Glance has enabled the scope checks and new defaults in
antelope release and now devstack is switching the testing
to new defaults by default (depends-on). With that all the
jobs will run the the new defaults.
As old defaults are still supported (as deprecated), we should
test those at least in a single integrated job. Enable the old
defaults in glance-multistore-cinder-import job.
Keeping existing job enabling the new defaults because other services
have not switched to new defaults yet to this job enable new defaults
for those service and test Glance against that.
Depends-On: https://review.opendev.org/c/openstack/devstack/+/883601/
Change-Id: I470e3b8c1106d88e85343508a8e5891c88861c98
zuul.yaml file contain many jobs definition and base class.
Any change in this file can impact other job definition. Also,
many times we want to test the full integrated gate if this
file is changed or if depends-on is changing some global setting,
for example: https://review.opendev.org/c/openstack/glance/+/883602/1
Change-Id: I14abd88944407da17ca81b77c079262565ff71c6
Based on the python runtimes for 2023.2 [0], we should be running
functional jobs on python 3.9 and python 3.10. This patch adds
functional testenvs for python 3.10 and 3.11 (the latter for local
testing) to tox.ini so the appropriate zuul jobs can be defined.
The functional-py38 testenv is not removed from tox.ini, as it may
be useful locally.
Functional py39 and py310 jobs are added to the check and the gate.
The current openstack-functional-py38-fips job is not removed; a
py39 job has not yet been defined to replace it [1].
[0] https://governance.openstack.org/tc/reference/runtimes/2023.2.html
[1] b3cad4f7a3/zuul.d/jobs.yaml
Change-Id: Ibc21b107878f5ba50137da4082a7cbc6342d2aa9
Tempest change [1] has broken glance srbac tempest tests, so
in order to unblock the gate we need to turn the job non-voting and
once we fix those tests we will re-enable the same.
[1] https://review.opendev.org/c/openstack/tempest/+/871018
Change-Id: Ibbfd8904b3a87b870ed8cde26245176c5b8e74aa
Since openstack release naming conventions has changed, current test
which check data migration version will not work as expected and same
is also blocking our gate. Removing this job and test to unblock the
gate.
NOTE: Going forward glance PTL/team needs to change the database
migration version without fail at the start of release cycle.
Change-Id: Idcb12a6c450d4ce4ee859e6e1f02fb71adf8c1d5
This is an automatically generated patch to ensure unit testing
is in place for all the of the tested runtimes for antelope. Also,
updating the template name to generic one.
See also the PTI in governance [1].
[1]: https://governance.openstack.org/tc/reference/project-testing-interface.html
Change-Id: I9c3e19cf1a2c74381395d49ee3d792bbd92b603a
The ecdsa usage for ssh is supposed to be the default right now.
Also, a new role paramter nslookup_target is required for the fips role
Depends-On: https://review.opendev.org/c/openstack/openstack-zuul-jobs/+/847193
Change-Id: I795c751edd1403d23aa1de5cda194aada80d05b2
This reverts commit d7fa7a0321ea5a56ec130aa0bd346749459ccaf2.
Reason for revert: This is no longer needed as the devstack patch is merged to fix this issue https://review.opendev.org/c/openstack/devstack/+/841804
Change-Id: I214c9a6017f66d3eb6589496726e8c8f895d56aa
In Zed cycle, we have dropped the python 3.6/3.7[1] testing
and its support. Moving the py36 job to py38 based as well as
updating the python classifier also to reflect the same.
openstack-tox-functional-py36-fips job is left which can be moved
to py38|py39 based once that job is defined in openatck-zuul-jobs
repo.
openstack-tox-functional-py36-fips job will be migrated to py38 or py39
in followup patch as that need openstack-zuul-config changes too.
[1] https://governance.openstack.org/tc/reference/runtimes/zed.html
Change-Id: Id0813d9dc553dd424732079039349b42f6f3201b
This reverts commit 025ba83c470fd58425273ad10975a1eb3d095452.
Reason for revert: This is no longer needed as the devstack patch is merged to fix this issue https://review.opendev.org/c/openstack/devstack/+/841804
Change-Id: Ie72a2531172208e32626ad2060737257663eba46
Some projects like cinder have dropped support for Python 3.6 and are
no longer compatible with CentOS Stream 8 which uses Python 3.6 as
the default runtime.
Change-Id: I48f88c188f830f61c03ec5570cd95731636a0396
With change[1], we moved glance cinder jobs parent from
tempest-integrated-storage-import to regular
tempest-integrated-storage job but this job also has
import workflow enabled[2].
In this patch we are overriding GLANCE_USE_IMPORT_WORKFLOW
to False in cinder jobs to ensure that import workflow
is disabled in those jobs.
Also removing -import from job names since it's not using
import plugin anymore.
[1] https://review.opendev.org/c/openstack/glance/+/841548
[2] https://opendev.org/openstack/tempest/src/branch/master/zuul.d/integrated-gate.yaml#L195
Related-Bug: #1973136
Change-Id: I2775e007f942feed8fa6ae5e385c03992859edc1
Recently, glance-multistore-cinder-import job started failing.
As per the RCA done here[1], the reason is glance is using
import workflow to create images which is an async operation.
As in case of glance cinder configuration, there are a lot of
external APIs (cinder) called like volume create, attachment
create, attachment update, attachment delete etc which takes
time to process hence the image doesn't get available in the
expected time (as per devstack) hence the failure.
Disabling import workflow will cause the images to be created
synchronously which should pass the glance cinder jobs.
To disable import workflow, we are inheriting from
tempest-integrated-storage and not
tempest-integrated-storage-import (which has import plugin enabled).
[1] https://review.opendev.org/c/openstack/glance/+/841278/1#message-456096e48b28e5b866deb8bf53e9258ee08219a0
Closes-Bug: 1973136
Change-Id: I524dfeb05c078773aa77020d4a6a9991a7eb75c2
Temporarily make the FIPS job non-voting till we figure out why
its failing. Restore the non-fips version of the cinder job so
we keep the coverage.
Change-Id: I1a9dbd087cca52798f0d01c62ebb47e37f52d87a
Some jobs have been modified to run to confirm that functionality is
still working when FIPS is enabled on the nodes.
As the FIPS tests currently run on centos nodes, code is added
to the test-setup script to set up the databases correctly. Also had
to increase the swap space on the nodes; see [0] for an explanation.
The current FIPS jobs run using python 3.6 on centos-8-stream. We will
modify these to run on centos-9-stream and python 3.9 in a
subsequent patch.
[0] https://review.opendev.org/c/openstack/devstack/+/803706
Change-Id: I060d8247c7b09f63990ea411e6c6a056bb50410d
This adds a new tox target called functional-py38-rbac which enables
the new secure RBAC policy defaults for all functional tests. To do
this, the functional tests needed a little bit of extra work to
actually set those, and a new non-voting job is added to run these
in CI.
Related to blueprint policy-refactor
Change-Id: Id376193521671bdb0ebc08ea8e563578bbaa541f
Provide some literature on what we introduced for operators in wallaby,
how they can configure it, and actions we recommend they take. Since
this marks the point at which we consider the feature implemented,
this also removes the legacy-rbac job and makes the secure-rbac job
voting.
Implements: blueprint secure-rbac
Change-Id: I8f980cf7731d26b92b5392fdada21e5be0f541c4
This commit updates glance's zuul configuration to tack on a job
dedicated to protecting API authroization. The tests for this job live
in glance-tempest-plugin and they currently test full support for
project-reader and project-admin against the images API.
Future changes will update the policies in glance to consume
system-scope and additional test coverage will be added to
glance-tempest-plugin. But, until that happens, having protection
testing as part of the check and gate jobs is vital to ensuring we don't
inadvertently expose sensitive information or APIs to users.
This level of testing will also be useful in the future if we decide to
refactor authorization logic out of various parts of glance and into a
consistent layer.
Depends-On: https://review.opendev.org/c/openstack/glance-tempest-plugin/+/775742
Change-Id: Iddee8144fb21b7ac2dec4e7fbc62c132c186fa89
This enables the g-api-r service in devstack, which allows tempest
to run the remote import test, causing it to stage and import an
image across two different workers. Note we disable it for the
standalone mode, since devstack does not support starting another
standalone glance.
Depends-On: https://review.opendev.org/c/openstack/devstack/+/770487
Depends-On: https://review.opendev.org/c/openstack/tempest/+/770520
Change-Id: Ica715fc1922f4b36dd0bb008ef6706b86115ec05
Devstack is switching the default glance operational model back to pure-WSGI
mode for parity with the rest of the services. This adjusts our jobs to fit
with that so that we're testing the default, but also the standalone case.
After this change, we end up with the following for the vanilla devstack
jobs:
- The "-import" job, which takes the devstack default of WSGI mode,
with all the tweaks required for import to be enabled. It configures
import conversion to raw, metadata injection, and confirms that with a
post-run check for that metadata.
- The "-import-standalone" job, which inherits all the behaviors from
the job above, but configures glance in standalone mode.
Depends-On: https://review.opendev.org/#/c/742884
Change-Id: Ia3fb8aba83bbd7a1399aef136ce8857b14d08435
Nova has a job where both nova and glance are configured for multistore
ceph, and where the image gets automatically copied from the file to
rbd stores on first use. Run that on glance to get the coverage for
it as well.
Change-Id: I9c734fabaabe78ea8f7e77d0aa2112ebe867ecb6
This enables image conversion on the import-workflow job so that we at
least run those code paths somewhere in CI.
Change-Id: Ie4a9171f002b42a13c1786268057bdc0ab3804d0
The old job name is still available as an alias for a while,
but it is time to switch away from it.
Change-Id: I8083c097516c14274ddb29d1696e25b90c01271e