Merge "Add additional project personas for secure RBAC"
diff --git a/.zuul.yaml b/.zuul.yaml
index cbcb863..7a85266 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -630,9 +630,7 @@
voting: false
timeout: 9000
vars:
- # NOTE(yoctozepto): With concurrency equal 2, there is a random event
- # that this job will run out of memory at some point.
- tempest_concurrency: 1
+ configure_swap_size: 4096
# NOTE(yoctozepto): Debian Bullseye does not yet offer OVN. Switch to OVS
# for the time being.
devstack_localrc:
diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst
index d1144ae..b4fff4f 100644
--- a/doc/source/configuration.rst
+++ b/doc/source/configuration.rst
@@ -642,6 +642,12 @@
VOLUME_NAME_PREFIX="volume-"
VOLUME_BACKING_FILE_SIZE=24G
+When running highly concurrent tests, the default per-project quotas
+for volumes, backups, or snapshots may be too small. These can be
+adjusted by setting ``CINDER_QUOTA_VOLUMES``, ``CINDER_QUOTA_BACKUPS``,
+or ``CINDER_QUOTA_SNAPSHOTS`` to the desired value. (The default for
+each is 10.)
+
Keystone
~~~~~~~~
diff --git a/functions-common b/functions-common
index 996827f..147e949 100644
--- a/functions-common
+++ b/functions-common
@@ -602,7 +602,7 @@
if [[ "$ERROR_ON_CLONE" = "True" ]]; then
echo "The $git_dest project was not found; if this is a gate job, add"
echo "the project to 'required-projects' in the job definition."
- die $LINENO "Cloning not allowed in this configuration"
+ die $LINENO "ERROR_ON_CLONE is set to True so cloning not allowed in this configuration"
fi
git_timed clone $git_clone_flags $git_remote $git_dest
fi
@@ -614,7 +614,7 @@
if [[ "$ERROR_ON_CLONE" = "True" ]]; then
echo "The $git_dest project was not found; if this is a gate job, add"
echo "the project to the \$PROJECTS variable in the job definition."
- die $LINENO "Cloning not allowed in this configuration"
+ die $LINENO "ERROR_ON_CLONE is set to True so cloning not allowed in this configuration"
fi
# '--branch' can also take tags
git_timed clone $git_clone_flags $git_remote $git_dest --branch $git_ref
diff --git a/lib/cinder b/lib/cinder
index f3e2430..cefb609 100644
--- a/lib/cinder
+++ b/lib/cinder
@@ -286,6 +286,11 @@
iniset $CINDER_CONF DEFAULT allowed_direct_url_schemes $CINDER_ALLOWED_DIRECT_URL_SCHEMES
fi
+ # set default quotas
+ iniset $CINDER_CONF DEFAULT quota_volumes ${CINDER_QUOTA_VOLUMES:-10}
+ iniset $CINDER_CONF DEFAULT quota_backups ${CINDER_QUOTA_BACKUPS:-10}
+ iniset $CINDER_CONF DEFAULT quota_snapshots ${CINDER_QUOTA_SNAPSHOTS:-10}
+
# Avoid RPC timeouts in slow CI and test environments by doubling the
# default response timeout set by RPC clients. See bug #1873234 for more
# details and example failures.
diff --git a/lib/neutron-legacy b/lib/neutron-legacy
index 7b20a96..a3f6f07 100644
--- a/lib/neutron-legacy
+++ b/lib/neutron-legacy
@@ -277,7 +277,9 @@
source $TOP_DIR/lib/neutron_plugins/services/l3
# Additional Neutron service plugins
+source $TOP_DIR/lib/neutron_plugins/services/placement
source $TOP_DIR/lib/neutron_plugins/services/trunk
+source $TOP_DIR/lib/neutron_plugins/services/qos
# Use security group or not
if has_neutron_plugin_security_group; then
@@ -374,9 +376,19 @@
fi
# Configure Neutron's advanced services
+ if is_service_enabled q-placement neutron-placement; then
+ configure_placement_extension
+ fi
if is_service_enabled q-trunk neutron-trunk; then
configure_trunk_extension
fi
+ if is_service_enabled q-qos neutron-qos; then
+ configure_qos
+ if is_service_enabled q-l3 neutron-l3; then
+ configure_l3_agent_extension_fip_qos
+ configure_l3_agent_extension_gateway_ip_qos
+ fi
+ fi
iniset $NEUTRON_CONF DEFAULT api_workers "$API_WORKERS"
# devstack is not a tool for running uber scale OpenStack
@@ -552,11 +564,7 @@
function start_mutnauq_other_agents {
run_process q-dhcp "$AGENT_DHCP_BINARY --config-file $NEUTRON_CONF --config-file $Q_DHCP_CONF_FILE"
- if is_service_enabled neutron-vpnaas; then
- : # Started by plugin
- else
- run_process q-l3 "$AGENT_L3_BINARY $(determine_config_files neutron-l3-agent)"
- fi
+ run_process q-l3 "$AGENT_L3_BINARY $(determine_config_files neutron-l3-agent)"
run_process q-meta "$AGENT_META_BINARY --config-file $NEUTRON_CONF --config-file $Q_META_CONF_FILE"
run_process q-metering "$AGENT_METERING_BINARY --config-file $NEUTRON_CONF --config-file $METERING_AGENT_CONF_FILENAME"
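Review bot: `run_process q-l3` in `start_mutnauq_other_agents` now runs even when `neutron-vpnaas` is enabled, while the removed branch left that case to the plugin ("Started by plugin"). If a deployed version of that plugin still launches its own L3 agent, two agents could end up running against the same configuration. Whether the plugin was changed in step is not visible here. A comment on the new line would record the contract, e.g. `# q-l3 is always started here; service plugins must not start their own L3 agent`. The function body continues past the end of this hunk.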
diff --git a/lib/neutron_plugins/services/placement b/lib/neutron_plugins/services/placement
new file mode 100644
index 0000000..3ec185b
--- /dev/null
+++ b/lib/neutron_plugins/services/placement
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+function configure_placement_service_plugin {
+ neutron_service_plugin_class_add "placement"
+}
+
+function configure_placement_neutron {
+ iniset $NEUTRON_CONF placement auth_type "$NEUTRON_PLACEMENT_AUTH_TYPE"
+ iniset $NEUTRON_CONF placement auth_url "$KEYSTONE_SERVICE_URI"
+ iniset $NEUTRON_CONF placement username "$NEUTRON_PLACEMENT_USERNAME"
+ iniset $NEUTRON_CONF placement password "$SERVICE_PASSWORD"
+ iniset $NEUTRON_CONF placement user_domain_name "$SERVICE_DOMAIN_NAME"
+ iniset $NEUTRON_CONF placement project_name "$SERVICE_TENANT_NAME"
+ iniset $NEUTRON_CONF placement project_domain_name "$SERVICE_DOMAIN_NAME"
+ iniset $NEUTRON_CONF placement region_name "$REGION_NAME"
+}
+
+function configure_placement_extension {
+ configure_placement_service_plugin
+ configure_placement_neutron
+}
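Review bot: `configure_placement_neutron` reads `NEUTRON_PLACEMENT_AUTH_TYPE` and `NEUTRON_PLACEMENT_USERNAME`, but nothing in this new file gives them a value. If they are not defaulted elsewhere (not visible in this diff), `iniset` writes an empty `auth_type` and `username` into the `[placement]` section, and the failure only shows up later as an authentication error. A guard at the top of the function makes it fail early, e.g. `: "${NEUTRON_PLACEMENT_USERNAME:?must be set before configure_placement_neutron}"`, with the same for the auth type. A header comment listing the globals the function reads (`NEUTRON_CONF`, `KEYSTONE_SERVICE_URI`, `SERVICE_PASSWORD`, `SERVICE_DOMAIN_NAME`, `SERVICE_TENANT_NAME`, `REGION_NAME`) would also help, and `$NEUTRON_CONF` should be quoted like the values are.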
diff --git a/lib/neutron_plugins/services/qos b/lib/neutron_plugins/services/qos
new file mode 100644
index 0000000..af9eb3d
--- /dev/null
+++ b/lib/neutron_plugins/services/qos
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+function configure_qos_service_plugin {
+ neutron_service_plugin_class_add "qos"
+}
+
+
+function configure_qos_core_plugin {
+ configure_qos_$NEUTRON_CORE_PLUGIN
+}
+
+
+function configure_qos_l2_agent {
+ plugin_agent_add_l2_agent_extension "qos"
+}
+
+
+function configure_qos {
+ configure_qos_service_plugin
+ configure_qos_core_plugin
+ configure_qos_l2_agent
+}
+
+function configure_l3_agent_extension_fip_qos {
+ plugin_agent_add_l3_agent_extension "fip_qos"
+}
+
+function configure_l3_agent_extension_gateway_ip_qos {
+ plugin_agent_add_l3_agent_extension "gateway_ip_qos"
+}
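Review bot: `configure_qos_$NEUTRON_CORE_PLUGIN` in `configure_qos_core_plugin` builds a function name from a variable and calls it without checking that the function exists. An unset `NEUTRON_CORE_PLUGIN`, or a core plugin that defines no `configure_qos_<plugin>` function, then fails with a bare "command not found". A guard gives a usable error: `[[ $(type -t "configure_qos_$NEUTRON_CORE_PLUGIN") == function ]] || die $LINENO "no QoS configuration for core plugin '$NEUTRON_CORE_PLUGIN'"`. The functions also have no header comments; one line on each naming the helper it relies on (`neutron_service_plugin_class_add`, `plugin_agent_add_l2_agent_extension`, `plugin_agent_add_l3_agent_extension`) would help, since none of those is defined in this file.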
diff --git a/lib/swift b/lib/swift
index b376993..9c13701 100644
--- a/lib/swift
+++ b/lib/swift
@@ -866,12 +866,15 @@
function swift_configure_tempurls {
# note we are using swift credentials!
- OS_USERNAME=swift \
- OS_PASSWORD=$SERVICE_PASSWORD \
- OS_USER_DOMAIN_NAME=$SERVICE_DOMAIN_NAME \
- OS_PROJECT_NAME=$SERVICE_PROJECT_NAME \
- OS_PROJECT_DOMAIN_NAME=$SERVICE_DOMAIN_NAME \
- openstack object store account \
+ openstack --os-cloud "" \
+ --os-region-name $REGION_NAME \
+ --os-auth-url $KEYSTONE_SERVICE_URI \
+ --os-username=swift \
+ --os-password=$SERVICE_PASSWORD \
+ --os-user-domain-name=$SERVICE_DOMAIN_NAME \
+ --os-project-name=$SERVICE_PROJECT_NAME \
+ --os-project-domain-name=$SERVICE_DOMAIN_NAME \
+ object store account \
set --property "Temp-URL-Key=$SWIFT_TEMPURL_KEY"
}
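Review bot: `--os-password=$SERVICE_PASSWORD` puts the service password in the argv of the `openstack` process, where any local user can read it from `ps` or `/proc/<pid>/cmdline` while the command runs; the environment form this hunk removes did not have that exposure. If the client still honours `OS_PASSWORD` when `--os-cloud ""` is given (worth confirming), keep only the password in the environment, `OS_PASSWORD="$SERVICE_PASSWORD" openstack --os-cloud "" \`, and drop the `--os-password` line. The new expansions are also unquoted, so a password or URL containing whitespace or glob characters would be split into extra arguments; quote them, e.g. `--os-auth-url "$KEYSTONE_SERVICE_URI" \`. The same argv exposure applies to the stack.sh hunk that appends `--os-password $ADMIN_PASSWORD` to `USERRC_PARAMS`.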
diff --git a/stack.sh b/stack.sh
index b5ad81b..ead56e6 100755
--- a/stack.sh
+++ b/stack.sh
@@ -1063,35 +1063,13 @@
# Keystone
# --------
-# Rather than just export these, we write them out to a
-# intermediate userrc file that can also be used to debug if
-# something goes wrong between here and running
-# tools/create_userrc.sh (this script relies on services other
-# than keystone being available, so we can't call it right now)
-cat > $TOP_DIR/userrc_early <<EOF
-# Use this for debugging issues before files in accrc are created
-
-# Set up password auth credentials now that Keystone is bootstrapped
-export OS_IDENTITY_API_VERSION=3
-export OS_AUTH_URL=$KEYSTONE_SERVICE_URI
-export OS_USERNAME=admin
-export OS_USER_DOMAIN_ID=default
-export OS_PASSWORD=$ADMIN_PASSWORD
-export OS_PROJECT_NAME=admin
-export OS_PROJECT_DOMAIN_ID=default
-export OS_REGION_NAME=$KEYSTONE_REGION_NAME
-
-EOF
-
if is_service_enabled tls-proxy; then
- echo "export OS_CACERT=$INT_CA_DIR/ca-chain.pem" >> $TOP_DIR/userrc_early
start_tls_proxy http-services '*' 443 $SERVICE_HOST 80
fi
-source $TOP_DIR/userrc_early
-
-# Write a clouds.yaml file
+# Write a clouds.yaml file and use the devstack-admin cloud
write_clouds_yaml
+export OS_CLOUD=devstack-admin
if is_service_enabled keystone; then
echo_summary "Starting Keystone"
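Review bot: The `OS_CACERT` export for the tls-proxy case disappears together with `userrc_early`, so certificate verification for every later client call now depends on `write_clouds_yaml` recording the CA bundle in the `devstack-admin` entry, which is not visible in this hunk. A comment above the export would make that dependency explicit, e.g. `# devstack-admin in clouds.yaml must carry the CA bundle when tls-proxy is enabled`. Hosts that ran an earlier version keep a `$TOP_DIR/userrc_early` holding `ADMIN_PASSWORD` in clear text. Presumably nothing removes it now, so consider `rm -f "$TOP_DIR/userrc_early"` here or in the cleanup path.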
@@ -1380,7 +1358,7 @@
# which is helpful in image bundle steps.
if is_service_enabled nova && is_service_enabled keystone; then
- USERRC_PARAMS="-PA --target-dir $TOP_DIR/accrc"
+ USERRC_PARAMS="-PA --target-dir $TOP_DIR/accrc --os-password $ADMIN_PASSWORD"
if [ -f $SSL_BUNDLE_FILE ]; then
USERRC_PARAMS="$USERRC_PARAMS --os-cacert $SSL_BUNDLE_FILE"