openstack/ironic-inspector
Code Issues Proposed changes

Merge "Add upgrade check, and json2yaml policy handling"

Browse Source
This commit is contained in:
Zuul 2021-02-17 14:36:57 +00:00 committed by Gerrit Code Review
commit 8d06567a6e
11 changed files with 206 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
devstack/plugin.sh
View File

@ -126,7 +126,8 @@ function inspector_iniset {
function install_inspector {
setup_develop $IRONIC_INSPECTOR_DIR
# Check if things look okay
ironic-inspector-status upgrade check
if [[ "$IRONIC_INSPECTOR_STANDALONE" == "False" ]]; then
install_apache_wsgi
# NOTE(rpittau) since devstack doesn't install test-requirements

9
doc/source/cli/index.rst Normal file
View File

@ -0,0 +1,9 @@
Command References
==================
Here are references for commands not elsewhere documented.
.. toctree::
:maxdepth: 1
ironic-inspector-status

83
doc/source/cli/ironic-inspector-status.rst Normal file
View File

@ -0,0 +1,83 @@
=======================
ironic-inspector-status
=======================
Synopsis
========
::
ironic-inspector-status <category> <command> [<args>]
Description
===========
:program:`ironic-inspector-status` is a tool that provides routines for
checking the status of the ironic-inspector deployment.
Options
=======
The standard pattern for executing a :program:`ironic-inspector-status`
command is::
ironic-inspector-status <category> <command> [<args>]
Run without arguments to see a list of available command categories::
ironic-inspector-status
Categories are:
* ``upgrade``
Detailed descriptions are below.
You can also run with a category argument such as ``upgrade`` to see a list of
all commands in that category::
ironic-inspector-status upgrade
These sections describe the available categories and arguments for
:program:`ironic-inspector-status`.
Upgrade
~~~~~~~
.. _ironic-inspector-status-checks:
``ironic-status upgrade check``
Performs a release-specific readiness check before restarting services with
new code. This command expects to have complete configuration and access
to databases and services.
**Return Codes**
.. list-table::
:widths: 20 80
:header-rows: 1
* - Return code
- Description
* - 0
- All upgrade readiness checks passed successfully and there is nothing
to do.
* - 1
- At least one check encountered an issue and requires further
investigation. This is considered a warning but the upgrade may be OK.
* - 2
- There was an upgrade status check failure that needs to be
investigated. This should be considered something that stops an
upgrade.
* - 255
- An unexpected error occurred.
**History of Checks**
**Wallaby**
* Adds initial status check command as it was not previously needed
as the database structure and use of ironic-inspector's of
ironic-inspector did not require the command previously.
* Adds a check to validate the configured policy file is not JSON
based as JSON based policies have been deprecated.

10
doc/source/configuration/policy.rst
View File

@ -2,6 +2,16 @@
Policies
========
.. warning::
JSON formatted policy files were deprecated in the Wallaby development
cycle due to the Victoria deprecation by the ``olso.policy`` library.
Use the `oslopolicy-convert-json-to-yaml`__ tool
to convert the existing JSON to YAML formatted policy file in backward
compatible way.
.. __: https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html
The following is an overview of all available policies in **ironic inspector**.
For a sample configuration file, refer to :doc:`sample-policy`.

1
doc/source/index.rst
View File

@ -7,6 +7,7 @@ Using Ironic Inspector
:maxdepth: 2
install/index
cli/index
configuration/index
user/index
admin/index

58
ironic_inspector/cmd/status.py Normal file
View File

@ -0,0 +1,58 @@
# Copyright (c) 2018 NEC, Corp.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import sys
from oslo_config import cfg
from oslo_upgradecheck import common_checks
from oslo_upgradecheck import upgradecheck
from ironic_inspector.common.i18n import _
import ironic_inspector.conf as conf
from ironic_inspector import policy # noqa Import for configuratiog loading.
CONF = conf.CONF
class Checks(upgradecheck.UpgradeCommands):
"""Upgrade checks for the ironic-status upgrade check command
Upgrade checks should be added as separate methods in this class
and added to _upgrade_checks tuple.
"""
# A tuple of check tuples of (<name of check>, <check function>).
# The name of the check will be used in the output of this command.
# The check function takes no arguments and returns an
# oslo_upgradecheck.upgradecheck.Result object with the appropriate
# oslo_upgradecheck.upgradecheck.Code and details set. If the
# check function hits warnings or failures then those should be stored
# in the returned Result's "details" attribute. The
# summary will be rolled up at the end of the check() method.
_upgrade_checks = (
# Added in Wallaby to raise visibility of the Victoria deprecation
# of oslo.policy's json policy support.
(_('Policy File JSON to YAML Migration'),
(common_checks.check_policy_json, {'conf': CONF})),
)
def main():
return upgradecheck.main(
cfg.CONF, project='ironic', upgrade_command=Checks())
if __name__ == '__main__':
sys.exit(main())

18
ironic_inspector/policy.py
View File

@ -16,12 +16,21 @@ import sys
from oslo_concurrency import lockutils
from oslo_config import cfg
from oslo_policy import opts
from oslo_policy import policy
CONF = cfg.CONF
_ENFORCER = None
# TODO(gmann): Remove setting the default value of config policy_file
# once oslo_policy change the default value to 'policy.yaml'.
# https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
DEFAULT_POLICY_FILE = 'policy.yaml'
opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE)
default_policies = [
policy.RuleDefault(
'is_admin',
@ -154,10 +163,11 @@ def init_enforcer(policy_file=None, rules=None,
if _ENFORCER:
return
_ENFORCER = policy.Enforcer(CONF, policy_file=policy_file,
rules=rules,
default_rule=default_rule,
use_conf=use_conf)
_ENFORCER = policy.Enforcer(
CONF, policy_file=policy_file,
rules=rules,
default_rule=default_rule,
use_conf=use_conf)
_ENFORCER.register_defaults(list_policies())

6
ironic_inspector/test/unit/policy_fixture.py
View File

@ -21,8 +21,8 @@ from ironic_inspector import policy as inspector_policy
CONF = cfg.CONF
policy_data = """{
}
policy_data = """
---
"""
@ -31,7 +31,7 @@ class PolicyFixture(fixtures.Fixture):
super(PolicyFixture, self).setUp()
self.policy_dir = self.useFixture(fixtures.TempDir())
self.policy_file_name = os.path.join(self.policy_dir.path,
'policy.json')
'policy.yaml')
with open(self.policy_file_name, 'w') as policy_file:
policy_file.write(policy_data)
policy_opts.set_defaults(CONF)

20
releasenotes/notes/default-policy-file-change-a1d0a4aa19dcb37d.yaml Normal file
View File

@ -0,0 +1,20 @@
---
upgrade:
- |
The default value of ``[oslo_policy] policy_file`` config option has been
changed from ``policy.json`` to ``policy.yaml``.
Operators who are utilizing customized policy files or previously generated
static policy files (which are not needed by default), should generate
new policy files and modify them to meet their needs in the event of
any new policies or rules have been added.
Please consult the `oslopolicy-convert-json-to-yaml <https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html>`_
tool to convert a JSON to YAML formatted policy file in
backward compatible way.
deprecations:
- |
Use of legacy policy files was deprecated by the ``oslo.policy`` library
during the Victoria development cycle. As a result, this deprecation is
being noted in the Wallaby with an anticipated future removal of support
by ``oslo.policy``. As such operators will need to convert to YAML policy
files. Please see the upgrade notes for details on migration of any
custom policy files.

9
requirements.txt
View File

@ -4,7 +4,7 @@
automaton>=1.9.0 # Apache-2.0
alembic>=1.4.2 # MIT
construct>=2.9.39 # MIT
eventlet!=0.18.3,!=0.20.1,>=0.18.2 # MIT
eventlet>=0.26.0 # MIT
Flask>=1.1.0 # BSD
futurist>=1.2.0 # Apache-2.0
ironic-lib>=4.3.0 # Apache-2.0
@ -18,18 +18,19 @@ pytz>=2013.6 # MIT
PyYAML>=5.3.1
openstacksdk>=0.40.0 # Apache-2.0
oslo.concurrency>=3.26.0 # Apache-2.0
oslo.config>=5.2.0 # Apache-2.0
oslo.config>=6.8.0 # Apache-2.0
oslo.context>=2.19.2 # Apache-2.0
oslo.db>=6.0.0 # Apache-2.0
oslo.i18n>=3.15.3 # Apache-2.0
oslo.log>=3.36.0 # Apache-2.0
oslo.messaging>=5.32.0 # Apache-2.0
oslo.middleware>=3.31.0 # Apache-2.0
oslo.policy>=1.30.0 # Apache-2.0
oslo.policy>=3.6.0 # Apache-2.0
oslo.rootwrap>=5.8.0 # Apache-2.0
oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0
oslo.service!=1.28.1,>=1.24.0 # Apache-2.0
oslo.utils>=3.33.0 # Apache-2.0
oslo.upgradecheck>=1.2.0 # Apache-2.0
oslo.utils>=4.5.0 # Apache-2.0
tenacity>=6.2.0 # Apache-2.0
stevedore>=1.20.0 # Apache-2.0
SQLAlchemy>=1.2.19 # MIT

1
setup.cfg
View File

@ -33,6 +33,7 @@ console_scripts =
ironic-inspector-conductor = ironic_inspector.cmd.conductor:main
ironic-inspector-rootwrap = oslo_rootwrap.cmd:main
ironic-inspector-migrate-data = ironic_inspector.cmd.migration:main
ironic-inspector-status = ironic_inspector.cmd.status:main
wsgi_scripts =
ironic-inspector-api-wsgi = ironic_inspector.cmd.wsgi:initialize_wsgi_app
ironic_inspector.hooks.processing =