- Modifying permissions to prevent non-root users from seeing passwords
in the /opt/dc/ansible folder
Change-Id: I90cad757c116b2d4b8b355c3cfe81d0c4e357138
Story: 2004766
Task: 35756
Signed-off-by: Tyler Smith <tyler.smith@windriver.com>
- Adding the /opt/dc/ansible folder to store inventory and override
files for configuring subclouds
Change-Id: I8231937e13c2fdb033b0e31879705053aff193ee
Story: 2004766
Task: 35756
Signed-off-by: Tyler Smith <tyler.smith@windriver.com>
This update changes pycrypto to cryptography in
keystone-api-proxy image directives file.
In addition, sysinv and cgtsclient are added as dependencies
as they are now required by keystone-api-proxy.
Change-Id: Iff2765d371b28e991a6dd127fcec36d44472952d
Story: 2004766
Task: 30454
Depends-On: https://review.opendev.org/#/c/663764/
Signed-off-by: Tao Liu <tao.liu@windriver.com>
This update contains the build instructions for the newly introduced
DB record synchronization service. This new service provides REST
APIs to read/write/update identity database. The REST APIs are
intended to be used internally by DC Orchestrator to synchronize
identity resources between central cloud and subclouds.
(cherry picked from commit e628cc02d0dc8573f5dd59893a5c080a653063b4)
Conflicts:
distributedcloud/centos/distributedcloud.spec
Story: 2002842
Task: 22787
Depends-On: https://review.opendev.org/#/c/655727
Change-Id: Iebb0dc0d26c2b4088889946d48bb15ca94cab252
Signed-off-by: Andy Ning <andy.ning@windriver.com>
Remove nova, cinder and neutron api proxy service files
from the distributedcloud package
Story: 2004766
Task: 30021
Change-Id: I477b35e8b5b5079f54f8ac3686f666dab5694148
Signed-off-by: Tao Liu <tao.liu@windriver.com>
StarlingX specific OCF scripts (ie: OCF scripts that are not from the
OpenStack foundation) should be packaged in the StarlingX repos and
not in the stx-staging repos.
The following 9 Distributed Cloud OCF scripts should be moved into the
distributedcloud-dcorch rpm built from the openstack/stx-distcloud repo:
dcmanager-api
dcmanager-manager
dcorch-cinder-api-proxy
dcorch-engine
dcorch-neutron-api-proxy
dcorch-nova-api-proxy
dcorch-patch-api-proxy
dcorch-snmp
dcorch-sysinv-api-proxy
Depends-On: Ic7b040733e8df66bdd79d45675d63e58abbd85e1
Change-Id: I080b6e893d5f6ccff04951879eed71e8ccbe0b52
Story: 2003715
Task: 26374
Signed-off-by: Scott Little <scott.little@windriver.com>
This is part of Distributed Keystone for Distributed Cloud feature.
Story: 2002842
Task: 22785
Change-Id: Ia8d2e3371e74ce8994a8c23ff926e5b6816b4f51
Signed-off-by: Jack Ding <jack.ding@windriver.com>
To address a requirement change that exposes the 'registry.central'
on the OAM interface, it must add the system controller OAM
subnet to the subcloud override file in the dcmanager.
Depends-On: https://review.opendev.org/#/c/690082/
Change-Id: I9ee6f0f99a940d5d2cc2f245977ffb9f207916c5
Partial-Bug: 1846799
Signed-off-by: Tao Liu <tao.liu@windriver.com>
Need to pass in the application to be the forwarder so when
the version doesn't match the request can continue down the
pipeline. It was 'mostly' working before since the version
matching was registering all get requests as version requests
and just forwarding them, this commit also restricts that
version regex so that is no longer the case.
Change-Id: I887027a043e2a686770d4ece0ae511e00814be61
Closes-Bug: 1849831
Signed-off-by: Tyler Smith <tyler.smith@windriver.com>
In distributed cloud, subcloud's user ids, project ids and role ids
are synced with System Controller. But project role assignment
functions still use names to check if master resources and subcloud
resources have the same id, and if user, project and role exist before
POST call to grant project role to user. This will cause an assignment
PUT job to be created and identity sync status to flip from "in-sync" to
"out-of-sync" and back to "in-sync" again for every audit cycle.
A more detailed explanation: at the very first audit, roles are queued
for sync but the job doesn't run and their ids don't change at the
subcloud yet. At the same audit dcorch finds the project role assignment
actually exists (since it checks names in has_same_ids()), so it maps
the assignment of center cloud to the assignment of the subcloud with
the current ids. Once the queued roles sync job gets executed, role ids
are changed. At this point the assignment mappings become invalid. The
next audit can no longer find the mapped assignment from subcloud so the
logic falls into audit_discrepancy() where has_same_ids() returns
TRUE again and a PUT job is queued for the assignment. The sync endpoint
type becomes "out-of-sync" since there is a job for it. Once the PUT
function returns, its status returns to "in-sync" again.
This change updated project role assignment functions to use ids
instead of names.
Change-Id: I024f2c2f97aaf9670d7b2c5c70a2dae7d6d08d38
Closes-Bug: 1847661
Signed-off-by: Andy Ning <andy.ning@windriver.com>
- Adding endpoints for the subcloud's platform services to the central
keystone. This was done so horizon can reach all subclouds
- Allowing version requests to bypass the authtoken validator in the
dcorch proxy. version requests do not require authentication and
they are required by horizon to work in the SystemController region
Change-Id: I508e0168e77d1f46b8f5720fd16047177b4920c2
Partial-Bug: 1846239
Signed-off-by: Tyler Smith <tyler.smith@windriver.com>
This update enhanced dcmanager to be able to manage containerized
openstack services of subclouds that have openstack application
deployed.
dcmanager audit queries the subcloud periodically to check whether
stx-openstack application is installed or not. If it's installed from
previous uninstalled, the subcloud's "openstack_installed" field will be
updated from "False" to "True", openstack sync endpoint types will be
added into subcloud sync endpoint type list, and notify dcorch to update
its sync threads. If it's uninstalled from previous installed, the
subcloud's "openstack_installed" field will be updated from "True" back
to "False", openstack sync endpoint types will be removed from subcloud
sync endpoint type list, and notify dcorch to update its sync threads.
The endpoint type sync status of openstack services will be available
to dcmanager commands such as "dcmanager subcloud list".
Change-Id: I651bebbef0f0a4dd39ec2371a7397c066c747622
Story: 2004766
Task: 36261
Signed-off-by: Andy Ning <andy.ning@windriver.com>
In cmd/api.py the eventlet monkey_patch has been moved to be before api
app import. This is because if it's called too late, the api app and
db api module will be loaded without awareness of eventlet, the
threading local context in db api won't be eventlet compatible, causing
DB parallel operation errors.
Change-Id: I294657fc910c6a4696f91308d60697d005dc53b0
Closes-Bug: 1846411
Signed-off-by: Andy Ning <andy.ning@windriver.com>
This update added timeout to dcdbsync REST API calls in dcdbsync
client. If no timeout is specified explicitly, the requests do not
timeout. This will cause dcorch audit (which makes the REST calls)
to hang forever and stop auditing when the REST requests failed
for whatever reasons.
Change-Id: I2d471365565df6cd3b0ae720cd81bc17610a0272
Closes-Bug: 1845701
Signed-off-by: Andy Ning <andy.ning@windriver.com>
This update enhanced keystone-api-proxy to take a sync_endpoint
parameter from its configuration file and enqueue job for dcorch with
that sync_endpoint type. If sync_endpoint isn't present in its
configuration file, it will use the default endpoint type to enqueue
job.
Change-Id: I85698638cee2598955c4deb41a6b8033b0ace9fd
Story: 2004766
Task: 36156
Depends-On: https://review.opendev.org/#/c/682062/
Signed-off-by: Andy Ning <andy.ning@windriver.com>
This updates dcdbsync service to be able to sync both platform keystone
and containerized openstack keystone database.
Special note: In cmd/api.py the eventlet monkey_patch has been moved to
be before api app import. This is because if it's patched too late, the
api app and db api module will be loaded without awareness of eventlet,
the threading local context in db api won't be eventlet compatible,
causing DB parallel operation errors.
Story: 2004766
Task: 36108
Change-Id: I448af0aae1f39186ca342bd26d8b263b06065312
Signed-off-by: Andy Ning <andy.ning@windriver.com>
This commit introduces the ability to pass a playbook and playbook
values file to the dcmanager subcloud add command. The deployment
is now split into two phases: bootstrapping, where the bootstrap
ansible playbook is run with the supplied bootstrap values yaml file,
and deploying, where the specified ansible playbook is executed with
the given yaml values file pointing to the subcloud.
Change-Id: I2ff3034b1db88d9da89e634220a394ab9dfce64b
Story: 2004766
Task: 36712
Signed-off-by: Tyler Smith <tyler.smith@windriver.com>
OAM firewallrules are now managed by Calico GlobalNetworkPolicy configuration
via k8s API (not by sysinv anymore). This update removed firewallrules
audit from dcorch.
Change-Id: I9fab73c016bb4af760c7d78f0db18dcc8bb77057
Closes-Bug: 1844147
Signed-off-by: Andy Ning <andy.ning@windriver.com>
Some bootstrap overrides were being written to the subcloud yaml file
as unicode strings, including ipv6 dns addresses, which causes ansible to
fail when parsing the yaml during the subcloud bootstrapping
Change-Id: I43f1776a9f2d8a7d45221946e62dc31ac9f6d1d9
Partial-Bug: 1844190
Signed-off-by: Tyler Smith <tyler.smith@windriver.com>
In a Distributed Cloud system, when dcorch audits the platform, it will
fail at the audit_discrepancy() function call. This is because sysinv
audit_discrepancy() missed the 4th parameter. This update fixed this by
adding it in.
Change-Id: I72057b3406b4b362808d241fbc2e43bf07d7b677
Closes-Bug: 1843770
Signed-off-by: Andy Ning <andy.ning@windriver.com>
Formatting of the passwords was incorrect leading to
authentication issues
Change-Id: If181e38f07dc66b6e4b12bf0b5a7fb123d75fbb2
Closes-Bug: 1839377
Signed-off-by: Tyler Smith <tyler.smith@windriver.com>
Use templates instead of individual jobs so that these
can be changed in one place.
Depends-On: https://review.opendev.org/677606
Change-Id: Ice80a94fe8c5d3634e729c888672ce698049f87a
- Adding logic to automatically deploy subclouds via ansible when
they are added, as well as a 'deploy' field to subcloud entity to
report status
- Converting subcloud fields to take underscored
parameters instead of dashed to match ansible variable style
- Adding checks to OAM network parameters
- Removing generate subcloud config logic
Depends-On: https://review.opendev.org/#/c/670321/
Depends-On: https://review.opendev.org/#/c/670325/
Change-Id: Ib7fe2f4a42fffb7bd5082e6e851cb9136edf5a00
Story: 2004766
Task: 35756
Signed-off-by: Tyler Smith <tyler.smith@windriver.com>
The sysinv API for retrieving the network interfaces has been
changed. This update makes changes in dcmanager to adapt the
sysinv changes.
Story: 2004766
Task: 35672
Change-Id: Ifaa510726c5029738e6b02f468a3a38f0682a351
Signed-off-by: Tao Liu <tao.liu@windriver.com>
The storyboard and gerrit doc links are in error, and the git library
redirects to the correct one; this change is to correct all of them.
Change-Id: I58fb35cf4bd4edde173c5d7e55bc6ced1ee08d60
Partial-Bug: #1835207
Signed-off-by: junboli <junbo85.li@gmail.com>
This updates the upper-constraints.txt used by tox for
installing python modules to reference the stable/stein
constraints.
Change-Id: I5029186ae1ccee719da17f6a36665f81e207f882
Partial-Bug: 1834216
Signed-off-by: Don Penney <don.penney@windriver.com>
This commit updates dcdbsync service to support Stein. Changes to the
service include:
- Update system_assignment table when user id or role id is updated
- Update implied_role table when role id is updated
- Removed "password" field from local_user_table synchronization
- Added "description" field to role table synchronization
- Updated VERSION_ALIASES to Stein 1.0 in API controllers
Story: 2002842
Task: 22787
Change-Id: I40e64d4072201635c7b531575ab5df7cd7b5557d
Signed-off-by: Andy Ning <andy.ning@windriver.com>
This commit enhanced dcorch find_missing algorithm so that the first
audit after subcloud becomes managed won't try to create resources that
have matches in the subcloud (otherwise the creation will fail for DB
duplication error). This is necessary for resources that are created
at deployment time and existing resources not yet tracked by dcorch.
Story: 2002842
Task: 22787
Change-Id: I60f94057caf71265942f3b37b400eeba4f368fed
Signed-off-by: Andy Ning <andy.ning@windriver.com>
This commit updates dcorch to use the newly introduced dbsync service
APIs to synchronize identity resources from central cloud to subclouds.
The following identity resources are synced:
- users (local users only)
- user passwords
- projects
- roles
- project role assignments
- token revocation events
Story: 2002842
Task: 22787
Signed-off-by: Andy Ning <andy.ning@windriver.com>
(cherry picked from commit e9096c7a23abeebc1119b5ba3ed1e7b3a357a2ed)
Depends-On: https://review.opendev.org/#/c/655921
Depends-On: https://review.opendev.org/#/c/655773
Depends-On: https://review.opendev.org/#/c/655776
Depends-On: https://review.opendev.org/#/c/655927
Change-Id: I77c2cc712a1c3dc8a228883c3fea1423e5207dea
This update introduces the DB record synchronization service. This new
service provides REST APIs to read/write/update identity database. The
REST APIs are intended to be used internally by DC Orchestrator to
synchronize identity resources between central cloud and subclouds.
This update also contains python client that wraps up the REST APIs
into functions. The client is to be used by DC Orchestrator.
This service supports the synchronization of the following identity
resources:
- users (local users only)
- user passwords
- projects
- roles
- project role assignments
- token revocation events
Story: 2002842
Task: 22787
Change-Id: Idb4aff5bac006fdd904b58c0c8b3d6a0916fbd4b
Signed-off-by: Andy Ning <andy.ning@windriver.com>
(cherry picked from commit 6cdd47b836b3618d2ec549fe0bab273bd23ce942)