Merge "Allow cinder default quotas configuration"
diff --git a/.zuul.yaml b/.zuul.yaml
index 8c275d8..cbcb863 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -87,6 +87,16 @@
- controller
- nodeset:
+ name: devstack-single-node-debian-bullseye
+ nodes:
+ - name: controller
+ label: debian-bullseye
+ groups:
+ - name: tempest
+ nodes:
+ - controller
+
+- nodeset:
name: openstack-two-node
nodes:
- name: controller
@@ -524,7 +534,6 @@
c-bak: true
c-sch: true
c-vol: true
- cinder: true
# Services we don't need.
# This section is not really needed, it's for readability.
horizon: false
@@ -581,6 +590,17 @@
SERVICE_HOST: ""
- job:
+ name: devstack-enforce-scope
+ parent: devstack
+ description: |
+ This job runs the devstack with scope checks enabled.
+ vars:
+ devstack_localrc:
+ # Keep enabeling the services here to run with system scope
+ CINDER_ENFORCE_SCOPE: true
+ GLANCE_ENFORCE_SCOPE: true
+
+- job:
name: devstack-multinode
parent: devstack
nodeset: openstack-two-node-focal
@@ -599,17 +619,51 @@
nodeset: devstack-single-node-centos-8-stream
voting: false
timeout: 9000
+ vars:
+ configure_swap_size: 4096
- job:
- name: devstack-async
+ name: devstack-platform-debian-bullseye
parent: tempest-full-py3
- description: Async mode enabled
+ description: Debian Bullseye platform test
+ nodeset: devstack-single-node-debian-bullseye
voting: false
+ timeout: 9000
vars:
+ # NOTE(yoctozepto): With concurrency equal 2, there is a random event
+ # that this job will run out of memory at some point.
+ tempest_concurrency: 1
+ # NOTE(yoctozepto): Debian Bullseye does not yet offer OVN. Switch to OVS
+ # for the time being.
devstack_localrc:
- DEVSTACK_PARALLEL: True
- zuul_copy_output:
- /opt/stack/async: logs
+ Q_AGENT: openvswitch
+ Q_ML2_PLUGIN_MECHANISM_DRIVERS: openvswitch
+ Q_ML2_TENANT_NETWORK_TYPE: vxlan
+ devstack_services:
+ # Disable OVN services
+ ovn-northd: false
+ ovn-controller: false
+ ovs-vswitchd: false
+ ovsdb-server: false
+ # Disable Neutron ML2/OVN services
+ q-ovn-metadata-agent: false
+ # Enable Neutron ML2/OVS services
+ q-agt: true
+ q-dhcp: true
+ q-l3: true
+ q-meta: true
+ q-metering: true
+ group-vars:
+ subnode:
+ devstack_services:
+ # Disable OVN services
+ ovn-controller: false
+ ovs-vswitchd: false
+ ovsdb-server: false
+ # Disable Neutron ML2/OVN services
+ q-ovn-metadata-agent: false
+ # Enable Neutron ML2/OVS services
+ q-agt: true
- job:
name: devstack-no-tls-proxy
@@ -711,22 +765,15 @@
jobs:
- devstack
- devstack-ipv6
+ - devstack-enforce-scope
- devstack-platform-fedora-latest
- devstack-platform-centos-8-stream
- - devstack-async
+ - devstack-platform-debian-bullseye
- devstack-multinode
- devstack-unit-tests
- openstack-tox-bashate
- - ironic-tempest-ipa-wholedisk-bios-agent_ipmitool-tinyipa:
- voting: false
- - swift-dsvm-functional:
- voting: false
- irrelevant-files: &dsvm-irrelevant-files
- - ^.*\.rst$
- - ^doc/.*$
- - swift-dsvm-functional-py3:
- voting: false
- irrelevant-files: *dsvm-irrelevant-files
+ - ironic-tempest-bios-ipmi-direct-tinyipa
+ - swift-dsvm-functional
- grenade:
irrelevant-files:
- ^.*\.rst$
@@ -765,6 +812,7 @@
jobs:
- devstack
- devstack-ipv6
+ - devstack-enforce-scope
- devstack-multinode
- devstack-unit-tests
- openstack-tox-bashate
@@ -776,6 +824,8 @@
irrelevant-files:
- ^.*\.rst$
- ^doc/.*$
+ - ironic-tempest-bios-ipmi-direct-tinyipa
+ - swift-dsvm-functional
- grenade:
irrelevant-files:
- ^.*\.rst$
diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst
index 8244525..b4fff4f 100644
--- a/doc/source/configuration.rst
+++ b/doc/source/configuration.rst
@@ -672,7 +672,6 @@
disable_service horizon
KEYSTONE_SERVICE_HOST=<KEYSTONE_IP_ADDRESS_FROM_REGION_ONE>
- KEYSTONE_AUTH_HOST=<KEYSTONE_IP_ADDRESS_FROM_REGION_ONE>
REGION_NAME=RegionTwo
KEYSTONE_REGION_NAME=RegionOne
diff --git a/doc/source/plugin-registry.rst b/doc/source/plugin-registry.rst
index 691fffa..3edd708 100644
--- a/doc/source/plugin-registry.rst
+++ b/doc/source/plugin-registry.rst
@@ -24,8 +24,6 @@
======================================== ===
Plugin Name URL
======================================== ===
-inspur/venus `https://opendev.org/inspur/venus <https://opendev.org/inspur/venus>`__
-inspur/venus-dashboard `https://opendev.org/inspur/venus-dashboard <https://opendev.org/inspur/venus-dashboard>`__
openstack/aodh `https://opendev.org/openstack/aodh <https://opendev.org/openstack/aodh>`__
openstack/barbican `https://opendev.org/openstack/barbican <https://opendev.org/openstack/barbican>`__
openstack/blazar `https://opendev.org/openstack/blazar <https://opendev.org/openstack/blazar>`__
@@ -46,7 +44,6 @@
openstack/freezer-api `https://opendev.org/openstack/freezer-api <https://opendev.org/openstack/freezer-api>`__
openstack/freezer-tempest-plugin `https://opendev.org/openstack/freezer-tempest-plugin <https://opendev.org/openstack/freezer-tempest-plugin>`__
openstack/freezer-web-ui `https://opendev.org/openstack/freezer-web-ui <https://opendev.org/openstack/freezer-web-ui>`__
-openstack/glance `https://opendev.org/openstack/glance <https://opendev.org/openstack/glance>`__
openstack/heat `https://opendev.org/openstack/heat <https://opendev.org/openstack/heat>`__
openstack/heat-dashboard `https://opendev.org/openstack/heat-dashboard <https://opendev.org/openstack/heat-dashboard>`__
openstack/ironic `https://opendev.org/openstack/ironic <https://opendev.org/openstack/ironic>`__
@@ -98,9 +95,12 @@
openstack/solum `https://opendev.org/openstack/solum <https://opendev.org/openstack/solum>`__
openstack/storlets `https://opendev.org/openstack/storlets <https://opendev.org/openstack/storlets>`__
openstack/tacker `https://opendev.org/openstack/tacker <https://opendev.org/openstack/tacker>`__
+openstack/tap-as-a-service `https://opendev.org/openstack/tap-as-a-service <https://opendev.org/openstack/tap-as-a-service>`__
openstack/telemetry-tempest-plugin `https://opendev.org/openstack/telemetry-tempest-plugin <https://opendev.org/openstack/telemetry-tempest-plugin>`__
openstack/trove `https://opendev.org/openstack/trove <https://opendev.org/openstack/trove>`__
openstack/trove-dashboard `https://opendev.org/openstack/trove-dashboard <https://opendev.org/openstack/trove-dashboard>`__
+openstack/venus `https://opendev.org/openstack/venus <https://opendev.org/openstack/venus>`__
+openstack/venus-dashboard `https://opendev.org/openstack/venus-dashboard <https://opendev.org/openstack/venus-dashboard>`__
openstack/vitrage `https://opendev.org/openstack/vitrage <https://opendev.org/openstack/vitrage>`__
openstack/vitrage-dashboard `https://opendev.org/openstack/vitrage-dashboard <https://opendev.org/openstack/vitrage-dashboard>`__
openstack/vitrage-tempest-plugin `https://opendev.org/openstack/vitrage-tempest-plugin <https://opendev.org/openstack/vitrage-tempest-plugin>`__
@@ -112,6 +112,7 @@
openstack/zun `https://opendev.org/openstack/zun <https://opendev.org/openstack/zun>`__
openstack/zun-ui `https://opendev.org/openstack/zun-ui <https://opendev.org/openstack/zun-ui>`__
performa/os-faults `https://opendev.org/performa/os-faults <https://opendev.org/performa/os-faults>`__
+skyline/skyline-apiserver `https://opendev.org/skyline/skyline-apiserver <https://opendev.org/skyline/skyline-apiserver>`__
starlingx/config `https://opendev.org/starlingx/config <https://opendev.org/starlingx/config>`__
starlingx/fault `https://opendev.org/starlingx/fault <https://opendev.org/starlingx/fault>`__
starlingx/ha `https://opendev.org/starlingx/ha <https://opendev.org/starlingx/ha>`__
@@ -179,7 +180,6 @@
x/scalpels `https://opendev.org/x/scalpels <https://opendev.org/x/scalpels>`__
x/slogging `https://opendev.org/x/slogging <https://opendev.org/x/slogging>`__
x/stackube `https://opendev.org/x/stackube <https://opendev.org/x/stackube>`__
-x/tap-as-a-service `https://opendev.org/x/tap-as-a-service <https://opendev.org/x/tap-as-a-service>`__
x/tap-as-a-service-dashboard `https://opendev.org/x/tap-as-a-service-dashboard <https://opendev.org/x/tap-as-a-service-dashboard>`__
x/tatu `https://opendev.org/x/tatu <https://opendev.org/x/tatu>`__
x/trio2o `https://opendev.org/x/trio2o <https://opendev.org/x/trio2o>`__
diff --git a/files/apache-keystone.template b/files/apache-keystone.template
index 1284360..1a353e5 100644
--- a/files/apache-keystone.template
+++ b/files/apache-keystone.template
@@ -1,5 +1,4 @@
Listen %PUBLICPORT%
-Listen %ADMINPORT%
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %D(us)" keystone_combined
<Directory %KEYSTONE_BIN%>
@@ -20,20 +19,6 @@
%SSLKEYFILE%
</VirtualHost>
-<VirtualHost *:%ADMINPORT%>
- WSGIDaemonProcess keystone-admin processes=3 threads=1 user=%USER% display-name=%{GROUP} %VIRTUALENV%
- WSGIProcessGroup keystone-admin
- WSGIScriptAlias / %KEYSTONE_BIN%/keystone-wsgi-admin
- WSGIApplicationGroup %{GLOBAL}
- WSGIPassAuthorization On
- ErrorLogFormat "%M"
- ErrorLog /var/log/%APACHE_NAME%/keystone.log
- CustomLog /var/log/%APACHE_NAME%/keystone_access.log keystone_combined
- %SSLENGINE%
- %SSLCERTFILE%
- %SSLKEYFILE%
-</VirtualHost>
-
%SSLLISTEN%<VirtualHost *:443>
%SSLLISTEN% %SSLENGINE%
%SSLLISTEN% %SSLCERTFILE%
@@ -49,13 +34,3 @@
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
</Location>
-
-Alias /identity_admin %KEYSTONE_BIN%/keystone-wsgi-admin
-<Location /identity_admin>
- SetHandler wsgi-script
- Options +ExecCGI
-
- WSGIProcessGroup keystone-admin
- WSGIApplicationGroup %{GLOBAL}
- WSGIPassAuthorization On
-</Location>
diff --git a/files/debs/general b/files/debs/general
index 7e481b4..364f3cc 100644
--- a/files/debs/general
+++ b/files/debs/general
@@ -14,7 +14,6 @@
libapache2-mod-proxy-uwsgi
libffi-dev # for pyOpenSSL
libjpeg-dev # Pillow 3.0.0
-libmysqlclient-dev # MySQL-python
libpcre3-dev # for python-pcre
libpq-dev # psycopg2
libssl-dev # for pyOpenSSL
diff --git a/files/debs/neutron-common b/files/debs/neutron-common
index e548396..f6afc5b 100644
--- a/files/debs/neutron-common
+++ b/files/debs/neutron-common
@@ -6,7 +6,6 @@
iptables
iputils-arping
iputils-ping
-libmysqlclient-dev
mysql-server #NOPRIME
postgresql-server-dev-all
python3-mysqldb
diff --git a/files/debs/nova b/files/debs/nova
index e194414..0194f00 100644
--- a/files/debs/nova
+++ b/files/debs/nova
@@ -8,7 +8,6 @@
iputils-arping
kpartx
libjs-jquery-tablesorter # Needed for coverage html reports
-libmysqlclient-dev
libvirt-clients # NOPRIME
libvirt-daemon-system # NOPRIME
libvirt-dev # NOPRIME
diff --git a/files/rpms/swift b/files/rpms/swift
index 376c6f3..18c957c 100644
--- a/files/rpms/swift
+++ b/files/rpms/swift
@@ -4,4 +4,4 @@
rsync-daemon
sqlite
xfsprogs
-xinetd
+xinetd # not:f34
diff --git a/inc/python b/inc/python
index 8941fd0..9382d35 100644
--- a/inc/python
+++ b/inc/python
@@ -378,12 +378,13 @@
project_dir=$(cd $project_dir && pwd)
if [ -n "$REQUIREMENTS_DIR" ]; then
- # Constrain this package to this project directory from here on out.
+ # Remove this package from constraints before we install it.
+ # That way, later installs won't "downgrade" the install from
+ # source we are about to do.
local name
name=$(awk '/^name.*=/ {print $3}' $project_dir/setup.cfg)
$REQUIREMENTS_DIR/.venv/bin/edit-constraints \
- $REQUIREMENTS_DIR/upper-constraints.txt -- $name \
- "$flags file://$project_dir#egg=$name"
+ $REQUIREMENTS_DIR/upper-constraints.txt -- $name
fi
setup_package $bindep $project_dir "$flags" $extras
diff --git a/lib/apache b/lib/apache
index 04259ba..4bea07d 100644
--- a/lib/apache
+++ b/lib/apache
@@ -303,7 +303,7 @@
apache_conf=$(apache_site_config_for $name)
iniset "$file" uwsgi socket "$socket"
iniset "$file" uwsgi chmod-socket 666
- echo "ProxyPass \"${url}\" \"unix:${socket}|uwsgi://uwsgi-uds-${name}/\" retry=0 " | sudo tee -a $apache_conf
+ echo "ProxyPass \"${url}\" \"unix:${socket}|uwsgi://uwsgi-uds-${name}\" retry=0 " | sudo tee -a $apache_conf
enable_apache_site $name
restart_apache_server
fi
diff --git a/lib/cinder b/lib/cinder
index 9235428..cefb609 100644
--- a/lib/cinder
+++ b/lib/cinder
@@ -98,6 +98,22 @@
fi
fi
+# When Cinder is used as a backend for Glance, it can be configured to clone
+# the volume containing image data directly in the backend instead of
+# transferring data from volume to volume. Value is a comma separated list of
+# schemes (currently only 'file' and 'cinder' are supported). The default
+# configuration in Cinder is empty (that is, do not use this feature). NOTE:
+# to use this feature you must also enable GLANCE_SHOW_DIRECT_URL and/or
+# GLANCE_SHOW_MULTIPLE_LOCATIONS for glance-api.conf.
+CINDER_ALLOWED_DIRECT_URL_SCHEMES=${CINDER_ALLOWED_DIRECT_URL_SCHEMES:-}
+if [[ -n "$CINDER_ALLOWED_DIRECT_URL_SCHEMES" ]]; then
+ if [[ "${GLANCE_SHOW_DIRECT_URL:-False}" != "True" \
+ && "${GLANCE_SHOW_MULTIPLE_LOCATIONS:-False}" != "True" ]]; then
+ warn $LINENO "CINDER_ALLOWED_DIRECT_URL_SCHEMES is set, but neither \
+GLANCE_SHOW_DIRECT_URL nor GLANCE_SHOW_MULTIPLE_LOCATIONS is True"
+ fi
+fi
+
# For backward compatibility
# Before CINDER_BACKUP_DRIVER was introduced, ceph backup driver was configured
# along with ceph backend driver.
@@ -266,6 +282,9 @@
fi
iniset $CINDER_CONF key_manager backend cinder.keymgr.conf_key_mgr.ConfKeyManager
iniset $CINDER_CONF key_manager fixed_key $(openssl rand -hex 16)
+ if [[ -n "$CINDER_ALLOWED_DIRECT_URL_SCHEMES" ]]; then
+ iniset $CINDER_CONF DEFAULT allowed_direct_url_schemes $CINDER_ALLOWED_DIRECT_URL_SCHEMES
+ fi
# set default quotas
iniset $CINDER_CONF DEFAULT quota_volumes ${CINDER_QUOTA_VOLUMES:-10}
diff --git a/lib/databases/mysql b/lib/databases/mysql
index d4969d7..d0fa119 100644
--- a/lib/databases/mysql
+++ b/lib/databases/mysql
@@ -25,6 +25,8 @@
# provide a mysql.service symlink for backwards-compatibility, but
# let's not rely on that.
MYSQL_SERVICE_NAME=mariadb
+ elif [[ "$DISTRO" == "bullseye" ]]; then
+ MYSQL_SERVICE_NAME=mariadb
fi
fi
@@ -105,7 +107,7 @@
# In mariadb e.g. on Ubuntu socket plugin is used for authentication
# as root so it works only as sudo. To restore old "mysql like" behaviour,
# we need to change auth plugin for root user
- if is_ubuntu && [ "$MYSQL_SERVICE_NAME" == "mariadb" ]; then
+ if is_ubuntu && [[ "$DISTRO" != "bullseye" ]] && [ "$MYSQL_SERVICE_NAME" == "mariadb" ]; then
sudo mysql $cmd_args -e "UPDATE mysql.user SET plugin='' WHERE user='$DATABASE_USER' AND host='localhost';"
sudo mysql $cmd_args -e "FLUSH PRIVILEGES;"
fi
diff --git a/lib/glance b/lib/glance
index cd26d97..f18bea9 100644
--- a/lib/glance
+++ b/lib/glance
@@ -51,6 +51,18 @@
if is_opensuse; then
GLANCE_STORE_ROOTWRAP_BASE_DIR=/usr/etc/glance
fi
+# When Cinder is used as a glance store, you can optionally configure cinder to
+# optimize bootable volume creation by allowing volumes to be cloned directly
+# in the backend instead of transferring data via Glance. To use this feature,
+# set CINDER_ALLOWED_DIRECT_URL_SCHEMES for cinder.conf and enable
+# GLANCE_SHOW_DIRECT_URL and/or GLANCE_SHOW_MULTIPLE_LOCATIONS for Glance. The
+# default value for both of these is False, because for some backends they
+# present a grave security risk (though not for Cinder, because all that's
+# exposed is the volume_id where the image data is stored.) See OSSN-0065 for
+# more information: https://wiki.openstack.org/wiki/OSSN/OSSN-0065
+GLANCE_SHOW_DIRECT_URL=$(trueorfalse False GLANCE_SHOW_DIRECT_URL)
+GLANCE_SHOW_MULTIPLE_LOCATIONS=$(trueorfalse False GLANCE_SHOW_MULTIPLE_LOCATIONS)
+
# Glance multi-store configuration
# Boolean flag to enable multiple store configuration for glance
GLANCE_ENABLE_MULTIPLE_STORES=$(trueorfalse False GLANCE_ENABLE_MULTIPLE_STORES)
@@ -333,6 +345,9 @@
if [ "$VIRT_DRIVER" = 'libvirt' ] && [ "$LIBVIRT_TYPE" = 'parallels' ]; then
iniset $GLANCE_API_CONF DEFAULT disk_formats "ami,ari,aki,vhd,vmdk,raw,qcow2,vdi,iso,ploop"
fi
+ # Only use these if you know what you are doing! See OSSN-0065
+ iniset $GLANCE_API_CONF DEFAULT show_image_direct_url $GLANCE_SHOW_DIRECT_URL
+ iniset $GLANCE_API_CONF DEFAULT show_multiple_locations $GLANCE_SHOW_MULTIPLE_LOCATIONS
# Configure glance_store
configure_glance_store $USE_CINDER_FOR_GLANCE $GLANCE_ENABLE_MULTIPLE_STORES
@@ -552,6 +567,11 @@
iniset $(glance_remote_conf "$GLANCE_API_CONF") os_glance_tasks_store \
filesystem_store_datadir "${remote_data}/os_glance_tasks_store"
+ # Point this worker to use different cache dir
+ mkdir -p "$remote_data/cache"
+ iniset $(glance_remote_conf "$GLANCE_API_CONF") DEFAULT \
+ image_cache_dir "${remote_data}/cache"
+
# Change our uwsgi to our new port
sed -ri "s/^(http-socket.*):[0-9]+/\1:$glance_remote_port/" \
"$glance_remote_uwsgi"
diff --git a/lib/keystone b/lib/keystone
index e282db0..0609abd 100644
--- a/lib/keystone
+++ b/lib/keystone
@@ -50,9 +50,7 @@
KEYSTONE_CONF_DIR=${KEYSTONE_CONF_DIR:-/etc/keystone}
KEYSTONE_CONF=$KEYSTONE_CONF_DIR/keystone.conf
KEYSTONE_PUBLIC_UWSGI_CONF=$KEYSTONE_CONF_DIR/keystone-uwsgi-public.ini
-KEYSTONE_ADMIN_UWSGI_CONF=$KEYSTONE_CONF_DIR/keystone-uwsgi-admin.ini
KEYSTONE_PUBLIC_UWSGI=$KEYSTONE_BIN_DIR/keystone-wsgi-public
-KEYSTONE_ADMIN_UWSGI=$KEYSTONE_BIN_DIR/keystone-wsgi-admin
# KEYSTONE_DEPLOY defines how keystone is deployed, allowed values:
# - mod_wsgi : Run keystone under Apache HTTPd mod_wsgi
@@ -81,21 +79,12 @@
KEYSTONE_TOKEN_FORMAT=${KEYSTONE_TOKEN_FORMAT:-fernet}
KEYSTONE_TOKEN_FORMAT=$(echo ${KEYSTONE_TOKEN_FORMAT} | tr '[:upper:]' '[:lower:]')
-# Set Keystone interface configuration
-KEYSTONE_AUTH_HOST=${KEYSTONE_AUTH_HOST:-$SERVICE_HOST}
-KEYSTONE_AUTH_PORT=${KEYSTONE_AUTH_PORT:-35357}
-KEYSTONE_AUTH_PORT_INT=${KEYSTONE_AUTH_PORT_INT:-35358}
-KEYSTONE_AUTH_PROTOCOL=${KEYSTONE_AUTH_PROTOCOL:-$SERVICE_PROTOCOL}
-
# Public facing bits
KEYSTONE_SERVICE_HOST=${KEYSTONE_SERVICE_HOST:-$SERVICE_HOST}
KEYSTONE_SERVICE_PORT=${KEYSTONE_SERVICE_PORT:-5000}
KEYSTONE_SERVICE_PORT_INT=${KEYSTONE_SERVICE_PORT_INT:-5001}
KEYSTONE_SERVICE_PROTOCOL=${KEYSTONE_SERVICE_PROTOCOL:-$SERVICE_PROTOCOL}
-# Bind hosts
-KEYSTONE_ADMIN_BIND_HOST=${KEYSTONE_ADMIN_BIND_HOST:-$KEYSTONE_SERVICE_HOST}
-
# Set the project for service accounts in Keystone
SERVICE_DOMAIN_NAME=${SERVICE_DOMAIN_NAME:-Default}
SERVICE_PROJECT_NAME=${SERVICE_PROJECT_NAME:-service}
@@ -106,7 +95,6 @@
# if we are running with SSL use https protocols
if is_service_enabled tls-proxy; then
- KEYSTONE_AUTH_PROTOCOL="https"
KEYSTONE_SERVICE_PROTOCOL="https"
fi
@@ -134,11 +122,8 @@
# Cache settings
KEYSTONE_ENABLE_CACHE=${KEYSTONE_ENABLE_CACHE:-True}
-# Flag to set the oslo_policy.enforce_scope. This is used to switch
-# the Identity API policies to start checking the scope of token. By Default,
-# this flag is False.
-# For more detail: https://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo_policy.enforce_scope
-KEYSTONE_ENFORCE_SCOPE=$(trueorfalse False KEYSTONE_ENFORCE_SCOPE)
+# Whether to create a keystone admin endpoint for legacy applications
+KEYSTONE_ADMIN_ENDPOINT=$(trueorfalse False KEYSTONE_ADMIN_ENDPOINT)
# Functions
# ---------
@@ -160,11 +145,8 @@
sudo rm -f $(apache_site_config_for keystone)
else
stop_process "keystone"
- # TODO: remove admin at pike-2
remove_uwsgi_config "$KEYSTONE_PUBLIC_UWSGI_CONF" "$KEYSTONE_PUBLIC_UWSGI"
- remove_uwsgi_config "$KEYSTONE_ADMIN_UWSGI_CONF" "$KEYSTONE_ADMIN_UWSGI"
sudo rm -f $(apache_site_config_for keystone-wsgi-public)
- sudo rm -f $(apache_site_config_for keystone-wsgi-admin)
fi
}
@@ -177,12 +159,10 @@
local keystone_certfile=""
local keystone_keyfile=""
local keystone_service_port=$KEYSTONE_SERVICE_PORT
- local keystone_auth_port=$KEYSTONE_AUTH_PORT
local venv_path=""
if is_service_enabled tls-proxy; then
keystone_service_port=$KEYSTONE_SERVICE_PORT_INT
- keystone_auth_port=$KEYSTONE_AUTH_PORT_INT
fi
if [[ ${USE_VENV} = True ]]; then
venv_path="python-path=${PROJECT_VENV["keystone"]}/lib/$(python_version)/site-packages"
@@ -191,7 +171,6 @@
sudo cp $FILES/apache-keystone.template $keystone_apache_conf
sudo sed -e "
s|%PUBLICPORT%|$keystone_service_port|g;
- s|%ADMINPORT%|$keystone_auth_port|g;
s|%APACHE_NAME%|$APACHE_NAME|g;
s|%SSLLISTEN%|$keystone_ssl_listen|g;
s|%SSLENGINE%|$keystone_ssl|g;
@@ -229,12 +208,10 @@
iniset_rpc_backend keystone $KEYSTONE_CONF oslo_messaging_notifications
local service_port=$KEYSTONE_SERVICE_PORT
- local auth_port=$KEYSTONE_AUTH_PORT
if is_service_enabled tls-proxy; then
# Set the service ports for a proxy to take the originals
service_port=$KEYSTONE_SERVICE_PORT_INT
- auth_port=$KEYSTONE_AUTH_PORT_INT
fi
# Override the endpoints advertised by keystone (the public_endpoint and
@@ -244,7 +221,7 @@
# don't want the port (in the case of putting keystone on a path in
# apache).
iniset $KEYSTONE_CONF DEFAULT public_endpoint $KEYSTONE_SERVICE_URI
- iniset $KEYSTONE_CONF DEFAULT admin_endpoint $KEYSTONE_AUTH_URI
+ iniset $KEYSTONE_CONF DEFAULT admin_endpoint $KEYSTONE_SERVICE_URI
if [[ "$KEYSTONE_TOKEN_FORMAT" != "" ]]; then
iniset $KEYSTONE_CONF token provider $KEYSTONE_TOKEN_FORMAT
@@ -267,7 +244,6 @@
_config_keystone_apache_wsgi
else # uwsgi
write_uwsgi_config "$KEYSTONE_PUBLIC_UWSGI_CONF" "$KEYSTONE_PUBLIC_UWSGI" "/identity"
- write_uwsgi_config "$KEYSTONE_ADMIN_UWSGI_CONF" "$KEYSTONE_ADMIN_UWSGI" "/identity_admin"
fi
iniset $KEYSTONE_CONF DEFAULT max_token_size 16384
@@ -287,11 +263,6 @@
iniset $KEYSTONE_CONF security_compliance lockout_duration $KEYSTONE_LOCKOUT_DURATION
iniset $KEYSTONE_CONF security_compliance unique_last_password_count $KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT
fi
- if [[ "$KEYSTONE_ENFORCE_SCOPE" == True ]] ; then
- iniset $KEYSTONE_CONF oslo_policy enforce_scope true
- iniset $KEYSTONE_CONF oslo_policy enforce_new_defaults true
- iniset $KEYSTONE_CONF oslo_policy policy_file policy.yaml
- fi
}
# create_keystone_accounts() - Sets up common required keystone accounts
@@ -529,7 +500,7 @@
function start_keystone {
# Get right service port for testing
local service_port=$KEYSTONE_SERVICE_PORT
- local auth_protocol=$KEYSTONE_AUTH_PROTOCOL
+ local auth_protocol=$KEYSTONE_SERVICE_PROTOCOL
if is_service_enabled tls-proxy; then
service_port=$KEYSTONE_SERVICE_PORT_INT
auth_protocol="http"
@@ -557,7 +528,6 @@
# Start proxies if enabled
if is_service_enabled tls-proxy; then
start_tls_proxy keystone-service '*' $KEYSTONE_SERVICE_PORT $KEYSTONE_SERVICE_HOST $KEYSTONE_SERVICE_PORT_INT
- start_tls_proxy keystone-auth '*' $KEYSTONE_AUTH_PORT $KEYSTONE_AUTH_HOST $KEYSTONE_AUTH_PORT_INT
fi
# (re)start memcached to make sure we have a clean memcache.
@@ -580,9 +550,7 @@
# - ``ADMIN_PASSWORD``
# - ``IDENTITY_API_VERSION``
# - ``REGION_NAME``
-# - ``KEYSTONE_SERVICE_PROTOCOL``
-# - ``KEYSTONE_SERVICE_HOST``
-# - ``KEYSTONE_SERVICE_PORT``
+# - ``KEYSTONE_SERVICE_URI``
function bootstrap_keystone {
$KEYSTONE_BIN_DIR/keystone-manage bootstrap \
--bootstrap-username admin \
@@ -591,8 +559,16 @@
--bootstrap-role-name admin \
--bootstrap-service-name keystone \
--bootstrap-region-id "$REGION_NAME" \
- --bootstrap-admin-url "$KEYSTONE_AUTH_URI" \
--bootstrap-public-url "$KEYSTONE_SERVICE_URI"
+ if [ "$KEYSTONE_ADMIN_ENDPOINT" == "True" ]; then
+ openstack endpoint create --region "$REGION_NAME" \
+ --os-username admin \
+ --os-user-domain-id default \
+ --os-password "$ADMIN_PASSWORD" \
+ --os-project-name admin \
+ --os-project-domain-id default \
+ keystone admin "$KEYSTONE_SERVICE_URI"
+ fi
}
# create_ldap_domain() - Create domain file and initialize domain with a user
diff --git a/lib/libraries b/lib/libraries
old mode 100644
new mode 100755
index c7aa815..67ff21f
--- a/lib/libraries
+++ b/lib/libraries
@@ -59,6 +59,7 @@
# Non oslo libraries are welcomed below as well, this prevents
# duplication of this code.
GITDIR["os-brick"]=$DEST/os-brick
+GITDIR["os-resource-classes"]=$DEST/os-resource-classes
GITDIR["os-traits"]=$DEST/os-traits
# Support entry points installation of console scripts
@@ -122,6 +123,7 @@
#
# os-traits for nova
_install_lib_from_source "os-brick"
+ _install_lib_from_source "os-resource-classes"
_install_lib_from_source "os-traits"
#
# python client libraries we might need from git can go here
diff --git a/lib/neutron-legacy b/lib/neutron-legacy
index 791ff18..7b20a96 100644
--- a/lib/neutron-legacy
+++ b/lib/neutron-legacy
@@ -275,6 +275,10 @@
# L3 Service functions
source $TOP_DIR/lib/neutron_plugins/services/l3
+
+# Additional Neutron service plugins
+source $TOP_DIR/lib/neutron_plugins/services/trunk
+
# Use security group or not
if has_neutron_plugin_security_group; then
Q_USE_SECGROUP=${Q_USE_SECGROUP:-True}
@@ -369,6 +373,11 @@
configure_ovn_plugin
fi
+ # Configure Neutron's advanced services
+ if is_service_enabled q-trunk neutron-trunk; then
+ configure_trunk_extension
+ fi
+
iniset $NEUTRON_CONF DEFAULT api_workers "$API_WORKERS"
# devstack is not a tool for running uber scale OpenStack
# clouds, therefore running without a dedicated RPC worker
@@ -663,6 +672,27 @@
fi
}
+# _configure_public_network_connectivity() - Configures connectivity to the
+# external network using $PUBLIC_INTERFACE or NAT on the single interface
+# machines
+function _configure_public_network_connectivity {
+ # If we've given a PUBLIC_INTERFACE to take over, then we assume
+ # that we can own the whole thing, and privot it into the OVS
+ # bridge. If we are not, we're probably on a single interface
+ # machine, and we just setup NAT so that fixed guests can get out.
+ if [[ -n "$PUBLIC_INTERFACE" ]]; then
+ _move_neutron_addresses_route "$PUBLIC_INTERFACE" "$OVS_PHYSICAL_BRIDGE" True False "inet"
+
+ if [[ $(ip -f inet6 a s dev "$PUBLIC_INTERFACE" | grep -c 'global') != 0 ]]; then
+ _move_neutron_addresses_route "$PUBLIC_INTERFACE" "$OVS_PHYSICAL_BRIDGE" False False "inet6"
+ fi
+ else
+ for d in $default_v4_route_devs; do
+ sudo iptables -t nat -A POSTROUTING -o $d -s $FLOATING_RANGE -j MASQUERADE
+ done
+ fi
+}
+
# cleanup_mutnauq() - Remove residual data files, anything left over from previous
# runs that a clean run would need to clean up
function cleanup_mutnauq {
diff --git a/lib/neutron_plugins/ovn_agent b/lib/neutron_plugins/ovn_agent
index cfcb01e..1f737fb 100644
--- a/lib/neutron_plugins/ovn_agent
+++ b/lib/neutron_plugins/ovn_agent
@@ -266,6 +266,7 @@
# Create the public bridge that OVN will use
sudo ovs-vsctl --may-exist add-br $PUBLIC_BRIDGE -- set bridge $PUBLIC_BRIDGE protocols=OpenFlow13,OpenFlow15
sudo ovs-vsctl set open . external-ids:ovn-bridge-mappings=$PHYSICAL_NETWORK:$PUBLIC_BRIDGE
+ _configure_public_network_connectivity
}
function _disable_libvirt_apparmor {
diff --git a/lib/neutron_plugins/ovs_source b/lib/neutron_plugins/ovs_source
index 294171f..08951d1 100644
--- a/lib/neutron_plugins/ovs_source
+++ b/lib/neutron_plugins/ovs_source
@@ -211,5 +211,5 @@
# load_conntrack_gre_module() - loads nf_conntrack_proto_gre kernel module
function load_conntrack_gre_module {
- sudo modprobe nf_conntrack_proto_gre
+ load_module nf_conntrack_proto_gre False
}
diff --git a/lib/neutron_plugins/services/l3 b/lib/neutron_plugins/services/l3
index b6bc028..98b96ac 100644
--- a/lib/neutron_plugins/services/l3
+++ b/lib/neutron_plugins/services/l3
@@ -123,21 +123,7 @@
neutron_plugin_configure_l3_agent $Q_L3_CONF_FILE
- # If we've given a PUBLIC_INTERFACE to take over, then we assume
- # that we can own the whole thing, and privot it into the OVS
- # bridge. If we are not, we're probably on a single interface
- # machine, and we just setup NAT so that fixed guests can get out.
- if [[ -n "$PUBLIC_INTERFACE" ]]; then
- _move_neutron_addresses_route "$PUBLIC_INTERFACE" "$OVS_PHYSICAL_BRIDGE" True False "inet"
-
- if [[ $(ip -f inet6 a s dev "$PUBLIC_INTERFACE" | grep -c 'global') != 0 ]]; then
- _move_neutron_addresses_route "$PUBLIC_INTERFACE" "$OVS_PHYSICAL_BRIDGE" False False "inet6"
- fi
- else
- for d in $default_v4_route_devs; do
- sudo iptables -t nat -A POSTROUTING -o $d -s $FLOATING_RANGE -j MASQUERADE
- done
- fi
+ _configure_public_network_connectivity
}
# Explicitly set router id in l3 agent configuration
diff --git a/lib/neutron_plugins/services/trunk b/lib/neutron_plugins/services/trunk
new file mode 100644
index 0000000..8e0f694
--- /dev/null
+++ b/lib/neutron_plugins/services/trunk
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+function configure_trunk_extension {
+ neutron_service_plugin_class_add "trunk"
+}
diff --git a/lib/nova b/lib/nova
index 930529a..9aae2c4 100644
--- a/lib/nova
+++ b/lib/nova
@@ -260,7 +260,8 @@
if [ ! -e /dev/kvm ]; then
echo "WARNING: Switching to QEMU"
LIBVIRT_TYPE=qemu
- LIBVIRT_CPU_MODE=none
+ LIBVIRT_CPU_MODE=custom
+ LIBVIRT_CPU_MODEL=Nehalem
if which selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
# https://bugzilla.redhat.com/show_bug.cgi?id=753589
sudo setsebool virt_use_execmem on
@@ -298,11 +299,8 @@
fi
fi
- if is_fedora && [[ $DISTRO =~ f31] ]]; then
- # For f31 use the rebased 2.1.0 version of the package.
- sudo dnf copr enable -y lyarwood/iscsi-initiator-utils
- sudo dnf update -y
- fi
+ # Ensure each compute host uses a unique iSCSI initiator
+ echo InitiatorName=$(iscsi-iname) | sudo tee /etc/iscsi/initiatorname.iscsi
if [[ ${ISCSID_DEBUG} == "True" ]]; then
# Install an override that starts iscsid with debugging
@@ -932,6 +930,11 @@
iniset $NOVA_CPU_CONF os_vif_ovs ovsdb_connection "tcp:$OVSDB_SERVER_LOCAL_HOST:6640"
fi
+ # Workaround bug #1939108
+ if [[ "$VIRT_DRIVER" == "libvirt" && "$LIBVIRT_TYPE" == "qemu" ]]; then
+ iniset $NOVA_CPU_CONF workarounds libvirt_disable_apic True
+ fi
+
if [[ "$VIRT_DRIVER" = 'libvirt' ]]; then
# The group **$LIBVIRT_GROUP** is added to the current user in this script.
# ``sg`` is used in run_process to execute nova-compute as a member of the
diff --git a/lib/nova_plugins/functions-libvirt b/lib/nova_plugins/functions-libvirt
index e9ceae4..63882e0 100644
--- a/lib/nova_plugins/functions-libvirt
+++ b/lib/nova_plugins/functions-libvirt
@@ -56,6 +56,17 @@
# Installs required distro-specific libvirt packages.
function install_libvirt {
+ # NOTE(yoctozepto): The common consensus [1] is that libvirt-python should
+ # be installed from distro packages. However, various projects might be
+ # trying to ensure it is installed using pip AND use upper-constraints
+ # with that, causing pip to try to upgrade it and to fail.
+ # The following line removes libvirt-python from upper-constraints and
+ # avoids the situation described above. Now only if installed packages
+ # explicitly depend on a newer (or, in general, incompatible) libvirt-python
+ # version, will pip try to reinstall it.
+ # [1] https://review.opendev.org/c/openstack/devstack/+/798514
+ $REQUIREMENTS_DIR/.venv/bin/edit-constraints \
+ $REQUIREMENTS_DIR/upper-constraints.txt -- libvirt-python
if is_ubuntu; then
install_package qemu-system libvirt-clients libvirt-daemon-system libvirt-dev python3-libvirt
diff --git a/lib/nova_plugins/hypervisor-libvirt b/lib/nova_plugins/hypervisor-libvirt
index 321775d..c1cd132 100644
--- a/lib/nova_plugins/hypervisor-libvirt
+++ b/lib/nova_plugins/hypervisor-libvirt
@@ -40,6 +40,9 @@
configure_libvirt
iniset $NOVA_CONF libvirt virt_type "$LIBVIRT_TYPE"
iniset $NOVA_CONF libvirt cpu_mode "$LIBVIRT_CPU_MODE"
+ if [ "$LIBVIRT_CPU_MODE" == "custom" ] ; then
+ iniset $NOVA_CONF libvirt cpu_model "$LIBVIRT_CPU_MODEL"
+ fi
# Do not enable USB tablet input devices to avoid QEMU CPU overhead.
iniset $NOVA_CONF DEFAULT pointer_model "ps2mouse"
iniset $NOVA_CONF libvirt live_migration_uri "qemu+ssh://$STACK_USER@%s/system"
diff --git a/lib/swift b/lib/swift
index 790fb99..b376993 100644
--- a/lib/swift
+++ b/lib/swift
@@ -335,7 +335,6 @@
local node_number
local swift_node_config
local swift_log_dir
- local user_group
# Make sure to kill all swift processes first
$SWIFT_BIN_DIR/swift-init --run-dir=${SWIFT_DATA_DIR}/run all stop || true
@@ -353,7 +352,7 @@
# partitions (which make more sense when you have a multi-node
# setup) we configure it with our version of rsync.
sed -e "
- s/%GROUP%/${USER_GROUP}/;
+ s/%GROUP%/$(id -g -n ${STACK_USER})/;
s/%USER%/${STACK_USER}/;
s,%SWIFT_DATA_DIR%,$SWIFT_DATA_DIR,;
" $FILES/swift/rsyncd.conf | sudo tee /etc/rsyncd.conf
@@ -431,7 +430,7 @@
swift_pipeline+=" authtoken"
if is_service_enabled s3api;then
swift_pipeline+=" s3token"
- iniset ${SWIFT_CONFIG_PROXY_SERVER} filter:s3token auth_uri ${KEYSTONE_AUTH_URI_V3}
+ iniset ${SWIFT_CONFIG_PROXY_SERVER} filter:s3token auth_uri ${KEYSTONE_SERVICE_URI_V3}
iniset ${SWIFT_CONFIG_PROXY_SERVER} filter:s3token delay_auth_decision true
fi
swift_pipeline+=" keystoneauth"
@@ -522,7 +521,7 @@
local auth_vers
auth_vers=$(iniget ${testfile} func_test auth_version)
iniset ${testfile} func_test auth_host ${KEYSTONE_SERVICE_HOST}
- if [[ "$KEYSTONE_AUTH_PROTOCOL" == "https" ]]; then
+ if [[ "$KEYSTONE_SERVICE_PROTOCOL" == "https" ]]; then
iniset ${testfile} func_test auth_port 443
else
iniset ${testfile} func_test auth_port 80
diff --git a/lib/tempest b/lib/tempest
index 3fa7ce0..8fd54c5 100644
--- a/lib/tempest
+++ b/lib/tempest
@@ -600,15 +600,6 @@
fi
done
- # ``enforce_scope``
- # If services enable the enforce_scope for their policy
- # we need to enable the same on Tempest side so that
- # test can be run with scoped token.
- if [[ "$KEYSTONE_ENFORCE_SCOPE" == True ]] ; then
- iniset $TEMPEST_CONFIG enforce_scope keystone true
- iniset $TEMPEST_CONFIG auth admin_system 'all'
- iniset $TEMPEST_CONFIG auth admin_project_name ''
- fi
iniset $TEMPEST_CONFIG enforce_scope glance "$GLANCE_ENFORCE_SCOPE"
iniset $TEMPEST_CONFIG enforce_scope cinder "$CINDER_ENFORCE_SCOPE"
@@ -718,9 +709,6 @@
set_tempest_venv_constraints $tmp_u_c_m
tox -r --notest -efull
- # TODO: remove the trailing pip constraint when a proper fix
- # arrives for bug https://bugs.launchpad.net/devstack/+bug/1906322
- $TEMPEST_DIR/.tox/tempest/bin/pip install -U -r $RC_DIR/tools/cap-pip.txt
# NOTE(mtreinish) Respect constraints in the tempest full venv, things that
# are using a tox job other than full will not be respecting constraints but
# running pip install -U on tempest requirements
diff --git a/stack.sh b/stack.sh
index c439a72..b5ad81b 100755
--- a/stack.sh
+++ b/stack.sh
@@ -227,7 +227,7 @@
# Warn users who aren't on an explicitly supported distro, but allow them to
# override check and attempt installation with ``FORCE=yes ./stack``
-SUPPORTED_DISTROS="focal|f31|f32|opensuse-15.2|opensuse-tumbleweed|rhel8"
+SUPPORTED_DISTROS="bullseye|focal|f34|opensuse-15.2|opensuse-tumbleweed|rhel8"
if [[ ! ${DISTRO} =~ $SUPPORTED_DISTROS ]]; then
echo "WARNING: this script has not been tested on $DISTRO"
@@ -300,10 +300,14 @@
}
function _install_rdo {
- # NOTE(ianw) 2020-04-30 : when we have future branches, we
- # probably want to install the relevant branch RDO release as
- # well. But for now it's all master.
- sudo dnf -y install https://rdoproject.org/repos/rdo-release.el8.rpm
+ if [[ "$TARGET_BRANCH" == "master" ]]; then
+ # rdo-release.el8.rpm points to latest RDO release, use that for master
+ sudo dnf -y install https://rdoproject.org/repos/rdo-release.el8.rpm
+ else
+ # For stable branches use corresponding release rpm
+ rdo_release=$(echo $TARGET_BRANCH | sed "s|stable/||g")
+ sudo dnf -y install https://rdoproject.org/repos/openstack-${rdo_release}/rdo-release-${rdo_release}.el8.rpm
+ fi
sudo dnf -y update
}
@@ -752,7 +756,19 @@
echo_summary "Installing package prerequisites"
source $TOP_DIR/tools/install_prereqs.sh
-# Configure an appropriate Python environment
+# Configure an appropriate Python environment.
+#
+# NOTE(ianw) 2021-08-11 : We install the latest pip here because pip
+# is very active and changes are not generally reflected in the LTS
+# distros. This often involves important things like dependency or
+# conflict resolution, and has often been required because the
+# complicated constraints etc. used by openstack have tickled bugs in
+# distro versions of pip. We want to find these problems as they
+# happen, rather than years later when we try to update our LTS
+# distro. Whilst it is clear that global installations of upstream
+# pip are less and less common, with virtualenv's being the general
+# approach now; there are a lot of devstack plugins that assume a
+# global install environment.
if [[ "$OFFLINE" != "True" ]]; then
PYPI_ALTERNATIVE_URL=${PYPI_ALTERNATIVE_URL:-""} $TOP_DIR/tools/install_pip.sh
fi
@@ -860,7 +876,7 @@
install_keystonemiddleware
if is_service_enabled keystone; then
- if [ "$KEYSTONE_AUTH_HOST" == "$SERVICE_HOST" ]; then
+ if [ "$KEYSTONE_SERVICE_HOST" == "$SERVICE_HOST" ]; then
stack_install_service keystone
configure_keystone
fi
@@ -1074,10 +1090,13 @@
source $TOP_DIR/userrc_early
+# Write a clouds.yaml file
+write_clouds_yaml
+
if is_service_enabled keystone; then
echo_summary "Starting Keystone"
- if [ "$KEYSTONE_AUTH_HOST" == "$SERVICE_HOST" ]; then
+ if [ "$KEYSTONE_SERVICE_HOST" == "$SERVICE_HOST" ]; then
init_keystone
start_keystone
bootstrap_keystone
@@ -1102,9 +1121,6 @@
fi
-# Write a clouds.yaml file
-write_clouds_yaml
-
# Horizon
# -------
diff --git a/stackrc b/stackrc
old mode 100644
new mode 100755
index 0501659..ebe472c
--- a/stackrc
+++ b/stackrc
@@ -247,7 +247,7 @@
# Setting the variable to 'ALL' will activate the download for all
# libraries.
-DEVSTACK_SERIES="xena"
+DEVSTACK_SERIES="yoga"
##############
#
@@ -548,6 +548,10 @@
GITBRANCH["neutron-lib"]=${NEUTRON_LIB_BRANCH:-$TARGET_BRANCH}
GITDIR["neutron-lib"]=$DEST/neutron-lib
+# os-resource-classes library containing a list of standardized resource classes for OpenStack
+GITREPO["os-resource-classes"]=${OS_RESOURCE_CLASSES_REPO:-${GIT_BASE}/openstack/os-resource-classes.git}
+GITBRANCH["os-resource-classes"]=${OS_RESOURCE_CLASSES_BRANCH:-$TARGET_BRANCH}
+
# os-traits library for resource provider traits in the placement service
GITREPO["os-traits"]=${OS_TRAITS_REPO:-${GIT_BASE}/openstack/os-traits.git}
GITBRANCH["os-traits"]=${OS_TRAITS_BRANCH:-$TARGET_BRANCH}
@@ -619,7 +623,8 @@
case "$VIRT_DRIVER" in
ironic|libvirt)
LIBVIRT_TYPE=${LIBVIRT_TYPE:-kvm}
- LIBVIRT_CPU_MODE=${LIBVIRT_CPU_MODE:-none}
+ LIBVIRT_CPU_MODE=${LIBVIRT_CPU_MODE:-custom}
+ LIBVIRT_CPU_MODEL=${LIBVIRT_CPU_MODEL:-Nehalem}
if [[ "$os_VENDOR" =~ (Debian|Ubuntu) ]]; then
# The groups change with newer libvirt. Older Ubuntu used
# 'libvirtd', but now uses libvirt like Debian. Do a quick check
diff --git a/tests/test_libs_from_pypi.sh b/tests/test_libs_from_pypi.sh
index 5b53389..ce1b344 100755
--- a/tests/test_libs_from_pypi.sh
+++ b/tests/test_libs_from_pypi.sh
@@ -44,7 +44,7 @@
ALL_LIBS+=" oslo.cache oslo.reports osprofiler cursive"
ALL_LIBS+=" keystoneauth ironic-lib neutron-lib oslo.privsep"
ALL_LIBS+=" diskimage-builder os-vif python-brick-cinderclient-ext"
-ALL_LIBS+=" castellan python-barbicanclient ovsdbapp os-ken"
+ALL_LIBS+=" castellan python-barbicanclient ovsdbapp os-ken os-resource-classes"
# Generate the above list with
# echo ${!GITREPO[@]}
diff --git a/tools/cap-pip.txt b/tools/cap-pip.txt
deleted file mode 100644
index 8ee551b..0000000
--- a/tools/cap-pip.txt
+++ /dev/null
@@ -1 +0,0 @@
-pip<20.3
diff --git a/tools/fixup_stuff.sh b/tools/fixup_stuff.sh
index 1921943..fe5dafa 100755
--- a/tools/fixup_stuff.sh
+++ b/tools/fixup_stuff.sh
@@ -26,39 +26,6 @@
FILES=$TOP_DIR/files
fi
-# Keystone Port Reservation
-# -------------------------
-# Reserve and prevent ``KEYSTONE_AUTH_PORT`` and ``KEYSTONE_AUTH_PORT_INT`` from
-# being used as ephemeral ports by the system. The default(s) are 35357 and
-# 35358 which are in the Linux defined ephemeral port range (in disagreement
-# with the IANA ephemeral port range). This is a workaround for bug #1253482
-# where Keystone will try and bind to the port and the port will already be
-# in use as an ephemeral port by another process. This places an explicit
-# exception into the Kernel for the Keystone AUTH ports.
-function fixup_keystone {
- keystone_ports=${KEYSTONE_AUTH_PORT:-35357},${KEYSTONE_AUTH_PORT_INT:-35358}
-
- # Only do the reserved ports when available, on some system (like containers)
- # where it's not exposed we are almost pretty sure these ports would be
- # exclusive for our DevStack.
- if sysctl net.ipv4.ip_local_reserved_ports >/dev/null 2>&1; then
- # Get any currently reserved ports, strip off leading whitespace
- reserved_ports=$(sysctl net.ipv4.ip_local_reserved_ports | awk -F'=' '{print $2;}' | sed 's/^ //')
-
- if [[ -z "${reserved_ports}" ]]; then
- # If there are no currently reserved ports, reserve the keystone ports
- sudo sysctl -w net.ipv4.ip_local_reserved_ports=${keystone_ports}
- else
- # If there are currently reserved ports, keep those and also reserve the
- # Keystone specific ports. Duplicate reservations are merged into a single
- # reservation (or range) automatically by the kernel.
- sudo sysctl -w net.ipv4.ip_local_reserved_ports=${keystone_ports},${reserved_ports}
- fi
- else
- echo_summary "WARNING: unable to reserve keystone ports"
- fi
-}
-
# Python Packages
# ---------------
@@ -106,6 +73,16 @@
# overwriting works. So this hacks around those packages that
# have been dragged in by some other system dependency
sudo rm -rf /usr/lib64/python3*/site-packages/PyYAML-*.egg-info
+
+ # After updating setuptools based on the requirements, the files from the
+ # python3-setuptools RPM are deleted, it breaks some tools such as semanage
+ # (used in diskimage-builder) that use the -s flag of the python
+ # interpreter, enforcing the use of the packages from /usr/lib.
+ # Importing setuptools/pkg_resources in a such environment fails.
+ # Enforce the package re-installation to fix those applications.
+ if is_package_installed python3-setuptools; then
+ sudo dnf reinstall -y python3-setuptools
+ fi
}
function fixup_suse {
@@ -155,8 +132,24 @@
yum_install centos-release-openstack-victoria
}
+function fixup_ubuntu {
+ if ! is_ubuntu; then
+ return
+ fi
+
+ # Since pip10, pip will refuse to uninstall files from packages
+ # that were created with distutils (rather than more modern
+ # setuptools). This is because it technically doesn't have a
+ # manifest of what to remove. However, in most cases, simply
+ # overwriting works. So this hacks around those packages that
+ # have been dragged in by some other system dependency
+ sudo rm -rf /usr/lib/python3/dist-packages/PyYAML-*.egg-info
+ sudo rm -rf /usr/lib/python3/dist-packages/pyasn1_modules-*.egg-info
+ sudo rm -rf /usr/lib/python3/dist-packages/simplejson-*.egg-info
+}
+
function fixup_all {
- fixup_keystone
+ fixup_ubuntu
fixup_fedora
fixup_suse
}
diff --git a/tools/install_pip.sh b/tools/install_pip.sh
index 9afd2e5..c72dc89 100755
--- a/tools/install_pip.sh
+++ b/tools/install_pip.sh
@@ -46,15 +46,13 @@
function get_versions {
# FIXME(dhellmann): Deal with multiple python versions here? This
# is just used for reporting, so maybe not?
- PIP=$(which pip 2>/dev/null || which pip-python 2>/dev/null || true)
+ PIP=$(which pip 2>/dev/null || which pip-python 2>/dev/null || which pip3 2>/dev/null || true)
if [[ -n $PIP ]]; then
PIP_VERSION=$($PIP --version | awk '{ print $2}')
echo "pip: $PIP_VERSION"
else
echo "pip: Not Installed"
fi
- # Show python3 module version
- python${PYTHON3_VERSION} -m pip --version
}
@@ -91,9 +89,7 @@
die $LINENO "Download of get-pip.py failed"
touch $LOCAL_PIP.downloaded
fi
- # TODO: remove the trailing pip constraint when a proper fix
- # arrives for bug https://bugs.launchpad.net/devstack/+bug/1906322
- sudo -H -E python${PYTHON3_VERSION} $LOCAL_PIP -c $TOOLS_DIR/cap-pip.txt
+ sudo -H -E python${PYTHON3_VERSION} $LOCAL_PIP
}
@@ -115,14 +111,6 @@
}
-# Setuptools 8 implements PEP 440, and 8.0.4 adds a warning triggered any time
-# pkg_resources inspects the list of installed Python packages if there are
-# non-compliant version numbers in the egg-info (for example, from distro
-# system packaged Python libraries). This is off by default after 8.2 but can
-# be enabled by uncommenting the lines below.
-#PYTHONWARNINGS=$PYTHONWARNINGS,always::RuntimeWarning:pkg_resources
-#export PYTHONWARNINGS
-
# Show starting versions
get_versions
@@ -130,24 +118,21 @@
configure_pypi_alternative_url
fi
-# Just use system pkgs on Focal
-if [[ "$DISTRO" == focal ]]; then
- exit 0
+if is_fedora && [[ ${DISTRO} == f* ]]; then
+ # get-pip.py will not install over the python3-pip package in
+ # Fedora 34 any more.
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1988935
+ # https://github.com/pypa/pip/issues/9904
+ # You can still install using get-pip.py if python3-pip is *not*
+ # installed; this *should* remain separate under /usr/local and not break
+ # if python3-pip is later installed.
+ # For general sanity, we just use the packaged pip. It should be
+ # recent enough anyway. This is included via rpms/general
+ : # Simply fall through
+else
+ install_get_pip
fi
-# Eradicate any and all system packages
-
-# Python in fedora/suse depends on the python-pip package so removing it
-# results in a nonfunctional system. pip on fedora installs to /usr so pip
-# can safely override the system pip for all versions of fedora
-if ! is_fedora && ! is_suse; then
- if is_package_installed python3-pip ; then
- uninstall_package python3-pip
- fi
-fi
-
-install_get_pip
-
set -x
# Note setuptools is part of requirements.txt and we want to make sure
diff --git a/tools/make_cert.sh b/tools/make_cert.sh
index e91464f..0212d00 100755
--- a/tools/make_cert.sh
+++ b/tools/make_cert.sh
@@ -27,7 +27,7 @@
}
CN=$1
-if [ -z "$CN" ]]; then
+if [ -z "$CN" ]; then
usage
fi
ORG_UNIT_NAME=${2:-$ORG_UNIT_NAME}
@@ -52,5 +52,5 @@
make_cert $INT_CA_DIR $DEVSTACK_CERT_NAME $DEVSTACK_HOSTNAME
# Create a cert bundle
-cat $INT_CA_DIR/private/$DEVSTACK_CERT_NAME.key $INT_CA_DIR/$DEVSTACK_CERT_NAME.crt $INT_CA_DIR/cacert.pem >$DEVSTACK_CERT
-
+cat $INT_CA_DIR/private/$DEVSTACK_CERT_NAME.key \
+ $INT_CA_DIR/$DEVSTACK_CERT_NAME.crt $INT_CA_DIR/cacert.pem >$DEVSTACK_CERT
diff --git a/tools/update_clouds_yaml.py b/tools/update_clouds_yaml.py
index 7be995e..74dcdb2 100755
--- a/tools/update_clouds_yaml.py
+++ b/tools/update_clouds_yaml.py
@@ -65,7 +65,7 @@
def _read_clouds(self):
try:
with open(self._clouds_path) as clouds_file:
- self._clouds = yaml.load(clouds_file)
+ self._clouds = yaml.safe_load(clouds_file)
except IOError:
# The user doesn't have a clouds.yaml file.
print("The user clouds.yaml file didn't exist.")