OpenSSL 1.0.2 generates key files with default permissions: 644 and the
files are copied to the /etc/pki/* directories with sudo.
When the default CI node Ubuntu version was changed from Xenial =>
Bionic we changed from OpenSSL 1.0.2 => 1.1.0. And OpenSSL 1.1.0
generates key files with default permissions: 600. When we copy the key
file to /etc/pki/* using sudo, it becomes owned by root and then the
console-related users are unable to read it.
This sets the ownership of the /etc/pki/<console> files to the
user:group intended to read them.
Closes-Bug: #1819794
Change-Id: I437a46c875cf633272e8cad0811e5557f2ac3641
This makes three changes:
1. The quota options set when using the fake
virt driver have been renamed so we're getting
deprecation warnings on using the old names.
Rather than set each quota limit value individually,
we can just use the noop quota driver for the same
effect.
2. The enabled_filters list for the scheduler was last
updated when using the fake virt driver back in Juno
via Ic7ec87e4d497d9db58eec93f2b304fe9770a2bbc - with
the Placement service, we don't need the CoreFilter,
RamFilter or DiskFilter. Also, in general, we just
don't need to hard-code a list of scheduler filters
when using the fake virt driver. If one needs to set
their own scheduler filter list, they can do so using
the $FILTERS variable (or post-config for nova.conf).
3. The largeops job, which ran the Tempest scenario tests,
has been gone for a few years now, as have the Tempest
scenario tests, so the API_WORKERS modification when
using the fake virt driver should be removed. If we had
a CI job like the largeops job today, we would set the
worker config via the job rather than in devstack.
Change-Id: I8d2bb2af40b5db8a555482a0852b1604aec29f15
Nova has dropped support for non-resource class
baremetal scheduling, so the IRONIC_USE_RESOURCE_CLASSES
flag is no longer useful and has been removed.
Depends-On: https://review.openstack.org/565805/
Change-Id: Ib2e6c96409c98877f6a43b76f176c1420d2d415e
There is no way to upgrade ironic before nova because of
grenade design. In multinode job we do not restart nova
as we test partial upgrade of ironic there.
On slow nodes upgrading ironic takes time and nova looses
ironic connectivity
This patch increases api_retry_interval and api_max_retries
to make sure we have a time to upgrade ironic before nova
compute stuck.
Change-Id: I3b1429d6561431a82edda04a0e574cac38771837
The kvmibm removal I009ae4779588615633bff81d0c47a1b879ec9279
incorrectly removed this (the check was install if *not* kvmibm).
Since we don't support kvmibm any more, it should be safe to install
everywhere as done here.
For the full history, it started with us installing qemu-kvm-ev with
Ide91b261f35fb19d8bd7155ca016fa3b76a45ea1, then we fixed it to be more
generic and just install qemu-kvm with
I46da627c0da8925064862fdc283db81591979285, then Fedora 26 support in
I5c79ad1ef0b11dba30c931a59786f9eb7e7f8587 made this install everywhere
*but* kvmibm.
Change-Id: If3e9661451ad1055e7c8d670605a53095f0aeda4
Nova is gaining the ability to run TLS over the connection between the
novnc proxy service and the QEMU/KVM compute node VNC server.
This adds a new config param - 'NOVA_CONSOLE_PROXY_COMPUTE_TLS=True' -
which instructs devstack to configure libvirt/QEMU to enable TLS for the
VNC server, and to configure the novncproxy to use TLS when connecting.
NB this use of TLS is distinct from use of TLS for the public facing API
controlled by USE_SSL, they can be enabled independently.
This is done in a generic manner so that it is easy to extend to cover
use of TLS with the SPICE and serial console proxy services too.
Change-Id: Ib29d3f5f18533115b9c51e27b373e92fc0a28d1a
Depends-on: I9cc9a380500715e60bd05aa5c29ee46bc6f8d6c2
Implements bp: websocket-proxy-to-host-security
This makes the condition that chooses which daemon name libvirt to call
the same as for choosing the livirt package names.
Without this fix the condition checking for a directory is incorrect
when livirt is not yet installed, but is used before installing the
packages.
Change-Id: Ib5eb12769128527a6f4b3b5f7674bd2dad0ed160
As the following commit has renamed the two vnc options; let's
use the new options in devstack:
https://review.openstack.org/#/c/498387/
Change-Id: Id125666814ea9bb8a22b579aee0f6bc1c65ade80
The IBM hypervisor distro "KVM for IBM z Systems" gets discontiued,
like announced in March 2017 [1]. The key dates are:
* 03/2017: announcement
* 08/2017: the last day to order (EOM)
* 03/2018: the End of Service (EOL)
As the CI which tests OpenStack with KVM on IBM Z doesn't rely on this
distro anymore and EOM has reached, we remove the Devstack support for
this distro.
This basically reverts commit a5ea08b of Dec 2015.
NOTE: This doesn't affect other distros which have KVM on Z support.
References:
[1] FAQ for KVM for IBM z Systems Delivery Strategy Change
https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=ZSQ03110USEN&
Change-Id: I009ae4779588615633bff81d0c47a1b879ec9279
When using resource classes to schedule baremetal nodes the baremetal
filters like ExactRam etc should not be used. This patch disables them
in the nova config if devstack is configured to enable ironic resource
classes.
Change-Id: Ic262ccaf8b541308042d61113a953653d2261964
The only mentionable diff is the kvm alias
does not exists so we will install
qemu-kvm as with rhel7 which also exists
in the older supported fedoras.
kvm also just an alias in suse so
switching to qemu-kvm in suse as well.
Change-Id: I5c79ad1ef0b11dba30c931a59786f9eb7e7f8587
With libguestfs usage for file injection now being enabled by
default as part of I568c56dbcb62ec541661364c142eff2397e3eed7
the opensuse job started to fail due to lack of guestfs images
being available.
The error in question was
NovaException: libguestfs installed but not usable (cannot
find any suitable libguestfs supermin, fixed or old-style
appliance on LIBGUESTFS_PATH (search path: /usr/lib64/guestfs)
This part is being fixed by explicitly adding the missing package
dependencies to the compute node rpm package list while the maintenance
update for Leap 42.2 is in preparation.
Change-Id: Ie76ac0a51c1ee2ad6559917825dee1c7a91a3a76
When installing OpenStack via DevStack on XenServer, we need to
some preparation operations in dom0 which will refer the function
in devstack/tools/xen/functions file, but we are planning to move
the whole folder of tools/xen from devstack to os-xenapi, so it
this patch is to moving the dom0 related operation to os-xenapi
repo first.
Change-Id: Ib59d802a7a4eab4ccce0e29d80f29efa4655bc0b
Depends-On: I712ee74ce945859ba5118e09b7d9436ca2686cb7
The scheduler_default_filters config option moved out of the
DEFAULT option group into a more specific group, and the old
option is deprecated as a result so we need to update our usage.
Change-Id: I5d6574d19c3f16abadddb19f34cb645dcdcc07f4
This logic has been tied to OVS since it was introduced in [1] and
revised in [2]. However, many other backends may use tap devices that
aren't related to OVS, such as Calico[3] and Linux Bridge after [4]
merges.
This patch just removes the dependency on OVS specifically so
/dev/net/tun is added to cgroups whenever any Neutron backend is used.
This is done in other deployment tools like Juju[5] so it's not
unprecedented.
1. Ifab268f739b004db13024633e8abeb17691b9e46
2. Ic1da132fa421f1c70c10a319ee3239831b0f956f
3.
http://docs.projectcalico.org/master/getting-started/openstack/installation/ubuntu#compute-node-install
4. I23c5faaeab69aede1fd038a36f4a0b8f928498ce
5.
2790f81ecd/templates/qemu.conf
Change-Id: I075595158d8f3b5a6811c4794aa7b91912940db5
Partial-Bug: #1675343
libvirt-python compiles against the currently installed libvirt. If
you upgrade that, it needs to rebuild, however it won't change
versions, so pip install just noops. Force an uninstall / reinstall of
it every time to handle potential upgrades of libvirt.
Change-Id: If34541b34aa6d55eedaf6c603fd1fe92eb887308
This adds a flag and basic config for enabling coredumps for libvirt.
Partial-Bug: 1643911
Co-Authored-By: Matthew Booth <mbooth@redhat.com>
Change-Id: If7cd54e804a5a389a0d82a325b58f5b41b8ef0db
Now that we don't support Ubuntu Trusty anymore, we can remove
the ebtables race workaround.
Closes-Bug: #1675714
Change-Id: I70483f871e35fcaa933d1b7bac7dbb396aa22cef
The package libvirt-bin is a transitional package in Debian and should
not be used anymore.
Ubuntu Xenial is an exception here.
Because of that this change also adds the possibility to use "not:" to
exclude distros in files/debs/* just as "dist:" limits distros.
Depends-On: Icc59ea79f54d4ff8751f2e353ee3530fff3d961e
Closes-Bug: #1673840
Change-Id: I3998a7178d14ec40eae5cb199d66da9546cd6ccf
Previously we use a specific integration bridge for neutron ovs agent
which is running in compute node, but this isn't necessary, this
patch is to remove the specific integration bridge for XenSever and
remove the custom integration bridge definition
Depends-On: I675565e1ea6c887d40d7a53f62968c4aa385ecca
Change-Id: If5886e3711765a97f40f20e478f958b988b5a620
With XenServer we have two neutron-openvswitch-agent(q-agt, q-domua)
For the q-domua it is specific for XenServer, this patch is to move
the specific configurations to os-xenapi which we have devstack plugin
in that repo
Depends-On: Ic816404c84f6a8899d01a77cb67fbfb421653e6b
Change-Id: I8a31c81d9475387fe4ed7030b70b26098e588771
Since https://review.openstack.org/#/c/438325 landed
it only works for Centos 7, but not for other
RHEL-based distributions: Virtuozzo and, probably, RHEV.
Both of above have own version for qemu-kvm package: qemu-kvm-vz and qemu-kvm-rhev,
accordingly. These packages provide "qemu-kvm", like qemu-kvm-ev,
and, when you call "yum install qemu-kvm", they replace the default OS package.
Change-Id: I46da627c0da8925064862fdc283db81591979285
For the latest qemu-kvm, you have to use the qemu-kvm-ev package,
which is based off the qemu-kvm-rhev package, which is explained in
[1] but you probably can't read it. The gist is, that qemu-kvm-rhev
is a later build of kvm that is incompatible with the base version
provided. qemu-kvm-rhev is only provided with the RHV (ovirt) and
RHOS (openstack) products. CentOS rebuilds this package as
qemu-kvm-ev as part of it's virtualisation SIG.
I9a972e3fde2e4e552f6fc98350820c07873c3de3 has bumped up the minimum
qemu version to 2.1.0. It seems there is a an issue (bug #1668164)
where having the qemu-system package installed gets picked up if
installed, and reports the incorrect version to nova, causing failure.
This removes the installs from files/rpms/nova as it is all being done
in function-libvirt. We only install the qemu-kvm-ev package on
centos and remove the old work-around.
[1] https://access.redhat.com/solutions/629513
[2] https://wiki.centos.org/SpecialInterestGroup/Virtualization
Change-Id: Ide91b261f35fb19d8bd7155ca016fa3b76a45ea1
Hypervisor XenServer will change to use os-xenapi in the future,
this will need DevStack changes, this patch is to remove install
Dom0 plugins part to our own DevStack plugins.
Change-Id: Ic327135b893a77672fd42af919f47f181e932773
libguestfs does not work on ubuntu because the kernel is not
world readable. This breaks file injection with libvirt.
See https://bugs.launchpad.net/ubuntu/+source/linux/+bug/759725
for more details.
The workaround proposed by Ubuntu is to relax the kernel ACL
if needed, so we need to do that in case file injection is
enabled on an Ubuntu host running libvirt.
Partial-bug: #1646002
Change-Id: I405793b9e145308e51a08710d8e5df720aec6fde
Neutron has changed to use ovs native interface by default, but when
the hypervisor is XenServer, we cannot use ovs native interface without
extra configurations in neutron-openvswitch-agent(q-agt) in compute
node.
This patch is to add the needed configurations automatically during
deployment, so user needn't to do it manually and restart q-agt.
Change-Id: Ibc69d3cdb4d75833f2ac16840c62bcacf460dd4f
When using neutron network under xenserver, we must enable linux bridge
in Dom0 as neutron will use linux bridge qbr in compute node for
security group. But by default XenServer use openvswitch and disabled
linux bridge. This patch is to remove this restriction.
Change-Id: I0e8124ff2323810fdc46c717a750ce7e8f4aa0c6
As long as nova already supports an Identity v3 auth flow when talking
to ironic (Id837d26bb21c158de0504627e488c0692aef1e24), make it use
v3 by default.
This way we don't fail in a keystone v3-only situation, for
example.
Change-Id: I028dfb52108d0630f47a53f8b420b70d4979eb55
In Debian jessie and later release,there is no packages
called "qemu-kvm" for AArch64. Also modify the libguestfs0
packages for AArch64
Closes-bug: #1612182
Change-Id: I5eb6bd137896eb9abfc4f8dbb41b41105e4820cd
Signed-off-by: Kevin Zhao <kevin.zhao@linaro.org>
The use_usb_tablet option is replaced by the pointer_model
option.
Depends-On: Id18b5503799922e4096bde296a9e7bb4f2a994aa
Change-Id: Ic2a49f88df988c6404c1c72e9ee28a487e4f7908
There is a bit of a weird history here, but the net is we're not
installing python-guestfs when ENABLE_FILE_INJECTION is set, which
it is in the gate-tempest-dsvm-neutron-full-ssh job, which makes
file injection (personality) tests fail.
The history:
Commit 0ae942b41c6dcd0fe7353e7d68574194fb72a66d moved installing
python-guestfs to the hypervisor-libvirt file and it was conditional
on a flag to enable file injection and the backing distro.
Commit a3c94468baa159840a47c34cf94d97d816208313 removed the ability
to configure nova for file injection, which never made any Tempest
tests fail because we didn't have a job that tested file injection
with ssh, which is what gate-tempest-dsvm-neutron-full-ssh does.
Commit 6d3670a65280d71529f8aad8ca5a0422abffebd0 added the ability
back to enable file injection and the gate-tempest-dsvm-neutron-full-ssh
job uses it, but missed added the condition back in from 0ae942b41
which installed the python-guestfs package. This change adds that
back in.
Change-Id: I1c1ef093b70007100646c086dc5724cd64751d00
Closes-Bug: #1622649