195 Commits

Author SHA1 Message Date
melanie witt
e2853bf2d0 Set ownership of /etc/pki/<console> files for TLS
OpenSSL 1.0.2 generates key files with default permissions: 644 and the
files are copied to the /etc/pki/* directories with sudo.

When the default CI node Ubuntu version was changed from Xenial =>
Bionic we changed from OpenSSL 1.0.2 => 1.1.0. And OpenSSL 1.1.0
generates key files with default permissions: 600. When we copy the key
file to /etc/pki/* using sudo, it becomes owned by root and then the
console-related users are unable to read it.

This sets the ownership of the /etc/pki/<console> files to the
user:group intended to read them.

Closes-Bug: #1819794

Change-Id: I437a46c875cf633272e8cad0811e5557f2ac3641
2019-03-25 03:42:18 +00:00
Matt Riedemann
5e832d3061 Modernize VIRT_DRIVER=fake usage
This makes three changes:

1. The quota options set when using the fake
   virt driver have been renamed so we're getting
   deprecation warnings on using the old names.
   Rather than set each quota limit value individually,
   we can just use the noop quota driver for the same
   effect.

2. The enabled_filters list for the scheduler was last
   updated when using the fake virt driver back in Juno
   via Ic7ec87e4d497d9db58eec93f2b304fe9770a2bbc - with
   the Placement service, we don't need the CoreFilter,
   RamFilter or DiskFilter. Also, in general, we just
   don't need to hard-code a list of scheduler filters
   when using the fake virt driver. If one needs to set
   their own scheduler filter list, they can do so using
   the $FILTERS variable (or post-config for nova.conf).

3. The largeops job, which ran the Tempest scenario tests,
   has been gone for a few years now, as have the Tempest
   scenario tests, so the API_WORKERS modification when
   using the fake virt driver should be removed. If we had
   a CI job like the largeops job today, we would set the
   worker config via the job rather than in devstack.

Change-Id: I8d2bb2af40b5db8a555482a0852b1604aec29f15
2018-06-02 12:40:58 -04:00
Matt Riedemann
59e6ff10ce Remove IRONIC_USE_RESOURCE_CLASSES check
Nova has dropped support for non-resource class
baremetal scheduling, so the IRONIC_USE_RESOURCE_CLASSES
flag is no longer useful and has been removed.

Depends-On: https://review.openstack.org/565805/
Change-Id: Ib2e6c96409c98877f6a43b76f176c1420d2d415e
2018-05-02 11:45:09 -04:00
Zuul
96abf696f5 Merge "Increase api_max_retries and api_retry_interval for ironic" 2018-03-05 12:48:00 +00:00
Zuul
9f71c4ad4e Merge "nova: add support for TLS between novnc proxy & compute nodes" 2018-02-20 09:39:19 +00:00
Vasyl Saienko
64039ef300 Increase api_max_retries and api_retry_interval for ironic
There is no way to upgrade ironic before nova because of
grenade design. In multinode job we do not restart nova
as we test partial upgrade of ironic there.
On slow nodes upgrading ironic takes time and nova loses
ironic connectivity.

This patch increases api_retry_interval and api_max_retries
to make sure we have time to upgrade ironic before nova
compute gets stuck.

Change-Id: I3b1429d6561431a82edda04a0e574cac38771837
2018-01-23 12:07:19 +02:00
Zuul
c19d0cbb27 Merge "Fix libvirt daemon name condition" 2017-11-21 20:04:34 +00:00
Ian Wienand
0d0b69027b Restore qemu-kvm install for CentOS
The kvmibm removal I009ae4779588615633bff81d0c47a1b879ec9279
incorrectly removed this (the check was install if *not* kvmibm).
Since we don't support kvmibm any more, it should be safe to install
everywhere as done here.

For the full history, it started with us installing qemu-kvm-ev with
Ide91b261f35fb19d8bd7155ca016fa3b76a45ea1, then we fixed it to be more
generic and just install qemu-kvm with
I46da627c0da8925064862fdc283db81591979285, then Fedora 26 support in
I5c79ad1ef0b11dba30c931a59786f9eb7e7f8587 made this install everywhere
*but* kvmibm.

Change-Id: If3e9661451ad1055e7c8d670605a53095f0aeda4
2017-11-17 10:41:55 +11:00
Zuul
2647fc2ac1 Merge "Drop support for "kvmibm" distro" 2017-11-15 00:05:24 +00:00
Daniel P. Berrange
e9870eb18d nova: add support for TLS between novnc proxy & compute nodes
Nova is gaining the ability to run TLS over the connection between the
novnc proxy service and the QEMU/KVM compute node VNC server.

This adds a new config param - 'NOVA_CONSOLE_PROXY_COMPUTE_TLS=True' -
which instructs devstack to configure libvirt/QEMU to enable TLS for the
VNC server, and to configure the novncproxy to use TLS when connecting.
NB this use of TLS is distinct from use of TLS for the public facing API
controlled by USE_SSL, they can be enabled independently.

This is done in a generic manner so that it is easy to extend to cover
use of TLS with the SPICE and serial console proxy services too.

Change-Id: Ib29d3f5f18533115b9c51e27b373e92fc0a28d1a
Depends-on: I9cc9a380500715e60bd05aa5c29ee46bc6f8d6c2
Implements bp: websocket-proxy-to-host-security
2017-10-19 18:32:51 +00:00
Jan Zerebecki
2c2ca80ce0 Fix libvirt daemon name condition
This makes the condition that chooses which daemon name libvirt to call
the same as for choosing the libvirt package names.

Without this fix the condition checking for a directory is incorrect
when libvirt is not yet installed, but is used before installing the
packages.

Change-Id: Ib5eb12769128527a6f4b3b5f7674bd2dad0ed160
2017-10-17 18:34:30 +02:00
jianghua wang
843b039b3c Use the renamed vnc options
As the following commit has renamed the two vnc options; let's
use the new options in devstack:
https://review.openstack.org/#/c/498387/

Change-Id: Id125666814ea9bb8a22b579aee0f6bc1c65ade80
2017-10-13 07:25:43 +00:00
Markus Zoeller
b8335eebe8 Drop support for "kvmibm" distro
The IBM hypervisor distro "KVM for IBM z Systems" gets discontinued,
as announced in March 2017 [1]. The key dates are:

* 03/2017: announcement
* 08/2017: the last day to order (EOM)
* 03/2018: the End of Service (EOL)

As the CI which tests OpenStack with KVM on IBM Z doesn't rely on this
distro anymore and EOM has been reached, we remove the Devstack support for
this distro.

This basically reverts commit a5ea08b of Dec 2015.

NOTE: This doesn't affect other distros which have KVM on Z support.

References:
[1] FAQ for KVM for IBM z Systems Delivery Strategy Change
    https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=ZSQ03110USEN&

Change-Id: I009ae4779588615633bff81d0c47a1b879ec9279
2017-10-10 11:08:09 +02:00
Jenkins
401f43d4e1 Merge "Stop using ironic host manager with resource classes" 2017-10-06 03:17:02 +00:00
Vladyslav Drok
b79be36cdb Remove setting some of the scheduler settings
It makes sense to set them only if resource classes are not used.

Change-Id: I76d8501a1d1a20357acadad4cd8f2d6cef3896c1
2017-08-30 19:19:56 +03:00
Sam Betts
def67a47e8 Stop using ironic host manager with resource classes
There should be no need to use the ironic host manager when using
resource classes.

Change-Id: I9a51ea6582dfef28e4da5f8510742230d88cbaf3
2017-08-30 11:39:16 +01:00
Vasyl Saienko
0525e77d9f Increase host_subset_size for ironic
This patch increases host_subset_size when ironic is used to 999
to minimize race conditions.

Change-Id: I0874fe3b3628cb3e662ee01f24c4599247fdc82d
2017-08-15 22:03:23 +03:00
Sam Betts
801494550a Disable baremetal sched filters when using resource classes
When using resource classes to schedule baremetal nodes the baremetal
filters like ExactRam etc should not be used. This patch disables them
in the nova config if devstack is configured to enable ironic resource
classes.

Change-Id: Ic262ccaf8b541308042d61113a953653d2261964
2017-08-04 12:19:47 +01:00
Attila Fazekas
7bbd4e95d0 Add f26 to the supported distros
The only mentionable diff is the kvm alias
does not exist so we will install
qemu-kvm as with rhel7 which also exists
in the older supported fedoras.

kvm is also just an alias in suse so
switching to qemu-kvm in suse as well.

Change-Id: I5c79ad1ef0b11dba30c931a59786f9eb7e7f8587
2017-07-24 07:32:15 +02:00
Dirk Mueller
a6467d36db Prepare guestfs-support for openSUSE
With libguestfs usage for file injection now being enabled by
default as part of I568c56dbcb62ec541661364c142eff2397e3eed7
the opensuse job started to fail due to lack of guestfs images
being available.

The error in question was
NovaException: libguestfs installed but not usable (cannot
find any suitable libguestfs supermin, fixed or old-style
appliance on LIBGUESTFS_PATH (search path: /usr/lib64/guestfs)

This part is being fixed by explicitly adding the missing package
dependencies to the compute node rpm package list while the maintenance
update for Leap 42.2 is in preparation.

Change-Id: Ie76ac0a51c1ee2ad6559917825dee1c7a91a3a76
2017-07-18 11:32:02 +02:00
Huan Xie
f15fd26943 XenAPI: Move dom0 related operations to os-xenapi devstack plugin
When installing OpenStack via DevStack on XenServer, we need to
do some preparation operations in dom0 which will refer to the function
in devstack/tools/xen/functions file, but we are planning to move
the whole folder of tools/xen from devstack to os-xenapi, so
this patch is to move the dom0 related operation to os-xenapi
repo first.

Change-Id: Ib59d802a7a4eab4ccce0e29d80f29efa4655bc0b
Depends-On: I712ee74ce945859ba5118e09b7d9436ca2686cb7
2017-06-07 22:02:56 -07:00
Matt Riedemann
1ade00da55 Fix scheduler_default_filters usage
The scheduler_default_filters config option moved out of the
DEFAULT option group into a more specific group, and the old
option is deprecated as a result so we need to update our usage.

Change-Id: I5d6574d19c3f16abadddb19f34cb645dcdcc07f4
2017-06-05 11:01:45 -04:00
Kevin Benton
d1fe0e62e7 Always setup libvirt for tap devices when using Neutron
This logic has been tied to OVS since it was introduced in [1] and
revised in [2]. However, many other backends may use tap devices that
aren't related to OVS, such as Calico[3] and Linux Bridge after [4]
merges.

This patch just removes the dependency on OVS specifically so
/dev/net/tun is added to cgroups whenever any Neutron backend is used.
This is done in other deployment tools like Juju[5] so it's not
unprecedented.

1. Ifab268f739b004db13024633e8abeb17691b9e46
2. Ic1da132fa421f1c70c10a319ee3239831b0f956f
3. http://docs.projectcalico.org/master/getting-started/openstack/installation/ubuntu#compute-node-install
4. I23c5faaeab69aede1fd038a36f4a0b8f928498ce
5. 2790f81ecd/templates/qemu.conf

Change-Id: I075595158d8f3b5a6811c4794aa7b91912940db5
Partial-Bug: #1675343
2017-05-17 06:07:35 +00:00
Sean Dague
f28e7ef6ba uninstall libvirt-python and reinstall
libvirt-python compiles against the currently installed libvirt. If
you upgrade that, it needs to rebuild, however it won't change
versions, so pip install just noops. Force an uninstall / reinstall of
it every time to handle potential upgrades of libvirt.

Change-Id: If34541b34aa6d55eedaf6c603fd1fe92eb887308
2017-05-08 07:30:20 -04:00
Sean Dague
c13b8a1f33 try to use unversioned keystone endpoints everywhere
Change-Id: Iad2a3654d8ba181a7ad452d8aba872a8313d4ece
2017-05-01 09:12:20 -04:00
Jenkins
03fbc0d71b Merge "Do not use libvirt-bin package anymore" 2017-04-07 00:37:36 +00:00
Jenkins
ec60d050f5 Merge "Remove the EBTABLES_RACE_FIX added for Trusty" 2017-04-07 00:33:30 +00:00
Jenkins
9b6080d859 Merge "Use br-int when XenServer is hypervisor" 2017-04-06 23:30:03 +00:00
Jenkins
4df8d6d425 Merge "Remove XenServer specific ovs agent config" 2017-04-05 11:54:39 +00:00
Ian Wienand
bfcc760b96 Enable libvirt coredumps
This adds a flag and basic config for enabling coredumps for libvirt.

Partial-Bug: 1643911
Co-Authored-By: Matthew Booth <mbooth@redhat.com>

Change-Id: If7cd54e804a5a389a0d82a325b58f5b41b8ef0db
2017-03-30 17:29:29 +11:00
Jordan Pittier
1298f1bacd Remove the EBTABLES_RACE_FIX added for Trusty
Now that we don't support Ubuntu Trusty anymore, we can remove
the ebtables race workaround.

Closes-Bug: #1675714
Change-Id: I70483f871e35fcaa933d1b7bac7dbb396aa22cef
2017-03-28 08:16:07 +11:00
David Rabel
682e0abe1a Do not use libvirt-bin package anymore
The package libvirt-bin is a transitional package in Debian and should
not be used anymore.

Ubuntu Xenial is an exception here.

Because of that this change also adds the possibility to use "not:" to
exclude distros in files/debs/* just as "dist:" limits distros.

Depends-On: Icc59ea79f54d4ff8751f2e353ee3530fff3d961e
Closes-Bug: #1673840
Change-Id: I3998a7178d14ec40eae5cb199d66da9546cd6ccf
2017-03-24 10:44:10 +01:00
Huan Xie
9e64bad03a Use br-int when XenServer is hypervisor
Previously we used a specific integration bridge for neutron ovs agent
which is running in compute node, but this isn't necessary. This
patch is to remove the specific integration bridge for XenServer and
remove the custom integration bridge definition.

Depends-On: I675565e1ea6c887d40d7a53f62968c4aa385ecca

Change-Id: If5886e3711765a97f40f20e478f958b988b5a620
2017-03-22 19:11:34 -07:00
Huan Xie
c779b00840 Remove XenServer specific ovs agent config
With XenServer we have two neutron-openvswitch-agents (q-agt, q-domua).
The q-domua one is specific to XenServer; this patch is to move
the specific configurations to os-xenapi, where we have a devstack plugin
in that repo.

Depends-On: Ic816404c84f6a8899d01a77cb67fbfb421653e6b

Change-Id: I8a31c81d9475387fe4ed7030b70b26098e588771
2017-03-21 20:56:58 -07:00
Jim Rollenhagen
983cccb75b Enable baremetal scheduler filters when using ironic
These are recommended for all ironic deploys; turn them on.

Change-Id: Ia3df144e626266ed1774c4cd9863aedb876c409f
2017-03-21 18:37:24 -04:00
Evgeny Antyshev
008aa3e095 Fix install_libvirt for other RHEL-based distros
Since https://review.openstack.org/#/c/438325 landed
it only works for CentOS 7, but not for other
RHEL-based distributions: Virtuozzo and, probably, RHEV.

Both of the above have their own version of the qemu-kvm package: qemu-kvm-vz and qemu-kvm-rhev,
respectively. These packages provide "qemu-kvm", like qemu-kvm-ev,
and, when you call "yum install qemu-kvm", they replace the default OS package.

Change-Id: I46da627c0da8925064862fdc283db81591979285
2017-03-02 11:14:25 +00:00
Ian Wienand
52bb64105f Use qemu-kvm-ev package on centos
For the latest qemu-kvm, you have to use the qemu-kvm-ev package,
which is based off the qemu-kvm-rhev package, which is explained in
[1] but you probably can't read it.  The gist is, that qemu-kvm-rhev
is a later build of kvm that is incompatible with the base version
provided.  qemu-kvm-rhev is only provided with the RHV (ovirt) and
RHOS (openstack) products.  CentOS rebuilds this package as
qemu-kvm-ev as part of its virtualisation SIG.

I9a972e3fde2e4e552f6fc98350820c07873c3de3 has bumped up the minimum
qemu version to 2.1.0.  It seems there is an issue (bug #1668164)
where having the qemu-system package installed gets picked up if
installed, and reports the incorrect version to nova, causing failure.

This removes the installs from files/rpms/nova as it is all being done
in function-libvirt.  We only install the qemu-kvm-ev package on
centos and remove the old work-around.

[1] https://access.redhat.com/solutions/629513
[2] https://wiki.centos.org/SpecialInterestGroup/Virtualization

Change-Id: Ide91b261f35fb19d8bd7155ca016fa3b76a45ea1
2017-02-27 18:59:49 +11:00
Sean Dague
999dd7e989 only apply ebtables race fix on trusty
Change-Id: Ifc83e7301d9d921ce9ceed349f116584ce03842b
2017-02-09 17:56:40 -05:00
Huan Xie
c608184211 XenAPI: Use XenServer DevStack plugins
Hypervisor XenServer will change to use os-xenapi in the future,
this will need DevStack changes, this patch is to remove install
Dom0 plugins part to our own DevStack plugins.

Change-Id: Ic327135b893a77672fd42af919f47f181e932773
2017-01-09 17:43:24 -08:00
Jenkins
d0df7c88f2 Merge "Fix libguestfs on Ubuntu" 2016-12-05 17:34:29 +00:00
Andrea Frittoli
1c442eebc8 Fix libguestfs on Ubuntu
libguestfs does not work on ubuntu because the kernel is not
world readable. This breaks file injection with libvirt.
See https://bugs.launchpad.net/ubuntu/+source/linux/+bug/759725
for more details.

The workaround proposed by Ubuntu is to relax the kernel ACL
if needed, so we need to do that in case file injection is
enabled on an Ubuntu host running libvirt.

Partial-bug: #1646002
Change-Id: I405793b9e145308e51a08710d8e5df720aec6fde
2016-12-01 17:00:41 +00:00
Huan Xie
2864150940 Make neutron ml2 use ovs native interface
Neutron has changed to use ovs native interface by default, but when
the hypervisor is XenServer, we cannot use ovs native interface without
extra configurations in neutron-openvswitch-agent (q-agt) in compute
node.

This patch is to add the needed configurations automatically during
deployment, so the user needn't do it manually and restart q-agt.

Change-Id: Ibc69d3cdb4d75833f2ac16840c62bcacf460dd4f
2016-11-30 17:19:36 +00:00
Huan Xie
f881a0e4ee XenAPI: Enable linux bridge in Dom0 for neutron
When using neutron network under xenserver, we must enable linux bridge
in Dom0 as neutron will use linux bridge qbr in compute node for
security group. But by default XenServer uses openvswitch and disables
linux bridge. This patch is to remove this restriction.

Change-Id: I0e8124ff2323810fdc46c717a750ce7e8f4aa0c6
2016-11-02 20:50:41 -07:00
Jenkins
8caeb035f4 Merge "Make Nova/Ironic communication use Identity v3" 2016-10-13 19:55:06 +00:00
Jenkins
c330a8a661 Merge "nova: stop setting deprecated use_usb_tablet option" 2016-10-12 02:24:04 +00:00
Jenkins
1c13be860b Merge "Modify the default Qemu packages name for AArch64." 2016-10-10 13:58:17 +00:00
Clenimar Filemon
57df186c13 Make Nova/Ironic communication use Identity v3
As long as nova already supports an Identity v3 auth flow when talking
to ironic (Id837d26bb21c158de0504627e488c0692aef1e24), make it use
v3 by default.

This way we don't fail in a keystone v3-only situation, for
example.

Change-Id: I028dfb52108d0630f47a53f8b420b70d4979eb55
2016-10-04 16:27:02 +00:00
Kevin Zhao
a80d4097a9 Modify the default Qemu packages name for AArch64.
In Debian jessie and later releases, there is no package
called "qemu-kvm" for AArch64. Also modify the libguestfs0
package for AArch64.

Closes-bug: #1612182

Change-Id: I5eb6bd137896eb9abfc4f8dbb41b41105e4820cd
Signed-off-by: Kevin Zhao <kevin.zhao@linaro.org>
2016-09-22 07:44:43 +00:00
Matt Riedemann
14cb490d1e nova: stop setting deprecated use_usb_tablet option
The use_usb_tablet option is replaced by the pointer_model
option.

Depends-On: Id18b5503799922e4096bde296a9e7bb4f2a994aa

Change-Id: Ic2a49f88df988c6404c1c72e9ee28a487e4f7908
2016-09-13 15:51:23 -04:00
Matt Riedemann
6390d5ef82 libvirt: install python-guestfs when ENABLE_FILE_INJECTION=True
There is a bit of a weird history here, but the net is we're not
installing python-guestfs when ENABLE_FILE_INJECTION is set, which
it is in the gate-tempest-dsvm-neutron-full-ssh job, which makes
file injection (personality) tests fail.

The history:

Commit 0ae942b41c6dcd0fe7353e7d68574194fb72a66d moved installing
python-guestfs to the hypervisor-libvirt file and it was conditional
on a flag to enable file injection and the backing distro.

Commit a3c94468baa159840a47c34cf94d97d816208313 removed the ability
to configure nova for file injection, which never made any Tempest
tests fail because we didn't have a job that tested file injection
with ssh, which is what gate-tempest-dsvm-neutron-full-ssh does.

Commit 6d3670a65280d71529f8aad8ca5a0422abffebd0 added the ability
back to enable file injection and the gate-tempest-dsvm-neutron-full-ssh
job uses it, but missed adding the condition back in from 0ae942b41
which installed the python-guestfs package. This change adds that
back in.

Change-Id: I1c1ef093b70007100646c086dc5724cd64751d00
Closes-Bug: #1622649
2016-09-12 11:35:22 -04:00