There are cases where policy file is re-generated freshly
and end up having the new defaults only but expectation is that
old deprecated rule keep working.
If a rule is present in policy file then, that has priority over
its defaults so either rules should not be present in policy file
or users need to update their token to match the overridden rule
permission.
This issue was always present when any policy defaults were changed
with old defaults being supported as deprecated. This is we have
changed all the policy for new defaults so it came up as broken case.
Adding nova-status upgrade check also to detect such policy file.
Related-Bug: #1875418
Change-Id: Id9cd65877e53577bff22e408ca07bbeec4407f6e
This commit adds the documents to explain the new defaults,
migration plan and releases notes for policies changes in
BP policy-defaults-refresh
Partial implement blueprint policy-defaults-refresh
Change-Id: I00e678858a8e46786f3b69fbba3f5353932de49b
Now that allocations are passed to the methods, we can ask whether we
need to use mediated devices for the instance.
Adding a large functional test for verifying it works.
Change-Id: I018762335b19c98045ad42147080203092b51c27
Closes-Bug: #1778563
The term role has became case sensitive since sphinx 3.0.1.
It causes the following warnings and makes a check job fail.
WARNING: term not in glossary: availability zone
This patch fixes the issue.
Change-Id: I1f993b503ef769da0950afa206d6ac4a54f903b4
Closes-Bug: #1872260
It's now possible to have a different vGPU type for each pGPU. By modifying
the config, you can say which PCI device (ie. a pGPU) should use a specific
vGPU type.
For upgrades, the behaviour from Train won't be changed since we only use
the first type if we don't have the dynamic options (so operators don't
need to change nova.conf before upgrading).
Implements: blueprint vgpu-multiple-types
Change-Id: I46f0a76811142888db2bbc66cc3fde04ff890c01
Now that we have a registry of all extra specs known by stock nova, we
can start documenting these. We choose the configuration guide to do
this since configuration of flavor extra specs is traditionally an
admin-only operation.
Part of blueprint flavor-extra-spec-validators
Change-Id: I5ad6576e0d31a29822d1c7b47751ea81828630cf
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
Add the validation framework necessary to verify extra specs along with
the definitions for every extra spec we currently recognize in-tree.
None of this is currently used since we don't have the API microversions
wired up, but that will come in a future patch.
Note that we must add the H238 hacking check to the ignore list here,
since this includes our first use of Python 3-type classes without the
explicit 'object' subclass. This can be removed when that check is
removed from hacking.
Part of blueprint flavor-extra-spec-validators
Change-Id: Ib64a1348cce1dca995746214616c4f33d9d664bd
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
We had recent bug report about a possible regression related to
affinity policy enforcement with parallel server create requests.
It turned out not to be a regression but because of the complexity
around affinity enforcement, it might help to add a section to the
compute troubleshooting doc about it which we could refer to in the
future.
Related-Bug: #1863190
Change-Id: I508c48183a7205d46e13154d4e92d31dfa7f7d78
Since I537ed74503d208957f0a97af3ab754a6750dac20 had some clean-up comments,
we can just provide a follow-up change.
Change-Id: Ie8b5147322e13ad7df966b5c3c41ef0418e4f64c
Related-Bug: #1793569
Microversion bump to allow non-admin user to use more filters key
when listing instances.
In order to stay coherent, all existing instance filters who are
related to a field readable by default to non admin users when showing
instance details, should be allowed by default without policy
modification.
Implements: blueprint non-admin-filter-instance-by-az
Change-Id: Ia66d3a1ceb74ed521cf44922929b2a502f3ee935
This change documents certain hyper-v driver features that are not
included in the driver support matrix.
Change-Id: I29f6d816138bd31ad6bc8d327636b202d718bdff
Operators can deploy their own scheduler filters. We currently provide
some minimal instructions for how to do this but it omits things like
the need to package these filters so they can be picked up correctly.
Change-Id: I725801c9c049455a0196e4664d767b81a8d4edf2
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
Added JSON schema defining `network_data.json` contents and
beefed up the MetadataTest functional test cases to use a
real instance instead of a database shell. This way the
tests see real data in the metadata service like a real
network_data.json.
Besides internal Nova consumption, this schema might be
helpful to other tools (such as ironic or Glean) to
validate human-generated `network_data.json` prior to
using it.
Co-Authored-By: Balazs Gibizer <balazs.gibizer@est.tech>
Change-Id: Ie5a5a1fc81c7c2d3f61b72d19de464cfc9dab5ec
The console proxies (VNC, SPICE, etc) currently don't allow the
allowed TLS ciphers and protocol versions to be configurable. This
results in the defaults being used from the underlying system,
which may not be secure enough for many deployments. This patch
allows for the ciphers and minimum SSL/TLS protocol version for
each console proxy to be configured in nova's config.
We utilize websockify underneath our console proxies, which added
support for allowed ciphers and the SSL/TLS version to be
configurable as of version 0.9.0. This change updates the lower
constraint for this dependency.
Closes-Bug: #1842149
Related-Bug: #1771773
Change-Id: I23ac1cc79482d0fabb359486a4b934463854cae5
There are different situations when allocations can be orphaned.
Adding a new nova-manage command to lookup at all resource providers
and check against the related compute nodes whether they have
orphaned allocations.
Change-Id: I537ed74503d208957f0a97af3ab754a6750dac20
Closes-Bug: #1793569
Fixing a couple of typos that wrongly refers to
update_available_resources()
insted of update_available_resource()
Change-Id: Iaf7828e9cfb73ac87018d78180d16aae91d838f3
The document which contains the steps to test different NUMA
setups was using legacy instructions. This change pretends to update
those instructions to improve the readability.
Change-Id: Id8bf96f035528b15a51c802f06e07422b9f36736
Placement microversion 1.35 gives us the root_required queryparam to GET
/allocation_candidates, allowing us to filter out candidates where the
*root* provider has/lacks certain traits, independent of traits
specified in any of the individual request groups.
Use it.
And add affordance for specifying such traits to the RequestSpec.
Which allows us to fix up the couple of request filters that were
hacking traits into the RequestSpec.flavor.
Change-Id: I44f02044ce178e84c23d178e5a23a3aa1208e502
