diff --git a/etc/openstack_deploy/openstack_user_config.yml b/etc/openstack_deploy/openstack_user_config.yml index dcab4e36ed..b02369cf0e 100644 --- a/etc/openstack_deploy/openstack_user_config.yml +++ b/etc/openstack_deploy/openstack_user_config.yml @@ -115,7 +115,7 @@ storage_hosts: limit_container_types: cinder_volume lvm: volume_group: cinder-volumes - volume_driver: cinder.volume.drivers.lvm.LVMISCSIDriver + volume_driver: cinder.volume.drivers.lvm.LVMVolumeDriver volume_backend_name: LVM_iSCSI log_hosts: diff --git a/etc/openstack_deploy/openstack_user_config.yml.example b/etc/openstack_deploy/openstack_user_config.yml.example index 0fc5080890..4e549a8ee5 100644 --- a/etc/openstack_deploy/openstack_user_config.yml.example +++ b/etc/openstack_deploy/openstack_user_config.yml.example @@ -190,7 +190,7 @@ storage_hosts: limit_container_types: cinder_volume lvm: volume_group: cinder-volumes - volume_driver: cinder.volume.drivers.lvm.LVMISCSIDriver + volume_driver: cinder.volume.drivers.lvm.LVMVolumeDriver volume_backend_name: LVM_iSCSI # The ``cinder_nfs_client`` values is an optional component available # when configuring cinder. @@ -208,7 +208,7 @@ storage_hosts: limit_container_types: cinder_volume lvm_ssd: volume_group: cinder-volumes - volume_driver: cinder.volume.drivers.lvm.LVMISCSIDriver + volume_driver: cinder.volume.drivers.lvm.LVMVolumeDriver volume_backend_name: LVM_iSCSI_SSD # User defined Logging Hosts, this should be a required group diff --git a/etc/openstack_deploy/user_secrets.yml b/etc/openstack_deploy/user_secrets.yml index 38ceb37541..951b0951fa 100644 --- a/etc/openstack_deploy/user_secrets.yml +++ b/etc/openstack_deploy/user_secrets.yml @@ -37,6 +37,7 @@ keystone_service_password: cinder_container_mysql_password: cinder_service_password: cinder_v2_service_password: +cinder_profiler_hmac_key: ## Glance Options glance_container_mysql_password: 
diff --git a/playbooks/roles/os_cinder/defaults/main.yml b/playbooks/roles/os_cinder/defaults/main.yml index 438af092b4..bdb718a592 100644 --- a/playbooks/roles/os_cinder/defaults/main.yml +++ b/playbooks/roles/os_cinder/defaults/main.yml @@ -41,6 +41,10 @@ cinder_system_home_folder: "/var/lib/{{ cinder_system_user_name }}" cinder_service_admin_tenant_name: "service" cinder_service_admin_username: "cinder" +## Cinder API's enabled +cinder_enable_v1_api: true +cinder_enable_v2_api: true + ## Cinder api service type and data cinder_service_name: cinder cinder_service_user_name: cinder @@ -89,6 +93,7 @@ cinder_service_backup_swift_object_size: 52428800 cinder_service_backup_swift_retry_attempts: 3 cinder_service_backup_swift_retry_backoff: 2 cinder_service_backup_compression_algorithm: zlib +cinder_service_backup_metadata_version: 2 cinder_service_volume_program_name: cinder-volume @@ -120,13 +125,20 @@ cinder_volume_clear_size: 0 cinder_volume_name_template: volume-%s +# osprofiler +cinder_profiler_enabled: false +# cinder_profiler_hmac_key is set in user_secrets.yml +cinder_profiler_trace_sqlalchemy: false + +cinder_client_socket_timeout: 900 + ## General configuration ## Set this in rpc_user_config.yml UNLESS you want all hosts to use the same ## Cinder backends. See the rpc_user_config example for more on how this is done. # cinder_backends: # lvm: # volume_group: cinder-volumes -# volume_driver: cinder.volume.drivers.lvm.LVMISCSIDriver +# volume_driver: cinder.volume.drivers.lvm.LVMVolumeDriver # volume_backend_name: LVM_iSCSI ## Define nfs information for cinder. When the cinder_nfs_client dictionary is defined, diff --git a/playbooks/roles/os_cinder/files/policy.json b/playbooks/roles/os_cinder/files/policy.json index 202efe1d7c..a552c01221 100644 --- a/playbooks/roles/os_cinder/files/policy.json +++ b/playbooks/roles/os_cinder/files/policy.json 
@@ -1,59 +1,86 @@ { - "context_is_admin": [["role:admin"]], - "admin_or_owner": [["is_admin:True"], ["project_id:%(project_id)s"]], - "default": [["rule:admin_or_owner"]], + "context_is_admin": "role:admin", + "admin_or_owner": "is_admin:True or project_id:%(project_id)s", + "default": "rule:admin_or_owner", - "admin_api": [["is_admin:True"]], + "admin_api": "is_admin:True", - "volume:create": [], - "volume:get_all": [], - "volume:get_volume_metadata": [], - "volume:get_volume_admin_metadata": [["rule:admin_api"]], - "volume:delete_volume_admin_metadata": [["rule:admin_api"]], - "volume:update_volume_admin_metadata": [["rule:admin_api"]], - "volume:get_snapshot": [], - "volume:get_all_snapshots": [], - "volume:extend": [], - "volume:update_readonly_flag": [], - "volume:retype": [], + "volume:create": "", + "volume:delete": "", + "volume:get": "", + "volume:get_all": "", + "volume:get_volume_metadata": "", + "volume:get_volume_admin_metadata": "rule:admin_api", + "volume:delete_volume_admin_metadata": "rule:admin_api", + "volume:update_volume_admin_metadata": "rule:admin_api", + "volume:get_snapshot": "", + "volume:get_all_snapshots": "", + "volume:extend": "", + "volume:update_readonly_flag": "", + "volume:retype": "", - "volume_extension:types_manage": [["rule:admin_api"]], - "volume_extension:types_extra_specs": [["rule:admin_api"]], - "volume_extension:volume_type_encryption": [["rule:admin_api"]], - "volume_extension:volume_encryption_metadata": [["rule:admin_or_owner"]], - "volume_extension:extended_snapshot_attributes": [], - "volume_extension:volume_image_metadata": [], + "volume_extension:types_manage": "rule:admin_api", + "volume_extension:types_extra_specs": "rule:admin_api", + "volume_extension:volume_type_access": "", + "volume_extension:volume_type_access:addProjectAccess": "rule:admin_api", + "volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api", + "volume_extension:volume_type_encryption": "rule:admin_api", + 
"volume_extension:volume_encryption_metadata": "rule:admin_or_owner", + "volume_extension:extended_snapshot_attributes": "", + "volume_extension:volume_image_metadata": "", - "volume_extension:quotas:show": [], - "volume_extension:quotas:update": [["rule:admin_api"]], - "volume_extension:quota_classes": [], + "volume_extension:quotas:show": "", + "volume_extension:quotas:update": "rule:admin_api", + "volume_extension:quota_classes": "", - "volume_extension:volume_admin_actions:reset_status": [["rule:admin_api"]], - "volume_extension:snapshot_admin_actions:reset_status": [["rule:admin_api"]], - "volume_extension:volume_admin_actions:force_delete": [["rule:admin_api"]], - "volume_extension:snapshot_admin_actions:force_delete": [["rule:admin_api"]], - "volume_extension:volume_admin_actions:migrate_volume": [["rule:admin_api"]], - "volume_extension:volume_admin_actions:migrate_volume_completion": [["rule:admin_api"]], + "volume_extension:volume_admin_actions:reset_status": "rule:admin_api", + "volume_extension:snapshot_admin_actions:reset_status": "rule:admin_api", + "volume_extension:backup_admin_actions:reset_status": "rule:admin_api", + "volume_extension:volume_admin_actions:force_delete": "rule:admin_api", + "volume_extension:volume_admin_actions:force_detach": "rule:admin_api", + "volume_extension:snapshot_admin_actions:force_delete": "rule:admin_api", + "volume_extension:volume_admin_actions:migrate_volume": "rule:admin_api", + "volume_extension:volume_admin_actions:migrate_volume_completion": "rule:admin_api", - "volume_extension:volume_host_attribute": [["rule:admin_api"]], - "volume_extension:volume_tenant_attribute": [["rule:admin_or_owner"]], - "volume_extension:volume_mig_status_attribute": [["rule:admin_api"]], - "volume_extension:hosts": [["rule:admin_api"]], - "volume_extension:services": [["rule:admin_api"]], - "volume:services": [["rule:admin_api"]], + "volume_extension:volume_host_attribute": "rule:admin_api", + 
"volume_extension:volume_tenant_attribute": "rule:admin_or_owner", + "volume_extension:volume_mig_status_attribute": "rule:admin_api", + "volume_extension:hosts": "rule:admin_api", + "volume_extension:services": "rule:admin_api", - "volume:create_transfer": [], - "volume:accept_transfer": [], - "volume:delete_transfer": [], - "volume:get_all_transfers": [], + "volume_extension:volume_manage": "rule:admin_api", + "volume_extension:volume_unmanage": "rule:admin_api", - "backup:create" : [], - "backup:delete": [], - "backup:get": [], - "backup:get_all": [], - "backup:restore": [], - "backup:backup-import": [["rule:admin_api"]], - "backup:backup-export": [["rule:admin_api"]], + "volume:services": "rule:admin_api", - "snapshot_extension:snapshot_actions:update_snapshot_status": [] + "volume:create_transfer": "", + "volume:accept_transfer": "", + "volume:delete_transfer": "", + "volume:get_all_transfers": "", + + "volume_extension:replication:promote": "rule:admin_api", + "volume_extension:replication:reenable": "rule:admin_api", + + "backup:create" : "", + "backup:delete": "", + "backup:get": "", + "backup:get_all": "", + "backup:restore": "", + "backup:backup-import": "rule:admin_api", + "backup:backup-export": "rule:admin_api", + + "snapshot_extension:snapshot_actions:update_snapshot_status": "", + + "consistencygroup:create" : "group:nobody", + "consistencygroup:delete": "group:nobody", + "consistencygroup:update": "group:nobody", + "consistencygroup:get": "group:nobody", + "consistencygroup:get_all": "group:nobody", + + "consistencygroup:create_cgsnapshot" : "group:nobody", + "consistencygroup:delete_cgsnapshot": "group:nobody", + "consistencygroup:get_cgsnapshot": "group:nobody", + "consistencygroup:get_all_cgsnapshots": "group:nobody", + + "scheduler_extension:scheduler_stats:get_pools" : "rule:admin_api" } diff --git a/playbooks/roles/os_cinder/files/rootwrap.conf b/playbooks/roles/os_cinder/files/rootwrap.conf index 001b90af5d..4d280eae5c 100644 
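Review bot: The new `"volume:delete": ""` and `"volume:get": ""` entries near the top of this hunk are empty rules, which the policy engine evaluates as always allowed, so they are looser than omitting the keys and letting `"default": "rule:admin_or_owner"` apply. With them in place, tenant isolation for get and delete rests on Cinder's project-scoped lookups rather than on policy, which cannot be confirmed from this diff. I would write them as `"volume:delete": "rule:admin_or_owner"` and `"volume:get": "rule:admin_or_owner"`. The empty rule on `"volume_extension:volume_type_access"` deserves the same check, since its two sub-actions are restricted to `rule:admin_api`.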
--- a/playbooks/roles/os_cinder/files/rootwrap.conf +++ b/playbooks/roles/os_cinder/files/rootwrap.conf @@ -10,7 +10,7 @@ filters_path=/etc/cinder/rootwrap.d,/usr/share/cinder/rootwrap # explicitely specify a full path (separated by ',') # If not specified, defaults to system PATH environment variable. # These directories MUST all be only writeable by root ! -exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin +exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin # Enable logging to syslog # Default value is False diff --git a/playbooks/roles/os_cinder/files/volume.filters b/playbooks/roles/os_cinder/files/volume.filters index 2d23743f3a..36a037bb97 100644 --- a/playbooks/roles/os_cinder/files/volume.filters +++ b/playbooks/roles/os_cinder/files/volume.filters @@ -5,8 +5,10 @@ # cinder/volume/iscsi.py: iscsi_helper '--op' ... ietadm: CommandFilter, ietadm, root tgtadm: CommandFilter, tgtadm, root +iscsictl: CommandFilter, iscsictl, root tgt-admin: CommandFilter, tgt-admin, root cinder-rtstool: CommandFilter, cinder-rtstool, root +scstadmin: CommandFilter, scstadmin, root # LVM related show commands pvs: EnvFilter, env, root, LC_ALL=C, pvs 
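Review bot: Adding `/usr/local/bin` and `/usr/local/sbin` to `exec_dirs` in the rootwrap.conf hunk widens the set of directories from which rootwrap resolves bare command names such as `tgtadm` or `ls` and runs them as root. The comment directly above the changed line requires every listed directory to be writable by root only, and nothing in this commit verifies that for the two new paths. On some distributions `/usr/local` is group-writable, and pip-installed tooling lands there as well. I would have the role assert root ownership and a non-group-writable mode on both directories before dropping this file, and add a comment on the line naming the binary that needs the `/usr/local` paths.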
@@ -14,6 +16,25 @@ vgs: EnvFilter, env, root, LC_ALL=C, vgs lvs: EnvFilter, env, root, LC_ALL=C, lvs lvdisplay: EnvFilter, env, root, LC_ALL=C, lvdisplay +# LVM conf var +pvs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, pvs +vgs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, vgs +lvs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvs +lvdisplay_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvdisplay + +# cinder/volumes/drivers/srb.py: 'pvresize', '--setphysicalvolumesize', sizestr, pvname +pvresize: CommandFilter, pvresize, root + +# cinder/brick/local_dev/lvm.py: 'vgcreate', vg_name, pv_list +vgcreate: CommandFilter, vgcreate, root + +# cinder/volumes/drivers/srb.py: 'vgremove', '-f', vgname +vgremove: CommandFilter, vgremove, root + +# cinder/volumes/drivers/srb.py: 'vgchange', '-an', vgname +# cinder/volumes/drivers/srb.py: 'vgchange', '-ay', vgname +vgchange: CommandFilter, vgchange, root + # cinder/volume/driver.py: 'lvcreate', '-L', sizestr, '-n', volume_name,.. # cinder/volume/driver.py: 'lvcreate', '-L', ... lvcreate: CommandFilter, lvcreate, root @@ -28,6 +49,7 @@ lvremove: CommandFilter, lvremove, root lvrename: CommandFilter, lvrename, root # cinder/volume/driver.py: 'lvextend', '-L' '%(new_size)s', '%(lv_name)s' ... +# cinder/volume/driver.py: 'lvextend', '-L' '%(new_size)s', '%(thin_pool)s' ... lvextend: CommandFilter, lvextend, root # cinder/brick/local_dev/lvm.py: 'lvchange -a y -K ' @@ -93,12 +115,14 @@ ssc: CommandFilter, ssc, root ls: CommandFilter, ls, root tee: CommandFilter, tee, root multipath: CommandFilter, multipath, root +multipathd: CommandFilter, multipathd, root systool: CommandFilter, systool, root # cinder/volume/drivers/block_device.py blockdev: CommandFilter, blockdev, root # cinder/volume/drivers/ibm/gpfs.py +cp: CommandFilter, cp, root mv: CommandFilter, mv, root mmgetstate: CommandFilter, /usr/lpp/mmfs/bin/mmgetstate, root mmclone: CommandFilter, /usr/lpp/mmfs/bin/mmclone, root 
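Review bot: `cp: CommandFilter, cp, root` in the third hunk on this line lets the cinder account run `cp` as root with any arguments, which amounts to root-level file write for that account, and the comment above it ties the entry to the GPFS driver only. As far as the copy task in this commit shows, the file is dropped to `/etc/cinder/rootwrap.d/volume.filters` on every host with no backend condition, so LVM-only hosts carry the entry without needing it. The same concern applies in the first hunk to the `*_lvmconf` EnvFilter entries, where `LVM_SYSTEM_DIR=` accepts any directory, and to the unrestricted `pvresize`, `vgcreate`, `vgremove` and `vgchange` filters. I would split driver-specific filters into separate files deployed only for the configured backends, or at least constrain `cp` with a `RegExpFilter` on the paths the driver uses.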
@@ -108,6 +132,12 @@ mmlsconfig: CommandFilter, /usr/lpp/mmfs/bin/mmlsconfig, root mmlsfs: CommandFilter, /usr/lpp/mmfs/bin/mmlsfs, root mmlspool: CommandFilter, /usr/lpp/mmfs/bin/mmlspool, root mkfs: CommandFilter, mkfs, root +mmcrfileset: CommandFilter, /usr/lpp/mmfs/bin/mmcrfileset, root +mmlinkfileset: CommandFilter, /usr/lpp/mmfs/bin/mmlinkfileset, root +mmunlinkfileset: CommandFilter, /usr/lpp/mmfs/bin/mmunlinkfileset, root +mmdelfileset: CommandFilter, /usr/lpp/mmfs/bin/mmdelfileset, root +mmcrsnapshot: CommandFilter, /usr/lpp/mmfs/bin/mmcrsnapshot, root +mmdelsnapshot: CommandFilter, /usr/lpp/mmfs/bin/mmdelsnapshot, root # cinder/volume/drivers/ibm/gpfs.py # cinder/volume/drivers/ibm/ibmnas.py diff --git a/playbooks/roles/os_cinder/tasks/cinder_post_install.yml b/playbooks/roles/os_cinder/tasks/cinder_post_install.yml index b67e52868b..1c5dfe077c 100644 --- a/playbooks/roles/os_cinder/tasks/cinder_post_install.yml +++ b/playbooks/roles/os_cinder/tasks/cinder_post_install.yml @@ -13,7 +13,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -- name: Generate cinder Config +- name: Generate cinder configs template: src: "{{ item.src }}" dest: "{{ item.dest }}" @@ -21,19 +21,19 @@ group: "{{ cinder_system_group_name }}" with_items: - { src: "cinder.conf.j2", dest: "/etc/cinder/cinder.conf" } + - { src: "api-paste.ini.j2", dest: "/etc/cinder/api-paste.ini" } notify: - Restart cinder services tags: - cinder-config -- name: Drop cinder Configs +- name: Drop cinder configs copy: src: "{{ item.src }}" dest: "{{ item.dest }}" owner: "{{ cinder_system_user_name }}" group: "{{ cinder_system_group_name }}" with_items: - - { src: "api-paste.ini", dest: "/etc/cinder/api-paste.ini" } - { src: "policy.json", dest: "/etc/cinder/policy.json" } - { src: "volume.filters", dest: "/etc/cinder/rootwrap.d/volume.filters" } - { src: "rootwrap.conf", dest: "/etc/cinder/rootwrap.conf" } 
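Review bot: `api-paste.ini` moves into the template task in the second cinder_post_install.yml hunk and now carries `hmac_keys`, but no `mode` is visible on either the template task or the copy task, so the rendered files get whatever the default umask gives them. The same template task writes `cinder.conf`, which holds the database and RabbitMQ passwords. I would add `mode: "0640"` to the template task next to `group:`. Line 20 of the file sits between the two hunks and is presumably `owner:`, so this should be confirmed against the full task.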
diff --git a/playbooks/roles/os_cinder/tasks/cinder_pre_install.yml b/playbooks/roles/os_cinder/tasks/cinder_pre_install.yml index d494118909..b8d1083341 100644 --- a/playbooks/roles/os_cinder/tasks/cinder_pre_install.yml +++ b/playbooks/roles/os_cinder/tasks/cinder_pre_install.yml @@ -40,7 +40,7 @@ owner: "{{ item.owner|default(cinder_system_user_name) }}" group: "{{ item.group|default(cinder_system_group_name) }}" with_items: - - { path: "/var/cache/cinder" } + - { path: "/var/cache/cinder", mode: "0700" } - { path: "/etc/cinder" } - { path: "/etc/cinder/rootwrap.d" } - { path: "/etc/sudoers.d", mode: "0750", owner: "root", group: "root" } diff --git a/playbooks/roles/os_cinder/files/api-paste.ini b/playbooks/roles/os_cinder/templates/api-paste.ini.j2 similarity index 59% rename from playbooks/roles/os_cinder/files/api-paste.ini rename to playbooks/roles/os_cinder/templates/api-paste.ini.j2 index ff7f11975c..0d79c81395 100644 --- a/playbooks/roles/os_cinder/files/api-paste.ini +++ b/playbooks/roles/os_cinder/templates/api-paste.ini.j2 
@@ -10,27 +10,32 @@ use = call:cinder.api:root_app_factory [composite:openstack_volume_api_v1] use = call:cinder.api.middleware.auth:pipeline_factory -noauth = request_id faultwrap sizelimit noauth apiv1 -keystone = request_id faultwrap sizelimit authtoken keystonecontext apiv1 -keystone_nolimit = request_id faultwrap sizelimit authtoken keystonecontext apiv1 +noauth = request_id faultwrap sizelimit osprofiler noauth apiv1 +keystone = request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv1 +keystone_nolimit = request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv1 [composite:openstack_volume_api_v2] use = call:cinder.api.middleware.auth:pipeline_factory -noauth = request_id faultwrap sizelimit noauth apiv2 -keystone = request_id faultwrap sizelimit authtoken keystonecontext apiv2 -keystone_nolimit = request_id faultwrap sizelimit authtoken keystonecontext apiv2 +noauth = request_id faultwrap sizelimit osprofiler noauth apiv2 +keystone = request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2 +keystone_nolimit = request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2 [filter:request_id] -paste.filter_factory = cinder.openstack.common.middleware.request_id:RequestIdMiddleware.factory +paste.filter_factory = oslo_middleware.request_id:RequestId.factory [filter:faultwrap] paste.filter_factory = cinder.api.middleware.fault:FaultWrapper.factory +[filter:osprofiler] +paste.filter_factory = osprofiler.web:WsgiMiddleware.factory +hmac_keys = {{ cinder_profiler_hmac_key }} +enabled = yes + [filter:noauth] paste.filter_factory = cinder.api.middleware.auth:NoAuthMiddleware.factory [filter:sizelimit] -paste.filter_factory = cinder.api.middleware.sizelimit:RequestBodySizeLimiter.factory +paste.filter_factory = oslo_middleware:RequestBodySizeLimiter.factory [app:apiv1] paste.app_factory = cinder.api.v1.router:APIRouter.factory 
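Review bot: The new `[filter:osprofiler]` section hard-codes `enabled = yes` and the filter is added to every pipeline ahead of `authtoken`, so the profiling middleware sits in the request path even though `cinder_profiler_enabled` defaults to false in the role defaults. It also renders `hmac_keys = {{ cinder_profiler_hmac_key }}` unconditionally, and `user_secrets.yml` ships that key empty, so a deployment that never generates it would end up with an empty signing key. I would gate the filter on the existing variable, for example `{% if cinder_profiler_enabled | bool %}osprofiler {% endif %}` in each pipeline line, rather than templating `enabled`, because how the middleware parses a rendered `False` is not visible here. The play should also fail when the profiler is enabled and the key is empty.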
diff --git a/playbooks/roles/os_cinder/templates/cinder.conf.j2 b/playbooks/roles/os_cinder/templates/cinder.conf.j2 index 7179860494..51e8b1834b 100644 --- a/playbooks/roles/os_cinder/templates/cinder.conf.j2 +++ b/playbooks/roles/os_cinder/templates/cinder.conf.j2 @@ -11,11 +11,14 @@ my_ip = {{ cinder_storage_address }} osapi_volume_workers = {{ cinder_osapi_volume_workers | default(api_threads) }} -lock_path = /var/lock/cinder rootwrap_config = /etc/cinder/rootwrap.conf api_paste_config = /etc/cinder/api-paste.ini auth_strategy = keystone +## Cinder API's enabled +enable_v1_api = {{ cinder_enable_v1_api }} +enable_v2_api = {{ cinder_enable_v2_api }} + {% if inventory_hostname not in groups['cinder_volume'] %} {% if cinder_service_backup_program_enabled == true %} {% if cinder_service_backup_swift_url is defined and cinder_service_backup_swift_user is defined and cinder_service_backup_swift_key is defined %} @@ -30,16 +33,13 @@ backup_swift_object_size = {{ cinder_service_backup_swift_object_size }} backup_swift_retry_attempts = {{ cinder_service_backup_swift_retry_attempts }} backup_swift_retry_backoff = {{ cinder_service_backup_swift_retry_backoff }} backup_compression_algorithm = {{ cinder_service_backup_compression_algorithm }} +backup_metadata_version = {{ cinder_service_backup_metadata_version }} {% endif %} {% endif %} {% endif %} ## RabbitMQ rpc_backend = {{ cinder_rpc_backend }} -rabbit_port = {{ rabbitmq_port }} -rabbit_userid = {{ rabbitmq_userid }} -rabbit_password = {{ rabbitmq_password }} -rabbit_hosts = {{ rabbitmq_servers }} ## Nova nova_catalog_info = {{ cinder_nova_catalog_info }} @@ -65,6 +65,8 @@ iscsi_ip_address = $my_ip iscsi_num_targets = {{ cinder_iscsi_num_targets }} iscsi_port = {{ cinder_iscsi_port }} +client_socket_timeout = {{ cinder_client_socket_timeout }} + {% if cinder_default_volume_type is defined %} default_volume_type = {{ cinder_default_volume_type }} {% endif %} 
@@ -88,6 +90,18 @@ nfs_shares_config={{ cinder_nfs_client.nfs_shares_config }} [database] connection = mysql://{{ cinder_galera_user }}:{{ cinder_container_mysql_password }}@{{ galera_address }}/{{ cinder_galera_database }}?charset=utf8 +[oslo_messaging_rabbit] +rabbit_port = {{ rabbitmq_port }} +rabbit_userid = {{ rabbitmq_userid }} +rabbit_password = {{ rabbitmq_password }} +rabbit_hosts = {{ rabbitmq_servers }} + +[oslo_concurrency] +lock_path = /var/lock/cinder + +[profiler] +profiler_enabled = {{ cinder_profiler_enabled }} +trace_sqlalchemy = {{ cinder_profiler_trace_sqlalchemy }} [keystone_authtoken] signing_dir = /var/cache/cinder