Add upgrade check, and json2yaml policy handling

Adds the ironic-inspector-status command as well with the
requried upgrade check.

Mostly based upon https://review.opendev.org/#/c/763262/
which is based upon https://review.opendev.org/#/c/748059/

Note: Also had to update the version of eventlet because
existing minimum requirement was seemingly incompatible with
prior versions and would prevent lower constraints testing
to proceed due to issues with ``os`` being patched by eventlet.

Change-Id: I1f479f834f1d79e9eeb591c58a52b6ab80c24534

devstack/plugin.sh

@@ -126,7 +126,8 @@ function inspector_iniset {
 
 function install_inspector {
     setup_develop $IRONIC_INSPECTOR_DIR
-
+    # Check if things look okay
+    ironic-inspector-status upgrade check
     if [[ "$IRONIC_INSPECTOR_STANDALONE" == "False" ]]; then
         install_apache_wsgi
         # NOTE(rpittau) since devstack doesn't install test-requirements

doc/source/cli/index.rst

@@ -0,0 +1,9 @@
+Command References
+==================
+
+Here are references for commands not elsewhere documented.
+
+.. toctree::
+  :maxdepth: 1
+
+  ironic-inspector-status

doc/source/cli/ironic-inspector-status.rst

@@ -0,0 +1,83 @@
+=======================
+ironic-inspector-status
+=======================
+
+Synopsis
+========
+
+::
+
+  ironic-inspector-status <category> <command> [<args>]
+
+Description
+===========
+
+:program:`ironic-inspector-status` is a tool that provides routines for
+checking the status of the ironic-inspector deployment.
+
+Options
+=======
+
+The standard pattern for executing a :program:`ironic-inspector-status`
+command is::
+
+    ironic-inspector-status <category> <command> [<args>]
+
+Run without arguments to see a list of available command categories::
+
+    ironic-inspector-status
+
+Categories are:
+
+* ``upgrade``
+
+Detailed descriptions are below.
+
+You can also run with a category argument such as ``upgrade`` to see a list of
+all commands in that category::
+
+    ironic-inspector-status upgrade
+
+These sections describe the available categories and arguments for
+:program:`ironic-inspector-status`.
+
+Upgrade
+~~~~~~~
+
+.. _ironic-inspector-status-checks:
+
+``ironic-status upgrade check``
+  Performs a release-specific readiness check before restarting services with
+  new code. This command expects to have complete configuration and access
+  to databases and services.
+
+  **Return Codes**
+
+  .. list-table::
+     :widths: 20 80
+     :header-rows: 1
+
+     * - Return code
+       - Description
+     * - 0
+       - All upgrade readiness checks passed successfully and there is nothing
+         to do.
+     * - 1
+       - At least one check encountered an issue and requires further
+         investigation. This is considered a warning but the upgrade may be OK.
+     * - 2
+       - There was an upgrade status check failure that needs to be
+         investigated. This should be considered something that stops an
+         upgrade.
+     * - 255
+       - An unexpected error occurred.
+
+  **History of Checks**
+
+  **Wallaby**
+
+  * Adds initial status check command as it was not previously needed
+    as the database structure and use of ironic-inspector's of
+    ironic-inspector did not require the command previously.
+  * Adds a check to validate the configured policy file is not JSON
+    based as JSON based policies have been deprecated.

doc/source/configuration/policy.rst

@@ -2,6 +2,16 @@
 Policies
 ========
 
+.. warning::
+   JSON formatted policy files were deprecated in the Wallaby development
+   cycle due to the Victoria deprecation by the ``olso.policy`` library.
+   Use the `oslopolicy-convert-json-to-yaml`__ tool
+   to convert the existing JSON to YAML formatted policy file in backward
+   compatible way.
+
+.. __: https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html
+
+
 The following is an overview of all available policies in **ironic inspector**.
 For a sample configuration file, refer to :doc:`sample-policy`.
 

doc/source/index.rst

@@ -7,6 +7,7 @@ Using Ironic Inspector
   :maxdepth: 2
 
   install/index
+  cli/index
   configuration/index
   user/index
   admin/index

ironic_inspector/cmd/status.py

@@ -0,0 +1,58 @@
+# Copyright (c) 2018 NEC, Corp.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+import sys
+
+from oslo_config import cfg
+from oslo_upgradecheck import common_checks
+from oslo_upgradecheck import upgradecheck
+
+from ironic_inspector.common.i18n import _
+import ironic_inspector.conf as conf
+from ironic_inspector import policy  # noqa Import for configuratiog loading.
+
+CONF = conf.CONF
+
+
+class Checks(upgradecheck.UpgradeCommands):
+
+    """Upgrade checks for the ironic-status upgrade check command
+
+    Upgrade checks should be added as separate methods in this class
+    and added to _upgrade_checks tuple.
+    """
+
+    # A tuple of check tuples of (<name of check>, <check function>).
+    # The name of the check will be used in the output of this command.
+    # The check function takes no arguments and returns an
+    # oslo_upgradecheck.upgradecheck.Result object with the appropriate
+    # oslo_upgradecheck.upgradecheck.Code and details set. If the
+    # check function hits warnings or failures then those should be stored
+    # in the returned Result's "details" attribute. The
+    # summary will be rolled up at the end of the check() method.
+    _upgrade_checks = (
+        # Added in Wallaby to raise visibility of the Victoria deprecation
+        # of oslo.policy's json policy support.
+        (_('Policy File JSON to YAML Migration'),
+         (common_checks.check_policy_json, {'conf': CONF})),
+    )
+
+
+def main():
+    return upgradecheck.main(
+        cfg.CONF, project='ironic', upgrade_command=Checks())
+
+
+if __name__ == '__main__':
+    sys.exit(main())

ironic_inspector/policy.py

@@ -16,12 +16,21 @@ import sys
 
 from oslo_concurrency import lockutils
 from oslo_config import cfg
+from oslo_policy import opts
 from oslo_policy import policy
 
 CONF = cfg.CONF
 
 _ENFORCER = None
 
+
+# TODO(gmann): Remove setting the default value of config policy_file
+# once oslo_policy change the default value to 'policy.yaml'.
+# https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
+DEFAULT_POLICY_FILE = 'policy.yaml'
+opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE)
+
+
 default_policies = [
     policy.RuleDefault(
         'is_admin',
@@ -154,7 +163,8 @@ def init_enforcer(policy_file=None, rules=None,
 
     if _ENFORCER:
         return
-    _ENFORCER = policy.Enforcer(CONF, policy_file=policy_file,
+    _ENFORCER = policy.Enforcer(
+        CONF, policy_file=policy_file,
         rules=rules,
         default_rule=default_rule,
         use_conf=use_conf)

ironic_inspector/test/unit/policy_fixture.py

@@ -21,8 +21,8 @@ from ironic_inspector import policy as inspector_policy
 
 CONF = cfg.CONF
 
-policy_data = """{
-}
+policy_data = """
+---
 """
 
 
@@ -31,7 +31,7 @@ class PolicyFixture(fixtures.Fixture):
         super(PolicyFixture, self).setUp()
         self.policy_dir = self.useFixture(fixtures.TempDir())
         self.policy_file_name = os.path.join(self.policy_dir.path,
-                                             'policy.json')
+                                             'policy.yaml')
         with open(self.policy_file_name, 'w') as policy_file:
             policy_file.write(policy_data)
         policy_opts.set_defaults(CONF)

releasenotes/notes/default-policy-file-change-a1d0a4aa19dcb37d.yaml

@@ -0,0 +1,20 @@
+---
+upgrade:
+  - |
+    The default value of ``[oslo_policy] policy_file`` config option has been
+    changed from ``policy.json`` to ``policy.yaml``.
+    Operators who are utilizing customized policy files or previously generated
+    static policy files (which are not needed by default), should generate
+    new policy files and modify them to meet their needs in the event of
+    any new policies or rules have been added.
+    Please consult the `oslopolicy-convert-json-to-yaml <https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html>`_
+    tool to convert a JSON to YAML formatted policy file in
+    backward compatible way.
+deprecations:
+  - |
+    Use of legacy policy files was deprecated by the ``oslo.policy`` library
+    during the Victoria development cycle. As a result, this deprecation is
+    being noted in the Wallaby with an anticipated future removal of support
+    by ``oslo.policy``. As such operators will need to convert to YAML policy
+    files. Please see the upgrade notes for details on migration of any
+    custom policy files.

requirements.txt

@@ -4,7 +4,7 @@
 automaton>=1.9.0 # Apache-2.0
 alembic>=1.4.2 # MIT
 construct>=2.9.39 # MIT
-eventlet!=0.18.3,!=0.20.1,>=0.18.2 # MIT
+eventlet>=0.26.0 # MIT
 Flask>=1.1.0 # BSD
 futurist>=1.2.0 # Apache-2.0
 ironic-lib>=4.3.0 # Apache-2.0
@@ -18,18 +18,19 @@ pytz>=2013.6 # MIT
 PyYAML>=5.3.1
 openstacksdk>=0.40.0 # Apache-2.0
 oslo.concurrency>=3.26.0 # Apache-2.0
-oslo.config>=5.2.0 # Apache-2.0
+oslo.config>=6.8.0 # Apache-2.0
 oslo.context>=2.19.2 # Apache-2.0
 oslo.db>=6.0.0 # Apache-2.0
 oslo.i18n>=3.15.3 # Apache-2.0
 oslo.log>=3.36.0 # Apache-2.0
 oslo.messaging>=5.32.0 # Apache-2.0
 oslo.middleware>=3.31.0 # Apache-2.0
-oslo.policy>=1.30.0 # Apache-2.0
+oslo.policy>=3.6.0 # Apache-2.0
 oslo.rootwrap>=5.8.0 # Apache-2.0
 oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0
 oslo.service!=1.28.1,>=1.24.0 # Apache-2.0
-oslo.utils>=3.33.0 # Apache-2.0
+oslo.upgradecheck>=1.2.0 # Apache-2.0
+oslo.utils>=4.5.0 # Apache-2.0
 tenacity>=6.2.0  # Apache-2.0
 stevedore>=1.20.0 # Apache-2.0
 SQLAlchemy>=1.2.19 # MIT

setup.cfg

@@ -33,6 +33,7 @@ console_scripts =
     ironic-inspector-conductor = ironic_inspector.cmd.conductor:main
     ironic-inspector-rootwrap = oslo_rootwrap.cmd:main
     ironic-inspector-migrate-data = ironic_inspector.cmd.migration:main
+    ironic-inspector-status = ironic_inspector.cmd.status:main
 wsgi_scripts =
     ironic-inspector-api-wsgi = ironic_inspector.cmd.wsgi:initialize_wsgi_app
 ironic_inspector.hooks.processing =