Merge "Clean up compile_ovn function's parameters"
diff --git a/.zuul.yaml b/.zuul.yaml
index 3945faf..248a56b 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -107,6 +107,16 @@
- controller
- nodeset:
+ name: devstack-single-node-openeuler-20.03-sp2
+ nodes:
+ - name: controller
+ label: openEuler-20-03-LTS-SP2
+ groups:
+ - name: tempest
+ nodes:
+ - controller
+
+- nodeset:
name: openstack-two-node
nodes:
- name: controller
@@ -432,7 +442,7 @@
PUBLIC_BRIDGE_MTU: '{{ external_bridge_mtu }}'
devstack_services:
# Shared services
- dstat: true
+ dstat: false
etcd3: true
memory_tracker: true
mysql: true
@@ -441,7 +451,7 @@
subnode:
devstack_services:
# Shared services
- dstat: true
+ dstat: false
memory_tracker: true
devstack_localrc:
# Multinode specific settings
@@ -507,7 +517,7 @@
# Core services enabled for this branch.
# This list replaces the test-matrix.
# Shared services
- dstat: true
+ dstat: false
etcd3: true
memory_tracker: true
mysql: true
@@ -557,7 +567,7 @@
# Core services enabled for this branch.
# This list replaces the test-matrix.
# Shared services
- dstat: true
+ dstat: false
memory_tracker: true
tls-proxy: true
# Nova services
@@ -609,6 +619,7 @@
# Keep enabeling the services here to run with system scope
CINDER_ENFORCE_SCOPE: true
GLANCE_ENFORCE_SCOPE: true
+ NEUTRON_ENFORCE_SCOPE: true
- job:
name: devstack-multinode
@@ -684,6 +695,20 @@
q-agt: true
- job:
+ name: devstack-platform-openEuler-20.03-SP2
+ parent: tempest-full-py3
+ description: openEuler 20.03 SP2 platform test
+ nodeset: devstack-single-node-openeuler-20.03-sp2
+ voting: false
+ timeout: 9000
+ vars:
+ configure_swap_size: 4096
+ devstack_localrc:
+ # NOTE(wxy): OVN package is not supported by openEuler yet. Build it
+ # from source instead.
+ OVN_BUILD_FROM_SOURCE: True
+
+- job:
name: devstack-no-tls-proxy
parent: tempest-full-py3
description: |
@@ -700,6 +725,8 @@
description: Fedora latest platform test
nodeset: devstack-single-node-fedora-latest
voting: false
+ vars:
+ configure_swap_size: 4096
- job:
name: devstack-platform-fedora-latest-virt-preview
@@ -708,6 +735,7 @@
nodeset: devstack-single-node-fedora-latest
voting: false
vars:
+ configure_swap_size: 4096
devstack_localrc:
ENABLE_FEDORA_VIRT_PREVIEW_REPO: true
@@ -788,6 +816,7 @@
- devstack-platform-centos-8-stream
- devstack-platform-centos-9-stream
- devstack-platform-debian-bullseye
+ - devstack-platform-openEuler-20.03-SP2
- devstack-multinode
- devstack-unit-tests
- openstack-tox-bashate
diff --git a/doc/source/index.rst b/doc/source/index.rst
index 08ce4cb..feb50ce 100644
--- a/doc/source/index.rst
+++ b/doc/source/index.rst
@@ -38,7 +38,7 @@
Start with a clean and minimal install of a Linux system. DevStack
attempts to support the two latest LTS releases of Ubuntu, the
-latest/current Fedora version, CentOS/RHEL 8 and OpenSUSE.
+latest/current Fedora version, CentOS/RHEL 8, OpenSUSE and openEuler.
If you do not have a preference, Ubuntu 20.04 (Focal Fossa) is the
most tested, and will probably go the smoothest.
diff --git a/files/ldap/manager.ldif.in b/files/ldap/manager.ldif.in
index 2f1f139..d3b9be8 100644
--- a/files/ldap/manager.ldif.in
+++ b/files/ldap/manager.ldif.in
@@ -1,4 +1,4 @@
-dn: olcDatabase={${LDAP_OLCDB_NUMBER}}hdb,cn=config
+dn: olcDatabase={${LDAP_OLCDB_NUMBER}}${LDAP_OLCDB_TYPE},cn=config
changetype: modify
replace: olcSuffix
olcSuffix: ${BASE_DN}
diff --git a/files/rpms/ceph b/files/rpms/ceph
index 33a55f8..93b5746 100644
--- a/files/rpms/ceph
+++ b/files/rpms/ceph
@@ -1,3 +1,3 @@
ceph # NOPRIME
-redhat-lsb-core # not:rhel9
+redhat-lsb-core # not:rhel9,openEuler-20.03
xfsprogs
diff --git a/files/rpms/general b/files/rpms/general
index 33da0a5..163a7c8 100644
--- a/files/rpms/general
+++ b/files/rpms/general
@@ -16,6 +16,7 @@
libxml2-devel # lxml
libxslt-devel # lxml
libyaml-devel
+make # dist:openEuler-20.03
net-tools
openssh-server
openssl
@@ -27,7 +28,8 @@
python3-devel
python3-pip
python3-systemd
-redhat-rpm-config # missing dep for gcc hardening flags, see rhbz#1217376
+redhat-rpm-config # not:openEuler-20.03 missing dep for gcc hardening flags, see rhbz#1217376
+systemd-devel # dist:openEuler-20.03
tar
tcpdump
unzip
diff --git a/files/rpms/nova b/files/rpms/nova
index 9522e57..9e8621c 100644
--- a/files/rpms/nova
+++ b/files/rpms/nova
@@ -6,7 +6,7 @@
genisoimage # not:rhel9 required for config_drive
iptables
iputils
-kernel-modules
+kernel-modules # not:openEuler-20.03
kpartx
parted
polkit
diff --git a/files/rpms/swift b/files/rpms/swift
index b6009a3..faf0a31 100644
--- a/files/rpms/swift
+++ b/files/rpms/swift
@@ -1,5 +1,5 @@
curl
-liberasurecode-devel
+liberasurecode-devel # not:openEuler-20.03
memcached
rsync-daemon
sqlite
diff --git a/functions-common b/functions-common
index 80f4355..7042408 100644
--- a/functions-common
+++ b/functions-common
@@ -388,7 +388,7 @@
elif [[ -x $(command -v zypper 2>/dev/null) ]]; then
sudo zypper -n install lsb-release
elif [[ -x $(command -v dnf 2>/dev/null) ]]; then
- sudo dnf install -y redhat-lsb-core
+ sudo dnf install -y redhat-lsb-core || sudo dnf install -y openeuler-lsb
else
die $LINENO "Unable to find or auto-install lsb_release"
fi
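Review bot: The `||` fallback on the dnf line fires on any failure of `sudo dnf install -y redhat-lsb-core` (repository outage, transient network error), not only when the package does not exist, so on a non-openEuler host the real error is followed by a second, misleading failure about `openeuler-lsb`. At minimum add a comment such as `# openEuler does not provide redhat-lsb-core; fall back to its own lsb package` so the retry is not read as generic error handling. If the vendor can be read from `/etc/os-release` at this point, choosing the package name up front would be clearer than retrying. The enclosing function starts and ends outside the hunk.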
@@ -453,12 +453,17 @@
DISTRO="sle${os_RELEASE%.*}"
elif [[ "$os_VENDOR" =~ (Red.*Hat) || \
"$os_VENDOR" =~ (CentOS) || \
+ "$os_VENDOR" =~ (AlmaLinux) || \
"$os_VENDOR" =~ (Scientific) || \
"$os_VENDOR" =~ (OracleServer) || \
"$os_VENDOR" =~ (Virtuozzo) ]]; then
# Drop the . release as we assume it's compatible
# XXX re-evaluate when we get RHEL10
DISTRO="rhel${os_RELEASE::1}"
+ elif [[ "$os_VENDOR" =~ (openEuler) ]]; then
+ # The DISTRO here is `openEuler-20.03`. While, actually only openEuler
+ # 20.03 LTS SP2 is fully tested. Other SP version maybe have bugs.
+ DISTRO="openEuler-$os_RELEASE"
else
# We can't make a good choice here. Setting a sensible DISTRO
# is part of the problem, but not the major issue -- we really
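Review bot: The new openEuler branch sets `DISTRO="openEuler-$os_RELEASE"`, while the package filters added elsewhere in this change match the literal string `openEuler-20.03` (`dist:openEuler-20.03` and `not:openEuler-20.03` in files/rpms/*), so any other `os_RELEASE` would silently skip those filters. The comment should say that directly, for example `# DISTRO is openEuler-<release>; the files/rpms filters only match openEuler-20.03, and only 20.03 LTS SP2 is tested`. The `=~ (openEuler)` test is an unanchored substring match, as are the neighbouring vendor checks.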
@@ -510,9 +515,11 @@
fi
[ "$os_VENDOR" = "Fedora" ] || [ "$os_VENDOR" = "Red Hat" ] || \
+ [ "$os_VENDOR" = "openEuler" ] || \
[ "$os_VENDOR" = "RedHatEnterpriseServer" ] || \
[ "$os_VENDOR" = "RedHatEnterprise" ] || \
[ "$os_VENDOR" = "CentOS" ] || [ "$os_VENDOR" = "CentOSStream" ] || \
+ [ "$os_VENDOR" = "AlmaLinux" ] || \
[ "$os_VENDOR" = "OracleServer" ] || [ "$os_VENDOR" = "Virtuozzo" ]
}
@@ -558,7 +565,12 @@
[ "$os_PACKAGE" = "deb" ]
}
-
+function is_openeuler {
+ if [[ -z "$os_PACKAGE" ]]; then
+ GetOSVersion
+ fi
+ [ "$os_VENDOR" = "openEuler" ]
+}
# Git Functions
# =============
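Review bot: `is_openeuler` is added without a description comment, and the blank line that separated the previous function from the `# Git Functions` header is removed, so the section header now sits directly against the closing brace. I would add `# Determine if current distribution is an openEuler distribution` above the function and keep an empty line after `}`. A short comment that an empty `os_PACKAGE` is used as the "not yet detected" marker before calling `GetOSVersion` would also help.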
diff --git a/lib/apache b/lib/apache
index 4bea07d..cbe61ad 100644
--- a/lib/apache
+++ b/lib/apache
@@ -82,19 +82,10 @@
apxs="apxs"
fi
- # This varies based on packaged/installed. If we've
- # pip_installed, then the pip setup will only build a "python"
- # module that will be either python2 or python3 depending on what
- # it was built with.
- #
- # For package installs, the distro ships both plugins and you need
- # to select the right one ... it will not be autodetected.
- UWSGI_PYTHON_PLUGIN=python3
-
if is_ubuntu; then
local pkg_list="uwsgi uwsgi-plugin-python3 libapache2-mod-proxy-uwsgi"
install_package ${pkg_list}
- elif is_fedora; then
+ elif is_fedora && ! is_openeuler; then
# Note httpd comes with mod_proxy_uwsgi and it is loaded by
# default; the mod_proxy_uwsgi package actually conflicts now.
# See:
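Review bot: The `elif is_fedora && ! is_openeuler; then` condition carries no explanation, and it only makes sense once the reader knows that this change also makes `is_fedora` return true for openEuler. A comment such as `# openEuler matches is_fedora but is handled by the fallback branch below` above the `elif` would make that visible. The branch openEuler falls into lies outside this hunk, so the reason for the exclusion (presumably a missing distro uwsgi package) should be confirmed and recorded by the author.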
@@ -122,7 +113,6 @@
popd
# delete the temp directory
sudo rm -rf $dir
- UWSGI_PYTHON_PLUGIN=python
fi
if is_ubuntu || is_suse ; then
@@ -283,7 +273,7 @@
# configured after graceful shutdown
iniset "$file" uwsgi worker-reload-mercy $WORKER_TIMEOUT
iniset "$file" uwsgi enable-threads true
- iniset "$file" uwsgi plugins http,${UWSGI_PYTHON_PLUGIN}
+ iniset "$file" uwsgi plugins http,python3
# uwsgi recommends this to prevent thundering herd on accept.
iniset "$file" uwsgi thunder-lock true
# Set hook to trigger graceful shutdown on SIGTERM
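Review bot: Hard-coding `plugins http,python3` drops the distinction the removed `UWSGI_PYTHON_PLUGIN` variable made: the first lib/apache hunk deletes the default, and the second deletes `UWSGI_PYTHON_PLUGIN=python` from the branch that builds from a downloaded source tree. On that path the plugin was previously named `python`, so it should be confirmed that such a build accepts `python3` here rather than failing or starting without the Python plugin. The same replacement is made in the following hunk. A short comment above the `iniset` line recording why `python3` is now valid for every install path would help.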
@@ -336,7 +326,7 @@
iniset "$file" uwsgi die-on-term true
iniset "$file" uwsgi exit-on-reload false
iniset "$file" uwsgi enable-threads true
- iniset "$file" uwsgi plugins http,${UWSGI_PYTHON_PLUGIN}
+ iniset "$file" uwsgi plugins http,python3
# uwsgi recommends this to prevent thundering herd on accept.
iniset "$file" uwsgi thunder-lock true
# Set hook to trigger graceful shutdown on SIGTERM
diff --git a/lib/cinder b/lib/cinder
index 76314c1..b029fa0 100644
--- a/lib/cinder
+++ b/lib/cinder
@@ -447,10 +447,6 @@
be_type=${be%%:*}
be_name=${be##*:}
if type init_cinder_backend_${be_type} >/dev/null 2>&1; then
- # Always init the default volume group for lvm.
- if [[ "$be_type" == "lvm" ]]; then
- init_default_lvm_volume_group
- fi
init_cinder_backend_${be_type} ${be_name}
fi
done
diff --git a/lib/cinder_backups/swift b/lib/cinder_backups/swift
index d7c977e..c7ec306 100644
--- a/lib/cinder_backups/swift
+++ b/lib/cinder_backups/swift
@@ -24,6 +24,9 @@
# to use it.
iniset $CINDER_CONF DEFAULT backup_driver "cinder.backup.drivers.swift.SwiftBackupDriver"
iniset $CINDER_CONF DEFAULT backup_swift_url "$SWIFT_SERVICE_PROTOCOL://$SERVICE_HOST:$SWIFT_DEFAULT_BIND_PORT/v1/AUTH_"
+ if is_service_enabled tls-proxy; then
+ iniset $CINDER_CONF DEFAULT backup_swift_ca_cert_file $SSL_BUNDLE_FILE
+ fi
}
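Review bot: `$SSL_BUNDLE_FILE` is passed unquoted on the added `iniset` line, so an empty value or one containing whitespace would drop or split the argument and leave `backup_swift_ca_cert_file` wrong; `iniset $CINDER_CONF DEFAULT backup_swift_ca_cert_file "$SSL_BUNDLE_FILE"` avoids that. The CA file is set only when `tls-proxy` is enabled, whereas the URL scheme on the line above comes from `$SWIFT_SERVICE_PROTOCOL`; if that can be `https` without tls-proxy, the two conditions should be aligned. The function starts above the hunk.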
# init_cinder_backup_swift: nothing to do
diff --git a/lib/database b/lib/database
index 7940cf2..78563f6 100644
--- a/lib/database
+++ b/lib/database
@@ -89,6 +89,10 @@
DATABASE_PASSWORD=$MYSQL_PASSWORD
fi
+ return 0
+}
+
+function define_database_baseurl {
# We configure Nova, Horizon, Glance and Keystone to use MySQL as their
# database server. While they share a single server, each has their own
# database and tables.
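Review bot: `define_database_baseurl` is introduced without a header comment, and splitting it out of the preceding function means `BASE_SQL_CONN` is no longer set unless callers invoke the new function explicitly. A comment such as `# define_database_baseurl() - Set BASE_SQL_CONN; call after the database user and password are set` would document the ordering requirement. The value assembled in the next hunk embeds `$DATABASE_PASSWORD` in the URL, so the comment could also note that the password travels wherever `BASE_SQL_CONN` is written or traced. The callers are not part of this file section and should be checked.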
@@ -100,8 +104,6 @@
# NOTE: Don't specify ``/db`` in this string so we can use it for multiple services
BASE_SQL_CONN=${BASE_SQL_CONN:-$(get_database_type_$DATABASE_TYPE)://$DATABASE_USER:$DATABASE_PASSWORD@$DATABASE_HOST}
-
- return 0
}
# Recreate a given database
diff --git a/lib/databases/mysql b/lib/databases/mysql
index d0fa119..30e4b7c 100644
--- a/lib/databases/mysql
+++ b/lib/databases/mysql
@@ -12,6 +12,7 @@
set +o xtrace
MYSQL_DRIVER=${MYSQL_DRIVER:-PyMySQL}
+INSTALL_DATABASE_SERVER_PACKAGES=$(trueorfalse True INSTALL_DATABASE_SERVER_PACKAGES)
register_database mysql
@@ -175,18 +176,20 @@
chmod 0600 $HOME/.my.cnf
fi
# Install mysql-server
- if is_oraclelinux; then
- install_package mysql-community-server
- elif is_fedora; then
- install_package mariadb-server mariadb-devel
- sudo systemctl enable $MYSQL_SERVICE_NAME
- elif is_suse; then
- install_package mariadb-server
- sudo systemctl enable $MYSQL_SERVICE_NAME
- elif is_ubuntu; then
- install_package $MYSQL_SERVICE_NAME-server
- else
- exit_distro_not_supported "mysql installation"
+ if [[ "$INSTALL_DATABASE_SERVER_PACKAGES" == "True" ]]; then
+ if is_oraclelinux; then
+ install_package mysql-community-server
+ elif is_fedora; then
+ install_package mariadb-server mariadb-devel mariadb
+ sudo systemctl enable $MYSQL_SERVICE_NAME
+ elif is_suse; then
+ install_package mariadb-server
+ sudo systemctl enable $MYSQL_SERVICE_NAME
+ elif is_ubuntu; then
+ install_package $MYSQL_SERVICE_NAME-server
+ else
+ exit_distro_not_supported "mysql installation"
+ fi
fi
}
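Review bot: With `INSTALL_DATABASE_SERVER_PACKAGES` set to False the new guard skips not only `install_package` but also `sudo systemctl enable $MYSQL_SERVICE_NAME` and the `exit_distro_not_supported` check, so an unsupported distro or a disabled service is no longer reported at this point. The variable is introduced in the earlier hunk without any comment; `# Set to False to reuse a database server that is already installed; packages and service enablement are then the operator's responsibility` would state the contract. The same pattern, with the same gap, is applied in the lib/databases/postgresql hunk. The function begins above the hunk.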
diff --git a/lib/databases/postgresql b/lib/databases/postgresql
index 618834b..4f0a5a0 100644
--- a/lib/databases/postgresql
+++ b/lib/databases/postgresql
@@ -13,7 +13,7 @@
MAX_DB_CONNECTIONS=${MAX_DB_CONNECTIONS:-200}
-
+INSTALL_DATABASE_SERVER_PACKAGES=$(trueorfalse True INSTALL_DATABASE_SERVER_PACKAGES)
register_database postgresql
@@ -95,7 +95,6 @@
function install_database_postgresql {
echo_summary "Installing postgresql"
- deprecated "Use of postgresql in devstack is deprecated, and will be removed during the Pike cycle"
local pgpass=$HOME/.pgpass
if [[ ! -e $pgpass ]]; then
cat <<EOF > $pgpass
@@ -105,15 +104,17 @@
else
sed -i "s/:root:\w\+/:root:$DATABASE_PASSWORD/" $pgpass
fi
- if is_ubuntu; then
- install_package postgresql
- elif is_fedora || is_suse; then
- install_package postgresql-server
- if is_fedora; then
- sudo systemctl enable postgresql
+ if [[ "$INSTALL_DATABASE_SERVER_PACKAGES" == "True" ]]; then
+ if is_ubuntu; then
+ install_package postgresql
+ elif is_fedora || is_suse; then
+ install_package postgresql-server
+ if is_fedora; then
+ sudo systemctl enable postgresql
+ fi
+ else
+ exit_distro_not_supported "postgresql installation"
fi
- else
- exit_distro_not_supported "postgresql installation"
fi
}
diff --git a/lib/ldap b/lib/ldap
index 5a53d0e..ea5faa1 100644
--- a/lib/ldap
+++ b/lib/ldap
@@ -33,14 +33,17 @@
if is_ubuntu; then
LDAP_OLCDB_NUMBER=1
+ LDAP_OLCDB_TYPE=mdb
LDAP_ROOTPW_COMMAND=replace
elif is_fedora; then
LDAP_OLCDB_NUMBER=2
+ LDAP_OLCDB_TYPE=hdb
LDAP_ROOTPW_COMMAND=add
elif is_suse; then
# SUSE has slappasswd in /usr/sbin/
PATH=$PATH:/usr/sbin/
LDAP_OLCDB_NUMBER=1
+ LDAP_OLCDB_TYPE=hdb
LDAP_ROOTPW_COMMAND=add
LDAP_SERVICE_NAME=ldap
fi
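Review bot: `LDAP_OLCDB_TYPE` is assigned only inside the three distro branches, so on any other platform it stays empty; the template substitution would then yield `olcDatabase={N},cn=config` with no backend name, and `${LDAP_OLCDB_TYPE^^}` in the debconf seed would be blank. A default assigned before the `if`, or an explicit failure when no branch matches, would make this visible (`LDAP_OLCDB_NUMBER` already has the same gap). Because this change also makes `is_fedora` true for openEuler, that platform gets `hdb` here; it is worth confirming that its slapd still provides that backend.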
@@ -56,6 +59,7 @@
local slappass=$2
sed -e "
s|\${LDAP_OLCDB_NUMBER}|$LDAP_OLCDB_NUMBER|
+ s|\${LDAP_OLCDB_TYPE}|$LDAP_OLCDB_TYPE|
s|\${SLAPPASS}|$slappass|
s|\${LDAP_ROOTPW_COMMAND}|$LDAP_ROOTPW_COMMAND|
s|\${BASE_DC}|$LDAP_BASE_DC|
@@ -157,7 +161,7 @@
slapd slapd/dump_database_destdir string /var/backups/slapd-VERSION
slapd slapd/domain string Users
slapd shared/organization string $LDAP_DOMAIN
- slapd slapd/backend string HDB
+ slapd slapd/backend string ${LDAP_OLCDB_TYPE^^}
slapd slapd/purge_database boolean true
slapd slapd/move_old_database boolean true
slapd slapd/allow_ldap_v2 boolean false
diff --git a/lib/libraries b/lib/libraries
index 67ff21f..9ea3230 100755
--- a/lib/libraries
+++ b/lib/libraries
@@ -38,6 +38,7 @@
GITDIR["oslo.context"]=$DEST/oslo.context
GITDIR["oslo.db"]=$DEST/oslo.db
GITDIR["oslo.i18n"]=$DEST/oslo.i18n
+GITDIR["oslo.limit"]=$DEST/oslo.limit
GITDIR["oslo.log"]=$DEST/oslo.log
GITDIR["oslo.messaging"]=$DEST/oslo.messaging
GITDIR["oslo.middleware"]=$DEST/oslo.middleware
@@ -102,6 +103,7 @@
_install_lib_from_source "oslo.context"
_install_lib_from_source "oslo.db"
_install_lib_from_source "oslo.i18n"
+ _install_lib_from_source "oslo.limit"
_install_lib_from_source "oslo.log"
_install_lib_from_source "oslo.messaging"
_install_lib_from_source "oslo.middleware"
diff --git a/lib/neutron b/lib/neutron
index 885df97..e7719d4 100644
--- a/lib/neutron
+++ b/lib/neutron
@@ -37,6 +37,11 @@
NEUTRON_AGENT=${NEUTRON_AGENT:-openvswitch}
NEUTRON_DIR=$DEST/neutron
+# If NEUTRON_ENFORCE_SCOPE == True, it will set "enforce_scope"
+# and "enforce_new_defaults" to True in the Neutron's config to enforce usage
+# of the new RBAC policies and scopes.
+NEUTRON_ENFORCE_SCOPE=$(trueorfalse False NEUTRON_ENFORCE_SCOPE)
+
NEUTRON_DISTRIBUTED_ROUTING=$(trueorfalse False NEUTRON_DISTRIBUTED_ROUTING)
# Distributed Virtual Router (DVR) configuration
# Can be:
@@ -141,6 +146,7 @@
# cleanup_neutron() - Remove residual data files, anything left over from previous
# runs that a clean run would need to clean up
function cleanup_neutron_new {
+ deprecated "Using lib/neutron is deprecated, and it will be removed in AA release!"
source $TOP_DIR/lib/neutron_plugins/${NEUTRON_AGENT}_agent
if is_neutron_ovs_base_plugin; then
neutron_ovs_base_cleanup
@@ -164,6 +170,7 @@
# configure_neutron() - Set config files, create data dirs, etc
function configure_neutron_new {
+ deprecated "Using lib/neutron is deprecated, and it will be removed in AA release!"
sudo install -d -o $STACK_USER $NEUTRON_CONF_DIR
(cd $NEUTRON_DIR && exec ./tools/generate_config_file_samples.sh)
@@ -232,6 +239,7 @@
if [[ "$NEUTRON_PORT_SECURITY" = "True" ]]; then
neutron_ml2_extension_driver_add port_security
fi
+ configure_rbac_policies
fi
# Neutron OVS or LB agent
@@ -353,6 +361,7 @@
# Takes a single optional argument which is the config file to update,
# if not passed $NOVA_CONF is used.
function configure_neutron_nova_new {
+ deprecated "Using lib/neutron is deprecated, and it will be removed in AA release!"
local conf=${1:-$NOVA_CONF}
iniset $conf neutron auth_type "password"
iniset $conf neutron auth_url "$KEYSTONE_SERVICE_URI"
@@ -379,6 +388,7 @@
# create_neutron_accounts() - Create required service accounts
function create_neutron_accounts_new {
+ deprecated "Using lib/neutron is deprecated, and it will be removed in AA release!"
local neutron_url
if [ "$NEUTRON_DEPLOY_MOD_WSGI" == "True" ]; then
@@ -402,6 +412,7 @@
# init_neutron() - Initialize databases, etc.
function init_neutron_new {
+ deprecated "Using lib/neutron is deprecated, and it will be removed in AA release!"
recreate_database neutron
time_start "dbsync"
@@ -412,6 +423,7 @@
# install_neutron() - Collect source and prepare
function install_neutron_new {
+ deprecated "Using lib/neutron is deprecated, and it will be removed in AA release!"
git_clone $NEUTRON_REPO $NEUTRON_DIR $NEUTRON_BRANCH
setup_develop $NEUTRON_DIR
@@ -485,6 +497,7 @@
# start_neutron() - Start running processes
function start_neutron_new {
+ deprecated "Using lib/neutron is deprecated, and it will be removed in AA release!"
# Start up the neutron agents if enabled
# TODO(sc68cal) Make this pluggable so different DevStack plugins for different Neutron plugins
# can resolve the $NEUTRON_AGENT_BINARY
@@ -522,6 +535,7 @@
# stop_neutron() - Stop running processes
function stop_neutron_new {
+ deprecated "Using lib/neutron is deprecated, and it will be removed in AA release!"
for serv in neutron-api neutron-agent neutron-l3; do
stop_process $serv
done
@@ -544,6 +558,7 @@
# neutron_service_plugin_class_add() - add service plugin class
function neutron_service_plugin_class_add_new {
+ deprecated "Using lib/neutron is deprecated, and it will be removed in AA release!"
local service_plugin_class=$1
local plugins=""
@@ -568,11 +583,13 @@
}
function neutron_server_config_add_new {
+ deprecated "Using lib/neutron is deprecated, and it will be removed in AA release!"
_NEUTRON_SERVER_EXTRA_CONF_FILES_ABS+=($1)
}
# neutron_deploy_rootwrap_filters() - deploy rootwrap filters
function neutron_deploy_rootwrap_filters_new {
+ deprecated "Using lib/neutron is deprecated, and it will be removed in AA release!"
local srcdir=$1
sudo install -d -o root -g root -m 755 $NEUTRON_CONF_DIR/rootwrap.d
sudo install -o root -g root -m 644 $srcdir/etc/neutron/rootwrap.d/*.filters $NEUTRON_CONF_DIR/rootwrap.d
@@ -612,6 +629,19 @@
fi
}
+# configure_rbac_policies() - Configure Neutron to enforce new RBAC
+# policies and scopes if NEUTRON_ENFORCE_SCOPE == True
+function configure_rbac_policies {
+ if [ "$NEUTRON_ENFORCE_SCOPE" == "True" ]; then
+ iniset $NEUTRON_CONF oslo_policy enforce_new_defaults True
+ iniset $NEUTRON_CONF oslo_policy enforce_scope True
+ else
+ iniset $NEUTRON_CONF oslo_policy enforce_new_defaults False
+ iniset $NEUTRON_CONF oslo_policy enforce_scope False
+ fi
+}
+
+
function configure_neutron_nova {
if is_neutron_legacy_enabled; then
# Call back to old function
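Review bot: The `else` branch of `configure_rbac_policies` writes `enforce_new_defaults False` and `enforce_scope False` explicitly, which pins Neutron to the legacy policy behaviour even if the service's own defaults later become stricter. If the intent is only to opt in, the else branch could be dropped so the service default applies; if pinning is intended, state it in the header comment, e.g. `# When False, both options are forced off regardless of Neutron's own defaults`. A function with the same name and body is added in the lib/neutron-legacy hunk, so whichever file is sourced last defines it; a single shared definition would avoid the two drifting apart. `$NEUTRON_CONF` is unquoted in all four `iniset` calls.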
diff --git a/lib/neutron-legacy b/lib/neutron-legacy
index a5a608d..b906a1b 100644
--- a/lib/neutron-legacy
+++ b/lib/neutron-legacy
@@ -90,6 +90,11 @@
NEUTRON_UWSGI_CONF=$NEUTRON_CONF_DIR/neutron-api-uwsgi.ini
+# If NEUTRON_ENFORCE_SCOPE == True, it will set "enforce_scope"
+# and "enforce_new_defaults" to True in the Neutron's config to enforce usage
+# of the new RBAC policies and scopes.
+NEUTRON_ENFORCE_SCOPE=$(trueorfalse False NEUTRON_ENFORCE_SCOPE)
+
# Agent binaries. Note, binary paths for other agents are set in per-service
# scripts in lib/neutron_plugins/services/
AGENT_DHCP_BINARY="$NEUTRON_BIN_DIR/neutron-dhcp-agent"
@@ -489,6 +494,19 @@
if [[ $Q_SERVICE_PLUGIN_CLASSES != '' ]]; then
iniset $NEUTRON_CONF DEFAULT service_plugins $Q_SERVICE_PLUGIN_CLASSES
fi
+ configure_rbac_policies
+}
+
+# configure_rbac_policies() - Configure Neutron to enforce new RBAC
+# policies and scopes if NEUTRON_ENFORCE_SCOPE == True
+function configure_rbac_policies {
+ if [ "$NEUTRON_ENFORCE_SCOPE" == "True" ]; then
+ iniset $NEUTRON_CONF oslo_policy enforce_new_defaults True
+ iniset $NEUTRON_CONF oslo_policy enforce_scope True
+ else
+ iniset $NEUTRON_CONF oslo_policy enforce_new_defaults False
+ iniset $NEUTRON_CONF oslo_policy enforce_scope False
+ fi
}
# Start running OVN processes
diff --git a/lib/neutron_plugins/ovn_agent b/lib/neutron_plugins/ovn_agent
index 099b639..09b28b6 100644
--- a/lib/neutron_plugins/ovn_agent
+++ b/lib/neutron_plugins/ovn_agent
@@ -24,11 +24,6 @@
# Load devstack ovs compliation and loading functions
source ${TOP_DIR}/lib/neutron_plugins/ovs_source
-# Defaults
-# --------
-
-Q_BUILD_OVS_FROM_GIT=$(trueorfalse True Q_BUILD_OVS_FROM_GIT)
-
# Set variables for building OVN from source
OVN_REPO=${OVN_REPO:-https://github.com/ovn-org/ovn.git}
OVN_REPO_NAME=$(basename ${OVN_REPO} | cut -f1 -d'.')
@@ -74,6 +69,9 @@
# unless the distro kernel includes ovs+conntrack support.
OVN_BUILD_MODULES=$(trueorfalse False OVN_BUILD_MODULES)
OVN_BUILD_FROM_SOURCE=$(trueorfalse False OVN_BUILD_FROM_SOURCE)
+if [[ "$OVN_BUILD_FROM_SOURCE" == "True" ]]; then
+ Q_BUILD_OVS_FROM_GIT=True
+fi
# Whether or not to install the ovs python module from ovs source. This can be
# used to test and validate new ovs python features. This should only be used
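Review bot: The added block forces `Q_BUILD_OVS_FROM_GIT=True` whenever `OVN_BUILD_FROM_SOURCE` is True, silently overriding a value the operator set. A comment giving the reason (presumably that an OVN source build needs the OVS tree from the same build) and an `echo` when an explicit False is overridden would make the resulting source build less surprising. The default for `Q_BUILD_OVS_FROM_GIT` also moves to lib/neutron_plugins/ovs_source in this change and flips from True to False there, which deserves a line in the commit message or docs.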
@@ -344,11 +342,6 @@
# install_ovn() - Collect source and prepare
function install_ovn {
- if [[ "$Q_BUILD_OVS_FROM_GIT" == "False" ]]; then
- echo "Installation of OVS from source disabled."
- return 0
- fi
-
echo "Installing OVN and dependent packages"
# Check the OVN configuration
diff --git a/lib/neutron_plugins/ovs_base b/lib/neutron_plugins/ovs_base
index 2e63fe3..8acf586 100644
--- a/lib/neutron_plugins/ovs_base
+++ b/lib/neutron_plugins/ovs_base
@@ -7,6 +7,12 @@
_XTRACE_NEUTRON_OVS_BASE=$(set +o | grep xtrace)
set +o xtrace
+# Load devstack ovs compliation and loading functions
+source ${TOP_DIR}/lib/neutron_plugins/ovs_source
+
+# Defaults
+# --------
+
OVS_BRIDGE=${OVS_BRIDGE:-br-int}
# OVS recognize default 'system' datapath or 'netdev' for userspace datapath
OVS_DATAPATH_TYPE=${OVS_DATAPATH_TYPE:-system}
@@ -60,26 +66,33 @@
}
function _neutron_ovs_base_install_agent_packages {
- # Install deps
- install_package $(get_packages "openvswitch")
- if is_ubuntu; then
- _neutron_ovs_base_install_ubuntu_dkms
- restart_service openvswitch-switch
- elif is_fedora; then
- restart_service openvswitch
- sudo systemctl enable openvswitch
- elif is_suse; then
- if [[ $DISTRO == "sle12" ]] && vercmp "$os_RELEASE" "<" "12.2" ; then
+ if [ "$Q_BUILD_OVS_FROM_GIT" == "True" ]; then
+ remove_ovs_packages
+ compile_ovs False /usr /var
+ load_conntrack_gre_module
+ start_new_ovs
+ else
+ # Install deps
+ install_package $(get_packages "openvswitch")
+ if is_ubuntu; then
+ _neutron_ovs_base_install_ubuntu_dkms
restart_service openvswitch-switch
- else
- # workaround for https://bugzilla.suse.com/show_bug.cgi?id=1085971
- if [[ $DISTRO =~ "tumbleweed" ]]; then
- sudo sed -i -e "s,^OVS_USER_ID=.*,OVS_USER_ID='root:root'," /etc/sysconfig/openvswitch
+ elif is_fedora; then
+ restart_service openvswitch
+ sudo systemctl enable openvswitch
+ elif is_suse; then
+ if [[ $DISTRO == "sle12" ]] && vercmp "$os_RELEASE" "<" "12.2" ; then
+ restart_service openvswitch-switch
+ else
+ # workaround for https://bugzilla.suse.com/show_bug.cgi?id=1085971
+ if [[ $DISTRO =~ "tumbleweed" ]]; then
+ sudo sed -i -e "s,^OVS_USER_ID=.*,OVS_USER_ID='root:root'," /etc/sysconfig/openvswitch
+ fi
+ restart_service openvswitch || {
+ journalctl -xe || :
+ systemctl status openvswitch
+ }
fi
- restart_service openvswitch || {
- journalctl -xe || :
- systemctl status openvswitch
- }
fi
fi
}
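Review bot: In the new `Q_BUILD_OVS_FROM_GIT` branch `remove_ovs_packages` runs before `compile_ovs`, so a failed build leaves the host with no Open vSwitch installed, and the result of a git checkout is installed under `/usr` during a root-privileged run. The three positional arguments in `compile_ovs False /usr /var` are not explained; a comment such as `# args: build kernel modules, install prefix, localstatedir` would help, with the meanings confirmed against `compile_ovs`, which is defined outside this hunk. It would also be worth documenting that this path builds whatever `OVS_REPO` points to (the ref used is not visible here), so environments that care about provenance should pin it to a tag or commit.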
diff --git a/lib/neutron_plugins/ovs_source b/lib/neutron_plugins/ovs_source
index 08951d1..9c87dce 100644
--- a/lib/neutron_plugins/ovs_source
+++ b/lib/neutron_plugins/ovs_source
@@ -14,6 +14,7 @@
# Defaults
# --------
+Q_BUILD_OVS_FROM_GIT=$(trueorfalse False Q_BUILD_OVS_FROM_GIT)
# Set variables for building OVS from source
OVS_REPO=${OVS_REPO:-https://github.com/openvswitch/ovs.git}
diff --git a/lib/neutron_plugins/services/l3 b/lib/neutron_plugins/services/l3
index 72f7a32..a8844c4 100644
--- a/lib/neutron_plugins/services/l3
+++ b/lib/neutron_plugins/services/l3
@@ -100,6 +100,11 @@
SUBNETPOOL_SIZE_V4=${SUBNETPOOL_SIZE_V4:-26}
SUBNETPOOL_SIZE_V6=${SUBNETPOOL_SIZE_V6:-64}
+NEUTRON_ADMIN_CLOUD_NAME="devstack-admin"
+if [ "$NEUTRON_ENFORCE_SCOPE" == "True" ]; then
+ NEUTRON_ADMIN_CLOUD_NAME="devstack-system-admin"
+fi
+
default_v4_route_devs=$(ip -4 route | grep ^default | awk '{print $5}')
default_v6_route_devs=$(ip -6 route list match default table all | grep via | awk '{print $5}')
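Review bot: `NEUTRON_ADMIN_CLOUD_NAME` is chosen by comparing `$NEUTRON_ENFORCE_SCOPE` with the exact string `True` at source time, so it is only correct if lib/neutron or lib/neutron-legacy has already normalised the variable with `trueorfalse`; the job configuration in this change sets it as YAML `true`. If this file can be sourced first, the cloud name would stay `devstack-admin` while Neutron enforces scope. A comment stating the ordering requirement, or normalising here as well with `NEUTRON_ENFORCE_SCOPE=$(trueorfalse False NEUTRON_ENFORCE_SCOPE)`, would remove the dependency. The first assignment is also unconditional, so a value exported by the operator is overwritten.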
@@ -151,6 +156,10 @@
project_id=$(openstack project list | grep " demo " | get_field 1)
die_if_not_set $LINENO project_id "Failure retrieving project_id for demo"
+ local admin_project_id
+ admin_project_id=$(openstack project list | grep " admin " | get_field 1)
+ die_if_not_set $LINENO admin_project_id "Failure retrieving project_id for admin"
+
# Allow drivers that need to create an initial network to do so here
if type -p neutron_plugin_create_initial_network_profile > /dev/null; then
neutron_plugin_create_initial_network_profile $PHYSICAL_NETWORK
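Review bot: The added lookup `openstack project list | grep " admin " | get_field 1` matches every table row that contains ` admin `, so with more than one such project (for example the same name in several domains) `admin_project_id` becomes a multi-line value that still passes `die_if_not_set` and is later used as `--project`, unquoted in several of the following hunks. Asking for the project directly, `admin_project_id=$(openstack project show admin -f value -c id)`, avoids parsing table output; the existing `demo` lookup above has the same shape. The call also runs without `--os-cloud`, unlike the commands that consume the id, so it depends on whatever credentials are in the environment. The same lookup is repeated in the `_neutron_create_public_subnet_v4` hunk.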
@@ -159,10 +168,10 @@
if is_networking_extension_supported "auto-allocated-topology"; then
if [[ "$USE_SUBNETPOOL" == "True" ]]; then
if [[ "$IP_VERSION" =~ 4.* ]]; then
- SUBNETPOOL_V4_ID=$(openstack --os-cloud devstack-admin --os-region "$REGION_NAME" subnet pool create $SUBNETPOOL_NAME_V4 --default-prefix-length $SUBNETPOOL_SIZE_V4 --pool-prefix $SUBNETPOOL_PREFIX_V4 --share --default -f value -c id)
+ SUBNETPOOL_V4_ID=$(openstack --os-cloud "$NEUTRON_ADMIN_CLOUD_NAME" --os-region "$REGION_NAME" subnet pool create $SUBNETPOOL_NAME_V4 --project "$admin_project_id" --default-prefix-length $SUBNETPOOL_SIZE_V4 --pool-prefix $SUBNETPOOL_PREFIX_V4 --share --default -f value -c id)
fi
if [[ "$IP_VERSION" =~ .*6 ]]; then
- SUBNETPOOL_V6_ID=$(openstack --os-cloud devstack-admin --os-region "$REGION_NAME" subnet pool create $SUBNETPOOL_NAME_V6 --default-prefix-length $SUBNETPOOL_SIZE_V6 --pool-prefix $SUBNETPOOL_PREFIX_V6 --share --default -f value -c id)
+ SUBNETPOOL_V6_ID=$(openstack --os-cloud "$NEUTRON_ADMIN_CLOUD_NAME" --os-region "$REGION_NAME" subnet pool create $SUBNETPOOL_NAME_V6 --project "$admin_project_id" --default-prefix-length $SUBNETPOOL_SIZE_V6 --pool-prefix $SUBNETPOOL_PREFIX_V6 --share --default -f value -c id)
fi
fi
fi
@@ -170,14 +179,14 @@
if is_provider_network; then
die_if_not_set $LINENO PHYSICAL_NETWORK "You must specify the PHYSICAL_NETWORK"
die_if_not_set $LINENO PROVIDER_NETWORK_TYPE "You must specify the PROVIDER_NETWORK_TYPE"
- NET_ID=$(openstack --os-cloud devstack-admin --os-region "$REGION_NAME" network create $PHYSICAL_NETWORK --project $project_id --provider-network-type $PROVIDER_NETWORK_TYPE --provider-physical-network "$PHYSICAL_NETWORK" ${SEGMENTATION_ID:+--provider-segment $SEGMENTATION_ID} --share | grep ' id ' | get_field 2)
+ NET_ID=$(openstack --os-cloud "$NEUTRON_ADMIN_CLOUD_NAME" --os-region "$REGION_NAME" network create $PHYSICAL_NETWORK --project $project_id --provider-network-type $PROVIDER_NETWORK_TYPE --provider-physical-network "$PHYSICAL_NETWORK" ${SEGMENTATION_ID:+--provider-segment $SEGMENTATION_ID} --share | grep ' id ' | get_field 2)
die_if_not_set $LINENO NET_ID "Failure creating NET_ID for $PHYSICAL_NETWORK $project_id"
if [[ "$IP_VERSION" =~ 4.* ]]; then
if [ -z $SUBNETPOOL_V4_ID ]; then
fixed_range_v4=$FIXED_RANGE
fi
- SUBNET_ID=$(openstack --os-cloud devstack-admin --os-region "$REGION_NAME" subnet create --project $project_id --ip-version 4 ${ALLOCATION_POOL:+--allocation-pool $ALLOCATION_POOL} $PROVIDER_SUBNET_NAME --gateway $NETWORK_GATEWAY ${SUBNETPOOL_V4_ID:+--subnet-pool $SUBNETPOOL_V4_ID} --network $NET_ID ${fixed_range_v4:+--subnet-range $fixed_range_v4} | grep ' id ' | get_field 2)
+ SUBNET_ID=$(openstack --os-cloud "$NEUTRON_ADMIN_CLOUD_NAME" --os-region "$REGION_NAME" subnet create --project $project_id --ip-version 4 ${ALLOCATION_POOL:+--allocation-pool $ALLOCATION_POOL} $PROVIDER_SUBNET_NAME --gateway $NETWORK_GATEWAY ${SUBNETPOOL_V4_ID:+--subnet-pool $SUBNETPOOL_V4_ID} --network $NET_ID ${fixed_range_v4:+--subnet-range $fixed_range_v4} | grep ' id ' | get_field 2)
die_if_not_set $LINENO SUBNET_ID "Failure creating SUBNET_ID for $PROVIDER_SUBNET_NAME $project_id"
fi
@@ -187,7 +196,7 @@
if [ -z $SUBNETPOOL_V6_ID ]; then
fixed_range_v6=$IPV6_PROVIDER_FIXED_RANGE
fi
- IPV6_SUBNET_ID=$(openstack --os-cloud devstack-admin --os-region "$REGION_NAME" subnet create --project $project_id --ip-version 6 --gateway $IPV6_PROVIDER_NETWORK_GATEWAY $IPV6_PROVIDER_SUBNET_NAME ${SUBNETPOOL_V6_ID:+--subnet-pool $SUBNETPOOL_V6_ID} --network $NET_ID ${fixed_range_v6:+--subnet-range $fixed_range_v6} | grep ' id ' | get_field 2)
+ IPV6_SUBNET_ID=$(openstack --os-cloud "$NEUTRON_ADMIN_CLOUD_NAME" --os-region "$REGION_NAME" subnet create --project $project_id --ip-version 6 --gateway $IPV6_PROVIDER_NETWORK_GATEWAY $IPV6_PROVIDER_SUBNET_NAME ${SUBNETPOOL_V6_ID:+--subnet-pool $SUBNETPOOL_V6_ID} --network $NET_ID ${fixed_range_v6:+--subnet-range $fixed_range_v6} | grep ' id ' | get_field 2)
die_if_not_set $LINENO IPV6_SUBNET_ID "Failure creating IPV6_SUBNET_ID for $IPV6_PROVIDER_SUBNET_NAME $project_id"
fi
@@ -197,7 +206,7 @@
sudo ip link set $PUBLIC_INTERFACE up
fi
else
- NET_ID=$(openstack --os-cloud devstack-admin --os-region "$REGION_NAME" network create --project $project_id "$PRIVATE_NETWORK_NAME" | grep ' id ' | get_field 2)
+ NET_ID=$(openstack --os-cloud "$NEUTRON_ADMIN_CLOUD_NAME" --os-region "$REGION_NAME" network create --project $project_id "$PRIVATE_NETWORK_NAME" | grep ' id ' | get_field 2)
die_if_not_set $LINENO NET_ID "Failure creating NET_ID for $PRIVATE_NETWORK_NAME $project_id"
if [[ "$IP_VERSION" =~ 4.* ]]; then
@@ -215,11 +224,11 @@
# Create a router, and add the private subnet as one of its interfaces
if [[ "$Q_L3_ROUTER_PER_TENANT" == "True" ]]; then
# create a tenant-owned router.
- ROUTER_ID=$(openstack --os-cloud devstack-admin --os-region "$REGION_NAME" router create --project $project_id $Q_ROUTER_NAME | grep ' id ' | get_field 2)
+ ROUTER_ID=$(openstack --os-cloud "$NEUTRON_ADMIN_CLOUD_NAME" --os-region "$REGION_NAME" router create --project $project_id $Q_ROUTER_NAME | grep ' id ' | get_field 2)
die_if_not_set $LINENO ROUTER_ID "Failure creating ROUTER_ID for $project_id $Q_ROUTER_NAME"
else
# Plugin only supports creating a single router, which should be admin owned.
- ROUTER_ID=$(openstack --os-cloud devstack-admin --os-region "$REGION_NAME" router create $Q_ROUTER_NAME | grep ' id ' | get_field 2)
+ ROUTER_ID=$(openstack --os-cloud "$NEUTRON_ADMIN_CLOUD_NAME" --os-region "$REGION_NAME" router create $Q_ROUTER_NAME --project $admin_project_id | grep ' id ' | get_field 2)
die_if_not_set $LINENO ROUTER_ID "Failure creating ROUTER_ID for $Q_ROUTER_NAME"
fi
@@ -229,9 +238,9 @@
fi
# Create an external network, and a subnet. Configure the external network as router gw
if [ "$Q_USE_PROVIDERNET_FOR_PUBLIC" = "True" ]; then
- EXT_NET_ID=$(openstack --os-cloud devstack-admin --os-region "$REGION_NAME" network create "$PUBLIC_NETWORK_NAME" $EXTERNAL_NETWORK_FLAGS --provider-network-type ${PUBLIC_PROVIDERNET_TYPE:-flat} ${PUBLIC_PROVIDERNET_SEGMENTATION_ID:+--provider-segment $PUBLIC_PROVIDERNET_SEGMENTATION_ID} --provider-physical-network ${PUBLIC_PHYSICAL_NETWORK} | grep ' id ' | get_field 2)
+ EXT_NET_ID=$(openstack --os-cloud "$NEUTRON_ADMIN_CLOUD_NAME" --os-region "$REGION_NAME" network create "$PUBLIC_NETWORK_NAME" $EXTERNAL_NETWORK_FLAGS --provider-network-type ${PUBLIC_PROVIDERNET_TYPE:-flat} ${PUBLIC_PROVIDERNET_SEGMENTATION_ID:+--provider-segment $PUBLIC_PROVIDERNET_SEGMENTATION_ID} --provider-physical-network ${PUBLIC_PHYSICAL_NETWORK} --project $admin_project_id | grep ' id ' | get_field 2)
else
- EXT_NET_ID=$(openstack --os-cloud devstack-admin --os-region "$REGION_NAME" network create "$PUBLIC_NETWORK_NAME" $EXTERNAL_NETWORK_FLAGS | grep ' id ' | get_field 2)
+ EXT_NET_ID=$(openstack --os-cloud "$NEUTRON_ADMIN_CLOUD_NAME" --os-region "$REGION_NAME" network create "$PUBLIC_NETWORK_NAME" $EXTERNAL_NETWORK_FLAGS --project $admin_project_id | grep ' id ' | get_field 2)
fi
die_if_not_set $LINENO EXT_NET_ID "Failure creating EXT_NET_ID for $PUBLIC_NETWORK_NAME"
@@ -258,11 +267,12 @@
if [[ -n "$NETWORK_GATEWAY" ]]; then
subnet_params+="--gateway $NETWORK_GATEWAY "
fi
+
subnet_params+="${SUBNETPOOL_V4_ID:+--subnet-pool $SUBNETPOOL_V4_ID} "
subnet_params+="${fixed_range_v4:+--subnet-range $fixed_range_v4} "
subnet_params+="--network $NET_ID $PRIVATE_SUBNET_NAME"
local subnet_id
- subnet_id=$(openstack --os-cloud devstack-admin --os-region "$REGION_NAME" subnet create $subnet_params | grep ' id ' | get_field 2)
+ subnet_id=$(openstack --os-cloud "$NEUTRON_ADMIN_CLOUD_NAME" --os-region "$REGION_NAME" subnet create $subnet_params | grep ' id ' | get_field 2)
die_if_not_set $LINENO subnet_id "Failure creating private IPv4 subnet for $project_id"
echo $subnet_id
}
@@ -285,14 +295,17 @@
subnet_params+="${fixed_range_v6:+--subnet-range $fixed_range_v6} "
subnet_params+="$ipv6_modes --network $NET_ID $IPV6_PRIVATE_SUBNET_NAME "
local ipv6_subnet_id
- ipv6_subnet_id=$(openstack --os-cloud devstack-admin --os-region "$REGION_NAME" subnet create $subnet_params | grep ' id ' | get_field 2)
+ ipv6_subnet_id=$(openstack --os-cloud "$NEUTRON_ADMIN_CLOUD_NAME" --os-region "$REGION_NAME" subnet create $subnet_params | grep ' id ' | get_field 2)
die_if_not_set $LINENO ipv6_subnet_id "Failure creating private IPv6 subnet for $project_id"
echo $ipv6_subnet_id
}
# Create public IPv4 subnet
function _neutron_create_public_subnet_v4 {
- local subnet_params="--ip-version 4 "
+ local admin_project_id
+ admin_project_id=$(openstack project list | grep " admin " | get_field 1)
+ die_if_not_set $LINENO admin_project_id "Failure retrieving project_id for admin"
+ local subnet_params="--ip-version 4 --project $admin_project_id "
subnet_params+="${Q_FLOATING_ALLOCATION_POOL:+--allocation-pool $Q_FLOATING_ALLOCATION_POOL} "
if [[ -n "$PUBLIC_NETWORK_GATEWAY" ]]; then
subnet_params+="--gateway $PUBLIC_NETWORK_GATEWAY "
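Review bot: The `openstack project list` lookup added at the top of `_neutron_create_public_subnet_v4` is the only openstack call in this hunk that passes no `--os-cloud`/`--os-region`, so it runs with whatever OS_* credentials are in the environment, and `grep " admin "` keeps every table row containing that word rather than only the project named admin. A lookup by name with explicit credentials is tighter: `admin_project_id=$(openstack --os-cloud devstack-admin --os-region "$REGION_NAME" project show admin -f value -c id)`. The same three lines are repeated in `_neutron_create_public_subnet_v6` in the next hunk, so a small shared helper would keep the two in step. The function body continues past the end of this hunk.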
@@ -300,26 +313,29 @@
subnet_params+="--network $EXT_NET_ID --subnet-range $FLOATING_RANGE --no-dhcp "
subnet_params+="$PUBLIC_SUBNET_NAME"
local id_and_ext_gw_ip
- id_and_ext_gw_ip=$(openstack --os-cloud devstack-admin --os-region "$REGION_NAME" subnet create $subnet_params | grep -e 'gateway_ip' -e ' id ')
+ id_and_ext_gw_ip=$(openstack --os-cloud "$NEUTRON_ADMIN_CLOUD_NAME" --os-region "$REGION_NAME" subnet create $subnet_params | grep -e 'gateway_ip' -e ' id ')
die_if_not_set $LINENO id_and_ext_gw_ip "Failure creating public IPv4 subnet"
echo $id_and_ext_gw_ip
}
# Create public IPv6 subnet
function _neutron_create_public_subnet_v6 {
- local subnet_params="--ip-version 6 "
+ local admin_project_id
+ admin_project_id=$(openstack project list | grep " admin " | get_field 1)
+ die_if_not_set $LINENO admin_project_id "Failure retrieving project_id for admin"
+ local subnet_params="--ip-version 6 --project $admin_project_id "
subnet_params+="--gateway $IPV6_PUBLIC_NETWORK_GATEWAY "
subnet_params+="--network $EXT_NET_ID --subnet-range $IPV6_PUBLIC_RANGE --no-dhcp "
subnet_params+="$IPV6_PUBLIC_SUBNET_NAME"
local ipv6_id_and_ext_gw_ip
- ipv6_id_and_ext_gw_ip=$(openstack --os-cloud devstack-admin --os-region "$REGION_NAME" subnet create $subnet_params | grep -e 'gateway_ip' -e ' id ')
+ ipv6_id_and_ext_gw_ip=$(openstack --os-cloud "$NEUTRON_ADMIN_CLOUD_NAME" --os-region "$REGION_NAME" subnet create $subnet_params | grep -e 'gateway_ip' -e ' id ')
die_if_not_set $LINENO ipv6_id_and_ext_gw_ip "Failure creating an IPv6 public subnet"
echo $ipv6_id_and_ext_gw_ip
}
# Configure neutron router for IPv4 public access
function _neutron_configure_router_v4 {
- openstack --os-cloud devstack-admin --os-region "$REGION_NAME" router add subnet $ROUTER_ID $SUBNET_ID
+ openstack --os-cloud "$NEUTRON_ADMIN_CLOUD_NAME" --os-region "$REGION_NAME" router add subnet $ROUTER_ID $SUBNET_ID
# Create a public subnet on the external network
local id_and_ext_gw_ip
id_and_ext_gw_ip=$(_neutron_create_public_subnet_v4 $EXT_NET_ID)
@@ -327,7 +343,7 @@
ext_gw_ip=$(echo $id_and_ext_gw_ip | get_field 2)
PUB_SUBNET_ID=$(echo $id_and_ext_gw_ip | get_field 5)
# Configure the external network as the default router gateway
- openstack --os-cloud devstack-admin --os-region "$REGION_NAME" router set --external-gateway $EXT_NET_ID $ROUTER_ID
+ openstack --os-cloud "$NEUTRON_ADMIN_CLOUD_NAME" --os-region "$REGION_NAME" router set --external-gateway $EXT_NET_ID $ROUTER_ID
# This logic is specific to using OVN or the l3-agent for layer 3
if ([[ $Q_AGENT == "ovn" ]] && [[ "$OVN_L3_CREATE_PUBLIC_NETWORK" == "True" ]] && is_service_enabled q-svc neutron-server) || is_service_enabled q-l3 neutron-l3; then
@@ -354,7 +370,7 @@
sudo ip addr add $ext_gw_ip/$cidr_len dev $ext_gw_interface
sudo ip link set $ext_gw_interface up
fi
- ROUTER_GW_IP=$(openstack --os-cloud devstack-admin --os-region "$REGION_NAME" port list -c 'Fixed IP Addresses' --device-owner network:router_gateway | awk -F'ip_address' '{ print $2 }' | cut -f2 -d\' | tr '\n' ' ')
+ ROUTER_GW_IP=$(openstack --os-cloud "$NEUTRON_ADMIN_CLOUD_NAME" --os-region "$REGION_NAME" port list -c 'Fixed IP Addresses' --device-owner network:router_gateway | awk -F'ip_address' '{ print $2 }' | cut -f2 -d\' | tr '\n' ' ')
die_if_not_set $LINENO ROUTER_GW_IP "Failure retrieving ROUTER_GW_IP"
fi
_neutron_set_router_id
@@ -363,7 +379,7 @@
# Configure neutron router for IPv6 public access
function _neutron_configure_router_v6 {
- openstack --os-cloud devstack-admin --os-region "$REGION_NAME" router add subnet $ROUTER_ID $IPV6_SUBNET_ID
+ openstack --os-cloud "$NEUTRON_ADMIN_CLOUD_NAME" --os-region "$REGION_NAME" router add subnet $ROUTER_ID $IPV6_SUBNET_ID
# Create a public subnet on the external network
local ipv6_id_and_ext_gw_ip
ipv6_id_and_ext_gw_ip=$(_neutron_create_public_subnet_v6 $EXT_NET_ID)
@@ -375,7 +391,7 @@
# If the external network has not already been set as the default router
# gateway when configuring an IPv4 public subnet, do so now
if [[ "$IP_VERSION" == "6" ]]; then
- openstack --os-cloud devstack-admin --os-region "$REGION_NAME" router set --external-gateway $EXT_NET_ID $ROUTER_ID
+ openstack --os-cloud "$NEUTRON_ADMIN_CLOUD_NAME" --os-region "$REGION_NAME" router set --external-gateway $EXT_NET_ID $ROUTER_ID
fi
# This logic is specific to using OVN or the l3-agent for layer 3
@@ -396,7 +412,7 @@
sudo sysctl -w net.ipv6.conf.all.forwarding=1
# Configure and enable public bridge
# Override global IPV6_ROUTER_GW_IP with the true value from neutron
- IPV6_ROUTER_GW_IP=$(openstack --os-cloud devstack-admin --os-region "$REGION_NAME" port list -c 'Fixed IP Addresses' | grep $ipv6_pub_subnet_id | awk -F'ip_address' '{ print $2 }' | cut -f2 -d\' | tr '\n' ' ')
+ IPV6_ROUTER_GW_IP=$(openstack --os-cloud "$NEUTRON_ADMIN_CLOUD_NAME" --os-region "$REGION_NAME" port list -c 'Fixed IP Addresses' | grep $ipv6_pub_subnet_id | awk -F'ip_address' '{ print $2 }' | cut -f2 -d\' | tr '\n' ' ')
die_if_not_set $LINENO IPV6_ROUTER_GW_IP "Failure retrieving IPV6_ROUTER_GW_IP"
if is_neutron_ovs_base_plugin; then
@@ -424,7 +440,7 @@
function is_networking_extension_supported {
local extension=$1
# TODO(sc68cal) cache this instead of calling every time
- EXT_LIST=$(openstack --os-cloud devstack-admin --os-region "$REGION_NAME" extension list --network -c Alias -f value)
+ EXT_LIST=$(openstack --os-cloud "$NEUTRON_ADMIN_CLOUD_NAME" --os-region "$REGION_NAME" extension list --network -c Alias -f value)
[[ $EXT_LIST =~ $extension ]] && return 0
}
diff --git a/lib/nova b/lib/nova
index 5fcccff..4f98d4d 100644
--- a/lib/nova
+++ b/lib/nova
@@ -233,6 +233,10 @@
stop_process "n-api-meta"
remove_uwsgi_config "$NOVA_UWSGI_CONF" "$NOVA_UWSGI"
remove_uwsgi_config "$NOVA_METADATA_UWSGI_CONF" "$NOVA_METADATA_UWSGI"
+
+ if [[ "$NOVA_BACKEND" == "LVM" ]]; then
+ clean_lvm_volume_group $DEFAULT_VOLUME_GROUP_NAME
+ fi
}
# configure_nova() - Set config files, create data dirs, etc
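Review bot: The added `clean_lvm_volume_group $DEFAULT_VOLUME_GROUP_NAME` passes the volume group name unquoted and unchecked into a destructive cleanup. Unlike the call this commit removes from unstack.sh, it has neither the `is_package_installed lvm2` guard nor the `|| /bin/true` tolerance. What the helper does with an empty name or a group that was never created is not visible here, so I would quote the argument, `clean_lvm_volume_group "$DEFAULT_VOLUME_GROUP_NAME"`, and confirm the helper is a no-op for a missing group. The enclosing cleanup function starts above this hunk.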
@@ -315,6 +319,14 @@
sudo systemctl daemon-reload
fi
+ # set chap algorithms. The default chap_algorithm is md5 which will
+ # not work under FIPS.
+ # FIXME(alee) For some reason, this breaks openeuler. Openeuler devs should weigh in
+ # and determine the correct solution for openeuler here
+ if ! is_openeuler; then
+ iniset -sudo /etc/iscsi/iscsid.conf DEFAULT "node.session.auth.chap_algs" "SHA3-256,SHA256"
+ fi
+
# ensure that iscsid is started, even when disabled by default
restart_service iscsid
fi
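Review bot: The `if ! is_openeuler` guard leaves openEuler hosts on the iscsid default CHAP algorithm, which the comment above it says is md5, and nothing in the run records that the hardening was skipped. An `else` branch such as `echo "WARNING: node.session.auth.chap_algs left at the iscsid default on openEuler"` would make that visible in the logs, and a bug reference next to the FIXME would make it easier to retire. It may also be worth checking whether the breakage comes from `iniset` adding a `[DEFAULT]` section header to iscsid.conf; that is only a guess, since the file's format is not shown here. The enclosing function begins outside this hunk.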
diff --git a/lib/nova_plugins/functions-libvirt b/lib/nova_plugins/functions-libvirt
index 63882e0..3e7d280 100644
--- a/lib/nova_plugins/functions-libvirt
+++ b/lib/nova_plugins/functions-libvirt
@@ -90,7 +90,7 @@
install_package libvirt libvirt-devel python3-libvirt
if is_arch "aarch64"; then
- install_package edk2.git-aarch64
+ install_package edk2-aarch64
fi
fi
diff --git a/lib/tempest b/lib/tempest
index 8fd54c5..adffeda 100644
--- a/lib/tempest
+++ b/lib/tempest
@@ -90,6 +90,10 @@
# it will run tempest with
TEMPEST_CONCURRENCY=${TEMPEST_CONCURRENCY:-$(nproc)}
+NEUTRON_ADMIN_CLOUD_NAME="devstack-admin"
+if [ "$NEUTRON_ENFORCE_SCOPE" == "True" ]; then
+ NEUTRON_ADMIN_CLOUD_NAME="devstack-system-admin"
+fi
# Functions
# ---------
@@ -115,7 +119,9 @@
local tmp_c
tmp_c=$1
if [[ $TEMPEST_VENV_UPPER_CONSTRAINTS == "master" ]]; then
- (cd $REQUIREMENTS_DIR && git show origin/master:upper-constraints.txt) > $tmp_c
+ (cd $REQUIREMENTS_DIR &&
+ git show master:upper-constraints.txt 2>/dev/null ||
+ git show origin/master:upper-constraints.txt) > $tmp_c
else
echo "Using $TEMPEST_VENV_UPPER_CONSTRAINTS constraints in Tempest virtual env."
cat $TEMPEST_VENV_UPPER_CONSTRAINTS > $tmp_c
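Review bot: In the new subshell, `cd $REQUIREMENTS_DIR && git show master:… 2>/dev/null || git show origin/master:…` groups as `(cd && show) || show`, so a failed `cd` still runs the fallback `git show` in whatever directory the caller was in. Grouping the two lookups fixes that: `(cd "$REQUIREMENTS_DIR" && { git show master:upper-constraints.txt 2>/dev/null || git show origin/master:upper-constraints.txt; }) > "$tmp_c"`. If both lookups fail, `$tmp_c` is left empty, and nothing in this hunk checks for that, so the Tempest venv would be built without constraints. A `[[ -s "$tmp_c" ]]` test after the redirect would catch it. The function starts above the hunk and continues below it.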
@@ -287,8 +293,8 @@
if [[ "$NEUTRON_CREATE_INITIAL_NETWORKS" == "True" ]] && is_networking_extension_supported 'external-net'; then
public_network_id=$(openstack --os-cloud devstack-admin network show -f value -c id $PUBLIC_NETWORK_NAME)
# make sure shared network presence does not confuses the tempest tests
- openstack --os-cloud devstack-admin network create --share shared
- openstack --os-cloud devstack-admin subnet create --description shared-subnet --subnet-range ${TEMPEST_SHARED_POOL:-192.168.233.0/24} --network shared shared-subnet
+ openstack --os-cloud "$NEUTRON_ADMIN_CLOUD_NAME" --os-region "$REGION_NAME" network create --share shared --project "$admin_project_id"
+ openstack --os-cloud "$NEUTRON_ADMIN_CLOUD_NAME" --os-region "$REGION_NAME" subnet create --description shared-subnet --subnet-range ${TEMPEST_SHARED_POOL:-192.168.233.0/24} --network shared shared-subnet --project "$admin_project_id"
fi
iniset $TEMPEST_CONFIG DEFAULT use_syslog $SYSLOG
@@ -443,6 +449,8 @@
iniset $TEMPEST_CONFIG network-feature-enabled ipv6_subnet_attributes "$IPV6_SUBNET_ATTRIBUTES_ENABLED"
iniset $TEMPEST_CONFIG network-feature-enabled port_security $NEUTRON_PORT_SECURITY
+ iniset $TEMPEST_CONFIG enforce_scope neutron "$NEUTRON_ENFORCE_SCOPE"
+
# Scenario
SCENARIO_IMAGE_DIR=${SCENARIO_IMAGE_DIR:-$FILES}
SCENARIO_IMAGE_FILE=$DEFAULT_IMAGE_FILE_NAME
diff --git a/roles/apache-logs-conf/tasks/main.yaml b/roles/apache-logs-conf/tasks/main.yaml
index bd64574..6b7ea37 100644
--- a/roles/apache-logs-conf/tasks/main.yaml
+++ b/roles/apache-logs-conf/tasks/main.yaml
@@ -64,6 +64,7 @@
'Debian': '/etc/apache2/sites-enabled/'
'Suse': '/etc/apache2/conf.d/'
'RedHat': '/etc/httpd/conf.d/'
+ 'openEuler': '/etc/httpd/conf.d/'
- name: Discover configurations
find:
diff --git a/stack.sh b/stack.sh
index a10e6ef..c92cc79 100755
--- a/stack.sh
+++ b/stack.sh
@@ -227,7 +227,7 @@
# Warn users who aren't on an explicitly supported distro, but allow them to
# override check and attempt installation with ``FORCE=yes ./stack``
-SUPPORTED_DISTROS="bullseye|focal|f34|opensuse-15.2|opensuse-tumbleweed|rhel8|rhel9"
+SUPPORTED_DISTROS="bullseye|focal|f34|opensuse-15.2|opensuse-tumbleweed|rhel8|rhel9|openEuler-20.03"
if [[ ! ${DISTRO} =~ $SUPPORTED_DISTROS ]]; then
echo "WARNING: this script has not been tested on $DISTRO"
@@ -278,6 +278,12 @@
sudo chown root:root $TEMPFILE
sudo mv $TEMPFILE /etc/sudoers.d/50_stack_sh
+# TODO(wxy): Currently some base packages are not installed by default in
+# openEuler. Remove the code below once the packaged are installed by default
+# in the future.
+if [[ $DISTRO == "openEuler-20.03" ]]; then
+ install_package hostname
+fi
# Configure Distro Repositories
# -----------------------------
@@ -691,6 +697,8 @@
# Last chance for the database password. This must be handled here
# because read_password is not a library function.
read_password DATABASE_PASSWORD "ENTER A PASSWORD TO USE FOR THE DATABASE."
+
+ define_database_baseurl
else
echo "No database enabled"
fi
@@ -757,7 +765,9 @@
# Bring down global requirements before any use of pip_install. This is
# necessary to ensure that the constraints file is in place before we
# attempt to apply any constraints to pip installs.
-git_clone $REQUIREMENTS_REPO $REQUIREMENTS_DIR $REQUIREMENTS_BRANCH
+# We always need the master branch in addition to any stable branch, so
+# override GIT_DEPTH here.
+GIT_DEPTH=0 git_clone $REQUIREMENTS_REPO $REQUIREMENTS_DIR $REQUIREMENTS_BRANCH
# Install package requirements
# Source it so the entire environment is available
diff --git a/stackrc b/stackrc
index 4fc09af..681e9de 100755
--- a/stackrc
+++ b/stackrc
@@ -403,6 +403,10 @@
GITREPO["oslo.i18n"]=${OSLOI18N_REPO:-${GIT_BASE}/openstack/oslo.i18n.git}
GITBRANCH["oslo.i18n"]=${OSLOI18N_BRANCH:-$TARGET_BRANCH}
+# oslo.limit
+GITREPO["oslo.limit"]=${OSLOLIMIT_REPO:-${GIT_BASE}/openstack/oslo.limit.git}
+GITBRANCH["oslo.limit"]=${OSLOLIMIT_BRANCH:-$TARGET_BRANCH}
+
# oslo.log
GITREPO["oslo.log"]=${OSLOLOG_REPO:-${GIT_BASE}/openstack/oslo.log.git}
GITBRANCH["oslo.log"]=${OSLOLOG_BRANCH:-$TARGET_BRANCH}
diff --git a/tests/test_libs_from_pypi.sh b/tests/test_libs_from_pypi.sh
index ce1b344..839e3a1 100755
--- a/tests/test_libs_from_pypi.sh
+++ b/tests/test_libs_from_pypi.sh
@@ -45,6 +45,7 @@
ALL_LIBS+=" keystoneauth ironic-lib neutron-lib oslo.privsep"
ALL_LIBS+=" diskimage-builder os-vif python-brick-cinderclient-ext"
ALL_LIBS+=" castellan python-barbicanclient ovsdbapp os-ken os-resource-classes"
+ALL_LIBS+=" oslo.limit"
# Generate the above list with
# echo ${!GITREPO[@]}
diff --git a/tools/fixup_stuff.sh b/tools/fixup_stuff.sh
index fe5dafa..750849d 100755
--- a/tools/fixup_stuff.sh
+++ b/tools/fixup_stuff.sh
@@ -148,8 +148,32 @@
sudo rm -rf /usr/lib/python3/dist-packages/simplejson-*.egg-info
}
+function fixup_openeuler {
+ if ! is_openeuler; then
+ return
+ fi
+
+ if is_arch "x86_64"; then
+ arch="x86_64"
+ elif is_arch "aarch64"; then
+ arch="aarch64"
+ fi
+
+ # Some packages' version in openEuler are too old, use the newer ones we
+ # provide in oepkg. (oepkg is an openEuler third part yum repo which is
+ # endorsed by openEuler community)
+ (echo '[openstack-ci]'
+ echo 'name=openstack'
+ echo 'baseurl=https://repo.oepkgs.net/openEuler/rpm/openEuler-20.03-LTS-SP2/budding-openeuler/openstack-master-ci/'$arch'/'
+ echo 'enabled=1'
+ echo 'gpgcheck=0') | sudo tee -a /etc/yum.repos.d/openstack-master.repo > /dev/null
+
+ yum_install liberasurecode-devel
+}
+
function fixup_all {
fixup_ubuntu
fixup_fedora
fixup_suse
+ fixup_openeuler
}
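Review bot: The repo stanza written in `fixup_openeuler` sets `gpgcheck=0`, so every package pulled from the third-party oepkgs repository is installed as root without signature verification. If the repository publishes a signing key, the stanza should set `gpgcheck=1` and name the key in `gpgkey=`. Two smaller problems sit next to it: `tee -a` appends the stanza again on every run, and `arch` is a global that stays unset on any other architecture, which yields a baseurl with an empty path component. The sketch below declares `arch` local, stops when it is unset, overwrites the file instead of appending, and uses a placeholder for the key location, which the page does not give.

```shell
function fixup_openeuler {
    # … unchanged: is_openeuler guard …

    local arch=""
    if is_arch "x86_64"; then
        arch="x86_64"
    elif is_arch "aarch64"; then
        arch="aarch64"
    fi
    die_if_not_set $LINENO arch "No openstack-ci repo for this architecture"

    # … unchanged: comment explaining the oepkg repo …
    # Overwrite (no -a) so repeated runs do not duplicate the section.
    (echo '[openstack-ci]'
    # … unchanged: name, baseurl and enabled lines …
    echo 'gpgcheck=1'
    echo 'gpgkey=<OEPKGS_SIGNING_KEY_URL placeholder>') | sudo tee /etc/yum.repos.d/openstack-master.repo > /dev/null

    # … unchanged: yum_install liberasurecode-devel …
```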
diff --git a/unstack.sh b/unstack.sh
index d9dca7c..4b57b6e 100755
--- a/unstack.sh
+++ b/unstack.sh
@@ -176,10 +176,6 @@
# enabled backends. So if Cinder is enabled, and installed successfully we are
# sure lvm2 (lvremove, /etc/lvm/lvm.conf, etc.) is here.
if is_service_enabled cinder && is_package_installed lvm2; then
- # Using /bin/true here indicates a BUG - maybe the
- # DEFAULT_VOLUME_GROUP_NAME doesn't exist? We should
- # isolate this further down in lib/cinder cleanup.
- clean_lvm_volume_group $DEFAULT_VOLUME_GROUP_NAME || /bin/true
clean_lvm_filter
fi