In Newton we are setting both nova::host and neutron::host values
explicitly to the fqdn.
This can cause problems during an upgrade from Mitaka. The previous host
value (defaulting to python socket.gethostname) could return only the
hostname. It means that during upgrade we are changing this
identifier. At restart nova/neutron creates *new* agents. Those
agents are then unaware of existing workload.
For neutron, the problem is that due to  and the fact the L3 agents
are in HA mode, the previously defined workloads on those agents get lost
and FIPs become unreachable.
For nova, it is no longer possible to send commands to the (pre-upgrade)
existing VMs.
This patch checks the current live value of the host parameter through
a fact and sets the nova::host and neutron::host value to it if we are
not in a deployment (upgrade/update).
For nova, we directly use nova-manage to get the current live value.
Using the mysql parameter directly has the advantage that it's defined
on all types of node (controller *and* compute). As a matter of fact
the required auth parameters are usually not defined on compute nodes.
For neutron, when auth is available in the configuration (on
Controller) we use that. There is no neutron-manage equivalent here
so we use the nova value when auth is unavailable. When host is unset
they both use python.gethostname, so it should be the same value.
Using auth on the controller adds another level of confidence though. And
the controllers are where the L3 agents are, so better be safe than
This patch is Newton only as it's where we are setting this parameter
for the first time. After that (Ocata on) we use to make sure
that those parameters are never rewritten.
 need to be backported to ocata https://review.openstack.org/#/q/I8f075a5ad869ef0dc72a700dcb7be0b6efca787a
In order to support vhostuser client mode, a vhostuser_socket_dir
needs to be created with qemu:qemu g+w permissions.
Co-Authored-By: Sanjay Upadhyay <firstname.lastname@example.org>
Signed-off-by: Karthik S <email@example.com>
(cherry picked from commit 2556c56b5b)
This change enhances the security of the migration ssh tunnel:
- The ssh authorized_keys file is only writeable by root.
- Creates a new user for migration instead of using root/nova.
- Disables SSH forwarding for this user.
- Optionally restricts the networks that this user can connect from.
- Uses an ssh wrapper command to whitelist the commands that this user can run
Requires the openstack-nova-migration package from
(cherry picked from commit f8ca94a5b7)
(cherry picked from commit fd20b306b0)
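The forced-command wrapper mentioned above is the piece that keeps a dedicated migration user from getting a shell. The following is an added illustration, not the openstack-nova-migration package's own wrapper: it assumes sshd invokes it through a command="..." entry in authorized_keys, that the instances directory is /var/lib/nova/instances, and an allow list reduced to the scp and mkdir calls used for a cold migration file copy.

```shell
#!/bin/sh
# Hypothetical SSH forced-command wrapper for a dedicated migration user.
# sshd runs it via command="/path/to/migration-wrapper" in authorized_keys
# and passes the client's requested command in SSH_ORIGINAL_COMMAND.
# The real openstack-nova-migration wrapper and its allow list differ.

INSTANCES_DIR="/var/lib/nova/instances"   # assumed instances directory

# Return 0 when the requested command is on the allow list, 1 otherwise.
is_allowed_migration_cmd() {
    case "$1" in
        # shell metacharacters are never legitimate here: reject them first
        *\;*|*\&*|*\|*|*\`*|*\$*|*\**) return 1 ;;
        *\<*|*\>*|*\(*|*\)*|*\'*|*\"*) return 1 ;;
        # scp sink mode writing only under the instances directory
        "scp -t $INSTANCES_DIR"|"scp -t $INSTANCES_DIR/"*) return 0 ;;
        # creating the per-instance directory on the destination host
        "mkdir -p $INSTANCES_DIR/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Entry point used when sshd invokes the wrapper as a forced command.
run_wrapper() {
    if [ -z "$SSH_ORIGINAL_COMMAND" ]; then
        # an empty command means an interactive shell was requested
        logger -t migration-wrapper "refused interactive shell"
        return 1
    fi
    if is_allowed_migration_cmd "$SSH_ORIGINAL_COMMAND"; then
        # metacharacters were rejected above, so word splitting is safe
        exec $SSH_ORIGINAL_COMMAND
    fi
    logger -t migration-wrapper "refused command: $SSH_ORIGINAL_COMMAND"
    return 1
}

# Act only when installed under the expected script name, so the functions
# can be sourced and checked without executing anything.
case "${0##*/}" in
    migration-wrapper) run_wrapper || exit 1 ;;
esac
```

Pair it with no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty and a from="..." restriction on the same authorized_keys line so the allow list is the only thing the key can do.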
This patch configures SSH tunneling for nova cold-migration and reuses the
tunnel for libvirt live-migration unless TLS has been enabled.
(cherry picked from commit ccbcd11276)
(cherry picked from commit 4e398a76de)
We configure apache in step 3 so horizon should be configured at the
same time or else updates will cause horizon to be unavailable during the
(cherry picked from commit e292871741)
The lookup_hiera_hash function is meant to look up the value
of a given key from a given Hiera hash. In the manifests this is
possible by saving the value of the hash in a variable first but
when driving lookups from the Heat templates we can't do it.