This change documents configuring inspector for client-side
authentication with a standalone Ironic API service.
Since this documention refers to a keystone auth feature which is
about to be released, requirements and lower-constraints are updated
to reflect the required release (see https://review.opendev.org/737365 ).
Change-Id: I567fc8c7f2147339856563ad880334791f93d99b
The mock third party library was needed for mock support in py2
runtimes. Since we now only support py36 and later, we can use the
standard lib unittest.mock module instead.
Change-Id: Iccf78a04a66dcef383d9e38ac3990f3c838bdf84
When the config option ``auth_strategy`` is set to ``http_basic`` then
non-public API calls require a valid HTTP Basic authentication header to be
set. The config option ``http_basic_auth_user_file`` defaults to
``/etc/ironic-inspector/htpasswd`` and points to a file which supports the
Apache htpasswd syntax[1]. This file is read for every request, so no
service restart is required when changes are made.
The only password digest supported is bcrypt, and the ``bcrypt``
python library is used for password checks since it supports ``$2y$``
prefixed bcrypt passwords as generated by the Apache htpasswd utility.
To try basic authentication, the following can be done:
* Set ``/etc/ironic-inspector/inspector.conf`` ``DEFAULT`` ``auth_strategy``
to ``http_basic``
* Populate the htpasswd file with entries, for example:
``htpasswd -nbB myName myPassword >> /etc/ironic-inspector/htpasswd``
* Make basic authenticated HTTP requests, for example:
``curl --user myName:myPassword http://localhost:6385/v1/introspection``
[1] https://httpd.apache.org/docs/current/misc/password_encryptions.html
Change-Id: If50dfbfc18445ad9fe27e17cb0ee1b317ff25a0b
Depends-On: https://review.opendev.org/729070
Story: 2007656
Task: 39826
The same timeout values are shared between different jobs and
they should just be the default for the base job.
Change-Id: Ic41fe7ade21ece2d1110ef8a6ccb74df6ddd2b6f
Now that we are running the Victoria tests that include a
voting py38, we can now add the Python 3.8 metadata to the
package information to reflect that support.
Change-Id: I0aa7f17f72438dd8eefb8f223ff7222064e4e99c
Most of the failures in this job is because tempest couldn't
finish the test on a given time, we increased the introspection
timeout but we forgot to allow tempest to run for more than
20 min (default)
Change-Id: I25435fe93f2f6d6cd50befe9cdf6bb1e548cef88
flake8 new release 3.8.0 added new checks and gate pep8
job start failing. hacking 3.0.1 fix the pinning of flake8 to
avoid bringing in a new version with new checks.
Though it is fixed in latest hacking but 2.0 and 3.0 has cap for
flake8 as <4.0.0 which mean flake8 new version 3.9.0 can also
break the pep8 job if new check are added.
To avoid similar gate break in future, we need to bump the hacking min
version.
- http://lists.openstack.org/pipermail/openstack-discuss/2020-May/014828.html
Change-Id: I2a903c90d72cd596ef976d9aab478f96a2750680
Switch to openstackdocstheme 2.2.0 and reno 3.1.0 versions. Using
these versions will allow especially:
* Linking from HTML to PDF document
* Allow parallel building of documents
* Fix some rendering problems
Update Sphinx version as well.
Set openstackdocs_pdf_link to link to PDF file. Note that
the link to the published document only works on docs.openstack.org
where the PDF file is placed in the top-level html directory. The
site-preview places the PDF in a pdf directory.
Set openstackdocs_auto_version to not auto-version the documents.
Set openstackdocs_auto_name to use 'project' as name.
Change pygments_style to 'native' since old theme version always used
'native' and the theme now respects the setting and using 'sphinx' can
lead to some strange rendering.
openstackdocstheme renames some variables, so follow the renames
before the next release removes them. A couple of variables are also
not needed anymore, remove them.
Change-Id: I9591e0f0215e9eb790ec2e3ea1a7ccbd55bb76d0
The job is often failing during introspection because of a timeout error,
so increasing the timeout value to prevent multiple rechecks.
Change-Id: I4da76ec3cf7b82f7aed30c087bbfe31cbea91f45
The same information can be fetched from unprocessed introspection data,
which has an advantage of working without swift.
Change-Id: Id65644c27c78bb2c476166eb9095ef6acd94db7b
These translation sections are not needed anymore, Babel can
generate translation files without them.
Change-Id: I50b21243d9e12b2953ff9a02b7ed8030686176ec
We've been historically using endpoints without trailing slashes in
our API. Apparently, some libraries (like gophercloud) are quite
opinionated about it (see the story), so let's handle both.
The implementation could be simpler if we just added trailing slash
to all routes, but it would cause redirects for current users.
Change-Id: Icbd971a8e792f93f9c3fa66ba29bec055dcdee32
Story: #2007660
Task: #39749
Without manage_boot the only real action we do is updating the firewall,
which is supposed to be pretty fast. Making the call synchronous means
that ironic will receive information about PXE filter failures and will
not attempt to power on a failed node or before the PXE filter is updated.
Change-Id: I95b63d4e1d4c2c186c0e8234c4382b00aa918aa8
Story: #2007658
Task: #39746
When boot is managed by the ironic side, a node is powered on
right after starting introspection. Inspector's own delays play
no role and may actually prevent introspectin from happening if
a node boots faster than it's whitelisted in the PXE filter.
This changes moves the delay handling later in the process and
only does it when manage_boot is True.
Change-Id: If7de8b66ea42eff2966c62a9a0529ab9a5c06f26
Story: #2007658
Task: #39745
Remove the value of IRONIC_RAMDISK_TYPE when present to make
the base job and all children take the type from ironic-base
which now is set to use the dib image.
Change-Id: I59f00c0b135f209ca6258efe9c3e3eb722fff4cb
- Add ipa-builder to grenade
- Disabled smoke tests since they are not lightweight when
using Ironic.
- Using test_baremetal_introspection for the tempest run
pos-upgrade.
- added LIBVIRT_STORAGE_POOL_PATH since some cloud providers
may not have enough disk space.
- lowered the number of VMs to 3 (we don't have many tests)
Change-Id: Ifee10541f369d5bc850ce3d92305810cd3eedd34
Inspection can sometimes take longer based on multiple factors.
This patch adds a variable to control the node inspection timeout.
Change-Id: Iefac618d73ccba3b58baefdc6b993758622b8811
Steve Baker
Kaifeng Wang
Hervé Beraud
Zuul
Arne Wiebalck
Riccardo Pittau
maaoyu
Iury Gregory Melo Ferreira
zhangbailin
Andreas Jaeger
OpenStack Proposal Bot
Dmitry Tantsur
melissaml