Commit Graph

322 Commits (c98e9525c7db34734afb29d1b9fb409a08d16ef7)

Author SHA1 Message Date
Kirsten G d9e590bdc6 Cache barbican certs for periodic tasks
Added configuration parameter, temp_cache_dir, to magnum.conf with
default value of "/var/lib/magnum/certificate-cache". This local
directory will hold cached cluster TLS credentials that are generated
during periodic tasks, to reduce load as the number of clusters
increases. If the temp_cache_dir does not exist, the certificates
will be created as tempfiles.

Closes-Bug: #1659545

Change-Id: I8808c4098a7c8d22dbfc841142c9f9c8b976dde1
2018-04-03 06:15:58 +00:00
Zuul 7aa0c0a285 Merge "federation api: api endpoints" 2018-02-14 12:19:08 +00:00
Clenimar Filemon ec950be894 federation api: api endpoints
this commit introduces a new '/federations'
endpoint to Magnum API, as well as its controllers,
entities and conductor handlers.

this corresponds to the first phase of the
federation-api spec. please refer to [1] for more


Change-Id: I662ac2d6ddec07b50712109541486fd26c5d21de
Partially-Implements: blueprint federation-api
2018-02-09 00:59:31 -03:00
Spyros Trigazis 2329cb7fb4 k8s: Fix kubelet, add RBAC and pass e2e tests
Due to a few several small connected patches for the
fedora atomic driver, this patch includes 4 smaller patches.

Patch 1:
k8s: Do not start kubelet and kube-proxy on master

Patch [1], misses the removal of kubelet and kube-proxy from and therefore they are started if they
exist in the image or the script will fail.
Closes-Bug: #1726482

Patch 2:
k8s: Set require-kubeconfig when needed

From kubernetes 1.8 [1] --require-kubeconfig is deprecated and
in kubernetes 1.9 it is removed.

Add --require-kubeconfig only for k8s <= 1.8.


Closes-Bug: #1718926

Patch 3:
k8s_fedora: Add RBAC configuration

* Make certificates and kubeconfigs compatible
  with NodeAuthorizer [1].
* Add CoreDNS roles and rolebindings.
* Create the system:kube-apiserver-to-kubelet ClusterRole.
* Bind the system:kube-apiserver-to-kubelet ClusterRole to
  the kubernetes user.
* remove creation of kube-system namespaces, it is created
  by default
* update client cert generation in the conductor with
  kubernetes' requirements
* Add --insecure-bind-address= to work on
  multi-master too. The controller manager on each
  node needs to contact the apiserver (on the same node)


Closes-Bug: #1742420
Depends-On: If43c3d0a0d83c42ff1fceffe4bcc333b31dbdaab

Patch 4:
k8s_fedora: Update coredns config to pass e2e

To pass the e2e conformance tests, coredns needs to
be configured with POD-MODE verified. Otherwise, pods
won't be resolvable [1].

Closes-Bug: #1738633

Change-Id: Ibd5245ca0f5a11e1d67a2514cebb2ffe8aa5e7de
2018-02-08 13:35:00 +00:00
coldmoment ba8ad5e37f Add a hacking rule for string interpolation at logging
String interpolation should be delayed to be handled
by the logging code, rather than being done at the point
of the logging call.
See the oslo i18n guideline

Change-Id: I8a4f5f896865aebbff88ee894f0081e58cfce9ef
2017-07-15 14:49:45 +08:00
yuanpeng 71d25456d2 Remove log translations
Log messages are no longer being translated. This removes all use of
the _LE, _LI, and _LW translation markers to simplify logging and to
avoid confusion with new contributions.


Change-Id: If1f4bd2f6be967368f52fb367c5a428d3eb58a9d
2017-03-30 17:05:10 +08:00
Johannes Grassler e93d82e8b3 Fix CVE-2016-7404
This commit addresses multiple potential vulnerabilities in
Magnum. It makes the following changes:

* Permissions for /etc/sysconfig/heat-params inside Magnum
  created instances are tightened to 0600 (used to be 0755).
* Certificate retrieval is modified to work without the need
  for a Keystone trust.
* The cluster's Keystone trust id is only passed into
  instances for clusters where that is actually needed. This
  prevents the trustee user from consuming the trust in cases
  where it is not needed.
* The configuration setting trust/cluster_user_trust (False by
  default) is introduced. It needs to be explicitely enabled
  by the cloud operator to allow clusters that need the
  trust_id to be passed into instances to work. Without this
  setting, attempts to create such clusters will fail.

Please note, that none of these changes apply to existing
clusters. They will have to be deleted and rebuilt to benefit
from these changes.

Change-Id: I643d408cde0d6e30812cf6429fb7118184793400
2017-02-09 16:44:27 +01:00
Jenkins 4e1ada7914 Merge "Integrate OSProfiler in Magnum" 2017-01-25 06:47:12 +00:00
Jason Dunsmore a65ef7d3c3 Add an API to rotate a cluster CA certificate
This will give admins a way to revoke access to an existing cluster
once a user has been granted access.

Bumped the API microversion to 1.5 for the new endpoint.

Deprecated policy certificate:get in favor of certificate:get_ca for
clarity and consistency.

Depends-On: Ie960464e45445e195e75b91e8d65a4046eb21e93
Implements: blueprint revoke-cluster-cert
Change-Id: Ief28bef3a79f212acf4166e443a96e5419fbb757
2017-01-23 21:26:05 -06:00
Tovin Seven 32d088b2c1 Integrate OSProfiler in Magnum
* Add osprofiler wsgi middleware. This middleware is used for 2 things:
  1) It checks that person who wants to trace is trusted and knows
     secret HMAC key.
  2) It starts tracing in case of proper trace headers
     and adds first wsgi trace point, with info about HTTP request

* Add initialization of osprofiler at start of service
  Currently that includes oslo.messaging notifer instance creation
  to send Ceilometer backend notifications.

* Traces HTTP/RPC/DB API calls


Co-Authored-By: Hieu LE <>
Implements: blueprint osprofiler-support-in-magnum
Change-Id: I7d68995aab81d365433950aada078ef1fcd5469b
2017-01-24 07:43:31 +07:00
Danil Golov 9cbb142c2e Add cluster record to db right after API request
This commit changes the incorrect behavior of cluster create workflow.
Now db record with status CREATE_IN_PROGRESS is created right after
related API request.

Change-Id: I11692c4126823d49672ba5172fa45774bf0ce544
Closes-bug: #1640729
2016-12-27 13:19:13 +03:00
Randall Burt 759c1b3b2b Move cluster status updates into driver
This is an alternative implementation to:

This version implements an earlier proposal from the
spec that adds a driver method for synchronizing
cluster state. This method is optional so that drivers
that do not wish to leverage the existing periodic
synchronization task can do so in whatever manner
they wish and Magnum will not force them to do anything

1. add an update_cluster_status method to the driver
2. implment update_cluster_status for Heat drivers
   using the existing tested logic
3. Remove cluster status updates from the cluster conductor
   in favor of the periodic sync_cluster_status task - this
   should avoid timeouts and race conditions possible in the
   previous implementation
4. Update the periodic sync_cluster_status method to use
   the driver to update cluster status rather than calling
   Heat directly

Change-Id: Iae0ec7af2542343cc51e85f0efd21086d693e540
Partial-Blueprint: bp-driver-consolodation
2016-12-01 19:52:06 -06:00
Randall Burt 7890725c52 Refactor driver interface (pt 1)
Refactor driver interface to encapsulate the orchestration
strategy. This first patch only refactors the main driver
operations. A follow-on will handle the state synchronization
and removing the poller from the conductor.

1. Make driver interface abstract
2. Move external cluster operations into driver interface
3. Make Heat-based driver abstract and update based on
   driver interface changes
4. Move Heat driver code into its own module
5. Update existing Heat drivers based on interface changes

Change-Id: Icfa72e27dc496862d950ac608885567c911f47f2
Partial-Blueprint: bp-driver-consolodation
2016-12-01 09:23:46 -06:00
murali allada 0d6deae21b Move cluster delete method to driver
This patch moves the cluster deletion logic into driver to conform
with the driver spec.

Change-Id: I8a4f9a94b70feddae4a137942bbb98fa36388676
Partially-Implements: blueprint bay-drivers
2016-10-17 20:59:41 -05:00
Jenkins ba11900215 Merge "Cluster Drivers" 2016-10-10 17:18:26 +00:00
murali allada 104501cfe6 Cluster Drivers
- Dynamically load drivers using stevedore
- Changed the entry points to reference drivers instead of
  template definitions
- Implement Create and update driver operations

Change-Id: I5c3259404c796e1935c872cf3109ffecae3cee02
Partially-Implements: blueprint bay-drivers
2016-10-06 08:57:52 -05:00
Wenzhi Yu 4a7d265aeb Implement mesos cluster smart scale down
We currently allow Magnum to scale down mesos cluster by removing nodes
from the cluster's ResourceGroup by updating the heat stack that created
the cluster. The problem with this approach is that Heat decides which
nodes to delete, and all containers on that node will also be deleted.

The smart cluster scale down feature has been implemented for k8s bays(
for k8s cluster, we'll ask Heat to delete nodes that have NO CONTAINERS
on them).

This patch proposes a similar implementation for a mesos cluster.

Change-Id: I00cda7f35c9db978bdc604cf86603ef58e339256
Implements: blueprint mesos-smart-bay-scale-down
2016-09-30 11:13:30 +08:00
Hieu LE 8f9eeb801a Centralize config option: cluster_heat section
Centralize config option of Cluster Heat section.
Replace oslo_conf cfg to magnum.conf.

Change-Id: I9118eeb17061a0aa26269ea9deaba28e79f28b76
Implements: blueprint centralize-config-magnum
2016-09-22 05:56:43 +00:00
Madhuri Kumari 9f7295475d Add exceptions to cluster db to show failures
After changing create to async operation, all the exceptions goes hidden
and no db entry is created to show the actual failure. One has to go through
the logs to find the actual error. This patch creates a db entry in cluster
table to show the actual error in column 'status_reason'.

Change-Id: Iad6e8bfce7326b34dea04914e4552f87d2796e86
Closes-bug: #1623387
2016-09-14 20:27:10 +05:30
Jaycen Grant 729c2d0ab4 Rename Bay DB, Object, and internal usage to Cluster
This is patch 3 of 3 to change the internal usage of the terms
Bay and BayModel.  This patch updates Bay to Cluster in DB and
Object as well as all the usages.  No functionality should be
changed by this patch, just naming and db updates.

Change-Id: Ife04b0f944ded03ca932d70e09e6766d09cf5d9f
Implements: blueprint rename-bay-to-cluster
2016-09-08 13:01:12 -07:00
Cao Xuan Hoang 33bd24252f Clean imports in code
This patch set modifies lines which are importing objects
instead of modules. As per openstack import guide lines, user should
import modules in a file not objects.

Closes-Bug: #1620161

Change-Id: I7ec9022a6b1cec36c678a2cec2a1856e70a51c68
2016-09-05 09:51:38 +07:00
Jaycen Grant 0b7c6401dd Rename BayModel DB, Object, and internal usage to ClusterTemplate
This patch is the first of 3 patches to change the internal
usage of the terms Bay and BayModel. This patch updates
BayModel to ClusterTemplate. No functionality should be
changed by this patch, just naming and db updates.

Change-Id: I0803e81be6482962be2878a8ea2c7480f89111ac
Implements: blueprint rename-bay-to-cluster
2016-09-01 14:47:39 -07:00
Jenkins 42abb07835 Merge "Rename bay to cluster in certificate object and references" 2016-09-01 21:43:28 +00:00
Jaycen Grant 8e0de76aff Rename bay to cluster in certificate object and references
This is patch #2 of 3 to rename the term bay to cluster within
the internal references and objects of magnum. This patch changes
all references to the certificate objects bay_uuid field to
cluster_uuid.  Certifcate does not have a db table so no db
changes were made. No functionality is changed by this patch,
just internal naming.

Change-Id: I68a3b87b75b49de43a7855355807b50a4ae695f3
Implements: blueprint rename-bay-to-cluster
2016-09-01 08:48:24 -07:00
Stephen Watson 6ead3e4780 Updates CONF usage from bay to cluster.
Renames bay-related CONF options to their respective cluster names.
Adds release notes for CONF changes.

Change-Id: I7bbe0927e54c1f40a47bfdea448a88b467fef106
Implements: blueprint rename-bay-to-cluster
2016-08-31 22:21:34 +00:00
Jenkins 5258fddf9d Merge "Include version info in bay/cluster show operation" 2016-08-31 19:15:49 +00:00
Vijendar Komalla 50bc376c4d Include version info in bay/cluster show operation
Currently bay-show operation does not return bay/cluster
version information. This change contain changes to return
bay/cluster version and container version info.

Change-Id: Ie12b6583e6d85faa3607f87295c04d72698034a5
Closes-Bug: #1613413
2016-08-31 09:39:42 -05:00
ztetfger 23b2610973 Fix bay status: after bay-delete status is not DELETE_IN_PROGRESS
After bay-delete, the bay status will not change until the bay is
deleted. To change the bay status, should be added.

Change-Id: Ib16e9896cdf980c9f9c1f2fc581aa723dfc52ac0
Closes-Bug: #1615891
2016-08-31 13:45:34 +00:00
Jaycen Grant eaddb942fd Rename Bay to Cluster in api
This is the first of several patches to add new Cluster commands
that will replace the Bay terminalogy in Magnum. This patch adds
the new Cluster and ClusterTemplate commands in addition to the
Bay and Baymodel commands.  Additional patches will be created
for client, docs, and additional functional tests.

Change-Id: Ie686281a6f98a1a9931158d2a79eee6ac21ed9a1
Implements: blueprint rename-bay-to-cluster
2016-08-17 22:24:45 +00:00
Jenkins 5372cd92b4 Merge "Rollback bay on update failure" 2016-08-16 04:59:35 +00:00
Wenzhi Yu 63b5c21c8d Rollback bay on update failure
There is a rollback mechanism in heat after the stack
update failed. There should be a rollback mechanism in
magnum after bay update failed.

This patch add new microversion 1.3 to add rollback
support for Magnum bay, user can enable rollback on bay
update failure by specifying microversion 1.3 in header(
{'OpenStack-API-Version': 'container-infra 1.3'}) and
passing 'rollback=True'(http://XXX/v1/bays/XXX/?rollback=True)
when issuing bay update reqeust.

Change-Id: Idd02769f98078702404a11dc9f7a3339ce4e22eb
Partially-Implements: blueprint bay-rollback-on-update-failure
2016-08-15 17:09:23 +08:00
yatin karel 52f30927af Set bay status: DELETE_IN_PROGRESS before updated by poll
Set bay status to DELETE_IN_PROGRESS as soon as delete stack
request returns. Currently this status is updated by Heat

Change-Id: I44a3cea1a5d6e9735b0b74637d7c62db2e9cffa3
Closes-Bug: #1612408
2016-08-15 11:46:48 +05:30
Vijendar Komalla bf30b9b4cb Support for async bay operations
Current implementation of magnum bay operations are synchronous
and as a result API requests are blocked until response from HEAT
service is received. With this change bay-create, bay-update and
bay-delete calls will be asynchronous.
Please note that with this change bay-create/bay-update api calls
will return bay uuid instead of bay object and also microversion
1.2 is added for new behavior.

Change-Id: I4ca1f9f386b6417726154c466e7a9104b6e6e5e1
Closes-Bug: #1588425
2016-08-11 09:28:34 -05:00
Spyros Trigazis e6a29fb252 Remove ReplicationController object
Following the removal of service [1], pod [2] and container [3], remove
COE specific object ReplicationController.

This change also removes k8s_conductor.

[1] I4f06bb779caa0ad369a2b96b4714e1bf2db8acc6
[2] I8c2499ccb97aae39d80868ce02fbef292d762c10
[3] I288fa7a9717519b1ae8195820975676d99b4d6d2

Change-Id: Ica100c8d2dfdd7dc709feb1f5cdc5a3f3d6c7318
Partially-Implements: blueprint delete-container-endpoint
Partially-Implements: blueprint bay-drivers
2016-08-10 17:56:48 +02:00
Tom Cammann 40aa6550f1 Remove container object
Following on from removing the k8s specific APIs in
I1f6f04a35dfbb39f217487fea104ded035b75569 the objects associated with
these APIs need removal.

Remove the container object, drop the db table and remove references to
the container object. The docker_conductor has also been removed as this
was used for managing containers using Magnum objects.

Change-Id: I288fa7a9717519b1ae8195820975676d99b4d6d2
Partially-Implements: blueprint delete-container-endpoint
Co-Authored-By: Spyros Trigazis <>
2016-08-01 16:16:20 +02:00
Bin-Lu 4427374c06 Fix the permission of these files -rwxr-xr-x
As shown above,these files have executable attribute that need be removed.

Change-Id: I1955360afe17ec83c7b759d44a5bf60d9b055594
2016-07-20 22:55:38 +00:00
qinchunhua 894f03b9f0 Correct the rest of the reraising of exception
When an exception was caught and rethrown, it should call 'raise'
without any arguments because it shows the place where an exception
occured initially instead of place where the exception re-raised.

Change-Id: I696054fc273edb62e87e5d567da6b99cdf5ec358
2016-07-12 03:20:35 +00:00
Jenkins cb99c64614 Merge "Bay driver implementation" 2016-07-06 19:47:52 +00:00
Jenkins 02291e5914 Merge "Bay_create_timeout should be set to 60 default" 2016-07-06 09:02:39 +00:00
Murali Allada 4080d4a84c Bay driver implementation
Moved all the swarm templates and template_definition code
to the magnum/drivers folder.

Moved base template_definition classes to drivers/common

Change-Id: Ieff57f0f47835c35d9f17c3d7d1b7e6a40907462
Partially-Implements: blueprint bay-drivers
Co-Authored-by: Spyros Trigazis <>
2016-07-05 22:30:31 +02:00
PanFengyun f5150078ee Bay_create_timeout should be set to 60 default
Bay_create_timeout default is 0 and means that magnum create bay
without timeout. But heat create stack with timeout absolutely.
So it is impossible to create bay without timeout. And I had send
a patch which allow heat to create stack without timeout, but the
core of heat did not agree with it.
The patch is:

Change-Id: Iebc9915dcf2894a2dbed912244a2c7c308b4d9d7
Closes-bug: #1590636
2016-07-03 23:26:32 +08:00
Madhuri Kumari e31ef64e6e Delete certs when deleting bay
Currently Magnum fails to delete certificates when barbican
cert manager is used. The code was copied from neutron-lbaas and
they have different usecase. In our case, certificate is managed by
Magnum not users, so we should delete certificates when deleting bay.
So this patch deletes all the certs related to a bay.

Change-Id: I5aab01641b9447153911680c5f68e5fe2c5a1409
Closes-bug: #1587033
2016-06-30 12:40:16 +05:30
Jenkins af7cd43652 Merge "Allow Bay templates to include Heat environments" 2016-06-29 05:05:29 +00:00
Drago Rosson db61da3f8f Allow Bay templates to include Heat environments
Change-Id: I96ebd1687654193ea8cfbcfb816d9276594400ac
Partially-Implements: blueprint decouple-lbaas
Partially-Implements: blueprint allow-user-softwareconfig
2016-06-28 08:41:41 +00:00
Madhuri Kumari 5f193f2e0e Add x509keypair_cert_manager to store certs in DB
x509keypair_cert_manager stores certs in Magnum DB.

Change-Id: Id8106d7bd5c270679bc189fc0dc17bcbde367d73
Implements: blueprint  blueprint barbican-alternative-store
2016-06-23 09:08:52 +05:30
Jenkins af6c774d03 Merge "Remove service object" 2016-06-06 11:09:10 +00:00
Jenkins d12433a49a Merge "Support trustee_domain_name in config file" 2016-06-06 11:09:04 +00:00
OTSUKA, Yuanying 1d74849193 Support trustee_domain_name in config file
To setup magnum easier, name based configuration is important.
This patch makes config file support trustee_domain_name and
trustee_domain_admin_name in trust section.
If name and id of trustee domain are provided by user, both
values are passed through into keystone.

Closes-Bug: #1581372
Change-Id: Ia691aca7c29a471f6ba36a1a371ec1edf830b365
2016-06-06 08:23:43 +09:00
Tom Cammann 3e02840628 Remove service object
Following on from removing the k8s specific APIs in
I1f6f04a35dfbb39f217487fea104ded035b75569 the objects associated with
these APIs need removal.

Remove the service object, drop the db table and remove references to
the service object.

Change-Id: I4f06bb779caa0ad369a2b96b4714e1bf2db8acc6
Partially-Implements: blueprint delete-container-endpoint
2016-06-02 10:46:13 +01:00
Madhuri Kumari 303d14dde0 X509keypair cleanup
This patch does following:

* Removes X509keypair controller as there is already Certificate
  controller for same purpose.
* Removes X509keypair conductor.
* Removes name, ca_cert and bay_uuid from x509keypair model as
  Bay model already holds certificate references.
* Add intermediates and private_key_passphrase to x509keypair
* Remove related tests and changes.

Change-Id: I9271221cd1d07c672c4a380a4ae3593237fca66a
Partially-Implements: blueprint barbican-alternative-storeX
2016-05-30 12:02:26 +05:30