Merge "Simplify pip install"
diff --git a/.zuul.yaml b/.zuul.yaml
index 5dc2169..517e12b 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -80,7 +80,7 @@
name: devstack-single-node-fedora-latest
nodes:
- name: controller
- label: fedora-32
+ label: fedora-34
groups:
- name: tempest
nodes:
@@ -581,6 +581,17 @@
SERVICE_HOST: ""
- job:
+ name: devstack-enforce-scope
+ parent: devstack
+ description: |
+ This job runs the devstack with scope checks enabled.
+ vars:
+ devstack_localrc:
+ # Keep enabeling the services here to run with system scope
+ CINDER_ENFORCE_SCOPE: true
+ GLANCE_ENFORCE_SCOPE: true
+
+- job:
name: devstack-multinode
parent: devstack
nodeset: openstack-two-node-focal
@@ -711,6 +722,7 @@
jobs:
- devstack
- devstack-ipv6
+ - devstack-enforce-scope
- devstack-platform-fedora-latest
- devstack-platform-centos-8-stream
- devstack-async
@@ -765,6 +777,7 @@
jobs:
- devstack
- devstack-ipv6
+ - devstack-enforce-scope
- devstack-multinode
- devstack-unit-tests
- openstack-tox-bashate
diff --git a/doc/source/index.rst b/doc/source/index.rst
index 9f477ab..08ce4cb 100644
--- a/doc/source/index.rst
+++ b/doc/source/index.rst
@@ -63,7 +63,7 @@
.. code-block:: console
$ echo "stack ALL=(ALL) NOPASSWD: ALL" | sudo tee /etc/sudoers.d/stack
- $ sudo su - stack
+ $ sudo -u stack -i
Download DevStack
-----------------
diff --git a/doc/source/plugin-registry.rst b/doc/source/plugin-registry.rst
index 691fffa..490132e 100644
--- a/doc/source/plugin-registry.rst
+++ b/doc/source/plugin-registry.rst
@@ -98,6 +98,7 @@
openstack/solum `https://opendev.org/openstack/solum <https://opendev.org/openstack/solum>`__
openstack/storlets `https://opendev.org/openstack/storlets <https://opendev.org/openstack/storlets>`__
openstack/tacker `https://opendev.org/openstack/tacker <https://opendev.org/openstack/tacker>`__
+openstack/tap-as-a-service `https://opendev.org/openstack/tap-as-a-service <https://opendev.org/openstack/tap-as-a-service>`__
openstack/telemetry-tempest-plugin `https://opendev.org/openstack/telemetry-tempest-plugin <https://opendev.org/openstack/telemetry-tempest-plugin>`__
openstack/trove `https://opendev.org/openstack/trove <https://opendev.org/openstack/trove>`__
openstack/trove-dashboard `https://opendev.org/openstack/trove-dashboard <https://opendev.org/openstack/trove-dashboard>`__
@@ -179,7 +180,6 @@
x/scalpels `https://opendev.org/x/scalpels <https://opendev.org/x/scalpels>`__
x/slogging `https://opendev.org/x/slogging <https://opendev.org/x/slogging>`__
x/stackube `https://opendev.org/x/stackube <https://opendev.org/x/stackube>`__
-x/tap-as-a-service `https://opendev.org/x/tap-as-a-service <https://opendev.org/x/tap-as-a-service>`__
x/tap-as-a-service-dashboard `https://opendev.org/x/tap-as-a-service-dashboard <https://opendev.org/x/tap-as-a-service-dashboard>`__
x/tatu `https://opendev.org/x/tatu <https://opendev.org/x/tatu>`__
x/trio2o `https://opendev.org/x/trio2o <https://opendev.org/x/trio2o>`__
diff --git a/lib/cinder b/lib/cinder
index 7f2f29f..f3e2430 100644
--- a/lib/cinder
+++ b/lib/cinder
@@ -98,6 +98,22 @@
fi
fi
+# When Cinder is used as a backend for Glance, it can be configured to clone
+# the volume containing image data directly in the backend instead of
+# transferring data from volume to volume. Value is a comma separated list of
+# schemes (currently only 'file' and 'cinder' are supported). The default
+# configuration in Cinder is empty (that is, do not use this feature). NOTE:
+# to use this feature you must also enable GLANCE_SHOW_DIRECT_URL and/or
+# GLANCE_SHOW_MULTIPLE_LOCATIONS for glance-api.conf.
+CINDER_ALLOWED_DIRECT_URL_SCHEMES=${CINDER_ALLOWED_DIRECT_URL_SCHEMES:-}
+if [[ -n "$CINDER_ALLOWED_DIRECT_URL_SCHEMES" ]]; then
+ if [[ "${GLANCE_SHOW_DIRECT_URL:-False}" != "True" \
+ && "${GLANCE_SHOW_MULTIPLE_LOCATIONS:-False}" != "True" ]]; then
+ warn $LINENO "CINDER_ALLOWED_DIRECT_URL_SCHEMES is set, but neither \
+GLANCE_SHOW_DIRECT_URL nor GLANCE_SHOW_MULTIPLE_LOCATIONS is True"
+ fi
+fi
+
# For backward compatibility
# Before CINDER_BACKUP_DRIVER was introduced, ceph backup driver was configured
# along with ceph backend driver.
@@ -266,6 +282,9 @@
fi
iniset $CINDER_CONF key_manager backend cinder.keymgr.conf_key_mgr.ConfKeyManager
iniset $CINDER_CONF key_manager fixed_key $(openssl rand -hex 16)
+ if [[ -n "$CINDER_ALLOWED_DIRECT_URL_SCHEMES" ]]; then
+ iniset $CINDER_CONF DEFAULT allowed_direct_url_schemes $CINDER_ALLOWED_DIRECT_URL_SCHEMES
+ fi
# Avoid RPC timeouts in slow CI and test environments by doubling the
# default response timeout set by RPC clients. See bug #1873234 for more
diff --git a/lib/glance b/lib/glance
index cd26d97..9111146 100644
--- a/lib/glance
+++ b/lib/glance
@@ -51,6 +51,18 @@
if is_opensuse; then
GLANCE_STORE_ROOTWRAP_BASE_DIR=/usr/etc/glance
fi
+# When Cinder is used as a glance store, you can optionally configure cinder to
+# optimize bootable volume creation by allowing volumes to be cloned directly
+# in the backend instead of transferring data via Glance. To use this feature,
+# set CINDER_ALLOWED_DIRECT_URL_SCHEMES for cinder.conf and enable
+# GLANCE_SHOW_DIRECT_URL and/or GLANCE_SHOW_MULTIPLE_LOCATIONS for Glance. The
+# default value for both of these is False, because for some backends they
+# present a grave security risk (though not for Cinder, because all that's
+# exposed is the volume_id where the image data is stored.) See OSSN-0065 for
+# more information: https://wiki.openstack.org/wiki/OSSN/OSSN-0065
+GLANCE_SHOW_DIRECT_URL=$(trueorfalse False GLANCE_SHOW_DIRECT_URL)
+GLANCE_SHOW_MULTIPLE_LOCATIONS=$(trueorfalse False GLANCE_SHOW_MULTIPLE_LOCATIONS)
+
# Glance multi-store configuration
# Boolean flag to enable multiple store configuration for glance
GLANCE_ENABLE_MULTIPLE_STORES=$(trueorfalse False GLANCE_ENABLE_MULTIPLE_STORES)
@@ -333,6 +345,9 @@
if [ "$VIRT_DRIVER" = 'libvirt' ] && [ "$LIBVIRT_TYPE" = 'parallels' ]; then
iniset $GLANCE_API_CONF DEFAULT disk_formats "ami,ari,aki,vhd,vmdk,raw,qcow2,vdi,iso,ploop"
fi
+ # Only use these if you know what you are doing! See OSSN-0065
+ iniset $GLANCE_API_CONF DEFAULT show_image_direct_url $GLANCE_SHOW_DIRECT_URL
+ iniset $GLANCE_API_CONF DEFAULT show_multiple_locations $GLANCE_SHOW_MULTIPLE_LOCATIONS
# Configure glance_store
configure_glance_store $USE_CINDER_FOR_GLANCE $GLANCE_ENABLE_MULTIPLE_STORES
diff --git a/lib/keystone b/lib/keystone
index e282db0..66e867c 100644
--- a/lib/keystone
+++ b/lib/keystone
@@ -134,12 +134,6 @@
# Cache settings
KEYSTONE_ENABLE_CACHE=${KEYSTONE_ENABLE_CACHE:-True}
-# Flag to set the oslo_policy.enforce_scope. This is used to switch
-# the Identity API policies to start checking the scope of token. By Default,
-# this flag is False.
-# For more detail: https://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo_policy.enforce_scope
-KEYSTONE_ENFORCE_SCOPE=$(trueorfalse False KEYSTONE_ENFORCE_SCOPE)
-
# Functions
# ---------
@@ -287,11 +281,6 @@
iniset $KEYSTONE_CONF security_compliance lockout_duration $KEYSTONE_LOCKOUT_DURATION
iniset $KEYSTONE_CONF security_compliance unique_last_password_count $KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT
fi
- if [[ "$KEYSTONE_ENFORCE_SCOPE" == True ]] ; then
- iniset $KEYSTONE_CONF oslo_policy enforce_scope true
- iniset $KEYSTONE_CONF oslo_policy enforce_new_defaults true
- iniset $KEYSTONE_CONF oslo_policy policy_file policy.yaml
- fi
}
# create_keystone_accounts() - Sets up common required keystone accounts
diff --git a/lib/libraries b/lib/libraries
old mode 100644
new mode 100755
index c7aa815..67ff21f
--- a/lib/libraries
+++ b/lib/libraries
@@ -59,6 +59,7 @@
# Non oslo libraries are welcomed below as well, this prevents
# duplication of this code.
GITDIR["os-brick"]=$DEST/os-brick
+GITDIR["os-resource-classes"]=$DEST/os-resource-classes
GITDIR["os-traits"]=$DEST/os-traits
# Support entry points installation of console scripts
@@ -122,6 +123,7 @@
#
# os-traits for nova
_install_lib_from_source "os-brick"
+ _install_lib_from_source "os-resource-classes"
_install_lib_from_source "os-traits"
#
# python client libraries we might need from git can go here
diff --git a/lib/tempest b/lib/tempest
index a1c02ef..8fd54c5 100644
--- a/lib/tempest
+++ b/lib/tempest
@@ -600,15 +600,6 @@
fi
done
- # ``enforce_scope``
- # If services enable the enforce_scope for their policy
- # we need to enable the same on Tempest side so that
- # test can be run with scoped token.
- if [[ "$KEYSTONE_ENFORCE_SCOPE" == True ]] ; then
- iniset $TEMPEST_CONFIG enforce_scope keystone true
- iniset $TEMPEST_CONFIG auth admin_system 'all'
- iniset $TEMPEST_CONFIG auth admin_project_name ''
- fi
iniset $TEMPEST_CONFIG enforce_scope glance "$GLANCE_ENFORCE_SCOPE"
iniset $TEMPEST_CONFIG enforce_scope cinder "$CINDER_ENFORCE_SCOPE"
diff --git a/stack.sh b/stack.sh
index 1aa96c9..48f61fb 100755
--- a/stack.sh
+++ b/stack.sh
@@ -300,10 +300,14 @@
}
function _install_rdo {
- # NOTE(ianw) 2020-04-30 : when we have future branches, we
- # probably want to install the relevant branch RDO release as
- # well. But for now it's all master.
- sudo dnf -y install https://rdoproject.org/repos/rdo-release.el8.rpm
+ if [[ "$TARGET_BRANCH" == "master" ]]; then
+ # rdo-release.el8.rpm points to latest RDO release, use that for master
+ sudo dnf -y install https://rdoproject.org/repos/rdo-release.el8.rpm
+ else
+ # For stable branches use corresponding release rpm
+ rdo_release=$(echo $TARGET_BRANCH | sed "s|stable/||g")
+ sudo dnf -y install https://rdoproject.org/repos/openstack-${rdo_release}/rdo-release-${rdo_release}.el8.rpm
+ fi
sudo dnf -y update
}
diff --git a/stackrc b/stackrc
old mode 100644
new mode 100755
index 0501659..620b1fc
--- a/stackrc
+++ b/stackrc
@@ -548,6 +548,10 @@
GITBRANCH["neutron-lib"]=${NEUTRON_LIB_BRANCH:-$TARGET_BRANCH}
GITDIR["neutron-lib"]=$DEST/neutron-lib
+# os-resource-classes library containing a list of standardized resource classes for OpenStack
+GITREPO["os-resource-classes"]=${OS_RESOURCE_CLASSES_REPO=:-${GIT_BASE}/openstack/os-resource-classes.git}
+GITBRANCH["os-resource-classes"]=${OS_RESOURCE_CLASSES_BRANCH:-$TARGET_BRANCH}
+
# os-traits library for resource provider traits in the placement service
GITREPO["os-traits"]=${OS_TRAITS_REPO:-${GIT_BASE}/openstack/os-traits.git}
GITBRANCH["os-traits"]=${OS_TRAITS_BRANCH:-$TARGET_BRANCH}
diff --git a/tests/test_libs_from_pypi.sh b/tests/test_libs_from_pypi.sh
index 5b53389..ce1b344 100755
--- a/tests/test_libs_from_pypi.sh
+++ b/tests/test_libs_from_pypi.sh
@@ -44,7 +44,7 @@
ALL_LIBS+=" oslo.cache oslo.reports osprofiler cursive"
ALL_LIBS+=" keystoneauth ironic-lib neutron-lib oslo.privsep"
ALL_LIBS+=" diskimage-builder os-vif python-brick-cinderclient-ext"
-ALL_LIBS+=" castellan python-barbicanclient ovsdbapp os-ken"
+ALL_LIBS+=" castellan python-barbicanclient ovsdbapp os-ken os-resource-classes"
# Generate the above list with
# echo ${!GITREPO[@]}