Add support for application of apparmor profiles to
neutron and nova daemons that run on neutron-gateway
units.
By default this is disabled but may be enabled by setting
the aa-profile-mode option to either 'complain' or 'enforce'.
Note that the apparmor profiles do not try to reproduce the
permissions required for all operations that may be undertaken
using oslo.rootwrap; daemons are granted permission to run
'sudo' without any apparmor based restrictions.
Change-Id: Ibe568a46ee4c1f1148c162f0f0b2907153770efe

It's possible that the nova-api-metadata will start up during the
time that the nova-conductor processes on the nova-cloud-controller
units are still starting up, resulting in a messaging timeout which
causes the daemon to exit 0.
Upstart will restart a service in this scenario, however systemd is
configured in packaging to only restart 'on-failure' so will not
attempt to restart.
This points to two other bugs - one that a messaging timeout results
in an exit code of 0, and that the OpenStack services under systemd
behave differently to under upstart.
Install an override file for systemd based installs to mimic the
behaviour of upstart, and deal with a code logic problem in the
restart_trigger handling to ensure that the charm does at least
try to restart the nova-api-metadata service at the right points
in time.
Change-Id: Ia08b7840efa33fd301d0e2c55bb30ae1a102cbfa
Closes-Bug: 1547122

The nova-cloud-controller charm set the relation key 'restart_trigger';
this charm was using 'restart_nonce' which obviously never gets set,
so the nova-api-metadata service would never actually get restarted
when required.
Use the correct relation key, fixing remote restart triggers for
nova-api-metadata, resolving races in deployment.
Change-Id: Ic3dbdd41f87c0362f7f725d0f58458f5239ea093
Closes-Bug: 1547122

The nova-cloud-controller presents a restart_nonce key on the
quantum-network-service relation once db migration has been
completed and the nova-conductor service is able to respond to
RPC calls.
Restart the nova-api-metadata when this data changes to ensure
a running service post deployment.
Change-Id: Iafc27fbb2a70e3195fc189e4056a1ca58ff6b663
Closes-Bug: 1547122

Adds pause and resume unit to the charm such that the
charm stays paused during maintenance operations.
Change-Id: I2ee7c87549279b29a9cb2e4e6747953cd6825b79
Partial-Bug: 1558642

Add charmhelpers.contrib.hardening and calls to install,
config-changed, upgrade-charm and update-status hooks.
Also add new config option to allow one or more hardening
modules to be applied at runtime.
Change-Id: I0f3035c8f8feae90ad3572297fab0ac28e7d97e2

Includes dropping support for quantum, nvp plugin (renamed
nsx long ago) and generally refactoring the unit tests
around no longer having to deal with neutron and quantum in
the same codebase.
Drop support for database connections - these are no longer
required as all DB access is now via RPC to nova-conductor
or neutron-server.
Roll-up configuration file templates < icehouse, remove any
that are no longer required.
Refactor basic_deployment a bit as it was using the shared-db
relation to retrieve the n-gateway units private-address.
Change-Id: I22957c0e21c4dd49e5aa74795173b4fc8f043f55