Merge "yum_install: fix awk return code"
diff --git a/.gitignore b/.gitignore
index a470ff5..d1781bc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -15,6 +15,8 @@
files/*.vmdk
files/*.rpm
files/*.rpm.*
+files/*.deb
+files/*.deb.*
files/*.qcow2
files/*.img
files/images
diff --git a/README.md b/README.md
index 4ba4619..ff5598b 100644
--- a/README.md
+++ b/README.md
@@ -25,9 +25,9 @@
The DevStack master branch generally points to trunk versions of OpenStack
components. For older, stable versions, look for branches named
stable/[release] in the DevStack repo. For example, you can do the
-following to create a juno OpenStack cloud:
+following to create a Newton OpenStack cloud:
- git checkout stable/juno
+ git checkout stable/newton
./stack.sh
You can also pick specific OpenStack project releases by setting the appropriate
diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst
index 1161b34..22809eb 100644
--- a/doc/source/configuration.rst
+++ b/doc/source/configuration.rst
@@ -521,16 +521,14 @@
IP Version
----------
-``IP_VERSION`` can be used to configure DevStack to create either an
-IPv4, IPv6, or dual-stack self service project data-network by with
+``IP_VERSION`` can be used to configure Neutron to create either an
+IPv4, IPv6, or dual-stack self-service project data-network by with
either ``IP_VERSION=4``, ``IP_VERSION=6``, or ``IP_VERSION=4+6``
-respectively. This functionality requires that the Neutron networking
-service is enabled by setting the following options:
+respectively.
::
- disable_service n-net
- enable_service q-svc q-agt q-dhcp q-l3
+ IP_VERSION=4+6
The following optional variables can be used to alter the default IPv6
behavior:
diff --git a/doc/source/guides/multinode-lab.rst b/doc/source/guides/multinode-lab.rst
index c996f95..8751eb8 100644
--- a/doc/source/guides/multinode-lab.rst
+++ b/doc/source/guides/multinode-lab.rst
@@ -260,7 +260,7 @@
openstack user create $NAME --password=$PASSWORD --project $PROJECT
openstack role add Member --user $NAME --project $PROJECT
# The Member role is created by stack.sh
- # openstack role list
+ # openstack role assignment list
Swift
-----
diff --git a/doc/source/guides/neutron.rst b/doc/source/guides/neutron.rst
index c5b1634..bc6816c 100644
--- a/doc/source/guides/neutron.rst
+++ b/doc/source/guides/neutron.rst
@@ -76,12 +76,6 @@
RABBIT_PASSWORD=secret
SERVICE_PASSWORD=secret
- # Do not use Nova-Network
- disable_service n-net
- # Enable Neutron
- ENABLED_SERVICES+=,q-svc,q-dhcp,q-meta,q-agt,q-l3
-
-
## Neutron options
Q_USE_SECGROUP=True
FLOATING_RANGE="172.18.161.0/24"
@@ -389,11 +383,7 @@
Q_USE_PROVIDER_NETWORKING=True
- # Do not use Nova-Network
- disable_service n-net
-
- # Neutron
- ENABLED_SERVICES+=,q-svc,q-dhcp,q-meta,q-agt
+ disable_service q-l3
## Neutron Networking options used to create Neutron Subnets
@@ -402,6 +392,7 @@
PROVIDER_SUBNET_NAME="provider_net"
PROVIDER_NETWORK_TYPE="vlan"
SEGMENTATION_ID=2010
+ USE_SUBNETPOOL=False
In this configuration we are defining FIXED_RANGE to be a
publicly routed IPv4 subnet. In this specific instance we are using
@@ -530,12 +521,6 @@
RABBIT_PASSWORD=secret
SERVICE_PASSWORD=secret
- # Do not use Nova-Network
- disable_service n-net
- # Enable Neutron
- ENABLED_SERVICES+=,q-svc,q-dhcp,q-meta,q-agt,q-l3
-
-
## Neutron options
Q_USE_SECGROUP=True
FLOATING_RANGE="172.18.161.0/24"
@@ -582,10 +567,7 @@
Q_ML2_PLUGIN_MECHANISM_DRIVERS=macvtap
Q_USE_PROVIDER_NETWORKING=True
- #Enable Neutron services
- disable_service n-net
enable_plugin neutron git://git.openstack.org/openstack/neutron
- ENABLED_SERVICES+=,q-agt,q-svc
## MacVTap agent options
Q_AGENT=macvtap
@@ -596,6 +578,7 @@
PROVIDER_SUBNET_NAME="provider_net"
PROVIDER_NETWORK_TYPE="vlan"
SEGMENTATION_ID=2010
+ USE_SUBNETPOOL=False
[[post-config|/$Q_PLUGIN_CONF_FILE]]
[macvtap]
@@ -614,7 +597,7 @@
For OVS, a similar configuration like described in the
:ref:`OVS Provider Network <ovs-provider-network-controller>` section can be
-used. Just add the the following line to this local.conf, which also loads
+used. Just add the following line to this local.conf, which also loads
the MacVTap mechanism driver:
::
diff --git a/doc/source/plugin-registry.rst b/doc/source/plugin-registry.rst
index d6df1ef..6ece997 100644
--- a/doc/source/plugin-registry.rst
+++ b/doc/source/plugin-registry.rst
@@ -1,16 +1,16 @@
-.. Note to patch submitters:
+.. Note to patch submitters:
- # ============================= #
- # THIS FILE IS AUTOGENERATED ! #
- # ============================= #
+ # ============================= #
+ # THIS FILE IS AUTOGENERATED ! #
+ # ============================= #
- ** Plugins are found automatically and added to this list **
+ ** Plugins are found automatically and added to this list **
- This file is created by a periodic proposal job. You should not
- edit this file.
+ This file is created by a periodic proposal job. You should not
+ edit this file.
- You should edit the files data/devstack-plugins-registry.footer
- data/devstack-plugins-registry.header to modify this text.
+ You should edit the files data/devstack-plugins-registry.footer
+ data/devstack-plugins-registry.header to modify this text.
==========================
DevStack Plugin Registry
@@ -24,6 +24,7 @@
====================================== ===
Plugin Name URL
====================================== ===
+almanach `git://git.openstack.org/openstack/almanach <https://git.openstack.org/cgit/openstack/almanach>`__
aodh `git://git.openstack.org/openstack/aodh <https://git.openstack.org/cgit/openstack/aodh>`__
app-catalog-ui `git://git.openstack.org/openstack/app-catalog-ui <https://git.openstack.org/cgit/openstack/app-catalog-ui>`__
astara `git://git.openstack.org/openstack/astara <https://git.openstack.org/cgit/openstack/astara>`__
@@ -58,21 +59,26 @@
freezer-api `git://git.openstack.org/openstack/freezer-api <https://git.openstack.org/cgit/openstack/freezer-api>`__
freezer-web-ui `git://git.openstack.org/openstack/freezer-web-ui <https://git.openstack.org/cgit/openstack/freezer-web-ui>`__
gce-api `git://git.openstack.org/openstack/gce-api <https://git.openstack.org/cgit/openstack/gce-api>`__
+glare `git://git.openstack.org/openstack/glare <https://git.openstack.org/cgit/openstack/glare>`__
gnocchi `git://git.openstack.org/openstack/gnocchi <https://git.openstack.org/cgit/openstack/gnocchi>`__
group-based-policy `git://git.openstack.org/openstack/group-based-policy <https://git.openstack.org/cgit/openstack/group-based-policy>`__
heat `git://git.openstack.org/openstack/heat <https://git.openstack.org/cgit/openstack/heat>`__
-higgins `git://git.openstack.org/openstack/higgins <https://git.openstack.org/cgit/openstack/higgins>`__
horizon-mellanox `git://git.openstack.org/openstack/horizon-mellanox <https://git.openstack.org/cgit/openstack/horizon-mellanox>`__
ironic `git://git.openstack.org/openstack/ironic <https://git.openstack.org/cgit/openstack/ironic>`__
ironic-inspector `git://git.openstack.org/openstack/ironic-inspector <https://git.openstack.org/cgit/openstack/ironic-inspector>`__
ironic-staging-drivers `git://git.openstack.org/openstack/ironic-staging-drivers <https://git.openstack.org/cgit/openstack/ironic-staging-drivers>`__
+karbor `git://git.openstack.org/openstack/karbor <https://git.openstack.org/cgit/openstack/karbor>`__
+karbor-dashboard `git://git.openstack.org/openstack/karbor-dashboard <https://git.openstack.org/cgit/openstack/karbor-dashboard>`__
+keystone `git://git.openstack.org/openstack/keystone <https://git.openstack.org/cgit/openstack/keystone>`__
kingbird `git://git.openstack.org/openstack/kingbird <https://git.openstack.org/cgit/openstack/kingbird>`__
+kuryr-kubernetes `git://git.openstack.org/openstack/kuryr-kubernetes <https://git.openstack.org/cgit/openstack/kuryr-kubernetes>`__
kuryr-libnetwork `git://git.openstack.org/openstack/kuryr-libnetwork <https://git.openstack.org/cgit/openstack/kuryr-libnetwork>`__
magnum `git://git.openstack.org/openstack/magnum <https://git.openstack.org/cgit/openstack/magnum>`__
magnum-ui `git://git.openstack.org/openstack/magnum-ui <https://git.openstack.org/cgit/openstack/magnum-ui>`__
manila `git://git.openstack.org/openstack/manila <https://git.openstack.org/cgit/openstack/manila>`__
masakari `git://git.openstack.org/openstack/masakari <https://git.openstack.org/cgit/openstack/masakari>`__
mistral `git://git.openstack.org/openstack/mistral <https://git.openstack.org/cgit/openstack/mistral>`__
+mixmatch `git://git.openstack.org/openstack/mixmatch <https://git.openstack.org/cgit/openstack/mixmatch>`__
monasca-analytics `git://git.openstack.org/openstack/monasca-analytics <https://git.openstack.org/cgit/openstack/monasca-analytics>`__
monasca-api `git://git.openstack.org/openstack/monasca-api <https://git.openstack.org/cgit/openstack/monasca-api>`__
monasca-ceilometer `git://git.openstack.org/openstack/monasca-ceilometer <https://git.openstack.org/cgit/openstack/monasca-ceilometer>`__
@@ -80,6 +86,7 @@
monasca-transform `git://git.openstack.org/openstack/monasca-transform <https://git.openstack.org/cgit/openstack/monasca-transform>`__
murano `git://git.openstack.org/openstack/murano <https://git.openstack.org/cgit/openstack/murano>`__
networking-6wind `git://git.openstack.org/openstack/networking-6wind <https://git.openstack.org/cgit/openstack/networking-6wind>`__
+networking-arista `git://git.openstack.org/openstack/networking-arista <https://git.openstack.org/cgit/openstack/networking-arista>`__
networking-bagpipe `git://git.openstack.org/openstack/networking-bagpipe <https://git.openstack.org/cgit/openstack/networking-bagpipe>`__
networking-bgpvpn `git://git.openstack.org/openstack/networking-bgpvpn <https://git.openstack.org/cgit/openstack/networking-bgpvpn>`__
networking-brocade `git://git.openstack.org/openstack/networking-brocade <https://git.openstack.org/cgit/openstack/networking-brocade>`__
@@ -101,6 +108,7 @@
networking-plumgrid `git://git.openstack.org/openstack/networking-plumgrid <https://git.openstack.org/cgit/openstack/networking-plumgrid>`__
networking-powervm `git://git.openstack.org/openstack/networking-powervm <https://git.openstack.org/cgit/openstack/networking-powervm>`__
networking-sfc `git://git.openstack.org/openstack/networking-sfc <https://git.openstack.org/cgit/openstack/networking-sfc>`__
+networking-vpp `git://git.openstack.org/openstack/networking-vpp <https://git.openstack.org/cgit/openstack/networking-vpp>`__
networking-vsphere `git://git.openstack.org/openstack/networking-vsphere <https://git.openstack.org/cgit/openstack/networking-vsphere>`__
neutron `git://git.openstack.org/openstack/neutron <https://git.openstack.org/cgit/openstack/neutron>`__
neutron-dynamic-routing `git://git.openstack.org/openstack/neutron-dynamic-routing <https://git.openstack.org/cgit/openstack/neutron-dynamic-routing>`__
@@ -108,13 +116,15 @@
neutron-lbaas `git://git.openstack.org/openstack/neutron-lbaas <https://git.openstack.org/cgit/openstack/neutron-lbaas>`__
neutron-lbaas-dashboard `git://git.openstack.org/openstack/neutron-lbaas-dashboard <https://git.openstack.org/cgit/openstack/neutron-lbaas-dashboard>`__
neutron-vpnaas `git://git.openstack.org/openstack/neutron-vpnaas <https://git.openstack.org/cgit/openstack/neutron-vpnaas>`__
+nimble `git://git.openstack.org/openstack/nimble <https://git.openstack.org/cgit/openstack/nimble>`__
nova-docker `git://git.openstack.org/openstack/nova-docker <https://git.openstack.org/cgit/openstack/nova-docker>`__
nova-lxd `git://git.openstack.org/openstack/nova-lxd <https://git.openstack.org/cgit/openstack/nova-lxd>`__
+nova-mksproxy `git://git.openstack.org/openstack/nova-mksproxy <https://git.openstack.org/cgit/openstack/nova-mksproxy>`__
nova-powervm `git://git.openstack.org/openstack/nova-powervm <https://git.openstack.org/cgit/openstack/nova-powervm>`__
+oaktree `git://git.openstack.org/openstack/oaktree <https://git.openstack.org/cgit/openstack/oaktree>`__
octavia `git://git.openstack.org/openstack/octavia <https://git.openstack.org/cgit/openstack/octavia>`__
osprofiler `git://git.openstack.org/openstack/osprofiler <https://git.openstack.org/cgit/openstack/osprofiler>`__
panko `git://git.openstack.org/openstack/panko <https://git.openstack.org/cgit/openstack/panko>`__
-python-freezerclient `git://git.openstack.org/openstack/python-freezerclient <https://git.openstack.org/cgit/openstack/python-freezerclient>`__
rally `git://git.openstack.org/openstack/rally <https://git.openstack.org/cgit/openstack/rally>`__
sahara `git://git.openstack.org/openstack/sahara <https://git.openstack.org/cgit/openstack/sahara>`__
sahara-dashboard `git://git.openstack.org/openstack/sahara-dashboard <https://git.openstack.org/cgit/openstack/sahara-dashboard>`__
@@ -122,12 +132,11 @@
searchlight `git://git.openstack.org/openstack/searchlight <https://git.openstack.org/cgit/openstack/searchlight>`__
searchlight-ui `git://git.openstack.org/openstack/searchlight-ui <https://git.openstack.org/cgit/openstack/searchlight-ui>`__
senlin `git://git.openstack.org/openstack/senlin <https://git.openstack.org/cgit/openstack/senlin>`__
-smaug `git://git.openstack.org/openstack/smaug <https://git.openstack.org/cgit/openstack/smaug>`__
-smaug-dashboard `git://git.openstack.org/openstack/smaug-dashboard <https://git.openstack.org/cgit/openstack/smaug-dashboard>`__
solum `git://git.openstack.org/openstack/solum <https://git.openstack.org/cgit/openstack/solum>`__
tacker `git://git.openstack.org/openstack/tacker <https://git.openstack.org/cgit/openstack/tacker>`__
tap-as-a-service `git://git.openstack.org/openstack/tap-as-a-service <https://git.openstack.org/cgit/openstack/tap-as-a-service>`__
tricircle `git://git.openstack.org/openstack/tricircle <https://git.openstack.org/cgit/openstack/tricircle>`__
+trio2o `git://git.openstack.org/openstack/trio2o <https://git.openstack.org/cgit/openstack/trio2o>`__
trove `git://git.openstack.org/openstack/trove <https://git.openstack.org/cgit/openstack/trove>`__
trove-dashboard `git://git.openstack.org/openstack/trove-dashboard <https://git.openstack.org/cgit/openstack/trove-dashboard>`__
vitrage `git://git.openstack.org/openstack/vitrage <https://git.openstack.org/cgit/openstack/vitrage>`__
@@ -137,6 +146,8 @@
watcher-dashboard `git://git.openstack.org/openstack/watcher-dashboard <https://git.openstack.org/cgit/openstack/watcher-dashboard>`__
zaqar `git://git.openstack.org/openstack/zaqar <https://git.openstack.org/cgit/openstack/zaqar>`__
zaqar-ui `git://git.openstack.org/openstack/zaqar-ui <https://git.openstack.org/cgit/openstack/zaqar-ui>`__
+zun `git://git.openstack.org/openstack/zun <https://git.openstack.org/cgit/openstack/zun>`__
+zun-ui `git://git.openstack.org/openstack/zun-ui <https://git.openstack.org/cgit/openstack/zun-ui>`__
====================================== ===
diff --git a/exercises/neutron-adv-test.sh b/exercises/neutron-adv-test.sh
index dc6bbbb..e003c56 100755
--- a/exercises/neutron-adv-test.sh
+++ b/exercises/neutron-adv-test.sh
@@ -148,7 +148,7 @@
function get_role_id {
local ROLE_NAME=$1
local ROLE_ID
- ROLE_ID=`openstack role list | grep $ROLE_NAME | awk '{print $2}'`
+ ROLE_ID=`openstack role assignment list | grep $ROLE_NAME | awk '{print $2}'`
die_if_not_set $LINENO ROLE_ID "Failure retrieving ROLE_ID for $ROLE_NAME"
echo "$ROLE_ID"
}
diff --git a/files/apache-keystone.template b/files/apache-keystone.template
index 8a4b0f0..428544f 100644
--- a/files/apache-keystone.template
+++ b/files/apache-keystone.template
@@ -44,8 +44,8 @@
WSGIPassAuthorization On
</Location>
-Alias /identity_v2_admin %KEYSTONE_BIN%/keystone-wsgi-admin
-<Location /identity_v2_admin>
+Alias /identity_admin %KEYSTONE_BIN%/keystone-wsgi-admin
+<Location /identity_admin>
SetHandler wsgi-script
Options +ExecCGI
diff --git a/files/debs/tls-proxy b/files/debs/tls-proxy
index dce9c07..5bd8e21 100644
--- a/files/debs/tls-proxy
+++ b/files/debs/tls-proxy
@@ -1 +1 @@
-stud
+apache2
diff --git a/functions b/functions
index 5856578..6a0ac67 100644
--- a/functions
+++ b/functions
@@ -646,6 +646,24 @@
}
+# enable_kernel_bridge_firewall - Enable kernel support for bridge firewalling
+function enable_kernel_bridge_firewall {
+ # Load bridge module. This module provides access to firewall for bridged
+ # frames; and also on older kernels (pre-3.18) it provides sysctl knobs to
+ # enable/disable bridge firewalling
+ sudo modprobe bridge
+ # For newer kernels (3.18+), those sysctl settings are split into a separate
+ # kernel module (br_netfilter). Load it too, if present.
+ sudo modprobe br_netfilter 2>> /dev/null || :
+ # Enable bridge firewalling in case it's disabled in kernel (upstream
+ # default is enabled, but some distributions may decide to change it).
+ # This is at least needed for RHEL 7.2 and earlier releases.
+ for proto in arp ip ip6; do
+ sudo sysctl -w net.bridge.bridge-nf-call-${proto}tables=1
+ done
+}
+
+
# Restore xtrace
$_XTRACE_FUNCTIONS
diff --git a/functions-common b/functions-common
index 120aa97..8e14b5e 100644
--- a/functions-common
+++ b/functions-common
@@ -865,11 +865,9 @@
domain_args=$(_get_domain_args $4 $5)
# Gets user role id
- user_role_id=$(openstack role list \
+ user_role_id=$(openstack role assignment list \
--user $2 \
- --column "ID" \
--project $3 \
- --column "Name" \
$domain_args \
| grep " $1 " | get_field 1)
if [[ -z "$user_role_id" ]]; then
@@ -878,11 +876,9 @@
--user $2 \
--project $3 \
$domain_args
- user_role_id=$(openstack role list \
+ user_role_id=$(openstack role assignment list \
--user $2 \
- --column "ID" \
--project $3 \
- --column "Name" \
$domain_args \
| grep " $1 " | get_field 1)
fi
@@ -894,22 +890,18 @@
function get_or_add_user_domain_role {
local user_role_id
# Gets user role id
- user_role_id=$(openstack role list \
+ user_role_id=$(openstack role assignment list \
--user $2 \
- --column "ID" \
--domain $3 \
- --column "Name" \
| grep " $1 " | get_field 1)
if [[ -z "$user_role_id" ]]; then
# Adds role to user and get it
openstack role add $1 \
--user $2 \
--domain $3
- user_role_id=$(openstack role list \
+ user_role_id=$(openstack role assignment list \
--user $2 \
- --column "ID" \
--domain $3 \
- --column "Name" \
| grep " $1 " | get_field 1)
fi
echo $user_role_id
@@ -920,13 +912,11 @@
function get_or_add_user_domain_role {
local user_role_id
# Gets user role id
- user_role_id=$(openstack role list \
+ user_role_id=$(openstack role assignment list \
--user $2 \
--os-url=$KEYSTONE_SERVICE_URI_V3 \
--os-identity-api-version=3 \
- --column "ID" \
--domain $3 \
- --column "Name" \
| grep " $1 " | get_field 1)
if [[ -z "$user_role_id" ]]; then
# Adds role to user and get it
@@ -935,13 +925,11 @@
--domain $3 \
--os-url=$KEYSTONE_SERVICE_URI_V3 \
--os-identity-api-version=3
- user_role_id=$(openstack role list \
+ user_role_id=$(openstack role assignment list \
--user $2 \
--os-url=$KEYSTONE_SERVICE_URI_V3 \
--os-identity-api-version=3 \
- --column "ID" \
--domain $3 \
- --column "Name" \
| grep " $1 " | get_field 1)
fi
echo $user_role_id
@@ -952,19 +940,19 @@
function get_or_add_group_project_role {
local group_role_id
# Gets group role id
- group_role_id=$(openstack role list \
+ group_role_id=$(openstack role assignment list \
--group $2 \
--project $3 \
- -c "ID" -f value)
+ -f value)
if [[ -z "$group_role_id" ]]; then
# Adds role to group and get it
openstack role add $1 \
--group $2 \
--project $3
- group_role_id=$(openstack role list \
+ group_role_id=$(openstack role assignment list \
--group $2 \
--project $3 \
- -c "ID" -f value)
+ -f value)
fi
echo $group_role_id
}
@@ -2213,6 +2201,18 @@
echo ${1-0}.${2-0}.${3-0}.${4-0}
}
+# Check if this is a valid ipv4 address string
+function is_ipv4_address {
+ local address=$1
+ local regex='([0-9]{1,3}.){3}[0-9]{1,3}'
+ # TODO(clarkb) make this more robust
+ if [[ "$address" =~ $regex ]] ; then
+ return 0
+ else
+ return 1
+ fi
+}
+
# Gracefully cp only if source file/dir exists
# cp_it source destination
function cp_it {
@@ -2310,6 +2310,16 @@
fi
}
+# Service wrapper to stop services
+# reload_service service-name
+function reload_service {
+ if [ -x /bin/systemctl ]; then
+ sudo /bin/systemctl reload $1
+ else
+ sudo service $1 reload
+ fi
+}
+
# Test with a finite retry loop.
#
function test_with_retry {
diff --git a/lib/apache b/lib/apache
index 2c84c7a..8a38cc4 100644
--- a/lib/apache
+++ b/lib/apache
@@ -39,27 +39,44 @@
APACHE_NAME=apache2
APACHE_CONF_DIR=${APACHE_CONF_DIR:-/etc/$APACHE_NAME/vhosts.d}
fi
+APACHE_LOG_DIR="/var/log/${APACHE_NAME}"
# Functions
# ---------
+
+# Enable apache mod and restart apache if it isn't already enabled.
+function enable_apache_mod {
+ local mod=$1
+ # Apache installation, because we mark it NOPRIME
+ if is_ubuntu || is_suse ; then
+ if ! a2query -m $mod ; then
+ sudo a2enmod $mod
+ restart_apache_server
+ fi
+ elif is_fedora; then
+ # pass
+ true
+ else
+ exit_distro_not_supported "apache enable mod"
+ fi
+}
+
# install_apache_wsgi() - Install Apache server and wsgi module
function install_apache_wsgi {
# Apache installation, because we mark it NOPRIME
if is_ubuntu; then
# Install apache2, which is NOPRIME'd
install_package apache2 libapache2-mod-wsgi
- # WSGI isn't enabled by default, enable it
- sudo a2enmod wsgi
elif is_fedora; then
sudo rm -f /etc/httpd/conf.d/000-*
install_package httpd mod_wsgi
elif is_suse; then
install_package apache2 apache2-mod_wsgi
- # WSGI isn't enabled by default, enable it
- sudo a2enmod wsgi
else
- exit_distro_not_supported "apache installation"
+ exit_distro_not_supported "apache wsgi installation"
fi
+ # WSGI isn't enabled by default, enable it
+ enable_apache_mod wsgi
# ensure mod_version enabled for <IfVersion ...>. This is
# built-in statically on anything recent, but precise (2.2)
@@ -192,6 +209,11 @@
time_stop "restart_apache_server"
}
+# reload_apache_server
+function reload_apache_server {
+ reload_service $APACHE_NAME
+}
+
# Restore xtrace
$_XTRACE_LIB_APACHE
diff --git a/lib/cinder b/lib/cinder
index a87f395..c4a49cd 100644
--- a/lib/cinder
+++ b/lib/cinder
@@ -68,9 +68,8 @@
CINDER_SERVICE_LISTEN_ADDRESS=${CINDER_SERVICE_LISTEN_ADDRESS:-$SERVICE_LISTEN_ADDRESS}
# What type of LVM device should Cinder use for LVM backend
-# Defaults to default, which is thick, the other valid choice
-# is thin, which as the name implies utilizes lvm thin provisioning.
-CINDER_LVM_TYPE=${CINDER_LVM_TYPE:-default}
+# Defaults to thin. For thick provisioning change to 'default'
+CINDER_LVM_TYPE=${CINDER_LVM_TYPE:-thin}
# Default backends
# The backend format is type:name where type is one of the supported backend
@@ -128,6 +127,17 @@
CINDER_NOVA_CATALOG_INFO=${CINDER_NOVA_CATALOG_INFO:-compute:nova:publicURL}
CINDER_NOVA_CATALOG_ADMIN_INFO=${CINDER_NOVA_CATALOG_ADMIN_INFO:-compute:nova:adminURL}
+# Environment variables to configure the image-volume cache
+CINDER_IMG_CACHE_ENABLED=${CINDER_IMG_CACHE_ENABLED:-True}
+
+# For limits, if left unset, it will use cinder defaults of 0 for unlimited
+CINDER_IMG_CACHE_SIZE_GB=${CINDER_IMG_CACHE_SIZE_GB:-}
+CINDER_IMG_CACHE_SIZE_COUNT=${CINDER_IMG_CACHE_SIZE_COUNT:-}
+
+# Configure which cinder backends will have the image-volume cache, this takes the same
+# form as the CINDER_ENABLED_BACKENDS config option. By default it will
+# enable the cache for all cinder backends.
+CINDER_CACHE_ENABLED_FOR_BACKENDS=${CINDER_CACHE_ENABLED_FOR_BACKENDS:-$CINDER_ENABLED_BACKENDS}
# Functions
# ---------
@@ -292,6 +302,7 @@
if [[ -n "$default_name" ]]; then
iniset $CINDER_CONF DEFAULT default_volume_type ${default_name}
fi
+ configure_cinder_image_volume_cache
fi
if is_service_enabled swift; then
@@ -305,8 +316,8 @@
if is_service_enabled tls-proxy; then
# Set the service port for a proxy to take the original
iniset $CINDER_CONF DEFAULT osapi_volume_listen_port $CINDER_SERVICE_PORT_INT
-
iniset $CINDER_CONF DEFAULT public_endpoint $CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST:$CINDER_SERVICE_PORT
+ iniset $CINDER_CONF DEFAULT osapi_volume_base_URL $CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST:$CINDER_SERVICE_PORT
fi
if [ "$SYSLOG" != "False" ]; then
@@ -397,6 +408,8 @@
"$CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST:$CINDER_SERVICE_PORT/v3/\$(project_id)s" \
"$CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST:$CINDER_SERVICE_PORT/v3/\$(project_id)s" \
"$CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST:$CINDER_SERVICE_PORT/v3/\$(project_id)s"
+
+ configure_cinder_internal_tenant
fi
}
@@ -534,7 +547,7 @@
# Start proxies if enabled
if is_service_enabled c-api && is_service_enabled tls-proxy; then
- start_tls_proxy '*' $CINDER_SERVICE_PORT $CINDER_SERVICE_HOST $CINDER_SERVICE_PORT_INT &
+ start_tls_proxy cinder '*' $CINDER_SERVICE_PORT $CINDER_SERVICE_HOST $CINDER_SERVICE_PORT_INT
fi
}
@@ -574,6 +587,31 @@
:
}
+function configure_cinder_internal_tenant {
+ # Re-use the Cinder service account for simplicity.
+ iniset $CINDER_CONF DEFAULT cinder_internal_tenant_project_id $(get_or_create_project $SERVICE_PROJECT_NAME)
+ iniset $CINDER_CONF DEFAULT cinder_internal_tenant_user_id $(get_or_create_user "cinder")
+}
+
+function configure_cinder_image_volume_cache {
+ # Expect CINDER_CACHE_ENABLED_FOR_BACKENDS to be a list of backends
+ # similar to CINDER_ENABLED_BACKENDS with NAME:TYPE where NAME will
+ # be the backend specific configuration stanza in cinder.conf.
+ for be in ${CINDER_CACHE_ENABLED_FOR_BACKENDS//,/ }; do
+ local be_name=${be##*:}
+
+ iniset $CINDER_CONF $be_name image_volume_cache_enabled $CINDER_IMG_CACHE_ENABLED
+
+ if [[ -n $CINDER_IMG_CACHE_SIZE_GB ]]; then
+ iniset $CINDER_CONF $be_name image_volume_cache_max_size_gb $CINDER_IMG_CACHE_SIZE_GB
+ fi
+
+ if [[ -n $CINDER_IMG_CACHE_SIZE_COUNT ]]; then
+ iniset $CINDER_CONF $be_name image_volume_cache_max_count $CINDER_IMG_CACHE_SIZE_COUNT
+ fi
+ done
+}
+
# Restore xtrace
$_XTRACE_CINDER
diff --git a/lib/cinder_backends/ceph b/lib/cinder_backends/ceph
index 9bff5be..ba86ccf 100644
--- a/lib/cinder_backends/ceph
+++ b/lib/cinder_backends/ceph
@@ -45,7 +45,7 @@
iniset $CINDER_CONF $be_name volume_backend_name $be_name
iniset $CINDER_CONF $be_name volume_driver "cinder.volume.drivers.rbd.RBDDriver"
- iniset $CINDER_CONF $be_name rbd_ceph_conf "$CEPH_CONF"
+ iniset $CINDER_CONF $be_name rbd_ceph_conf "$CEPH_CONF_FILE"
iniset $CINDER_CONF $be_name rbd_pool "$CINDER_CEPH_POOL"
iniset $CINDER_CONF $be_name rbd_user "$CINDER_CEPH_USER"
iniset $CINDER_CONF $be_name rbd_uuid "$CINDER_CEPH_UUID"
@@ -66,7 +66,7 @@
sudo chown $(whoami):$(whoami) ${CEPH_CONF_DIR}/ceph.client.${CINDER_BAK_CEPH_USER}.keyring
iniset $CINDER_CONF DEFAULT backup_driver "cinder.backup.drivers.ceph"
- iniset $CINDER_CONF DEFAULT backup_ceph_conf "$CEPH_CONF"
+ iniset $CINDER_CONF DEFAULT backup_ceph_conf "$CEPH_CONF_FILE"
iniset $CINDER_CONF DEFAULT backup_ceph_pool "$CINDER_BAK_CEPH_POOL"
iniset $CINDER_CONF DEFAULT backup_ceph_user "$CINDER_BAK_CEPH_USER"
iniset $CINDER_CONF DEFAULT backup_ceph_stripe_unit 0
diff --git a/lib/glance b/lib/glance
index 8d95aad..5259174 100644
--- a/lib/glance
+++ b/lib/glance
@@ -187,8 +187,6 @@
iniset $GLANCE_SWIFT_STORE_CONF ref1 key $SERVICE_PASSWORD
iniset $GLANCE_SWIFT_STORE_CONF ref1 auth_address $KEYSTONE_SERVICE_URI/v3
- iniset $GLANCE_SWIFT_STORE_CONF ref1 user_domain_name $SERVICE_DOMAIN_NAME
- iniset $GLANCE_SWIFT_STORE_CONF ref1 project_domain_name $SERVICE_DOMAIN_NAME
iniset $GLANCE_SWIFT_STORE_CONF ref1 auth_version 3
# commenting is not strictly necessary but it's confusing to have bad values in conf
@@ -312,6 +310,11 @@
"$GLANCE_SERVICE_PROTOCOL://$GLANCE_HOSTPORT" \
"$GLANCE_SERVICE_PROTOCOL://$GLANCE_HOSTPORT" \
"$GLANCE_SERVICE_PROTOCOL://$GLANCE_HOSTPORT"
+
+ # Note(frickler): Crude workaround for https://bugs.launchpad.net/glance-store/+bug/1620999
+ service_domain_id=$(get_or_create_domain $SERVICE_DOMAIN_NAME)
+ iniset $GLANCE_SWIFT_STORE_CONF ref1 project_domain_id $service_domain_id
+ iniset $GLANCE_SWIFT_STORE_CONF ref1 user_domain_id $service_domain_id
fi
# Add glance-glare service and endpoints
@@ -383,8 +386,8 @@
function start_glance {
local service_protocol=$GLANCE_SERVICE_PROTOCOL
if is_service_enabled tls-proxy; then
- start_tls_proxy '*' $GLANCE_SERVICE_PORT $GLANCE_SERVICE_HOST $GLANCE_SERVICE_PORT_INT &
- start_tls_proxy '*' $GLANCE_REGISTRY_PORT $GLANCE_SERVICE_HOST $GLANCE_REGISTRY_PORT_INT &
+ start_tls_proxy glance-service '*' $GLANCE_SERVICE_PORT $GLANCE_SERVICE_HOST $GLANCE_SERVICE_PORT_INT
+ start_tls_proxy glance-registry '*' $GLANCE_REGISTRY_PORT $GLANCE_SERVICE_HOST $GLANCE_REGISTRY_PORT_INT
fi
run_process g-reg "$GLANCE_BIN_DIR/glance-registry --config-file=$GLANCE_CONF_DIR/glance-registry.conf"
diff --git a/lib/heat b/lib/heat
index c841e0a..0863128 100644
--- a/lib/heat
+++ b/lib/heat
@@ -40,7 +40,6 @@
HEAT_CFNTOOLS_DIR=$DEST/heat-cfntools
HEAT_TEMPLATES_REPO_DIR=$DEST/heat-templates
OCC_DIR=$DEST/os-collect-config
-DIB_UTILS_DIR=$DEST/dib-utils
ORC_DIR=$DEST/os-refresh-config
OAC_DIR=$DEST/os-apply-config
@@ -276,7 +275,6 @@
git_clone $OAC_REPO $OAC_DIR $OAC_BRANCH
git_clone $OCC_REPO $OCC_DIR $OCC_BRANCH
git_clone $ORC_REPO $ORC_DIR $ORC_BRANCH
- git_clone $DIB_UTILS_REPO $DIB_UTILS_DIR $DIB_UTILS_BRANCH
}
# start_heat() - Start running processes, including screen
@@ -420,7 +418,7 @@
# build_heat_pip_mirror() - Build a pip mirror containing heat agent projects
function build_heat_pip_mirror {
- local project_dirs="$OCC_DIR $OAC_DIR $ORC_DIR $HEAT_CFNTOOLS_DIR $DIB_UTILS_DIR"
+ local project_dirs="$OCC_DIR $OAC_DIR $ORC_DIR $HEAT_CFNTOOLS_DIR"
local projpath proj package
rm -rf $HEAT_PIP_REPO
diff --git a/lib/keystone b/lib/keystone
index a8423bc..fd92f31 100644
--- a/lib/keystone
+++ b/lib/keystone
@@ -25,7 +25,6 @@
# - create_keystone_accounts
# - stop_keystone
# - cleanup_keystone
-# - _cleanup_keystone_apache_wsgi
# Save trace setting
_XTRACE_KEYSTONE=$(set +o | grep xtrace)
@@ -89,7 +88,7 @@
# Select Keystone's token provider (and format)
# Choose from 'uuid', 'pki', 'pkiz', or 'fernet'
-KEYSTONE_TOKEN_FORMAT=${KEYSTONE_TOKEN_FORMAT:-}
+KEYSTONE_TOKEN_FORMAT=${KEYSTONE_TOKEN_FORMAT:-fernet}
KEYSTONE_TOKEN_FORMAT=$(echo ${KEYSTONE_TOKEN_FORMAT} | tr '[:upper:]' '[:lower:]')
# Set Keystone interface configuration
@@ -124,7 +123,7 @@
# complete URIs
if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then
# If running in Apache, use path access rather than port.
- KEYSTONE_AUTH_URI=${KEYSTONE_AUTH_PROTOCOL}://${KEYSTONE_AUTH_HOST}/identity_v2_admin
+ KEYSTONE_AUTH_URI=${KEYSTONE_AUTH_PROTOCOL}://${KEYSTONE_AUTH_HOST}/identity_admin
KEYSTONE_SERVICE_URI=${KEYSTONE_SERVICE_PROTOCOL}://${KEYSTONE_SERVICE_HOST}/identity
else
KEYSTONE_AUTH_URI=${KEYSTONE_AUTH_PROTOCOL}://${KEYSTONE_AUTH_HOST}:${KEYSTONE_AUTH_PORT}
@@ -149,11 +148,7 @@
# cleanup_keystone() - Remove residual data files, anything left over from previous
# runs that a clean run would need to clean up
function cleanup_keystone {
- _cleanup_keystone_apache_wsgi
-}
-
-# _cleanup_keystone_apache_wsgi() - Remove wsgi files, disable and remove apache vhost file
-function _cleanup_keystone_apache_wsgi {
+ disable_apache_site keystone
sudo rm -f $(apache_site_config_for keystone)
}
@@ -226,13 +221,6 @@
iniset $KEYSTONE_CONF ldap password $LDAP_PASSWORD
iniset $KEYSTONE_CONF ldap user $LDAP_MANAGER_DN
iniset $KEYSTONE_CONF ldap suffix $LDAP_BASE_DN
- iniset $KEYSTONE_CONF ldap use_dumb_member "True"
- iniset $KEYSTONE_CONF ldap user_attribute_ignore "enabled,email,tenants,default_project_id"
- iniset $KEYSTONE_CONF ldap tenant_attribute_ignore "enabled"
- iniset $KEYSTONE_CONF ldap tenant_domain_id_attribute "businessCategory"
- iniset $KEYSTONE_CONF ldap tenant_desc_attribute "description"
- iniset $KEYSTONE_CONF ldap tenant_tree_dn "ou=Projects,$LDAP_BASE_DN"
- iniset $KEYSTONE_CONF ldap user_domain_id_attribute "businessCategory"
iniset $KEYSTONE_CONF ldap user_tree_dn "ou=Users,$LDAP_BASE_DN"
iniset $KEYSTONE_CONF DEFAULT member_role_id "9fe2ff9ee4384b1894a90878d3e92bab"
iniset $KEYSTONE_CONF DEFAULT member_role_name "_member_"
@@ -245,7 +233,7 @@
# Enable caching
iniset $KEYSTONE_CONF cache enabled "True"
- iniset $KEYSTONE_CONF cache backend "oslo_cache.memcache_pool"
+ iniset $KEYSTONE_CONF cache backend "dogpile.cache.memcached"
iniset $KEYSTONE_CONF cache memcache_servers localhost:11211
iniset_rpc_backend keystone $KEYSTONE_CONF
@@ -335,6 +323,8 @@
iniset "$file" uwsgi buffer-size 65535
# Make sure the client doesn't try to re-use the connection.
iniset "$file" uwsgi add-header "Connection: close"
+ # This ensures that file descriptors aren't shared between processes.
+ iniset "$file" uwsgi lazy-apps true
done
fi
@@ -611,8 +601,8 @@
# Start proxies if enabled
if is_service_enabled tls-proxy; then
- start_tls_proxy '*' $KEYSTONE_SERVICE_PORT $KEYSTONE_SERVICE_HOST $KEYSTONE_SERVICE_PORT_INT &
- start_tls_proxy '*' $KEYSTONE_AUTH_PORT $KEYSTONE_AUTH_HOST $KEYSTONE_AUTH_PORT_INT &
+ start_tls_proxy keystone-service '*' $KEYSTONE_SERVICE_PORT $KEYSTONE_SERVICE_HOST $KEYSTONE_SERVICE_PORT_INT
+ start_tls_proxy keystone-auth '*' $KEYSTONE_AUTH_PORT $KEYSTONE_AUTH_HOST $KEYSTONE_AUTH_PORT_INT
fi
# (re)start memcached to make sure we have a clean memcache.
diff --git a/lib/neutron b/lib/neutron
index 7442efd..415344e 100644
--- a/lib/neutron
+++ b/lib/neutron
@@ -47,10 +47,10 @@
NEUTRON_AUTH_CACHE_DIR=${NEUTRON_AUTH_CACHE_DIR:-/var/cache/neutron}
# By default, use the ML2 plugin
-NEUTRON_PLUGIN=${NEUTRON_PLUGIN:-ml2}
-NEUTRON_PLUGIN_CONF_FILENAME=${NEUTRON_PLUGIN_CONF_FILENAME:-ml2_conf.ini}
-NEUTRON_PLUGIN_CONF_PATH=$NEUTRON_CONF_DIR/plugins/$NEUTRON_PLUGIN
-NEUTRON_PLUGIN_CONF=$NEUTRON_PLUGIN_CONF_PATH/$NEUTRON_PLUGIN_CONF_FILENAME
+NEUTRON_CORE_PLUGIN=${NEUTRON_CORE_PLUGIN:-ml2}
+NEUTRON_CORE_PLUGIN_CONF_FILENAME=${NEUTRON_CORE_PLUGIN_CONF_FILENAME:-ml2_conf.ini}
+NEUTRON_CORE_PLUGIN_CONF_PATH=$NEUTRON_CONF_DIR/plugins/$NEUTRON_CORE_PLUGIN
+NEUTRON_CORE_PLUGIN_CONF=$NEUTRON_CORE_PLUGIN_CONF_PATH/$NEUTRON_CORE_PLUGIN_CONF_FILENAME
NEUTRON_AGENT_BINARY=${NEUTRON_AGENT_BINARY:-neutron-$NEUTRON_AGENT-agent}
NEUTRON_L3_BINARY=${NEUTRON_L3_BINARY:-neutron-l3-agent}
@@ -117,16 +117,16 @@
configure_neutron_rootwrap
- mkdir -p $NEUTRON_PLUGIN_CONF_PATH
+ mkdir -p $NEUTRON_CORE_PLUGIN_CONF_PATH
- cp $NEUTRON_DIR/etc/neutron/plugins/$NEUTRON_PLUGIN/$NEUTRON_PLUGIN_CONF_FILENAME.sample $NEUTRON_PLUGIN_CONF
+ cp $NEUTRON_DIR/etc/neutron/plugins/$NEUTRON_CORE_PLUGIN/$NEUTRON_CORE_PLUGIN_CONF_FILENAME.sample $NEUTRON_CORE_PLUGIN_CONF
iniset $NEUTRON_CONF database connection `database_connection_url neutron`
iniset $NEUTRON_CONF DEFAULT state_path $NEUTRON_STATE_PATH
iniset $NEUTRON_CONF oslo_concurrency lock_path $NEUTRON_STATE_PATH/lock
iniset $NEUTRON_CONF DEFAULT use_syslog $SYSLOG
- iniset $NEUTRON_CONF DEFAULT debug True
+ iniset $NEUTRON_CONF DEFAULT debug $ENABLE_DEBUG_LOG_LEVEL
iniset_rpc_backend neutron $NEUTRON_CONF
@@ -139,7 +139,7 @@
cp $NEUTRON_DIR/etc/api-paste.ini $NEUTRON_CONF_DIR/api-paste.ini
- iniset $NEUTRON_CONF DEFAULT core_plugin ml2
+ iniset $NEUTRON_CONF DEFAULT core_plugin $NEUTRON_CORE_PLUGIN
iniset $NEUTRON_CONF DEFAULT policy_file $policy_file
iniset $NEUTRON_CONF DEFAULT allow_overlapping_ips True
@@ -147,10 +147,6 @@
iniset $NEUTRON_CONF DEFAULT auth_strategy $NEUTRON_AUTH_STRATEGY
configure_auth_token_middleware $NEUTRON_CONF neutron $NEUTRON_AUTH_CACHE_DIR keystone_authtoken
- # Configuration for neutron notifations to nova.
- iniset $NEUTRON_CONF DEFAULT notify_nova_on_port_status_changes $Q_NOTIFY_NOVA_PORT_STATUS_CHANGES
- iniset $NEUTRON_CONF DEFAULT notify_nova_on_port_data_changes $Q_NOTIFY_NOVA_PORT_DATA_CHANGES
-
iniset $NEUTRON_CONF nova auth_type password
iniset $NEUTRON_CONF nova auth_url "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_AUTH_PORT/v3"
iniset $NEUTRON_CONF nova username nova
@@ -162,33 +158,37 @@
# Configure VXLAN
# TODO(sc68cal) not hardcode?
- iniset $NEUTRON_PLUGIN_CONF ml2 tenant_network_types vxlan
- iniset $NEUTRON_PLUGIN_CONF ml2 type_drivers vxlan
- iniset $NEUTRON_PLUGIN_CONF ml2 mechanism_drivers openvswitch,linuxbridge
- iniset $NEUTRON_PLUGIN_CONF ml2_type_vxlan vni_ranges 1001:2000
- iniset $NEUTRON_PLUGIN_CONF ml2 extension_drivers port_security
+ iniset $NEUTRON_CORE_PLUGIN_CONF ml2 tenant_network_types vxlan
+ iniset $NEUTRON_CORE_PLUGIN_CONF ml2 type_drivers vxlan
+ iniset $NEUTRON_CORE_PLUGIN_CONF ml2 mechanism_drivers openvswitch,linuxbridge
+ iniset $NEUTRON_CORE_PLUGIN_CONF ml2_type_vxlan vni_ranges 1001:2000
+ if [[ "$NEUTRON_PORT_SECURITY" = "True" ]]; then
+ iniset $NEUTRON_CORE_PLUGIN_CONF ml2 extension_drivers port_security
+ fi
fi
# Neutron OVS or LB agent
if is_service_enabled neutron-agent; then
- iniset $NEUTRON_PLUGIN_CONF agent tunnel_types vxlan
- iniset $NEUTRON_PLUGIN_CONF DEFAULT debug True
+ iniset $NEUTRON_CORE_PLUGIN_CONF agent tunnel_types vxlan
+ iniset $NEUTRON_CORE_PLUGIN_CONF DEFAULT debug $ENABLE_DEBUG_LOG_LEVEL
# Configure the neutron agent
if [[ $NEUTRON_AGENT == "linuxbridge" ]]; then
- iniset $NEUTRON_PLUGIN_CONF securitygroup iptables
- iniset $NEUTRON_PLUGIN_CONF vxlan local_ip $HOST_IP
+ iniset $NEUTRON_CORE_PLUGIN_CONF securitygroup iptables
+ iniset $NEUTRON_CORE_PLUGIN_CONF vxlan local_ip $HOST_IP
else
- iniset $NEUTRON_PLUGIN_CONF securitygroup iptables_hybrid
- iniset $NEUTRON_PLUGIN_CONF ovs local_ip $HOST_IP
+ iniset $NEUTRON_CORE_PLUGIN_CONF securitygroup iptables_hybrid
+ iniset $NEUTRON_CORE_PLUGIN_CONF ovs local_ip $HOST_IP
fi
+
+ enable_kernel_bridge_firewall
fi
# DHCP Agent
if is_service_enabled neutron-dhcp; then
cp $NEUTRON_DIR/etc/dhcp_agent.ini.sample $NEUTRON_DHCP_CONF
- iniset $NEUTRON_DHCP_CONF DEFAULT debug True
+ iniset $NEUTRON_DHCP_CONF DEFAULT debug $ENABLE_DEBUG_LOG_LEVEL
# make it so we have working DNS from guests
iniset $NEUTRON_DHCP_CONF DEFAULT dnsmasq_local_resolv True
@@ -202,7 +202,7 @@
iniset $NEUTRON_L3_CONF DEFAULT interface_driver $NEUTRON_AGENT
iniset $NEUTRON_CONF DEFAULT service_plugins router
iniset $NEUTRON_L3_CONF agent root_helper_daemon "$NEUTRON_ROOTWRAP_DAEMON_CMD"
- iniset $NEUTRON_L3_CONF DEFAULT debug True
+ iniset $NEUTRON_L3_CONF DEFAULT debug $ENABLE_DEBUG_LOG_LEVEL
neutron_plugin_configure_l3_agent $NEUTRON_L3_CONF
fi
@@ -210,7 +210,7 @@
if is_service_enabled neutron-metadata-agent; then
cp $NEUTRON_DIR/etc/metadata_agent.ini.sample $NEUTRON_META_CONF
- iniset $NEUTRON_META_CONF DEFAULT debug True
+ iniset $NEUTRON_META_CONF DEFAULT debug $ENABLE_DEBUG_LOG_LEVEL
iniset $NEUTRON_META_CONF DEFAULT nova_metadata_ip $SERVICE_HOST
iniset $NEUTRON_META_CONF agent root_helper_daemon "$NEUTRON_ROOTWRAP_DAEMON_CMD"
@@ -397,7 +397,7 @@
# Start the Neutron service
# TODO(sc68cal) Stop hard coding this
- run_process neutron-api "$NEUTRON_BIN_DIR/neutron-server --config-file $NEUTRON_CONF --config-file $NEUTRON_PLUGIN_CONF"
+ run_process neutron-api "$NEUTRON_BIN_DIR/neutron-server --config-file $NEUTRON_CONF --config-file $NEUTRON_CORE_PLUGIN_CONF"
if is_ssl_enabled_service "neutron"; then
ssl_ca="--ca-certificate=${SSL_BUNDLE_FILE}"
@@ -412,7 +412,7 @@
# Start proxy if enabled
if is_service_enabled tls-proxy; then
- start_tls_proxy '*' $NEUTRON_SERVICE_PORT $NEUTRON_SERVICE_HOST $NEUTRON_SERVICE_PORT_INT &
+ start_tls_proxy neutron '*' $NEUTRON_SERVICE_PORT $NEUTRON_SERVICE_HOST $NEUTRON_SERVICE_PORT_INT
fi
}
@@ -475,9 +475,9 @@
NEUTRON_CONFIG_ARG+=" --config-file $NEUTRON_CONF"
- #TODO(sc68cal) OVS and LB agent uses settings in NEUTRON_PLUGIN_CONF (ml2_conf.ini) but others may not
+ #TODO(sc68cal) OVS and LB agent uses settings in NEUTRON_CORE_PLUGIN_CONF (ml2_conf.ini) but others may not
if is_service_enabled neutron-agent; then
- NEUTRON_CONFIG_ARG+=" --config-file $NEUTRON_PLUGIN_CONF"
+ NEUTRON_CONFIG_ARG+=" --config-file $NEUTRON_CORE_PLUGIN_CONF"
fi
if is_service_enabled neutron-dhcp; then
diff --git a/lib/neutron-legacy b/lib/neutron-legacy
index 1b7c4db..613e0f1 100644
--- a/lib/neutron-legacy
+++ b/lib/neutron-legacy
@@ -24,11 +24,9 @@
# - check_neutron_third_party_integration
# - start_neutron_agents
# - create_neutron_initial_network
-# - setup_neutron_debug
#
# ``unstack.sh`` calls the entry points in this order:
#
-# - teardown_neutron_debug
# - stop_neutron
# - stop_neutron_third_party
# - cleanup_neutron
@@ -125,8 +123,6 @@
Q_META_DATA_IP=${Q_META_DATA_IP:-$SERVICE_HOST}
# Allow Overlapping IP among subnets
Q_ALLOW_OVERLAPPING_IP=${Q_ALLOW_OVERLAPPING_IP:-True}
-# The name of the default q-l3 router
-Q_ROUTER_NAME=${Q_ROUTER_NAME:-router1}
Q_NOTIFY_NOVA_PORT_STATUS_CHANGES=${Q_NOTIFY_NOVA_PORT_STATUS_CHANGES:-True}
Q_NOTIFY_NOVA_PORT_DATA_CHANGES=${Q_NOTIFY_NOVA_PORT_DATA_CHANGES:-True}
VIF_PLUGGING_IS_FATAL=${VIF_PLUGGING_IS_FATAL:-True}
@@ -462,7 +458,7 @@
# Start proxy if enabled
if is_service_enabled tls-proxy; then
- start_tls_proxy '*' $Q_PORT $Q_HOST $Q_PORT_INT &
+ start_tls_proxy neutron '*' $Q_PORT $Q_HOST $Q_PORT_INT
fi
}
diff --git a/lib/neutron_plugins/linuxbridge_agent b/lib/neutron_plugins/linuxbridge_agent
index 7d59e13..d0de2f5 100644
--- a/lib/neutron_plugins/linuxbridge_agent
+++ b/lib/neutron_plugins/linuxbridge_agent
@@ -69,6 +69,7 @@
fi
if [[ "$Q_USE_SECGROUP" == "True" ]]; then
iniset /$Q_PLUGIN_CONF_FILE securitygroup firewall_driver neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
+ enable_kernel_bridge_firewall
else
iniset /$Q_PLUGIN_CONF_FILE securitygroup firewall_driver neutron.agent.firewall.NoopFirewallDriver
fi
diff --git a/lib/neutron_plugins/ml2 b/lib/neutron_plugins/ml2
index 7e80209..e429714 100644
--- a/lib/neutron_plugins/ml2
+++ b/lib/neutron_plugins/ml2
@@ -35,7 +35,11 @@
Q_ML2_PLUGIN_GENEVE_TYPE_OPTIONS=${Q_ML2_PLUGIN_GENEVE_TYPE_OPTIONS:-vni_ranges=$TENANT_TUNNEL_RANGES}
# List of extension drivers to load, use '-' instead of ':-' to allow people to
# explicitly override this to blank
-Q_ML2_PLUGIN_EXT_DRIVERS=${Q_ML2_PLUGIN_EXT_DRIVERS-port_security}
+if [[ "$NEUTRON_PORT_SECURITY" = "True" ]]; then
+ Q_ML2_PLUGIN_EXT_DRIVERS=${Q_ML2_PLUGIN_EXT_DRIVERS-port_security}
+else
+ Q_ML2_PLUGIN_EXT_DRIVERS=${Q_ML2_PLUGIN_EXT_DRIVERS:-}
+fi
# L3 Plugin to load for ML2
# For some flat network environment, they not want to extend L3 plugin.
diff --git a/lib/neutron_plugins/ovs_base b/lib/neutron_plugins/ovs_base
index f6d10ea..baf7d7f 100644
--- a/lib/neutron_plugins/ovs_base
+++ b/lib/neutron_plugins/ovs_base
@@ -83,9 +83,10 @@
function _neutron_ovs_base_configure_firewall_driver {
if [[ "$Q_USE_SECGROUP" == "True" ]]; then
- iniset /$Q_PLUGIN_CONF_FILE securitygroup firewall_driver neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
+ iniset /$Q_PLUGIN_CONF_FILE securitygroup firewall_driver iptables_hybrid
+ enable_kernel_bridge_firewall
else
- iniset /$Q_PLUGIN_CONF_FILE securitygroup firewall_driver neutron.agent.firewall.NoopFirewallDriver
+ iniset /$Q_PLUGIN_CONF_FILE securitygroup firewall_driver noop
fi
}
diff --git a/lib/neutron_plugins/services/l3 b/lib/neutron_plugins/services/l3
index 2e96284..aa61a10 100644
--- a/lib/neutron_plugins/services/l3
+++ b/lib/neutron_plugins/services/l3
@@ -22,6 +22,9 @@
# used.
Q_ASSIGN_GATEWAY_TO_PUBLIC_BRIDGE=${Q_ASSIGN_GATEWAY_TO_PUBLIC_BRIDGE:-True}
+# The name of the default router
+Q_ROUTER_NAME=${Q_ROUTER_NAME:-router1}
+
# If Q_USE_PUBLIC_VETH=True, create and use a veth pair instead of
# PUBLIC_BRIDGE. This is intended to be used with
# Q_USE_PROVIDERNET_FOR_PUBLIC=True.
@@ -80,16 +83,19 @@
PUBLIC_SUBNET_NAME=${PUBLIC_SUBNET_NAME:-"public-subnet"}
# Subnetpool defaults
+USE_SUBNETPOOL=${USE_SUBNETPOOL:-True}
SUBNETPOOL_NAME=${SUBNETPOOL_NAME:-"shared-default-subnetpool"}
-SUBNETPOOL_PREFIX_V4=${SUBNETPOOL_PREFIX_V4:-10.0.0.0/8}
+SUBNETPOOL_PREFIX_V4=${SUBNETPOOL_PREFIX_V4:-10.0.0.0/16}
SUBNETPOOL_PREFIX_V6=${SUBNETPOOL_PREFIX_V6:-2001:db8:8000::/48}
SUBNETPOOL_SIZE_V4=${SUBNETPOOL_SIZE_V4:-24}
SUBNETPOOL_SIZE_V6=${SUBNETPOOL_SIZE_V6:-64}
-default_route_dev=$(ip route | grep ^default | awk '{print $5}')
-die_if_not_set $LINENO default_route_dev "Failure retrieving default route device"
+default_v4_route_devs=$(ip -4 route | grep ^default | awk '{print $5}')
+die_if_not_set $LINENO default_v4_route_devs "Failure retrieving default IPv4 route devices"
+
+default_v6_route_devs=$(ip -6 route | grep ^default | awk '{print $5}')
function _determine_config_l3 {
local opts="--config-file $NEUTRON_CONF --config-file $Q_L3_CONF_FILE"
@@ -121,7 +127,9 @@
_move_neutron_addresses_route "$PUBLIC_INTERFACE" "$OVS_PHYSICAL_BRIDGE" False False "inet6"
fi
else
- sudo iptables -t nat -A POSTROUTING -o $default_route_dev -s $FLOATING_RANGE -j MASQUERADE
+ for d in $default_v4_route_devs; do
+ sudo iptables -t nat -A POSTROUTING -o $d -s $FLOATING_RANGE -j MASQUERADE
+ done
fi
}
@@ -163,6 +171,17 @@
neutron_plugin_create_initial_network_profile $PHYSICAL_NETWORK
fi
+ if is_networking_extension_supported "auto-allocated-topology"; then
+ if [[ "$USE_SUBNETPOOL" == "True" ]]; then
+ if [[ "$IP_VERSION" =~ 4.* ]]; then
+ SUBNETPOOL_V4_ID=$(neutron --os-cloud devstack-admin --os-region "$REGION_NAME" subnetpool-create $SUBNETPOOL_NAME --default-prefixlen $SUBNETPOOL_SIZE_V4 --pool-prefix $SUBNETPOOL_PREFIX_V4 --shared --is-default=True | grep ' id ' | get_field 2)
+ fi
+ if [[ "$IP_VERSION" =~ .*6 ]]; then
+ SUBNETPOOL_V6_ID=$(neutron --os-cloud devstack-admin --os-region "$REGION_NAME" subnetpool-create $SUBNETPOOL_NAME --default-prefixlen $SUBNETPOOL_SIZE_V6 --pool-prefix $SUBNETPOOL_PREFIX_V6 --shared --is-default=True | grep ' id ' | get_field 2)
+ fi
+ fi
+ fi
+
if is_provider_network; then
die_if_not_set $LINENO PHYSICAL_NETWORK "You must specify the PHYSICAL_NETWORK"
die_if_not_set $LINENO PROVIDER_NETWORK_TYPE "You must specify the PROVIDER_NETWORK_TYPE"
@@ -170,14 +189,20 @@
die_if_not_set $LINENO NET_ID "Failure creating NET_ID for $PHYSICAL_NETWORK $project_id"
if [[ "$IP_VERSION" =~ 4.* ]]; then
- SUBNET_ID=$(neutron --os-cloud devstack-admin --os-region "$REGION_NAME" subnet-create --tenant_id $project_id --ip_version 4 ${ALLOCATION_POOL:+--allocation-pool $ALLOCATION_POOL} --name $PROVIDER_SUBNET_NAME --gateway $NETWORK_GATEWAY $NET_ID $FIXED_RANGE | grep ' id ' | get_field 2)
+ if [ -z $SUBNETPOOL_V4_ID ]; then
+ fixed_range_v4=$FIXED_RANGE
+ fi
+ SUBNET_ID=$(neutron --os-cloud devstack-admin --os-region "$REGION_NAME" subnet-create --tenant_id $project_id --ip_version 4 ${ALLOCATION_POOL:+--allocation-pool $ALLOCATION_POOL} --name $PROVIDER_SUBNET_NAME --gateway $NETWORK_GATEWAY ${SUBNETPOOL_V4_ID:+--subnetpool $SUBNETPOOL_V4_ID} $NET_ID $fixed_range_v4 | grep ' id ' | get_field 2)
die_if_not_set $LINENO SUBNET_ID "Failure creating SUBNET_ID for $PROVIDER_SUBNET_NAME $project_id"
fi
if [[ "$IP_VERSION" =~ .*6 ]]; then
die_if_not_set $LINENO IPV6_PROVIDER_FIXED_RANGE "IPV6_PROVIDER_FIXED_RANGE has not been set, but Q_USE_PROVIDERNET_FOR_PUBLIC is true and IP_VERSION includes 6"
die_if_not_set $LINENO IPV6_PROVIDER_NETWORK_GATEWAY "IPV6_PROVIDER_NETWORK_GATEWAY has not been set, but Q_USE_PROVIDERNET_FOR_PUBLIC is true and IP_VERSION includes 6"
- SUBNET_V6_ID=$(neutron --os-cloud devstack-admin --os-region "$REGION_NAME" subnet-create --tenant_id $project_id --ip_version 6 --ipv6-address-mode $IPV6_ADDRESS_MODE --gateway $IPV6_PROVIDER_NETWORK_GATEWAY --name $IPV6_PROVIDER_SUBNET_NAME $NET_ID $IPV6_PROVIDER_FIXED_RANGE | grep 'id' | get_field 2)
+ if [ -z $SUBNETPOOL_V6_ID ]; then
+ fixed_range_v6=$IPV6_PROVIDER_FIXED_RANGE
+ fi
+ SUBNET_V6_ID=$(neutron --os-cloud devstack-admin --os-region "$REGION_NAME" subnet-create --tenant_id $project_id --ip_version 6 --ipv6-address-mode $IPV6_ADDRESS_MODE --gateway $IPV6_PROVIDER_NETWORK_GATEWAY --name $IPV6_PROVIDER_SUBNET_NAME ${SUBNETPOOL_V6_ID:+--subnetpool $SUBNETPOOL_V6_ID} $NET_ID $fixed_range_v6 | grep 'id' | get_field 2)
die_if_not_set $LINENO SUBNET_V6_ID "Failure creating SUBNET_V6_ID for $IPV6_PROVIDER_SUBNET_NAME $project_id"
fi
@@ -214,14 +239,8 @@
fi
EXTERNAL_NETWORK_FLAGS="--router:external"
- if is_networking_extension_supported "auto-allocated-topology" && is_networking_extension_supported "subnet_allocation"; then
+ if is_networking_extension_supported "auto-allocated-topology"; then
EXTERNAL_NETWORK_FLAGS="$EXTERNAL_NETWORK_FLAGS --is-default"
- if [[ "$IP_VERSION" =~ 4.* ]]; then
- SUBNETPOOL_V4_ID=$(neutron --os-cloud devstack-admin --os-region "$REGION_NAME" subnetpool-create $SUBNETPOOL_NAME --default-prefixlen $SUBNETPOOL_SIZE_V4 --pool-prefix $SUBNETPOOL_PREFIX_V4 --shared --is-default=True | grep ' id ' | get_field 2)
- fi
- if [[ "$IP_VERSION" =~ .*6 ]]; then
- SUBNETPOOL_V6_ID=$(neutron --os-cloud devstack-admin --os-region "$REGION_NAME" subnetpool-create $SUBNETPOOL_NAME --default-prefixlen $SUBNETPOOL_SIZE_V6 --pool-prefix $SUBNETPOOL_PREFIX_V6 --shared --is-default=True | grep ' id ' | get_field 2)
- fi
fi
# Create an external network, and a subnet. Configure the external network as router gw
if [ "$Q_USE_PROVIDERNET_FOR_PUBLIC" = "True" ]; then
@@ -246,13 +265,17 @@
# Create private IPv4 subnet
function _neutron_create_private_subnet_v4 {
local project_id=$1
+ if [ -z $SUBNETPOOL_V4_ID ]; then
+ fixed_range_v4=$FIXED_RANGE
+ fi
local subnet_params="--tenant-id $project_id "
subnet_params+="--ip_version 4 "
if [[ -n "$NETWORK_GATEWAY" ]]; then
subnet_params+="--gateway $NETWORK_GATEWAY "
fi
subnet_params+="--name $PRIVATE_SUBNET_NAME "
- subnet_params+="$NET_ID $FIXED_RANGE"
+ subnet_params+="${SUBNETPOOL_V4_ID:+--subnetpool $SUBNETPOOL_V4_ID} "
+ subnet_params+="$NET_ID $fixed_range_v4"
local subnet_id
subnet_id=$(neutron --os-cloud devstack-admin --os-region "$REGION_NAME" subnet-create $subnet_params | grep ' id ' | get_field 2)
die_if_not_set $LINENO subnet_id "Failure creating private IPv4 subnet for $project_id"
@@ -265,13 +288,17 @@
die_if_not_set $LINENO IPV6_RA_MODE "IPV6 RA Mode not set"
die_if_not_set $LINENO IPV6_ADDRESS_MODE "IPV6 Address Mode not set"
local ipv6_modes="--ipv6-ra-mode $IPV6_RA_MODE --ipv6-address-mode $IPV6_ADDRESS_MODE"
+ if [ -z $SUBNETPOOL_V6_ID ]; then
+ fixed_range_v6=$FIXED_RANGE_V6
+ fi
local subnet_params="--tenant-id $project_id "
subnet_params+="--ip_version 6 "
if [[ -n "$IPV6_PRIVATE_NETWORK_GATEWAY" ]]; then
subnet_params+="--gateway $IPV6_PRIVATE_NETWORK_GATEWAY "
fi
subnet_params+="--name $IPV6_PRIVATE_SUBNET_NAME "
- subnet_params+="$NET_ID $FIXED_RANGE_V6 $ipv6_modes"
+ subnet_params+="${SUBNETPOOL_V6_ID:+--subnetpool $SUBNETPOOL_V6_ID} "
+ subnet_params+="$NET_ID $fixed_range_v6 $ipv6_modes"
local ipv6_subnet_id
ipv6_subnet_id=$(neutron --os-cloud devstack-admin --os-region "$REGION_NAME" subnet-create $subnet_params | grep ' id ' | get_field 2)
die_if_not_set $LINENO ipv6_subnet_id "Failure creating private IPv6 subnet for $project_id"
@@ -346,7 +373,11 @@
fi
ROUTER_GW_IP=$(neutron --os-cloud devstack-admin --os-region "$REGION_NAME" port-list -c fixed_ips -c device_owner | grep router_gateway | awk -F'ip_address' '{ print $2 }' | cut -f3 -d\" | tr '\n' ' ')
die_if_not_set $LINENO ROUTER_GW_IP "Failure retrieving ROUTER_GW_IP"
- sudo ip route replace $FIXED_RANGE via $ROUTER_GW_IP
+ local replace_range=${SUBNETPOOL_PREFIX_V4}
+ if [[ -z "${SUBNETPOOL_V4_ID}" ]]; then
+ replace_range=${FIXED_RANGE}
+ fi
+ sudo ip route replace $replace_range via $ROUTER_GW_IP
fi
_neutron_set_router_id
fi
@@ -371,11 +402,16 @@
# This logic is specific to using the l3-agent for layer 3
if is_service_enabled q-l3 || is_service_enabled neutron-l3; then
- # Ensure IPv6 RAs are accepted on the interface with the default route.
+ # Ensure IPv6 RAs are accepted on interfaces with a default route.
# This is needed for neutron-based devstack clouds to work in
# IPv6-only clouds in the gate. Please do not remove this without
# talking to folks in Infra.
- sudo sysctl -w net.ipv6.conf.$default_route_dev.accept_ra=2
+ for d in $default_v6_route_devs; do
+ # Slashes must be used in this sysctl command because route devices
+ # can have dots in their names. If dots were used, dots in the
+ # device name would be reinterpreted as a slash, causing an error.
+ sudo sysctl -w net/ipv6/conf/$d/accept_ra=2
+ done
# Ensure IPv6 forwarding is enabled on the host
sudo sysctl -w net.ipv6.conf.all.forwarding=1
# Configure and enable public bridge
@@ -390,7 +426,11 @@
# Configure interface for public bridge
sudo ip -6 addr replace $ipv6_ext_gw_ip/$ipv6_cidr_len dev $ext_gw_interface
- sudo ip -6 route replace $FIXED_RANGE_V6 via $IPV6_ROUTER_GW_IP dev $ext_gw_interface
+ local replace_range=${SUBNETPOOL_PREFIX_V6}
+ if [[ -z "${SUBNETPOOL_V6_ID}" ]]; then
+ replace_range=${FIXED_RANGE_V6}
+ fi
+ sudo ip -6 route replace $replace_range via $IPV6_ROUTER_GW_IP dev $ext_gw_interface
fi
_neutron_set_router_id
fi
diff --git a/lib/nova b/lib/nova
index 670f605..f38fb8b 100644
--- a/lib/nova
+++ b/lib/nova
@@ -302,8 +302,6 @@
# Put config files in ``/etc/nova`` for everyone to find
sudo install -d -o $STACK_USER $NOVA_CONF_DIR
- install_default_policy nova
-
configure_rootwrap nova
if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then
@@ -461,7 +459,6 @@
iniset $NOVA_CONF DEFAULT rootwrap_config "$NOVA_CONF_DIR/rootwrap.conf"
iniset $NOVA_CONF DEFAULT scheduler_driver "$SCHEDULER"
iniset $NOVA_CONF DEFAULT scheduler_default_filters "$FILTERS"
- iniset $NOVA_CONF DEFAULT force_dhcp_release "True"
iniset $NOVA_CONF DEFAULT default_floating_pool "$PUBLIC_NETWORK_NAME"
iniset $NOVA_CONF DEFAULT s3_host "$SERVICE_HOST"
iniset $NOVA_CONF DEFAULT s3_port "$S3_SERVICE_PORT"
@@ -557,7 +554,6 @@
# For multi-host, this should be the management ip of the compute host.
VNCSERVER_LISTEN=${VNCSERVER_LISTEN=$NOVA_SERVICE_LOCAL_HOST}
VNCSERVER_PROXYCLIENT_ADDRESS=${VNCSERVER_PROXYCLIENT_ADDRESS=$NOVA_SERVICE_LOCAL_HOST}
- iniset $NOVA_CONF vnc enabled true
iniset $NOVA_CONF vnc vncserver_listen "$VNCSERVER_LISTEN"
iniset $NOVA_CONF vnc vncserver_proxyclient_address "$VNCSERVER_PROXYCLIENT_ADDRESS"
iniset $NOVA_CONF vnc novncproxy_host "$NOVA_SERVICE_LISTEN_ADDRESS"
@@ -575,8 +571,6 @@
iniset $NOVA_CONF spice server_listen "$SPICESERVER_LISTEN"
iniset $NOVA_CONF spice server_proxyclient_address "$SPICESERVER_PROXYCLIENT_ADDRESS"
iniset $NOVA_CONF spice html5proxy_host "$NOVA_SERVICE_LISTEN_ADDRESS"
- else
- iniset $NOVA_CONF spice enabled false
fi
# Set the oslo messaging driver to the typical default. This does not
@@ -808,7 +802,7 @@
# Start proxies if enabled
if is_service_enabled tls-proxy; then
- start_tls_proxy '*' $NOVA_SERVICE_PORT $NOVA_SERVICE_HOST $NOVA_SERVICE_PORT_INT &
+ start_tls_proxy nova '*' $NOVA_SERVICE_PORT $NOVA_SERVICE_HOST $NOVA_SERVICE_PORT_INT
fi
export PATH=$old_path
@@ -831,6 +825,8 @@
# ``sg`` is used in run_process to execute nova-compute as a member of the
# **$LIBVIRT_GROUP** group.
run_process n-cpu "$NOVA_BIN_DIR/nova-compute --config-file $compute_cell_conf" $LIBVIRT_GROUP
+ elif [[ "$VIRT_DRIVER" = 'lxd' ]]; then
+ run_process n-cpu "$NOVA_BIN_DIR/nova-compute --config-file $compute_cell_conf" $LXD_GROUP
elif [[ "$VIRT_DRIVER" = 'fake' ]]; then
local i
for i in `seq 1 $NUMBER_FAKE_NOVA_COMPUTE`; do
@@ -868,9 +864,13 @@
run_process n-cond "$NOVA_BIN_DIR/nova-conductor --config-file $compute_cell_conf"
run_process n-cell-region "$NOVA_BIN_DIR/nova-cells --config-file $api_cell_conf"
run_process n-cell-child "$NOVA_BIN_DIR/nova-cells --config-file $compute_cell_conf"
-
run_process n-crt "$NOVA_BIN_DIR/nova-cert --config-file $api_cell_conf"
+
+ if is_service_enabled n-net; then
+ enable_kernel_bridge_firewall
+ fi
run_process n-net "$NOVA_BIN_DIR/nova-network --config-file $compute_cell_conf"
+
run_process n-sch "$NOVA_BIN_DIR/nova-scheduler --config-file $compute_cell_conf"
run_process n-api-meta "$NOVA_BIN_DIR/nova-api-metadata --config-file $compute_cell_conf"
diff --git a/lib/nova_plugins/functions-libvirt b/lib/nova_plugins/functions-libvirt
index 6b7c7c2..5e7695a 100644
--- a/lib/nova_plugins/functions-libvirt
+++ b/lib/nova_plugins/functions-libvirt
@@ -23,12 +23,7 @@
# Installs required distro-specific libvirt packages.
function install_libvirt {
if is_ubuntu; then
- if is_arch "aarch64" && [[ ${DISTRO} == "trusty" ]]; then
- install_package qemu-system
- else
- install_package qemu-kvm
- install_package libguestfs0
- fi
+ install_package qemu-system
install_package libvirt-bin libvirt-dev
pip_install_gr libvirt-python
if [[ "$EBTABLES_RACE_FIX" == "True" ]]; then
diff --git a/lib/nova_plugins/hypervisor-ironic b/lib/nova_plugins/hypervisor-ironic
index c40427c..7ffd14d 100644
--- a/lib/nova_plugins/hypervisor-ironic
+++ b/lib/nova_plugins/hypervisor-ironic
@@ -45,11 +45,13 @@
iniset $NOVA_CONF DEFAULT ram_allocation_ratio 1.0
iniset $NOVA_CONF DEFAULT reserved_host_memory_mb 0
# ironic section
- iniset $NOVA_CONF ironic admin_username admin
- iniset $NOVA_CONF ironic admin_password $ADMIN_PASSWORD
- iniset $NOVA_CONF ironic admin_url $KEYSTONE_AUTH_URI/v2.0
- iniset $NOVA_CONF ironic admin_tenant_name demo
- iniset $NOVA_CONF ironic api_endpoint $IRONIC_SERVICE_PROTOCOL://$IRONIC_HOSTPORT/v1
+ iniset $NOVA_CONF ironic auth_type password
+ iniset $NOVA_CONF ironic username admin
+ iniset $NOVA_CONF ironic password $ADMIN_PASSWORD
+ iniset $NOVA_CONF ironic auth_url $KEYSTONE_AUTH_URI/v3
+ iniset $NOVA_CONF ironic project_domain_id default
+ iniset $NOVA_CONF ironic user_domain_id default
+ iniset $NOVA_CONF ironic project_name demo
}
# install_nova_hypervisor() - Install external components
diff --git a/lib/nova_plugins/hypervisor-libvirt b/lib/nova_plugins/hypervisor-libvirt
index b4eb3c1..167ab6f 100644
--- a/lib/nova_plugins/hypervisor-libvirt
+++ b/lib/nova_plugins/hypervisor-libvirt
@@ -40,7 +40,8 @@
configure_libvirt
iniset $NOVA_CONF libvirt virt_type "$LIBVIRT_TYPE"
iniset $NOVA_CONF libvirt cpu_mode "none"
- iniset $NOVA_CONF libvirt use_usb_tablet "False"
+ # Do not enable USB tablet input devices to avoid QEMU CPU overhead.
+ iniset $NOVA_CONF DEFAULT pointer_model "ps2mouse"
iniset $NOVA_CONF libvirt live_migration_uri "qemu+ssh://$STACK_USER@%s/system"
iniset $NOVA_CONF DEFAULT default_ephemeral_format "ext4"
iniset $NOVA_CONF DEFAULT compute_driver "libvirt.LibvirtDriver"
diff --git a/lib/swift b/lib/swift
index 0c74411..f9ea028 100644
--- a/lib/swift
+++ b/lib/swift
@@ -806,7 +806,7 @@
done
if is_service_enabled tls-proxy; then
local proxy_port=${SWIFT_DEFAULT_BIND_PORT}
- start_tls_proxy '*' $proxy_port $SERVICE_HOST $SWIFT_DEFAULT_BIND_PORT_INT &
+ start_tls_proxy swift '*' $proxy_port $SERVICE_HOST $SWIFT_DEFAULT_BIND_PORT_INT
fi
run_process s-proxy "$SWIFT_DIR/bin/swift-proxy-server ${SWIFT_CONF_DIR}/proxy-server.conf -v"
if [[ ${SWIFT_REPLICAS} == 1 ]]; then
diff --git a/lib/tempest b/lib/tempest
index 67fb454..657c3ad 100644
--- a/lib/tempest
+++ b/lib/tempest
@@ -15,7 +15,6 @@
# - ``SERVICE_HOST``
# - ``BASE_SQL_CONN`` ``lib/database`` declares
# - ``PUBLIC_NETWORK_NAME``
-# - ``Q_ROUTER_NAME``
# - ``VIRT_DRIVER``
# - ``LIBVIRT_TYPE``
# - ``KEYSTONE_SERVICE_PROTOCOL``, ``KEYSTONE_SERVICE_HOST`` from lib/keystone
@@ -268,8 +267,7 @@
if [[ "$TEMPEST_HAS_ADMIN" == "True" ]]; then
iniset $TEMPEST_CONFIG auth admin_username $admin_username
iniset $TEMPEST_CONFIG auth admin_password "$password"
- iniset $TEMPEST_CONFIG auth admin_tenant_name $admin_project_name
- iniset $TEMPEST_CONFIG auth admin_tenant_id $admin_project_id
+ iniset $TEMPEST_CONFIG auth admin_project_name $admin_project_name
iniset $TEMPEST_CONFIG auth admin_domain_name $admin_domain_name
fi
if [ "$ENABLE_IDENTITY_V2" == "False" ]; then
@@ -307,17 +305,12 @@
fi
# Compute
- iniset $TEMPEST_CONFIG compute ssh_user ${DEFAULT_INSTANCE_USER:-cirros} # DEPRECATED
iniset $TEMPEST_CONFIG compute image_ref $image_uuid
iniset $TEMPEST_CONFIG compute image_ref_alt $image_uuid_alt
- iniset $TEMPEST_CONFIG compute image_alt_ssh_user ${ALT_INSTANCE_USER:-cirros}
iniset $TEMPEST_CONFIG compute flavor_ref $flavor_ref
iniset $TEMPEST_CONFIG compute flavor_ref_alt $flavor_ref_alt
- iniset $TEMPEST_CONFIG compute ssh_connect_method $ssh_connect_method
- # set the equiv validation option here as well to ensure they are
- # in sync. They shouldn't be separate options.
iniset $TEMPEST_CONFIG validation connect_method $ssh_connect_method
- if [[ ! $(is_service_enabled n-cell) && ! $(is_service_enabled neutron) ]]; then
+ if ! is_service_enabled n-cell && ! is_service_enabled neutron; then
iniset $TEMPEST_CONFIG compute fixed_network_name $PRIVATE_NETWORK_NAME
fi
@@ -354,6 +347,8 @@
iniset $TEMPEST_CONFIG compute max_microversion $tempest_compute_max_microversion
fi
+ # TODO(mriedem): Remove allow_port_security_disabled after liberty-eol.
+ iniset $TEMPEST_CONFIG compute-feature-enabled allow_port_security_disabled True
iniset $TEMPEST_CONFIG compute-feature-enabled personality ${ENABLE_FILE_INJECTION:-False}
iniset $TEMPEST_CONFIG compute-feature-enabled resize True
iniset $TEMPEST_CONFIG compute-feature-enabled live_migration ${LIVE_MIGRATION_AVAILABLE:-False}
@@ -386,6 +381,7 @@
iniset $TEMPEST_CONFIG network default_network "$FIXED_RANGE"
iniset $TEMPEST_CONFIG network-feature-enabled ipv6 "$IPV6_ENABLED"
iniset $TEMPEST_CONFIG network-feature-enabled ipv6_subnet_attributes "$IPV6_SUBNET_ATTRIBUTES_ENABLED"
+ iniset $TEMPEST_CONFIG network-feature-enabled port_security $NEUTRON_PORT_SECURITY
# Orchestration Tests
if is_service_enabled heat; then
@@ -418,9 +414,6 @@
iniset $TEMPEST_CONFIG scenario aki_img_file "cirros-${CIRROS_VERSION}-${CIRROS_ARCH}-vmlinuz"
iniset $TEMPEST_CONFIG scenario img_file "cirros-${CIRROS_VERSION}-${CIRROS_ARCH}-disk.img"
- # Telemetry
- iniset $TEMPEST_CONFIG telemetry-feature-enabled events "True"
-
# Validation
iniset $TEMPEST_CONFIG validation run_validation ${TEMPEST_RUN_VALIDATION:-False}
iniset $TEMPEST_CONFIG validation ip_version_for_ssh 4
diff --git a/lib/tls b/lib/tls
index ca57ed4..40f3e81 100644
--- a/lib/tls
+++ b/lib/tls
@@ -16,7 +16,6 @@
#
# - configure_CA
# - init_CA
-# - cleanup_CA
# - configure_proxy
# - start_tls_proxy
@@ -221,26 +220,13 @@
fi
}
-# Clean up the CA files
-# cleanup_CA
-function cleanup_CA {
- if is_fedora; then
- sudo rm -f /usr/share/pki/ca-trust-source/anchors/devstack-chain.pem
- sudo update-ca-trust
- elif is_ubuntu; then
- sudo rm -f /usr/local/share/ca-certificates/devstack-int.crt
- sudo rm -f /usr/local/share/ca-certificates/devstack-root.crt
- sudo update-ca-certificates
- fi
-}
-
# Create an initial server cert
# init_cert
function init_cert {
if [[ ! -r $DEVSTACK_CERT ]]; then
if [[ -n "$TLS_IP" ]]; then
# Lie to let incomplete match routines work
- TLS_IP="DNS:$TLS_IP"
+ TLS_IP="DNS:$TLS_IP,IP:$TLS_IP"
fi
make_cert $INT_CA_DIR $DEVSTACK_CERT_NAME $DEVSTACK_HOSTNAME "$TLS_IP"
@@ -263,6 +249,9 @@
else
alt_names="$alt_names,DNS:$SERVICE_HOST"
fi
+ if is_ipv4_address "$SERVICE_HOST" ; then
+ alt_names="$alt_names,IP:$SERVICE_HOST"
+ fi
fi
# Only generate the certificate if it doesn't exist yet on the disk
@@ -336,15 +325,17 @@
create_CA_base $ca_dir
create_CA_config $ca_dir 'Root CA'
- # Create a self-signed certificate valid for 5 years
- $OPENSSL req -config $ca_dir/ca.conf \
- -x509 \
- -nodes \
- -newkey rsa \
- -days 21360 \
- -keyout $ca_dir/private/cacert.key \
- -out $ca_dir/cacert.pem \
- -outform PEM
+ if [ ! -r "$ca_dir/cacert.pem" ]; then
+ # Create a self-signed certificate valid for 5 years
+ $OPENSSL req -config $ca_dir/ca.conf \
+ -x509 \
+ -nodes \
+ -newkey rsa \
+ -days 21360 \
+ -keyout $ca_dir/private/cacert.key \
+ -out $ca_dir/cacert.pem \
+ -outform PEM
+ fi
}
# If a non-system python-requests is installed then it will use the
@@ -455,27 +446,85 @@
# Starts the TLS proxy for the given IP/ports
# start_tls_proxy front-host front-port back-host back-port
function start_tls_proxy {
- local f_host=$1
- local f_port=$2
- local b_host=$3
- local b_port=$4
+ local b_service="$1-tls-proxy"
+ local f_host=$2
+ local f_port=$3
+ local b_host=$4
+ local b_port=$5
- stud $STUD_PROTO -f $f_host,$f_port -b $b_host,$b_port $DEVSTACK_CERT 2>/dev/null
+ local config_file
+ config_file=$(apache_site_config_for $b_service)
+ local listen_string
+ # Default apache configs on ubuntu and centos listen on 80 and 443
+ # newer apache seems fine with duplicate listen directive but older
+ # apache does not so special case 80 and 443.
+ if [[ "$f_port" == "80" ]] || [[ "$f_port" == "443" ]]; then
+ listen_string=""
+ elif [[ "$f_host" == '*' ]] ; then
+ listen_string="Listen $f_port"
+ else
+ listen_string="Listen $f_host:$f_port"
+ fi
+ sudo bash -c "cat >$config_file" << EOF
+$listen_string
+
+<VirtualHost $f_host:$f_port>
+ SSLEngine On
+ SSLCertificateFile $DEVSTACK_CERT
+
+ <Location />
+ ProxyPass http://$b_host:$b_port/ retry=5 nocanon
+ ProxyPassReverse http://$b_host:$b_port/
+ </Location>
+ ErrorLog $APACHE_LOG_DIR/tls-proxy_error.log
+ ErrorLogFormat "[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] [frontend\ %A] %M% ,\ referer\ %{Referer}i"
+ LogLevel info
+ CustomLog $APACHE_LOG_DIR/tls-proxy_access.log common
+ LogFormat "%v %h %l %u %t \"%r\" %>s %b"
+</VirtualHost>
+EOF
+ for mod in ssl proxy proxy_http; do
+ enable_apache_mod $mod
+ done
+ enable_apache_site $b_service
+ # Only a reload is required to pull in new vhosts
+ # Note that a restart reliably fails on centos7 and trusty
+ # because apache can't open port 80 because the old apache
+ # still has it open. Using reload fixes trusty but centos7
+ # still doesn't work.
+ reload_apache_server
}
+# Follow TLS proxy
+function follow_tls_proxy {
+ sudo touch /var/log/$APACHE_NAME/tls-proxy_error.log
+ tail_log tls-error /var/log/$APACHE_NAME/tls-proxy_error.log
+ sudo touch /var/log/$APACHE_NAME/tls-proxy_access.log
+ tail_log tls-proxy /var/log/$APACHE_NAME/tls-proxy_access.log
+}
# Cleanup Functions
# =================
-# Stops all stud processes. This should be done only after all services
+# Stops the apache service. This should be done only after all services
# using tls configuration are down.
function stop_tls_proxy {
- killall stud
+ stop_apache_server
}
-# Remove CA along with configuration, as well as the local server certificate
+# Clean up the CA files
+# cleanup_CA
function cleanup_CA {
- rm -rf "$DATA_DIR/CA" "$DEVSTACK_CERT"
+ if is_fedora; then
+ sudo rm -f /usr/share/pki/ca-trust-source/anchors/devstack-chain.pem
+ sudo update-ca-trust
+ elif is_ubuntu; then
+ sudo rm -f /usr/local/share/ca-certificates/devstack-int.crt
+ sudo rm -f /usr/local/share/ca-certificates/devstack-root.crt
+ sudo update-ca-certificates
+ fi
+
+ rm -rf "$INT_CA_DIR" "$ROOT_CA_DIR" "$DEVSTACK_CERT"
}
# Tell emacs to use shell-script-mode
diff --git a/samples/local.sh b/samples/local.sh
index 634f6dd..9cd0bdc 100755
--- a/samples/local.sh
+++ b/samples/local.sh
@@ -36,7 +36,7 @@
# Add first keypair found in localhost:$HOME/.ssh
for i in $HOME/.ssh/id_rsa.pub $HOME/.ssh/id_dsa.pub; do
if [[ -r $i ]]; then
- nova keypair-add --pub_key=$i `hostname`
+ openstack keypair create --public-key $i `hostname`
break
fi
done
@@ -53,8 +53,8 @@
MI_NAME=m1.micro
# Create micro flavor if not present
- if [[ -z $(nova flavor-list | grep $MI_NAME) ]]; then
- nova flavor-create $MI_NAME 6 128 0 1
+ if [[ -z $(openstack flavor list | grep $MI_NAME) ]]; then
+ openstack flavor create $MI_NAME --id 6 --ram 128 --disk 0 --vcpus 1
fi
@@ -62,7 +62,7 @@
# ----------
# Add tcp/22 and icmp to default security group
- nova secgroup-add-rule default tcp 22 22 0.0.0.0/0
- nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0
+ openstack security group rule create --project $OS_PROJECT_NAME default --protocol tcp --ingress --dst-port 22
+ openstack security group rule create --project $OS_PROJECT_NAME default --protocol icmp
fi
diff --git a/stack.sh b/stack.sh
index f47842b..54485b6 100755
--- a/stack.sh
+++ b/stack.sh
@@ -192,7 +192,7 @@
# Warn users who aren't on an explicitly supported distro, but allow them to
# override check and attempt installation with ``FORCE=yes ./stack``
-if [[ ! ${DISTRO} =~ (trusty|wily|xenial|7.0|wheezy|sid|testing|jessie|f23|f24|rhel7|kvmibm1) ]]; then
+if [[ ! ${DISTRO} =~ (trusty|xenial|yakkety|7.0|wheezy|sid|testing|jessie|f23|f24|rhel7|kvmibm1) ]]; then
echo "WARNING: this script has not been tested on $DISTRO"
if [[ "$FORCE" != "yes" ]]; then
die $LINENO "If you wish to run this script anyway run with FORCE=yes"
@@ -993,6 +993,10 @@
fi
screen -r $SCREEN_NAME -X hardstatus alwayslastline "$SCREEN_HARDSTATUS"
screen -r $SCREEN_NAME -X setenv PROMPT_COMMAND /bin/true
+
+ if is_service_enabled tls-proxy; then
+ follow_tls_proxy
+ fi
fi
# Clear ``screenrc`` file
@@ -1021,21 +1025,12 @@
# Keystone
# --------
-if is_service_enabled keystone; then
- echo_summary "Starting Keystone"
-
- if [ "$KEYSTONE_AUTH_HOST" == "$SERVICE_HOST" ]; then
- init_keystone
- start_keystone
- bootstrap_keystone
- fi
-
- # Rather than just export these, we write them out to a
- # intermediate userrc file that can also be used to debug if
- # something goes wrong between here and running
- # tools/create_userrc.sh (this script relies on services other
- # than keystone being available, so we can't call it right now)
- cat > $TOP_DIR/userrc_early <<EOF
+# Rather than just export these, we write them out to a
+# intermediate userrc file that can also be used to debug if
+# something goes wrong between here and running
+# tools/create_userrc.sh (this script relies on services other
+# than keystone being available, so we can't call it right now)
+cat > $TOP_DIR/userrc_early <<EOF
# Use this for debugging issues before files in accrc are created
# Set up password auth credentials now that Keystone is bootstrapped
@@ -1050,11 +1045,21 @@
EOF
- if is_service_enabled tls-proxy; then
- echo "export OS_CACERT=$INT_CA_DIR/ca-chain.pem" >> $TOP_DIR/userrc_early
- fi
+if is_service_enabled tls-proxy; then
+ echo "export OS_CACERT=$INT_CA_DIR/ca-chain.pem" >> $TOP_DIR/userrc_early
+ start_tls_proxy http-services '*' 443 $SERVICE_HOST 80
+fi
- source $TOP_DIR/userrc_early
+source $TOP_DIR/userrc_early
+
+if is_service_enabled keystone; then
+ echo_summary "Starting Keystone"
+
+ if [ "$KEYSTONE_AUTH_HOST" == "$SERVICE_HOST" ]; then
+ init_keystone
+ start_keystone
+ bootstrap_keystone
+ fi
create_keystone_accounts
create_nova_accounts
@@ -1220,11 +1225,6 @@
echo_summary "Uploading images"
- # Option to upload legacy ami-tty, which works with xenserver
- if [[ -n "$UPLOAD_LEGACY_TTY" ]]; then
- IMAGE_URLS="${IMAGE_URLS:+${IMAGE_URLS},}https://github.com/downloads/citrix-openstack/warehouse/tty.tgz"
- fi
-
for image_url in ${IMAGE_URLS//,/ }; do
upload_image $image_url
done
@@ -1388,12 +1388,7 @@
# ===============
# Prepare bash completion for OSC
-#
-# BUG: https://bugs.launchpad.net/python-openstackclient/+bug/1619274
-# the os-cloud param should not be required but if we don't provide it
-# then this command hangs indefinitely if something is wrong with
-# default environment credentials.
-openstack --os-cloud=devstack complete | sudo tee /etc/bash_completion.d/osc.bash_completion > /dev/null
+openstack complete | sudo tee /etc/bash_completion.d/osc.bash_completion > /dev/null
# If cinder is configured, set global_filter for PV devices
if is_service_enabled cinder; then
diff --git a/stackrc b/stackrc
index c14085a..ea8b044 100644
--- a/stackrc
+++ b/stackrc
@@ -586,6 +586,9 @@
LIBVIRT_GROUP=libvirtd
fi
;;
+ lxd)
+ LXD_GROUP=${LXD_GROUP:-"lxd"}
+ ;;
fake)
NUMBER_FAKE_NOVA_COMPUTE=${NUMBER_FAKE_NOVA_COMPUTE:-1}
;;
@@ -775,6 +778,9 @@
HOST_IPV6=$(get_default_host_ip "" "" "$HOST_IP_IFACE" "$HOST_IPV6" "inet6")
+# Whether or not the port_security extension should be enabled for Neutron.
+NEUTRON_PORT_SECURITY=$(trueorfalse True NEUTRON_PORT_SECURITY)
+
# SERVICE IP version
# This is the IP version that services should be listening on, as well
# as using to register their endpoints with keystone.
diff --git a/tools/create_userrc.sh b/tools/create_userrc.sh
index b6db5d1..30d1a01 100755
--- a/tools/create_userrc.sh
+++ b/tools/create_userrc.sh
@@ -193,7 +193,6 @@
export OS_AUTH_URL="$OS_AUTH_URL"
export OS_CACERT="$OS_CACERT"
export NOVA_CERT="$ACCOUNT_DIR/cacert.pem"
-export OS_AUTH_TYPE=v2password
EOF
if [ -n "$ADDPASS" ]; then
echo "export OS_PASSWORD=\"$user_passwd\"" >>"$rcfile"
diff --git a/unstack.sh b/unstack.sh
index d93b835..c05d1f0 100755
--- a/unstack.sh
+++ b/unstack.sh
@@ -97,11 +97,6 @@
# Phase: unstack
run_phase unstack
-if [[ "$Q_USE_DEBUG_COMMAND" == "True" ]]; then
- source $TOP_DIR/openrc
- teardown_neutron_debug
-fi
-
# Call service stop
if is_service_enabled heat; then
@@ -189,11 +184,13 @@
fi
fi
-# BUG: maybe it doesn't exist? We should isolate this further down.
# NOTE: Cinder automatically installs the lvm2 package, independently of the
-# enabled backends. So if Cinder is enabled, we are sure lvm (lvremove,
-# /etc/lvm/lvm.conf, etc.) is here.
-if is_service_enabled cinder; then
+# enabled backends. So if Cinder is enabled, and installed successfully we are
+# sure lvm2 (lvremove, /etc/lvm/lvm.conf, etc.) is here.
+if is_service_enabled cinder && is_package_installed lvm2; then
+ # Using /bin/true here indicates a BUG - maybe the
+ # DEFAULT_VOLUME_GROUP_NAME doesn't exist? We should
+ # isolate this further down in lib/cinder cleanup.
clean_lvm_volume_group $DEFAULT_VOLUME_GROUP_NAME || /bin/true
clean_lvm_filter
fi