The same pattern as the others, but with an added security concern.
Co-Authored-By: Evgeny Antyshev <eantyshev@virtuozzo.com>
Closes-Bug: #1717533
Change-Id: I1ac3a0ea4756ec68884866435c3da69171bbeb13
blueprint: hurrah-for-privsep
As discussed at the PTG, we're going to use one big context for
ease of management.
Change-Id: I951abd402736735730e0868f31b85b1817055b2f
blueprint: hurrah-for-privsep
As discussed at the PTG, squash the dac_admin privsep context into
the sysadmin context.
Change-Id: I10142be4baa404835fabebd50f7f976ca6ec402e
blueprint: hurrah-for-privsep
A nice simple example of how to move things to privsep (and the new set
of helpers). In a few of these cases I think a more complicated re-write
is actually required, but I've put TODOs there are will do those in a
followup patch.
Change-Id: Ibb6ef001e3f2add459b0e37dfbd9f51c9eff2eb7
I don't particularly care about this use case (although the localfs
code should perhaps go away), but it was a nice contained example
of a privsep user which wasn't just calling a command line.
This patch also starts to layout what an API to the privsep'd code
might look like. For now its modelled on python's os module, because
that's where all the operations we perform are coming from.
The rootwrap configuration is cleaned up as we remove users.
Co-Authored-By: Tony Breeds <tony@bakeyournoodle.com>
Change-Id: I911cc51a226d6af29d63a7a2c69253de870073e9
The form for rootwrap.d files is to include a comment before the filter
with the filename (and preferably) the command the filter matches.
This change ensures that these file comments refer to a valid file in the
tree. They can be checked with something like:
for i in `awk '/^#.*py *:/ {print $2}' etc/nova/rootwrap.d/compute.filters \
| sort -u` ; do
ls ${i/:}
done
* I13c701c390784fa1f7809705741abb46e40973be renamed
.../libvirt/connection.py to .../libvirt/drver.py
* I400db60fcc29c2d5e2d3b9dabc055649138468eb switched to os-brick and
removed nova/storage/linuxscsi.py
* I5fc2425d2c25076ea87686b2e41be35f66ebb923 moved .../libvirt/volume.py
into .../libvirt/volume/
* Update one comment to make the awk script above work.
* Add comments as 'chown' and 'tee' are used in nova/virt/libvirt/
Change-Id: I3d89830e4770a7cf88389fac5a2a684554a29bc5
If someone chooses to run under uwsgi/apache instead of eventlet, the
basic logging of requests goes away (as that was an eventlet.wsgi
function). This is a critical piece of information for understanding
how services are working, and we need to retain it under uwsgi/apache.
This creates a new request_log middleware, inspired by the one in
placement, to provide that functionality. This includes all the same
information as before: http method, uri, status, content length, time
for the request. It also includes the microversion the request was
processed as, "-" if no microversion.
The middleware does not emit anything if it detects that it's running
under eventlet, to prevent duplicate log messages.
Release notes provided as this will be a manual transition for folks
as it's an api-paste.ini change.
Change-Id: I3a597b06d3501c765e2d7805c6c1375d6f4e40db
The Scality volume driver was removed from Cinder in Ocata:
a931f9db79554630d8d71fcff1334bb4e37cb398
It's unmaintained and therefore no longer supported, and won't
even work with recent Cinder, so let's remove it.
Change-Id: I0cfa0c4b3d7138f989225a44bdedfa716a035a14
This change restores the rootwrap filter for cryptsetup that was
recently removed by I37ffc90c0bd57029fced251b5cfd7cd4318a0292 from
compute.filters, as it is still needed by dmcrypt. Without the rootwrap
filter, `cryptsetup` is not authorized to run with root permissions.
Change-Id: I5fe3e5d5e5a9694d0dbe5b59248e5eaf89858c62
Closes-Bug: #1688166
This change drops the encryptor classes and supporting code from the
codebase in favor of the classes provided by os-brick. This is made
possible by the following os-brick change that introduced new encryption
provider constants during Ocata :
Ic155bd29d46059832cce970bf60375e7e472eca6
Thanks to the following bugfix also released as part of 1.11.0 for Ocata
the constants present in os-brick also support the use of the deprecated
legacy class paths from Nova, for example
nova.volume.encryptors.luks.LuksEncryptor, while using the os-brick
provided classes :
I3ec6e3fe919bc03d158da04a18fb8b651002ed52
Implements: blueprint switch-to-os-brick-encryptor-classes
Change-Id: I37ffc90c0bd57029fced251b5cfd7cd4318a0292
Depends-On: Iae12605dc7d0607e78020a24b5b8801606c2f169
Fix the following warnings.
- A warning in config sample generation
- Warnings about nova-status.rst
Change-Id: Ifcc3b4a89eeea9d0dd62e2a8b560c5e6a9ff3d1a
Closes-Bug: #1659485
For virtuozzo containers we create ephemeral disk based on ploop format.
After we create ploop disk, we should add 'read 'permission for all users.
It's necessary because openstack user query info of this disk by qemu-img.
Change-Id: I2d6dd043340322d4c4ac1efd38f993f08932a483
Implements: blueprint ephemeral-disk-ploop
* Add osprofiler wsgi middleware. This middleware is used for 2 things:
1) It checks that person who want to trace is trusted and knows
secret HMAC key.
2) It starts tracing in case of proper trace headers
and adds the first wsgi trace point with info about the HTTP request
* Add initialization of osprofiler on start of a service
Currently that includes oslo.messaging notifier instance creation
to send Ceilometer backend notifications.
oslo-spec: https://review.openstack.org/#/c/103825/
python-novaclient change: https://review.openstack.org/#/c/254699/
based on: https://review.openstack.org/#/c/105096/
Co-Authored-By: Boris Pavlovic <boris@pavlovic.me>
Co-Authored-By: Munoz, Obed N <obed.n.munoz@intel.com>
Co-Authored-By: Roman Podoliaka <rpodolyaka@mirantis.com>
Co-Authored-By: Tovin Seven <vinhnt@vn.fujitsu.com>
Implements: blueprint osprofiler-support-in-nova
Change-Id: I82d2badc8c1fcec27c3fce7c3c20e0f3b76414f1
This patch exposes the root (version) resource to CORS-enabled
browser clients that wish to perform API version discovery.
This feature is required for js-openstack-lib, and its devstack
tests. https://review.openstack.org/#/c/370389/
Change-Id: I4052186bffa3bddb4d28e378e6a135694a71e05b
Needed-By: Ia19afa530ae8c2df60db740cec9267fe240978c0
The sample file has been empty for a little while now since default
policies are registered in code. Shipping an empty file may be
confusing, so let's remove it. A README has been added explaining how to
generate an actual sample policy file.
Change-Id: I23c934d2b610a451d6ebbd4276721c455365cedc
Depends-On: I85a251376dfe38caa4b100861bf764014a98bc37
'ivs-ctl' is called from the libvirt vif driver. While the filter exists
in network.filters, as the command is still used by nova compute it is
consistent to include it in compute.filters.
Change-Id: Icf61dba632fee26461ac18246ecf6a93f6bde346
UpgradeImpact: Config option volume_api_class was deprecated in 13.0.0,
We can remove it in 14.0.0.
This commit also removes namespace 'nova' in file
nova-config-generator.conf.
Change-Id: I7841b016703a9cb5c0e783fe81a5cdcd7f4af9c5
Registers in-code the last remaining policy rules.
Adds missing 'discoverable' rules. Without them,
the extension_info API can fail, as it tries to check the
os_compute_api:os_server_tags:discoverable rule. As it wasn't
previously registered, when listing the available extensions,
an exception of type PolicyNotRegistered is encountered.
In order to validate this, functional/api_sample_tests/test_extension_info.py
now runs without mocking policy.authorize.
Switches extension_info to context.can.
Switches nova.cells.filters to context.can.
Switches network.neutronv2.api to context.can.
Removes the rest of the entries in etc/policy.json.
Removes DefaultPolicyTestCase, as it tests the default
policy rule, which is not registered.
Removes rules from fake_policy.py that brings no value,
that are the same as the default values.
Removes extensions authorizer factories.
Removes nova.policy.enforce.
Change-Id: Ie7771768f4f3efe0edc787c12f297aa93d533d7e
Partially-Implements: bp policy-in-code
This adds the entry point and config file necessary for using the
oslo.policy sample generation script. It also adds a tox target to
simplify the usage of it.
The command is also run in the docs tox target since the sample file
can be considered documentation.
Change-Id: I18a1fa567fc04b0e0a37c02f20024b2ce483f060
Partially-Implements: bp policy-in-code
Adapt "nova resize" code to support Virtuozzo ploop disks.
As far as ploop disks are in fact directories we add '-r' argument
to all utilities that deal with instance' disks such as cp, rsync and scp.
Thus we copy disks universally whether they are folders or files.
Also using "prl_disk_tool" instead of "qemu-img" is better for ploop images
because it resizes guest filesystem as well.
We can't resize disks from guest OS in containers,
because they are not allowed to write directly to block device.
ploop tool can resize partition table and internal filesystem,
but only for container's disks. Such disks must have only one partition
with ext filesystem.
prl_disk_tool can resize disks with internal filesystems
and doesn't require any special layout so it can resize disks
for virtual machines. So it's better to use this tool instead of ploop.
Also we make compute.filters more strict
We call "ploop" only with "restore-descriptor" argument
And we set disk size in megabytes for prl_disk_tool
Co-Authored-By: Dmitry Guryanov <dguryanov@parallels.com>
Depends-On: I04c4379459c2fc1fd4801ec2aad53d0f6053b6d6
Change-Id: I38dbf73beb01fe1939ddca63fbfedbec1dc3c826
Implements: blueprint virtuozzo-instance-resize-support
Adds default values for policy rules in code and removes
them from etc/policy.json file. The change is validated
by the nova.tests.unit.test_policy unit tests.
Adds default policy rules in policy_fixture. The policy_fixture
is currently loading an incomplete set of policy rules (from
policy.json or fake_policy), resulting in unit tests running
with an incomplete set of policy rules.
Co-Authored-By: Andrew Laski <andrew@lascii.com>
Partially-Implements: bp policy-in-code
Change-Id: I7a7dc2a111d536380a763169320a0820b0715a11
There are no test changes as all new code is tested by the
extension_info functional tests, and should we want to eliminate the
extension_info portion of our API later, new tests would just make
this much harder to tear down.
This modifies default policy to drop os-disk-config as well as
modifying extension tests to pass even though we're injecting
additional hardcoded items into the list for compatibility.
Part of bp:api-no-more-extensions
Change-Id: I0192ccef7e858fd0ff15c339f683abaabbdc09b7
This adds the basic framework for registering and using default policy
rules. Rules should be defined and returned from a module in
nova/policies/, and then added to the list in nova/policies/__init__.py.
A new context.can() method has been added for policy enforcement of
registered rules. It has the same parameters as the enforce() method
currently being used.
To establish the full pattern for usage the policy checks in the servers
API module have been registered and converted to the new usage.
Now that some policy checks are registered they're being used properly
by tests. Some tests have been updated so that the instance project_id
matches the context project_id in order to pass the 'admin_or_owner'
check.
Change-Id: I71b3d1233255125cb280a000b990329f5b03fdfd
Partially-Implements: bp policy-in-code
The legacy v2 API code was removed. The policy rules which are used by legacy
v2 API code are useless anymore. This patch cleanup them.
Partially implements blueprint remove-legacy-v2-api-code
Change-Id: I64648bf97ec483981426086b81b2056928fa1b3e
pep8 is testing for 80 character lines. By force wrapping at 79 we get
weird edge conditions in our detailed help blocks of very odd wraps
with 80 character lines.
pep8 and conf generator should agree on this value.
Change-Id: I003964dfc46673bed3717862043d76bfb59ce217
Closes-Bug: #1587821
Currently iSCSI volume attachment fails if iscsi_use_multipath is
set to True. This is because the encryptor requests cryptsetup
to create the symlink to the LUKS device with the same name of
the device-mapper multipath device. To avoid the name collision,
this patch adds the 'crypt-' prefix to the symlink.
Change-Id: I01a3104025a9c479e40933ca24024355df9dfb8b
Closes-Bug: #1439869
Recently the http_proxy_to_wsgi middleware was added before the
versions resource; This correctly sets the URL scheme for keystone
version discovery, however, this is missing the URL schemes for
pagination URLs. So for this to work, the middleware needs to be
added to the application pipelines. Note that a similar commit
was done in cinder [1].
[1] If5aab9cc25a2e7c66a0bb13b5f7488a667b30309
Change-Id: I808469f24066d382decf55b9dad5312d6e068da7
Closes-Bug: #1573766
This patch removes the APIRouter because there is not any code
which uses the APIRouter. In addition, this patch update the
corresponding reno for explaining actual way for api-paste.ini.
Partially implements blueprint remove-legacy-v2-api-code
Change-Id: I136eb6ce7478f9ff692ebcbe1b14aa76222826bf
This sets up the HTTPProxyToWSGI middleware in front of Nova-API. The
purpose of thise middleware is to set up the request URL correctly in
case there is a proxy (For instance, a loadbalancer such as HAProxy)
in front of Nova.
So, for instance, when TLS connections are being terminated in the
proxy, and one tries to get the versions from the / resource of
Nova, one will notice that the protocol is incorrect; It will show
'http' instead of 'https'. So this middleware handles such cases.
Thus helping Keystone discovery work correctly.
The HTTPProxyToWSGI is off by default and needs to be enabled via a
configuration value.
Change-Id: Ia78f73e96585ab33a379a0b0be6d9682f7fbd810
Closes-Bug: #1573766
