Merge "Remove unnecessary unset for project-scoped token in glance"
diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst
index b4fff4f..dd8f21f 100644
--- a/doc/source/configuration.rst
+++ b/doc/source/configuration.rst
@@ -684,17 +684,6 @@
KEYSTONE_REGION_NAME has a default value the same as REGION_NAME thus we omit
it in the configuration of RegionOne.
-Disabling Identity API v2
-+++++++++++++++++++++++++
-
-The Identity API v2 is deprecated as of Mitaka and it is recommended to only
-use the v3 API. It is possible to setup keystone without v2 API, by doing:
-
-::
-
- ENABLE_IDENTITY_V2=False
-
-
Glance
++++++
diff --git a/functions-common b/functions-common
index 111d339..147e949 100644
--- a/functions-common
+++ b/functions-common
@@ -85,7 +85,7 @@
if [ -f "$SSL_BUNDLE_FILE" ]; then
CA_CERT_ARG="--os-cacert $SSL_BUNDLE_FILE"
fi
- # demo -> devstack
+ # devstack: user with the member role on demo project
$PYTHON $TOP_DIR/tools/update_clouds_yaml.py \
--file $CLOUDS_YAML \
--os-cloud devstack \
@@ -96,18 +96,7 @@
--os-password $ADMIN_PASSWORD \
--os-project-name demo
- # alt_demo -> devstack-alt
- $PYTHON $TOP_DIR/tools/update_clouds_yaml.py \
- --file $CLOUDS_YAML \
- --os-cloud devstack-alt \
- --os-region-name $REGION_NAME \
- $CA_CERT_ARG \
- --os-auth-url $KEYSTONE_SERVICE_URI \
- --os-username alt_demo \
- --os-password $ADMIN_PASSWORD \
- --os-project-name alt_demo
-
- # admin -> devstack-admin
+ # devstack-admin: user with the admin role on the admin project
$PYTHON $TOP_DIR/tools/update_clouds_yaml.py \
--file $CLOUDS_YAML \
--os-cloud devstack-admin \
@@ -118,7 +107,51 @@
--os-password $ADMIN_PASSWORD \
--os-project-name admin
- # admin with a system-scoped token -> devstack-system
+ # devstack-alt: user with the member role on alt_demo project
+ $PYTHON $TOP_DIR/tools/update_clouds_yaml.py \
+ --file $CLOUDS_YAML \
+ --os-cloud devstack-alt \
+ --os-region-name $REGION_NAME \
+ $CA_CERT_ARG \
+ --os-auth-url $KEYSTONE_SERVICE_URI \
+ --os-username alt_demo \
+ --os-password $ADMIN_PASSWORD \
+ --os-project-name alt_demo
+
+ # devstack-alt-member: user with the member role on alt_demo project
+ $PYTHON $TOP_DIR/tools/update_clouds_yaml.py \
+ --file $CLOUDS_YAML \
+ --os-cloud devstack-alt-member \
+ --os-region-name $REGION_NAME \
+ $CA_CERT_ARG \
+ --os-auth-url $KEYSTONE_SERVICE_URI \
+ --os-username alt_demo_member \
+ --os-password $ADMIN_PASSWORD \
+ --os-project-name alt_demo
+
+ # devstack-alt-reader: user with the reader role on alt_demo project
+ $PYTHON $TOP_DIR/tools/update_clouds_yaml.py \
+ --file $CLOUDS_YAML \
+ --os-cloud devstack-alt-reader \
+ --os-region-name $REGION_NAME \
+ $CA_CERT_ARG \
+ --os-auth-url $KEYSTONE_SERVICE_URI \
+ --os-username alt_demo_reader \
+ --os-password $ADMIN_PASSWORD \
+ --os-project-name alt_demo
+
+ # devstack-reader: user with the reader role on demo project
+ $PYTHON $TOP_DIR/tools/update_clouds_yaml.py \
+ --file $CLOUDS_YAML \
+ --os-cloud devstack-reader \
+ --os-region-name $REGION_NAME \
+ $CA_CERT_ARG \
+ --os-auth-url $KEYSTONE_SERVICE_URI \
+ --os-username demo_reader \
+ --os-password $ADMIN_PASSWORD \
+ --os-project-name demo
+
+ # devstack-system-admin: user with the admin role on the system
$PYTHON $TOP_DIR/tools/update_clouds_yaml.py \
--file $CLOUDS_YAML \
--os-cloud devstack-system-admin \
@@ -129,7 +162,7 @@
--os-password $ADMIN_PASSWORD \
--os-system-scope all
- # system member
+ # devstack-system-member: user with the member role on the system
$PYTHON $TOP_DIR/tools/update_clouds_yaml.py \
--file $CLOUDS_YAML \
--os-cloud devstack-system-member \
@@ -140,7 +173,7 @@
--os-password $ADMIN_PASSWORD \
--os-system-scope all
- # system reader
+ # devstack-system-reader: user with the reader role on the system
$PYTHON $TOP_DIR/tools/update_clouds_yaml.py \
--file $CLOUDS_YAML \
--os-cloud devstack-system-reader \
@@ -569,7 +602,7 @@
if [[ "$ERROR_ON_CLONE" = "True" ]]; then
echo "The $git_dest project was not found; if this is a gate job, add"
echo "the project to 'required-projects' in the job definition."
- die $LINENO "Cloning not allowed in this configuration"
+ die $LINENO "ERROR_ON_CLONE is set to True so cloning not allowed in this configuration"
fi
git_timed clone $git_clone_flags $git_remote $git_dest
fi
@@ -581,7 +614,7 @@
if [[ "$ERROR_ON_CLONE" = "True" ]]; then
echo "The $git_dest project was not found; if this is a gate job, add"
echo "the project to the \$PROJECTS variable in the job definition."
- die $LINENO "Cloning not allowed in this configuration"
+ die $LINENO "ERROR_ON_CLONE is set to True so cloning not allowed in this configuration"
fi
# '--branch' can also take tags
git_timed clone $git_clone_flags $git_remote $git_dest --branch $git_ref
diff --git a/lib/keystone b/lib/keystone
index 065ca70..aebc7de 100644
--- a/lib/keystone
+++ b/lib/keystone
@@ -9,7 +9,6 @@
# - ``tls`` file
# - ``DEST``, ``STACK_USER``
# - ``FILES``
-# - ``IDENTITY_API_VERSION``
# - ``BASE_SQL_CONN``
# - ``SERVICE_HOST``, ``SERVICE_PROTOCOL``
# - ``S3_SERVICE_PORT`` (template backend only)
@@ -214,14 +213,11 @@
service_port=$KEYSTONE_SERVICE_PORT_INT
fi
- # Override the endpoints advertised by keystone (the public_endpoint and
- # admin_endpoint) so that clients use the correct endpoint. By default, the
- # keystone server uses the public_port and admin_port which isn't going to
- # work when you want to use a different port (in the case of proxy), or you
- # don't want the port (in the case of putting keystone on a path in
- # apache).
+ # Override the endpoints advertised by keystone so that clients use the correct
+ # endpoint. By default, the keystone server uses the public_port which isn't
+ # going to work when you want to use a different port (in the case of proxy),
+ # or you don't want the port (in the case of putting keystone on a path in apache).
iniset $KEYSTONE_CONF DEFAULT public_endpoint $KEYSTONE_SERVICE_URI
- iniset $KEYSTONE_CONF DEFAULT admin_endpoint $KEYSTONE_SERVICE_URI
if [[ "$KEYSTONE_TOKEN_FORMAT" != "" ]]; then
iniset $KEYSTONE_CONF token provider $KEYSTONE_TOKEN_FORMAT
@@ -346,19 +342,39 @@
async_run ks-demo-another get_or_add_user_project_role $another_role $demo_user $demo_project
async_run ks-demo-invis get_or_add_user_project_role $member_role $demo_user $invis_project
- # alt_demo
+ # Create a user to act as a reader on project demo
+ local demo_reader
+ demo_reader=$(get_or_create_user "demo_reader" \
+ "$ADMIN_PASSWORD" "default" "demo_reader@example.com")
+
+ async_run ks-demo-reader get_or_add_user_project_role $reader_role $demo_reader $demo_project
+
+ # Create a different project called alt_demo
local alt_demo_project
alt_demo_project=$(get_or_create_project "alt_demo" default)
+ # Create a user to act as member, admin and anotherrole on project alt_demo
local alt_demo_user
alt_demo_user=$(get_or_create_user "alt_demo" \
"$ADMIN_PASSWORD" "default" "alt_demo@example.com")
async_run ks-alt-member get_or_add_user_project_role $member_role $alt_demo_user $alt_demo_project
- async_run ks-alt-admin get_or_add_user_project_role $admin_role $admin_user $alt_demo_project
+ async_run ks-alt-admin get_or_add_user_project_role $admin_role $alt_demo_user $alt_demo_project
async_run ks-alt-another get_or_add_user_project_role $another_role $alt_demo_user $alt_demo_project
- # Create two users, give one the member role on the system and the other
- # the reader role on the system. These two users model system-member and
+ # Create another user to act as a member on project alt_demo
+ local alt_demo_member
+ alt_demo_member=$(get_or_create_user "alt_demo_member" \
+ "$ADMIN_PASSWORD" "default" "alt_demo_member@example.com")
+ async_run ks-alt-member-user get_or_add_user_project_role $member_role $alt_demo_member $alt_demo_project
+
+ # Create another user to act as a reader on project alt_demo
+ local alt_demo_reader
+ alt_demo_reader=$(get_or_create_user "alt_demo_reader" \
+ "$ADMIN_PASSWORD" "default" "alt_demo_reader@example.com")
+ async_run ks-alt-reader-user get_or_add_user_project_role $reader_role $alt_demo_reader $alt_demo_project
+
+ # Create two users, give one the member role on the system and the other the
+ # reader role on the system. These two users model system-member and
# system-reader personas. The admin user already has the admin role on the
# system and we can re-use this user as a system-admin.
system_member_user=$(get_or_create_user "system_member" \
@@ -383,8 +399,8 @@
async_run ks-group-anotheralt get_or_add_group_project_role $another_role $non_admin_group $alt_demo_project
async_run ks-group-admin get_or_add_group_project_role $admin_role $admin_group $admin_project
- async_wait ks-demo-{member,admin,another,invis}
- async_wait ks-alt-{member,admin,another}
+ async_wait ks-demo-{member,admin,another,invis,reader}
+ async_wait ks-alt-{member,admin,another,member-user,reader-user}
async_wait ks-system-{member,reader}
async_wait ks-group-{memberdemo,anotherdemo,memberalt,anotheralt,admin}
@@ -540,7 +556,7 @@
# unencryted traffic at this point.
# If running in Apache, use the path rather than port.
- local service_uri=$auth_protocol://$KEYSTONE_SERVICE_HOST/identity/v$IDENTITY_API_VERSION/
+ local service_uri=$auth_protocol://$KEYSTONE_SERVICE_HOST/identity/v3/
if ! wait_for_service $SERVICE_TIMEOUT $service_uri; then
die $LINENO "keystone did not start"
@@ -569,7 +585,6 @@
# This function uses the following GLOBAL variables:
# - ``KEYSTONE_BIN_DIR``
# - ``ADMIN_PASSWORD``
-# - ``IDENTITY_API_VERSION``
# - ``REGION_NAME``
# - ``KEYSTONE_SERVICE_URI``
function bootstrap_keystone {
diff --git a/lib/neutron-legacy b/lib/neutron-legacy
index 704d2e8..a5a608d 100644
--- a/lib/neutron-legacy
+++ b/lib/neutron-legacy
@@ -277,7 +277,9 @@
source $TOP_DIR/lib/neutron_plugins/services/l3
# Additional Neutron service plugins
+source $TOP_DIR/lib/neutron_plugins/services/placement
source $TOP_DIR/lib/neutron_plugins/services/trunk
+source $TOP_DIR/lib/neutron_plugins/services/qos
# Use security group or not
if has_neutron_plugin_security_group; then
@@ -374,9 +376,19 @@
fi
# Configure Neutron's advanced services
+ if is_service_enabled q-placement neutron-placement; then
+ configure_placement_extension
+ fi
if is_service_enabled q-trunk neutron-trunk; then
configure_trunk_extension
fi
+ if is_service_enabled q-qos neutron-qos; then
+ configure_qos
+ if is_service_enabled q-l3 neutron-l3; then
+ configure_l3_agent_extension_fip_qos
+ configure_l3_agent_extension_gateway_ip_qos
+ fi
+ fi
iniset $NEUTRON_CONF DEFAULT api_workers "$API_WORKERS"
# devstack is not a tool for running uber scale OpenStack
@@ -1027,6 +1039,15 @@
test_with_retry "$testcmd" "server $ip didn't become ssh-able" $timeout_sec
}
+function plugin_agent_add_l2_agent_extension {
+ local l2_agent_extension=$1
+ if [[ -z "$L2_AGENT_EXTENSIONS" ]]; then
+ L2_AGENT_EXTENSIONS=$l2_agent_extension
+ elif [[ ! ,${L2_AGENT_EXTENSIONS}, =~ ,${l2_agent_extension}, ]]; then
+ L2_AGENT_EXTENSIONS+=",$l2_agent_extension"
+ fi
+}
+
# Restore xtrace
$_XTRACE_NEUTRON
diff --git a/lib/neutron_plugins/ml2 b/lib/neutron_plugins/ml2
index e1f868f..f00feac 100644
--- a/lib/neutron_plugins/ml2
+++ b/lib/neutron_plugins/ml2
@@ -156,5 +156,9 @@
return 0
}
+function configure_qos_ml2 {
+ neutron_ml2_extension_driver_add "qos"
+}
+
# Restore xtrace
$_XTRACE_NEUTRON_ML2
diff --git a/lib/neutron_plugins/ovn_agent b/lib/neutron_plugins/ovn_agent
index 1f737fb..3fc3828 100644
--- a/lib/neutron_plugins/ovn_agent
+++ b/lib/neutron_plugins/ovn_agent
@@ -119,7 +119,13 @@
OVS_DATADIR=$DATA_DIR/ovs
OVS_SYSCONFDIR=${OVS_SYSCONFDIR:-$OVS_PREFIX/etc/openvswitch}
-OVN_DATADIR=$DATA_DIR/ovn
+if [[ "$OVN_BUILD_FROM_SOURCE" == "True" ]]; then
+ OVN_DATADIR=$DATA_DIR/ovn
+else
+ # When using OVN from packages, the data dir for OVN DBs is
+ # /var/lib/ovn
+ OVN_DATADIR=/var/lib/ovn
+fi
OVN_SHAREDIR=$OVS_PREFIX/share/ovn
OVN_SCRIPTDIR=$OVN_SHAREDIR/scripts
OVN_RUNDIR=$OVS_PREFIX/var/run/ovn
@@ -561,14 +567,19 @@
# create new ones on each devstack run.
_disable_libvirt_apparmor
+ local mkdir_cmd="mkdir -p ${OVN_DATADIR}"
- mkdir -p $OVN_DATADIR
+ if [[ "$OVN_BUILD_FROM_SOURCE" == "False" ]]; then
+ mkdir_cmd="sudo ${mkdir_cmd}"
+ fi
+
+ $mkdir_cmd
mkdir -p $OVS_DATADIR
rm -f $OVS_DATADIR/*.db
rm -f $OVS_DATADIR/.*.db.~lock~
- rm -f $OVN_DATADIR/*.db
- rm -f $OVN_DATADIR/.*.db.~lock~
+ sudo rm -f $OVN_DATADIR/*.db
+ sudo rm -f $OVN_DATADIR/.*.db.~lock~
}
function _start_ovs {
diff --git a/lib/neutron_plugins/services/l3 b/lib/neutron_plugins/services/l3
index 98b96ac..72f7a32 100644
--- a/lib/neutron_plugins/services/l3
+++ b/lib/neutron_plugins/services/l3
@@ -427,3 +427,12 @@
EXT_LIST=$(openstack --os-cloud devstack-admin --os-region "$REGION_NAME" extension list --network -c Alias -f value)
[[ $EXT_LIST =~ $extension ]] && return 0
}
+
+function plugin_agent_add_l3_agent_extension {
+ local l3_agent_extension=$1
+ if [[ -z "$L3_AGENT_EXTENSIONS" ]]; then
+ L3_AGENT_EXTENSIONS=$l3_agent_extension
+ elif [[ ! ,${L3_AGENT_EXTENSIONS}, =~ ,${l3_agent_extension}, ]]; then
+ L3_AGENT_EXTENSIONS+=",$l3_agent_extension"
+ fi
+}
diff --git a/lib/neutron_plugins/services/placement b/lib/neutron_plugins/services/placement
new file mode 100644
index 0000000..3ec185b
--- /dev/null
+++ b/lib/neutron_plugins/services/placement
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+function configure_placement_service_plugin {
+ neutron_service_plugin_class_add "placement"
+}
+
+function configure_placement_neutron {
+ iniset $NEUTRON_CONF placement auth_type "$NEUTRON_PLACEMENT_AUTH_TYPE"
+ iniset $NEUTRON_CONF placement auth_url "$KEYSTONE_SERVICE_URI"
+ iniset $NEUTRON_CONF placement username "$NEUTRON_PLACEMENT_USERNAME"
+ iniset $NEUTRON_CONF placement password "$SERVICE_PASSWORD"
+ iniset $NEUTRON_CONF placement user_domain_name "$SERVICE_DOMAIN_NAME"
+ iniset $NEUTRON_CONF placement project_name "$SERVICE_TENANT_NAME"
+ iniset $NEUTRON_CONF placement project_domain_name "$SERVICE_DOMAIN_NAME"
+ iniset $NEUTRON_CONF placement region_name "$REGION_NAME"
+}
+
+function configure_placement_extension {
+ configure_placement_service_plugin
+ configure_placement_neutron
+}
diff --git a/lib/neutron_plugins/services/qos b/lib/neutron_plugins/services/qos
new file mode 100644
index 0000000..af9eb3d
--- /dev/null
+++ b/lib/neutron_plugins/services/qos
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+function configure_qos_service_plugin {
+ neutron_service_plugin_class_add "qos"
+}
+
+
+function configure_qos_core_plugin {
+ configure_qos_$NEUTRON_CORE_PLUGIN
+}
+
+
+function configure_qos_l2_agent {
+ plugin_agent_add_l2_agent_extension "qos"
+}
+
+
+function configure_qos {
+ configure_qos_service_plugin
+ configure_qos_core_plugin
+ configure_qos_l2_agent
+}
+
+function configure_l3_agent_extension_fip_qos {
+ plugin_agent_add_l3_agent_extension "fip_qos"
+}
+
+function configure_l3_agent_extension_gateway_ip_qos {
+ plugin_agent_add_l3_agent_extension "gateway_ip_qos"
+}
diff --git a/openrc b/openrc
index beeaebe..6d488bb 100644
--- a/openrc
+++ b/openrc
@@ -74,7 +74,7 @@
fi
# Identity API version
-export OS_IDENTITY_API_VERSION=${IDENTITY_API_VERSION:-3}
+export OS_IDENTITY_API_VERSION=3
# Ask keystoneauth1 to use keystone
export OS_AUTH_TYPE=password
diff --git a/stack.sh b/stack.sh
index ead56e6..b5dc0ee 100755
--- a/stack.sh
+++ b/stack.sh
@@ -1069,7 +1069,7 @@
# Write a clouds.yaml file and use the devstack-admin cloud
write_clouds_yaml
-export OS_CLOUD=devstack-admin
+export OS_CLOUD=${OS_CLOUD:-devstack-admin}
if is_service_enabled keystone; then
echo_summary "Starting Keystone"
diff --git a/stackrc b/stackrc
index ebe472c..62749a7 100755
--- a/stackrc
+++ b/stackrc
@@ -175,21 +175,9 @@
export PS4='+ $(short_source): '
fi
-# Configure Identity API version: 2.0, 3
-IDENTITY_API_VERSION=${IDENTITY_API_VERSION:-3}
-
-# Set the option ENABLE_IDENTITY_V2 to True. It defines whether the DevStack
-# deployment will be deploying the Identity v2 pipelines. If this option is set
-# to ``False``, DevStack will: i) disable Identity v2; ii) configure Tempest to
-# skip Identity v2 specific tests; and iii) configure Horizon to use Identity
-# v3. When this option is set to ``False``, the option IDENTITY_API_VERSION
-# will to be set to ``3`` in order to make DevStack register the Identity
-# endpoint as v3. This flag is experimental and will be used as basis to
-# identify the projects which still have issues to operate with Identity v3.
-ENABLE_IDENTITY_V2=$(trueorfalse False ENABLE_IDENTITY_V2)
-if [ "$ENABLE_IDENTITY_V2" == "False" ]; then
- IDENTITY_API_VERSION=3
-fi
+# Configure Identity API version
+# TODO(frickler): Drop this when plugins no longer need it
+IDENTITY_API_VERSION=3
# Enable use of Python virtual environments. Individual project use of
# venvs are controlled by the PROJECT_VENV array; every project with