It was kept for backword compatibility but now returns the same value
as `is_service_enabled tls_proxy`[1].
[1] f3b2f4c85307b14f115a020f5eaf6c92026b55b4
Change-Id: I245b0ba9a81c934c808c0043a010f1ef82eee703
The Magnum service allow enables policies (RBAC) new defaults and scope by
default. The Default value of config options ``[oslo_policy] enforce_scope``
and ``[oslo_policy] oslo_policy.enforce_new_defaults`` are both to
``False``, but will change to ``True`` in following cycles.
To enable them then modify the below config options value in
``magnum.conf`` file::
[oslo_policy]
enforce_new_defaults=True
enforce_scope=True
reference tc goal for more detail:
https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html
Related blueprint secure-rbac
Change-Id: I249942a355577c4f1ef51b3988f0cc4979959d0b
This patch brings Magnum in line with other services
by using uwsgi for the api service and replaces the use
of a custom api port with /container-infra.
- Switch to using uwsgi for functional tests.
- Use /container-infra instead of a custom api port.
Change-Id: Iab5b23b3874a46ccb5c942e64dc167258712bd31
The token end-point --os-url argument was removed in openstackclient
with I1b9fbb96e447889a41b705324725a2ffc8ecfd9f.
The plugin should be running as admin, I think we can remove all the
authentication arguments and just let it do it's thing.
Change-Id: I9b1dbc541c9fd6c0e3a894dd3a5dd9f2011f1e2a
Fedora Atomic 27 has end of life for a while, it's time to replace it
with Fedora Atomic 29 now.
Task: 36356
Story: 2006441
Change-Id: Iab131745854b0b908be17bd17c7510cd54dde1f5
With the new config option `keystone_auth_default_policy`, cloud admin
can set a default keystone auth policy for k8s cluster when the
keystone auth is enabled. As a result, user can use their current
keystone user to access k8s cluster as long as they're assigned
correct roles, and they will get the pre-defined permissions
set by the cloud provider.
The default policy now is based on the v2 format recently introduced
in k8s-keystone-auth which is getting more useful now. For example,
in v1 it doesn't support a policy for user to access resources from
all namespaces but kube-system, but v2 can do that.
NOTE: Now we're using openstackmagnum dockerhub repo until CPO
team fixing their image release issue.
Task: 30069
Story: 1755770
Change-Id: I2425e957bd99edc92482b6f11ca0b1f91fe59ff6
The admin_* variables are a relic of the Keystone V2 api and
should no longer be used at all.
It's important to keep the devstack config clean, as it is often
used as a reference for configuring services.
* Removed deprecated admin_user, admin_password and admin_tenant.
Story: 2004272
Task: 27821
Change-Id: I132e670f446e5172dc4f1847be7779645060ca4d
This patch brings the Fedora Atomic version used in gating to
the latest one which includes some improvements alongside a newer
version of Docker (which seems to run things better overall).
Change-Id: Iad0a1f57b29aec9a0cdb2a104fdaa5970133cfb4
Switch to systemd logging to take advantage of some of the newer
logging features.
Story: 2004272
Task: 27820
Change-Id: I475bf26e24b3a725f68c7da355807374bf1e189b
We do currently not support www_authentication_uri at all, which
is the new standard, as auth_uri has long been deprecated.
* Make sure we support both auth_uri and www_authenticate_uri.
* Switched to www_authenticate_uri for devstack.
* Fixed a bug where a bad exception would be thrown if auth_uri
was not set.
Story: 2004271
Task: 27819
Change-Id: Ibc932d35f3d6ba2ac7ffb6193aa37bd4a3d4422e
We are currently hitting this error with the gate.
> NOT_ALLOWED - access to vhost 'None' refused for user 'stackrabbit'
This patch fixes this by using the inbuilt devstack construct
to create an appropriate transport_url.
Change-Id: I9aae96094b7bd8bc148ae3e42c118ba160eff8ae
Added configuration parameter, temp_cache_dir, to magnum.conf with
default value of "/var/lib/magnum/certificate-cache". This local
directory will hold cached cluster TLS credentials that are generated
during periodic tasks, to reduce load as the number of clusters
increases. If the temp_cache_dir does not exist, the certificates
will be created as tempfiles.
Closes-Bug: #1659545
Change-Id: I8808c4098a7c8d22dbfc841142c9f9c8b976dde1
In Fedora Atomic 27 etcd and flanneld are removed from the base image.
Install them as a system containers.
* update docker-storage configuration
* add etcd and flannel tags as labels
Change-Id: I2103c7c3d50f4b68ddc11abff72bc9e3f22839f3
Closes-Bug: #1735381
Added configuration parameter, send_cluster_metrics, to magnum.conf
with default value of True. If set to True, periodic tasks will pull
COE data and send to ceilometer. This parameter can be set to False to
disable periodic collection of data to avoid unnecessary load from the
cluster.
Closes-Bug: #1668330
Related-Bug: #1746510
Change-Id: I9945293e7b2b52731f6e220d0925c1f6ad097caa
Until [1] is in kubernetes we need to redirect from /v2 to
/identity/v2 for the cloud provider to work.
[1] https://github.com/gophercloud/gophercloud/pull/423
Change-Id: I5206e75e9528ceb8428c70df67e6ba26d01c4772
In the drivers section of magnum.conf add openstack_ca_file.
This file is expected to be a CA Certificate OR CA bundle
which will be passed on every node and it will be installed
on the host's CA bundle.
Update devstack plugin to use the ssl bundle if tls-proxy is
enabled.
Install the CA for drivers:
k8s_coreos_v1
k8s_fedora_atomic_v1
k8s_fedora_ironic_v1
mesos_ubuntu_v1
swarm_fedora_atomic_v1
swarm_fedora_atomic_v2
Add doc in troubleshooting-guide.
Add release notes.
Closes-Bug: #1580704
Partially-Implements: blueprint heat-agent
Change-Id: Id48fbea187da667a5e7334694c3ec17c8e2504db
Fix wrongly used start_tls_proxy function and correctly set api port
when tls-proxy is enabled.
Also remove start_tls_proxy for ec2 which is not required.
Co-Authored-By: yatin <ykarel@redhat.com>
Change-Id: I71b85b5cb018dd790e13aaa1eeefcbb8ac0b3b85
Closes-Bug: #1727613
This commit uses the existing policy-in-code module to move all
default policies for magnum service and stat into code. This commit
also adds helpful documentation about each API those policies protect,
which will be generated in sample policy files and completely remove
usage of policy.json file.
Co-authored-By: Dai Dang-Van <daidv@vn.fujitsu.com>
Implements: blueprint policy-in-code
Change-Id: I01a8ce964bf8bd569d4aa4e899cbcd9855281835
* Swarm-mode is the fastest cluster to deploy since it doesn't
require to pull anything from outside.
* Add the output nodes for swarm-mode too.
* Disable copy logs (I think a better practice is to copy logs
on demand).
* Don't run test_create_list_sign_delete_clusters, because it is
very unstable on the CI.
Partially-Implements: blueprint swarm-mode-support
2nd commit message:
Update to Fedora Atomic 26
This patch moves the current master to test against Fedora Atomic 26,
in addition, it switches to downloading from Fedora mirrors.
2nd-Change-Id: I9a97c0eb78b2c9d10e8be1501babb19e73ee70c1
3rd commit message:
Set default iptables FORWARD policy to ACCEPT
With the release of Docker 1.13 which is available in Fedora
Atomic 26, it no longer sets the policy of the FORWARD chain
to ACCEPT[1]. Therefore, CNI networking such as Flannel will
cease to work.
This patch sets the policy to ACCEPT so that traffic can work
once again for deployments which are based on Docker versions
which are newer than 1.13
[1]: https://github.com/moby/moby/pull/28257
3rd-Change-Id: I1457602748619f38f87542fc01a2996ee80e58b7
Closes-Bug: #1708454
Co-Authored-By: Mohammed Naser <mnaser@vexxhost.com>
Change-Id: I86d4dcc94fff622be4ee2acc8dd60ed81bc5d433
* add docker_volume_type for the cinder volumes which are
used for docker storage.
* add default_docker_volume_type configuration option
Related-Bug: #1678153
Change-Id: Ie18096acf24873ef91a904df4f1a84694a2bb644
Allow to specify a custom AUTH_URL for the templates in case instances
cannot reach internalURL which is the case in mose deployment.
A new variable in trust section: trustee_keystone_interface which
default to public is introduced.
Change-Id: I2a908c0752387e4ff4ad2b0fdf0c1025a73ce806
Closes-Bug: #1643197
Post [1] we cannot use auth_uri/auth_url containing :5000, :35357.
Update keystone auth_uri and auth_url in magnum.conf to connect
with keystone using /identity/v3 and /identity_admin/v3.
[1] https://review.openstack.org/#/c/456344/
Change-Id: I5d69e7454cf8a5e8c92ff23b6c932184d82e8a98
devstack: Allow access to ports 80 and 443
So far, we were allowing access to port 5000 for keystone.
When devstack siwtched to uwsgi we couldn't access keystone
anymore.
Co-Authored-By: Spyros Trigazis <strigazi@gmail.com>
Change-Id: I4d3d482889fd9f6119ceec81757abac9d1251a97
With this patch we will use glance v2 api's for interacting
with glance.
[1] I7f962a07317cdad917ee896d79e49ee18938d074
Closes-Bug: 1672535
Change-Id: Iedc25b55ad2751e14d3794b1cb80f724f1a735c4
This commit addresses multiple potential vulnerabilities in
Magnum. It makes the following changes:
* Permissions for /etc/sysconfig/heat-params inside Magnum
created instances are tightened to 0600 (used to be 0755).
* Certificate retrieval is modified to work without the need
for a Keystone trust.
* The cluster's Keystone trust id is only passed into
instances for clusters where that is actually needed. This
prevents the trustee user from consuming the trust in cases
where it is not needed.
* The configuration setting trust/cluster_user_trust (False by
default) is introduced. It needs to be explicitely enabled
by the cloud operator to allow clusters that need the
trust_id to be passed into instances to work. Without this
setting, attempts to create such clusters will fail.
Please note, that none of these changes apply to existing
clusters. They will have to be deleted and rebuilt to benefit
from these changes.
Change-Id: I643d408cde0d6e30812cf6429fb7118184793400
Copy magnum.bash_completion script to /etc/bash_completion.d
so that users/developers can take advantage of auto completion
of magnum commands.
Change-Id: I8d0ba953e7eb963be1d9e459c4015e882231e2c8
Closes-Bug: #1657004
If the services are disabled in the devstack/settings file, it disables
them for everyone who uses the magnum devstack plugin. Some people (like
shade) use both magnum and swift to test things. Putting this in the
gate hook means it's used in all of magnum's jobs, but not in other
people's jobs.
Change-Id: Icd82a4ab68533f39f967575c2125b0f61c70e0a6
Swift Ceilometer and horizon are not used. Disabling them
it will give us space.
Cleanup disabling of octavia and neutron/lbaas.
Closes-Bug: #1646870
Closes-Bug: #1648148
Change-Id: I4b177421f0eb0a058b8927b9d2dd12865d3c920e
