Merge "Switch fedora-latest to use fedora-34"
diff --git a/.zuul.yaml b/.zuul.yaml
index 968d79f..8c275d8 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -1,3 +1,11 @@
+- pragma:
+ # NOTE(gtema): this is required for the changes in SDK feature/r1 branch to
+ # be using devstack
+ # TODO(gtema): delete this once r1 branch is merged into master
+ implied-branches:
+ - master
+ - feature/r1
+
- nodeset:
name: openstack-single-node
nodes:
@@ -328,6 +336,7 @@
/var/log/postgresql: logs
/var/log/mysql: logs
/var/log/libvirt: logs
+ /etc/libvirt: logs
/etc/sudoers: logs
/etc/sudoers.d: logs
'{{ stage_dir }}/iptables.txt': logs
@@ -722,11 +731,11 @@
irrelevant-files:
- ^.*\.rst$
- ^doc/.*$
- - neutron-grenade-multinode:
+ - neutron-ovs-grenade-multinode:
irrelevant-files:
- ^.*\.rst$
- ^doc/.*$
- - neutron-tempest-linuxbridge:
+ - neutron-linuxbridge-tempest:
irrelevant-files:
- ^.*\.rst$
- ^doc/.*$
@@ -759,11 +768,11 @@
- devstack-multinode
- devstack-unit-tests
- openstack-tox-bashate
- - neutron-grenade-multinode:
+ - neutron-ovs-grenade-multinode:
irrelevant-files:
- ^.*\.rst$
- ^doc/.*$
- - neutron-tempest-linuxbridge:
+ - neutron-linuxbridge-tempest:
irrelevant-files:
- ^.*\.rst$
- ^doc/.*$
@@ -816,11 +825,11 @@
irrelevant-files:
- ^.*\.rst$
- ^doc/.*$
- - neutron-tempest-dvr:
+ - neutron-ovs-tempest-dvr:
irrelevant-files:
- ^.*\.rst$
- ^doc/.*$
- - neutron-tempest-dvr-ha-multinode-full:
+ - neutron-ovs-tempest-dvr-ha-multinode-full:
irrelevant-files:
- ^.*\.rst$
- ^doc/.*$
diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst
index 2d0c894..6745614 100644
--- a/doc/source/configuration.rst
+++ b/doc/source/configuration.rst
@@ -689,6 +689,24 @@
ENABLE_IDENTITY_V2=False
+
+Glance
+++++++
+
+The default image size quota of 1GiB may be too small if larger images
+are to be used. Change the default at setup time with:
+
+::
+
+ GLANCE_LIMIT_IMAGE_SIZE_TOTAL=5000
+
+or at runtime via:
+
+::
+
+ openstack --os-cloud devstack-system-admin registered limit update \
+ --service glance --default-limit 5000 --region RegionOne image_size_total
+
.. _arch-configuration:
Architectures
diff --git a/doc/source/index.rst b/doc/source/index.rst
index 9f477ab..08ce4cb 100644
--- a/doc/source/index.rst
+++ b/doc/source/index.rst
@@ -63,7 +63,7 @@
.. code-block:: console
$ echo "stack ALL=(ALL) NOPASSWD: ALL" | sudo tee /etc/sudoers.d/stack
- $ sudo su - stack
+ $ sudo -u stack -i
Download DevStack
-----------------
diff --git a/functions-common b/functions-common
index 340da75..11679e4 100644
--- a/functions-common
+++ b/functions-common
@@ -1037,6 +1037,11 @@
return 1
}
+function is_ironic_enforce_scope {
+ is_service_enabled ironic && [[ "$IRONIC_ENFORCE_SCOPE" == "True" ]] && return 0
+ return 1
+}
+
# Package Functions
# =================
diff --git a/lib/cinder b/lib/cinder
index f6fd095..7f2f29f 100644
--- a/lib/cinder
+++ b/lib/cinder
@@ -144,6 +144,12 @@
# enable the cache for all cinder backends.
CINDER_CACHE_ENABLED_FOR_BACKENDS=${CINDER_CACHE_ENABLED_FOR_BACKENDS:-$CINDER_ENABLED_BACKENDS}
+# Flag to set the oslo_policy.enforce_scope. This is used to switch
+# the Volume API policies to start checking the scope of token. by default,
+# this flag is False.
+# For more detail: https://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo_policy.enforce_scope
+CINDER_ENFORCE_SCOPE=$(trueorfalse False CINDER_ENFORCE_SCOPE)
+
# Functions
# ---------
@@ -347,6 +353,11 @@
elif is_service_enabled etcd3; then
iniset $CINDER_CONF coordination backend_url "etcd3+http://${SERVICE_HOST}:$ETCD_PORT"
fi
+
+ if [[ "$CINDER_ENFORCE_SCOPE" == True ]] ; then
+ iniset $CINDER_CONF oslo_policy enforce_scope true
+ iniset $CINDER_CONF oslo_policy enforce_new_defaults true
+ fi
}
# create_cinder_accounts() - Set up common required cinder accounts
diff --git a/lib/glance b/lib/glance
index e789aff..cd26d97 100644
--- a/lib/glance
+++ b/lib/glance
@@ -84,6 +84,13 @@
GLANCE_TASKS_DIR=${GLANCE_MULTISTORE_FILE_IMAGE_DIR:=$DATA_DIR/os_glance_tasks_store}
GLANCE_USE_IMPORT_WORKFLOW=$(trueorfalse False GLANCE_USE_IMPORT_WORKFLOW)
+GLANCE_ENABLE_QUOTAS=$(trueorfalse True GLANCE_ENABLE_QUOTAS)
+
+# Flag to set the oslo_policy.enforce_scope. This is used to switch
+# the Image API policies to start checking the scope of token. By Default,
+# this flag is False.
+# For more detail: https://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo_policy.enforce_scope
+GLANCE_ENFORCE_SCOPE=$(trueorfalse False GLANCE_ENFORCE_SCOPE)
GLANCE_CONF_DIR=${GLANCE_CONF_DIR:-/etc/glance}
GLANCE_METADEF_DIR=$GLANCE_CONF_DIR/metadefs
@@ -107,6 +114,10 @@
GLANCE_SERVICE_PROTOCOL=${GLANCE_SERVICE_PROTOCOL:-$SERVICE_PROTOCOL}
GLANCE_UWSGI=$GLANCE_BIN_DIR/glance-wsgi-api
GLANCE_UWSGI_CONF=$GLANCE_CONF_DIR/glance-uwsgi.ini
+
+# Glance default limit for Devstack
+GLANCE_LIMIT_IMAGE_SIZE_TOTAL=${GLANCE_LIMIT_IMAGE_SIZE_TOTAL:-1000}
+
# If wsgi mode is uwsgi run glance under uwsgi, else default to eventlet
# TODO(mtreinish): Remove the eventlet path here and in all the similar
# conditionals below after the Pike release
@@ -263,6 +274,45 @@
fi
}
+function configure_glance_quotas {
+
+ # NOTE(danms): We need to have some of the OS_ things unset in
+ # order to use system scope, which is required for creating these
+ # limits. This is a hack, but I dunno how else to get osc to use
+ # system scope.
+
+ bash -c "unset OS_USERNAME OS_TENANT_NAME OS_PROJECT_NAME;
+ openstack --os-cloud devstack-system-admin registered limit create \
+ --service glance --default-limit $GLANCE_LIMIT_IMAGE_SIZE_TOTAL \
+ --region $REGION_NAME image_size_total; \
+ openstack --os-cloud devstack-system-admin registered limit create \
+ --service glance --default-limit $GLANCE_LIMIT_IMAGE_SIZE_TOTAL \
+ --region $REGION_NAME image_stage_total; \
+ openstack --os-cloud devstack-system-admin registered limit create \
+ --service glance --default-limit 100 --region $REGION_NAME \
+ image_count_total; \
+ openstack --os-cloud devstack-system-admin registered limit create \
+ --service glance --default-limit 100 --region $REGION_NAME \
+ image_count_uploading"
+
+ # Tell glance to use these limits
+ iniset $GLANCE_API_CONF DEFAULT use_keystone_limits True
+
+ # Configure oslo_limit so it can talk to keystone
+ iniset $GLANCE_API_CONF oslo_limit user_domain_name $SERVICE_DOMAIN_NAME
+ iniset $GLANCE_API_CONF oslo_limit password $SERVICE_PASSWORD
+ iniset $GLANCE_API_CONF oslo_limit username glance
+ iniset $GLANCE_API_CONF oslo_limit auth_type password
+ iniset $GLANCE_API_CONF oslo_limit auth_url $KEYSTONE_SERVICE_URI
+ iniset $GLANCE_API_CONF oslo_limit system_scope "'all'"
+ iniset $GLANCE_API_CONF oslo_limit endpoint_id \
+ $(openstack endpoint list --service glance -f value -c ID)
+
+ # Allow the glance service user to read quotas
+ openstack role add --user glance --user-domain Default --system all \
+ reader
+}
+
# configure_glance() - Set config files, create data dirs, etc
function configure_glance {
sudo install -d -o $STACK_USER $GLANCE_CONF_DIR $GLANCE_METADEF_DIR
@@ -373,6 +423,12 @@
iniset $GLANCE_API_CONF DEFAULT bind_port $GLANCE_SERVICE_PORT_INT
iniset $GLANCE_API_CONF DEFAULT workers "$API_WORKERS"
fi
+
+ if [[ "$GLANCE_ENFORCE_SCOPE" == True ]] ; then
+ iniset $GLANCE_API_CONF oslo_policy enforce_scope true
+ iniset $GLANCE_API_CONF oslo_policy enforce_new_defaults true
+ iniset $GLANCE_API_CONF DEFAULT enforce_secure_rbac true
+ fi
}
# create_glance_accounts() - Set up common required glance accounts
@@ -403,6 +459,11 @@
service_domain_id=$(get_or_create_domain $SERVICE_DOMAIN_NAME)
iniset $GLANCE_SWIFT_STORE_CONF ref1 project_domain_id $service_domain_id
iniset $GLANCE_SWIFT_STORE_CONF ref1 user_domain_id $service_domain_id
+
+ if [[ "$GLANCE_ENABLE_QUOTAS" = True ]]; then
+ configure_glance_quotas
+ fi
+
fi
}
diff --git a/lib/keystone b/lib/keystone
index 66e867c..e282db0 100644
--- a/lib/keystone
+++ b/lib/keystone
@@ -134,6 +134,12 @@
# Cache settings
KEYSTONE_ENABLE_CACHE=${KEYSTONE_ENABLE_CACHE:-True}
+# Flag to set the oslo_policy.enforce_scope. This is used to switch
+# the Identity API policies to start checking the scope of token. By Default,
+# this flag is False.
+# For more detail: https://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo_policy.enforce_scope
+KEYSTONE_ENFORCE_SCOPE=$(trueorfalse False KEYSTONE_ENFORCE_SCOPE)
+
# Functions
# ---------
@@ -281,6 +287,11 @@
iniset $KEYSTONE_CONF security_compliance lockout_duration $KEYSTONE_LOCKOUT_DURATION
iniset $KEYSTONE_CONF security_compliance unique_last_password_count $KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT
fi
+ if [[ "$KEYSTONE_ENFORCE_SCOPE" == True ]] ; then
+ iniset $KEYSTONE_CONF oslo_policy enforce_scope true
+ iniset $KEYSTONE_CONF oslo_policy enforce_new_defaults true
+ iniset $KEYSTONE_CONF oslo_policy policy_file policy.yaml
+ fi
}
# create_keystone_accounts() - Sets up common required keystone accounts
diff --git a/lib/neutron_plugins/ovn_agent b/lib/neutron_plugins/ovn_agent
index 948fede..cfcb01e 100644
--- a/lib/neutron_plugins/ovn_agent
+++ b/lib/neutron_plugins/ovn_agent
@@ -262,48 +262,10 @@
ERROR_ON_CLONE=false git_clone $repo $dir $branch
}
-function get_ext_gw_interface {
- # Get ext_gw_interface depending on value of Q_USE_PUBLIC_VETH
- # This function is copied directly from the devstack neutron-legacy script
- if [[ "$Q_USE_PUBLIC_VETH" == "True" ]]; then
- echo $Q_PUBLIC_VETH_EX
- else
- # Disable in-band as we are going to use local port
- # to communicate with VMs
- sudo ovs-vsctl set Bridge $PUBLIC_BRIDGE \
- other_config:disable-in-band=true
- echo $PUBLIC_BRIDGE
- fi
-}
-
function create_public_bridge {
# Create the public bridge that OVN will use
- # This logic is based on the devstack neutron-legacy _neutron_configure_router_v4 and _v6
- local ext_gw_ifc
- ext_gw_ifc=$(get_ext_gw_interface)
-
- sudo ovs-vsctl --may-exist add-br $ext_gw_ifc -- set bridge $ext_gw_ifc protocols=OpenFlow13,OpenFlow15
- sudo ovs-vsctl set open . external-ids:ovn-bridge-mappings=$PHYSICAL_NETWORK:$ext_gw_ifc
- if [ -n "$FLOATING_RANGE" ]; then
- local cidr_len=${FLOATING_RANGE#*/}
- sudo ip addr replace $PUBLIC_NETWORK_GATEWAY/$cidr_len dev $ext_gw_ifc
- fi
-
- # Ensure IPv6 RAs are accepted on the interface with the default route.
- # This is needed for neutron-based devstack clouds to work in
- # IPv6-only clouds in the gate. Please do not remove this without
- # talking to folks in Infra. This fix is based on a devstack fix for
- # neutron L3 agent: https://review.openstack.org/#/c/359490/.
- default_route_dev=$(ip route | grep ^default | awk '{print $5}')
- sudo sysctl -w net.ipv6.conf.$default_route_dev.accept_ra=2
-
- sudo sysctl -w net.ipv6.conf.all.forwarding=1
- if [ -n "$IPV6_PUBLIC_RANGE" ]; then
- local ipv6_cidr_len=${IPV6_PUBLIC_RANGE#*/}
- sudo ip -6 addr replace $IPV6_PUBLIC_NETWORK_GATEWAY/$ipv6_cidr_len dev $ext_gw_ifc
- fi
-
- sudo ip link set $ext_gw_ifc up
+ sudo ovs-vsctl --may-exist add-br $PUBLIC_BRIDGE -- set bridge $PUBLIC_BRIDGE protocols=OpenFlow13,OpenFlow15
+ sudo ovs-vsctl set open . external-ids:ovn-bridge-mappings=$PHYSICAL_NETWORK:$PUBLIC_BRIDGE
}
function _disable_libvirt_apparmor {
diff --git a/lib/neutron_plugins/services/l3 b/lib/neutron_plugins/services/l3
index 5d339a0..b6bc028 100644
--- a/lib/neutron_plugins/services/l3
+++ b/lib/neutron_plugins/services/l3
@@ -343,8 +343,8 @@
# Configure the external network as the default router gateway
openstack --os-cloud devstack-admin --os-region "$REGION_NAME" router set --external-gateway $EXT_NET_ID $ROUTER_ID
- # This logic is specific to using the l3-agent for layer 3
- if is_service_enabled q-l3 || is_service_enabled neutron-l3; then
+ # This logic is specific to using OVN or the l3-agent for layer 3
+ if ([[ $Q_AGENT == "ovn" ]] && [[ "$OVN_L3_CREATE_PUBLIC_NETWORK" == "True" ]] && is_service_enabled q-svc neutron-server) || is_service_enabled q-l3 neutron-l3; then
# Configure and enable public bridge
local ext_gw_interface="none"
if is_neutron_ovs_base_plugin; then
@@ -393,7 +393,7 @@
fi
# This logic is specific to using OVN or the l3-agent for layer 3
- if ([[ $Q_AGENT == "ovn" ]] && is_service_enabled q-svc neutron-server) || is_service_enabled q-l3 neutron-l3; then
+ if ([[ $Q_AGENT == "ovn" ]] && [[ "$OVN_L3_CREATE_PUBLIC_NETWORK" == "True" ]] && is_service_enabled q-svc neutron-server) || is_service_enabled q-l3 neutron-l3; then
# if the Linux host considers itself to be a router then it will
# ignore all router advertisements
# Ensure IPv6 RAs are accepted on interfaces with a default route.
diff --git a/lib/nova_plugins/functions-libvirt b/lib/nova_plugins/functions-libvirt
index 58adde7..e9ceae4 100644
--- a/lib/nova_plugins/functions-libvirt
+++ b/lib/nova_plugins/functions-libvirt
@@ -58,13 +58,10 @@
function install_libvirt {
if is_ubuntu; then
- install_package qemu-system libvirt-clients libvirt-daemon-system libvirt-dev
+ install_package qemu-system libvirt-clients libvirt-daemon-system libvirt-dev python3-libvirt
if is_arch "aarch64"; then
install_package qemu-efi
fi
- # uninstall in case the libvirt version changed
- pip_uninstall libvirt-python
- pip_install_gr libvirt-python
#pip_install_gr <there-si-no-guestfs-in-pypi>
elif is_fedora || is_suse; then
@@ -79,24 +76,11 @@
# as the base system version is too old. We should have
# pre-installed these
install_package qemu-kvm
+ install_package libvirt libvirt-devel python3-libvirt
- install_package libvirt libvirt-devel
- if is_arch "x86_64"; then
- # NOTE(yoctozepto): recent edk2-ovmf on CentOS Stream 8 x86_64 started failing with
- # "libvirt.libvirtError: internal error: unknown feature amd-sev-es",
- # so reinstall a known working version until the relevant bugs get fixed:
- # * https://bugzilla.redhat.com/show_bug.cgi?id=1961558
- # * https://bugzilla.redhat.com/show_bug.cgi?id=1961562
- # TODO(yoctozepto): Remove this code when the time is right.
- if [ "$os_VENDOR" = "CentOSStream" ]; then
- install_package edk2-ovmf-20200602gitca407c7246bf-4.el8
- fi
- elif is_arch "aarch64"; then
+ if is_arch "aarch64"; then
install_package edk2.git-aarch64
fi
-
- pip_uninstall libvirt-python
- pip_install_gr libvirt-python
fi
if [[ $DEBUG_LIBVIRT_COREDUMPS == True ]]; then
diff --git a/lib/nova_plugins/hypervisor-ironic b/lib/nova_plugins/hypervisor-ironic
index bda6ef6..f058e9b 100644
--- a/lib/nova_plugins/hypervisor-ironic
+++ b/lib/nova_plugins/hypervisor-ironic
@@ -47,9 +47,13 @@
iniset $NOVA_CONF ironic username admin
iniset $NOVA_CONF ironic password $ADMIN_PASSWORD
iniset $NOVA_CONF ironic auth_url $KEYSTONE_SERVICE_URI
- iniset $NOVA_CONF ironic project_domain_id default
+ if is_ironic_enforce_scope; then
+ iniset $NOVA_CONF ironic system_scope all
+ else
+ iniset $NOVA_CONF ironic project_domain_id default
+ iniset $NOVA_CONF ironic project_name demo
+ fi
iniset $NOVA_CONF ironic user_domain_id default
- iniset $NOVA_CONF ironic project_name demo
iniset $NOVA_CONF ironic region_name $REGION_NAME
# These are used with crufty legacy ironicclient
@@ -82,7 +86,6 @@
:
}
-
# Restore xtrace
$_XTRACE_HYP_IRONIC
diff --git a/lib/os-vif b/lib/os-vif
new file mode 100644
index 0000000..865645c
--- /dev/null
+++ b/lib/os-vif
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+# support vsctl or native.
+# until bug #1929446 is resolved we override the os-vif default
+# and fall back to the legacy "vsctl" driver.
+OS_VIF_OVS_OVSDB_INTERFACE=${OS_VIF_OVS_OVSDB_INTERFACE:="vsctl"}
+
+function is_ml2_ovs {
+ if [[ "${Q_AGENT}" == "openvswitch" ]]; then
+ echo "True"
+ fi
+ echo "False"
+}
+
+# This should be true for any ml2/ovs job but should be set to false for
+# all other ovs based jobs e.g. ml2/ovn
+OS_VIF_OVS_ISOLATE_VIF=${OS_VIF_OVS_ISOLATE_VIF:=$(is_ml2_ovs)}
+OS_VIF_OVS_ISOLATE_VIF=$(trueorfalse False OS_VIF_OVS_ISOLATE_VIF)
+
+function configure_os_vif {
+ if [[ -e ${NOVA_CONF} ]]; then
+ iniset ${NOVA_CONF} os_vif_ovs ovsdb_interface ${OS_VIF_OVS_OVSDB_INTERFACE}
+ iniset ${NOVA_CONF} os_vif_ovs isolate_vif ${OS_VIF_OVS_ISOLATE_VIF}
+ fi
+ if [[ -e ${NEUTRON_CONF} ]]; then
+ iniset ${NEUTRON_CONF} os_vif_ovs ovsdb_interface ${OS_VIF_OVS_OVSDB_INTERFACE}
+ iniset ${NEUTRON_CONF} os_vif_ovs isolate_vif ${OS_VIF_OVS_ISOLATE_VIF}
+ fi
+}
diff --git a/lib/tempest b/lib/tempest
index d835c68..3fa7ce0 100644
--- a/lib/tempest
+++ b/lib/tempest
@@ -107,7 +107,7 @@
# Takes an image ID parameter as input
function image_size_in_gib {
local size
- size=$(openstack image show $1 -c size -f value)
+ size=$(openstack --os-cloud devstack-admin image show $1 -c size -f value)
echo $size | python3 -c "import math; print(int(math.ceil(float(int(input()) / 1024.0 ** 3))))"
}
@@ -173,7 +173,7 @@
image_uuid_alt="$IMAGE_UUID"
fi
images+=($IMAGE_UUID)
- done < <(openstack image list --property status=active | awk -F'|' '!/^(+--)|ID|aki|ari/ { print $3,$2 }')
+ done < <(openstack --os-cloud devstack-admin image list --property status=active | awk -F'|' '!/^(+--)|ID|aki|ari/ { print $3,$2 }')
case "${#images[*]}" in
0)
@@ -209,23 +209,23 @@
local alt_username=${ALT_USERNAME:-alt_demo}
local alt_project_name=${ALT_TENANT_NAME:-alt_demo}
local admin_project_id
- admin_project_id=$(openstack project list | awk "/ admin / { print \$2 }")
+ admin_project_id=$(openstack --os-cloud devstack-admin project list | awk "/ admin / { print \$2 }")
if is_service_enabled nova; then
# If ``DEFAULT_INSTANCE_TYPE`` is not declared, use the new behavior
# Tempest creates its own instance types
- available_flavors=$(nova flavor-list)
+ available_flavors=$(openstack --os-cloud devstack-admin flavor list)
if [[ -z "$DEFAULT_INSTANCE_TYPE" ]]; then
if [[ ! ( $available_flavors =~ 'm1.nano' ) ]]; then
# Determine the flavor disk size based on the image size.
disk=$(image_size_in_gib $image_uuid)
- openstack flavor create --id 42 --ram 128 --disk $disk --vcpus 1 --property hw_rng:allowed=True m1.nano
+ openstack --os-cloud devstack-admin flavor create --id 42 --ram 128 --disk $disk --vcpus 1 --property hw_rng:allowed=True m1.nano
fi
flavor_ref=42
if [[ ! ( $available_flavors =~ 'm1.micro' ) ]]; then
# Determine the alt flavor disk size based on the alt image size.
disk=$(image_size_in_gib $image_uuid_alt)
- openstack flavor create --id 84 --ram 192 --disk $disk --vcpus 1 --property hw_rng:allowed=True m1.micro
+ openstack --os-cloud devstack-admin flavor create --id 84 --ram 192 --disk $disk --vcpus 1 --property hw_rng:allowed=True m1.micro
fi
flavor_ref_alt=84
else
@@ -251,7 +251,7 @@
fi
flavor_ref=${flavors[0]}
flavor_ref_alt=$flavor_ref
- flavor_ref_size=$(openstack flavor show --format value --column disk "${flavor_ref}")
+ flavor_ref_size=$(openstack --os-cloud devstack-admin flavor show --format value --column disk "${flavor_ref}")
# Ensure ``flavor_ref`` and ``flavor_ref_alt`` have different values.
# Some resize instance in tempest tests depends on this.
@@ -264,7 +264,7 @@
# flavor selected as default, e.g. m1.small,
# we need to perform additional check.
#
- flavor_ref_alt_size=$(openstack flavor show --format value --column disk "${f}")
+ flavor_ref_alt_size=$(openstack --os-cloud devstack-admin flavor show --format value --column disk "${f}")
if [[ "${flavor_ref_alt_size}" -lt "${flavor_ref_size}" ]]; then
continue
fi
@@ -285,10 +285,10 @@
# If NEUTRON_CREATE_INITIAL_NETWORKS is not true, there is no network created
# and the public_network_id should not be set.
if [[ "$NEUTRON_CREATE_INITIAL_NETWORKS" == "True" ]] && is_networking_extension_supported 'external-net'; then
- public_network_id=$(openstack network show -f value -c id $PUBLIC_NETWORK_NAME)
+ public_network_id=$(openstack --os-cloud devstack-admin network show -f value -c id $PUBLIC_NETWORK_NAME)
# make sure shared network presence does not confuses the tempest tests
- openstack network create --share shared
- openstack subnet create --description shared-subnet --subnet-range ${TEMPEST_SHARED_POOL:-192.168.233.0/24} --network shared shared-subnet
+ openstack --os-cloud devstack-admin network create --share shared
+ openstack --os-cloud devstack-admin subnet create --description shared-subnet --subnet-range ${TEMPEST_SHARED_POOL:-192.168.233.0/24} --network shared shared-subnet
fi
iniset $TEMPEST_CONFIG DEFAULT use_syslog $SYSLOG
@@ -419,6 +419,9 @@
iniset $TEMPEST_CONFIG compute-feature-enabled live_migrate_back_and_forth ${LIVE_MIGRATE_BACK_AND_FORTH:-False}
iniset $TEMPEST_CONFIG compute-feature-enabled attach_encrypted_volume ${ATTACH_ENCRYPTED_VOLUME_AVAILABLE:-True}
+ # Starting Wallaby, nova sanitizes instance hostnames having freeform characters with dashes
+ iniset $TEMPEST_CONFIG compute-feature-enabled hostname_fqdn_sanitization True
+
if [[ -n "$NOVA_FILTERS" ]]; then
iniset $TEMPEST_CONFIG compute-feature-enabled scheduler_enabled_filters ${NOVA_FILTERS}
fi
@@ -597,6 +600,19 @@
fi
done
+ # ``enforce_scope``
+ # If services enable the enforce_scope for their policy
+ # we need to enable the same on Tempest side so that
+ # test can be run with scoped token.
+ if [[ "$KEYSTONE_ENFORCE_SCOPE" == True ]] ; then
+ iniset $TEMPEST_CONFIG enforce_scope keystone true
+ iniset $TEMPEST_CONFIG auth admin_system 'all'
+ iniset $TEMPEST_CONFIG auth admin_project_name ''
+ fi
+ iniset $TEMPEST_CONFIG enforce_scope glance "$GLANCE_ENFORCE_SCOPE"
+
+ iniset $TEMPEST_CONFIG enforce_scope cinder "$CINDER_ENFORCE_SCOPE"
+
if [ "$VIRT_DRIVER" = "libvirt" ] && [ "$LIBVIRT_TYPE" = "lxc" ]; then
# libvirt-lxc does not support boot from volume or attaching volumes
# so basically anything with cinder is out of the question.
diff --git a/stack.sh b/stack.sh
index 6858ab8..c439a72 100755
--- a/stack.sh
+++ b/stack.sh
@@ -597,6 +597,7 @@
source $TOP_DIR/lib/dstat
source $TOP_DIR/lib/tcpdump
source $TOP_DIR/lib/etcd3
+source $TOP_DIR/lib/os-vif
# Extras Source
# --------------
@@ -1159,6 +1160,11 @@
sudo sysctl -w net.ipv4.ip_forward=1
fi
+# os-vif
+# ------
+if is_service_enabled nova neutron; then
+ configure_os_vif
+fi
# Storage Service
# ---------------
@@ -1341,6 +1347,7 @@
done
fi
+async_wait create_flavors
if is_service_enabled horizon; then
echo_summary "Starting Horizon"
@@ -1348,8 +1355,6 @@
start_horizon
fi
-async_wait create_flavors
-
# Create account rc files
# =======================
diff --git a/tools/worlddump.py b/tools/worlddump.py
index 22770f1..e292173 100755
--- a/tools/worlddump.py
+++ b/tools/worlddump.py
@@ -134,7 +134,7 @@
def ebtables_dump():
- tables = ['filter', 'nat', 'broute']
+ tables = ['filter', 'nat']
_header("EB Tables Dump")
if not _find_cmd('ebtables'):
return