402 Commits

Author SHA1 Message Date
Tin Lam
6d35251cf1 fix(rally): update cleanup
The cleanup script used for router, network, server, and flavor does not
account for the first column being the resource ID. Matching via
^[sc]_rally will always result in an empty return. This fix now correctly
matches the name of the second column. This also fixes an issue where
rally creates flavor as "private", adding --all so it cleans up the
private flavors as well.

Change-Id: Id1a0e31e56b51fd92a95e8588d259ce21fa839d6
Signed-off-by: Tin Lam <tin@irrational.io>
2020-05-10 22:07:52 +00:00
diwakar thyagaraj
71200c3fa6 Enable Apparmor to init container for Nova
Change-Id: Id0e2b5ae7d1b8361542408ebf634ebf9d3241f9e
Signed-off-by: diwakar thyagaraj <diwakar.chitoor.thyagaraj@att.com>
2020-05-08 18:35:54 +00:00
Gage Hugo
db79e79788 Remove OSH Authors copyright
The current copyright refers to a non-existent group
"openstack helm authors" with often out-of-date references that
are confusing when adding a new file to the repo.

This change removes all references to this copyright by the
non-existent group and any blank lines underneath.

Change-Id: Ia035037e000f1bf95202fc07b8cd1ad0fc019094
2020-04-03 20:53:32 +00:00
Sangeet Gupta
214feefd13 Nova: Update compute start script for console
[0] added route command to identify multiple default routes.
In some deployments, route command is not available which set the
client_interface value incorrectly. In this case VNC client tries
to connect to default host 127.0.0.1 and fails.

[0] https://review.opendev.org/#/c/696187

Change-Id: I4a936af053114988e0b70048e276a71833c5638e
2020-03-26 11:44:14 -05:00
Zuul
c833a8da7e Merge "Move common nova Train overrides from distro overrides" 2020-03-19 22:24:48 +00:00
Andrii Ostapenko
5964ca18a5 Move common nova Train overrides from distro overrides
Change-Id: I7392ae36f116c52eb4e1929721ffa19e61cf8d94
2020-03-18 19:10:41 -05:00
rajesh.kudaka
280da52425 Disable separate placement deployment in stein
This commit is to deploy placement service as a part
of nova chart for stein release. This also enables
separate placement chart deployment for train release.

Change-Id: Ie22dbf85a3ed42bc0cd13579218e03d5912e67ea
2020-03-18 09:43:31 +00:00
Zuul
000485bf97 Merge "Fix network policy job" 2020-03-17 15:34:09 +00:00
Tin Lam
f1bdcc3251 Fix network policy job
This patch set addresses an issue with the placement component of nova
breaking the network policy job.

Also, make the network policy jobs voting to ensure things do not break.

Change-Id: I41dfa6a335a915dbaf08114c2e14e906c76e85ba
Signed-off-by: Tin Lam <tin@irrational.io>
2020-03-16 16:05:06 +00:00
Huang, Sophie (sh879n)
8a7b7ba086 Enable Cinder backends to use iSCSI for data traffic
In this patchset, the iSCSI protocol support is added
to enable Cinder to use iSCSI based storage backends.

Bootable volumes are not supported, only VM attached
volumes are supported for this initial patchset.

Change-Id: I1b35290b62d2cebae4bd8be62126a53f230ac6c0
2020-03-16 14:23:23 +00:00
Zuul
3c093d2dea Merge "Revert "Modify files related to overrides."" 2020-03-13 22:41:15 +00:00
Pete Birley
728b3739cf Revert "Modify files related to overrides."
This reverts commit 0389b54578dc9efb670fcacb1097daf008d7cdcc.

Change-Id: I91f2c87f51978fe0a35143757c19fe789f7e0669
see: https://review.opendev.org/#/c/712959/1
2020-03-13 14:08:31 +00:00
dt241s@att.com
ef1f5ec153 Enable Apparmor to Nova components
Change-Id: Icefa9c91899110d7560dae7e73f9dd932e88e3fa
2020-03-10 02:24:58 +00:00
KAVVA, JAGAN MOHAN REDDY (jk330k)
394fdb3b9f Enable Docker default AppArmor profile to nova-placement-api
This adds default Apparmor profile to nova-placement-api.

Change-Id: I075c4639c692eafbc4cdd692420e9cbfac0285fd
2020-03-07 00:16:25 +00:00
songgongjun
0389b54578 Modify files related to overrides.
As the functions of overrides are upgraded, the
files that depend on the functions of overrides
need to be modified synchronously. This patch and
https://review.opendev.org/#/c/707788/ depend on
each other.

Story: 2007291
Task: 38753
Depends-on: https://review.opendev.org/#/c/707788/
Change-Id: I048c8fe73f8f85df465f2c829812b75be1e4f130
Signed-off-by: songgongjun <gongjun.song@intel.com>
2020-03-03 20:06:45 +08:00
Tin Lam
2aa32665b4 Add train release support
This patch set adds in job to test the OpenStack train releases.

Depends-On: https://review.opendev.org/#/c/706456/
Change-Id: I89fef1264f68dab7e921a9e5503c29d6a051f342
Signed-off-by: Tin Lam <tin@irrational.io>
2020-02-28 20:19:58 +00:00
Zuul
a5ffce4327 Merge "Add placement chart" 2020-02-28 20:14:30 +00:00
Gage Hugo
f9dbba7043 Revert "Revert "Keystone Authtoken Cache: allow universal secret key to be set""
This reverts commit 90d070390db08abf9da42a2bac54397112bbcd48.

Change-Id: I017c6e9676b872e1aab21f9dc8aa2f93db58d49f
2020-02-21 11:16:55 -06:00
zhipengl
4925e1c47e Add placement chart
This commit adds a helm chart to deploy placement.

Related test pass on simplex and multi-node setup

Story: 2005799
Task: 33532

Depends-On: https://review.opendev.org/#/c/672678/

Change-Id: Ife908628c6379d2d39d15f72073da3018cc26950
Signed-off-by: zhipengl <zhipengs.liu@intel.com>
Co-Authored-By: Jean-Philippe Evrard <jean-philippe@evrard.me>
2020-02-20 08:27:51 +00:00
Sangeet Gupta
414b10fab0 Fix health-probe concurrency and timings
Changed Nova and Neutron health-probe script to exit if previous
probe process is still running.
The health-probe has RPC call timeout of 60 seconds and has 2
retries. In worst case scenario the probe process can run a little
over 180 seconds. Changing the periodSeconds so that probe starts
after previous one is complete. Also changing timeoutSeconds value
a little to give little more extra time for the probe to finish.
Increasing the liveness probe periods as they are not so critical
which will reduce the resource usage for the probes.

Co-authored-by: Randeep Jalli <rj2083@att.com>

Change-Id: Ife1c381d663c1e271a5099bdc6d0dfefb00d8d73
2020-02-18 17:24:23 +00:00
Vasyl Saienko
90d070390d Revert "Keystone Authtoken Cache: allow universal secret key to be set"
This reverts commit 1c85fdc390e05eb578874e77fad9d4ec942da791.

Do not use randomly generated strings in configmaps as this leads to
whole helm release redeployment even if no values are changed. The random
items have to be generated outside of helm chart and provided via
values.
Also previous behaviour didn't allow to use cache during rolling upgrade
as new pods were spawned with new key.

Change-Id: I423611b18fca0d65e2e721a9c6a0c3d8df0813d2
2020-02-12 11:18:06 +00:00
Zuul
a7fcc03112 Merge "Move apparmor to use feature gates" 2020-02-04 17:31:04 +00:00
Zuul
ca89cc4237 Merge "Fix health probe for several conductor workers" 2020-02-01 00:48:05 +00:00
Gage Hugo
a1fc694ae9 Move apparmor to use feature gates
This change refactors the apparmor job to utilize the feature
gates system instead of relying on separate scripts.

Also disabled barbican running in the apparmor job temporarily
until the correct profile gets used and it can deploy
successfully.

Change-Id: Iadacd214de3fdb06e4acde4433c5fa86973371d5
2020-01-31 22:24:55 +00:00
Tin Lam
b17b378390 Add rally clean up script
This patch set adds in a script that cleans up orphaned or
lingering rally helm test pods.

Depends-On: https://review.opendev.org/#/c/683759/

Change-Id: I94fc8d067b421248cf74fe40b2e8520f63d4417c
Signed-off-by: Tin Lam <tin@irrational.io>
2020-01-31 19:18:01 +00:00
Oleksii Grudev
d467d685a3 Fix health probe for several conductor workers
It was observed that when increasing amount of
conductor workers from default "1" to higher value
the readiness probe fails to check rabbitmq connections
for conductor processes - it happens since the script is trying
to obtain rabbitmq connections for parent conductor process
which in case of workers>1 doesn't open rabbit connections
but spawns child processes which handle rabbitmq
connections instead.
This patch removes the "check-all-pids" option, keeps the logic
but simplifies and fastens the code - instead of checking all
processes when "check-all-pids" option was set (however
regardless of "sock_count value" if only one process opens connection
the check returns positive result) processes will be checked one-by-one
until the first one with open rabbitmq connection(s) is
found.

Change-Id: I72be0bbdefcba77a55b6ceed6e192c9621c069eb
2020-01-31 10:43:06 +00:00
Tin Lam
8e72ff7630 Fix compute-kit netpol job
This patch set addresses a failure in the compute-kit network
policy failing as some application:nova to application:nova
pods communication is blocked.

Change-Id: I29cc044e0d4f10198c23c7c3e132ab0093f91e21
Signed-off-by: Tin Lam <tin@irrational.io>
2020-01-28 12:24:22 +00:00
Tin Lam
12bee1bb97 Migrate default release to Stein
This patch set updates the default job to use OpenStack Stein release.
The previously default Ocata release will be placed in a separate job.

Change-Id: I489324f762a179a2cab5499a6d8e57e97c81297f
Signed-off-by: Tin Lam <tin@irrational.io>
2020-01-09 10:00:31 -06:00
Tin Lam
bf434ffd67 Add capability for using FQDN in nova compute
This patch set adds in a capability for the user to defaultly use a
FQDN for the nova compute hostname and the hypervisor hostname when
the host is not explicitly specified in the .Values.conf override.

Change-Id: I3243068dfe91ebb97b3885002296a0f454822ec5
Co-authored-by: Drew Walters <andrew.walters@att.com>
Signed-off-by: Tin Lam <tin@irrational.io>
2020-01-01 20:01:25 +00:00
sungil
620286117b Improve accuracy for version detection on nova
Because it's almost time for expiring on some python version, OpenStack client
running on that version generates some messages for warning. Two scripts on
nova Fixed by this PS get version information using the OpenStack client
without any protection for these kinds of messages. This PS gives a little
more sophisticated way of it.

Change-Id: I2896c76e012b9acbf1e725276ba9c0b74789fa54
2020-01-01 01:11:05 +00:00
Zuul
bea2073200 Merge "Add capability to wait on compute nodes" 2019-12-17 17:32:42 +00:00
Tin Lam
5057052c70 Fix feature gate envvar overriding
Currently using envsubst to perform substitution of value overrides in
the feature gate caused conflicts as gotpl gets templated into those
overrides. This adds in '%%%REPLACE_${var}%%%' and uses sed to perform
the substitution instead to address the issue.

This is to achieve parity with OSH-infra patch in [0].

[0] https://review.opendev.org/#/c/697749/

Depends-On: https://review.opendev.org/#/c/697749

Change-Id: I3ed504c65900e7b84728019f3acdf706a40c0427
Signed-off-by: Tin Lam <tlam@omegaprime.dev>
2019-12-17 09:49:38 +00:00
Cliff Parsons
58291db1a6 Add capability to wait on compute nodes
This patchset adds the capability to the Nova chart to be able to wait
for a percentage of the compute nodes/hypervisors to become ready/available
before continuing on with the deployment. It will be disabled by default,
because this is a feature that may or may not be needed in production
deployments.

Change-Id: I971151a663afc87e7d62efa4ab3723c5472a3736
2019-12-17 02:48:49 +00:00
Zuul
f09e805abf Merge "Implement Security Context for Nova" 2019-12-02 23:40:13 +00:00
Prateek Dodda
4fdbf3c07a Implement Security Context for Nova
Implement container security context for the following Nova resources:
 - Nova server deployment

Change-Id: Ide4f413d4b27bfbffd4e941ff4f87aefe5a319a8
2019-11-27 15:30:32 -06:00
Pete Birley
b4248a51b6 Nova: Update compute start script to accommodate multiple default routes
This PS updates the nova compute start script to account for cases where
there may be multiple default routes to the outside world.

Change-Id: Ibd051c2577a0ab67aa2a5284fc9ccab799c28953
Signed-off-by: Pete Birley <pete@port.direct>
2019-11-26 15:09:16 -06:00
Tin Lam
a25eccb7cb Implements egress network policy
This patch set adds in the egress policy for core OpenStack Services.

Depends-On: https://review.opendev.org/#/c/679853/

Change-Id: I585ddabcbd640db784520c913af8eddecaee3843
Signed-off-by: Tin Lam <tlam@omegaprime.dev>
2019-11-22 01:16:49 +00:00
Steve Wilkerson
9736f5f544 Update kubernetes-entrypoint image reference
This updates the kubernetes-entrypoint image reference to consume
the publicly available kubernetes-entrypoint image that is built
and maintained under the airshipit namespace, as the stackanetes
image is no longer actively maintained.

Depends-On: https://review.opendev.org/688435

Change-Id: I8e76cdcc9d4db8975b330e97169754a2a407341f
Signed-off-by: Steve Wilkerson <sw5822@att.com>
2019-10-21 13:58:22 +00:00
Steve Wilkerson
6e4ab4aa0c Update ceph-config-helper image
This updates the ceph-config-helper image for the ubuntu distro
based jobs to use an image that includes kubernetes 1.16.2

Change-Id: If063db5e6f0abfab10cd0195b3633c41d8ed560f
Signed-off-by: Steve Wilkerson <sw5822@att.com>
2019-10-18 08:36:26 -05:00
zhipengl
20deb70c75 [Nova] Fix a bug introduced in implementing security context for nova
In daemonset-compute.yaml, it uses a wrong application name
Bug introduced in commit-id:9b42e8a1c0e68404bf13487dbfb699b1bd0e4c01

Change-Id: I614dc9d52d6dd7b346aa0b3f5e0012686de93ced
Signed-off-by: zhipengl <zhipengs.liu@intel.com>
2019-10-12 01:11:36 +00:00
Hemachandra Reddy
3ba23f7ab0 Fix psutil inconsistencies
Python psutil library has not been consistent in behavior
a. gives truncated process names at times
b. the truncated names sometimes contain path to Python instead
of the program name Python runs

Change-Id: I99b77a4c28761a2187e59be4e562d5893ef3caa9
2019-10-07 21:43:15 +00:00
Zuul
24f9b2322a Merge "Add network policy nonvoting checks" 2019-09-27 14:06:26 +00:00
Gage Hugo
c3e085b800 Add network policy nonvoting checks
This change adds two network policy zuul checks, one for the compute-kit,
and one for cinder/ceph, to test network policy for each OpenStack
service. These checks will be non-voting initially.

The network policy rules for each service will initially allow all
traffic. These ingress/egress rules will be defined in future changes
to only explicitly allow traffic between services that are explicitly
allowed to communicate, other traffic will be denied.

Depends-On: https://review.opendev.org/#/c/685130/

Change-Id: Ide2998ebb2af2832f24ca7abc398a82e4a6d70e3
2019-09-26 11:57:15 -05:00
Tin Lam
4817d1de28 Remove explicit call to py2
Python 2 is sunsetting in Jan 2020. We should not be finding python 2
explicitly. This patch removes those calls.

Change-Id: Ie6c9ad77097e662393c5fdd26490ebef25bdc3de
Signed-off-by: Tin Lam <tin@irrational.io>
2019-09-20 13:46:23 +00:00
zhipengl
494212423a Add a config item for novncproxy
In deployment-novncproxy.yaml, it set hostNetwork = true.
In some cases, we may want to let it use cluster network instead of
hostNetwork.
We'd better add a config item, so that client can override it to use
cluster network based on an operator's preferences.

Story: 2006490
Task: 36439

Change-Id: Ia235d4e9542bd9242f9d2713ad1e67870f3016e2
Signed-off-by: zhipengl <zhipengs.liu@intel.com>
2019-09-12 11:57:30 +00:00
Pete Birley
59a017d834 RabbitMQ: Don't mirror reply queues
This PS updates the default RMQ policy to not mirror reply queues
as they cause significant blocking when resorting a rabbit node to
a cluster, with no advantage.

Change-Id: I6f8d4eaa482fcdf3e877bd38caa9b24358ea5be0
Signed-off-by: Pete Birley <pete@port.direct>
2019-07-30 09:54:16 -05:00
Pete Birley
09616b4f3f Nova: Update Cell management to allow db updates and improve rabbit
This PS allows the db connection string for the singular cell that OSH
currently supports to be updated, and also uses the full connection
string for the transport url.

Change-Id: I700133263273e04dad5b3e69d5e1f8255323e560
Signed-off-by: Pete Birley <pete@port.direct>
2019-07-25 12:30:06 +00:00
Pete Birley
467b81a3e4 Nova: Update DB sync job to update transport url
If the transport url changes, cell needs to be updated to use new
transport.

Change-Id: I1a931b5ce272a731be710c43f3fea08abc79af71
Signed-off-by: Pete Birley <pete@port.direct>
2019-07-24 20:49:12 +00:00
Gerry Kopec
34cc0104c8 Nova: add service token
Add capability for nova to send service token.  Default to disabled.
Config setup is similar to keystone_authtoken.

Change-Id: I666f8f52fed50c61f67397b3da58133a2f9b49d3
Signed-off-by: Gerry Kopec <Gerry.Kopec@windriver.com>
2019-07-04 14:10:26 +00:00
Pete Birley
74e4474ec6 OpenStack: Check Stein release on Ubuntu Bionic
This PS adds checks for the Stein Release of OpenStack in Ubuntu Bionic
containers.

Depends-On: https://review.opendev.org/667726

Change-Id: Icfad3434ca496a841993b95adaf5d853728d920f
Signed-off-by: Pete Birley <pete@port.direct>
2019-07-03 00:26:30 +00:00