With Ubuntu bionic base image for drydock docker image, uwsgi crashes
with segmentation fault when it tries to load/import the psycopg2 package.
The reason for this is that uwsgi and psycopg2 packages are built with
incompatible ssl libraries.
Upgrading uwsgi and psycopg2 to address this issue for bionic based
images.
Change-Id: I3d0bfb96c19849f5c2925366f8712bf47985df67
This patch implements Redfish as new OOB driver for Drydock.
All the existing Drydock Orchestrator actions are implemented.
Change-Id: I31d653fb41189a18c34cfafb0f490ca4f4d661b5
The attempted rollback to 1.0.44 still showed instability
in controlling baremetal. This rolls all the way back to the version
used prior to the upgrade.
Change-Id: If8cb8580043575eb68510ca00a2cb19e881ae76e
- Pyghmi 1.0.44 uses pycrypto 2.6.1 which has an open CVE
against it.
- Updating Pyghmi to 1.1.0+ to absorb the change to cryptography
breaks functionality in all testing against baremetal IPMI
interfaces.
- This reversion has minimal risk because the only usage of pycrypto
in Drydock is via the Pyghmi library to initiate connections to
server IPMI interfaces. Arbitrary user input is not used for any
pycrypto arguments.
- This is a temporary solution, long term Drydock will move away from
Pyghmi - either to a different IPMI library or to no IPMI support
and instead using Redfish.
Change-Id: Ie5cd021528f61a3a2c04b156bf60b94b8f42dd5c
- Updating pyghmi to 1.2.x to fix a vulnerability in dependency
pycrypto caused the baremetal gates to fail. Backing off to 1.1.0
does fix the pycrypto issue, but hopefully reverts the functionality
failure
Change-Id: Ie4927fc974b059c643ba32530ed5f3287726480b
The version of pyghmi being used depends on a vulnerable pycrypto
version. Updating to the latest, which depends on cryptography.
This also updates the `freeze` tox job to recreate to ensure proper
updating of the lockfile.
Change-Id: I4a7d82dc8bfad1609a5d5b4e663cf74266b7f6f0
Adding the baclient code to Drydock requires a refactor
of the build automation to support multiple languages
and multiple artifacts included in a single Docker image
NOTE: the go source here is a placeholder 'hello world' sample
Change-Id: I1b4883f018b33b3d4fcd7cbcb6cba660fcdc93de
Add additional tunables to how SQLalchemy creates connection pools
Also start including static doc assets so they can be published
Change-Id: I268dc265a6b6cf1a200b235a5f99e65e89a95637
- Support pkg_list bootactions in the MAAS driver by using
cloud-init user_data on deployment
- Add site definition caching to ease load on Deckhand
Change-Id: I2c8c7dfdd23992fae42fa32edab308f801d05867
- Support one or more repo specifications for a site
- Add object model for repository
- Add testing for repository parsing
Update freeze job with make target
- Update the requirements freeze job
to have a make target that rebuilds the tox
virtualenv each run
- Update Dockerfile to create a valid /etc/protocols file
Change-Id: I9d09b7dd7226827995e23756ff968b36eaa4d16c
- Create a driver to support OOB actions via libvirt API
- Update Makefile with external dependency target
- Update Makefile and tooling to support new chart pipeline
- Add 'drydock' make target for chart building
- Add step to install helm binary
Change-Id: I8a3984d8fd70f99a82a954b7a869eab8e30145b4
* bson is incompatible w/ pip 10, migrate to pymongo bson
* Update tox to run tests w/ locked requirements file as this
is what production images are built with
Change-Id: Iacf3301ddc224f3525102b0204f349b733608138
Start writing JSON schema documents (in YAML) for
the YAML Kinds that Drydock defines
- Wrote schema for baremetalNode, hardwareProfile,
hostProfile, network, networkLink, rack, and region.
- Unit tests for testing validation schemas
Change-Id: Iff52d522fc61893ab07e567e4a4e842c4b4cb25e
Refactor orchestrator to break large
monolithic functions into small functions
per action.
- Update orchestrator to match new statemgmt API
- Pull most code out of __init__.py files
- Create action classes for Orchestrator actions
- Create action classes for Driver actions
- Orchestrator consumes tasks from database queue
- Additional encapsulation of task functionality into Task class
- Create shared integration test fixtures
- Fix Sphinx entrypoint so package install works
- Disable bootdata API until BootAction implementation
- Bring codebase into PEP8 compliance
- Update documentation to reflect code changes
- Mark SQL #nosec for bandit
Change-Id: Id9a7bdedcdd5bbf07aeabbdb52db0f0b71f1e4a4
Add drydock client access to the enquiry API
endpoint and CLI commands to access this endpoint.
Use PrettyTable to output the data.
Add a tox job for creating the frozen dependency list
Change-Id: Ie1724052eb9ae9500e6b0df8f0c78e25ae0617f4
Move sample config to etc/drydock
Update docs to generate a config with tox
Update configuration for Keystone
- Add config generation to tox.ini
- Fix default in bootdata config
- Add keystone dependencies
- Add config generator config
- Move sample config to a skeleton etc/drydock tree
Use PasteDeploy for WSGI integration
Using keystonemiddleware outside of a PasteDeploy
pipeline is deprecated. Move Drydock to use PasteDeploy
and integrate with keystonemiddleware
Update Falcon context object
Add keystone identity fields to context object
Clean up context marker field
Fix AuthMiddleware for keystone
Update falcon middleware to harvest headers injected
by keystonemiddleware
Fix context middleware
Update context middleware to enforce
a UUID-formatted external context marker
Lock keystonemiddleware version
Lock keystonemiddleware version to the Newton release
Sample drydock.conf with keystone
This drydock.conf file is known to integrate successfully
with Keystone via keystonemiddleware and the password plugin
Add .dockerignore
Stop adding .tox environment to docker images
Integrate with oslo.policy
Add oslo.policy 1.9.0 to requirements (Newton release)
Add tox job to generate sample policy.yaml
Create DrydockPolicy as facade for RBAC
Inject policy engine into API init
Create a DrydockPolicy instance and inject it into
the Drydock API resources.
Remove per-resource authorization
Update Drydock context and auth middleware
Update Drydock context to use keystone IDs instead of names as required
by oslo.policy
Update AuthMiddleware to capture headers when request provides
a service token
Add RBAC for /designs API
Add RBAC enforcement for GET and POST of
/api/v1.0/designs endpoint
Refactor check_policy
Refactor check_policy into the base class
Enforce RBAC for /designs/id endpoint
Enforce RBAC on /designs/id/parts endpoint
Enforce RBAC on /designs/id/parts/kind
Enforce RBAC on /designs/id/parts/kinds/
Enforce RBAC on /tasks/ endpoints
Create unit tests
- New unit tests for DrydockPolicy
- New unit tests for AuthMiddleware w/ Keystone integration
Address impacting keystonemiddleware bug
Use v4.9.1 to address https://bugs.launchpad.net/keystonemiddleware/+bug/1653646
Add oslo_config fixtures for unit testing
API base class fixes
Fix an import error in API resource base class
More graceful error handling in drydock_client
Create shared function for checking API response status codes
Create client errors for auth
Create specific Exceptions for Unauthorized
and Forbidden responses
Ignore generated sample configs
Lock iso8601 version
oslo.versionedobjects appears to be incompatible with
iso8601 0.1.12 on Python 3.2+
Update docs for Keystone
Note Keystone as an external dependency and
add notes on correctly configuring Drydock for
Keystone integration
Add keystoneauth1 to list_opts
Explicitly pull keystoneauth password plugin
options when generating a config template
Update reference config for keystone
Update the reference config template
for Keystone integration
Add keystoneauth1 to requirements
Need to directly include keystoneauth1 so that
oslo_config options can be pulled from it
Update config doc for keystoneauth1
Use the keystoneauth1 generated configuration options
for the configuration docs
Remove auth options
Force dependence on Keystone as the only authentication
backend
Clean up imports
Fix how falcon modules are imported
Default to empty role list
Move param extraction
Enforce RBAC before starting to parse parameters
Implement DocumentedRuleDefault
Use DocumentedRuleDefault for policy defaults at request
of @tlam. Requires v 1.21.1 of oslo_policy, which is tied
to the Pike OpenStack release.
Change sample output filenames
Update filenames to follow OpenStack convention
Fix tests to use hex formatted IDs
OpenStack resource IDs are not hyphenated, so update
unit tests to reflect this
Fix formatting and whitespace
Refactor a few small items for code review
Update keystone integration to be more
robust with Newton codebase
Centralize policy_engine reference to
support a decorator-based model
RBAC enforcement decorator
Add unit tests for decorator-based
RBAC and the tasks API
Minor refactoring and format changes
Change-Id: I35f90b0c88ec577fda1077814f5eac5c0ffb41e9