Based on the agreed steps to implement the SRBAC community goal, this
enables the new policy defaults and scope checks by default.
Change-Id: I315893150549d1174c3270c37c031e6a519f9a28
This is a prep work to enforce new default policy rules and scope
checking, and allows users to enable/disable the enforcement by setting
the single knob.
Change-Id: I8248f825a90b50fe874224c7ee06a1de299f1feb
Since we bumped Fedora version used in CI from 36 to 37, we've
seen timeout during boot process more frequently, which results
in job failure. This increases core and ram assigned to Fedora
VMs, to reduce failure rate.
To avoid consuming too much resources, this limits concurrency
of test runner.
Change-Id: I12e8ee0861629fd42a6bd03ec8705751da12ff61
Fedora 36 is already EOLed so we should use more recent version.
Because guest enters to emergency shell when Fedora 38 (latest at
the time of writing) is used, we select Fedora 37 for now.
Change-Id: Ie0876080c771fb124d4dd36f803fbfd3b108e240
This introduces non-voting CentOS 9 Stream functional jobs, to restore
some tests which were disabled because of the known libvirt bug. Though
the bug also affects CentOS 9 Stream, we observe much low failure rate
in CentOS 9 Stream so we can restore these test cases in CentOS 9
Stream. The job is kept non-voting until it is proven to be stable
after a while.
Change-Id: I37211aa941be1892ad0ddf0694a758972a0aebba
Some test have been unstable in Ubuntu Jammy because of the known
libvirt bug, and we have disabled these in functional jobs.
Let's disable the test case in grenade jobs, because these test cases
now cause frequent job failures.
Related-Bug: #1998274
Change-Id: I7038ce3ec2840b133e9ae5eb09a96dc8a5f3abc2
This test is very frequently failing now. The test case creates a stack
with an instance but the stack can't be deleted within timeout because
of the known libvirt bug in Ubuntu Jammy. Because the release deadline
is already over, we'll disable this test so that we can merge some
changes now. We'll revisit this (and the other test cases we disabled)
later.
Related-Bug: #1998274
Story: 2010631
Task: 47589
Change-Id: I87c4b1e7a911fd78e327393b1af200667e89c999
Heat upgrade script set the env var TOX_CONSTRAINTS_FILE/UPPER_CONSTRAINTS_FILE
which are used to use the constraints during Tempest virtual env
installation. Those env var are set to non-master constraint when
we need to use non-master constraints but when we need to use the
master constraints we do not set/reset them point to master constraints.
This create the issue when this grenade script install the tempest with
stable constraints but with master Tempest and as there is mismatch of
constraints now with fasteners of stable branches. Below is failure
of heat greande job on stable/yoga
- https://zuul.opendev.org/t/openstack/build/3aaec4d59bb84068bb4d4428ea747cbd/log/controller/logs/grenade.sh_log.txt#3245
Similar way, role should set stable constraints only for the stable EM branch
not for all otherwise it fail when constraints/requirements are bumped.
- https://zuul.opendev.org/t/openstack/build/74f86b8097f44c35acaffdcfe41d9693
We should set/reset those constraint env var to master constraints if configuration
tell to use the master constraints.
Closes-Bug: #2003993
Change-Id: I024cd134577338fc1075e7742df7f006dc914646
This test case is frequently failing because of a known libvirt issue
in Ubuntu Jammy. We already disabled one functional test case, but will
disable this test case as well, to reduce failure rate of CI runs and
unblock gate.
The existing skip for a different test case[1] is re-implemented using
the proper configuration knob.
This also fixes tox.ini to adapt to new tox 4.0.
- Update how passenv is defined because space-separated list is no
longer allowed. Also the values are not case sensitive.
- skipdist=True breaks installation so is removed.
[1] https://review.opendev.org/c/openstack/heat/+/866545
Co-Authored-By: Rabi Mishra <ramishra@redhat.com>
Related-Bug: #1998274
Story: 2010487
Task: 47056
Change-Id: I915dc83ccde6b6b8497642857292f9974fd84e98
stestr has removed whitelist / blacklist. This change updates the
devstack upgrade tests to ensure we use the new include-list instead.
9ffeb470fb
Change-Id: Ia0df9b3468fee9382c42c8bd6a35b76ed7f2b4e5
As a followup for change I6a8cffdc86c895eebe4269c5cd37841325566c54
let's use branch specific upper constraints when running tests in
grenade.
Change-Id: I71f8398b6aa57b7c1910750b8e048825383e3d9a
When tls-proxy is enabled, devstack enables SSL for the core services
(Cinder, Glance, Keystone, Nova, Neutron and Swift). This change
ensures that the ca_file parameter is properly defined in clients_*
section for these options, so that requests to these services pick up
the CA certificate.
Change-Id: Ib6278d95d1ce31dc86aa8784a621227e17dc0fe7
The is_ssl_enabled_service function is kept for backword compatibility,
and now returns the same value as `is_service_enabled tls-proxy`
since [1] was merged.
[1] f3b2f4c85307b14f115a020f5eaf6c92026b55b4
Change-Id: I5a3311121e56a7cfaefb73be39d3f60809bafb06
OpenDev infra only keep around the latest two Fedora releases in their
mirrors. Probe for the image from the local test mirror, but if not
found, fallback to upstream. This will be much less reliable, but can
avoid gate breakage until new images can be used.
Also, use endpoint_type when creating keystoneclient
Keystone admin endpoint has been removed from devstack with[1].
This would use the public endpoint by default.
Change-Id: I96ab14871ee8c5d5b83cc0cd4abc840ef0218ca8
Fedora 31 was retired and the image is gone from mirrors.
heat-cfntools have been dropped from fedora images, disable
the test till that's resolved.
Also makes grenade job non-voting, till this is backported
to stable/victoria.
Change-Id: Id869f83a46454897c2fe7a532eebfa2863befe5e
This function has been deprecated for a long time, let's finally
remove it. It is only generating a warning anyway.
Change-Id: I0f69076ef7c288c113f4e7739c7e12fcfb11d91d
Ceilometer uses gnocchi as the default backend. Also we use
gnocchi based aodh alarms in tests.
gnocchi seems unmaintained with last commit a year or so ago and
does not look like the openstack telemetry team is involved in
that project.
It's better to disable the services and tests in heat to avoid
broken gate like last time, where we fixed it by banning latest
pecan release[1] that does not work with python-gnocchiclient.
[1] https://review.opendev.org/#/c/746261/
Change-Id: Id2ffdf6b9d342e800bab4a94ec46742228361ee8
It conforms with API_WORKERS default calculation to avoid too much
processes consuming the memory.
Change-Id: If2b483711668715047662a286cb0f0e3b52bbdac
Signed-off-by: Cédric Ollivier <ollivier.cedric@gmail.com>
Fedora-Cloud-Base-29-1.2.x86_64 is removed from openstack local mirror.
Update to use Fedora-Cloud-Base-30-1.2.x86_64 for test jobs.
Change-Id: Id3026a115e3a044b3dc00030fd6d82549dc189b6
It's not enabled by default[1] in devstack, is
deprecated and not needed for glance v2.
[1] https://review.opendev.org/#/c/702709/
Change-Id: I01514d8639e7604cca9846e05904ebe062393550
Something are introduced in this patch:
* As devstack-gate/devstack-vm-gate-wrap.sh is not really zuul v3
native, we move all configs in to `devstack/lib/heat` and .zuul.yaml.
* Remove extra configs process in devstack. Like setup tempest(which
is well covered by tempest itself.) or overlapping heat test configs setup.
Use tempest config for all heat_integration tests. Also remove
heat_integrationtests/common/configs since they're no longer required.
* copy post.yaml for grenade jobs. As we migrate to zuul v3 for
functional tests but not grenade (not yet), the post.yaml should exists
under grenade dir. since it's only required by grenade jobs.
* Use post.yaml in functional tests for cleanup test environments.
Story: #2007056
Task: #37908
Depends-On: https://review.opendev.org/701105
Change-Id: I4f531161a7222e2c2a21f8d483f9c2a1d91dc38d
We don't need admin or internal endpoints in a normal devstack setup,
other basic projects are also only creating the public endpoint now.
Change-Id: I9bd6007509214c7a7ed7f7f4e391b609da4408a5
devstack already clones the source from the repo/ref provided to
enable_plugin function.
Having to re-clone heat effectively requires to also set HEAT_BRANCH
separately which is unnecessary repetition and make it less obvious
how to deploy Devstack+Heat from stable branches locally w/o Zuul Cloner
with RECLONE=true.
Change-Id: I91b5048efa4606e86094e0a458e320216f66ce3e
Our cgit instance will be going away and opendev.org is the new
preferred URL for browsing our git repos. Redirects will exist for the
foreseeable future, but it's more efficient to just go directly to the
new locations.
Change-Id: Ic5fa1a8436f57836ad37b752a0cca1cd4f3a21a7
Setting RUN_HEAT_INTEGRATION_TESTS=False disables the Heat
integration tests which are normally executed by Grenade
after the deployment of the base environment and after the upgrade.
This is useful when Heat is used in a Grenade job of another
component, where the focus of the testing is not Heat itself,
thus shortening the run-time of the overall Grenade job.
The default behavior is unchanged.
Change-Id: I47b258fecd45ebc08c82df179625bcfb57a32894
Tempest's service_availability config option includes all the service
availability which is further used by tests to take decision of skip
or run the test.
For example, [service_availability].heat is true then, heat test will run
or if [service_availability].heat is false then, all the heat related tests either
in heat tempest plugin or any other plugins will be skipped.
Currently this setting for heat service[1] is in devstack lib/tempest
which is being removed by - https://review.openstack.org/#/c/619973/
For better maintenance, we are moving all tempest non-owned service setting
to service devstack plugin side.
This commit add the setting of heat service on ceilometer devstack plugin.
Related-Bug: #1743688
[1] d6b253502a/heat_tempest_plugin/config.py (L15)
Depends-On: https://review.openstack.org/#/c/619990/
Change-Id: I5013ce8be1a4fb5219ea89a63add812558191025
Needed-By: https://review.openstack.org/#/c/619973/
We are updating all Python projects to publish artifacts to PyPI. The
name "heat" is already taken there by another project, and they have
rejected our request to claim the name. We therefore need to change the
dist name used to package heat. We have some other projects publishing
using an "openstack-" prefix, so I propose using the name
"openstack-heat". This will not change the imports or anything else
about how the code works, just how it is packaged.
Add a grenade plugin for upgrading between the packages with different
names so that we can clean up the old version of the code and avoid
discovering the heat plugins multiple times in different locations.
Change-Id: I59b55cffd9e648f842eb286b936f09c5b55a76db
Signed-off-by: Doug Hellmann <doug@doughellmann.com>
This patch defines the specified set of tests & runs these during
upgrade in grenade-multinode job.
Change-Id: I99fa1717f4bf46afc8dd989a3aae129e5c4ab9d7
* Change transport_url to test Heat's upgrade strategy [1] in gate.
[1] https://review.openstack.org/475853/
Change-Id: I08770d2ae09891d7983345616186cff7c26df4ce
We won't have policy.json file by default anymore, so we don't need
this `cp` command.
Implements: bp policy-in-code
Change-Id: I84c99e38c34dc41cc33126291563ea90038ce107
Add cloudformation and cloudwatch policy in code rules.
Remove policy.json. We don't keep any default policy rules in
policy.json from now. Still they can create policy.json file and
add any rules they try to override.
Partially-Implements: bp policy-in-code
Change-Id: I610115dc1974b2182ce673bb086a1da15b022de3