365 Commits

Author SHA1 Message Date
Steve Wilkerson
9736f5f544 Update kubernetes-entrypoint image reference
This updates the kubernetes-entrypoint image reference to consume
the publicly available kubernetes-entrypoint image that is built
and maintained under the airshipit namespace, as the stackanetes
image is no longer actively maintainedy

Depends-On: https://review.opendev.org/688435

Change-Id: I8e76cdcc9d4db8975b330e97169754a2a407341f
Signed-off-by: Steve Wilkerson <sw5822@att.com>
2019-10-21 13:58:22 +00:00
Steve Wilkerson
6e4ab4aa0c Update ceph-config-helper image
This updates the ceph-config-helper image for the ubuntu distro
based jobs to use an image that includes kubernetes 1.16.2

Change-Id: If063db5e6f0abfab10cd0195b3633c41d8ed560f
Signed-off-by: Steve Wilkerson <sw5822@att.com>
2019-10-18 08:36:26 -05:00
zhipengl
20deb70c75 [Nova] Fix a bug introduced in implementing security context for nova
In daemonset-compute.yaml, it uses a wrong application name
Bug introduced in commit-id:9b42e8a1c0e68404bf13487dbfb699b1bd0e4c01

Change-Id: I614dc9d52d6dd7b346aa0b3f5e0012686de93ced
Signed-off-by: zhipengl <zhipengs.liu@intel.com>
2019-10-12 01:11:36 +00:00
Hemachandra Reddy
3ba23f7ab0 Fix psutil inconsistencies
Python psutil library has not been consistent in behavior
a. gives trucated process names at times
b. the truncated names sometimes contain path to Python instead
of the program name Python runs

Change-Id: I99b77a4c28761a2187e59be4e562d5893ef3caa9
2019-10-07 21:43:15 +00:00
Zuul
24f9b2322a Merge "Add network policy nonvoting checks" 2019-09-27 14:06:26 +00:00
Gage Hugo
c3e085b800 Add network policy nonvoting checks
This change adds two network policy zuul checks, one for the compute-kit,
and one for cinder/ceph, to test network policy for each OpenStack
service. These checks will be non-voting initially.

The network policy rules for each service will initially allow all
traffic. These ingress/egress rules will be defined in future changes
to only explicitly allow traffic between services that are explicitly
allowed to communicate, other traffic will be denied.

Depends-On: https://review.opendev.org/#/c/685130/

Change-Id: Ide2998ebb2af2832f24ca7abc398a82e4a6d70e3
2019-09-26 11:57:15 -05:00
Tin Lam
4817d1de28 Remove explicit call to py2
Python 2 is sunsetting in Jan 2020. We should not be finding python 2
explicitly. This patch removes those calls.

Change-Id: Ie6c9ad77097e662393c5fdd26490ebef25bdc3de
Signed-off-by: Tin Lam <tin@irrational.io>
2019-09-20 13:46:23 +00:00
zhipengl
494212423a Add a config item for novncproxy
In deployment-novncproxy.yaml, it set hostNetwork = true.
In some cases, we may want to let it use cluster network instead of
hostNetwork.
We'd better add a config item, so that client can override it to use
cluster network based on an operators preferences.

Story: 2006490
Task: 36439

Change-Id: Ia235d4e9542bd9242f9d2713ad1e67870f3016e2
Signed-off-by: zhipengl <zhipengs.liu@intel.com>
2019-09-12 11:57:30 +00:00
Pete Birley
59a017d834 RabbitMQ: Dont mirror reply queues
This PS updates the default RMQ policy to not mirror reply queues
as they cause signifigant blocking when resorting a rabbit node to
a cluster, with no advantage.

Change-Id: I6f8d4eaa482fcdf3e877bd38caa9b24358ea5be0
Signed-off-by: Pete Birley <pete@port.direct>
2019-07-30 09:54:16 -05:00
Pete Birley
09616b4f3f Nova: Update Cell management to allow db updates and improve rabbit
This PS allows the db connection string for the singular cell that OSH
currently supports to be updated, and also uses the full connection
string for the transport url.

Change-Id: I700133263273e04dad5b3e69d5e1f8255323e560
Signed-off-by: Pete Birley <pete@port.direct>
2019-07-25 12:30:06 +00:00
Pete Birley
467b81a3e4 Nova: Update DB sync job to update transport url
If the transport url changes, cell needs to be updated to use new
transport.

Change-Id: I1a931b5ce272a731be710c43f3fea08abc79af71
Signed-off-by: Pete Birley <pete@port.direct>
2019-07-24 20:49:12 +00:00
Gerry Kopec
34cc0104c8 Nova: add service token
Add capability for nova to send service token.  Default to disabled.
Config setup is similar to keystone_authtoken.

Change-Id: I666f8f52fed50c61f67397b3da58133a2f9b49d3
Signed-off-by: Gerry Kopec <Gerry.Kopec@windriver.com>
2019-07-04 14:10:26 +00:00
Pete Birley
74e4474ec6 OpenStack: Check Stein release on Ubuntu Bionic
This PS adds checks for the Stein Release of OpenStack in Ubuntu Bionic
containers.

Depends-On: https://review.opendev.org/667726

Change-Id: Icfad3434ca496a841993b95adaf5d853728d920f
Signed-off-by: Pete Birley <pete@port.direct>
2019-07-03 00:26:30 +00:00
Hemachandra Reddy
287602fe20 Support for RabbitMQ HA
There can be more than one RabbitMQ node in
transport_url in conf file when RabbitMQ is
configured in HA mode.

Change-Id: I9721e2e33212918d402bce295c02b1869dce67f7
2019-07-02 16:10:44 +00:00
Pete Birley
fd37d61b12 Nova: Provide method for removing sections from nova compute conf
This PS provides a method to redact sectionf from the nova compute
configuration file. By default this is configured to redact the
db connection strings, and sections.

Change-Id: Ifb50b932155c166634bb8a88363f6c02fbde8389
Signed-off-by: Pete Birley <pete@port.direct>
2019-06-28 16:55:29 -05:00
Zuul
fcca95f3a4 Merge "Set threads=1 for wsgi applications" 2019-06-27 12:56:31 +00:00
Vasyl Saienko
3d6557279f Set threads=1 for wsgi applications
Due to Python's GIL [1], we can't use multiple threads for running
OpenStack services without a performance penalty, since the execution
ends up serialized, which defeats the purpose.

Instead, we should use several processes, since this approach doesn't
have this limitation.

[1] https://wiki.python.org/moin/GlobalInterpreterLock

This patch updates processes and threads accordingly for:
  aodh
  panko
  nova
  
Related issue was fixed in different deployment tools like puppet
https://bugs.launchpad.net/puppet-keystone/+bug/1602530

Change-Id: Ia8eb4a1f3ed826e206edb94c680f40bcec44e9d7
2019-06-27 09:33:10 +00:00
Pete Birley
e5f8fcf728 Container Distro: Add checks for OS (rocky) in Ubuntu Bionic
This PS adds checks for running the Rocky release of Openstack under
Python3 in Ubuntu Bionic containers.

Change-Id: I269cef9f8f157e22f6b857822df9a8960dac6ea8
Signed-off-by: Pete Birley <pete@port.direct>
2019-06-26 10:36:26 -05:00
Zuul
ab74ec67bd Merge "Change to use mkisofs for SUSE Nova image" 2019-06-26 13:37:25 +00:00
Pete Birley
6606c8bc2e OpenStack: Check Rocky release on Ubuntu Xenial
This PS adds checks for the Rocky Release of OpenStack in Ubuntu Xenial
containers.

Change-Id: Ieed4a6a3afa6e3ebd9b2f72ba227aac891d65214
Signed-off-by: Pete Birley <pete@port.direct>
2019-06-25 21:14:28 +00:00
Pete Birley
ffb24e337c OpenStack: Check Queens release on Ubuntu Xenial
This PS adds checks for the Queens Release of OpenStack in Ubuntu Xenial
containers.

Change-Id: I0d4d427e43f06fa955dfd275859939d0adca113c
Signed-off-by: Pete Birley <pete@port.direct>
2019-06-25 21:10:26 +00:00
Pete Birley
184b3e4326 OpenStack: Check Pike release on Ubuntu Xenial
This PS adds checks for the Pike Release of OpenStack in Ubuntu Xenial
containers.

Change-Id: I402584bbcdd53a4a6bc21f370586b3498142bf81
Signed-off-by: Pete Birley <pete@port.direct>
2019-06-22 11:20:55 +00:00
Pete Birley
9bcf0df94c Messaging: use htk function to directly hit RabbitMQ servers
This PS updates the charts to use the htk function recently introduced
to allow oslo.messaging clients ans servers to directly hit their
backends rather than using either DNS or K8S svc based routing.

Depends-On: I5150a64bd29fa062e30496c1f2127de138322863

Change-Id: I458b4313c57fc50c8181cedeca9919670487926a
Signed-off-by: Pete Birley <pete@port.direct>
2019-06-18 21:47:45 +00:00
Zuul
cd460f12c2 Merge "Rafactoring volume mount variables in db sync job" 2019-06-18 18:24:18 +00:00
Oleh Hryhorov
89f5bfe3ac Creating directory from ${APACHE_RUN_DIR} variable
If an image is built with python3 therefore libapache2-mod-wsgi-py3
module have to be installed accordingly but the module doesn't create
/var/run/apache2 directory which is APACHE_RUN_DIR in apache configuration
file so apache can't start without it due to the fact that the directory
is used to make there pid, run, etc files.

Change-Id: Ic92b095e9d7636c3ed833241bd3badbb4bb6e552
2019-06-18 06:02:47 +00:00
Pete Birley
31bd9c832d Logs: Make it optional to use log_config_append option
This PS enables the use of simple logging options if desired.

Change-Id: If6ea420c6ed595b3b6b6eedf99a0bf26a20b6abf
Signed-off-by: Pete Birley <pete@port.direct>
2019-06-17 13:51:21 -05:00
Pete Birley
5ccd3a9e95 Nova: Fix metadata deps
This PS fixes the nova metadata deps to permit operation without
and ingress controller and prevent a circular dep chain.

Change-Id: I265d488e8024967685c5587d7a7cd24281011f3b
Signed-off-by: Pete Birley <pete@port.direct>
2019-06-17 17:07:50 +00:00
Pete Birley
d0b135cd77 AMPQ: update ha policy regex
Change-Id: I2f023c2e41a52b5753cdb77e93c9e876bc60a87d
Signed-off-by: Pete Birley <pete@port.direct>
2019-06-11 12:17:22 -05:00
Zuul
0ee6063173 Merge "Implement Security Context for Nova" 2019-06-04 21:16:34 +00:00
pd2839
9b42e8a1c0 Implement Security Context for Nova
Implement container security context for the following Nova resources:
 - Nova server deployment

Change-Id: I02743cff46d9a043ccb029547c819fafd9da3611
2019-06-03 12:31:18 -05:00
Gage Hugo
976cab856c Create separate users for helm test
Currently each service uses the same name for their helm test user,
"test". While this works when services are ran sequentially, when
multiple services are deployed and tested at the same time, it can
lead to a race condition where one service deletes the user before
the other is done testing, causing a failure.

This change makes it so that each service defines its own test user
in the form of [service]-test.

Change-Id: Idd7ad3bef78a039f23fb0dd79391e3588e94b73c
2019-06-03 11:26:18 -05:00
James Gu
249bfd1227 Change to use mkisofs for SUSE Nova image
SUSE Nova image installs mkisofs instead of genisoimage. Set the
mkisofs_cmd property in nova.conf to mkisofs.

Change-Id: I4a5b53da6684e006c661df0bf1f1a7c17d8058b4
2019-05-30 23:06:47 -07:00
Zuul
c8a012c477 Merge "fix wrong mount key for scheduler and consoleauth" 2019-05-30 13:28:41 +00:00
John Haan
0ea9be7ade Rafactoring volume mount variables in db sync job
This patch make the db sync job template follows the same pattern
that other templates utilize the variables to make in a predictable
pattern.

Change-Id: Idbedd046c6b4fd001cf63004ffac792173a5778b
Story: 2005754
Task: 33457
2019-05-22 17:47:03 +09:00
Zuul
f8adab245b Merge "Point to OSH-images images" 2019-05-18 19:12:58 +00:00
JohnHaan
8157acc618 fix wrong mount key for scheduler and consoleauth
nova-scheduler and consoleauth define wrong
name for value of volume mount.

Change-Id: I398596fa65b15cae35e5df5a23bafd8e8db077a2
2019-05-17 16:35:05 +09:00
Jean-Philippe Evrard
1d335146fa Point to OSH-images images
We now have a process for OSH-images image building,
using Zuul, so we should point the images by default to those
images, instead of pointing to stale images.

Without this, the osh-images build process is completely not
in use, and updating the osh-images process or patching its
code has no impact on OSH.

This should fix it.

Change-Id: I672b8755bf9e182b15eff067479b662529a13477
2019-05-13 10:58:02 +02:00
Roy Tang (rt7380)
5df6fa3789 Expose Anti-Affinity Weight Setting.
Add weight default setting to anti-affinity.

Depends-on: Id8eb303674764ef8b0664f62040723aaf77e0a54
Change-Id: I09f96522cddf3a77dae73daca4557877eda5df50
2019-05-10 22:05:24 -05:00
Zuul
02af9df330 Merge "Use nova's ping method to find out if the service is alive" 2019-05-08 00:37:34 +00:00
Jiří Suchomel
baf5356a4f Use nova's ping method to find out if the service is alive
Currently there is fake rpc call "pod_health_probe_method_ignore_errors"
that is passed to the service, just to find out if it is responding. Because
such method does not exist, it is needed to catch and handle the exception
that is inevitably thrown by the service.

While this is technically working correctly, the exceptions pollute the
log files and make it harder for user to see possible real errors.

This is how the error looks like:

ERROR oslo_messaging.rpc.server [-] Exception during message handling: oslo_messaging.rpc.dispatcher.UnsupportedVersion: Endpoint does not support RPC version 1.0. Attempted method: pod_health_probe_method_ignore_errors
ERROR oslo_messaging.rpc.server Traceback (most recent call last):
ERROR oslo_messaging.rpc.server   File "/var/lib/openstack/lib/python3.6/site-packages/oslo_messaging/rpc/server.py", line 163, in _process_incoming
ERROR oslo_messaging.rpc.server     res = self.dispatcher.dispatch(message)
ERROR oslo_messaging.rpc.server   File "/var/lib/openstack/lib/python3.6/site-packages/oslo_messaging/rpc/dispatcher.py", line 276, in dispatch
ERROR oslo_messaging.rpc.server     raise UnsupportedVersion(version, method=method)
ERROR oslo_messaging.rpc.server oslo_messaging.rpc.dispatcher.UnsupportedVersion: Endpoint does not support RPC version 1.0. Attempted method: pod_health_probe_method_ignore_errors

This situation is new since https://review.openstack.org/#/c/639711/
which (correctly) increased the default level of logging. Before 639711
error messages from oslo (both real and ones that could be ignored) were not
present in nova logs at all.

Fortunatelly, nova's BaseAPI class provides 'ping' method that is can
be used for this basic purpose by all nova components.

Change-Id: I0062e74bed399206becb8d9e00f9ec805da864a3
2019-05-02 10:26:47 +02:00
Zuul
7f95467e3d Merge "Replace git.openstack.org URLs with opendev.org URLs" 2019-05-01 16:11:28 +00:00
Zuul
778f13f568 Merge "Start nova sshd container only if enabled" 2019-05-01 15:09:37 +00:00
Zuul
5361c3282a Merge "Add OpenSUSE Leap15 testing" 2019-04-26 16:44:16 +00:00
caoyuan
cb77d3adff Replace git.openstack.org URLs with opendev.org URLs
Change-Id: I9a7bcee8727cb127d57ccb4dce1183895a4130cd
2019-04-25 00:37:57 +08:00
Zuul
22289a945c Merge "OSH: Add emptydirs for tmp" 2019-04-20 15:27:24 +00:00
Pete Birley
623c131292 OSH: Add emptydirs for tmp
This PS adds emptydirs backing the /tmp directory in pods, which
is required in most cases for full operation when using a read only
filesystem backing the container.

Additionally some yaml indent issues are resolved.

Change-Id: I9df8f70e913b911ff755600fa2f669d9c5dcb928
Signed-off-by: Pete Birley <pete@port.direct>
2019-04-20 08:55:44 -05:00
hagun.kim
360ee8255e Fix novnc init asset copy options
When novnc pod is re-run because of host reboot and so on,

novnc pod has existing volume /tmp/usr/share, which has 0444 permissions.

So init container occurs an error while it tries to copy asset files.

cp: cannot create regular file '/tmp/usr/share/novnc/index.html': Permission denied

With -f option, the init container can copy without errors.

Change-Id: I56d928b7f4a30a6be29b47560357a3b4f5eec764
Signed-off-by: hagun.kim <hagun.kim@samsung.com>
2019-04-19 16:48:50 +09:00
Zuul
3dfb927c2b Merge "Add an option to the health probe to test all pids" 2019-04-18 06:17:03 +00:00
Zuul
9928f5c819 Merge "Allow more generic overrides for nova placement-api" 2019-04-17 05:48:43 +00:00
Jean-Philippe Evrard
a828d38316 Add OpenSUSE Leap15 testing
There is currently no testing of the Leap 15 images in OSH.

This addresses it by:
- Using the values_overrides folder according to the multi-os
  spec, creating value override files there for changes that
  needs to happen on Leap 15 images.
- Point to the right images using the previously created folder,
  to allow using those in CI easily.
- Change CI to use previously created overrides.

Depends-On: https://review.openstack.org/#/c/651501
Change-Id: I520d3676195c62b253a19397c86b0d0fbabee710
2019-04-15 11:15:35 +02:00