Merge "Remove duplicate entry for flat_networks"
diff --git a/lib/glance b/lib/glance
index da9cd43..4ba1d20 100644
--- a/lib/glance
+++ b/lib/glance
@@ -161,6 +161,9 @@
if is_service_enabled s-proxy; then
iniset $GLANCE_API_CONF glance_store default_store swift
iniset $GLANCE_API_CONF glance_store swift_store_create_container_on_put True
+ if python3_enabled; then
+ iniset $GLANCE_API_CONF glance_store swift_store_auth_insecure True
+ fi
iniset $GLANCE_API_CONF glance_store swift_store_config_file $GLANCE_SWIFT_STORE_CONF
iniset $GLANCE_API_CONF glance_store default_swift_reference ref1
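Review bot: `swift_store_auth_insecure True` in the added `if python3_enabled` block turns off certificate verification for glance's authentication to swift, and nothing in the hunk says why or for how long. A comment above the `if` would record that, e.g. `# python3: disable TLS certificate verification for swift auth (test setups only); drop once the CA cert can be configured`. The NOTE in the next lib/glance hunk says glance_store+swift has no insecure flag, which appears to contradict this setting, so one of the two should be reworded. The enclosing function starts and ends outside the hunk.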
@@ -186,7 +189,13 @@
fi
iniset $GLANCE_SWIFT_STORE_CONF ref1 key $SERVICE_PASSWORD
- iniset $GLANCE_SWIFT_STORE_CONF ref1 auth_address $KEYSTONE_SERVICE_URI/v3
+ if python3_enabled; then
+ # NOTE(dims): Currently the glance_store+swift does not support either an insecure flag
+ # or ability to specify the CACERT. So fallback to http:// url
+ iniset $GLANCE_SWIFT_STORE_CONF ref1 auth_address ${KEYSTONE_SERVICE_URI/https/http}/v3
+ else
+ iniset $GLANCE_SWIFT_STORE_CONF ref1 auth_address $KEYSTONE_SERVICE_URI/v3
+ fi
iniset $GLANCE_SWIFT_STORE_CONF ref1 auth_version 3
# commenting is not strictly necessary but it's confusing to have bad values in conf
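Review bot: The python3 branch rewrites the Keystone auth URL to http, so the `key $SERVICE_PASSWORD` written just above it is presumably used to authenticate over an unencrypted connection. The substitution `${KEYSTONE_SERVICE_URI/https/http}` is also unanchored and replaces the first `https` anywhere in the value, whereas `${KEYSTONE_SERVICE_URI/#https:/http:}` touches only the scheme. The NOTE should say that this downgrade is acceptable only on a test host and name the condition for removing it. The enclosing function continues outside the hunk.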
diff --git a/lib/keystone b/lib/keystone
index 825fe44..34730b8 100644
--- a/lib/keystone
+++ b/lib/keystone
@@ -131,6 +131,12 @@
KEYSTONE_AUTH_URI_V3=$KEYSTONE_AUTH_URI/v3
KEYSTONE_SERVICE_URI_V3=$KEYSTONE_SERVICE_URI/v3
+# Security compliance
+KEYSTONE_SECURITY_COMPLIANCE_ENABLED=${KEYSTONE_SECURITY_COMPLIANCE_ENABLED:-True}
+KEYSTONE_LOCKOUT_FAILURE_ATTEMPTS=${KEYSTONE_LOCKOUT_FAILURE_ATTEMPTS:-2}
+KEYSTONE_LOCKOUT_DURATION=${KEYSTONE_LOCKOUT_DURATION:-5}
+KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT=${KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT:-2}
+
# Functions
# ---------
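Review bot: `KEYSTONE_SECURITY_COMPLIANCE_ENABLED` is never normalised, and the later checks in lib/keystone and lib/tempest compare it against the literal `True`, so `true` or `1` in local.conf leaves the lockout settings silently unset. devstack's `trueorfalse` helper handles this: `KEYSTONE_SECURITY_COMPLIANCE_ENABLED=$(trueorfalse True KEYSTONE_SECURITY_COMPLIANCE_ENABLED)`. The `# Security compliance` comment could also state units and intent, e.g. `# Lock an account for KEYSTONE_LOCKOUT_DURATION seconds after KEYSTONE_LOCKOUT_FAILURE_ATTEMPTS failed logins`. The defaults of 2 attempts and 5 seconds look chosen for test runs rather than as hardening values, and the comment should say so.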
@@ -339,6 +345,12 @@
# allows policy changes in order to clarify the adminess scope.
#iniset $KEYSTONE_CONF resource admin_project_domain_name Default
#iniset $KEYSTONE_CONF resource admin_project_name admin
+
+ if [[ "$KEYSTONE_SECURITY_COMPLIANCE_ENABLED" = True ]]; then
+ iniset $KEYSTONE_CONF security_compliance lockout_failure_attempts $KEYSTONE_LOCKOUT_FAILURE_ATTEMPTS
+ iniset $KEYSTONE_CONF security_compliance lockout_duration $KEYSTONE_LOCKOUT_DURATION
+ iniset $KEYSTONE_CONF security_compliance unique_last_password_count $KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT
+ fi
}
# create_keystone_accounts() - Sets up common required keystone accounts
diff --git a/lib/neutron b/lib/neutron
index 852787d..1c47829 100644
--- a/lib/neutron
+++ b/lib/neutron
@@ -163,9 +163,9 @@
# Configure VXLAN
# TODO(sc68cal) not hardcode?
iniset $NEUTRON_CORE_PLUGIN_CONF ml2 tenant_network_types vxlan
- iniset $NEUTRON_CORE_PLUGIN_CONF ml2 type_drivers vxlan
iniset $NEUTRON_CORE_PLUGIN_CONF ml2 mechanism_drivers openvswitch,linuxbridge
iniset $NEUTRON_CORE_PLUGIN_CONF ml2_type_vxlan vni_ranges 1001:2000
+ iniset $NEUTRON_CORE_PLUGIN_CONF ml2_type_flat flat_networks public
if [[ "$NEUTRON_PORT_SECURITY" = "True" ]]; then
iniset $NEUTRON_CORE_PLUGIN_CONF ml2 extension_drivers port_security
fi
@@ -178,10 +178,10 @@
# Configure the neutron agent
if [[ $NEUTRON_AGENT == "linuxbridge" ]]; then
- iniset $NEUTRON_CORE_PLUGIN_CONF securitygroup iptables
+ iniset $NEUTRON_CORE_PLUGIN_CONF securitygroup firewall_driver iptables
iniset $NEUTRON_CORE_PLUGIN_CONF vxlan local_ip $HOST_IP
else
- iniset $NEUTRON_CORE_PLUGIN_CONF securitygroup iptables_hybrid
+ iniset $NEUTRON_CORE_PLUGIN_CONF securitygroup firewall_driver iptables_hybrid
iniset $NEUTRON_CORE_PLUGIN_CONF ovs local_ip $HOST_IP
fi
diff --git a/lib/neutron_plugins/ml2 b/lib/neutron_plugins/ml2
index d798929..c5a4c02 100644
--- a/lib/neutron_plugins/ml2
+++ b/lib/neutron_plugins/ml2
@@ -63,7 +63,7 @@
function neutron_plugin_configure_common {
Q_PLUGIN_CONF_PATH=etc/neutron/plugins/ml2
Q_PLUGIN_CONF_FILENAME=ml2_conf.ini
- Q_PLUGIN_CLASS="neutron.plugins.ml2.plugin.Ml2Plugin"
+ Q_PLUGIN_CLASS="ml2"
# The ML2 plugin delegates L3 routing/NAT functionality to
# the L3 service plugin which must therefore be specified.
_neutron_service_plugin_class_add $ML2_L3_PLUGIN
diff --git a/lib/nova b/lib/nova
index 50c0d47..8f11e0f 100644
--- a/lib/nova
+++ b/lib/nova
@@ -823,7 +823,7 @@
run_process n-cpu "$NOVA_BIN_DIR/nova-compute --config-file $compute_cell_conf" $LIBVIRT_GROUP
elif [[ "$VIRT_DRIVER" = 'lxd' ]]; then
run_process n-cpu "$NOVA_BIN_DIR/nova-compute --config-file $compute_cell_conf" $LXD_GROUP
- elif [[ "$VIRT_DRIVER" = 'docker' ]]; then
+ elif [[ "$VIRT_DRIVER" = 'docker' || "$VIRT_DRIVER" = 'zun' ]]; then
run_process n-cpu "$NOVA_BIN_DIR/nova-compute --config-file $compute_cell_conf" $DOCKER_GROUP
elif [[ "$VIRT_DRIVER" = 'fake' ]]; then
local i
diff --git a/lib/placement b/lib/placement
index 93b72eb..871e282 100644
--- a/lib/placement
+++ b/lib/placement
@@ -103,9 +103,9 @@
iniset $NOVA_CONF placement auth_url "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_AUTH_PORT/v3"
iniset $NOVA_CONF placement username placement
iniset $NOVA_CONF placement password "$SERVICE_PASSWORD"
- iniset $NOVA_CONF placement user_domain_name "Default"
+ iniset $NOVA_CONF placement user_domain_name "$SERVICE_DOMAIN_NAME"
iniset $NOVA_CONF placement project_name "$SERVICE_TENANT_NAME"
- iniset $NOVA_CONF placement project_domain_name "Default"
+ iniset $NOVA_CONF placement project_domain_name "$SERVICE_DOMAIN_NAME"
iniset $NOVA_CONF placement os_region_name "$REGION_NAME"
# TODO(cdent): auth_strategy, which is common to see in these
# blocks is not currently used here. For the time being the
diff --git a/lib/swift b/lib/swift
index b175f2e..03fd454 100644
--- a/lib/swift
+++ b/lib/swift
@@ -454,7 +454,6 @@
# out. Make sure we uncomment Tempauth after we uncomment Keystoneauth
# otherwise, this code also sets the reseller_prefix for Keystoneauth.
iniuncomment ${SWIFT_CONFIG_PROXY_SERVER} filter:tempauth account_autocreate
- iniuncomment ${SWIFT_CONFIG_PROXY_SERVER} filter:tempauth reseller_prefix
iniset ${SWIFT_CONFIG_PROXY_SERVER} filter:tempauth reseller_prefix "TEMPAUTH"
if is_service_enabled swift3; then
@@ -809,10 +808,10 @@
local proxy_port=${SWIFT_DEFAULT_BIND_PORT}
start_tls_proxy swift '*' $proxy_port $SERVICE_HOST $SWIFT_DEFAULT_BIND_PORT_INT
fi
- run_process s-proxy "$SWIFT_DIR/bin/swift-proxy-server ${SWIFT_CONF_DIR}/proxy-server.conf -v"
+ run_process s-proxy "swift-proxy-server ${SWIFT_CONF_DIR}/proxy-server.conf -v"
if [[ ${SWIFT_REPLICAS} == 1 ]]; then
for type in object container account; do
- run_process s-${type} "$SWIFT_DIR/bin/swift-${type}-server ${SWIFT_CONF_DIR}/${type}-server/1.conf -v"
+ run_process s-${type} "swift-${type}-server ${SWIFT_CONF_DIR}/${type}-server/1.conf -v"
done
fi
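Review bot: Dropping `$SWIFT_DIR/bin/` makes both `run_process` commands resolve `swift-proxy-server` and `swift-${type}-server` through PATH, so which binary starts now depends on the environment of the user running the service. A short comment would record the intent, e.g. `# use the installed console scripts from PATH, not the in-tree $SWIFT_DIR/bin copies`. If the install location is known at this point, an absolute path would keep the lookup deterministic, but the hunk does not show whether it is. The enclosing function starts and ends outside the hunk.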
diff --git a/lib/tempest b/lib/tempest
index 7d68092..4b8fbb7 100644
--- a/lib/tempest
+++ b/lib/tempest
@@ -261,6 +261,9 @@
# Identity
iniset $TEMPEST_CONFIG identity uri "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:5000/v2.0/"
iniset $TEMPEST_CONFIG identity uri_v3 "$KEYSTONE_SERVICE_URI_V3"
+ iniset $TEMPEST_CONFIG identity user_lockout_failure_attempts $KEYSTONE_LOCKOUT_FAILURE_ATTEMPTS
+ iniset $TEMPEST_CONFIG identity user_lockout_duration $KEYSTONE_LOCKOUT_DURATION
+ iniset $TEMPEST_CONFIG identity user_unique_last_password_count $KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT
# Use domain scoped tokens for admin v3 tests, v3 dynamic credentials of v3 account generation
iniset $TEMPEST_CONFIG identity admin_domain_scope True
if [[ "$TEMPEST_HAS_ADMIN" == "True" ]]; then
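Review bot: The three added `iniset $TEMPEST_CONFIG identity user_*` lines are written unconditionally, while lib/keystone applies the matching `security_compliance` settings only when `KEYSTONE_SECURITY_COMPLIANCE_ENABLED` is `True`. With the flag off, tempest.conf then describes a lockout and password-history policy that keystone was not configured with. Moving the three lines under the `if [[ "$KEYSTONE_SECURITY_COMPLIANCE_ENABLED" = True ]]` check added in the next lib/tempest hunk would keep the two files in step. The enclosing function starts and ends outside the hunk.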
@@ -285,6 +288,9 @@
fi
# Identity Features
+ if [[ "$KEYSTONE_SECURITY_COMPLIANCE_ENABLED" = True ]]; then
+ iniset $TEMPEST_CONFIG identity-feature-enabled security_compliance True
+ fi
# TODO(rodrigods): Remove the reseller flag when Kilo and Liberty are end of life.
iniset $TEMPEST_CONFIG identity-feature-enabled reseller True
@@ -484,12 +490,6 @@
iniset $TEMPEST_CONFIG volume storage_protocol "$TEMPEST_STORAGE_PROTOCOL"
fi
- # Dashboard
- iniset $TEMPEST_CONFIG dashboard dashboard_url "http://$SERVICE_HOST/"
-
- # CLI
- iniset $TEMPEST_CONFIG cli cli_dir $NOVA_BIN_DIR
-
# Baremetal
if [ "$VIRT_DRIVER" = "ironic" ] ; then
iniset $TEMPEST_CONFIG baremetal driver_enabled True
diff --git a/stackrc b/stackrc
index 7ce6c51..19f5b53 100644
--- a/stackrc
+++ b/stackrc
@@ -573,7 +573,7 @@
lxd)
LXD_GROUP=${LXD_GROUP:-"lxd"}
;;
- docker)
+ docker|zun)
DOCKER_GROUP=${DOCKER_GROUP:-"docker"}
;;
fake)