672 Commits

Author SHA1 Message Date
Jenkins
afd1f9d382 Merge "Change os-server-tags default policy" 2017-03-29 11:31:32 +00:00
Jenkins
c69b868051 Merge "Remove unused policy rule in admin_actions.py" 2017-03-27 14:32:51 +00:00
Sujitha
353fb80d4d Remove unused policy rule in admin_actions.py
This patch removes the policy rule with name os_compute_api:os-admin-actions
as it is not used by any API.

blueprint policy-docs

Change-Id: I387e80dcedd4f1500f87fc36765c42d72717ded9
2017-03-27 11:04:16 +00:00
Thomas Stewart
af8d93fa9d Add lan9118 as valid nic for hw_vif_model property for qemu
DocImpact
This introduces an additional VNI so the hw_vif_model doc needs updating
to reflect this at:
https://docs.openstack.org/cli-reference/glance-property-keys.html

Change-Id: Ifc1636bff53cf74f889e1f4b632fa62c52d07b8e
Closes-Bug: 1638059
Signed-off-by: Thomas Stewart <thomas@stewarts.org.uk>
2017-03-22 17:06:29 +00:00
Jenkins
3ee4b0cf0e Merge "conf: Deprecate 'use_ipv6'" 2017-03-22 14:54:04 +00:00
Jenkins
a4ee3ea563 Merge "netutils: Ignore 'use_ipv6' for network templates" 2017-03-22 14:53:29 +00:00
Jenkins
df6fa11185 Merge "Handle conflicts for os-assisted-volume-snapshots" 2017-03-22 14:30:55 +00:00
Stephen Finucane
0b550db05f conf: Deprecate 'use_ipv6'
Since Idcfdaf3b removed the use of this flag in the libvirt port filter
and I188fc2c removed the use in injected network templates, the only
remaining use of this option is in nova-network. As a result, we can
deprecate this like nova-network itself.

Change-Id: Ibbcd1fd11c3563b4ddef7c128b714402beac7e3d
Implements: blueprint centralize-config-options-pike
2017-03-22 12:03:06 +00:00
Stephen Finucane
c0aef97c49 netutils: Ignore 'use_ipv6' for network templates
Nova supports file injection of network templates. Putting these in a
config drive is the only way to configure networking without DHCP.

At present, setting the 'use_ipv6' config option to False prevents the
generation of IPv6 network info, even if there are IPv6 networks
available. This was fine when using nova-network, where the same config
option is used to control generation of these subnets. However, a
mismatch between this nova option and equivalent IPv6 options in neutron
would result in IPv6 packets being dropped.

Seeing as there is no apparent reason for not including IPv6 network info
when IPv6 capable networks are present, we can ignore this option.
Instead, we include info for all available networks in the template, be
they IPv4 or IPv6.

Change-Id: I188fc2cd1b26fe7a71804f7e7d66b111d6f15e30
Implements: blueprint centralize-config-options-pike
2017-03-22 12:02:30 +00:00
Jenkins
5c0cb33d75 Merge "libvirt: Ignore 'use_ipv6' for port filters" 2017-03-22 00:09:13 +00:00
Matt Riedemann
3f985f1eda Add release note for CVE-2017-7214
Change-Id: I1f5b772bff8fa2dc508c4bdd3dd1f32838594786
Related-Bug: #1673569
2017-03-21 17:54:43 -04:00
Sujitha
f0c0621aa0 Change os-server-tags default policy
os-server-tags operations should be limited only to admin or owner
of the server. This patch changes the default policy
from ANY to ADMIN_OR_OWNER.

This patch doesn't address the actual policy check at the API level.
This would be fixed as part of a wider effort. For now, we maintain
consistency with other similar APIs.

Change-Id: If5f48fad9f040dd08060b4a86858a3b223550956
Closes-Bug: #1581203
2017-03-21 14:45:55 +00:00
Jenkins
1e0e4080fb Merge "DELETE all inventory for a resource provider" 2017-03-21 02:44:58 +00:00
Jenkins
67418e5ce1 Merge "fix os-volume_attachments policy checks" 2017-03-21 02:14:56 +00:00
Matthew Edmonds
4aa55f3edf fix os-volume_attachments policy checks
The os-volume_attachments APIs have their own policy settings defined,
yet were also checking the policy settings defined for the os-volumes
APIs. This should never have been the case, but especially not now
that the os-volumes APIs are deprecated and don't even work anymore
with newer microversions. This change removes the os-volumes policy
checks for os-volume_attachment API requests. The code will continue
to make os-volumes policy checks for os-volumes APIs, and
os-volume_attachment policy checks for os-volume_attachment APIs.

Removed the _items method, which was only being called from one place,
to resolve comments that policy checks should always happen immediately
upon entering the API methods.

Change-Id: I35aaedf5c4c49cb568fa06c2974f9a35aa2ffcc5
Closes-Bug: #1635358
UpgradeImpact
2017-03-20 18:08:27 +00:00
Stephen Finucane
e5080c7330 libvirt: Ignore 'use_ipv6' for port filters
The libvirt driver provides port filtering capability. This capability
is enabled when the following is true:

- The IPTables firewall driver is enabled
- Security groups are disabled
- Neutron port filtering is disabled
- An IPTables-compatible interface is used, e.g. hybrid mode, where the
  VIF is a tap device

When enabled, libvirt applies IPTables rules that provide MAC, IP, and
ARP spoofing protection.

At present, setting the 'use_ipv6' config option to False prevents the
generation of IPv6 rules even when there are IPv6 subnets available.
This is fine when using nova-network, where the same config option is
used to control generation of these subnets. However, a mismatch between
this nova option and equivalent IPv6 options in neutron would result in
IPv6 packets being dropped.

Seeing as there is no apparent reason for not allowing IPv6 traffic when
the network is IPv6-capable, we can ignore this option. Instead, we use
the availability of IPv6-capable subnets as an indicator that IPv6 rules
should be added.

This paves the way for deprecating the 'use_ipv6' option, which is now
only used for two deprecated features: nova-network and file injection.

Change-Id: Idcfdaf3b163ba852c9a2c45d5e0c6c35e643c7f5
Implements: blueprint centralize-config-options-pike
2017-03-20 16:52:14 +00:00
Rafael Folco
f903a6c56b DELETE all inventory for a resource provider
This patch adds a new method for deleting all inventories for a
resource provider: DELETE /resource-providers/{uuid}/inventories

Return codes:
204 NoContent on success
404 NotFound if the resource provider does not exist
405 MethodNotAllowed if a microversion is specified that is before
    this change (1.5)
409 Conflict if inventory in use or if some other request concurrently
    updates this resource provider

Change-Id: I1ecb12c888f873e8330367c8411d5a2ef0458495
Implements: bp delete-inventories-placement-api
2017-03-20 14:00:33 +00:00
Jenkins
cb506ec2e5 Merge "nova-status: require placement >= 1.4" 2017-03-20 13:14:28 +00:00
Juan Antonio Osorio Robles
5bc5e8440e Make versioned notifications topics configurable
Some services (such as telemetry) actually consume the notifications. So
if one deploys a service that listens on the same queue as telemetry,
there will be race-conditions with these services and one will not get
the notifications that are expected at points.

To address this, one sets a different topic and consumes from there.
This is not possible with versioned notifications at the moment. And, as
services move to using that, the same need will arise.

So, this adds a configuration option to nova for enabling the
configuration of topics for this notifier.

Change-Id: I817ce4bae0dd37e0d06bd44f21ba81b3cb800548
2017-03-14 22:18:15 +02:00
Roman Podoliaka
a17851ab0a nova-status: require placement >= 1.4
Since Ia1a0066dc30025c02553584a077365b28d8ff80e FilterScheduler will
no longer fall back to not using placement API. We need to require
version 1.4 to prevent NoValidHost errors.

Closes-Bug: #1669433

Change-Id: I6666cb2f558ed1f4e83f21e0317a206b07c25134
2017-03-14 12:26:37 +02:00
ghanshyam
e9b193dc61 Typo fix in releasenotes: deprecate network options
This patch updates network options deprecation releasenotes
for left out comment in I3f1dbddebea846b19c0a1647595c447fefc435e2

Change-Id: I3563cd6789bef411d0713b866d68a84dc28db097
2017-03-13 09:22:42 +00:00
Jenkins
b00badc4a9 Merge "conf: Deprecate most 'network' option" 2017-03-10 22:47:10 +00:00
Jenkins
54629ff944 Merge "Use Cinder API v3 as default" 2017-03-09 21:14:58 +00:00
Jenkins
0c5d734fa6 Merge "libvirt: pass log_path to _create_pty_device for non-kvm/qemu" 2017-03-07 16:16:38 +00:00
Stephen Finucane
792385fc46 conf: Deprecate most 'network' option
These are nova-network options and affect different aspects of nova
itself. We deprecate them all with an eye of removing them when nova-net
finally embraces Seppuku or otherwise excuses itself.

- 'metadata_host', 'metadata_port'

  These options are only used by the LinuxNetL3 L3 nova-network driver.
  The help text for one of these options is clarified.

- 'iptables_*' options

  These options are only used by the LinuxBridgeInterfaceDriver, which
  is in turn only used by nova-network's linuxnet bridge.

- 'dns_*' options

  These options are only used for the LdapDNS floating IP DNS driver,
  which is in turn only used by nova-network's NetworkManager. There are
  a number of TODOs associated with these opts which are also removed as
  there's no point in "fixing" deprecated config options.

- 'dhcp_*' options

  These options are only used by the LinuxNetL3 L3 nova-network driver
  and/or the nova-dhcpbridge.

- 'ebtables_*' options

  These options are only used by the LinuxNetL3 L3 nova-network driver.

- 'fake_network'

  This option is only used in tests for nova-network. We could rework
  those tests to remove this option entirely, but it's easier to just
  deprecate it.

- 'send_arp_for_ha', 'send_arp_for_ha_count'

  These options are only used by the LinuxNetL3 L3 nova-network driver.

- Various other options

  I can't group these but they're not used outside of the feature.

Some options must be retained as they are currently in use by other,
non-nova network features. These will be cleaned up in future changes.

Change-Id: I3f1dbddebea846b19c0a1647595c447fefc435e2
Implements: blueprint centralize-config-options-pike
2017-03-07 14:40:28 +00:00
Ildiko Vancsa
6dc3d7beaf Use Cinder API v3 as default
This patch sets Nova to use the Cinder v3 API as the default option.
This change uses the base '3.0' version, which is identical to v2.

Leveraging microversions that were introduced in v3 and switching to
a newer microversion will be added in a follow up patch.

Change-Id: Ibcc8eefcc5011ad5002d608a3c253f1e9b68416f
2017-03-07 14:18:26 +01:00
Jenkins
d3cb8bbc18 Merge "Default firewall_driver to nova.virt.firewall.NoopFirewallDriver" 2017-03-07 12:54:49 +00:00
Matt Riedemann
ac61abb7c7 libvirt: pass log_path to _create_pty_device for non-kvm/qemu
log_path is required in _create_pty_device if:

1. serial consoles are disabled
2. libvirt/qemu are new enough that they support virtlogd

This was working fine for kvm and qemu since _create_consoles_s390x
and _create_consoles_qemu_kvm pass in the log_path, but for the
non-kvm/qemu cases, like xen, the log_path wasn't provided.

This wasn't caught by the XenProject CI since it's using libvirt
1.3.1 which does not have virtlogd support so this path was
not exercised and apparently not unit tested either.

A release note is provided since this is a pretty severe bug if
you're running new enough libvirt/qemu and not using kvm/qemu as
the virt type because CONF.serial_console.enabled is False by
default so you're going to have failed server creates immediately
upon upgrading to Ocata.

Change-Id: I7f60db1d243a75b90e3c0e53201cb6000ee95778
Closes-Bug: #1670522
2017-03-06 19:00:31 -05:00
Jenkins
c3bfbcf5cc Merge "Add rudimentary CORS support to placement API" 2017-03-06 23:39:30 +00:00
Jenkins
8776862d48 Merge "conf: Deprecate 'firewall_driver'" 2017-03-03 23:05:34 +00:00
Jenkins
ded8170d0e Merge "Reno for additional-notification-fields-for-searchlight" 2017-03-03 17:58:57 +00:00
Jenkins
b0857afc54 Merge "conf: Deprecate 'ipv6_backend'" 2017-03-03 16:20:57 +00:00
Anusha Unnam
862d9d4327 Reno for additional-notification-fields-for-searchlight
Locked and display_description fields are added in this patch
https://review.openstack.org/#/c/407128/

Change-Id: I7c3cb994635459822f468bbdd90b274be80447a6
2017-03-03 02:37:57 +00:00
Matt Riedemann
064da08538 Default firewall_driver to nova.virt.firewall.NoopFirewallDriver
In Ocata we changed use_neutron=True as the default. When configuring
Nova to use Neutron, one is supposed to set the firewall_driver
config option to nova.virt.firewall.NoopFirewallDriver, but that was
not the default. This change makes it the default to match the default
for use_neutron.

Change-Id: If012acdd0ef2a66948ae45288cccb766262efb68
2017-03-02 15:46:38 -05:00
Matt Riedemann
70afc0d540 Handle conflicts for os-assisted-volume-snapshots
Since a guest-assisted disk snapshot is performed on the compute
that the instance is running on, there are only certain states
that the instance can be in to perform this operation. For example,
if the instance is shelved_offloaded then the instance does not
have a host and we can't cast to a compute to perform the snapshot.

Given how unrestrictive this API was before, the only restriction
we place on the state is that the instance does not have a task_state
set. We allow any vm_state for performing the operation as long as
there is a host and no task_state.

As noted in the code, we'd normally return a 409 in this case but
according to our microversion docs [1] that would be a new error
code and require a version bump, so this change just uses 400 and
leaves a TODO to make this 409 in a later mass return code update
microversion.

[1] https://docs.openstack.org/developer/nova/api_microversion_dev.html#f1

Change-Id: I1dc54a38f02bb48921bcbc4c2fdcc2c946e783c1
Closes-Bug: #1657585
2017-03-02 15:10:26 -05:00
Ildiko Vancsa
63805735c2 Remove check_attach
This patch finishes removing the 'check_attach' call from Nova
completely. As Cinder already performs the required checks as part
of the 'reserve_volume' (os-reserve) call it is unnecessary to check the
state machine in Nova also and it can lead to race conditions.

The missing 'reserve_volume' call is added to the BFV flow. In case of
build failure the volume will be locked in 'attaching' state until the
instance in ERROR state is cleaned up.

We also check AZ for each volume attach operation which we haven't
done for unshelve. A release note is added to enable 'cross_az_attach'
in case the user does not care about AZ.

The compute service version had to be bumped as the old computes still
perform 'check_attach', which will fail when the API reserves the
volume and the volume state moves to 'attaching'. If the computes
are not new enough the old check will be called as opposed to
'reserve_volume'.

Closes-Bug: #1581230
Change-Id: I3a3caa4c566ecc132aa2699f8c7e5987bbcc863a
2017-02-26 20:34:05 -05:00
Jenkins
082885fb72 Merge "Bump minimum required libvirt/qemu versions for Pike" 2017-02-24 02:50:33 +00:00
Jenkins
c5899fe705 Merge "Verify project_id when quotas are checked" 2017-02-23 02:20:16 +00:00
Sean Dague
f6fbfc7ff0 Verify project_id when quotas are checked
Implements bp:validate-project-with-keystone

Change-Id: I240f3395590bdccae03690f1c8a519dcc58d51e9
2017-02-22 16:43:05 +00:00
Jenkins
6a3b436b09 Merge "Remove service version check for Ocata/Newton placement decisions" 2017-02-21 21:18:26 +00:00
Dan Smith
c604a6cf16 Remove service version check for Ocata/Newton placement decisions
In Ocata, the filter scheduler would not consult placement until all of
the computes had been upgraded. That check no longer makes sense in Pike
and isn't multi-cell-aware anyway. This removes that check.

Change-Id: Ia1a0066dc30025c02553584a077365b28d8ff80e
2017-02-20 13:21:58 -08:00
Jenkins
25e52e1ee8 Merge "Deprecate xenserver.vif_driver config option and change default" 2017-02-16 20:32:11 +00:00
Matt Riedemann
7bc9b81699 Deprecate xenserver.vif_driver config option and change default
There are two in-tree options for the xenserver.vif_driver,
the bridge driver and the ovs driver. The XenAPI subteam has
confirmed that the bridge driver is for nova-network (which is
deprecated) and the ovs driver is for Neutron, and that's how
things are tested in CI.

Since we changed the default on use_neutron to be True for Ocata
we need to change the default on the vif_driver to be the ovs
driver so it works with the default config, which is Neutron.

We're deprecating the option though since we can use the use_neutron
option to decide which vif driver to load - which will make
deploying and configuring nova with xen as the backend simpler.

Change-Id: I599f3449f18d2821403961fb9d52e9a14dd3366b
2017-02-16 12:15:12 -05:00
Jenkins
a5f677f93a Merge "Update reno for stable/ocata" 2017-02-16 04:43:14 +00:00
Matt Riedemann
2c1e134121 Cleanup some issues with CONF.placement.os_interface
This change fixes a few things with the recently added
"os_interface" option in the [placement] config group.

1. It adds tests for the scheduler report client that
   were missing in the original change that added the
   config option.

2. It uses the option in the "nova-status upgrade check"
   command so it is consistent with how the scheduler
   report client uses it.

3. It removes the restrictive choices list from the
   config option definition. keystoneauth1 allows an
   "auth" value for the endpoint interface which means
   don't use the service catalog to find the endpoint
   but instead just read it from the "auth_url" config
   option. Also, the Keystone v3 API performs strict
   validation of the endpoint interface when creating
   an endpoint record. The list of supported interfaces
   may change over time, so we shouldn't encode that
   list within Nova.

4. As part of removing the choices, the release note
   associated with the new option is updated and changed
   from a 'feature' release note to simply 'other' since
   it's not really a feature as much as it is a bug fix.

Change-Id: Ia5af05cc4d8155349bab942280c83e7318749959
Closes-Bug: #1664334
2017-02-13 17:13:14 -05:00
Jenkins
8de0c648c2 Merge "Allow placement endpoint interface to be set" 2017-02-13 07:31:01 +00:00
Matt Riedemann
b980df0d54 Bump minimum required libvirt/qemu versions for Pike
Based on the libvirt distro support matrix wiki [1] this change
bumps the minimum required version of libvirt to 1.2.9 and
QEMU to 2.1.0. These were both advertised as the next minimums
since Newton, we just never made the change in Ocata.

The next minimum libvirt version is set to 1.3.1 and the next
minimum QEMU version is set to 2.5.0, which is what we gate
on with Ubuntu 16.04 but also falls within the distro support
matrix for a representative set of other supported distros.

[1] https://wiki.openstack.org/wiki/LibvirtDistroSupportMatrix

Change-Id: I9a972e3fde2e4e552f6fc98350820c07873c3de3
2017-02-11 20:30:25 -05:00
ChangBo Guo(gcb)
03711d2648 Use min parameter to restrict live-migration config options
UpgradeImpact: IntOpt type provides min parameter to restrict integer's
minimum value in oslo.config, and will generate description about this
in the format like '# Minimum value: XXX', then we don't need to round up
the minimum value quietly in code.

Change-Id: I54592ba4f46c2d6260f1513e5e29dd466c89724d
2017-02-10 11:48:26 +00:00
Jenkins
6af04d9c13 Merge "Default live_migration_progress_timeout to off" 2017-02-09 17:36:22 +00:00
Stephen Finucane
c79c37d259 conf: Deprecate 'firewall_driver'
This is a nova-network option that can be removed.

Change-Id: Ifcb8b4755416280cd13c5ccfbc47d79ae7845e28
Implements: blueprint centralize-config-options-pike
2017-02-09 14:35:06 +00:00