The RPC transport_url for keystone was being set in the DEFAULT
section, even though keystone doesn't do anything with it. Instead,
keystone leans on the [oslo_messaging_notification] section from
oslo.messaging to register the transport_url option.
This change sets the transport_url in the proper section instead of
using the DEFAULT section.
Change-Id: I11590d0175da7ea310d5529f2d7c0bf8d7fb25b3
This patch provides a new mechanism to deploy Neutron using
WSGI script. This also starts a Neutron RPC server process
when the Neutron API is loaded via a WSGI entry point to
serve the agents.
Co-Authored-By: Victor Morales <victor.morales@intel.com>
Co-Authored-By: Nguyen Phuong An <AnNP@vn.fujitsu.com>
Change-Id: I16a199b04858bfc03ef50d9883154dba8b0d66ea
Depends-On: https://review.openstack.org/#/c/580049/
Partially-implements: blueprint run-in-wsgi-server
The tempest-multinode-full job is running the c-bak
service on the subnode where swift isn't running, and
because of the "is_enabled_service swift" check, cinder
on the subnode wasn't getting configured to talk to
swift so the c-bak service was down. Since chances are
good that we're running swift, just configure cinder
to always use it.
Change-Id: I86b090967dadeeefc017ff0311beeea9441b6ba6
Closes-Bug: #1783128
Recently, Keystone renamed "Member" role to "member"
(case-sensitive) with https://review.openstack.org/#/c/572243/14
Case-sensitivity role requirement in Keystone was recently
formalized with https://review.openstack.org/#/c/576640/
From the above reference:
"Role names are case-insensitive. for example, when keystone
bootstraps default roles, it creates `admin`, `member`, and
`reader`. If another role `Member` (note the upper case 'M') is
created, keystone will return a `409` Conflict since it considers
the name "Member" == "member". Note that case is preserved in these
cases."
It follows that Tempest should use "member" role by default.
Change-Id: Iebf04fdb4c195b6779c74f66da3f7822cf174494
token.provider.drvier.uuid and token.driver
has been removed from keystone[1].
Devstack has reference/setting of those config
options which is confusing for user and it can
lead to import error like[2]
This commit cleanup the devstack bits of removed
config options.
bp removed-as-of-rocky
[1] https://blueprints.launchpad.net/keystone/+spec/removed-as-of-rocky
[2] http://paste.openstack.org/show/725391/
Change-Id: I29b3b356622c485c4c1046679234a38e7b645071
With the move to flask, Keystone does not utilize paste-ini. This
patchset removes the paste-ini support from devstack for Keystone.
Change-Id: I8dd629937c9178660992fd648175dbef80ffa3c2
The commit e95f2a3664 broke
networking-ovn (and potentially other ml2 drivers) by making the config
parameter mandatory. It doesn't need to be.
Change-Id: I0d5738ac3a6d27ddb7655835d77689409a6ff6f4
The nova-conductor service running in the cell
needs to be configured to talk to neutron for
things like deallocating networks during server
build failure. This changes the configure_neutron_nova
flows such that the top-level nova.conf is configured
as before, but we also configure each nova_cell*.conf
cell conductor config files to also be able to talk
to neutron.
Change-Id: Ic5e17298996b5fb085272425bb3b68583247aa34
Closes-Bug: #1777505
Keystone now provides a set of default roles in addition to `admin`
by default [0]. This is done during the `keystone-manage bootstrap`
process.
This change aligns the `Member` role override from devstack with the
`member` role provided from keystone.
[0] https://review.openstack.org/#/c/572243/
Change-Id: I3da3530aa73a8a1500116bcefdcba7b947d5e05e
Closes-Bug: 1777359
This makes three changes:
1. The quota options set when using the fake
virt driver have been renamed so we're getting
deprecation warnings on using the old names.
Rather than set each quota limit value individually,
we can just use the noop quota driver for the same
effect.
2. The enabled_filters list for the scheduler was last
updated when using the fake virt driver back in Juno
via Ic7ec87e4d497d9db58eec93f2b304fe9770a2bbc - with
the Placement service, we don't need the CoreFilter,
RamFilter or DiskFilter. Also, in general, we just
don't need to hard-code a list of scheduler filters
when using the fake virt driver. If one needs to set
their own scheduler filter list, they can do so using
the $FILTERS variable (or post-config for nova.conf).
3. The largeops job, which ran the Tempest scenario tests,
has been gone for a few years now, as have the Tempest
scenario tests, so the API_WORKERS modification when
using the fake virt driver should be removed. If we had
a CI job like the largeops job today, we would set the
worker config via the job rather than in devstack.
Change-Id: I8d2bb2af40b5db8a555482a0852b1604aec29f15
We use $API_WORKERS to throttle the number of workers
in other services but were not doing it for g-reg for
some reason, which by default will run ncpu workers
up to a limit of 8.
Change-Id: Idc81ce05546e6d625c10e2229256eafbe7c057a5
Closes-Bug: #1774781
openvswitch firewall has been in Neutron tree since Newton and has gone
through lots of improvements since including simple upgrade path from
the iptables hybrid driver.
We have a tempest job running in Neutron tree with openvswitch firewall
that's been voting and stable for a while. For neutron_tempest_plugin,
we have had the openvswitch firewall in use since the beginning.
This patch proposes openvswitch firewall driver to become a default
driver for openvswitch agent deployments.
Change-Id: If26d0180e459210511f25f1faa83dd8ccea25ff4
Change 12579c3db7 moved console-related
settings from the global nova.conf to the per cell nova_cellN.conf
because of a recent change in nova that moved console token
authorizations from the nova-consoleauth service backend to the
database backend and thus changed the deployment layout requirements
from global console proxies to per cell console proxies.
The change erroneously also removed console configuration settings from
the nova-compute config file nova-cpu.conf because the nova-cpu.conf
begins as a copy of the global nova.conf.
This adds configuration of console proxies to the nova-cpu.conf in the
start_nova_compute routine. The settings have also been split up to
clarify which settings are used by the console proxy and which settings
are used by nova-compute.
Closes-Bug: #1770143
Change-Id: I2a98795674183e2c05c29e15a3a3bad1a22c0891
Change 969239029d4a13956747e6e0b850d6c6ab4035f0 completed the
conversion of console token authorization storage from the
nova-consoleauth service to the database backend. With this change,
console proxies need to be configured on a per cell basis instead
of globally.
There was a devstack change 6645cf7a26
following it that re-enabled the novnc tempest tests, but the nova-next
job that runs the console proxies with TLS is *not* part of the normal
set of jobs that run on devstack changes (it's in the experimental
queue), so it was able to merge without the nova-next job passing.
This configures the nova console proxies in the per cell configuration
file if cells v2 is configured for multiple cells in order to pass the
nova-next job.
Closes-Bug: #1769286
Change-Id: Ic4fff4c59eda43dd1bc6e7b645b513b46b57c235
Nova has dropped support for non-resource class
baremetal scheduling, so the IRONIC_USE_RESOURCE_CLASSES
flag is no longer useful and has been removed.
Depends-On: https://review.openstack.org/565805/
Change-Id: Ib2e6c96409c98877f6a43b76f176c1420d2d415e
cinder does not yet support operations without project_id in the url.
The unversioned endpoint is not a usable endpoint for a user that
requests the block-storage service. Although it would be lovely to have
the block-storage service have the unversioned endpoint in the catalog,
we need to get project-id out of the urls first.
Change-Id: I4246708b6ea31496ba4d565ab422abc76f730ee7
Needed-By: https://review.openstack.org/564494
Once the nova patch series that converts from the nova-consoleauth
backend -> cell database backend lands, we can re-enable the novnc
tests in tempest.
Depends-On: If1b6e5f20d2ea82d94f5f0550f13189fc9bc16c4
Change-Id: I2939191a1c3ce49fa2104b4ffdf795fc416a1c33
Along with converting to the database backend for console token auth,
the console proxies need to run per cell instead of globally. This way,
the instance UUID isn't needed in the access url as users will be
handed an access url local to the cell their instances is in. With
console proxies sharded across cells, a large cloud will no longer have
a bottleneck of one console proxy for the entire deployment.
This also disables the novnc tempest tests with a TODO to re-enable
them once the nova patch series that converts from the nova-consoleauth
backend -> cell database backend lands.
Change-Id: I67894a31b887a93de26f3d2d8a1fa84be5b9ea89
With change I7e1e89cd66397883453935dcf7172d977bf82e84 the placement
service may optionally use its own database. In order for this to
work, however, the ordering of how both nova and placement are
configured and initialized in stack.sh requires careful control.
* nova.conf must be created first
* then placement must make some adjustments to it
* then lib/placement needs to create the placement database
* before nova does a database sync (of both databases)
Otherwise, when the placement_database/connection is defined, the nova
db_sync command will fail because the placement database does not yet
exist. If we try to do a sync before the nova_api database is created
_that_ sync will fail.
This patch adjusts the ordering and also removes a comment that will
no longer be true when I7e1e89cd66397883453935dcf7172d977bf82e84 is
merged.
Change-Id: Id5b5911c04d198fe7b94c7d827afeb5cdf43a076
This commit just makes sure that the configuration file for keystone
exists on the system. We use iniset to actually populate the values
we want before we run keystone anyway.
This results in a cleaner configuration file that isn't bloated with
comments and help text.
Change-Id: I7a1f879e9e242a11e2c4663ec116e33da28db7f5
This commit applies the constraints for the tempest plugin installation
so they won't go over the upper reqs.
Closes-Bug: 1763436
Change-Id: I5cf91157bbdae79dec01d5b3db32efea21f1b2b7
In Tumbleweed genisoimage was dropped in favor of cdrtools,
so installing that no longer works. We can however install
mkisofs directly and switch to that as that is also available
in Leap 42.3 and Leap 15.0+ family distros.
Also drop dependency on libmysqlclient-devel which appears
unnecessary (and is no longer available with mariadb 10.2+)
Change-Id: Ie8402204b6cdf94c21865caba116d3fd1298c5ad
There is currently a OVS 2.9.0 update in Tumbleweed that
fails to start as it is having a race with systemd on creating
the home directory. Workaround is to run it as root for now.
Change-Id: Ief610c6473834b02a1d644d8f50d11138a48e6e6
In Queens and later, the application credentials feature is available on
keystone and enabled by default. It should be tested in devstack.
Depends-on: https://review.openstack.org/545627
Change-Id: I4b0dc823487e79df16e1e603012ba4a7dc438389
The [placement]/os_region_name config option is deprecated
and no longer required to be set (the default is fine for
devstack) with the dependent nova change.
Depends-On: I973180d6a384b32838ab61d4e6aaf73c255fd116
Change-Id: I6379acf179ed511f1cdadbd7fb09e2454182a5d3
Fix a few path issues where we didn't properly use NOVA_BIN_DIR /
SWIFT_BIN_DIR.
This is part of the effort to start using a virtualenv for openstack
services.
Change-Id: I6eb383db65cc902c67c43e5cb1a16a9716a914b2
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
When nova-manage db sync runs on cell1 in superconductor
mode, the [api_database]/connection config option isn't
set in the config file on purpose so the cell can't
reach the API database.
As a result, the db sync on the cell config can't hit
the API DB to sync cell0, which is not something we need
here anyway, but it results in an error message.
This tells the cell config db sync to just run it on the
cell database and not try to sync cell0.
Change-Id: Iac092762decd6de9e90e264f2998d255e8e40d00