1187 Commits

Author SHA1 Message Date
John Griffith
6d70d6adf9 Implement new attach Cinder flow
This change integrates support of the Cinder 3.44
volume attachment API.

The patch bumps the compute service version to
check whether all the compute nodes are upgraded to the
version that can handle attach and detach with the new
flow.

To enable the new flow we also need the 3.44 or higher
microversion from Cinder. We check that in the API and
if it's not available we fall back to the old
attach/detach flow.

Co-Authored-By: Ildiko Vancsa <ildiko.vancsa@gmail.com>

Partially Implements: blueprint cinder-new-attach-apis
Change-Id: Ifc01dbf98545104c998ab96f65ff8623a6db0f28
2017-12-07 10:29:15 -05:00
Matt Riedemann
9ddbaa15cb Fix 'force' parameter in os-quota-sets PUT schema
A regression was introduced in the 2.36 API microversion where the
'force' parameter was missing from the 'PUT /os-quota-sets/{tenant_id}'
API request schema so users could not force quota updates with
microversion 2.36 or later. The bug is now fixed so that the 'force'
parameter can once again be specified during quota updates. There is
no new microversion for this change since it is an admin-only API.

Change-Id: I947e927802f755ccb25a91efd82cac895779d19e
Closes-Bug: #1733886
2017-12-07 08:59:29 -05:00
ghanshyam
3e329e73e7 Deprecate configurable Hide Server Address Feature
This commit deprecates the config option and policy
for hide server address. They are marked for removal.

Implement blueprint remove-configurable-hide-server-address-feature

Depends-On: I6aed4909b0e7efe9c95d1f7398db613eca05e5ce
Change-Id: I6040e8c2b3e132b0dfd09f82ae041b4786a63483
2017-12-07 08:45:18 +00:00
ghanshyam
f2d18c2e99 Deprecate API extensions policies
The Nova API extension concept is removed in Pike. These extensions
have their own policy enforcement, which is not needed any more.

All the below policies which were added mainly for extensions are
deprecated for removal:
        - 'os_compute_api:os-config-drive'
        - 'os_compute_api:os-extended-availability-zone'
        - 'os_compute_api:os-extended-status'
        - 'os_compute_api:os-extended-volumes'
        - 'os_compute_api:os-keypairs'
        - 'os_compute_api:os-server-usage'
        - 'os_compute_api:os-security-groups' (only from /servers APIs)
        - 'os_compute_api:os-flavor-rxtx'
        - 'os_compute_api:os-flavor-access' (only from /flavors APIs)
        - 'os_compute_api:image-size'

Implement blueprint api-extensions-policy-removal

Depends-On: I6aed4909b0e7efe9c95d1f7398db613eca05e5ce

Change-Id: Ie05f4e84519f8a00ffb66ea5ee920d5c7722a66b
2017-12-07 04:05:58 +00:00
Zuul
cbdc893032 Merge "Fix doubling allocations on rebuild" 2017-12-06 19:00:25 +00:00
Stephen Finucane
109f21f3c8 placement: adds REST API for nested providers
Adds a new microversion (1.14) to the placement REST API for supporting
nested resource providers.

For POST /resource_providers and PUT /resource_providers/{uuid}, a new
optional 'parent_provider_uuid' field is added to the request payload.

For GET /resource_providers/{uuid} responses, the
'parent_provider_uuid' field and a convenience field called
'root_provider_uuid' are provided.

For GET /resource_providers, a new '?in_tree=<rp_uuid>' parameter is
supported. This parameter accepts a UUID of a resource provider. This
will cause the resulting list of resource providers to be only the
providers within the same "provider tree" as the provider identified by
<rp_uuid>

Clients for the placement REST API can specify either
'OpenStack-API-Version: placement 1.14' or 'placement latest' to handle
the new 'parent_provider_uuid' attribute and to query for resource
providers in a provider tree.

Change-Id: I4db74e4dc682bc03df6ec94cd1c3a5f5dc927a7b
blueprint: nested-resource-providers
APIImpact
2017-12-06 10:48:09 -06:00
Huan Xie
fb8978b91e XenAPI: Don't use nicira-iface-id for XenServer VIF
When using neutron polling mode, booting a VM will time out because
nova-compute cannot receive the network-vif-plugged event. This is
because we set vif['id'] (i.e. neutron port uuid) to two different
OVS ports. One is the XenServer VIF, the other is the tap device qvo-XXXX
which the neutron ovs agent will monitor and deal with.
My previous patch https://review.openstack.org/#/c/463246/ has
deprecated the setting of 'nicira-iface-id' to XenServer. This
patch is to remove the setting of 'nicira-iface-id'.

Closes-Bug: #1732624

Change-Id: I221e89686c8e9041651f5affc4e3542d75ff55bc
2017-12-06 15:48:12 +00:00
Zuul
4d07bccd33 Merge "Fail fast if changing image on a volume-backed server rebuild" 2017-12-06 10:49:17 +00:00
Kevin_Zheng
1d88440eb4 Add instance action record for shelve_offload instances
We currently don't record shelve_offload instance
actions. This is useful for auditing and debugging.

This patch adds instance shelve_offload actions.

Change-Id: I195082e82b092a9694a20111de50b12b60b4a58a
partial-implements: blueprint fill-the-gap-for-instance-action-records
2017-12-05 13:42:14 -05:00
Dan Smith
25a1d78e83 Fix doubling allocations on rebuild
Commit 984dd8ad6add4523d93c7ce5a666a32233e02e34 makes a rebuild
with a new image go through the scheduler again to validate the
image against the instance.host (we rebuild to the same host that
the instance already lives on). This fixes the subsequent doubling
of allocations that will occur by skipping the claim process if
a policy-only scheduler check is being performed.

Closes-Bug: #1732976

Related-CVE: CVE-2017-17051
Related-OSSA: OSSA-2017-006

Change-Id: I8a9157bc76ba1068ab966c4abdbb147c500604a8
2017-12-05 11:11:05 -05:00
Zuul
ad4398583f Merge "Deprecate the IronicHostManager" 2017-12-05 13:16:45 +00:00
Kevin_Zheng
f49ec409fd Mention API behavior change when over quota limit
In
https://blueprints.launchpad.net/nova/+spec/cells-count-resources-to-check-quota-in-api
we introduced a new workflow of quota checks. It is possible that
concurrent requests can pass API layer checks, but be blocked by
conductor layer checks.

This can actually trigger user-noticeable API behavior changes:
As a user, previously, if my request was blocked by quota checks, I would
get an HTTP 403 response, and no instance records would be left.

After the above mentioned change, it is possible that my requests
fail at the conductor layer quota check and I get an instance in ERROR
state. And in a busy cloud, users may get a lot of ERROR instances
because of this and the instance number may go beyond the limit.

We should at least mention this behavior change in the release note.

Change-Id: I05606fffab4e24fc55465067b66c6a035a787d1e
Related-Bug: #1716706
2017-12-05 01:01:37 +00:00
Matt Riedemann
132636dd61 Fail fast if changing image on a volume-backed server rebuild
We don't support changing the image in the root disk of a volume-backed
server during a rebuild. The API will change the instance.image_ref
attribute to the newly supplied image_href to the rebuild API but the
actual image used by the server after the rebuild will be the original
image, which is wrong.

We need to just fail fast in this case in the API since the compute
service doesn't support it. We also need to ensure that instance.image_ref
doesn't get modified since a missing value here is used by novaclient and
probably other HTTP API users as an indication of a volume-backed server.

See the related mailing list discussion for more details:
http://lists.openstack.org/pipermail/openstack-dev/2017-October/123255.html

Co-Authored-By: Chris Friesen <chris.friesen@windriver.com>
Change-Id: If4c5fb782bb7e7714fb44f8ca9875121e066bc10
Closes-Bug: #1482040
2017-12-04 16:47:30 -05:00
jichenjc
b9b78fc252 Remove 'nova-manage account' and 'nova-manage project'
These commands were deprecated in 16.0.0 and can now be removed.

Change-Id: Icab97d0f46ab83b1f8584fd1d8c482e6d04a8795
2017-12-04 10:47:49 +08:00
jichenjc
726387e51a Remove 'nova-manage shell' command
This command was deprecated in 16.0.0 and can be removed.

Change-Id: I29c9e437fb7a99b0ecbd4ebda1518dd49d414e96
2017-12-04 10:46:40 +08:00
Zuul
100a194ab1 Merge "Remove setting of version/release from releasenotes" 2017-11-30 17:52:14 +00:00
Zuul
54f45b530c Merge "Enable cold migration with target host(2/2)" 2017-11-30 07:38:03 +00:00
Takashi NATSUME
d2ce4ca9ec Enable cold migration with target host(2/2)
This function enables users to specify a target host
when cold migrating a VM instance.

This patch modifies the migration API.

APIImpact
    Add an optional parameter 'host' in cold migration action.

Change-Id: Iee356c4dd097c846b6ca8617ead6a061300c83f8
Implements: blueprint cold-migration-with-target-queens
2017-11-29 20:48:16 -05:00
Zuul
690f8e4e24 Merge "Remove deprecated TrustedFilter" 2017-11-29 20:05:26 +00:00
Matt Riedemann
c99fc64271 Deprecate the IronicHostManager
The use_baremetal_filters and baremetal_enabled_filters options
along with the ExactRamFilter, ExactCoreFilter and ExactDiskFilter
filters were all deprecated in Pike:

  I843353427c90142a366ae9ca63ee4298b4f3ecd4

The IronicHostManager is configurable and relies on those options,
so if those options are deprecated then the IronicHostManager should
also be deprecated.

The sticky part with this is going to be filters that don't work with
ironic nodes today, like the NUMATopologyFilter, so a note is left
in the use_baremetal_filters option code to remind us that we can't
likely remove any of this until all filters work with ironic nodes.

Change-Id: Iebc74a09990dcda8cf0ee2a41f9ae1058d2a182a
2017-11-28 15:23:48 -05:00
Zuul
82a6ca21ba Merge "Remove 'nova-manage quota refresh' command" 2017-11-28 20:02:40 +00:00
zhangyangyang
aecc165a58 Remove deprecated TrustedFilter
The TrustedFilter and the related trusted_computing config options
were deprecated in Pike:

  If6e53feeb97e6050c1eb7962110ed89504c952fc

Co-Authored-By: Matt Riedemann <mriedem.os@gmail.com>

Change-Id: I0a7ab3a4fb2cfad567a8644bed4de574393ee11a
2017-11-28 14:54:31 -05:00
Zuul
caff225a1a Merge "Regenerate and pass configdrive when rebuild Ironic nodes" 2017-11-28 19:44:41 +00:00
Zuul
a201ce1891 Merge "[placement] Fix GET PUT /allocations nits" 2017-11-28 19:01:43 +00:00
Zuul
403d13247e Merge "[placement] POST /allocations to set allocations for >1 consumers" 2017-11-28 19:01:37 +00:00
Zuul
757626e781 Merge "Add instance action record for lock/unlock instances" 2017-11-28 18:57:10 +00:00
Zuul
ea51587508 Merge "Add instance action record for attach/detach/swap volumes" 2017-11-28 15:32:13 +00:00
Chris Dent
453fd67da1 [placement] Fix GET PUT /allocations nits
In the review of I49f5680c15413bce27f2abba68b699f3ea95dcdc, a few
non-blocking nits were identified. This change addresses some of
those nits, fixing some typos, clarifying method names and what
microversion is in use at particular times.

Change-Id: Iff15340502ce43eba3b98db26aa0652b1da24504
2017-11-28 12:25:13 +00:00
Chris Dent
8caf4f5148 [placement] POST /allocations to set allocations for >1 consumers
This provides microversion 1.13 of the placement API, giving the
ability to POST to /allocations to set (or clear) allocations for
more than one consumer uuid.

It builds on the recent work to support a dict-based JSON format
when doing a PUT to /allocations/{consumer_uuid}.

Being able to set allocations for multiple consumers in one request
helps to address race conditions when cleaning up allocations during
move operations in nova.

Clearing allocations is done by setting the 'allocations' key for a
specific consumer to an empty dict.

Updates to placement-api-ref, rest version history and a reno are
included.

Change-Id: I239f33841bb9fcd92b406f979674ae8c5f8d57e3
Implements: bp post-allocations
2017-11-28 12:15:53 +00:00
Kevin_Zheng
fbea321841 Add instance action record for lock/unlock instances
We currently don't record lock/unlock instance
actions. This is useful for auditing and debugging.

This patch adds instance lock/unlock actions.

Change-Id: I09fadf79aac1a74465af48015ef97d9e9d4ac580
partial-implements: blueprint fill-the-gap-for-instance-action-records
2017-11-28 19:22:15 +08:00
Zuul
b60a599b5f Merge "[placement] Symmetric GET and PUT /allocations/{consumer_uuid}" 2017-11-28 11:09:03 +00:00
Zuul
fa2c1567c1 Merge "Refined fix for validating image on rebuild" 2017-11-28 03:48:43 +00:00
Kevin_Zheng
1cea4f0135 Add instance action record for attach/detach/swap volumes
We currently don't record volume attach/detach/swap instance
actions. This is useful for auditing and debugging.

This patch adds volume attach/detach/swap actions.

Change-Id: I0a3d15f3e3d0d8d920a79b519e17e3228e99f293
partial-implements: blueprint fill-the-gap-for-instance-action-records
2017-11-27 16:34:48 -05:00
Dan Smith
f7c688b8ef Refined fix for validating image on rebuild
This aims to fix the issue described in bug 1664931 where a rebuild
fails to validate the existing host with the scheduler when a new
image is provided. The previous attempt to do this could cause rebuilds
to fail unnecessarily because we ran _all_ of the filters during a
rebuild, which could cause usage/resource filters to prevent an otherwise
valid rebuild from succeeding.

This aims to classify filters as useful for rebuild or not, and only apply
the former during a rebuild scheduler check. We do this by using an internal
scheduler hint, indicating our intent. This should (a) filter out
all hosts other than the one we're running on and (b) be detectable by
the filtering infrastructure as an internally-generated scheduling request
in order to trigger the correct filtering behavior.

Closes-Bug: #1664931
Change-Id: I1a46ef1503be2febcd20f4594f44344d05525446
2017-11-27 15:52:45 -05:00
Zuul
b9d9de8962 Merge "Versioned notifications for service create and delete" 2017-11-27 19:41:04 +00:00
liyingjun
8e793a6c6f Versioned notifications for service create and delete
New notifications service.create and service.delete are introduced
with INFO priority and the payload of the notification is the serialized
form of the already existing Service versioned object. The service.create
notification will be emitted after the service is created (so the uuid
is available) and the service.delete notification will be sent after the
service is deleted.

Implement blueprint: service-create-destroy-notification

Change-Id: I955d98f9fd4b121f98e172e5ab30eb668a24006d
2017-11-27 11:11:44 -05:00
Zuul
0f523c8a52 Merge "Add instance action record for attach/detach interface" 2017-11-24 18:10:56 +00:00
jichenjc
d614a8b8af Remove 'nova-manage quota refresh' command
This command was deprecated in 16.0.0 and can now be removed.

Change-Id: I016227cb20f8d6911e3cb57c7372835a75d122fd
2017-11-24 02:34:47 +08:00
Zuul
f69d98ea74 Merge "Allow shuffling hosts with the same best weight" 2017-11-22 14:14:13 +00:00
Mathieu Gagné
878c44f0cf Regenerate and pass configdrive when rebuild Ironic nodes
Previously, the configdrive could only be set when setting
the node's provisioning state to "active". When rebuilding,
the old configdrive was used and therefore was never updated
with latest content.

Since Ironic API microversion 1.35, it is now allowed to provide
a configdrive when setting the node's provisioning state to "rebuild".

Blueprint: rebuild-ironic-config-drive
Related-bug: #1575935
Depends-On: I9a5529f9fa796c75621e9f4354886bf3032cc248
Change-Id: I1f9056f66519b9ca2f4e23143559735f2bff8943
2017-11-21 17:37:03 -05:00
Chris Dent
808323e0c5 [placement] Symmetric GET and PUT /allocations/{consumer_uuid}
In a new microversion, 1.12, include project_id and user_id in the
output of GET /allocations/{consumer_uuid} and add JSON schema
to enable PUT to /allocations/{consumer_uuid} using the same dict-based
format for request body that is used in the GET response. In later
commits a similar format will be used in POST /allocations. This
symmetry is generally good form and also will make client code a little
easier.

Since GET /allocation_candidates includes objects which are capable
of being PUT to /allocations/{consumer_uuid}, its response body has
been updated as well, to change the 'allocation_requests' object
to use the dict-based format.

Internally to handlers/allocation.py the same method (_set_allocations)
is used for every microversion. Any previous data structure is
transformed into the dict-ish form. This means that pre-existing tests
(like allocation-bad-class.yaml) continue to exercise the problems they
were made for, but need to be pinned to an older microversion, rather than
being latest.

Info about these changes is added to placement-api-ref,
rest_api_version_history and a reno.

Change-Id: I49f5680c15413bce27f2abba68b699f3ea95dcdc
Implements: bp symmetric-allocations
Closes-Bug: #1708204
2017-11-21 19:39:59 +00:00
Eric Fried
6cde77ebba Use ksa adapter for neutron client
nova.network.neutronv2.api.get_client now uses the common
get_ksa_adapter utility to create an Adapter from common keystoneauth1
configuration options if the legacy [neutron] config option ``url`` is
not specified.

As part of blueprint use-ksa-adapter-for-endpoints, this provides a
consistent mechanism for endpoint communication from Nova.

Change-Id: I41724a612a5f3eabd504f3eaa9d2f9d141ca3f69
Partial-Implements: bp use-ksa-adapter-for-endpoints
2017-11-21 16:31:38 +00:00
Eric Fried
9519601401 Get auth from context for glance endpoint
Change the Adapter loading for glance to use the auth from the user
context instead of exposing and requiring it in the conf.  With this
change, it is possible to leave the [glance] conf section empty and
still be able to discover the image API endpoint from the service
catalog.

Note that, when we do this, we often end up with the user auth being a
_ContextAuthPlugin, which doesn't conform to the characteristics of
keystoneauth1.identity.base.BaseIdentityPlugin as augmented in
keystoneauth1 3.1.0.  This requires a series of workarounds until bug
1709118 is fixed.  These, along with workarounds for bugs 1707993 and
1707995, are subsumed with this change set in a (hopefully temporary)
helper method nova.utils.get_endpoint.

This lays the foundation for other services that should use user
context for authentication - those via which Nova is acting on behalf
of the user, i.e. cinder, keystone, and (sometimes) neutron[1].
(Services such as placement and ironic (and sometimes neutron) should
continue to use admin auth context loaded from the conf.)

[1] bb4faf40df/nova/network/neutronv2/api.py (L149-L160)

Co-Authored-By: Eric Fried <efried@us.ibm.com>
Partial-Implements: bp use-ksa-adapter-for-endpoints
Change-Id: I4e755b9c66ec8bc3af0393e81cffd91c56064717
2017-11-21 10:26:42 -06:00
Zuul
9633ebdf37 Merge "VMware: serial console log (completed)" 2017-11-21 10:57:15 +00:00
Kevin_Zheng
762380e0ee Add instance action record for attach/detach interface
We currently don't record attach/detach interface instance
actions. This is useful for auditing and debugging.

This patch adds attach/detach interface actions.

Change-Id: I0874f52ca7c5e29d9cd619679e1e121b25b6b41e
partial-implements: blueprint fill-the-gap-for-instance-action-records
2017-11-20 12:37:10 -05:00
Radoslav Gerganov
d9c03b1ecb VMware: serial console log (completed)
Commit ace11d3 adds a serial port device to instances, so the serial
console output can be sent to a virtual serial port concentrator (VSPC).
This patch finishes the implementation by returning the output saved by
VSPC to the end user. The config option 'serial_log_dir' should have the
same value as in the VSPC configuration (i.e. it must point to the same
directory).

The VSPC implementation is available at
https://github.com/openstack/vmware-vspc

blueprint vmware-console-log-complete

Change-Id: I7e40dc41b0354d414bc8eae331f8257959e1d123
2017-11-17 16:10:26 +02:00
Andreas Jaeger
026825c7c2 Remove setting of version/release from releasenotes
Releasenotes are version independent, so remove version/release display.
This also allows building the document without nova installed.

Change-Id: Iadb57089a866ef4b334670456a4116c245dbd968
2017-11-16 19:35:53 +00:00
Matt Riedemann
034d7f3795 Add microversion to allow setting flavor description
This adds the new microversion to allow providing
a description when creating a flavor, returning a
flavor description when showing flavor details, and
updating the description on an existing flavor.

Implements blueprint flavor-description

Change-Id: Ib16b0de82f9f9492f5cacf646dc3165a0849d75e
2017-11-15 22:10:39 +00:00
Matt Riedemann
31d28eef95 Add security release note for OSSA-2017-005
Change-Id: I053f1bbc56481bddce8792aa4b5460a55cc0db2d
Related-Bug: #1664931
2017-11-14 15:32:20 -05:00
LIU Yulong
751f5dec11 Enable reset keypair while rebuilding instance
This patch adds a `key_name` param to the instance rebuild
API. The user can then reset the instance keypair
when rebuilding. If key_name is set to None, the API
will unset the keypair of the instance.

APIImpact

Implements blueprint: rebuild-keypair-reset

Change-Id: I23886a89c25f811cfbe7e2500ce7ff52f9162966
2017-11-13 10:49:02 +08:00