156 Commits

Author SHA1 Message Date
Takashi Kajinami
0ed626e146 Use system scope credentials in providers
This change enforces usage of system scope credentials to manage
flavors, aggregates, and services, following the new policy rules for
SRBAC support in nova.

The logic to look up credential for the nova service user from
[keystone_authtoken] is left to keep backward compatibility but is
deprecated and will be removed.

Depends-on: https://review.opendev.org/806474
Depends-on: https://review.opendev.org/828025
Depends-on: https://review.opendev.org/828874
Change-Id: I71779f0f1459d64914589a94a440336386266306
2022-02-21 14:54:47 +00:00
Takashi Kajinami
77138476e0 nova_flavor: Add the new project_name property
The nova_flavor resource has been providing the project property which
accepts both project name and id. However this implementation results
in broken idempotency with project name used.

This change introduces a separate project_name property, so that users
can use project name with proper idempotency.

Closes-Bug: #1790795
Change-Id: Idee4af6931b8cf4a21d88f4cd38fe83468ec8efa
2022-02-18 01:32:03 +09:00
Zuul
4db2df55a9 Merge "nova_flavor: Strip '' from project id value" 2022-02-15 10:31:00 +00:00
Zuul
c008eb0143 Merge "nova_flavor: Refactor property setter" 2022-02-14 20:00:29 +00:00
Takashi Kajinami
f40bf357c0 nova_flavor: Refactor property setter
This change replaces redundant implementation of some property setters
by the common template.

Change-Id: I527aa84d52dd787169e38f81a1c2fde9f67a3046
2022-02-13 23:15:34 +09:00
Takashi Kajinami
599703b530 Remove unused str2hash
Change-Id: I9732ccbdafa79b11d8cb4955381794b922e16385
2022-02-13 21:34:35 +09:00
Takashi Kajinami
0ce7d9fe9e Ensure auth_endpoint is cleared by reset
Change-Id: I9d81eff950a50a2139c874ecc426040bcc0a93d4
2022-02-12 23:20:34 +09:00
Takashi Kajinami
60acc82c22 Fix missing update of property_hash
When a resource is created, the :ensure parameter should be set to
'present' so that exists returns true. In addition, the whole hash
should be cleared when a resource is deleted, otherwise subsequent
access might look up stale values. This change ensures property_hash is
updated in create/destroy accordingly.

This change also fixes the incorrect handling of "project" property
in nova_flavor which is causing unexpected update.

Finally, the ignored unit tests are fixed, to test the above fixes.

Change-Id: I611e3d0428674e7438fe15b276667f7b379d136e
2022-02-12 23:19:38 +09:00
Takashi Kajinami
ed1b0dbf3a nova_flavor: Strip '' from project id value
Currently the project field shows a list of projects like:

project=['ec085e18-22bb-403b-8ba5-0f9c6d67dffa']

The commit 86764de9cd90b9b09898da6061aaa786906620df added the logic to
handle this format but it missed the surrounding quotes (') which should
also be removed.

Change-Id: If65221db5a9e60e797b834a305d385d3fea4db16
2022-02-12 00:40:19 +09:00
Takashi Kajinami
3b47f97063 Remove inefficient usage of autorequire
This change removes inefficient usage of autorequire, with the wrong
resource name (the resource name should include the section name) in
some resource types. The necessary dependency is already enforced by
another autorequire which depends on service::end anchor.

Change-Id: I0993e2c9ed80d476ca984edf9d6167818a1cb1bb
2022-01-20 22:51:30 +09:00
Takashi Kajinami
6bf4526ff1 Add support for rootwrap.conf
Change-Id: I69a85a9fc5179d984325747c63b3bb52a0153b22
2021-12-27 12:03:58 +09:00
Takashi Kajinami
1f43e25cc7 Allow customizing separator for api-paste.ini
The api-paste.ini accepts not only "=" but also ":" and some services
like Barbican have been using ":" for their default api-paste.ini
files.

[composite:main]
use = egg:Paste#urlmap
/: barbican_version
/v1: barbican-api-keystone

This change allows users to use ":" so that they can update the ini
files while keeping them consistent with the default files.

Depends-on: https://review.opendev.org/813614
Change-Id: I8ebe0c65b0e71380ba5a58a81b57e595e8dd29f8
2021-10-15 13:57:01 +09:00
Takashi Kajinami
414830e48b Remove the deprecated nova_api_paste_ini resource type
Change-Id: I7868ad180e5691b94507b09fc5b61459ed7265e0
2021-10-15 13:57:01 +09:00
Rajesh Tailor
448c9d3517 Enable support for Libvirt modular daemons
This change enables support for modular libvirt
daemon configurations.

NOTE: As of now, this change doesn't handle any modular daemons
socket configuration.

Change-Id: I90c3dd7bd63f9f54e43eee7bc2f58d165ca80e57
2021-09-28 23:34:14 +09:00
Takashi Kajinami
55874cb8ea Remove resource types to manage security groups and rules
The nova_security_group resource type and the nova_security_rule
resource type are dependent on subcommands of nova cli which were
already removed during Pike cycle[1][2]. This change removes these
invalid resource types.

Deprecation process is skipped because these resource types have not
worked as intended for a long period and we don't expect any user is
still using these invalid implementations.

[1] security group      : a298b29cc7e6b7330945b1890f0a4bd4c9f3fde6
[2] security group rules: 0896bdc52a307c0b9598da0b6b837a95f0c00b9a

Closes-Bug: #1941947
Change-Id: Ic72911bab169b0ab171a1701b6871a3d03f7951b
2021-08-28 22:40:34 +09:00
Erik Berg
7111aa75f9 Allow for a more permissible regex
Some openstack installations use characters that are not in \w, the
old regex, now moved to string2hash was more permissible, and
there's probably no reason the regex in pythondict2hash can't be
just as permissible.

Change-Id: I35b964d96e6a558f1a10daa2391a398db60ea800
2021-08-09 11:37:46 +02:00
Takashi Kajinami
26dbd52717 Libvirt: quote config parameters in resource types
This change implements the quote parameter in libvirtd_config and
virtlogd_config, so that we can quote the value by that simple
parameter instead of implementing a logic in each manifest.

Also, with this change libvirtd_config and virtlogd_config support
$::os_service_default, so that we can define absence of parameters more
easily.

Depends-on: https://review.opendev.org/792735
Change-Id: I3030ca34088019be932a9cc33344f7fb473a9aea
2021-06-22 16:13:52 +05:30
Zuul
0367a5ceed Merge "Clean up floating ip pool management for nova-network" 2021-04-27 12:11:00 +00:00
Zuul
c9234bcaed Merge "Debian api_uwsgi_config: Switch to :ini_setting" 2021-04-26 16:27:21 +00:00
Takashi Kajinami
1c0a03c6d8 Clean up floating ip pool management for nova-network
... because it was deprecated during the previous cycle and has been
useless since nova-network was removed.

Change-Id: If637debcd25b17183311e16e1bf5b76c453c634f
2021-04-26 22:08:55 +09:00
Zuul
5d18eb4152 Merge "nova_flavor: Accept array format about access_project_ids" 2021-04-20 15:21:42 +00:00
Thomas Goirand
98f286cd7b Debian api_uwsgi_config: Switch to :ini_setting
On each puppet run, I'm seeing:
value changed ['12'] to '12' (corrective)

Therefore, this patch switches from :openstackconfig to :ini_setting
to make runs idempotent.

Change-Id: I2bd2a61263db8d7e54397ab85b4c51b79644adf2
2021-04-20 17:03:48 +02:00
Takashi Kajinami
86764de9cd nova_flavor: Accept array format about access_project_ids
The latest openstackclient doesn't show none but an empty array ([]) when
no access_project_ids is set for a flavor.
This change ensures that array format is properly handled to avoid
error during updating nova flavor using the nova_flavor resource.

Closes-Bug: #1924222
Change-Id: I976f70f1f4015536201c6c3acac3f1e4dbca4ccb
2021-04-15 14:31:00 +09:00
Thomas Goirand
8334bd3666 Add support for nova_api_{metadata_,}uwsgi_config in Debian
This patch is adding the configuration of the number of workers,
threads, and the size of the listen queue in Debian, which uses
uwsgi to run Nova API and api-metadata. Therefore, this patch adds
two new nova_api_uwsgi_config and nova_api_metadata_uwsgi_config
providers as well as two new nova::wsgi::uwsgi_api and
nova::wsgi::uwsgi_api_metadata classes.

Change-Id: Idd141edc5cddcfd79cf23e2041dbd1ce6a8252a8
2021-04-11 00:19:00 +02:00
Takashi Kajinami
1f1428e01b Fix wrong notification between api service and httpd
nova-api service should be stopped before httpd service is started,
thus nova-api should notify httpd.

Change-Id: Ibffb65269daaeca62554cfbecb536361ab70611a
2020-10-19 07:55:08 +09:00
Takashi Kajinami
924e9d3f02 Deprecate floating ip pool management for nova-network
Change-Id: If6bd13bed00ab954eb2b920dd5f1a59fcbeee736
2020-08-27 08:48:54 +09:00
Takashi Kajinami
fa5e4ff7cb Use anchor to require necessary packages
... so that correct packages are required accordingly without re-defining
them in resource implementations.

Change-Id: If3ae4736d655975d83f49676b8128d4e9f8b0cf4
2020-05-04 03:18:02 +09:00
Takashi Kajinami
b5c5d7acc3 Rename nova_paste_api_ini to nova_api_paste_ini
... so that the name is consistent with the other puppet modules.

Change-Id: I8237b7760f3f7a7bf2806524b2582ef85d3bc6d5
2020-05-03 00:34:19 +09:00
Takashi Kajinami
bccf7a3959 Refer keystone_authtoken instead of neutron to detect region
... because we generally use parameters under keystone_authtoken
to find credentials.

This patch also removes useless and incorrect handling about keystone
version, so that domain parameters are correctly set.

Change-Id: Ibfd489e977e8f8f52defecacc00cb8afcd1596a1
2020-04-15 11:07:04 +09:00
Takashi Kajinami
9e07a3f69a Add support to configure virtlogd
Add a new class nova::compute::libvirt::virtlogd to manage virtlogd
configuration, which is located in /etc/libvirt/virtlogd.conf.

Change-Id: Iddfec9557ac93935744aa96b813eb54bda876deb
2019-12-10 21:31:40 +09:00
Emilien Macchi
edcd126dab Fix properties in nova_aggregate provider for osc >= 4.0.0
Similar to I6a68505d15473b140c85a199a09d2fee45864800

Openstackclient 4.0.0 changed the way some properties are displayed
on screen.

Old:
...,"Properties"
...,"foo='bar'"

New:
...,"Properties"
...,"{u'foo': u'bar'}"
or
...,"{'foo': 'bar'}"

This is breaking idempotency on the nova_aggregate provider, since it
does not detect them correctly. This patch aims at fixing this, by
trying to detect the new format, and using JSON parsing in that case.

Closes-Bug: #1845616
Depends-On: https://review.opendev.org/#/c/685537/
Change-Id: I7e8fef9fdb913e53fa459ce09577f574fd059a13
2019-09-30 15:18:32 -04:00
Zuul
a6e7f4cf12 Merge "Remove nova-network code" 2019-05-22 22:59:23 +00:00
Brian Haley
b3028e63ee Change to use non-deprecated security group rule syntax
--src-ip and --src-group were deprecated in 2016, change
to use --remote-ip and --remote-group, respectively.
Related to https://review.opendev.org/#/c/659400/

Change-Id: Ie609380b130410e3548eeacffd72871c6b5722ea
2019-05-16 10:51:27 -04:00
Tobias Urdin
8cae2def75 Remove nova-network code
These were deprecated last cycle and can now be removed.

Depends-On: https://review.opendev.org/#/c/658557/
Change-Id: I6f7fde1f475acec82bafc66183211f317b4c7795
2019-05-11 21:23:36 +02:00
Tobias Urdin
5302224c85 Remove cells v1 code
Removes all the deprecated cells v1 code that was
deprecated in the Stein release.

Change-Id: I9171fbb957174b60b4f69bab48d1386b523af3bd
2019-05-01 01:09:22 +02:00
Tobias Urdin
d65396b7b4 Use puppet4 functions-api
Change-Id: I3aad89ddc53d08c4357dd278f8dc6560137ab0ae
2018-12-17 23:22:34 +00:00
Zuul
aea8506c0a Merge "Deprecate nova-network code" 2018-11-19 03:54:30 +00:00
Tobias Urdin
fa8660917a Add cells v1 deprecation notice and remove broken code
In Nova cells v1 has been deprecated since Ocata but we
have no notices about it. This adds warnings about it
being deprecated and will be removed.

The functionality in nova::cells when passing create_cells
parameter is broken and has therefore been removed and
instead outputs a warning and is deprecated.

A known issue has been added to the release notes to inform
about this. It's probably safe to say that nobody is using it
since it has been broken since we switched over to transport_url
for rabbit, it's also safe to probably assume that no deployments
that run cell v1 right now will be running a later version of Nova.

Closes-Bug: 1687395
Change-Id: I564fc4f43a752b051280dce095a52ca4d477fb09
2018-11-02 14:59:39 +01:00
Tobias Urdin
1296187b85 Deprecate nova-network code
Nova will be removing nova-network soon, this deprecates all
the classes and parameters that are related to nova-network
and will be removed when nova removes its support.

Please see references in nova.conf [1] and the nova release notes. [2]

[1] https://docs.openstack.org/nova/rocky/configuration/sample-config.html
[2] https://docs.openstack.org/releasenotes/nova/rocky.html

Depends-On: https://review.openstack.org/#/c/614577/
Change-Id: If87ad30e1be62cb767d98045d075340c9513bc90
2018-11-02 14:47:22 +01:00
Alex Schultz
3d877926f0 Fixup functions for 5.5.7+
Recent changes to Puppet (5.5.7+) have broken some of the legacy function
items we were doing in puppet-nova. We'll likely need to update all the
functions to the new syntax but for now this change is to address
current issues.

Change-Id: If1d675cec6fe64e8a812fb638078b0ab1c66b5de
Closes-Bug: #1799757
2018-10-25 08:12:35 -06:00
Matthias Bastian
24b9b667ed Make providers use auth_url for authentication
When reading credentials from the configuration's keystone_authtoken
section www_authenticate_uri was used as URL for Keystone.
As www_authenticate_uri is a public endpoint that is not necessarily
reachable for the Puppet agent, this change uses the more appropriate
auth_url as Keystone URL.

Change-Id: I52fdeaaf773e0fc7e111e58ffb02ef9485eed260
2018-08-06 10:45:27 +02:00
Zuul
dd0cc6650c Merge "Fix nova_aggregate parse when multiple metadata" 2018-08-02 21:19:40 +00:00
Alexandre Arents
92d6a7f717 Fix nova_aggregate parse when multiple metadata
Change-Id: I9fd52059aea1c944089de0cd02a6400c9d60b3e8
Closes-Bug: #1779836
2018-08-02 14:19:41 +02:00
Oliver Walsh
6938710091 Stop logging sensitive data in cell_v2 provider
Parses the nova cell_v2 transport_uri/database_connection and rebuilds with
the password hidden in is_to_s and should_to_s (used for logging the changes).

Change-Id: I6523ed70536e438d38d9165e31d5d4d214bbc62c
2018-08-01 21:05:06 +01:00
Mathieu Gagné
4a4ac4a3cc Add aggregate metadata unset support to nova_aggregate
Feature was waiting for python-openstackclient to add support
for the "openstack aggregate unset" command. This is now available in 2.4.0.

Closes-bug: #1776772
Change-Id: Id6ddd9d0a193819c9f69ea138554a2647bcd8ae3
2018-06-13 17:54:19 -04:00
Zuul
e6a762a213 Merge "Deprecate auth_uri option" 2018-05-02 19:31:15 +00:00
Rajesh Tailor
69d90c63ac Trivial-Fix: fix typos
Change-Id: I2dde3b2b951b469a889f63ab3fed75978f3de381
2018-04-18 16:50:41 +05:30
ZhongShengping
20d93c4148 Deprecate auth_uri option
Option auth_uri from group keystone_authtoken is deprecated[1].
Use option www_authenticate_uri from group keystone_authtoken.

[1]https://review.openstack.org/#/c/508522/

Change-Id: I0dd36ef1f1f5dcdc57413736ecb8f2555712c36d
Depends-On: I4c82a63baabd6b9304b302c97cd751a0103d8316
Closes-Bug: #1759098
2018-04-05 10:50:06 +08:00
Zuul
77ef32602d Merge "Add the option to only aggregate hosts that are known by openstack to be active" 2018-03-19 21:41:03 +00:00
Juan Antonio Osorio Robles
277c4c9fdf novajoin: Optionally configure kerberos
This enables the puppet module to optionally create a minimal kerberos
configuration. This is especially useful when running novajoin inside a
container, since when running with SELinux enabled, we sometimes cannot
load the kerberos configuration from the host due to some includes
pointing to /var/lib.

Change-Id: I554125fd6b48e620370f9e3a6061bbdc1d55b0ae
2018-03-13 20:31:41 +02:00