Currently iSCSI volume attachment fails if iscsi_use_multipath is
set to True. This is because the encryptor requests cryptsetup
to create the symlink to the LUKS device with the same name as
the device-mapper multipath device. To avoid the name collision,
this patch adds the 'crypt-' prefix to the symlink.
Change-Id: I01a3104025a9c479e40933ca24024355df9dfb8b
Closes-Bug: #1439869
Recently the http_proxy_to_wsgi middleware was added before the
versions resource. This correctly sets the URL scheme for keystone
version discovery, however, this is missing the URL schemes for
pagination URLs. So for this to work, the middleware needs to be
added to the application pipelines. Note that a similar commit
was done in cinder [1].
[1] If5aab9cc25a2e7c66a0bb13b5f7488a667b30309
Change-Id: I808469f24066d382decf55b9dad5312d6e068da7
Closes-Bug: #1573766
This patch removes the APIRouter because there is not any code
which uses the APIRouter. In addition, this patch updates the
corresponding reno to explain the actual way for api-paste.ini.
Partially implements blueprint remove-legacy-v2-api-code
Change-Id: I136eb6ce7478f9ff692ebcbe1b14aa76222826bf
This sets up the HTTPProxyToWSGI middleware in front of Nova-API. The
purpose of this middleware is to set up the request URL correctly in
case there is a proxy (For instance, a loadbalancer such as HAProxy)
in front of Nova.
So, for instance, when TLS connections are being terminated in the
proxy, and one tries to get the versions from the / resource of
Nova, one will notice that the protocol is incorrect; it will show
'http' instead of 'https'. So this middleware handles such cases,
thus helping Keystone discovery work correctly.
The HTTPProxyToWSGI is off by default and needs to be enabled via a
configuration value.
Change-Id: Ia78f73e96585ab33a379a0b0be6d9682f7fbd810
Closes-Bug: #1573766
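The scheme problem described in the two middleware commit messages above, as an added example that is not nova's or oslo.middleware's code: a toy versions resource builds its self link from the WSGI environ, and a simplified stand-in middleware corrects the scheme from X-Forwarded-Proto. The class name, the `enabled` parameter and the host name are assumptions; the header should only be honoured when the proxy overwrites whatever the client sent.

```python
from wsgiref.util import application_uri, setup_testing_defaults


def versions_app(environ, start_response):
    """Toy stand-in for the '/' versions resource: returns one self link."""
    link = application_uri(environ).rstrip("/") + "/v2.1/"
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [link.encode()]


class ProxyHeaderMiddleware:
    """Hypothetical, simplified illustration of the proxy-header idea."""

    def __init__(self, app, enabled=False):
        self.app = app
        self.enabled = enabled  # off by default, as the commit message states

    def __call__(self, environ, start_response):
        if self.enabled:
            proto = environ.get("HTTP_X_FORWARDED_PROTO", "").strip().lower()
            # Accept only the two schemes a TLS-terminating proxy can report.
            if proto in ("http", "https"):
                environ["wsgi.url_scheme"] = proto
        return self.app(environ, start_response)


def self_link(app, forwarded_proto=None):
    """Call the app as the backend sees it behind the proxy (plain HTTP)."""
    environ = {"HTTP_HOST": "nova.example.test"}  # constructed host name
    setup_testing_defaults(environ)
    if forwarded_proto is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    return b"".join(app(environ, lambda status, headers: None)).decode()


if __name__ == "__main__":
    print(self_link(versions_app, "https"))
    print(self_link(ProxyHeaderMiddleware(versions_app, enabled=True), "https"))
```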
The default flavor was introduced for the ec2 API. That API is
deprecated and this option is not used in functional code anymore
but in unit tests.
A follow up patch will deprecate this option. In the next cycle we
can then remove it. I've put the option to its own module to avoid
merge conflicts with the nova.conf.compute module.
As this option was the last one for the "oslo.config" generator
namespace "nova.compute", the generator file was changed too and
the nova.compute.ops module was deleted.
blueprint centralize-config-options-newton
Change-Id: Ie2be972673498ef984dfd3b5164512d77ef85ace
The config options of the "nova.conf" section "cache" got
moved to the new central location "nova/conf/cache.py".
Change-Id: I1b7aebb9f7d44ff8312b98c88093bf01f44dfa58
Implements: blueprint centralize-config-options-newton
The 'memcached_server' option in DEFAULT section which was deprecated in
Mitaka has been completely removed in Newton. This has been replaced by
options from oslo cache section.
Change-Id: I0b23fd65a04de6a35e8ce9efd1110caad63ad562
The config options of the "nova.conf" section "libvirt" got
moved to the new central location "nova/conf/libvirt.py".
This is the last patch in a long chain of patches.
The next chain of patch sets will focus on improving libvirt
help texts.
Change-Id: Ieaa9092dcb53c405b60ff4f4c9ea68f8d90e8435
Co-Authored-by: Markus Zoeller <mzoeller@de.ibm.com>
Implements: blueprint centralize-config-options-newton
In api-paste.ini, legacy_ratelimit has been unused since the patch
I1476b2e364032d7c98f71df0cd61f1d1c19e005d. And there is a dependency
of limits module on legacy v2 API code because the legacy_ratelimit
remains.
This patch removes this code to remove the dependency.
Partially implements blueprint remove-legacy-v2-api-code
Change-Id: I4ecf1c9bd8b419769d474ddbb8116fe834199843
The api sample tests and functional tests already stopped
running against the legacy v2 API. This patch removes the legacy
V2 API entry from api-paste.ini, which stops users from using the
legacy V2 API. This patch also adds a deprecation report in the pipeline
factory method to notify users to update their api-paste.ini
after upgrading the code.
Partially implements blueprint remove-legacy-v2-api-code
Change-Id: I1476b2e364032d7c98f71df0cd61f1d1c19e005d
Move remaining config options of nova.conf section "neutron"
to a centralized location nova/conf/neutron.py.
Remove namespace nova.network.neutronv2 in Oslo generator
config.
Change-Id: I2c7245083e84ddb8cb54e90fac447a8ed900ddb4
Implements: blueprint centralize-config-options-newton
The config options of the "nova.conf" section "ssl"
now moved to the new central location "nova/conf/ssl.py".
SSL options are mainly located in oslo.service sslutils.
Implements: blueprint centralize-config-options-newton
Change-Id: Idac61dc88ef349c14daa73e861c05b205ef168d9
Cinder's volume migration API is, by default, an admin-only operation.
This includes the migrate_volume_completion API.
When Cinder is doing a volume migration, it calls Nova's swap-volume
API to detach the old volume that we're migrating from and attach
the volume that we're migrating to. Then Nova calls Cinder's
migrate_volume_completion API to signal Nova is done and Cinder
can finish the volume migration.
The problem is that swap-volume is not an admin-only API in Nova
per the default policy. So if a non-admin user tries to perform
a swap-volume operation, it will fail with a 403 when calling
Cinder's migrate_volume_completion API, since that requires an
admin user.
Also, because of 98739761f17b5e0b32abd8cd262f5beda030f886 we can't
simply avoid calling migrate_volume_completion for non-migration
cases because that API handles the actual detach/attach for the old
and new volumes, swap-volume is broken without calling that.
So given swap-volume relies on an admin-only Cinder API, and is called
from an admin-only Cinder operation (volume migration), we should
just make it default to admin-only also.
Change-Id: Iac03258735f3d856a474ab96fe9b0a087e32906f
Closes-Bug: #1522705
Added new controller which allows the following:
- add tag to the server
- replace set of server tags with new set of tags
- get list of tags for server
- check if tag exists on a server
- remove specified tag from server
- remove all tags from server
Functional tests and annotations "@wsgi.Controller.api_version(*)"
for controller methods will be added in next patch
with creation of new API microversion.
APIImpact
Implements: blueprint tag-instances
Change-Id: Ibc44228aeae94c17353af7fccfcfb2c11b2e9190
The current README-nova.conf.txt implies that you need to clone the
entire repo and build the sample configuration file yourself. While that
is a viable option for some, we should also point out that you can see
an example of the latest nova.conf on docs.openstack.org, which
obviously has a much lower barrier to entry.
Change-Id: I94aa183c64287549d30bf09b01c3c3f7fa86be27
This change adds the command required to start the os-brick privsep
privileged helper process.
This should be the last "routine" merge to rootwrap filters from
os-brick, since os-brick privileged operations will now go through the
privsep mechanism. The now-obsolete os-brick rootwrap entries will be
removed in a followup change that also bumps the os-brick minimum
version appropriately.
Change-Id: I4e333e73ddfd45c045b9d32dac1506fc25858c4d
This change adds a DELETE call on the server-migrations object to cancel
a running live migration of a specific instance.
To perform the cancellation the virtualization driver needs to support
it; in case the feature is not supported we return an error.
We allow a cancellation of a migration only if the migration is
running at the moment of the request and if the migration type is equal
to 'live-migration'.
In this change we implement this feature for the libvirt driver.
When the cancellation of a live migration succeeds we roll back the live
migration and we set the state of the Migration object equal to
'cancelled'.
The implementation of this change is based on the work done by the
implementation of the feature called 'force live migration':
https://review.openstack.org/245921
DocImpact
ApiImpact
Implements blueprint: abort-live-migration
Change-Id: I1ff861e54997a069894b542bd764ac3ef1b3dbb2
This patch does two things:
1. Add two APIs /servers/migrations:index/show for server migrations.
Two new novaclient commands server-migration-list and
server-migration-show will also be added.
ref: I071198fa9ba0699383bdebf4fab54714a435e6c3
2. Add ref link for /os-migrations
The old top-level resource `/os-migrations` won't be extended anymore.
It is deprecated.
Adding migration_type for it, also add ref link to
/servers/{uuid}/migrations/{id} for it when the migration is an
in progress migration.
Partially implements blueprint live-migration-progress-report
Change-Id: Ia92ecbe3c99082e3a34adf4fd29041b1a95ef21e
Co-authored-by: ShaoHe Feng <shaohe.feng@intel.com>
The "os_compute_api:<extension>:discoverable" policies control whether
or not the extension is advertised as being available. By default they
should all be advertised so the policy should make it clear that it's
explicitly allowed.
Change-Id: I8aaeea571165f4052ecd6ad4348673e0f9a187ac
A blank policy is equivalent to a policy that allows everything. In
practice this is probably not what you want, and there is no indication
that the policies were set this way for that reason, except for one
case. It appears to be a matter of copy/paste.
The exception is the policy check for default quota-sets. The default
quota set is not scoped to a project or user so checking for ownership
does not make sense. And since it is the same for every project there's
no reason to require an admin context in order to view it. So it's set
to "@" here to be visible to all.
The rest of the calls end up having ownership verified in the db api by
filtering on project_id, unless it's an admin context. So admin_or_owner
ends up being equivalent to what's in place, but verification happens at
the policy level which is where it should be checked.
Change-Id: I698c8aa54e90fc285a4a6e0a9105e8d1ccb90c8a
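An added audit sketch for the two policy commit messages above (not code from nova or oslo.policy): it scans a policy.json-style document and reports blank rules, which parse as always-true, and "@" rules that nobody has reviewed. The sample policy, the "example_api:" rule names and the `reviewed_open` parameter are constructed for illustration.

```python
import json

# Constructed sample in policy.json form (rule name -> check string).
# The "example_api:" rule names are made up for this illustration.
SAMPLE_POLICY = """
{
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "example_api:quota_sets:defaults": "@",
    "example_api:quota_sets:show": "",
    "example_api:quota_sets:update": [],
    "example_api:servers:discoverable": "@",
    "example_api:servers:delete": "rule:admin_or_owner",
    "example_api:keypairs:index": "@"
}
"""


def classify(check):
    """Return how a policy check string behaves for an arbitrary caller."""
    if isinstance(check, str):
        check = check.strip()
    if check in ("", []):      # [] is the legacy list form of a blank rule
        return "blank"         # parsed as always-true, intent not stated
    if check == "@":
        return "open"          # always-true, stated explicitly
    if check == "!":
        return "closed"        # always-false
    return "restricted"


def audit(policy_text, reviewed_open=()):
    """List (rule, reason) pairs that need a reviewer's attention."""
    findings = []
    for name, check in sorted(json.loads(policy_text).items()):
        kind = classify(check)
        if kind == "blank":
            findings.append((name, "blank rule allows every caller"))
        elif (kind == "open" and not name.endswith(":discoverable")
              and name not in reviewed_open):
            findings.append((name, "'@' allows every caller; confirm intent"))
    return findings


if __name__ == "__main__":
    reviewed = {"example_api:quota_sets:defaults"}
    for rule, reason in audit(SAMPLE_POLICY, reviewed_open=reviewed):
        print(f"{rule}: {reason}")
```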
/usr/local/{sbin,bin} is a standardised location for admins to install
non-distro executables, and these executables are no less "trustworthy"
than /usr/bin and friends. See neutron and cinder's rootwrap.conf (and
probably others), and typical distro default values for
sudoers/secure_path for extremely similar precedents that all include
/usr/local/*bin.
In particular, some sort of change like this is required for
oslo.privsep to find its "privsep-helper" executable in
devstack (installed into /usr/local/bin via pip). The only open
question (imo) is whether this change is made here in nova (and any
other project that doesn't already have this), or rootwrap.conf is
modified in the same way at "deployment time" by devstack and other
deployment methods. Doing it here means it is far more likely to "just
work" for the common case of installing at least one affected command
into /usr/local.
See I710cf142b834381c00e651cfc062299ae755c33f for some brief discussion
of doing this via devstack, and pointers to earlier neutron, etc
discussion.
Change-Id: I6a0a4b7f952193ce0f4ed2594613188854d36bf1
Common memorycache was replaced by analogous tool
from oslo.cache lib. In-memory cache was replaced
by oslo.cache.dict backend. Memcached was replaced
by dogpile.cache.memcached backend.
Implements blueprint oslo-for-mitaka
Closes-Bug: #1483322
Co-Authored-By: Sergey Nikitin <snikitin@mirantis.com>
Co-Authored-By: Pavel Kholkin <pkholkin@mirantis.com>
Change-Id: I371f7a68e6a6c1c4cd101f61b9ad96c15187a80e
move os_compute_api:servers:discoverable to other
policy defined position to make them easier
to be recognized and used by end user.
Change-Id: I5fc4b55418f187817e81343e9224b731f8eea5e2
This change adds a manual knob to force an ongoing live migration to
complete. It is implemented as a new server-migrations API.
DocImpact
ApiImpact
Implements: blueprint pause-vm-during-live-migration
Change-Id: I034b4041414a797f65ede52db2963107f2ef7456
ImageCacheManager deletes the base image while the image backend is copying
the image to the instance path, leading the instance to go into the error state.
Acquired a lock before removing the image from the cache. If libvirt is copying
the image to the instance path, the image cache manager won't be able to remove
it until libvirt finishes copying the image completely.
Closes-Bug: 1256838
Closes-Bug: 1470437
Co-Authored-By: Michael Still <mikal@stillhq.com>
Depends-On: I337ce28e2fc516c91bec61ca3639ebff0029ad49
Change-Id: I376cc951922c338669fdf3f83da83e0d3cea1532
Change I9b649aafba011d537e3fe4eebef7a678ff6733e4 has added a
compute API to trigger crash dump in instance. This patch adds
the REST API to nova. It enables users to trigger crash dump in
an instance through REST API.
Change-Id: I6ed777ff637254b4b79417008f9055dd19fc7405
Implements: blueprint instance-crash-dump
Co-Authored-By: Hironori Shiina <shiina.hironori@jp.fujitsu.com>
Co-Authored-By: Tang Chen <tangchen@cn.fujitsu.com>
When a compute service fails, the power states of the hosted VMs are not
updated. A normal user querying his or her VMs does not get any indication
about the failure. Also there is no indication about maintenance.
This change will expose a new attribute host_status to a user querying his
VMs. The attribute is only seen if policy allows.
DocImpact: This adds API microversion
Implements blueprint get-valid-server-state
APIImpact
Change-Id: I5abea08bdc27624a7f23a7db8964f8c2a7b0eaa7
It's used to plug/unplug VIF_TYPE_MIDONET vifs on compute nodes.
Closes-Bug: #1533473
Related-Bug: #1235132
Change-Id: Ic8e8b19ec1083d1c9cdab3d17dcaddbe43bb76b4
To create a "nova.conf.sample" file, we use "tox -e genconfig".
This command triggers the generator from "oslo.config" which needs
entry points in "setup.cfg". Right now we have multiple entry points
to "opts.py" files which are going to be consolidated to one single
point of entry "nova/conf/opts.py". Until all config options are
moved to that central place, we would often face merge conflicts
when multiple contributors commit patches to that one "opts.py".
To prevent that, and to make it easier for future config option
modules in "nova/conf/", the new "nova/conf/opts.py" module collects
the config options in a dynamic way.
Co-Author: EdLeafe <ed@leafe.com>
bp centralize-config-options
Change-Id: I4e5d643cd93bb2822ff59c71669cedf3de7f86fc
The get_lock method in compute/api.py is no longer in use.
Need to remove the get_lock method and the get_lock policy
action from the default policy.json file.
Change-Id: I6a8bb58f749ecb64bd22be1fc8f96beebd75e38b