use this for debugging issues before files in accrc are created
# Set up password auth credentials now that Keystone is bootstrapped
export OS_IDENTITY_API_VERSION=3
export OS_AUTH_URL=$KEYSTONE_SERVICE_URI
export OS_USERNAME=admin
export OS_USER_DOMAIN_ID=default
export OS_PASSWORD=$ADMIN_PASSWORD
export OS_PROJECT_NAME=admin
export OS_PROJECT_DOMAIN_ID=default
export OS_REGION_NAME=$KEYSTONE_REGION_NAME
EOF
if is_service_enabled tls-proxy; then
echo "export OS_CACERT=$INT_CA_DIR/ca-chain.pem" >> $TOP_DIR/userrc_early
start_tls_proxy http-services '*' 443 $SERVICE_HOST 80
fi
source $TOP_DIR/userrc_early
# Write a clouds.yaml file and use the devstack-admin cloud
write_clouds_yaml
export OS_CLOUD=${OS_CLOUD:-devstack-admin}
if is_service_enabled keystone; then
echo_summary "Starting Keystone"
if [ "$KEYSTONE_AUTH_HOST" == "$SERVICE_HOST" ]; then
if [ "$KEYSTONE_SERVICE_HOST" == "$SERVICE_HOST" ]; then
init_keystone
start_keystone
bootstrap_keystone
@@ -1118,9 +1127,6 @@ if is_service_enabled keystone; then
fi
# Write a clouds.yaml file
write_clouds_yaml
# Horizon
# -------
@@ -1161,7 +1167,8 @@ fi
# ----
if is_service_enabled q-dhcp; then
# Delete traces of nova networks from prior runs
# TODO(frickler): These are remnants from n-net, check which parts are really
# still needed for Neutron.
# Do not kill any dnsmasq instance spawned by NetworkManager
netman_pid=$(pidof NetworkManager || true)
if [ -z "$netman_pid" ]; then
@@ -1221,12 +1228,7 @@ if is_service_enabled nova; then
echo_summary "Configuring Nova"
init_nova
# Additional Nova configuration that is dependent on other services
# TODO(stephenfin): Is it possible for neutron to *not* be enabled now? If
# not, remove the if here
if is_service_enabled neutron; then
async_runfunc configure_neutron_nova
fi
async_runfunc configure_neutron_nova
fi
@@ -1380,7 +1382,7 @@ fi
# which is helpful in image bundle steps.
if is_service_enabled nova && is_service_enabled keystone; then
USERRC_PARAMS="-PA --target-dir $TOP_DIR/accrc"
USERRC_PARAMS="-PA --target-dir $TOP_DIR/accrc --os-password $ADMIN_PASSWORD"
if [ -f $SSL_BUNDLE_FILE ]; then
USERRC_PARAMS="$USERRC_PARAMS --os-cacert $SSL_BUNDLE_FILE"
@@ -1514,6 +1516,19 @@ async_cleanup
time_totals
async_print_timing
if is_service_enabled mysql; then
if [[ "$MYSQL_GATHER_PERFORMANCE" == "True" && "$MYSQL_HOST" ]]; then
echo ""
echo ""
echo "Post-stack database query stats:"
mysql -u $DATABASE_USER -p$DATABASE_PASSWORD -h $MYSQL_HOST stats -e \
'SELECT * FROM queries' -t 2>/dev/null
mysql -u $DATABASE_USER -p$DATABASE_PASSWORD -h $MYSQL_HOST stats -e \
'DELETE FROM queries' 2>/dev/null
fi
fi
# Using the cloud
# ===============
Executable → Regular
+51 -21
View File
@@ -15,7 +15,7 @@ source $RC_DIR/functions
# Set the target branch. This is used so that stable branching
# does not need to update each repo below.
TARGET_BRANCH=master
TARGET_BRANCH=stable/zed
# Cycle trailing projects need to branch later than the others.
TRAILING_TARGET_BRANCH=master
@@ -175,21 +175,13 @@ else
export PS4='+ $(short_source): '
fi
# Configure Identity API version: 2.0, 3
IDENTITY_API_VERSION=${IDENTITY_API_VERSION:-3}
# Configure Identity API version
# TODO(frickler): Drop this when plugins no longer need it
IDENTITY_API_VERSION=3
# Set the option ENABLE_IDENTITY_V2 to True. It defines whether the DevStack
# deployment will be deploying the Identity v2 pipelines. If this option is set
# to ``False``, DevStack will: i) disable Identity v2; ii) configure Tempest to
# skip Identity v2 specific tests; and iii) configure Horizon to use Identity
# v3. When this option is set to ``False``, the option IDENTITY_API_VERSION
# will to be set to ``3`` in order to make DevStack register the Identity
# endpoint as v3. This flag is experimental and will be used as basis to
# identify the projects which still have issues to operate with Identity v3.
ENABLE_IDENTITY_V2=$(trueorfalse False ENABLE_IDENTITY_V2)
if [ "$ENABLE_IDENTITY_V2" == "False" ]; then
IDENTITY_API_VERSION=3
fi
# Global option for enforcing scope. If enabled, ENFORCE_SCOPE overrides
# each services ${SERVICE}_ENFORCE_SCOPE variables
ENFORCE_SCOPE=$(trueorfalse False ENFORCE_SCOPE)
# Enable use of Python virtual environments. Individual project use of
# venvs are controlled by the PROJECT_VENV array; every project with
@@ -205,6 +197,15 @@ ADDITIONAL_VENV_PACKAGES=${ADITIONAL_VENV_PACKAGES:-""}
# (currently only implemented for MySQL backend)
DATABASE_QUERY_LOGGING=$(trueorfalse False DATABASE_QUERY_LOGGING)
# This can be used to turn on various non-default items in the
# performance_schema that are of interest to us
MYSQL_GATHER_PERFORMANCE=$(trueorfalse True MYSQL_GATHER_PERFORMANCE)
# This can be used to reduce the amount of memory mysqld uses while running.
# These are unscientifically determined, and could reduce performance or
# cause other issues.
MYSQL_REDUCE_MEMORY=$(trueorfalse False MYSQL_REDUCE_MEMORY)
# Set a timeout for git operations. If git is still running when the
# timeout expires, the command will be retried up to 3 times. This is
# in the format for timeout(1);
@@ -247,7 +248,7 @@ REQUIREMENTS_DIR=${REQUIREMENTS_DIR:-$DEST/requirements}
# Setting the variable to 'ALL' will activate the download for all
# libraries.
DEVSTACK_SERIES="xena"
DEVSTACK_SERIES="zed"
##############
#
@@ -415,6 +416,10 @@ GITBRANCH["oslo.db"]=${OSLODB_BRANCH:-$TARGET_BRANCH}
GITREPO["oslo.i18n"]=${OSLOI18N_REPO:-${GIT_BASE}/openstack/oslo.i18n.git}
GITBRANCH["oslo.i18n"]=${OSLOI18N_BRANCH:-$TARGET_BRANCH}
# oslo.limit
GITREPO["oslo.limit"]=${OSLOLIMIT_REPO:-${GIT_BASE}/openstack/oslo.limit.git}
GITBRANCH["oslo.limit"]=${OSLOLIMIT_BRANCH:-$TARGET_BRANCH}
# oslo.log
GITREPO["oslo.log"]=${OSLOLOG_REPO:-${GIT_BASE}/openstack/oslo.log.git}
GITBRANCH["oslo.log"]=${OSLOLOG_BRANCH:-$TARGET_BRANCH}
@@ -602,8 +607,8 @@ IRONIC_PYTHON_AGENT_REPO=${IRONIC_PYTHON_AGENT_REPO:-${GIT_BASE}/openstack/ironi
IRONIC_PYTHON_AGENT_BRANCH=${IRONIC_PYTHON_AGENT_BRANCH:-$TARGET_BRANCH}
# a websockets/html5 or flash powered VNC console for vm instances
NOVNC_REPO=${NOVNC_REPO:-https://github.com/novnc/noVNC.git}
NOVNC_BRANCH=${NOVNC_BRANCH:-v1.1.0}
NOVNC_REPO=${NOVNC_REPO:-https://github.com/novnc/novnc.git}
NOVNC_BRANCH=${NOVNC_BRANCH:-v1.3.0}
# a websockets/html5 or flash powered SPICE console for vm instances
SPICE_REPO=${SPICE_REPO:-http://anongit.freedesktop.org/git/spice/spice-html5.git}
@@ -623,7 +628,8 @@ VIRT_DRIVER=${VIRT_DRIVER:-$DEFAULT_VIRT_DRIVER}
case "$VIRT_DRIVER" in
ironic|libvirt)
LIBVIRT_TYPE=${LIBVIRT_TYPE:-kvm}
LIBVIRT_CPU_MODE=${LIBVIRT_CPU_MODE:-none}
LIBVIRT_CPU_MODE=${LIBVIRT_CPU_MODE:-custom}
LIBVIRT_CPU_MODEL=${LIBVIRT_CPU_MODEL:-Nehalem}
if [[ "$os_VENDOR" =~ (Debian|Ubuntu) ]]; then
# The groups change with newer libvirt. Older Ubuntu used
# 'libvirtd', but now uses libvirt like Debian. Do a quick check
@@ -670,7 +676,7 @@ esac
#IMAGE_URLS="http://download.cirros-cloud.net/${CIRROS_VERSION}/cirros-${CIRROS_VERSION}-${CIRROS_ARCH}-disk.img" # cirros full disk image
CIRROS_VERSION=${CIRROS_VERSION:-"0.5.2"}
CIRROS_ARCH=${CIRROS_ARCH:-"x86_64"}
CIRROS_ARCH=${CIRROS_ARCH:-$(uname -m)}
# Set default image based on ``VIRT_DRIVER`` and ``LIBVIRT_TYPE``, either of
# which may be set in ``local.conf``. Also allow ``DEFAULT_IMAGE_NAME`` and
@@ -876,7 +882,31 @@ SERVICE_HOST=${SERVICE_HOST:-${DEF_SERVICE_HOST}}
# This is either 127.0.0.1 for IPv4 or ::1 for IPv6
SERVICE_LOCAL_HOST=${SERVICE_LOCAL_HOST:-${DEF_SERVICE_LOCAL_HOST}}
REGION_NAME=${REGION_NAME:-RegionOne}
# TUNNEL IP version
# This is the IP version to use for tunnel endpoints
TUNNEL_IP_VERSION=${TUNNEL_IP_VERSION:-4}
# Validate TUNNEL_IP_VERSION
if [[ $TUNNEL_IP_VERSION != "4" ]] && [[ $TUNNEL_IP_VERSION != "6" ]]; then
die $LINENO "TUNNEL_IP_VERSION must be either 4 or 6"
fi
if [[ "$TUNNEL_IP_VERSION" == 4 ]]; then
DEF_TUNNEL_ENDPOINT_IP=$HOST_IP
fi
if [[ "$TUNNEL_IP_VERSION" == 6 ]]; then
# Only die if the user has not over-ridden the endpoint IP
if [[ "$HOST_IPV6" == "" ]] && [[ "$TUNNEL_ENDPOINT_IP" == "" ]]; then
die $LINENO "Could not determine host IPv6 address. See local.conf for suggestions on setting HOST_IPV6."
fi
DEF_TUNNEL_ENDPOINT_IP=$HOST_IPV6
fi
# Allow the use of an alternate address for tunnel endpoints.
# Default is dependent on TUNNEL_IP_VERSION above.
TUNNEL_ENDPOINT_IP=${TUNNEL_ENDPOINT_IP:-${DEF_TUNNEL_ENDPOINT_IP}}
# Configure services to use syslog instead of writing to individual log files
SYSLOG=$(trueorfalse False SYSLOG)
+11 -1
View File
@@ -44,6 +44,9 @@ empty =
multi = foo1
multi = foo2
[fff]
ampersand =
[key_with_spaces]
rgw special key = something
@@ -85,7 +88,7 @@ fi
# test iniget_sections
VAL=$(iniget_sections "${TEST_INI}")
assert_equal "$VAL" "default aaa bbb ccc ddd eee key_with_spaces \
assert_equal "$VAL" "default aaa bbb ccc ddd eee fff key_with_spaces \
del_separate_options del_same_option del_missing_option \
del_missing_option_multi del_no_options"
@@ -124,6 +127,13 @@ iniset ${SUDO_ARG} ${TEST_INI} bbb handlers "33,44"
VAL=$(iniget ${TEST_INI} bbb handlers)
assert_equal "$VAL" "33,44" "inset at EOF"
# Test with ampersand in values
for i in `seq 3`; do
iniset ${TEST_INI} fff ampersand '&y'
done
VAL=$(iniget ${TEST_INI} fff ampersand)
assert_equal "$VAL" "&y" "iniset ampersands in option"
# test empty option
if ini_has_option ${SUDO_ARG} ${TEST_INI} ddd empty; then
passed "ini_has_option: ddd.empty present"
+1 -12
View File
@@ -45,6 +45,7 @@ ALL_LIBS+=" oslo.cache oslo.reports osprofiler cursive"
ALL_LIBS+=" keystoneauth ironic-lib neutron-lib oslo.privsep"
ALL_LIBS+=" diskimage-builder os-vif python-brick-cinderclient-ext"
ALL_LIBS+=" castellan python-barbicanclient ovsdbapp os-ken os-resource-classes"
ALL_LIBS+=" oslo.limit"
# Generate the above list with
# echo ${!GITREPO[@]}
@@ -95,19 +96,7 @@ function test_libs_exist {
echo "test_libs_exist PASSED"
}
function test_branch_master {
for lib in $ALL_LIBS; do
if [[ ${GITBRANCH[$lib]} != "master" ]]; then
echo "GITBRANCH for $lib not master (${GITBRANCH[$lib]})"
exit 1
fi
done
echo "test_branch_master PASSED"
}
set -o errexit
test_libs_exist
test_branch_master
test_all_libs_upto_date
+9
View File
@@ -44,6 +44,15 @@ fi
if ! getent passwd $STACK_USER >/dev/null; then
echo "Creating a user called $STACK_USER"
useradd -g $STACK_USER -s /bin/bash -d $DEST -m $STACK_USER
# RHEL based distros create home dir with 700 permissions,
# And Ubuntu 21.04+ with 750, i.e missing executable
# permission for either group or others
# Devstack deploy will have issues with this, fix it by
# adding executable permission
if [[ $(stat -c '%A' $DEST|grep -o x|wc -l) -lt 3 ]]; then
echo "Executable permission missing for $DEST, adding it"
chmod +x $DEST
fi
fi
echo "Giving stack user passwordless sudo privileges"
+120
View File
@@ -0,0 +1,120 @@
import json
import logging
import os
import threading
import time
import queue
import sqlalchemy
from sqlalchemy.engine import CreateEnginePlugin
from sqlalchemy import event
# https://docs.sqlalchemy.org/en/14/core/connections.html?
# highlight=createengineplugin#sqlalchemy.engine.CreateEnginePlugin
LOG = logging.getLogger(__name__)
# The theory of operation here is that we register this plugin with
# sqlalchemy via an entry_point. It gets loaded by virtue of plugin=
# being in the database connection URL, which gives us an opportunity
# to hook the engines that get created.
#
# We opportunistically spawn a thread, which we feed "hits" to over a
# queue, and which occasionally writes those hits to a special
# database called 'stats'. We access that database with the same user,
# pass, and host as the main connection URL for simplicity.
class LogCursorEventsPlugin(CreateEnginePlugin):
def __init__(self, url, kwargs):
self.db_name = url.database
LOG.info('Registered counter for database %s' % self.db_name)
new_url = sqlalchemy.engine.URL.create(url.drivername,
url.username,
url.password,
url.host,
url.port,
'stats')
self.engine = sqlalchemy.create_engine(new_url)
self.queue = queue.Queue()
self.thread = None
def engine_created(self, engine):
"""Hook the engine creation process.
This is the plug point for the sqlalchemy plugin. Using
plugin=$this in the URL causes this method to be called when
the engine is created, giving us a chance to hook it below.
"""
event.listen(engine, "before_cursor_execute", self._log_event)
def ensure_writer_thread(self):
self.thread = threading.Thread(target=self.stat_writer, daemon=True)
self.thread.start()
def _log_event(self, conn, cursor, statement, parameters, context,
executemany):
"""Queue a "hit" for this operation to be recorded.
Attepts to determine the operation by the first word of the
statement, or 'OTHER' if it cannot be determined.
"""
# Start our thread if not running. If we were forked after the
# engine was created and this plugin was associated, our
# writer thread is gone, so respawn.
if not self.thread or not self.thread.is_alive():
self.ensure_writer_thread()
try:
op = statement.strip().split(' ', 1)[0] or 'OTHER'
except Exception:
op = 'OTHER'
self.queue.put((self.db_name, op))
def do_incr(self, db, op, count):
"""Increment the counter for (db,op) by count."""
query = ('INSERT INTO queries (db, op, count) '
' VALUES (%s, %s, %s) '
' ON DUPLICATE KEY UPDATE count=count+%s')
try:
with self.engine.begin() as conn:
r = conn.execute(query, (db, op, count, count))
except Exception as e:
LOG.error('Failed to account for access to database %r: %s',
db, e)
def stat_writer(self):
"""Consume messages from the queue and write them in batches.
This reads "hists" from from a queue fed by _log_event() and
writes (db,op)+=count stats to the database after ten seconds
of no activity to avoid triggering a write for every SELECT
call. Write no less often than every thirty seconds and/or 100
pending hits to avoid being starved by constant activity.
"""
LOG.debug('[%i] Writer thread running' % os.getpid())
while True:
to_write = {}
total = 0
last = time.time()
while time.time() - last < 30 and total < 100:
try:
item = self.queue.get(timeout=10)
to_write.setdefault(item, 0)
to_write[item] += 1
total += 1
except queue.Empty:
break
if to_write:
LOG.debug('[%i] Writing DB stats %s' % (
os.getpid(),
','.join(['%s:%s=%i' % (db, op, count)
for (db, op), count in to_write.items()])))
for (db, op), count in to_write.items():
self.do_incr(db, op, count)
+3
View File
@@ -0,0 +1,3 @@
[build-system]
requires = ["sqlalchemy", "setuptools>=42"]
build-backend = "setuptools.build_meta"
+14
View File
@@ -0,0 +1,14 @@
[metadata]
name = dbcounter
author = Dan Smith
author_email = dms@danplanet.com
version = 0.1
description = A teeny tiny dbcounter plugin for use with devstack
url = http://github.com/openstack/devstack
license = Apache
[options]
py_modules = dbcounter
entry_points =
[sqlalchemy.plugins]
dbcounter = dbcounter:LogCursorEventsPlugin
+17 -34
View File
@@ -26,39 +26,6 @@ if [[ -z "$TOP_DIR" ]]; then
FILES=$TOP_DIR/files
fi
# Keystone Port Reservation
# -------------------------
# Reserve and prevent ``KEYSTONE_AUTH_PORT`` and ``KEYSTONE_AUTH_PORT_INT`` from
# being used as ephemeral ports by the system. The default(s) are 35357 and
# 35358 which are in the Linux defined ephemeral port range (in disagreement
# with the IANA ephemeral port range). This is a workaround for bug #1253482
# where Keystone will try and bind to the port and the port will already be
# in use as an ephemeral port by another process. This places an explicit
# exception into the Kernel for the Keystone AUTH ports.
function fixup_keystone {
keystone_ports=${KEYSTONE_AUTH_PORT:-35357},${KEYSTONE_AUTH_PORT_INT:-35358}
# Only do the reserved ports when available, on some system (like containers)
# where it's not exposed we are almost pretty sure these ports would be
# exclusive for our DevStack.
if sysctl net.ipv4.ip_local_reserved_ports >/dev/null 2>&1; then
# Get any currently reserved ports, strip off leading whitespace
reserved_ports=$(sysctl net.ipv4.ip_local_reserved_ports | awk -F'=' '{print $2;}' | sed 's/^ //')
if [[ -z "${reserved_ports}" ]]; then
# If there are no currently reserved ports, reserve the keystone ports
sudo sysctl -w net.ipv4.ip_local_reserved_ports=${keystone_ports}
else
# If there are currently reserved ports, keep those and also reserve the
# Keystone specific ports. Duplicate reservations are merged into a single
# reservation (or range) automatically by the kernel.
sudo sysctl -w net.ipv4.ip_local_reserved_ports=${keystone_ports},${reserved_ports}
fi
else
echo_summary "WARNING: unable to reserve keystone ports"
fi
}
# Python Packages
# ---------------
@@ -106,6 +73,21 @@ function fixup_fedora {
# overwriting works. So this hacks around those packages that
# have been dragged in by some other system dependency
sudo rm -rf /usr/lib64/python3*/site-packages/PyYAML-*.egg-info
# After updating setuptools based on the requirements, the files from the
# python3-setuptools RPM are deleted, it breaks some tools such as semanage
# (used in diskimage-builder) that use the -s flag of the python
# interpreter, enforcing the use of the packages from /usr/lib.
# Importing setuptools/pkg_resources in a such environment fails.
# Enforce the package re-installation to fix those applications.
if is_package_installed python3-setuptools; then
sudo dnf reinstall -y python3-setuptools
fi
# Workaround CentOS 8-stream iputils and systemd Bug
# https://bugzilla.redhat.com/show_bug.cgi?id=2037807
if [[ $os_VENDOR == "CentOSStream" && $os_RELEASE -eq 8 ]]; then
sudo sysctl -w net.ipv4.ping_group_range='0 2147483647'
fi
}
function fixup_suse {
@@ -167,10 +149,11 @@ function fixup_ubuntu {
# overwriting works. So this hacks around those packages that
# have been dragged in by some other system dependency
sudo rm -rf /usr/lib/python3/dist-packages/PyYAML-*.egg-info
sudo rm -rf /usr/lib/python3/dist-packages/pyasn1_modules-*.egg-info
sudo rm -rf /usr/lib/python3/dist-packages/simplejson-*.egg-info
}
function fixup_all {
fixup_keystone
fixup_ubuntu
fixup_fedora
fixup_suse
+220
View File
@@ -0,0 +1,220 @@
#!/usr/bin/python3
import argparse
import csv
import datetime
import glob
import itertools
import json
import logging
import os
import re
import socket
import subprocess
import sys
try:
import psutil
except ImportError:
psutil = None
print('No psutil, process information will not be included',
file=sys.stderr)
try:
import pymysql
except ImportError:
pymysql = None
print('No pymysql, database information will not be included',
file=sys.stderr)
LOG = logging.getLogger('perf')
# https://www.elastic.co/blog/found-crash-elasticsearch#mapping-explosion
def tryint(value):
try:
return int(value)
except (ValueError, TypeError):
return value
def get_service_stats(service):
stats = {'MemoryCurrent': 0}
output = subprocess.check_output(['/usr/bin/systemctl', 'show', service] +
['-p%s' % stat for stat in stats])
for line in output.decode().split('\n'):
if not line:
continue
stat, val = line.split('=')
stats[stat] = tryint(val)
return stats
def get_services_stats():
services = [os.path.basename(s) for s in
glob.glob('/etc/systemd/system/devstack@*.service')] + \
['apache2.service']
return [dict(service=service, **get_service_stats(service))
for service in services]
def get_process_stats(proc):
cmdline = proc.cmdline()
if 'python' in cmdline[0]:
cmdline = cmdline[1:]
return {'cmd': cmdline[0],
'pid': proc.pid,
'args': ' '.join(cmdline[1:]),
'rss': proc.memory_info().rss}
def get_processes_stats(matches):
me = os.getpid()
procs = psutil.process_iter()
def proc_matches(proc):
return me != proc.pid and any(
re.search(match, ' '.join(proc.cmdline()))
for match in matches)
return [
get_process_stats(proc)
for proc in procs
if proc_matches(proc)]
def get_db_stats(host, user, passwd):
dbs = []
try:
db = pymysql.connect(host=host, user=user, password=passwd,
database='stats',
cursorclass=pymysql.cursors.DictCursor)
except pymysql.err.OperationalError as e:
if 'Unknown database' in str(e):
print('No stats database; assuming devstack failed',
file=sys.stderr)
return []
raise
with db:
with db.cursor() as cur:
cur.execute('SELECT db,op,count FROM queries')
for row in cur:
dbs.append({k: tryint(v) for k, v in row.items()})
return dbs
def get_http_stats_for_log(logfile):
stats = {}
apache_fields = ('host', 'a', 'b', 'date', 'tz', 'request', 'status',
'length', 'c', 'agent')
ignore_agents = ('curl', 'uwsgi', 'nova-status')
ignored_services = set()
for line in csv.reader(open(logfile), delimiter=' '):
fields = dict(zip(apache_fields, line))
if len(fields) != len(apache_fields):
# Not a combined access log, so we can bail completely
return []
try:
method, url, http = fields['request'].split(' ')
except ValueError:
method = url = http = ''
if 'HTTP' not in http:
# Not a combined access log, so we can bail completely
return []
# Tempest's User-Agent is unchanged, but client libraries and
# inter-service API calls use proper strings. So assume
# 'python-urllib' is tempest so we can tell it apart.
if 'python-urllib' in fields['agent'].lower():
agent = 'tempest'
else:
agent = fields['agent'].split(' ')[0]
if agent.startswith('python-'):
agent = agent.replace('python-', '')
if '/' in agent:
agent = agent.split('/')[0]
if agent in ignore_agents:
continue
try:
service, rest = url.strip('/').split('/', 1)
except ValueError:
# Root calls like "GET /identity"
service = url.strip('/')
rest = ''
if not service.isalpha():
ignored_services.add(service)
continue
method_key = '%s-%s' % (agent, method)
try:
length = int(fields['length'])
except ValueError:
LOG.warning('[%s] Failed to parse length %r from line %r' % (
logfile, fields['length'], line))
length = 0
stats.setdefault(service, {'largest': 0})
stats[service].setdefault(method_key, 0)
stats[service][method_key] += 1
stats[service]['largest'] = max(stats[service]['largest'],
length)
if ignored_services:
LOG.warning('Ignored services: %s' % ','.join(
sorted(ignored_services)))
# Flatten this for ES
return [{'service': service, 'log': os.path.basename(logfile),
**vals}
for service, vals in stats.items()]
def get_http_stats(logfiles):
return list(itertools.chain.from_iterable(get_http_stats_for_log(log)
for log in logfiles))
def get_report_info():
return {
'timestamp': datetime.datetime.now().isoformat(),
'hostname': socket.gethostname(),
'version': 2,
}
if __name__ == '__main__':
process_defaults = ['privsep', 'mysqld', 'erlang', 'etcd']
parser = argparse.ArgumentParser()
parser.add_argument('--db-user', default='root',
help=('MySQL user for collecting stats '
'(default: "root")'))
parser.add_argument('--db-pass', default=None,
help='MySQL password for db-user')
parser.add_argument('--db-host', default='localhost',
help='MySQL hostname')
parser.add_argument('--apache-log', action='append', default=[],
help='Collect API call stats from this apache log')
parser.add_argument('--process', action='append',
default=process_defaults,
help=('Include process stats for this cmdline regex '
'(default is %s)' % ','.join(process_defaults)))
args = parser.parse_args()
logging.basicConfig(level=logging.WARNING)
data = {
'services': get_services_stats(),
'db': pymysql and args.db_pass and get_db_stats(args.db_host,
args.db_user,
args.db_pass) or [],
'processes': psutil and get_processes_stats(args.process) or [],
'api': get_http_stats(args.apache_log),
'report': get_report_info(),
}
print(json.dumps(data, indent=2))
+30 -16
View File
@@ -38,7 +38,7 @@ FILES=$TOP_DIR/files
# [1] https://opendev.org/openstack/project-config/src/branch/master/nodepool/elements/cache-devstack/source-repository-pip
PIP_GET_PIP_URL=${PIP_GET_PIP_URL:-"https://bootstrap.pypa.io/get-pip.py"}
LOCAL_PIP="$FILES/$(basename $PIP_GET_PIP_URL)"
PIP_GET_PIP36_URL=${PIP_GET_PIP36_URL:-"https://bootstrap.pypa.io/pip/3.6/get-pip.py"}
GetDistro
echo "Distro: $DISTRO"
@@ -57,12 +57,21 @@ function get_versions {
function install_get_pip {
if [[ "$PYTHON3_VERSION" = "3.6" ]]; then
_pip_url=$PIP_GET_PIP36_URL
_local_pip="$FILES/$(basename $_pip_url)-py36"
else
_pip_url=$PIP_GET_PIP_URL
_local_pip="$FILES/$(basename $_pip_url)"
fi
# If get-pip.py isn't python, delete it. This was probably an
# outage on the server.
if [[ -r $LOCAL_PIP ]]; then
if ! head -1 $LOCAL_PIP | grep -q '#!/usr/bin/env python'; then
echo "WARNING: Corrupt $LOCAL_PIP found removing"
rm $LOCAL_PIP
if [[ -r $_local_pip ]]; then
if ! head -1 $_local_pip | grep -q '#!/usr/bin/env python'; then
echo "WARNING: Corrupt $_local_pip found removing"
rm $_local_pip
fi
fi
@@ -76,20 +85,20 @@ function install_get_pip {
# Thus we use curl's "-z" feature to always check the modified
# since and only download if a new version is out -- but only if
# it seems we downloaded the file originally.
if [[ ! -r $LOCAL_PIP || -r $LOCAL_PIP.downloaded ]]; then
if [[ ! -r $_local_pip || -r $_local_pip.downloaded ]]; then
# only test freshness if LOCAL_PIP is actually there,
# otherwise we generate a scary warning.
local timecond=""
if [[ -r $LOCAL_PIP ]]; then
timecond="-z $LOCAL_PIP"
if [[ -r $_local_pip ]]; then
timecond="-z $_local_pip"
fi
curl -f --retry 6 --retry-delay 5 \
$timecond -o $LOCAL_PIP $PIP_GET_PIP_URL || \
$timecond -o $_local_pip $_pip_url || \
die $LINENO "Download of get-pip.py failed"
touch $LOCAL_PIP.downloaded
touch $_local_pip.downloaded
fi
sudo -H -E python${PYTHON3_VERSION} $LOCAL_PIP
sudo -H -E python${PYTHON3_VERSION} $_local_pip
}
@@ -118,7 +127,7 @@ if [[ -n $PYPI_ALTERNATIVE_URL ]]; then
configure_pypi_alternative_url
fi
if is_fedora && [[ ${DISTRO} == f* ]]; then
if is_fedora && [[ ${DISTRO} == f* || ${DISTRO} == rhel9 ]]; then
# get-pip.py will not install over the python3-pip package in
# Fedora 34 any more.
# https://bugzilla.redhat.com/show_bug.cgi?id=1988935
@@ -128,15 +137,20 @@ if is_fedora && [[ ${DISTRO} == f* ]]; then
# if python3-pip is later installed.
# For general sanity, we just use the packaged pip. It should be
# recent enough anyway. This is included via rpms/general
continue
: # Simply fall through
elif is_ubuntu; then
# pip on Ubuntu 20.04 is new enough, too
# drop setuptools from u-c
sed -i -e '/setuptools/d' $REQUIREMENTS_DIR/upper-constraints.txt
else
install_get_pip
# Note setuptools is part of requirements.txt and we want to make sure
# we obey any versioning as described there.
pip_install_gr setuptools
fi
set -x
# Note setuptools is part of requirements.txt and we want to make sure
# we obey any versioning as described there.
pip_install_gr setuptools
get_versions
+3 -3
View File
@@ -27,7 +27,7 @@ function usage {
}
CN=$1
if [ -z "$CN" ]]; then
if [ -z "$CN" ]; then
usage
fi
ORG_UNIT_NAME=${2:-$ORG_UNIT_NAME}
@@ -52,5 +52,5 @@ init_CA
make_cert $INT_CA_DIR $DEVSTACK_CERT_NAME $DEVSTACK_HOSTNAME
# Create a cert bundle
cat $INT_CA_DIR/private/$DEVSTACK_CERT_NAME.key $INT_CA_DIR/$DEVSTACK_CERT_NAME.crt $INT_CA_DIR/cacert.pem >$DEVSTACK_CERT
cat $INT_CA_DIR/private/$DEVSTACK_CERT_NAME.key \
$INT_CA_DIR/$DEVSTACK_CERT_NAME.crt $INT_CA_DIR/cacert.pem >$DEVSTACK_CERT
+1 -1
View File
@@ -65,7 +65,7 @@ class UpdateCloudsYaml(object):
def _read_clouds(self):
try:
with open(self._clouds_path) as clouds_file:
self._clouds = yaml.load(clouds_file)
self._clouds = yaml.safe_load(clouds_file)
except IOError:
# The user doesn't have a clouds.yaml file.
print("The user clouds.yaml file didn't exist.")
+18 -7
View File
@@ -23,32 +23,43 @@ function verify_devstack_ipv6_setting {
_service_listen_address=$(echo $SERVICE_LISTEN_ADDRESS | tr -d [])
local _service_local_host=''
_service_local_host=$(echo $SERVICE_LOCAL_HOST | tr -d [])
local _tunnel_endpoint_ip=''
_tunnel_endpoint_ip=$(echo $TUNNEL_ENDPOINT_IP | tr -d [])
if [[ "$SERVICE_IP_VERSION" != 6 ]]; then
echo $SERVICE_IP_VERSION "SERVICE_IP_VERSION is not set to 6 which is must for devstack to deploy services with IPv6 address."
exit 1
fi
if [[ "$TUNNEL_IP_VERSION" != 6 ]]; then
echo $TUNNEL_IP_VERSION "TUNNEL_IP_VERSION is not set to 6 so TUNNEL_ENDPOINT_IP cannot be an IPv6 address."
exit 1
fi
is_service_host_ipv6=$(python3 -c 'import oslo_utils.netutils as nutils; print(nutils.is_valid_ipv6("'$_service_host'"))')
if [[ "$is_service_host_ipv6" != "True" ]]; then
echo $SERVICE_HOST "SERVICE_HOST is not ipv6 which means devstack cannot deploy services on IPv6 address."
echo $SERVICE_HOST "SERVICE_HOST is not IPv6 which means devstack cannot deploy services on IPv6 addresses."
exit 1
fi
is_host_ipv6=$(python3 -c 'import oslo_utils.netutils as nutils; print(nutils.is_valid_ipv6("'$_host_ipv6'"))')
if [[ "$is_host_ipv6" != "True" ]]; then
echo $HOST_IPV6 "HOST_IPV6 is not ipv6 which means devstack cannot deploy services on IPv6 address."
echo $HOST_IPV6 "HOST_IPV6 is not IPv6 which means devstack cannot deploy services on IPv6 addresses."
exit 1
fi
is_service_listen_address=$(python3 -c 'import oslo_utils.netutils as nutils; print(nutils.is_valid_ipv6("'$_service_listen_address'"))')
if [[ "$is_service_listen_address" != "True" ]]; then
echo $SERVICE_LISTEN_ADDRESS "SERVICE_LISTEN_ADDRESS is not ipv6 which means devstack cannot deploy services on IPv6 address."
echo $SERVICE_LISTEN_ADDRESS "SERVICE_LISTEN_ADDRESS is not IPv6 which means devstack cannot deploy services on IPv6 addresses."
exit 1
fi
is_service_local_host=$(python3 -c 'import oslo_utils.netutils as nutils; print(nutils.is_valid_ipv6("'$_service_local_host'"))')
if [[ "$is_service_local_host" != "True" ]]; then
echo $SERVICE_LOCAL_HOST "SERVICE_LOCAL_HOST is not ipv6 which means devstack cannot deploy services on IPv6 address."
echo $SERVICE_LOCAL_HOST "SERVICE_LOCAL_HOST is not IPv6 which means devstack cannot deploy services on IPv6 addresses."
exit 1
fi
is_tunnel_endpoint_ip=$(python3 -c 'import oslo_utils.netutils as nutils; print(nutils.is_valid_ipv6("'$_tunnel_endpoint_ip'"))')
if [[ "$is_tunnel_endpoint_ip" != "True" ]]; then
echo $TUNNEL_ENDPOINT_IP "TUNNEL_ENDPOINT_IP is not IPv6 which means devstack will not deploy with an IPv6 endpoint address."
exit 1
fi
echo "Devstack is properly configured with IPv6"
echo "SERVICE_IP_VERSION: " $SERVICE_IP_VERSION "HOST_IPV6: " $HOST_IPV6 "SERVICE_HOST: " $SERVICE_HOST "SERVICE_LISTEN_ADDRESS: " $SERVICE_LISTEN_ADDRESS "SERVICE_LOCAL_HOST: " $SERVICE_LOCAL_HOST
echo "SERVICE_IP_VERSION:" $SERVICE_IP_VERSION "HOST_IPV6:" $HOST_IPV6 "SERVICE_HOST:" $SERVICE_HOST "SERVICE_LISTEN_ADDRESS:" $SERVICE_LISTEN_ADDRESS "SERVICE_LOCAL_HOST:" $SERVICE_LOCAL_HOST "TUNNEL_IP_VERSION:" $TUNNEL_IP_VERSION "TUNNEL_ENDPOINT_IP:" $TUNNEL_ENDPOINT_IP
}
function sanity_check_system_ipv6_enabled {
@@ -72,7 +83,7 @@ function verify_service_listen_address_is_ipv6 {
is_endpoint_ipv6=$(python3 -c 'import oslo_utils.netutils as nutils; print(nutils.is_valid_ipv6("'$endpoint_address'"))')
if [[ "$is_endpoint_ipv6" != "True" ]]; then
all_ipv6=False
echo $endpoint ": This is not ipv6 endpoint which means corresponding service is not listening on IPv6 address."
echo $endpoint ": This is not an IPv6 endpoint which means corresponding service is not listening on an IPv6 address."
continue
fi
endpoints_verified=True
@@ -80,7 +91,7 @@ function verify_service_listen_address_is_ipv6 {
if [[ "$all_ipv6" == "False" ]] || [[ "$endpoints_verified" == "False" ]]; then
exit 1
fi
echo "All services deployed by devstack is on IPv6 endpoints"
echo "All services deployed by devstack are on IPv6 endpoints"
echo $endpoints
}
+1 -1
View File
@@ -35,7 +35,7 @@ commands = bash -c "find {toxinidir} \
[testenv:docs]
deps =
-c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master}
-c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/zed}
-r{toxinidir}/doc/requirements.txt
allowlist_externals = bash
setenv =
+5 -4
View File
@@ -176,12 +176,13 @@ fi
# enabled backends. So if Cinder is enabled, and installed successfully we are
# sure lvm2 (lvremove, /etc/lvm/lvm.conf, etc.) is here.
if is_service_enabled cinder && is_package_installed lvm2; then
# Using /bin/true here indicates a BUG - maybe the
# DEFAULT_VOLUME_GROUP_NAME doesn't exist? We should
# isolate this further down in lib/cinder cleanup.
clean_lvm_volume_group $DEFAULT_VOLUME_GROUP_NAME || /bin/true
clean_lvm_filter
fi
clean_pyc_files
rm -Rf $DEST/async
# Clean any safe.directory items we wrote into the global
# gitconfig. We can identify the relevant ones by checking that they
# point to somewhere in our $DEST directory.
sudo sed -i "\+directory = ${DEST}+ d" /etc/gitconfig