Remove `nova-consoleauth` package as of Train

The Nova console authorization has been moved to the database backend and the separate service and package is no longer necessary. Change-Id: I672ae9538dc687a1c868bf99001041a54241ec24 Closes-Bug: #1848478
2019-10-17 12:29:40 +02:00 · 2019-10-17 12:29:40 +02:00 · bf2cd49829
commit bf2cd49829
parent 81860afeca
4 changed files with 77 additions and 24 deletions
--- a/hooks/nova_cc_common.py
+++ b/hooks/nova_cc_common.py
@ -30,20 +30,20 @@ API_PORTS = {

 CONSOLE_CONFIG = {
    'spice': {
-        'packages': ['nova-spiceproxy', 'nova-consoleauth'],
-        'services': ['nova-spiceproxy', 'nova-consoleauth'],
+        'packages': ['nova-spiceproxy'],
+        'services': ['nova-spiceproxy'],
        'proxy-page': '/spice_auto.html',
        'proxy-port': 6082,
    },
    'novnc': {
-        'packages': ['nova-novncproxy', 'nova-consoleauth'],
-        'services': ['nova-novncproxy', 'nova-consoleauth'],
+        'packages': ['nova-novncproxy'],
+        'services': ['nova-novncproxy'],
        'proxy-page': '/vnc_auto.html',
        'proxy-port': 6080,
    },
    'xvpvnc': {
-        'packages': ['nova-xvpvncproxy', 'nova-consoleauth'],
-        'services': ['nova-xvpvncproxy', 'nova-consoleauth'],
+        'packages': ['nova-xvpvncproxy'],
+        'services': ['nova-xvpvncproxy'],
        'proxy-page': '/console',
        'proxy-port': 6081,
    },
--- a/hooks/nova_cc_hooks.py
+++ b/hooks/nova_cc_hooks.py
@ -292,7 +292,7 @@ def config_changed():
    for rid in hookenv.relation_ids('ha'):
        ha_joined(rid)
    if (not ch_utils.is_unit_paused_set() and
-            ncc_utils.is_console_auth_enabled()):
+            ncc_utils.is_consoleauth_enabled()):
        ch_host.service_resume('nova-consoleauth')
    # call the policy overrides handler which will install any policy overrides
    policyd.maybe_do_policyd_overrides_on_config_changed(
--- a/hooks/nova_cc_utils.py
+++ b/hooks/nova_cc_utils.py
@ -222,9 +222,8 @@ CA_CERT_PATH = '/usr/local/share/ca-certificates/keystone_juju_ca_cert.crt'
 NOVA_SSH_DIR = '/etc/nova/compute_ssh/'

 SERIAL_CONSOLE = {
-    'packages': ['nova-serialproxy', 'nova-consoleauth',
-                 'websockify'],
-    'services': ['nova-serialproxy', 'nova-consoleauth'],
+    'packages': ['nova-serialproxy', 'websockify'],
+    'services': ['nova-serialproxy'],
 }


@ -283,6 +282,9 @@ def resource_map(actual_services=True):
    if is_serial_console_enabled(cmp_os_release):
        _resource_map[NOVA_CONF]['services'] += SERIAL_CONSOLE['services']

+    if is_consoleauth_enabled(cmp_os_release):
+        _resource_map[NOVA_CONF]['services'] += ['nova-consoleauth']
+
    # also manage any configs that are being updated by subordinates.
    vmware_ctxt = ch_context.SubordinateConfigContext(
        interface='nova-vmware', service='nova', config_file=NOVA_CONF)
@ -404,6 +406,8 @@ def determine_packages():
        packages.extend(common.console_attributes('packages'))
    if is_serial_console_enabled(release):
        packages.extend(SERIAL_CONSOLE['packages'])
+    if is_consoleauth_enabled(release):
+        packages.extend(['nova-consoleauth'])
    packages.extend(
        ch_utils.token_cache_pkgs(source=hookenv.config('openstack-origin')))
    if release >= 'rocky':
@ -558,14 +562,30 @@ def is_serial_console_enabled(cmp_os_release=None):
    return hookenv.config('enable-serial-console') and cmp_os_release >= 'juno'


-def is_console_auth_enabled():
-    """Determine whether console auth is enabled in this deploy
+def is_consoleauth_enabled(cmp_os_release=None):
+    """Determine whether the ``consoleauth`` service is enabled in this deploy

-    :returns: Whether console auth is enabled in this deploy
+    Note that the fact that the service is enabled or not may not be tied to
+    the reality of Nova doing console access authorization.
+
+    Since OpenStack Rocky the console token authorization storage has been
+    moved to the database backend, and in OpenStack Train the service
+    was removed.
+
+    https://github.com/openstack/nova/blob/master/releasenotes/notes/deprecate-nova-consoleauth-ed6ccbc324a0fb10.yaml
+
+    :param cmp_os_release: Release comparison object.
+    :type cmp_os_release: charmhelpers.contrib.openstack.utils.
+                          CompareOpenStackReleases
+    :returns: Whether ``consoleauth`` service is enabled in this deploy
    :rtype: bool
    """
-    return bool(is_serial_console_enabled() or
-                hookenv.config('console-access-protocol'))
+    if not cmp_os_release:
+        release = ch_utils.os_release('nova-common')
+        cmp_os_release = ch_utils.CompareOpenStackReleases(release)
+    return cmp_os_release < 'train' and (bool(is_serial_console_enabled() or
+                                         hookenv.config(
+                                             'console-access-protocol')))


 def is_db_initialised():
--- a/unit_tests/test_nova_cc_utils.py
+++ b/unit_tests/test_nova_cc_utils.py
@ -278,6 +278,11 @@ class NovaCCUtilsTests(CharmTestCase):
        console_services = ['nova-xvpvncproxy', 'nova-consoleauth']
        for service in console_services:
            self.assertIn(service, _map['/etc/nova/nova.conf']['services'])
+        self.os_release.return_value = 'train'
+        _map = utils.resource_map()
+        self.assertNotIn(
+            'nova-consoleauth',
+            _map['/etc/nova/nova.conf']['services'])

    @patch('charmhelpers.contrib.openstack.context.SubordinateConfigContext')
    def test_resource_map_console_novnc(self, subcontext):
@ -288,6 +293,11 @@ class NovaCCUtilsTests(CharmTestCase):
        console_services = ['nova-novncproxy', 'nova-consoleauth']
        for service in console_services:
            self.assertIn(service, _map['/etc/nova/nova.conf']['services'])
+        self.os_release.return_value = 'train'
+        _map = utils.resource_map()
+        self.assertNotIn(
+            'nova-consoleauth',
+            _map['/etc/nova/nova.conf']['services'])

    @patch('charmhelpers.contrib.openstack.context.SubordinateConfigContext')
    def test_resource_map_console_vnc(self, subcontext):
@ -299,6 +309,11 @@ class NovaCCUtilsTests(CharmTestCase):
                            'nova-consoleauth']
        for service in console_services:
            self.assertIn(service, _map['/etc/nova/nova.conf']['services'])
+        self.os_release.return_value = 'train'
+        _map = utils.resource_map()
+        self.assertNotIn(
+            'nova-consoleauth',
+            _map['/etc/nova/nova.conf']['services'])

    def test_console_attributes_none(self):
        self.test_config.set('console-access-protocol', 'None')
@ -326,6 +341,11 @@ class NovaCCUtilsTests(CharmTestCase):
        console_services = ['nova-spiceproxy', 'nova-consoleauth']
        for service in console_services:
            self.assertIn(service, _map['/etc/nova/nova.conf']['services'])
+        self.os_release.return_value = 'train'
+        _map = utils.resource_map()
+        self.assertNotIn(
+            'nova-consoleauth',
+            _map['/etc/nova/nova.conf']['services'])

    @patch('charmhelpers.contrib.openstack.neutron.os_release')
    @patch('os.path.exists')
@ -419,8 +439,8 @@ class NovaCCUtilsTests(CharmTestCase):
        _servs = utils.common.console_attributes('services')
        _pkgs = utils.common.console_attributes('packages')
        _proxy_page = utils.common.console_attributes('proxy-page')
-        vnc_pkgs = ['nova-novncproxy', 'nova-xvpvncproxy', 'nova-consoleauth']
-        vnc_servs = ['nova-novncproxy', 'nova-xvpvncproxy', 'nova-consoleauth']
+        vnc_pkgs = ['nova-novncproxy', 'nova-xvpvncproxy']
+        vnc_servs = ['nova-novncproxy', 'nova-xvpvncproxy']
        self.assertEqual(_proto, 'vnc')
        self.assertEqual(sorted(_servs), sorted(vnc_servs))
        self.assertEqual(sorted(_pkgs), sorted(vnc_pkgs))
@ -472,6 +492,10 @@ class NovaCCUtilsTests(CharmTestCase):
        console_pkgs = ['nova-spiceproxy', 'nova-consoleauth']
        for console_pkg in console_pkgs:
            self.assertIn(console_pkg, pkgs)
+        self.os_release.return_value = 'train'
+        pkgs = utils.determine_packages()
+        self.assertNotIn(
+            'nova-consoleauth', pkgs)

    @patch('charmhelpers.contrib.openstack.context.SubordinateConfigContext')
    def test_determine_packages_base_icehouse(self, subcontext):
@ -541,6 +565,9 @@ class NovaCCUtilsTests(CharmTestCase):
        console_pkgs = ['nova-serialproxy', 'nova-consoleauth']
        for console_pkg in console_pkgs:
            self.assertIn(console_pkg, pkgs)
+        self.os_release.return_value = 'train'
+        pkgs = utils.determine_packages()
+        self.assertNotIn('nova-consoleauth', pkgs)

    @patch('charmhelpers.contrib.openstack.context.SubordinateConfigContext')
    def test_determine_packages_serial_console_icehouse(self, subcontext):
@ -1409,28 +1436,34 @@ class NovaCCUtilsTests(CharmTestCase):
            utils.is_serial_console_enabled())

    @patch.object(utils, 'is_serial_console_enabled')
-    def test_is_console_auth_enabled(self, is_serial_console_enabled):
+    def test_is_consoleauth_enabled(self, is_serial_console_enabled):
+        self.os_release.return_value = 'mitaka'
        is_serial_console_enabled.return_value = True
        self.test_config.set('console-access-protocol', 'vnc')
        self.assertTrue(
-            utils.is_console_auth_enabled())
+            utils.is_consoleauth_enabled())
+        self.os_release.return_value = 'train'
+        self.assertFalse(
+            utils.is_consoleauth_enabled())

    @patch.object(utils, 'is_serial_console_enabled')
-    def test_is_console_auth_enabled_no_serial(self,
-                                               is_serial_console_enabled):
+    def test_is_consoleauth_enabled_no_serial(self,
+                                              is_serial_console_enabled):
+        self.os_release.return_value = 'mitaka'
        is_serial_console_enabled.return_value = False
        self.test_config.set('console-access-protocol', 'vnc')
        self.assertTrue(
-            utils.is_console_auth_enabled())
+            utils.is_consoleauth_enabled())

    @patch.object(utils, 'is_serial_console_enabled')
-    def test_is_console_auth_enabled_no_serial_no_console(
+    def test_is_consoleauth_enabled_no_serial_no_console(
            self,
            is_serial_console_enabled):
+        self.os_release.return_value = 'mitaka'
        is_serial_console_enabled.return_value = False
        self.test_config.set('console-access-protocol', None)
        self.assertFalse(
-            utils.is_console_auth_enabled())
+            utils.is_consoleauth_enabled())

    @patch.object(utils, 'get_cell_uuid')
    @patch('subprocess.check_output')