With the plan [1] to stop enabling it by Neutron iptables firewall
driver itself, deployment tools should catch up and enable the firewall
themselves.
This is needed for distributions that decided to disable the kernel
firewall by default (upstream kernel has it enabled). This is also
needed for distributions that ship newer kernels but don't load the
br_netfilter module before starting nova-network or Neutron iptables
firewall driver. In the latter case, firewall may not work, depending on
the order of operations executed by the driver.
To isolate devstack setups from the difference in distribution
kernel configuration and version, the following steps are done:
- we load bridge kernel module, and br_netfilter if present, to get
  access to sysctl knobs controlling the firewall;
- once knobs are available, we unconditionally set them to 1, to make
  sure the firewall is in effect.
More details at:
http://wiki.libvirt.org/page/Net.bridge.bridge-nf-call_and_sysctl.conf
[1] I9137ea017624ac92a05f73863b77f9ee4681bbe7
Change-Id: Id6bfd9595f0772a63d1096ef83ebbb6cd630fafd
Related-Bug: #1622914
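Added example (not part of the commit above and not DevStack's own code): a read-only audit of the state that commit message describes, reporting whether the bridge firewall knobs exist and are set to 1. The knob list and the function name check_bridge_firewall are assumptions of this example; run it with no argument on a real host to read /proc/sys/net/bridge.

```shell
#!/bin/sh
# Audit the bridge firewall sysctl knobs (added example, not DevStack code).
# Exit status: 0 = every knob is 1
#              1 = at least one knob is present but not 1
#              2 = knobs absent (bridge / br_netfilter not loaded)

# Which knobs to check is an assumption of this example.
BRIDGE_KNOBS="bridge-nf-call-iptables bridge-nf-call-ip6tables"

check_bridge_firewall() {
    # $1: directory holding the knobs. Overridable so the check can be
    # exercised against a constructed tree without root privileges.
    dir="${1:-/proc/sys/net/bridge}"
    status=0
    if [ ! -d "$dir" ]; then
        echo "MISSING  $dir (bridge/br_netfilter not loaded?)"
        return 2
    fi
    for knob in $BRIDGE_KNOBS; do
        if [ ! -r "$dir/$knob" ]; then
            echo "MISSING  $knob"
            # Only report "absent" if nothing worse was seen so far.
            if [ "$status" -eq 0 ]; then status=2; fi
        else
            val=$(cat "$dir/$knob")
            if [ "$val" = "1" ]; then
                echo "OK       $knob=1"
            else
                # Bridged frames bypass this table: filtering is off.
                echo "DISABLED $knob=$val"
                status=1
            fi
        fi
    done
    return "$status"
}

# Constructed sample: a fake sysctl tree with ip6tables filtering disabled.
demo_dir=$(mktemp -d)
echo 1 > "$demo_dir/bridge-nf-call-iptables"
echo 0 > "$demo_dir/bridge-nf-call-ip6tables"
check_bridge_firewall "$demo_dir" || echo "exit status: $?"
rm -rf "$demo_dir"
```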
Nova ships with an empty policy.json file which it does not need.
oslo.policy previously required the empty file to be there but as of
version 1.14.0 it is possible to run with no policy file at all. Since
there are no policies defined in the sample file let's not install it.
Change-Id: I85a251376dfe38caa4b100861bf764014a98bc37
Depends-On: I09fa842ffbe75bed269cef6edc9c82d18bfe9297
Stud is now abandonware (see https://github.com/bumptech/stud) and is
not packaged in xenial. Let's use Apache for SSL termination since it's
there already.
Change-Id: Ifcba410f5969521e8b3d30f02795541c1661f83a
This patch sets up cellsv2 for Nova after plugin initialization phase.
Since this requires compute hosts to be started, we need to do it
after we have initialized all other plugins. Things like ironic
aren't set up when we were running this as part of nova setup, and
thus this command can fail.
When cellsv1 is used (n-cell is enabled) skip calling
cells_v2 simple_cell_setup, which will never have hosts
at the top level and which will always fail.
Change-Id: Ic7d0115da51d6ea17ee49071af259a7789c62ab9
Depends-On: I9bbaa4c92503222c9fd015fe075926b50f3dcc8c
As part of Nova cellsv2 there is now a third database that must be set up
for use by Nova. This database is an exact copy of the 'nova' database.
Only do this if NOVA_CONFIGURE_CELLSV2 is overridden.
Change-Id: I8775b8066ba85fbdbcdfb42c28cb567fc7759fe5
We really should be using the metadata server more in our normal
testing, this changes the default to use it.
Change-Id: I8ef14e6110da1160163c0106e32032d27226f929
Run "nova-manage cell_v2 simple_cell_setup --transport_url ..." after
Nova is started. This will add all compute hosts into a new cell, and
set up a db for cell0.
Change-Id: I50a955b97d0e18426406c15397bdfbc9e807d908
Depends-On: I559f9c87e89926414b368cac9442dec4eadcb89b
This config option is required in order for nova notifications to
function, and enabling it doesn't cause any harm (there is another
option for turning notifications on).
Change-Id: I309af6cc43af485f795c368d304ebe71fceb1a03
nova-net is deprecated, and it's long time to switch to neutron by
default. This patch does that, and has an auto configuration mode that
mostly just works for the basic case.
It does this by assuming that unless the user specifies an interface
for it to manage, that it will not automatically have access to a
physical interface. The floating range is put on br-ex (per normal),
fixed ranges stay on their OVS interfaces.
Because there is no dedicated interface managed by neutron, we add an
iptables rule which allows guests to route out. While somewhat
synthetic, it does provide a working out of the box developer
experience, and is not hugely more synthetic than all the other
interface / route setup we have to do for the system.
You should be able to run this with a local.conf of just

    [[local|localrc]]
    ADMIN_PASSWORD=pass
    DATABASE_PASSWORD=pass
    RABBIT_PASSWORD=pass
    SERVICE_PASSWORD=pass

And get a working neutron on a single interface box
Documentation will come in subsequent patches, however getting the
code out there and getting feedback is going to help shape this
direction.
Change-Id: I185325a684372e8a2ff25eae974a9a2a2d6277e0
The privsep helper should have a sane default for all libraries,
pushing this into devstack means we cheat past a part of the upgrade
that we really shouldn't be.
Change-Id: I52259e2023e277e8fd62be5df4fd7f799e9b36d7
privsep will default to invoking privsep-helper directly
via sudo, which won't work for people with a locked down
sudo config. To deal with this we should explicitly
configure the os-vif plugins to use nova-rootwrap for
running privsep-helper. This change makes such a change
for the two official in-tree os-vif plugins.
Change-Id: I3d26251206a57599385f2b9f3e0ef7d91daafe35
Future oslo.messaging is going to deprecate usage of driver-specific
options for hosts/port/user/password options.
This change uses transport_url that exists since a while now and
works with all drivers (even devstack handles only the rabbit one).
Change-Id: I3006b96ff93a3468249177c31c359c2f9ddc5db6
When the nova backend is LVM we set some libvirt configs
in nova.conf. Those should happen in the libvirt plugin
file rather than the generic nova file since it's specific
to running nova-compute with libvirt.
Change-Id: I37a63a5fba2e9eea4daafe4ec390b2e7aac236f3
There are a few CI efforts going on related to jobs that use the lvm
image backend for the libvirt driver in Nova. We don't want to waste
time zero'ing out volumes during CI runs, so we need a way to configure
nova to not clear the volumes in these jobs.
This change adds a variable used to set the CONF.libvirt.volume_clear
value in nova.conf. If the variable isn't set, Nova just uses the default.
This will be set to 'none' in the jobs that are going to use LVM.
Co-Authored-By: Matt Riedemann <mriedem@us.ibm.com>
Change-Id: I1e97ba6ab4772a87192ae2689a25050d432358ab
Currently, the db sync operation does not specify the config dir or
config file.
If there is a config file in the home path, it will use this one,
but not the right one devstack writes.
Set config file to these operations.
Change-Id: Id1fbc3d85280c19596f5ebd301c46bcf018fa2f6
Closes-Bug: #1578098
There are two implementations of a similar API in the Nova repository.
One is newer: v2.1 API, another is legacy: v2 API. v2.1 API has been
used as the default API since Liberty and legacy v2 API has been marked
as deprecated. We have used and tested v2.1 API so well and now is
a nice time to remove legacy API code based on the consensus of the
design summit of Austin.
This patch removes NOVA_V2_LEGACY which set up legacy API code.
NOTE: The gate job which uses this NOVA_V2_LEGACY option has been
removed already since Iac81b7d569b76b99e9d86eaa5001ae7f9b78cdfe.
Partially implements blueprint remove-legacy-v2-api-code
Change-Id: I0e16b7ce608d7eeb3a35fd77e66531dfc8c142ef
In a multiregion installation of devstack, conflicts occur in the
creation of images, networks, or volume types, when the region is not
set.
This patch adjusts commands to include the region, and
also adjusts the region_name in the nova configuration section of
neutron.conf to include the region.
Change-Id: Ifedff6a124fa49d57cc7b2f35916d8d96f5e5f7a
This reverts commit 7d1ec430046256ac3f536f4920a43936e28ef0c4.
This broke the sahara and layer4 dsvm jobs. The layer4 job
is voting on tempest changes so tempest is also broken.
Change-Id: Ide69f10cd85bf7ff0d86bc8cba56dedd26850362
Partial-Bug: #1573868
We really should only have code that create endpoints once, making all
osc calls get_or_set adds 3 seconds per call for no really good
reason.
This also stops creating the internal endpoints in the service
catalog. It's a pattern that we're trying not to propagate, so let's
not have it in devstack any more.
Change-Id: Ia8cefe43753900d62117beae330db46deb6a9fc9
Make it possible to construct the service users in their own separate
domain. Changing this away from Default will not work for everyone yet,
though it does work for basic service interaction; however, enabling it
will allow us to start testing and hopefully gating that services aren't
relying on v2 only concepts.
Change-Id: I7e73df5dd1caabf355783da2bc0f3007ade92fba
The test job "gate-tempest-dsvm-cells" uses the Nova cells concept.
This triggered a deprecation warning:
    WARNING oslo_config.cfg [...]
    Option "rabbit_virtual_host" from group "DEFAULT" is deprecated.
    Use option "rabbit_virtual_host" from group "oslo_messaging_rabbit".
This change removes that warning.
Change-Id: Ieaf437ecbf58edb8994f6afcb0ac2afcd5585a1e
Change 0b9e378cca2be4e034ad401d71fbe4470907f93a moved the
api_paste_config from the DEFAULT group to the wsgi group
and deprecated its usage in DEFAULT.
Change-Id: I283db638e76b986d3e728c6caf34a0b3f37fc9b6
This makes us depend on n-api being enabled, which should avoid running
this on subnodes, where it fails because of no credentials.
Change-Id: I209bd59cd57be27c3375f5a2074361307abcafe9
Closes-Bug: #1567065
Nova API itself supports both URL modes:
with project-id and without project-id
However, we are changing service catalogs for removing project-id
based on the discussion.
We have agreement on https://review.openstack.org/#/c/181393 like the
following:
- Standard required naming for endpoints (versioned vs. unversioned,
  contains project ID vs. no project ID).
  * We want unversioned endpoints so that the user can get
    information about multiple available versions in a given cloud.
  * We do not want project ID, account ID, or tenant ID as part of
    the resource URI for an OpenStack API endpoint.
So this patch removes project-id from Nova service catalog for this
direction.
Change-Id: Ifd74152727b5c0c75924419a7a52e024a69ce72c
This makes devstack create default flavors in nova, like cinder, now
that nova no longer hard-codes them into its database.
The flavors created here match the legacy default flavors that nova
kept for so long, and also creates a new devstack-namespaces set of
flavors which are likely more useful for people.
Change-Id: Ic275887e97221d9ce5ce6f12cdcfb5ac94e300b0
This is a normal step in the process for upgrade and is now
required for migration of flavors from the main DB to the API DB.
Since we previously made a bad decision to encode those flavors into
the first database migration, that means that even on new installs we
need to run these.
Deployment tools are going to be running this command any time they
do anything to the database post-deployment, which means adding this
to devstack is putting it in line with what normal deployments will
be doing.
Change-Id: I8ab03af9d2f4974f26a7f8487ec978caea957e45