Merge "Allow to install os-resource-classes from git repo"
diff --git a/.zuul.yaml b/.zuul.yaml
index 3c490ff..8c275d8 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -80,7 +80,7 @@
name: devstack-single-node-fedora-latest
nodes:
- name: controller
- label: fedora-32
+ label: fedora-34
groups:
- name: tempest
nodes:
@@ -336,6 +336,7 @@
/var/log/postgresql: logs
/var/log/mysql: logs
/var/log/libvirt: logs
+ /etc/libvirt: logs
/etc/sudoers: logs
/etc/sudoers.d: logs
'{{ stage_dir }}/iptables.txt': logs
@@ -730,11 +731,11 @@
irrelevant-files:
- ^.*\.rst$
- ^doc/.*$
- - neutron-grenade-multinode:
+ - neutron-ovs-grenade-multinode:
irrelevant-files:
- ^.*\.rst$
- ^doc/.*$
- - neutron-tempest-linuxbridge:
+ - neutron-linuxbridge-tempest:
irrelevant-files:
- ^.*\.rst$
- ^doc/.*$
@@ -767,11 +768,11 @@
- devstack-multinode
- devstack-unit-tests
- openstack-tox-bashate
- - neutron-grenade-multinode:
+ - neutron-ovs-grenade-multinode:
irrelevant-files:
- ^.*\.rst$
- ^doc/.*$
- - neutron-tempest-linuxbridge:
+ - neutron-linuxbridge-tempest:
irrelevant-files:
- ^.*\.rst$
- ^doc/.*$
@@ -824,11 +825,11 @@
irrelevant-files:
- ^.*\.rst$
- ^doc/.*$
- - neutron-tempest-dvr:
+ - neutron-ovs-tempest-dvr:
irrelevant-files:
- ^.*\.rst$
- ^doc/.*$
- - neutron-tempest-dvr-ha-multinode-full:
+ - neutron-ovs-tempest-dvr-ha-multinode-full:
irrelevant-files:
- ^.*\.rst$
- ^doc/.*$
diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst
index 2d0c894..6745614 100644
--- a/doc/source/configuration.rst
+++ b/doc/source/configuration.rst
@@ -689,6 +689,24 @@
ENABLE_IDENTITY_V2=False
+
+Glance
+++++++
+
+The default image size quota of 1GiB may be too small if larger images
+are to be used. Change the default at setup time with:
+
+::
+
+ GLANCE_LIMIT_IMAGE_SIZE_TOTAL=5000
+
+or at runtime via:
+
+::
+
+ openstack --os-cloud devstack-system-admin registered limit update \
+ --service glance --default-limit 5000 --region RegionOne image_size_total
+
.. _arch-configuration:
Architectures
diff --git a/doc/source/index.rst b/doc/source/index.rst
index 9f477ab..08ce4cb 100644
--- a/doc/source/index.rst
+++ b/doc/source/index.rst
@@ -63,7 +63,7 @@
.. code-block:: console
$ echo "stack ALL=(ALL) NOPASSWD: ALL" | sudo tee /etc/sudoers.d/stack
- $ sudo su - stack
+ $ sudo -u stack -i
Download DevStack
-----------------
diff --git a/doc/source/plugin-registry.rst b/doc/source/plugin-registry.rst
index 691fffa..490132e 100644
--- a/doc/source/plugin-registry.rst
+++ b/doc/source/plugin-registry.rst
@@ -98,6 +98,7 @@
openstack/solum `https://opendev.org/openstack/solum <https://opendev.org/openstack/solum>`__
openstack/storlets `https://opendev.org/openstack/storlets <https://opendev.org/openstack/storlets>`__
openstack/tacker `https://opendev.org/openstack/tacker <https://opendev.org/openstack/tacker>`__
+openstack/tap-as-a-service `https://opendev.org/openstack/tap-as-a-service <https://opendev.org/openstack/tap-as-a-service>`__
openstack/telemetry-tempest-plugin `https://opendev.org/openstack/telemetry-tempest-plugin <https://opendev.org/openstack/telemetry-tempest-plugin>`__
openstack/trove `https://opendev.org/openstack/trove <https://opendev.org/openstack/trove>`__
openstack/trove-dashboard `https://opendev.org/openstack/trove-dashboard <https://opendev.org/openstack/trove-dashboard>`__
@@ -179,7 +180,6 @@
x/scalpels `https://opendev.org/x/scalpels <https://opendev.org/x/scalpels>`__
x/slogging `https://opendev.org/x/slogging <https://opendev.org/x/slogging>`__
x/stackube `https://opendev.org/x/stackube <https://opendev.org/x/stackube>`__
-x/tap-as-a-service `https://opendev.org/x/tap-as-a-service <https://opendev.org/x/tap-as-a-service>`__
x/tap-as-a-service-dashboard `https://opendev.org/x/tap-as-a-service-dashboard <https://opendev.org/x/tap-as-a-service-dashboard>`__
x/tatu `https://opendev.org/x/tatu <https://opendev.org/x/tatu>`__
x/trio2o `https://opendev.org/x/trio2o <https://opendev.org/x/trio2o>`__
diff --git a/lib/cinder b/lib/cinder
index f6fd095..7f2f29f 100644
--- a/lib/cinder
+++ b/lib/cinder
@@ -144,6 +144,12 @@
# enable the cache for all cinder backends.
CINDER_CACHE_ENABLED_FOR_BACKENDS=${CINDER_CACHE_ENABLED_FOR_BACKENDS:-$CINDER_ENABLED_BACKENDS}
+# Flag to set the oslo_policy.enforce_scope. This is used to switch
+# the Volume API policies to start checking the scope of token. by default,
+# this flag is False.
+# For more detail: https://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo_policy.enforce_scope
+CINDER_ENFORCE_SCOPE=$(trueorfalse False CINDER_ENFORCE_SCOPE)
+
# Functions
# ---------
@@ -347,6 +353,11 @@
elif is_service_enabled etcd3; then
iniset $CINDER_CONF coordination backend_url "etcd3+http://${SERVICE_HOST}:$ETCD_PORT"
fi
+
+ if [[ "$CINDER_ENFORCE_SCOPE" == True ]] ; then
+ iniset $CINDER_CONF oslo_policy enforce_scope true
+ iniset $CINDER_CONF oslo_policy enforce_new_defaults true
+ fi
}
# create_cinder_accounts() - Set up common required cinder accounts
diff --git a/lib/glance b/lib/glance
index e789aff..cd26d97 100644
--- a/lib/glance
+++ b/lib/glance
@@ -84,6 +84,13 @@
GLANCE_TASKS_DIR=${GLANCE_MULTISTORE_FILE_IMAGE_DIR:=$DATA_DIR/os_glance_tasks_store}
GLANCE_USE_IMPORT_WORKFLOW=$(trueorfalse False GLANCE_USE_IMPORT_WORKFLOW)
+GLANCE_ENABLE_QUOTAS=$(trueorfalse True GLANCE_ENABLE_QUOTAS)
+
+# Flag to set the oslo_policy.enforce_scope. This is used to switch
+# the Image API policies to start checking the scope of token. By Default,
+# this flag is False.
+# For more detail: https://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo_policy.enforce_scope
+GLANCE_ENFORCE_SCOPE=$(trueorfalse False GLANCE_ENFORCE_SCOPE)
GLANCE_CONF_DIR=${GLANCE_CONF_DIR:-/etc/glance}
GLANCE_METADEF_DIR=$GLANCE_CONF_DIR/metadefs
@@ -107,6 +114,10 @@
GLANCE_SERVICE_PROTOCOL=${GLANCE_SERVICE_PROTOCOL:-$SERVICE_PROTOCOL}
GLANCE_UWSGI=$GLANCE_BIN_DIR/glance-wsgi-api
GLANCE_UWSGI_CONF=$GLANCE_CONF_DIR/glance-uwsgi.ini
+
+# Glance default limit for Devstack
+GLANCE_LIMIT_IMAGE_SIZE_TOTAL=${GLANCE_LIMIT_IMAGE_SIZE_TOTAL:-1000}
+
# If wsgi mode is uwsgi run glance under uwsgi, else default to eventlet
# TODO(mtreinish): Remove the eventlet path here and in all the similar
# conditionals below after the Pike release
@@ -263,6 +274,45 @@
fi
}
+function configure_glance_quotas {
+
+ # NOTE(danms): We need to have some of the OS_ things unset in
+ # order to use system scope, which is required for creating these
+ # limits. This is a hack, but I dunno how else to get osc to use
+ # system scope.
+
+ bash -c "unset OS_USERNAME OS_TENANT_NAME OS_PROJECT_NAME;
+ openstack --os-cloud devstack-system-admin registered limit create \
+ --service glance --default-limit $GLANCE_LIMIT_IMAGE_SIZE_TOTAL \
+ --region $REGION_NAME image_size_total; \
+ openstack --os-cloud devstack-system-admin registered limit create \
+ --service glance --default-limit $GLANCE_LIMIT_IMAGE_SIZE_TOTAL \
+ --region $REGION_NAME image_stage_total; \
+ openstack --os-cloud devstack-system-admin registered limit create \
+ --service glance --default-limit 100 --region $REGION_NAME \
+ image_count_total; \
+ openstack --os-cloud devstack-system-admin registered limit create \
+ --service glance --default-limit 100 --region $REGION_NAME \
+ image_count_uploading"
+
+ # Tell glance to use these limits
+ iniset $GLANCE_API_CONF DEFAULT use_keystone_limits True
+
+ # Configure oslo_limit so it can talk to keystone
+ iniset $GLANCE_API_CONF oslo_limit user_domain_name $SERVICE_DOMAIN_NAME
+ iniset $GLANCE_API_CONF oslo_limit password $SERVICE_PASSWORD
+ iniset $GLANCE_API_CONF oslo_limit username glance
+ iniset $GLANCE_API_CONF oslo_limit auth_type password
+ iniset $GLANCE_API_CONF oslo_limit auth_url $KEYSTONE_SERVICE_URI
+ iniset $GLANCE_API_CONF oslo_limit system_scope "'all'"
+ iniset $GLANCE_API_CONF oslo_limit endpoint_id \
+ $(openstack endpoint list --service glance -f value -c ID)
+
+ # Allow the glance service user to read quotas
+ openstack role add --user glance --user-domain Default --system all \
+ reader
+}
+
# configure_glance() - Set config files, create data dirs, etc
function configure_glance {
sudo install -d -o $STACK_USER $GLANCE_CONF_DIR $GLANCE_METADEF_DIR
@@ -373,6 +423,12 @@
iniset $GLANCE_API_CONF DEFAULT bind_port $GLANCE_SERVICE_PORT_INT
iniset $GLANCE_API_CONF DEFAULT workers "$API_WORKERS"
fi
+
+ if [[ "$GLANCE_ENFORCE_SCOPE" == True ]] ; then
+ iniset $GLANCE_API_CONF oslo_policy enforce_scope true
+ iniset $GLANCE_API_CONF oslo_policy enforce_new_defaults true
+ iniset $GLANCE_API_CONF DEFAULT enforce_secure_rbac true
+ fi
}
# create_glance_accounts() - Set up common required glance accounts
@@ -403,6 +459,11 @@
service_domain_id=$(get_or_create_domain $SERVICE_DOMAIN_NAME)
iniset $GLANCE_SWIFT_STORE_CONF ref1 project_domain_id $service_domain_id
iniset $GLANCE_SWIFT_STORE_CONF ref1 user_domain_id $service_domain_id
+
+ if [[ "$GLANCE_ENABLE_QUOTAS" = True ]]; then
+ configure_glance_quotas
+ fi
+
fi
}
diff --git a/lib/keystone b/lib/keystone
index 66e867c..e282db0 100644
--- a/lib/keystone
+++ b/lib/keystone
@@ -134,6 +134,12 @@
# Cache settings
KEYSTONE_ENABLE_CACHE=${KEYSTONE_ENABLE_CACHE:-True}
+# Flag to set the oslo_policy.enforce_scope. This is used to switch
+# the Identity API policies to start checking the scope of token. By Default,
+# this flag is False.
+# For more detail: https://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo_policy.enforce_scope
+KEYSTONE_ENFORCE_SCOPE=$(trueorfalse False KEYSTONE_ENFORCE_SCOPE)
+
# Functions
# ---------
@@ -281,6 +287,11 @@
iniset $KEYSTONE_CONF security_compliance lockout_duration $KEYSTONE_LOCKOUT_DURATION
iniset $KEYSTONE_CONF security_compliance unique_last_password_count $KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT
fi
+ if [[ "$KEYSTONE_ENFORCE_SCOPE" == True ]] ; then
+ iniset $KEYSTONE_CONF oslo_policy enforce_scope true
+ iniset $KEYSTONE_CONF oslo_policy enforce_new_defaults true
+ iniset $KEYSTONE_CONF oslo_policy policy_file policy.yaml
+ fi
}
# create_keystone_accounts() - Sets up common required keystone accounts
diff --git a/lib/nova_plugins/functions-libvirt b/lib/nova_plugins/functions-libvirt
index d3827c3..e9ceae4 100644
--- a/lib/nova_plugins/functions-libvirt
+++ b/lib/nova_plugins/functions-libvirt
@@ -58,13 +58,10 @@
function install_libvirt {
if is_ubuntu; then
- install_package qemu-system libvirt-clients libvirt-daemon-system libvirt-dev
+ install_package qemu-system libvirt-clients libvirt-daemon-system libvirt-dev python3-libvirt
if is_arch "aarch64"; then
install_package qemu-efi
fi
- # uninstall in case the libvirt version changed
- pip_uninstall libvirt-python
- pip_install_gr libvirt-python
#pip_install_gr <there-si-no-guestfs-in-pypi>
elif is_fedora || is_suse; then
@@ -79,14 +76,11 @@
# as the base system version is too old. We should have
# pre-installed these
install_package qemu-kvm
+ install_package libvirt libvirt-devel python3-libvirt
- install_package libvirt libvirt-devel
if is_arch "aarch64"; then
install_package edk2.git-aarch64
fi
-
- pip_uninstall libvirt-python
- pip_install_gr libvirt-python
fi
if [[ $DEBUG_LIBVIRT_COREDUMPS == True ]]; then
diff --git a/lib/tempest b/lib/tempest
index d835c68..3fa7ce0 100644
--- a/lib/tempest
+++ b/lib/tempest
@@ -107,7 +107,7 @@
# Takes an image ID parameter as input
function image_size_in_gib {
local size
- size=$(openstack image show $1 -c size -f value)
+ size=$(openstack --os-cloud devstack-admin image show $1 -c size -f value)
echo $size | python3 -c "import math; print(int(math.ceil(float(int(input()) / 1024.0 ** 3))))"
}
@@ -173,7 +173,7 @@
image_uuid_alt="$IMAGE_UUID"
fi
images+=($IMAGE_UUID)
- done < <(openstack image list --property status=active | awk -F'|' '!/^(+--)|ID|aki|ari/ { print $3,$2 }')
+ done < <(openstack --os-cloud devstack-admin image list --property status=active | awk -F'|' '!/^(+--)|ID|aki|ari/ { print $3,$2 }')
case "${#images[*]}" in
0)
@@ -209,23 +209,23 @@
local alt_username=${ALT_USERNAME:-alt_demo}
local alt_project_name=${ALT_TENANT_NAME:-alt_demo}
local admin_project_id
- admin_project_id=$(openstack project list | awk "/ admin / { print \$2 }")
+ admin_project_id=$(openstack --os-cloud devstack-admin project list | awk "/ admin / { print \$2 }")
if is_service_enabled nova; then
# If ``DEFAULT_INSTANCE_TYPE`` is not declared, use the new behavior
# Tempest creates its own instance types
- available_flavors=$(nova flavor-list)
+ available_flavors=$(openstack --os-cloud devstack-admin flavor list)
if [[ -z "$DEFAULT_INSTANCE_TYPE" ]]; then
if [[ ! ( $available_flavors =~ 'm1.nano' ) ]]; then
# Determine the flavor disk size based on the image size.
disk=$(image_size_in_gib $image_uuid)
- openstack flavor create --id 42 --ram 128 --disk $disk --vcpus 1 --property hw_rng:allowed=True m1.nano
+ openstack --os-cloud devstack-admin flavor create --id 42 --ram 128 --disk $disk --vcpus 1 --property hw_rng:allowed=True m1.nano
fi
flavor_ref=42
if [[ ! ( $available_flavors =~ 'm1.micro' ) ]]; then
# Determine the alt flavor disk size based on the alt image size.
disk=$(image_size_in_gib $image_uuid_alt)
- openstack flavor create --id 84 --ram 192 --disk $disk --vcpus 1 --property hw_rng:allowed=True m1.micro
+ openstack --os-cloud devstack-admin flavor create --id 84 --ram 192 --disk $disk --vcpus 1 --property hw_rng:allowed=True m1.micro
fi
flavor_ref_alt=84
else
@@ -251,7 +251,7 @@
fi
flavor_ref=${flavors[0]}
flavor_ref_alt=$flavor_ref
- flavor_ref_size=$(openstack flavor show --format value --column disk "${flavor_ref}")
+ flavor_ref_size=$(openstack --os-cloud devstack-admin flavor show --format value --column disk "${flavor_ref}")
# Ensure ``flavor_ref`` and ``flavor_ref_alt`` have different values.
# Some resize instance in tempest tests depends on this.
@@ -264,7 +264,7 @@
# flavor selected as default, e.g. m1.small,
# we need to perform additional check.
#
- flavor_ref_alt_size=$(openstack flavor show --format value --column disk "${f}")
+ flavor_ref_alt_size=$(openstack --os-cloud devstack-admin flavor show --format value --column disk "${f}")
if [[ "${flavor_ref_alt_size}" -lt "${flavor_ref_size}" ]]; then
continue
fi
@@ -285,10 +285,10 @@
# If NEUTRON_CREATE_INITIAL_NETWORKS is not true, there is no network created
# and the public_network_id should not be set.
if [[ "$NEUTRON_CREATE_INITIAL_NETWORKS" == "True" ]] && is_networking_extension_supported 'external-net'; then
- public_network_id=$(openstack network show -f value -c id $PUBLIC_NETWORK_NAME)
+ public_network_id=$(openstack --os-cloud devstack-admin network show -f value -c id $PUBLIC_NETWORK_NAME)
# make sure shared network presence does not confuses the tempest tests
- openstack network create --share shared
- openstack subnet create --description shared-subnet --subnet-range ${TEMPEST_SHARED_POOL:-192.168.233.0/24} --network shared shared-subnet
+ openstack --os-cloud devstack-admin network create --share shared
+ openstack --os-cloud devstack-admin subnet create --description shared-subnet --subnet-range ${TEMPEST_SHARED_POOL:-192.168.233.0/24} --network shared shared-subnet
fi
iniset $TEMPEST_CONFIG DEFAULT use_syslog $SYSLOG
@@ -419,6 +419,9 @@
iniset $TEMPEST_CONFIG compute-feature-enabled live_migrate_back_and_forth ${LIVE_MIGRATE_BACK_AND_FORTH:-False}
iniset $TEMPEST_CONFIG compute-feature-enabled attach_encrypted_volume ${ATTACH_ENCRYPTED_VOLUME_AVAILABLE:-True}
+ # Starting Wallaby, nova sanitizes instance hostnames having freeform characters with dashes
+ iniset $TEMPEST_CONFIG compute-feature-enabled hostname_fqdn_sanitization True
+
if [[ -n "$NOVA_FILTERS" ]]; then
iniset $TEMPEST_CONFIG compute-feature-enabled scheduler_enabled_filters ${NOVA_FILTERS}
fi
@@ -597,6 +600,19 @@
fi
done
+ # ``enforce_scope``
+ # If services enable the enforce_scope for their policy
+ # we need to enable the same on Tempest side so that
+ # test can be run with scoped token.
+ if [[ "$KEYSTONE_ENFORCE_SCOPE" == True ]] ; then
+ iniset $TEMPEST_CONFIG enforce_scope keystone true
+ iniset $TEMPEST_CONFIG auth admin_system 'all'
+ iniset $TEMPEST_CONFIG auth admin_project_name ''
+ fi
+ iniset $TEMPEST_CONFIG enforce_scope glance "$GLANCE_ENFORCE_SCOPE"
+
+ iniset $TEMPEST_CONFIG enforce_scope cinder "$CINDER_ENFORCE_SCOPE"
+
if [ "$VIRT_DRIVER" = "libvirt" ] && [ "$LIBVIRT_TYPE" = "lxc" ]; then
# libvirt-lxc does not support boot from volume or attaching volumes
# so basically anything with cinder is out of the question.
diff --git a/stack.sh b/stack.sh
index c439a72..e3d67f5 100755
--- a/stack.sh
+++ b/stack.sh
@@ -300,10 +300,14 @@
}
function _install_rdo {
- # NOTE(ianw) 2020-04-30 : when we have future branches, we
- # probably want to install the relevant branch RDO release as
- # well. But for now it's all master.
- sudo dnf -y install https://rdoproject.org/repos/rdo-release.el8.rpm
+ if [[ "$TARGET_BRANCH" == "master" ]]; then
+ # rdo-release.el8.rpm points to latest RDO release, use that for master
+ sudo dnf -y install https://rdoproject.org/repos/rdo-release.el8.rpm
+ else
+ # For stable branches use corresponding release rpm
+ rdo_release=$(echo $TARGET_BRANCH | sed "s|stable/||g")
+ sudo dnf -y install https://rdoproject.org/repos/openstack-${rdo_release}/rdo-release-${rdo_release}.el8.rpm
+ fi
sudo dnf -y update
}