Arnaud Morin 6b9342f6e2 Add os_vif in nova-config-generator
Some config in os_vif are affecting nova behavior, so we should add them
in nova.conf.sample in order to let people fine-tune this on demand
without looking into code.

This will also change the nova config reference docs.o.o

Signed-off-by: Arnaud Morin <>
Change-Id: Icfba423fda037be9cf071022283985297a989b07
2022-11-07 16:32:28 +01:00
Stephen Finucane 786a09ad7a etc: Highlight absence of packages from config gen
We manage the configuration of the oslo.messaging configuration options
ourselves. As a result, there's no reason to include this in
nova-config-generator.conf. Indicate this for others that might get
confused like I did.

Change-Id: I7419788d1d54979b5a2c1eb701895c635aac42ee
Signed-off-by: Stephen Finucane <>
2022-07-14 09:53:52 +01:00
Zuul 4e13d52b76 Merge "Add oslo.limit options to generated nova.conf" 2022-05-06 15:43:10 +00:00
Zuul 56b5aed08c Merge "Deprecate [api] use_forwarded_for" 2022-04-25 19:39:53 +00:00
Takashi Kajinami cf906cdcc2 Deprecate [api] use_forwarded_for
... because functionality of this parameter is effectively a duplicate of
the HTTPProxyToWSGI middleware in oslo.middleware library.

Closes-Bug: #1967686
Change-Id: Ifebcfb6b5c1594c075bb9c152a06aa7af7c61bc8
2022-04-23 16:15:15 +00:00
Takashi Kajinami ca8e4dad7f Sync rootwrap.conf from oslo.rootwrap
The current rootwrap.conf file is outdated and doesn't include some
parameters. This change updates the content to make it consistent with
the latest example file in oslo.rootwrap.

Change-Id: I989b7da5ff6afae0c1a476e01c3df07870be5f74
2022-04-05 12:14:24 +01:00
Takashi Kajinami e3f36ff397 Add oslo.limit options to generated nova.conf
Since Unified Limits Integration was implemented, nova uses
the oslo.limit library to communicate with Keystone to manage quota.

This change adds the oslo.limit library options to the auto-generated
nova.conf so that users can more easily understand the parameters used
by the library.

Related to blueprint unified-limits-nova

Change-Id: Icd464e3ee29d99e86d5af606e7c79306e384c3b1
2022-02-28 14:22:43 +00:00
Zuul 33a7daa4ca Merge "Add missing [oslo_reports] options" 2021-08-24 13:41:16 +00:00
Takashi Kajinami 9bae5f2ca5 Add missing [oslo_reports] options
The oslo.reports library provides some options under the [oslo_reports]
section. This change ensures these parameters are rendered by
the oslo-config-generator command.

Closes-Bug: #1940733
Change-Id: I135bce7bd557cd5067897486e91c97c1dc61aa2b
2021-08-21 17:19:36 +09:00
Stephen Finucane 100b9dc62c db: Unify 'nova.db.api', 'nova.db.sqlalchemy.api'
Merge these, removing an unnecessary layer of abstraction, and place
them in the new 'nova.db.main' directory. The resulting change is huge,
but it's mainly the result of 's/sqlalchemy import api/main import api/'
and 's/nova.db.api/nova.db.main.api/' with some necessary cleanup. We
also need to rework how we do the blocking of API calls since we no
longer have a 'DBAPI' object that we can monkey patch as we were doing
before. This is now done via a global variable that is set by the 'main'
function of 'nova.cmd.compute'.

The main impact of this change is that it's no longer possible to set
'[database] use_db_reconnect' and have all APIs automatically wrapped in
a DB retry. Seeing as this behavior is experimental, isn't applied to
any of the API DB methods (which don't use oslo.db's 'DBAPI' helper),
and is used explicitly in what would appear to be the critical cases
(via the explicit 'oslo_db.api.wrap_db_retry' decorator), this doesn't
seem like a huge loss.

Change-Id: Iad2e4da4546b80a016e477577d23accb2606a6e4
Signed-off-by: Stephen Finucane <>
2021-08-09 15:34:40 +01:00
Stephen Finucane 9799468d6f db: Drop support for experimental concurrency
The 'oslo_db.concurrency.TpoolDbapiWrapper' wrapper provides a way to
enable the experimental use of thread pooling for all DB API calls. This
has been part of 'oslo.db' since that project was first split out on
nova back in change I0649539e071b2318ec85ed5d70259c949408e64b and has
been part of nova for even longer, having been first introduced in
change Id7de85dce11f5ea61dfccddf80de7800a2bc4e37. However, this has not
graduated to non-experimental status in the 7 years since and is
unlikely to do so now. It also isn't used for any of the API DB calls.
Hasta la vista, 'TpoolDbapiWrapper'. You've had a good ride.

Change-Id: I1ce8f180d6bef465f9faa0a10c837841ed7ab528
Signed-off-by: Stephen Finucane <>
2021-07-05 11:10:10 +01:00
Eric Fried 1e907602e3 Allow versioned discovery unauthenticated
Make routes to the versioned discovery documents (/v2, /v2.1) go through
paste pipelines that don't require authentication, while leaving their
sub-URLs (/v2.1/servers etc) requiring authentication.

To make this work, our URLMap matcher gets support for a very
rudimentary wildcard syntax, whereby api-paste.ini can differentiate
between {/v2.1, /v2.1/} and /v2.1/$anything_else. The former points to
the unauthenticated discovery app pipeline; the latter points to the
existing "real API" pipeline. Similar for legacy v2.

This entails a slight behavior change: requests to /v2 and /v2.1 used to
302 redirect to /v2/ and /v2.1/, respectively. Now they just work.

Change-Id: Id47515017982850b167d5c637d93b96ae00ba793
Closes-Bug: #1845530
Closes-Bug: #1728732
2020-04-03 21:24:28 +00:00
Stephen Finucane f5f73b4c4e nova-net: Kill it
Finish the job by removing all the now-unused modules. This also allows
us to - wait for it - kill mox at long last. It's a great day in the

Partial-Implements: blueprint remove-nova-network-ussuri
Partial-Implements: blueprint mox-removal-ussuri

Change-Id: Ia33ec2604b2fc2d3b6830b596cac669cc3ad6c96
2020-01-14 21:25:56 +00:00
Thierry Carrez 909d0de68e Remove unused rootwrap filters
Thanks to mikal, nova was fully transitioned to using privsep over
the past cycles. However the old rootwrap filter definitions have been
left behind, which basically means that there is limited security
benefit right now (code gone rogue could still call rootwrap to execute
some code as root).

As far as I can tell, those can be removed now. os-brick calls in
compute.filters should be covered by the os_brick.privileged.default

Rootwrap is now only used to launch the two privileged privsep contexts.
Since those are one-shot at the start of the service, there is little
point in using rootwrap-daemon on nova nodes.

network.filters and api-metadata.filters are being removed as part of the nova-net cleanup.

Change-Id: Ie5e5ab17dabad713d4ad1261ab8b5d62b017f31e
2019-12-04 12:32:49 +01:00
Eric Fried 18de63deaa Deprecate [api]auth_strategy and noauth2
[api]auth_strategy defaults to `keystone`. The only other choice is
`noauth2`, which activates noauth paste pipelines, which go through
NoAuthMiddleware, which is crusty and bogus. It is used in our
functional tests to avoid having to fixture out keystone, but should not
be used in real deployments, ever. Deprecate the option for removal, and
add a deprecation warning in the paste pipeline if it is used.

When we remove the option, we could just hardcode to `keystone`. At that
time, we also need to move the middleware under the nova.tests package
-- or find a way to get rid of it entirely by instead stubbing out
keystone in tests if that's relatively easy.

Change-Id: I9e2be5423cc0821a628db7a68ad52bbd91264acd
2019-10-09 15:16:07 -05:00
Takashi NATSUME 338a0603d2 Remove an unused file and a related description
The following file should have been removed
in I4181f39dea7eb10b84e6f5057938767b3e422aff.

* etc/nova/placement-policy-generator.conf

A description of generating the placement policy.yaml file
should also have been removed in the commit.
Therefore remove them.

And the 'wsgi-intercept' package is used for OSAPIFixture and
not for placement functional tests currently.
So a comment is removed in test-requirements.txt.

Change-Id: Ie8d0d7085ccd82a47ea27b98be75c1bc9ba6195b
2019-09-13 10:33:32 +09:00
Michael Still e90c2ba868 Cleanup no longer required filters and add a release note.
It's the end of the road.

Change-Id: Ic966bc5f56e578ddf775acbf6e82dbe281fd5ffa
2019-02-27 20:45:16 +00:00
Zuul 2e6650fcec Merge "Summarize output of sample configuration generator" 2019-06-16 07:30:03 +00:00
Stephen Finucane ae40a29345 Remove 'etc/nova/cells.json'
This was added in change I7046ce55a0a294293c1b1a5fb0f092aeb891ee01 as an
example for how one could configure a cells v1 deployment via a JSON
file. It can be removed now.

Part of blueprint remove-cells-v1

Change-Id: I3235f38c432f1dbafde167ec0e856abe7a38aa8a
Signed-off-by: Stephen Finucane <>
2019-05-20 16:11:49 +01:00
ZhongShengping 7ecaa3fcf8 Replace URLs with URLs
Thorough replacement of URLs with their

Change-Id: I3e0af55e0707f04428a422b973d016ad30c82a12
2019-04-24 13:59:57 +08:00
Ben Nemec 6b453b21f5 Add oslo.privsep to config-generator list
We recently exposed the privsep opts for config generator use, so
projects that depend on oslo.privsep should include them in their
sample configs.

Change-Id: I7fab7002d51b2aaf1b0a6545d07b616120e26461
2019-03-01 16:43:21 +00:00
Stephen Finucane 3e0fb203db Summarize output of sample configuration generator
Our sample configuration files are long. Really, really long. Make them
shorter through use of the summarize option added to oslo.config years
ago [1]. This turns a help text like the following:


  # This option helps you specify initial virtual disk to physical disk
  # allocation ratio.
  # This is only used when initially creating the ``computes_nodes``
  # table record for a given nova-compute service.
  # See
  # for more details and usage scenarios.
  # Related options:
  # * ``disk_allocation_ratio``
  #  (floating point value)
  #  Minimum value: 0
  initial_disk_allocation_ratio = 1.0



  # This option helps you specify initial virtual disk to physical disk
  # allocation ratio. For more information, refer to the documentation.
  # (floating point value)
  # Minimum value: 0
  initial_disk_allocation_ratio = 1.0

Shorter, one line descriptions are kept as-is.


Change-Id: Iaa51b6a139fc9b7ffc97cd6881a9d49b29858b9b
2019-02-28 10:03:45 +00:00
Matt Riedemann dee92e6876 Add osprofiler config options to generated reference
osprofiler is optional, but if it's installed we'll
load up the configuration options from the library,
but they weren't in the generated config sample so
people would have to find the osprofiler docs, or
worse the code, to figure out how to configure it.

This simply adds the osprofiler config options to the
nova config sample, which will also show up in the
config reference docs.

Change-Id: I28d35165ed77487cd49d560fb1eda4f1d640734e
Closes-Bug: #1774208
2018-06-16 12:46:19 +00:00
Matt Riedemann 0a461979df Implement granular policy rules for placement
This adds a granular policy checking framework for
placement based on nova.policy but with a lot of
the legacy cruft removed, like the is_admin and
context_is_admin rules.

A new PlacementPolicyFixture is added along with
a new configuration option, [placement]/policy_file,
which is needed because the default policy file
that gets used in config is from [oslo_policy]/policy_file
which is being used as the nova policy file. As
far as I can tell, oslo.policy doesn't allow for
multiple policy files with different names unless
I'm misunderstanding how the policy_dirs option works.

With these changes, we can have something like:

  /etc/nova/policy.json - for nova policy rules
  /etc/nova/placement-policy.yaml - for placement rules

The docs are also updated to include the placement
policy sample along with a tox builder for the sample.

This starts by adding granular rules for CRUD operations
on the /resource_providers and /resource_providers/{uuid}
routes which use the same descriptions from the placement
API reference. Subsequent patches will add new granular
rules for the other routes.

Part of blueprint granular-placement-policy

Change-Id: I17573f5210314341c332fdcb1ce462a989c21940
2018-05-17 11:12:16 -04:00
Michael Still e94151c1c3 Convert users of tune2fs to privsep.
xenapi likes enabling and disabling ext3 filesystem journals. They can
do that via privsep now.

Change-Id: Iad8198fbd01aa80bde0a6b295963391715c5cd48
blueprint: hurrah-for-privsep
2018-02-28 07:14:51 +11:00
Michael Still 635d205268 Move remaining uses of parted to privsep.
Including updating their unit tests. We can now remove parted from
the rootwrap configuration.

Change-Id: I8cbfe296238976001e38997842059ec2f137f660
blueprint: hurrah-for-privsep
2018-01-24 22:26:36 +00:00
chenpengzi 798cf7c8b7 Add reference to policy sample
Change-Id: Iaf182506ba7d9d7c7b1c9da73d00275061aa202a
2018-01-09 07:49:26 +00:00
zhurong 45e5ac8283 Remove the unused request_id filter from api-paste.ini
Change-Id: I7a0b59e2cb399d09b3c69038dce966ec47df6569
2017-12-06 17:17:49 +08:00
Michael Still 2b75745179 Move contrail vif plugging to privsep.
The same pattern as the others, except with a generated command line.

Change-Id: Icfbe3566d8cb82e6878ab4097ed747b18fd5e28a
blueprint: hurrah-for-privsep
2017-11-02 12:09:27 +11:00
Michael Still c9610d62fa Move midonet vif plugging to privsep.
The same as the mellanox example, but for midonet.

Disturbingly midonet appears to not have unit tests either, but
again I feel that correcting that is outside the scope of the privsep

Change-Id: I672534691a94a0ac294410ea12dd4ba2c327c0e0
blueprint: hurrah-for-privsep
2017-11-02 12:09:27 +11:00
Michael Still 0c961741e0 Move infiniband vif plugging to privsep.
This code isn't well labelled, but I am pretty sure it is for
Mellanox Infiniband VIFs. Same pattern as the others.

As best as I can see these methods had no test coverage, but I think
that's outside the scope of the current privsep work to fix.

Change-Id: I323399643c9978a115fdc1213876da2d85dcd8db
blueprint: hurrah-for-privsep
2017-11-02 12:09:27 +11:00
Michael Still 3c7a72c213 Move blkid calls to privsep.
The same pattern as before.

Change-Id: If9aaca8dd9c9a82378807bbc5d2c157e719dab4d
blueprint: hurrah-for-privsep
2017-10-26 07:16:09 +11:00
Michael Still b12f0a6026 Move kpartx calls to privsep.
The same pattern as before.

Change-Id: Ia97d7023523208f834cb088bf290b0f3c01016bc
blueprint: hurrah-for-privsep
2017-10-24 12:24:16 +00:00
Michael Still c7dae4e19b Move nbd commands to privsep.
The same pattern as previous patches. Some of these unit tests
are starting to be a bit simpler as we finish the transition.

Change-Id: If0e1fe4c0466f2f88525dc575af2ef366d4bb59d
blueprint: hurrah-for-privsep
2017-10-24 18:50:34 +11:00
Michael Still fd4b2aa4cb Move loopback setup and removal to privsep.
Once more, again.

Change-Id: I602582927c30f2929722474f68601ce47b4e98f6
blueprint: hurrah-for-privsep
2017-10-24 18:50:33 +11:00
Michael Still 3f7995f586 Move the idmapshift binary into privsep.
I can't see any evidence that anyone else uses our nova-idmapshift
binary, and it adds a lot of complexity (flags we never call for
example). Move the code we do actually use into the privsep
directory and simplify our calls to it. Remove the extra binary
from our install and documentation.

Change-Id: Ibce28d20d166da154833376cf51f1877b829925e
blueprint: hurrah-for-privsep
2017-10-24 18:50:23 +11:00
Michael Still 4646c5cbc5 Move xend existence probes to privsep.
The cycle repeats.

Change-Id: Ia8ff5f243ee3c32bb7406e8efe31c7e81578e775
blueprint: hurrah-for-privsep
2017-10-23 09:36:35 +11:00
Michael Still 64036a68c2 Move shred to privsep.
The same pattern once again, this time for shred.

Change-Id: Ib6cf64d18f2ebde34030cc5b6a142af1dbf75c90
blueprint: hurrah-for-privsep
2017-10-23 09:36:28 +11:00
Michael Still 8dff381426 Move lvm handling to privsep.
Following the same pattern as the others.

Change-Id: I69e95d07ba9a67cdd40649b0d1a2d789171d9984
blueprint: hurrah-for-privsep
2017-10-18 17:53:38 +11:00
Michael Still 7ad72b0922 Cleanup mount / umount and associated rmdir calls
Add a new filesystem mounting helper in privsep, and then start
moving things across to it. This currently implements mount and
unmount. We get to cleanup some rmdir calls while we're at it
which is nice as well.

I've added an upgrade note mentioning that we no longer ignore
the value of stderr from mount calls, as requested in code review.

Change-Id: Ib5e585fa4bfb99617cd3ca983674114d323a3cce
blueprint: hurrah-for-privsep
2017-10-18 17:52:58 +11:00
Michael Still a0235b187a Read from console ptys using privsep.
Instead of dd. The interesting bit here is that the read is
non-blocking, but apart from that it's pretty cut and dried.

Change-Id: I14d2a15e4f5efbed605e581781873494f23393a4
2017-09-28 07:30:00 +10:00
Michael Still c1eb6f0e50 Move ploop commands to privsep.
The same pattern as the others, but with an added security concern.

Co-Authored-By: Evgeny Antyshev <>

Closes-Bug: #1717533

Change-Id: I1ac3a0ea4756ec68884866435c3da69171bbeb13
blueprint: hurrah-for-privsep
2017-09-28 07:29:51 +10:00
Michael Still 90e91ca052 Squash dacnet_admin privsep context.
As discussed at the PTG, we're going to use one big context for
ease of management.

Change-Id: I951abd402736735730e0868f31b85b1817055b2f
blueprint: hurrah-for-privsep
2017-09-18 23:17:35 +10:00
Michael Still e00d8eb759 Squash dac_admin privsep context.
As discussed at the PTG, squash the dac_admin privsep context into
the sysadmin context.

Change-Id: I10142be4baa404835fabebd50f7f976ca6ec402e
blueprint: hurrah-for-privsep
2017-09-18 23:15:10 +10:00
Michael Still 0952f80d01 Move execs of tee to privsep.
Instead of calling tee to write to files as root, we should just
write to files as root.

Change-Id: Ic48087fdf283b3ba503294a944be91be0c338132
2017-09-12 05:38:26 +10:00
Jenkins 4a8020c2e6 Merge "Move execs of touch to privsep." 2017-09-08 18:21:28 +00:00
Jenkins def81cace8 Merge "Move libvirt usages of chown to privsep." 2017-09-08 18:16:34 +00:00
Michael Still 8325d41d4e Move execs of touch to privsep.
Instead of starting a process to update the mtime of a file, just
use privsep.

Change-Id: I2f3cfdf157e0c8bfb699ef2b29c18e9359ddd63f
2017-09-08 03:08:41 +10:00
Michael Still 0908d338c4 Move libvirt usages of chown to privsep.
A nice simple example of how to move things to privsep (and the new set
of helpers). In a few of these cases I think a more complicated re-write
is actually required, but I've put TODOs there and will do those in a
follow-up patch.

Change-Id: Ibb6ef001e3f2add459b0e37dfbd9f51c9eff2eb7
2017-09-08 03:07:57 +10:00
Andreas Jaeger 4e6eec5c9b Fix broken URLs
Fix broken nova URLs that linked to the old developer/nova places and
use the new link instead.

Change-Id: Ideb50626e140201dded19fc82584440f1a407e47
2017-09-07 15:42:31 +02:00