As set out in bug #1933096 these bindings are dynamically built against
the version of libvirt present in the environment at build time.
As a result using a pre-built wheel can cause AttributeError's when the
bindings have previously been built elsewhere against an older version
of libvirt installed on the host. This is currently the case in CentOS 8
stream based CI jobs where we try to use 7.4.0 bindings that appear to
be built against libvirt <= 6.10 leading to bug #1933096.
This change seeks to avoid this by installing the bindings from packages
that will always be built against the correct corresponding version of
libvirt.
Change-Id: I76184c17a776c4e1ecaab9549d9d36c8c07c60fa
Closes-Bug: #1933096
The Secure RBAC effort has updated Ironic such that it
can support a mode where it is scope enforcing for all
interactions with the API. Due to the design, and operating
nature of Ironic's API, services speaking with it must
authenticate with a system scope to have a full picture
of the universe.
In this case, we need to update the nova configuration
accordingly such that the compute service understands
how to talk to ironic so that it can see the nodes under
management.
Ironic will likely update this again at a later point in
time to enable a "hybrid" mixed-mode as the operating model
and related permissions *should* allow nova to use a project
scoped "owner" account with Ironic, in order to access
and command nodes to deploy. But at this time, we're
focusing on the exclusive operating mode.
Change-Id: I1946725ce08c495178c419eaf38829f921c91bbe
Needed-By: https://review.opendev.org/c/openstack/ironic/+/778957
CentOS Stream 8 (aka CentOS 8 Stream) is the currently
supported runtime platform. [0]
Some background history:
The Manila team has asked QA to test centos-8-stream
in the common gate.
A bit later it turned out the point releases of CentOS 8 (aka
CentOS Linux 8) will stop happening entirely by the end of 2021.
[1]
Includes a workaround to the edk2-ovmf issue on CentOS Stream 8
x86_64.
[0] https://governance.openstack.org/tc/reference/runtimes/xena.html
[1] https://lists.centos.org/pipermail/centos-devel/2020-December/075451.html
Change-Id: Iee5a262af757f27f79ba1d6f790e949427dca190
The XenAPI driver was removed during the Victoria release [1], while the
libvirt+xen driver has been removed in the Wallaby release [2]. Remove
references to Xen from DevStack since its all a no-op now.
[1] I42b302afbb1cfede7a0f7b16485a596cd70baf17
[2] I73305e82da5d8da548961b801a8e75fb0e8c4cf1
Change-Id: If7055feb88391f496a5e5e4c72008bf0050c5356
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
Keystone no longer has any special functionality hidden behind the admin
endpoint. Stop referencing it in consumers, so it can later be dropped
completely.
Change-Id: I04a5d77908005268cc7c59e7e9ddeea70f6732e2
The bug has been fixed since a while, also in recent distributions,
for example Ubuntu 20.04, the sgabios.bin ROM is provided directly
by qemu-system-data as an actual file under /usr/share/qemu and
it conflicts with the one provided by sgabios, so removing the
workaround is actually needed to prevent failures.
Change-Id: Ib5f23dbd8839a0927418692054f4ed4abd76babc
The virt-preview repo provides the latest rawhide versions of QEMU,
Libvirt and other virt tools for older releases of Fedora. This repo is
extremely useful when testing features in OpenStack that rely on these
latest builds well in advance of them landing in full Fedora, CentOS or
RHEL releases.
This change adds a ``ENABLE_FEDORA_VIRT_PREVIEW_REPO`` configurable
to control when this repo is enabled and used when deploying on Fedora.
Change-Id: I5c3e1b7b632fd73310c462530990cdb0e0c0ceea
In same cases, the hypervisor presents to the guest OS a named CPU model
is similar to the host CPU and adds extra features to approximate the
host model. However, this does not guarantee all features will be
precisely match.
This patch adds LIBVIRT_CPU_MODE to allow users to define the CPU mode
they want to use, for example "host-passthrough".
Change-Id: I83792c776b50d1d22584be2a37cc6a166f09c72b
This option has default to the 'NoopFirewallDriver' for some time and
will soon be removed. Stop configuring it entirely.
Change-Id: I4dbc0015cf26d7edf51d0d5fd978ccd3a1ad1b79
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
With the goals of Ussuri being Python 3.6 [1], the python 3.5
environment on Xenial is too old. Remove testing and the most obvious
bits of support from devstack.
Also drop claimed support for artful, which is long EOL.
[1] https://governance.openstack.org/tc/reference/runtimes/ussuri.html
Change-Id: Iefcca99904dde76b34efbbfc0e04515dfa5a09e5
When configuring TLS between the console proxy (where the n-novnc
service runs) and the compute host, some configuration for QEMU needs
to be done on the compute host. The existing code for this requires the
n-novnc service to be running, which it is in a single node all-in-one
deployment. However, when running in a multinode deployment, the
n-novnc service runs only on the controller and not on the subnode.
Yet, we need to configure QEMU on the subnode compute host as well.
This removes the n-novnc service requirement to enable TLS QEMU
configuration to occur on a compute subnode in a multinode deployment.
Closes-Bug: #1849418
Change-Id: I8b6970e91ad7f52ff489cb9f776ca216d8f86aa4
We're trying to get nova to talk to ironic through openstacksdk and need
to be able to specify retry limits/intervals there. We could reuse the
existing conf options, but better to support the standard ones exposed
from keystoneauth1 via [1] and [2].
Note that these will be ignored unless you have keystoneauth1 3.15.0
(for [1]) or 3.16.0 ([1] and [2]) and are building your adapter using
ksa-derived conf options (see the Needed-By).
Needed-By: https://review.opendev.org/642899
[1] https://review.opendev.org/#/c/666287/
[2] https://review.opendev.org/#/c/672930/
Change-Id: I79c416e25d635b0ffa419640b4bd91e36f78b1ab
Trying to deploy OpenStack environment consisting of ironic nova
hypervisor & hardware Ironic node (not VM Ironic node) with devstack
got failed.
Devstack error says error occurred while calling configure_libvirt
in configure_nova_hypervisor. This happens because libvirt related
packages are not installed when specifying "VIRT_DRIVER=ironic"
and "IRONIC_IS_HARDWARE=True".
To fix this problem, this commit add "if" statement to check
Ironic node is hardware or not using "is_ironic_hardware" function
in "function-common" file.
Change-Id: I1113478175fadec79d0f8bf6ae842ed86e5e686b
Closes-Bug: #1834985
Remove nova cells v1 support, which also allows/necessitates removing
support for nova networks (which was only supported with cells v1) and
nova-consoleauth (which was required by cells v1 but is unnecessary
otherwise).
The Depends-On isn't really necessary, but it's here to make sure this
doesn't merge until we _really_ have killed cells v1.
I honestly expected this patch would be bigger.
Change-Id: I90316208d1af42c1659d3bee386f95e38aaf2c56
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
Depends-On: Ib0e0b708c46e4330e51f8f8fdfbb02d45aaf0f44
We should always pass on a region when talking to
ironic. This will also help detect and test issues
specific to regions.
Change-Id: Iaab3c1bcedc5aaa2106c0758cbb43bade3de2cf5
OpenSSL 1.0.2 generates key files with default permissions: 644 and the
files are copied to the /etc/pki/* directories with sudo.
When the default CI node Ubuntu version was changed from Xenial =>
Bionic we changed from OpenSSL 1.0.2 => 1.1.0. And OpenSSL 1.1.0
generates key files with default permissions: 600. When we copy the key
file to /etc/pki/* using sudo, it becomes owned by root and then the
console-related users are unable to read it.
This sets the ownership of the /etc/pki/<console> files to the
user:group intended to read them.
Closes-Bug: #1819794
Change-Id: I437a46c875cf633272e8cad0811e5557f2ac3641
The read_password function is defined inside stack.sh
and it cannot be used inside the "public library interface"
provided by DevStack.
Move the calls found inside library files to stack.sh,
following the same pattern of the other calls to read_password.
Change-Id: I8adc6723b677dfac2bef735f660e056c498bf773
This makes three changes:
1. The quota options set when using the fake
virt driver have been renamed so we're getting
deprecation warnings on using the old names.
Rather than set each quota limit value individually,
we can just use the noop quota driver for the same
effect.
2. The enabled_filters list for the scheduler was last
updated when using the fake virt driver back in Juno
via Ic7ec87e4d497d9db58eec93f2b304fe9770a2bbc - with
the Placement service, we don't need the CoreFilter,
RamFilter or DiskFilter. Also, in general, we just
don't need to hard-code a list of scheduler filters
when using the fake virt driver. If one needs to set
their own scheduler filter list, they can do so using
the $FILTERS variable (or post-config for nova.conf).
3. The largeops job, which ran the Tempest scenario tests,
has been gone for a few years now, as have the Tempest
scenario tests, so the API_WORKERS modification when
using the fake virt driver should be removed. If we had
a CI job like the largeops job today, we would set the
worker config via the job rather than in devstack.
Change-Id: I8d2bb2af40b5db8a555482a0852b1604aec29f15
Nova has dropped support for non-resource class
baremetal scheduling, so the IRONIC_USE_RESOURCE_CLASSES
flag is no longer useful and has been removed.
Depends-On: https://review.openstack.org/565805/
Change-Id: Ib2e6c96409c98877f6a43b76f176c1420d2d415e
There is no way to upgrade ironic before nova because of
grenade design. In multinode job we do not restart nova
as we test partial upgrade of ironic there.
On slow nodes upgrading ironic takes time and nova looses
ironic connectivity
This patch increases api_retry_interval and api_max_retries
to make sure we have a time to upgrade ironic before nova
compute stuck.
Change-Id: I3b1429d6561431a82edda04a0e574cac38771837
The kvmibm removal I009ae4779588615633bff81d0c47a1b879ec9279
incorrectly removed this (the check was install if *not* kvmibm).
Since we don't support kvmibm any more, it should be safe to install
everywhere as done here.
For the full history, it started with us installing qemu-kvm-ev with
Ide91b261f35fb19d8bd7155ca016fa3b76a45ea1, then we fixed it to be more
generic and just install qemu-kvm with
I46da627c0da8925064862fdc283db81591979285, then Fedora 26 support in
I5c79ad1ef0b11dba30c931a59786f9eb7e7f8587 made this install everywhere
*but* kvmibm.
Change-Id: If3e9661451ad1055e7c8d670605a53095f0aeda4
Nova is gaining the ability to run TLS over the connection between the
novnc proxy service and the QEMU/KVM compute node VNC server.
This adds a new config param - 'NOVA_CONSOLE_PROXY_COMPUTE_TLS=True' -
which instructs devstack to configure libvirt/QEMU to enable TLS for the
VNC server, and to configure the novncproxy to use TLS when connecting.
NB this use of TLS is distinct from use of TLS for the public facing API
controlled by USE_SSL, they can be enabled independently.
This is done in a generic manner so that it is easy to extend to cover
use of TLS with the SPICE and serial console proxy services too.
Change-Id: Ib29d3f5f18533115b9c51e27b373e92fc0a28d1a
Depends-on: I9cc9a380500715e60bd05aa5c29ee46bc6f8d6c2
Implements bp: websocket-proxy-to-host-security
This makes the condition that chooses which daemon name libvirt to call
the same as for choosing the livirt package names.
Without this fix the condition checking for a directory is incorrect
when livirt is not yet installed, but is used before installing the
packages.
Change-Id: Ib5eb12769128527a6f4b3b5f7674bd2dad0ed160
As the following commit has renamed the two vnc options; let's
use the new options in devstack:
https://review.openstack.org/#/c/498387/
Change-Id: Id125666814ea9bb8a22b579aee0f6bc1c65ade80
The IBM hypervisor distro "KVM for IBM z Systems" gets discontiued,
like announced in March 2017 [1]. The key dates are:
* 03/2017: announcement
* 08/2017: the last day to order (EOM)
* 03/2018: the End of Service (EOL)
As the CI which tests OpenStack with KVM on IBM Z doesn't rely on this
distro anymore and EOM has reached, we remove the Devstack support for
this distro.
This basically reverts commit a5ea08b of Dec 2015.
NOTE: This doesn't affect other distros which have KVM on Z support.
References:
[1] FAQ for KVM for IBM z Systems Delivery Strategy Change
https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=ZSQ03110USEN&
Change-Id: I009ae4779588615633bff81d0c47a1b879ec9279
When using resource classes to schedule baremetal nodes the baremetal
filters like ExactRam etc should not be used. This patch disables them
in the nova config if devstack is configured to enable ironic resource
classes.
Change-Id: Ic262ccaf8b541308042d61113a953653d2261964
The only mentionable diff is the kvm alias
does not exists so we will install
qemu-kvm as with rhel7 which also exists
in the older supported fedoras.
kvm also just an alias in suse so
switching to qemu-kvm in suse as well.
Change-Id: I5c79ad1ef0b11dba30c931a59786f9eb7e7f8587
With libguestfs usage for file injection now being enabled by
default as part of I568c56dbcb62ec541661364c142eff2397e3eed7
the opensuse job started to fail due to lack of guestfs images
being available.
The error in question was
NovaException: libguestfs installed but not usable (cannot
find any suitable libguestfs supermin, fixed or old-style
appliance on LIBGUESTFS_PATH (search path: /usr/lib64/guestfs)
This part is being fixed by explicitly adding the missing package
dependencies to the compute node rpm package list while the maintenance
update for Leap 42.2 is in preparation.
Change-Id: Ie76ac0a51c1ee2ad6559917825dee1c7a91a3a76
When installing OpenStack via DevStack on XenServer, we need to
some preparation operations in dom0 which will refer the function
in devstack/tools/xen/functions file, but we are planning to move
the whole folder of tools/xen from devstack to os-xenapi, so it
this patch is to moving the dom0 related operation to os-xenapi
repo first.
Change-Id: Ib59d802a7a4eab4ccce0e29d80f29efa4655bc0b
Depends-On: I712ee74ce945859ba5118e09b7d9436ca2686cb7
The scheduler_default_filters config option moved out of the
DEFAULT option group into a more specific group, and the old
option is deprecated as a result so we need to update our usage.
Change-Id: I5d6574d19c3f16abadddb19f34cb645dcdcc07f4
This logic has been tied to OVS since it was introduced in [1] and
revised in [2]. However, many other backends may use tap devices that
aren't related to OVS, such as Calico[3] and Linux Bridge after [4]
merges.
This patch just removes the dependency on OVS specifically so
/dev/net/tun is added to cgroups whenever any Neutron backend is used.
This is done in other deployment tools like Juju[5] so it's not
unprecedented.
1. Ifab268f739b004db13024633e8abeb17691b9e46
2. Ic1da132fa421f1c70c10a319ee3239831b0f956f
3.
http://docs.projectcalico.org/master/getting-started/openstack/installation/ubuntu#compute-node-install
4. I23c5faaeab69aede1fd038a36f4a0b8f928498ce
5.
2790f81ecd/templates/qemu.conf
Change-Id: I075595158d8f3b5a6811c4794aa7b91912940db5
Partial-Bug: #1675343
libvirt-python compiles against the currently installed libvirt. If
you upgrade that, it needs to rebuild, however it won't change
versions, so pip install just noops. Force an uninstall / reinstall of
it every time to handle potential upgrades of libvirt.
Change-Id: If34541b34aa6d55eedaf6c603fd1fe92eb887308