74 Commits

Author SHA1 Message Date
Erik Olof Gunnar Andersson
ba1ca0e499 Removed admin_* from devstack config
The admin_* variables are a relic of the Keystone V2 api and
should no longer be used at all.

It's important to keep the devstack config clean, as it is often
used as a reference for configuring services.

* Removed deprecated admin_user, admin_password and admin_tenant.

Story: 2004272
Task: 27821

Change-Id: I132e670f446e5172dc4f1847be7779645060ca4d
2018-12-20 04:00:07 +00:00
Zuul
b0e114d9d5 Merge "Add support for www_authentication_uri" 2018-11-08 11:52:33 +00:00
Erik Olof Gunnar Andersson
daa7d04951 Cleaned up devstack logging
Switch to systemd logging to take advantage of some of the newer
logging features.

Story: 2004272
Task: 27820

Change-Id: I475bf26e24b3a725f68c7da355807374bf1e189b
2018-11-06 17:16:28 +00:00
Erik Olof Gunnar Andersson
718cb9c9b4 Add support for www_authentication_uri
We do currently not support www_authentication_uri at all, which
is the new standard, as auth_uri has long been deprecated.

* Make sure we support both auth_uri and www_authenticate_uri.
* Switched to www_authenticate_uri for devstack.
* Fixed a bug where a bad exception would be thrown if auth_uri
  was not set.
  
Story: 2004271
Task: 27819

Change-Id: Ibc932d35f3d6ba2ac7ffb6193aa37bd4a3d4422e
2018-11-06 17:13:10 +00:00
Erik Olof Gunnar Andersson
423d186312 Fixing gate failing due to bad AMQP virtual_host
We are currently hitting this error with the gate.
> NOT_ALLOWED - access to vhost 'None' refused for user 'stackrabbit'

This patch fixes this by using the inbuilt devstack construct
to create an appropriate transport_url.

Change-Id: I9aae96094b7bd8bc148ae3e42c118ba160eff8ae
2018-10-16 01:35:40 +00:00
Kirsten G
d9e590bdc6 Cache barbican certs for periodic tasks
Added configuration parameter, temp_cache_dir, to magnum.conf with
default value of "/var/lib/magnum/certificate-cache". This local
directory will hold cached cluster TLS credentials that are generated
during periodic tasks, to reduce load as the number of clusters
increases. If the temp_cache_dir does not exist, the certificates
will be created as tempfiles.

Closes-Bug: #1659545

Change-Id: I8808c4098a7c8d22dbfc841142c9f9c8b976dde1
2018-04-03 06:15:58 +00:00
Zuul
e644a20e81 Merge "Add send_cluster_metrics configuration parameter" 2018-02-07 14:54:33 +00:00
Kirsten G
cf84683940 Add send_cluster_metrics configuration parameter
Added configuration parameter, send_cluster_metrics, to magnum.conf
with default value of True. If set to True, periodic tasks will pull
COE data and send to ceilometer. This parameter can be set to False to
disable periodic collection of data to avoid unnecessary load from the
cluster.

Closes-Bug: #1668330
Related-Bug: #1746510

Change-Id: I9945293e7b2b52731f6e220d0925c1f6ad097caa
2018-02-01 10:34:54 -08:00
Zuul
029242656d Merge "ci: Add redirection from /v2 to /identity/v2" 2018-01-31 13:50:32 +00:00
Spyros Trigazis
674b90548d ci: Add redirection from /v2 to /identity/v2
Until [1] is in kubernetes we need to redirect from /v2 to
/identity/v2 for the cloud provider to work.

[1] https://github.com/gophercloud/gophercloud/pull/423

Change-Id: I5206e75e9528ceb8428c70df67e6ba26d01c4772
2018-01-19 11:21:01 +05:30
Spyros Trigazis
65dfb2009f Add openstack_ca_file configuration option
In the drivers section of magnum.conf add openstack_ca_file.
This file is expected to be a CA Certificate OR CA bundle
which will be passed on every node and it will be installed
on the host's CA bundle.

Update devstack plugin to use the ssl bundle if tls-proxy is
enabled.

Install the CA for drivers:
k8s_coreos_v1
k8s_fedora_atomic_v1
k8s_fedora_ironic_v1
mesos_ubuntu_v1
swarm_fedora_atomic_v1
swarm_fedora_atomic_v2

Add doc in troubleshooting-guide.

Add release notes.

Closes-Bug: #1580704
Partially-Implements: blueprint heat-agent
Change-Id: Id48fbea187da667a5e7334694c3ec17c8e2504db
2018-01-17 14:58:56 +00:00
chenlx
c609524627 Fix: magnum devstack installation with tls-proxy
Fix wrongly used start_tls_proxy function and correctly set api port
when tls-proxy is enabled.

Also remove start_tls_proxy for ec2 which is not required.

Co-Authored-By: yatin <ykarel@redhat.com>
Change-Id: I71b85b5cb018dd790e13aaa1eeefcbb8ac0b3b85
Closes-Bug: #1727613
2017-11-14 10:49:37 +05:30
Hieu LE
c77e0c709a Register default magnum service and stat policies in code
This commit uses the existing policy-in-code module to move all
default policies for magnum service and stat into code. This commit
also adds helpful documentation about each API those policies protect,
which will be generated in sample policy files and completely remove
usage of policy.json file.

Co-authored-By: Dai Dang-Van <daidv@vn.fujitsu.com>
Implements: blueprint policy-in-code

Change-Id: I01a8ce964bf8bd569d4aa4e899cbcd9855281835
2017-10-23 02:57:29 +00:00
Spyros Trigazis
295ef945f6 swarm: Add docker_volume_type label
* add docker_volume_type for the cinder volumes which are
  used for docker storage.
* add default_docker_volume_type configuration option

Related-Bug: #1678153
Change-Id: Ie18096acf24873ef91a904df4f1a84694a2bb644
2017-06-01 16:17:54 +00:00
ecded75c32 Ignore: Try pxe_ipmitool since vbmc is used
k8s-ironic jobs are failing since long, pxe_ssh is deprecated,
so try pxe_ipmitool.

Change-Id: I48ba8ba4d10a616eb7b482e48ed4a83c3d0acf09
2017-05-19 17:15:17 +05:30
Kevin Lefevre
4c241a683f Enable custom keystone endpoint_type in templates
Allow to specify a custom AUTH_URL for the templates in case instances
cannot reach internalURL which is the case in most deployments.

A new variable in trust section: trustee_keystone_interface which
defaults to public is introduced.

Change-Id: I2a908c0752387e4ff4ad2b0fdf0c1025a73ce806
Closes-Bug: #1643197
2017-05-01 18:15:58 +02:00
530d225fcd Fix keystone auth_uri and auth_url
Post [1] we cannot use auth_uri/auth_url containing :5000, :35357.

Update keystone auth_uri and auth_url in magnum.conf to connect
with keystone using /identity/v3 and /identity_admin/v3.

[1] https://review.openstack.org/#/c/456344/

Change-Id: I5d69e7454cf8a5e8c92ff23b6c932184d82e8a98

devstack: Allow access to ports 80 and 443

So far, we were allowing access to port 5000 for keystone.
When devstack switched to uwsgi we couldn't access keystone
anymore.

Co-Authored-By: Spyros Trigazis <strigazi@gmail.com>
Change-Id: I4d3d482889fd9f6119ceec81757abac9d1251a97
2017-04-27 04:22:55 +00:00
trilliams
3a9e8cfb40 Glance v1 is deprecated and removed in devstack [1]
With this patch we will use glance v2 api's for interacting
with glance.

[1] I7f962a07317cdad917ee896d79e49ee18938d074

Closes-Bug: 1672535

Change-Id: Iedc25b55ad2751e14d3794b1cb80f724f1a735c4
2017-03-14 16:51:08 +05:30
Johannes Grassler
e93d82e8b3 Fix CVE-2016-7404
This commit addresses multiple potential vulnerabilities in
Magnum. It makes the following changes:

* Permissions for /etc/sysconfig/heat-params inside Magnum
  created instances are tightened to 0600 (used to be 0755).
* Certificate retrieval is modified to work without the need
  for a Keystone trust.
* The cluster's Keystone trust id is only passed into
  instances for clusters where that is actually needed. This
  prevents the trustee user from consuming the trust in cases
  where it is not needed.
* The configuration setting trust/cluster_user_trust (False by
  default) is introduced. It needs to be explicitly enabled
  by the cloud operator to allow clusters that need the
  trust_id to be passed into instances to work. Without this
  setting, attempts to create such clusters will fail.

Please note, that none of these changes apply to existing
clusters. They will have to be deleted and rebuilt to benefit
from these changes.

Change-Id: I643d408cde0d6e30812cf6429fb7118184793400
2017-02-09 16:44:27 +01:00
yatin
7e59f53b59 [devstack] Copy bash_completion script during magnum installation
Copy magnum.bash_completion script to /etc/bash_completion.d
so that users/developers can take advantage of auto completion
of magnum commands.

Change-Id: I8d0ba953e7eb963be1d9e459c4015e882231e2c8
Closes-Bug: #1657004
2017-01-17 11:38:39 +05:30
yatin
9335b17c72 Remove KEYSTONE_CATALOG_BACKEND from magnum plugin
Devstack has removed KEYSTONE_CATALOG_BACKEND from its
repo: https://review.openstack.org/#/c/391380

Due to above change gate tests are failing, we should
remove it from magnum plugin as well. Refer below for
its deprecation and removal:-
http://lists.openstack.org/pipermail/openstack-dev/2016-February/086272.html

Change-Id: I9ad6e0577918e811e9dd051b56aa69bfe2c391a0
Closes-Bug: #1644085
2016-11-23 10:54:41 +05:30
yatin
4ffad1d32d Set config param [DEFAULT]/host to hostname
Patch: https://review.openstack.org/#/c/352806 has
set host=None and we don't change this parameter
neither in devstack installation nor in manual installation.
With this patch value of [DEFAULT]/host is set to
hostname of the host on which magnum is setup.
Also, updated manual installation step to set [DEFAULT]/host
to hostname.

Depends-on: I51feb6ccdc0fab91a591568866e6801f2bbb319b
Change-Id: Id43bfcc792b28c98c9bf1d888dd7ddcc167e8ea5
Closes-Bug: #1630190
2016-11-15 08:41:09 +05:30
Mahito OGURA
d8c7a83c9c Change several RabbitMQ config settings
"rabbit_userid", "rabbit_password", "rabbit_host" are deprecated for removal.
This patch changes these options to "transport_url" in DEFAULT group.

Change-Id: I0c33a1f84103d07e371e11229276c8cecdc485c4
Related-Bug: #1451226
2016-09-26 10:50:46 +09:00
rabi
719018e9cb Use heat devstack plugin
Now that heat is available as a devstack plugin, we should
use it. In-tree devstack code for heat is planned to be
removed soon[1].

And also, this patch removes `update_heat_policy` function
in devstack plugin. Because fetching global stack list is
already option to use in Magnum.

[1] https://review.openstack.org/#/c/317618/

Change-Id: Iab675da5ea8d02b3f7e71f6169c81724a0066858
Co-Authored-By: OTSUKA, Yuanying <yuanying@fraction.jp>
2016-09-15 10:43:09 +09:00
Jenkins
f0c0118c49 Merge "Add functional test for k8s ironic" 2016-08-15 10:39:36 +00:00
yatin
28d8eca8c1 Change stacks:global_index heat policy to context_is_admin
Rule "context_is_admin" is defined in heat for admin role
and heat uses this rule to authorize admin operations.
Since default admin context can be updated by heat, we
should use the rule: context_is_admin.

In newton, heat updated the admin context to admin role
with admin tenant in following patch:-
https://review.openstack.org/#/c/316627/

Change-Id: Iea6f3a6124e0c4d29801641aff51e385f0399488
Closes-Bug: #1499302
2016-08-11 22:36:18 +05:30
OTSUKA, Yuanying
83e0d8d32b Add functional test for k8s ironic
This patch adds functional test for k8s ironic, and modify
utility scripts for gate jobs.

Partial-Implements: blueprint magnum-baremetal-full-support
Change-Id: I8d68711af9d90e4a52901765e7daf97bc2851125
Co-Authored-By: Spyros Trigazis <strigazi@gmail.com>
Co-Authored-By: OTSUKA, Yuanying <yuanying@fraction.jp>
2016-08-09 11:30:04 +02:00
Madhuri Kumari
5f193f2e0e Add x509keypair_cert_manager to store certs in DB
x509keypair_cert_manager stores certs in Magnum DB.

Change-Id: Id8106d7bd5c270679bc189fc0dc17bcbde367d73
Implements: blueprint  blueprint barbican-alternative-store
2016-06-23 09:08:52 +05:30
OTSUKA, Yuanying
1d74849193 Support trustee_domain_name in config file
To setup magnum easier, name based configuration is important.
This patch makes config file support trustee_domain_name and
trustee_domain_admin_name in trust section.
If name and id of trustee domain are provided by user, both
values are passed through into keystone.

Closes-Bug: #1581372
Change-Id: Ia691aca7c29a471f6ba36a1a371ec1edf830b365
2016-06-06 08:23:43 +09:00
Eli Qiao
0b2fefa1a7 devstack: fix magnum service name in is_magnum_enabled
We rename m-api, m-cond to magnum-api, magnum-cond, so need to fix it
in is_magnum_enabled too.

Change-Id: Ifbb290a4b6900636e0964510b4f95d7bc44a84a3
2016-05-27 08:29:32 +08:00
Hongbin Lu
754233c51d Update Magnum service name and description
After this patch [1], Magnum is no longer the "Container Service", it
became the "Container Infrastructure Management Service". This commit
updates the service name and description accordingly:
* Change service name from "container" to "container-infra"
* Update service description to reflect its mission

[1] https://review.openstack.org/#/c/311476/

Depends-On: I55205ff2b304678d2b53bbd4d66403078c6baac8
Closes-Bug: #1584251
Change-Id: I5c271bf3fc4d6ccecaf2918aca28ce946bcc6b22
2016-05-23 15:59:16 -05:00
Hongbin Lu
c52e5bea06 Add tox test for k8s coreos bay
* Add a CoreOS test class TestCoreosKubernetesAPIs
* Add a CoreOS test environment in tox.ini
* Create a base class BaseK8sTest and move OS-agnostic k8s testing
  code to that class.
* Increase the disk size from 8G to 10G for m1.magnum and s1.magnum,
  since CoreOS image requires more disk space to boot.
* Set os-distro property for CoreOS image.

Partial-Bug: #1546101
Change-Id: Ie56a9442ecebe05f39c7669bc950f5a6ca11df33
2016-05-09 02:36:26 +00:00
Jenkins
3025fcc7e9 Merge "devstack: Use magnum-api and magnum-cond for services" 2016-04-19 02:37:53 +00:00
Thomas Bechtold
3fe3e46d4e devstack: Use magnum-api and magnum-cond for services
"m-api" is already used by Manila so switch to "magnum-api"
and "magnum-cond" for devstack.

Change-Id: I0f5e57dd263164652813088fe624f62cda664727
Closes-Bug: #1569879
2016-04-18 10:33:28 +02:00
Hua Wang
d2676a2d63 Config docker registry in devstack
Config docker registry in devstack

Change-Id: I7964c3b4f35747418dbe84d1ac003c462b2ea907
Partially-Implements: blueprint registryv2-in-master
2016-04-13 16:17:36 +08:00
Corey O'Brien
32f917c8d7 Switch to Atomic 23
Change the devstack image to the default Atomic 23 image.
Update templates not to rely on interface naming because the names
changed between Atomic 21 and Atomic 23 images.
Add a functional test to validate minion node registration.
Update docs to refer to a generic Atomic image.

Co-Authored-By: Hongbin Lu <hongbin.lu@huawei.com>

Implements: blueprint atomic23
Change-Id: Id67244e3f452b3c7c3c46fdabcca3a5c141a76c0
2016-04-02 18:17:42 -04:00
Nguyen Hung Phuong
eada9666d5 Fix typos in Magnum files
TrivialFix

Change-Id: I190abb1471730bfea75f49da73c3d64cfa9ca560
2016-03-28 12:38:51 +07:00
Hua Wang
e8d537857a Use trust for tls generation
Currently, we use the users auth token, which expires after a while.

We need to use a trust instead.

Change-Id: Ie18e6a1371871720fbfd4af0bd43e166075b0c6d
Closes-Bug: #1503863
Partially-Implements: blueprint use-trust-for-tls-cert-generation
2016-03-24 10:24:52 +08:00
Paulo Ewerton
7f145e703c Refactor Keystone client with keystoneauth
This patch does, basically, three things:

* Updates the default auth section to keystone_auth;
* Introduces keystoneauth sessions and plugins;
* Adds a deprecation warning and options when loading
legacy auth.

Config, tests and client code are also updated.

Co-Authored-By: Henrique Truta <henrique@lsd.ufcg.edu.br>
Co-Authored-By: Raildo Mascena <raildo@lsd.ufcg.edu.br>

Closes-Bug: 1496810
Closes-Bug: 1515014
Change-Id: I5c1cd24ca28d66ae7ae40e7f707b81870cf0e457
2016-03-23 16:24:53 +00:00
Jenkins
9bd983c3a7 Merge "Load wsgi app(api) with paste.deploy" 2016-03-09 17:36:46 +00:00
Attila Fazekas
c3d7fe1a70 remove devstack/create_magnum_conf_magnum_network
Looks like this function was not in use ever.
It adds nova networking related options to the magnum.conf,
which normally would belong to the nova.conf.

Change-Id: I8435c674db17af2d0641afcf3cab140830130784
2016-03-08 08:49:10 +01:00
Aaron-DH
db378a0ee5 Load wsgi app(api) with paste.deploy
This change replaces the hard coded WSGI app creation with a pipeline
of WSGI apps declared in a configuration file.
Paste Deploy was used to create the pipeline since it is used by many other
OpenStack projects and it is an active project
with new contributors and supports Python 3. Dependency on Paste is
localized so switching to another library would not be hard if OpenStack moves
to another package in the future.

Change-Id: I9a45f974c2c8c67a01748583639e6a6248003b85
Closes-Bug:#1551134
2016-03-08 09:25:44 +08:00
wangqun
c932d5fab9 Add Container Volume Model into Mesos Heat Templates
Previously, the mesos bay type did not support the Magnum Container
Volume Model. This patch adds support for volume through the following:

1. Add username, tenant_name, preempt, region_name, domain_name to
mesos bay type.
2. Add get_parameter to mesos.
3. Update mesos unit tests to support container volume.
4. Update mesos heat templates for container volume model

Change-Id: Icf7cb9fc38c7facb2d49904b6e52bbce974948f7
Partially-Implements: blueprint magnum-integrate-with-cinder
2016-03-02 05:05:51 +00:00
Jenkins
b7b2535f9f Merge "Create a trustee user for each bay" 2016-02-25 04:01:24 +00:00
Corey O'Brien
8270d3cc7a Fix gate for client and devstack
These two changes have to merge together to pass the gate.

Update import because of magnum client change
  Magnum client has moved out apiclient and cliutils from
  oslo-incubator, update the import reference here.
  Refer to:
    https://review.openstack.org/#/c/280050
  for magnumclient change.

Change SERVICE_TENANT_NAME to SERVICE_PROJECT_NAME
  Devstack is converting from TENANT to PROJECT[1]. This patch changes
  SERVICE_TENANT_NAME to SERVICE_PROJECT_NAME in the devstack plugin to
  match.

[1] https://review.openstack.org/#/c/281779/

Change-Id: Ib03e421e48a3aa40c11cbc892a3ca724cbd644e7
Closes-Bug: #1548634
Co-Authored-By: Yang Hongyang <hongyang.yang@easystack.cn>
2016-02-23 23:48:26 -05:00
Hua Wang
725bd5c99d Create a trustee user for each bay
Docker registry, k8s load balancer and volume driver have a similar
need to use trust, so we need to create a trustee for each bay.

Change-Id: If034e74ce2ea80a7faa886d4edf789e576c30eb5
Partially-Implements: blueprint create-trustee-user-for-each-bay
2016-02-18 18:16:35 +08:00
houming-wang
92450109b1 "notification_driver" from group "DEFAULT" is deprecated
Option "notification_driver" from group "DEFAULT" is deprecated.
Use option "driver" from group "oslo_messaging_notifications"

Reference link:
[1] https://github.com/openstack/oslo.messaging/blob/master/
    oslo_messaging/notify/notifier.py#L34

Change-Id: I3e211ac315bb582961ad03e2cf06d4409eb20ed3
Closes-Bug: #1535611
2016-01-19 18:09:37 +08:00
Eli Qiao
3a72a28096 Devstack: Fix typo of MANGUM_GUEST_IMAGE_URL
s/MANGUM_GUEST_IMAGE_URL/MAGNUM_GUEST_IMAGE_URL

Closes-Bug: #1529786
Change-Id: I1dc5c6f5fff9fc1507d4b346c72a928c87297c3f
2015-12-29 16:29:22 +08:00
Eli Qiao
09af131807 Devstack: support download ubuntu image
After this patch applied, we can pass MANGUM_GUEST_IMAGE_URL to devstack
environment to download a ubuntu image and upload it to glance with proper
os_distro set.

This is a preparation to add mesos function testing.
Implements: blueprint mesos-functional-testing
Change-Id: I98274cd2bf1cfb37f1a1c960d0a455d9c24d1e0b
2015-12-25 17:10:54 +08:00
Hua Wang
6e2ffd5c01 "lock_path" from group "DEFAULT" is deprecated.
Option "lock_path" from group "DEFAULT" is deprecated. Use option
"lock_path" from group "oslo_concurrency".

Change-Id: I306c8d909bc54dc6c6eb127a4a86d74dafd62236
Closes-Bug: #1528744
2015-12-23 12:04:16 +08:00