This patch brings the Fedora Atomic version used in gating to
the latest one which includes some improvements alongside a newer
version of Docker (which seems to run things better overall).
Change-Id: Iad0a1f57b29aec9a0cdb2a104fdaa5970133cfb4
Switch to systemd logging to take advantage of some of the newer
logging features.
Story: 2004272
Task: 27820
Change-Id: I475bf26e24b3a725f68c7da355807374bf1e189b
We do currently not support www_authentication_uri at all, which
is the new standard, as auth_uri has long been deprecated.
* Make sure we support both auth_uri and www_authenticate_uri.
* Switched to www_authenticate_uri for devstack.
* Fixed a bug where a bad exception would be thrown if auth_uri
was not set.
Story: 2004271
Task: 27819
Change-Id: Ibc932d35f3d6ba2ac7ffb6193aa37bd4a3d4422e
We are currently hitting this error with the gate.
> NOT_ALLOWED - access to vhost 'None' refused for user 'stackrabbit'
This patch fixes this by using the inbuilt devstack construct
to create an appropriate transport_url.
Change-Id: I9aae96094b7bd8bc148ae3e42c118ba160eff8ae
Added configuration parameter, temp_cache_dir, to magnum.conf with
default value of "/var/lib/magnum/certificate-cache". This local
directory will hold cached cluster TLS credentials that are generated
during periodic tasks, to reduce load as the number of clusters
increases. If the temp_cache_dir does not exist, the certificates
will be created as tempfiles.
Closes-Bug: #1659545
Change-Id: I8808c4098a7c8d22dbfc841142c9f9c8b976dde1
In Fedora Atomic 27 etcd and flanneld are removed from the base image.
Install them as system containers.
* update docker-storage configuration
* add etcd and flannel tags as labels
Change-Id: I2103c7c3d50f4b68ddc11abff72bc9e3f22839f3
Closes-Bug: #1735381
Added configuration parameter, send_cluster_metrics, to magnum.conf
with default value of True. If set to True, periodic tasks will pull
COE data and send to ceilometer. This parameter can be set to False to
disable periodic collection of data to avoid unnecessary load from the
cluster.
Closes-Bug: #1668330
Related-Bug: #1746510
Change-Id: I9945293e7b2b52731f6e220d0925c1f6ad097caa
Until [1] is in kubernetes we need to redirect from /v2 to
/identity/v2 for the cloud provider to work.
[1] https://github.com/gophercloud/gophercloud/pull/423
Change-Id: I5206e75e9528ceb8428c70df67e6ba26d01c4772
In the drivers section of magnum.conf add openstack_ca_file.
This file is expected to be a CA Certificate OR CA bundle
which will be passed on every node and it will be installed
on the host's CA bundle.
Update devstack plugin to use the ssl bundle if tls-proxy is
enabled.
Install the CA for drivers:
k8s_coreos_v1
k8s_fedora_atomic_v1
k8s_fedora_ironic_v1
mesos_ubuntu_v1
swarm_fedora_atomic_v1
swarm_fedora_atomic_v2
Add doc in troubleshooting-guide.
Add release notes.
Closes-Bug: #1580704
Partially-Implements: blueprint heat-agent
Change-Id: Id48fbea187da667a5e7334694c3ec17c8e2504db
Fix wrongly used start_tls_proxy function and correctly set api port
when tls-proxy is enabled.
Also remove start_tls_proxy for ec2 which is not required.
Co-Authored-By: yatin <ykarel@redhat.com>
Change-Id: I71b85b5cb018dd790e13aaa1eeefcbb8ac0b3b85
Closes-Bug: #1727613
This commit uses the existing policy-in-code module to move all
default policies for magnum service and stat into code. This commit
also adds helpful documentation about each API those policies protect,
which will be generated in sample policy files and completely remove
usage of policy.json file.
Co-authored-By: Dai Dang-Van <daidv@vn.fujitsu.com>
Implements: blueprint policy-in-code
Change-Id: I01a8ce964bf8bd569d4aa4e899cbcd9855281835
* Swarm-mode is the fastest cluster to deploy since it doesn't
require to pull anything from outside.
* Add the output nodes for swarm-mode too.
* Disable copy logs (I think a better practice is to copy logs
on demand).
* Don't run test_create_list_sign_delete_clusters, because it is
very unstable on the CI.
Partially-Implements: blueprint swarm-mode-support
2nd commit message:
Update to Fedora Atomic 26
This patch moves the current master to test against Fedora Atomic 26,
in addition, it switches to downloading from Fedora mirrors.
2nd-Change-Id: I9a97c0eb78b2c9d10e8be1501babb19e73ee70c1
3rd commit message:
Set default iptables FORWARD policy to ACCEPT
With the release of Docker 1.13 which is available in Fedora
Atomic 26, it no longer sets the policy of the FORWARD chain
to ACCEPT[1]. Therefore, CNI networking such as Flannel will
cease to work.
This patch sets the policy to ACCEPT so that traffic can work
once again for deployments which are based on Docker versions
which are newer than 1.13
[1]: https://github.com/moby/moby/pull/28257
3rd-Change-Id: I1457602748619f38f87542fc01a2996ee80e58b7
Closes-Bug: #1708454
Co-Authored-By: Mohammed Naser <mnaser@vexxhost.com>
Change-Id: I86d4dcc94fff622be4ee2acc8dd60ed81bc5d433
* add docker_volume_type for the cinder volumes which are
used for docker storage.
* add default_docker_volume_type configuration option
Related-Bug: #1678153
Change-Id: Ie18096acf24873ef91a904df4f1a84694a2bb644
Allow to specify a custom AUTH_URL for the templates in case instances
cannot reach internalURL which is the case in most deployments.
A new variable in trust section: trustee_keystone_interface which
defaults to public is introduced.
Change-Id: I2a908c0752387e4ff4ad2b0fdf0c1025a73ce806
Closes-Bug: #1643197
Post [1] we cannot use auth_uri/auth_url containing :5000, :35357.
Update keystone auth_uri and auth_url in magnum.conf to connect
with keystone using /identity/v3 and /identity_admin/v3.
[1] https://review.openstack.org/#/c/456344/
Change-Id: I5d69e7454cf8a5e8c92ff23b6c932184d82e8a98
devstack: Allow access to ports 80 and 443
So far, we were allowing access to port 5000 for keystone.
When devstack switched to uwsgi we couldn't access keystone
anymore.
Co-Authored-By: Spyros Trigazis <strigazi@gmail.com>
Change-Id: I4d3d482889fd9f6119ceec81757abac9d1251a97
With this patch we will use glance v2 APIs for interacting
with glance.
[1] I7f962a07317cdad917ee896d79e49ee18938d074
Closes-Bug: 1672535
Change-Id: Iedc25b55ad2751e14d3794b1cb80f724f1a735c4
This commit addresses multiple potential vulnerabilities in
Magnum. It makes the following changes:
* Permissions for /etc/sysconfig/heat-params inside Magnum
created instances are tightened to 0600 (used to be 0755).
* Certificate retrieval is modified to work without the need
for a Keystone trust.
* The cluster's Keystone trust id is only passed into
instances for clusters where that is actually needed. This
prevents the trustee user from consuming the trust in cases
where it is not needed.
* The configuration setting trust/cluster_user_trust (False by
default) is introduced. It needs to be explicitly enabled
by the cloud operator to allow clusters that need the
trust_id to be passed into instances to work. Without this
setting, attempts to create such clusters will fail.
Please note, that none of these changes apply to existing
clusters. They will have to be deleted and rebuilt to benefit
from these changes.
Change-Id: I643d408cde0d6e30812cf6429fb7118184793400
Copy magnum.bash_completion script to /etc/bash_completion.d
so that users/developers can take advantage of auto completion
of magnum commands.
Change-Id: I8d0ba953e7eb963be1d9e459c4015e882231e2c8
Closes-Bug: #1657004
If the services are disabled in the devstack/settings file, it disables
them for everyone who uses the magnum devstack plugin. Some people (like
shade) use both magnum and swift to test things. Putting this in the
gate hook means it's used in all of magnum's jobs, but not in other
people's jobs.
Change-Id: Icd82a4ab68533f39f967575c2125b0f61c70e0a6
Swift, Ceilometer and horizon are not used. Disabling them
will give us space.
Cleanup disabling of octavia and neutron/lbaas.
Closes-Bug: #1646870
Closes-Bug: #1648148
Change-Id: I4b177421f0eb0a058b8927b9d2dd12865d3c920e
This reverts commit 45f071e36eab4f3d20cacbc9cd610e536e1dd2b9.
The Temporary fix can be reverted as devstack has released
the fix in following patch:-
https://review.openstack.org/398012
Change-Id: I837f4925cf4c797bd1b02a7bf244ca5742159971
Closes-Bug: #1628267
Closes-Bug: #1629133
Patch: https://review.openstack.org/#/c/352806 has
set host=None and we don't change this parameter
neither in devstack installation nor in manual installation.
With this patch value of [DEFAULT]/host is set to
hostname of the host on which magnum is setup.
Also, updated manual installation step to set [DEFAULT]/host
to hostname.
Depends-on: I51feb6ccdc0fab91a591568866e6801f2bbb319b
Change-Id: Id43bfcc792b28c98c9bf1d888dd7ddcc167e8ea5
Closes-Bug: #1630190
We can merge this temporary fix and track the following
related bugs to revert. For details for the issue, please
refer to the bug descriptions.
Related-Bug: #1628267
Related-Bug: #1629133
Change-Id: I51feb6ccdc0fab91a591568866e6801f2bbb319b
"rabbit_userid", "rabbit_password", "rabbit_host" are deprecated for removal.
This patch changes these options to "transport_url" in DEFAULT group.
Change-Id: I0c33a1f84103d07e371e11229276c8cecdc485c4
Related-Bug: #1451226
Now that heat is available as a devstack plugin, we should
use it. In-tree devstack code for heat is planned to be
removed soon[1].
And also, this patch removes `update_heat_policy` function
in devstack plugin. Because fetching global stack list is
already an option to use in Magnum.
[1] https://review.openstack.org/#/c/317618/
Change-Id: Iab675da5ea8d02b3f7e71f6169c81724a0066858
Co-Authored-By: OTSUKA, Yuanying <yuanying@fraction.jp>
LBaaS v1 api is completely removed by neutron, so it
cannot be used now. Added Support of LBaaS v2 API.
Now all COEs use LBaaS v2.
Co-Authored-By: yatin karel <yatin.karel@nectechnologies.in>
Change-Id: Idbccbe1065857449fc8e158115b7833b68c2da9f
Partially-Implements: blueprint magnum-lbaasv2-support
Rule "context_is_admin" is defined in heat for admin role
and heat uses this rule to authorize admin operations.
Since default admin context can be updated by heat, we
should use the rule: context_is_admin.
In newton, heat updated the admin context to admin role
with admin tenant in following patch:-
https://review.openstack.org/#/c/316627/
Change-Id: Iea6f3a6124e0c4d29801641aff51e385f0399488
Closes-Bug: #1499302
To setup magnum easier, name based configuration is important.
This patch makes config file support trustee_domain_name and
trustee_domain_admin_name in trust section.
If name and id of trustee domain are provided by user, both
values are passed through into keystone.
Closes-Bug: #1581372
Change-Id: Ia691aca7c29a471f6ba36a1a371ec1edf830b365
After this patch [1], Magnum is no longer the "Container Service", it
became the "Container Infrastructure Management Service". This commit
updates the service name and description accordingly:
* Change service name from "container" to "container-infra"
* Update service description to reflect its mission
[1] https://review.openstack.org/#/c/311476/
Depends-On: I55205ff2b304678d2b53bbd4d66403078c6baac8
Closes-Bug: #1584251
Change-Id: I5c271bf3fc4d6ccecaf2918aca28ce946bcc6b22
* Add a CoreOS test class TestCoreosKubernetesAPIs
* Add a CoreOS test environment in tox.ini
* Create a base class BaseK8sTest and move OS-agnostic k8s testing
code to that class.
* Increase the disk size from 8G to 10G for m1.magnum and s1.magnum,
since CoreOS image requires more disk space to boot.
* Set os-distro property for CoreOS image.
Partial-Bug: #1546101
Change-Id: Ie56a9442ecebe05f39c7669bc950f5a6ca11df33
"m-api" is already used by Manila so switch to "magnum-api"
and "magnum-cond" for devstack.
Change-Id: I0f5e57dd263164652813088fe624f62cda664727
Closes-Bug: #1569879
It looks like the official Fedora mirror is unstable right now, so we
uploaded the image to fedorapeople. This is a temporary solution.
Once the official mirror becomes stable, we switch back to it.
Note: alt.fedoraproject.org seems to have a newer image and
the official mirrors (download.fedoraproject.org) do not seem to have
gotten the new image yet. So when download.fedoraproject.org
redirects (302) to a mirror the image does not exist there. We can
pull image from alt directly, but we opted for using fedorapeople as
we don't want to introduce load on alt.
Co-Authored-By: Hongbin Lu <hongbin.lu@huawei.com>
Closes-Bug: #1567124
Change-Id: I441898d846d1768b9723b293196b5339271a377e