Major changes: * Plumbing necessary for strict confinement with the microstack-support interface https://github.com/snapcore/snapd/pull/8926 * Until the interface is merged, devmode will be used and kernel modules will be loaded via an auxiliary service. * upgraded OpenStack components to Focal (20.04) and OpenStack Ussuri; * reworked the old patches; * added the Placement service since it is now separate; * addressed various build issues due to changes in snapcraft and built dependencies: * (e.g. libvirt requires the build directory to be separate from the source directory) and LP: #1882255; * LP: #1882535 and https://github.com/pypa/pip/issues/8414 * LP: #1882839 * LP: #1885294 * https://storyboard.openstack.org/#!/story/2007806 * LP: #1864589 * LP: #1777121 * LP: #1881590 * ML2/OVS replaced with ML2/OVN; * dnsmasq is not used anymore; * neutron l3 and DHCP agents are not used anymore; * Linux network namespaces are only used for neutron-ovn-metadata-agent. * ML2 DNS support is done via native OVN mechanisms; * OVN-related database services (southbound and northbound dbs); * OVN-related control plane services (ovn-controller, ovn-northd); * core20 base support (bionic hosts are supported); * the removal procedure now relies on the "remove" hook since `snap remove` cannot be used from the confined environment anymore; * prerequisites to enabling AppArmor confinement for QEMU processes created by the confined libvirtd. * Added the Spice html5 console proxy service to enable clients to retrieve and use it via `microstack.openstack console url show --spice <servername>`. * Added missing Cinder templates and DB migrations for the Cinder DB. * Added experimental support for a loop device-based LVM backend for Cinder. 
Due to LP: #1892895 this is not recommended to be used in production except for tempest testing with an applied workaround; * includes iscsid and iscsi-tcp kernel module loading; * includes LIO and loading of relevant kernel modules; * An LVM PV is created on top of a loop device with a backing file present in $SNAP_COMMON/cinder-lvm.img; * A VG is created on top of the PV; * LVs are created by Cinder and exported via LIO over iscsi to iscsid which hot-plugs new SCSI devices. Those SCSI devices are then propagated by Nova to libvirt and QEMU during volume attachment; * Added post-deployment testing via rally and tempest (via the microstack-test snap). A set of tests included into Refstack 2018.02 is executed (except for object storage tests due to the lack of object storage support). Change-Id: Ic70770095860a57d5e0a55a8a9451f9db6be7448changes/42/738242/17
78 changed files with 1922 additions and 536 deletions
@ -1,4 +0,0 @@
|
||||
#!/bin/bash |
||||
# Wrapper for dnsmasq |
||||
|
||||
exec $SNAP/usr/sbin/dnsmasq-orig -u snap_daemon -g snap_daemon $@ |
@ -0,0 +1,77 @@
|
||||
From a8df30a8a837c223945a13fe4cd9418084d8ed21 Mon Sep 17 00:00:00 2001
|
||||
From: Dmitrii Shcherbakov <dmitrii.shcherbakov@canonical.com>
|
||||
Date: Wed, 10 Jun 2020 20:14:32 +0000
|
||||
Subject: [PATCH] drop setuid/setgid/initgroups
|
||||
|
||||
---
|
||||
src/os/unix/ngx_process_cycle.c | 54 ---------------------------------
|
||||
1 file changed, 54 deletions(-)
|
||||
|
||||
diff --git a/src/os/unix/ngx_process_cycle.c b/src/os/unix/ngx_process_cycle.c
|
||||
index 5817a2c2..305c6823 100644
|
||||
--- a/src/os/unix/ngx_process_cycle.c
|
||||
+++ b/src/os/unix/ngx_process_cycle.c
|
||||
@@ -825,60 +825,6 @@ ngx_worker_process_init(ngx_cycle_t *cycle, ngx_int_t worker)
|
||||
}
|
||||
}
|
||||
|
||||
- if (geteuid() == 0) {
|
||||
- if (setgid(ccf->group) == -1) {
|
||||
- ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
|
||||
- "setgid(%d) failed", ccf->group);
|
||||
- /* fatal */
|
||||
- exit(2);
|
||||
- }
|
||||
-
|
||||
- if (initgroups(ccf->username, ccf->group) == -1) {
|
||||
- ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
|
||||
- "initgroups(%s, %d) failed",
|
||||
- ccf->username, ccf->group);
|
||||
- }
|
||||
-
|
||||
-#if (NGX_HAVE_PR_SET_KEEPCAPS && NGX_HAVE_CAPABILITIES)
|
||||
- if (ccf->transparent && ccf->user) {
|
||||
- if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1) {
|
||||
- ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
|
||||
- "prctl(PR_SET_KEEPCAPS, 1) failed");
|
||||
- /* fatal */
|
||||
- exit(2);
|
||||
- }
|
||||
- }
|
||||
-#endif
|
||||
-
|
||||
- if (setuid(ccf->user) == -1) {
|
||||
- ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
|
||||
- "setuid(%d) failed", ccf->user);
|
||||
- /* fatal */
|
||||
- exit(2);
|
||||
- }
|
||||
-
|
||||
-#if (NGX_HAVE_CAPABILITIES)
|
||||
- if (ccf->transparent && ccf->user) {
|
||||
- struct __user_cap_data_struct data;
|
||||
- struct __user_cap_header_struct header;
|
||||
-
|
||||
- ngx_memzero(&header, sizeof(struct __user_cap_header_struct));
|
||||
- ngx_memzero(&data, sizeof(struct __user_cap_data_struct));
|
||||
-
|
||||
- header.version = _LINUX_CAPABILITY_VERSION_1;
|
||||
- data.effective = CAP_TO_MASK(CAP_NET_RAW);
|
||||
- data.permitted = data.effective;
|
||||
-
|
||||
- if (syscall(SYS_capset, &header, &data) == -1) {
|
||||
- ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
|
||||
- "capset() failed");
|
||||
- /* fatal */
|
||||
- exit(2);
|
||||
- }
|
||||
- }
|
||||
-#endif
|
||||
- }
|
||||
-
|
||||
if (worker >= 0) {
|
||||
cpu_affinity = ngx_get_cpu_affinity(worker);
|
||||
|
||||
--
|
||||
2.17.1
|
||||
|
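Review bot: The new patch file carries no rationale for removing nginx's entire privilege-drop block, whereas the patch it replaces documented the setgroups seccomp denial and the fact that worker processes are meant to run as root:root under strict confinement; that context belongs in this patch's header above the `---` line. The new version also removes the `prctl(PR_SET_KEEPCAPS)`/`capset()` handling that the replaced patch did not touch (its nginx base may simply have lacked it), so a sentence should state that the CAP_NET_RAW retention for the `transparent` option is intentionally dropped as well. The header should further note that nginx's `user` directive becomes a silent no-op for workers once this is applied, so the snap's nginx configuration must not rely on it for isolation. ngx_worker_process_init continues outside the quoted hunk.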
@ -1,57 +0,0 @@
|
||||
Description: Drop code where nginx drops privileges for worker
|
||||
processes. While setuid is covered by the browser-support plug,
|
||||
setgroups isn't covered by any plugs. This code isn't required
|
||||
because in strict mode we run worker processes as root:root.
|
||||
The seccomp violation follows:
|
||||
= Seccomp =
|
||||
Time: Jun 16 01:13:15
|
||||
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=6087 comm="nginx"
|
||||
exe="/snap/keystone/x1/usr/sbin/nginx" sig=31 arch=c000003e
|
||||
116(setgroups) compat=0 ip=0x7f40e288af09 code=0x0
|
||||
Syscall: setgroups
|
||||
Suggestion:
|
||||
* adjust program to not use 'setgroups' until per-snap user/groups
|
||||
are supported (https://launchpad.net/bugs/1446748)
|
||||
Author: Corey Bryant <corey.bryant@canonical.com>
|
||||
Forwarded: no
|
||||
|
||||
---
|
||||
src/os/unix/ngx_process_cycle.c | 22 ----------------------
|
||||
1 file changed, 22 deletions(-)
|
||||
|
||||
diff --git a/src/os/unix/ngx_process_cycle.c b/src/os/unix/ngx_process_cycle.c
|
||||
index 1710ea8..c428673 100644
|
||||
--- a/src/os/unix/ngx_process_cycle.c
|
||||
+++ b/src/os/unix/ngx_process_cycle.c
|
||||
@@ -824,28 +824,6 @@ ngx_worker_process_init(ngx_cycle_t *cycle, ngx_int_t worker)
|
||||
}
|
||||
}
|
||||
|
||||
- if (geteuid() == 0) {
|
||||
- if (setgid(ccf->group) == -1) {
|
||||
- ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
|
||||
- "setgid(%d) failed", ccf->group);
|
||||
- /* fatal */
|
||||
- exit(2);
|
||||
- }
|
||||
-
|
||||
- if (initgroups(ccf->username, ccf->group) == -1) {
|
||||
- ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
|
||||
- "initgroups(%s, %d) failed",
|
||||
- ccf->username, ccf->group);
|
||||
- }
|
||||
-
|
||||
- if (setuid(ccf->user) == -1) {
|
||||
- ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
|
||||
- "setuid(%d) failed", ccf->user);
|
||||
- /* fatal */
|
||||
- exit(2);
|
||||
- }
|
||||
- }
|
||||
-
|
||||
if (worker >= 0) {
|
||||
cpu_affinity = ngx_get_cpu_affinity(worker);
|
||||
|
||||
--
|
||||
2.7.4
|
||||
|
@ -0,0 +1,56 @@
|
||||
From 84e8c808d146ef7d4a716bf951875f85fd7020c9 Mon Sep 17 00:00:00 2001
|
||||
From: Dmitrii Shcherbakov <dmitrii.shcherbakov@canonical.com>
|
||||
Date: Tue, 18 Aug 2020 19:07:37 +0000
|
||||
Subject: [PATCH] Use a snap-specific abstract socket address
|
||||
|
||||
* open-iscsi is included into Ubuntu cloud images and, as a result,
|
||||
sockets with names hard-coded in the source get created and owned by
|
||||
systemd at the host level;
|
||||
* iscsid checks for the LISTEN_FDS environment variable to determine
|
||||
whether systemd passes the necessary socket file descriptors to it -
|
||||
this does not happen since iscsid.socket service name differs from the
|
||||
actual service name: snap.microstack.iscsid.service;
|
||||
* snapd's support for the systemd socket activation feature is present
|
||||
but abstract socket names are restricted to be prefixed with
|
||||
snap.<snap-name>.<your-socket-name> - this means that open-scsi needs to
|
||||
be patched since the abstract domain socket name isn't configurable and
|
||||
is hard-coded at the compile time.
|
||||
|
||||
This patch alters the hard-coded abstract socket names in order to use
|
||||
systemd socket activation via the means supported by snapd and to avoid
|
||||
conflicts with an iscsid instance that might be used at the host where
|
||||
this snap is installed.
|
||||
---
|
||||
usr/mgmt_ipc.h | 2 +-
|
||||
usr/uip_mgmt_ipc.h | 2 +-
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/usr/mgmt_ipc.h b/usr/mgmt_ipc.h
|
||||
index 55972ed..aa66419 100644
|
||||
--- a/usr/mgmt_ipc.h
|
||||
+++ b/usr/mgmt_ipc.h
|
||||
@@ -23,7 +23,7 @@
|
||||
#include "iscsi_if.h"
|
||||
#include "config.h"
|
||||
|
||||
-#define ISCSIADM_NAMESPACE "ISCSIADM_ABSTRACT_NAMESPACE"
|
||||
+#define ISCSIADM_NAMESPACE "snap.microstack.ISCSIADM_ABSTRACT_NAMESPACE"
|
||||
#define PEERUSER_MAX 64
|
||||
|
||||
typedef enum iscsiadm_cmd {
|
||||
diff --git a/usr/uip_mgmt_ipc.h b/usr/uip_mgmt_ipc.h
|
||||
index 916113d..484e9f5 100644
|
||||
--- a/usr/uip_mgmt_ipc.h
|
||||
+++ b/usr/uip_mgmt_ipc.h
|
||||
@@ -24,7 +24,7 @@
|
||||
#include "initiator.h"
|
||||
#include "transport.h"
|
||||
|
||||
-#define ISCSID_UIP_NAMESPACE "ISCSID_UIP_ABSTRACT_NAMESPACE"
|
||||
+#define ISCSID_UIP_NAMESPACE "snap.microstack.ISCSID_UIP_ABSTRACT_NAMESPACE"
|
||||
|
||||
typedef enum iscsid_uip_cmd {
|
||||
ISCSID_UIP_IPC_UNKNOWN = 0,
|
||||
--
|
||||
2.17.1
|
||||
|
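Review bot: The snap name is baked into both renamed abstract socket names, yet nothing in the patch states what they must agree with: for snapd's socket activation the socket declared in snapcraft.yaml (not part of this change) has to carry exactly these names, otherwise iscsid never receives a descriptor via LISTEN_FDS and presumably falls back to binding its own. A comment above each define, e.g. `/* must match the socket declared in snapcraft.yaml; snapd only permits abstract names prefixed snap.<snap-name>. */`, would make that coupling visible to whoever next renames the snap or its services. The patch header could also state that, as before the rename, an abstract socket has no filesystem permission bits, so whatever peer checks iscsid performs on a connection remain the only access control on this IPC channel.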
@ -0,0 +1,19 @@
|
||||
#!/bin/sh |
||||
|
||||
mkdir -p $SNAP_COMMON/etc/iscsi/ |
||||
|
||||
INAME_FILE=$SNAP_COMMON/etc/iscsi/initiatorname.iscsi |
||||
|
||||
if ! [ -f $INAME_FILE ]; then |
||||
# Generate a unique InitiatorName and save it |
||||
INAME=`iscsi-iname -p iqn.1993-08.org.debian:01` |
||||
echo "## DO NOT EDIT OR REMOVE THIS FILE!" > $INAME_FILE |
||||
echo "## If you remove this file, the iSCSI daemon will not start." >> $INAME_FILE |
||||
echo "## If you change the InitiatorName, existing access control lists" >> $INAME_FILE |
||||
echo "## may reject this initiator. The InitiatorName must be unique">> $INAME_FILE |
||||
echo "## for each iSCSI initiator. Do NOT duplicate iSCSI InitiatorNames." >> $INAME_FILE |
||||
printf "InitiatorName=$INAME\n" >> $INAME_FILE |
||||
chmod 600 $INAME_FILE |
||||
fi |
||||
|
||||
exec $SNAP/sbin/iscsid -p $SNAP_COMMON/var/run/iscsid.pid --initiatorname=$INAME_FILE --config=$SNAP_COMMON/etc/iscsi/iscsid.conf |
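Review bot: `printf "InitiatorName=$INAME\n" >> $INAME_FILE` expands the generated name into printf's format string, so any `%` or backslash in it would be interpreted rather than written; use `printf 'InitiatorName=%s\n' "$INAME" >> "$INAME_FILE"`. Every other use of `$INAME_FILE` and `$SNAP_COMMON` is unquoted too, which only works while those paths contain no whitespace or glob characters — quote them throughout, and `INAME=$(iscsi-iname -p iqn.1993-08.org.debian:01)` reads better than backticks. `iscsi-iname` is also the only command here resolved via PATH rather than through `$SNAP`; confirm that is intended.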
@ -0,0 +1,5 @@
|
||||
#!/bin/bash |
||||
|
||||
set -ex |
||||
|
||||
modprobe -a vhost vhost-net vhost-scsi vhost-vsock pci-stub vfio nbd dm-mod dm-thin-pool dm-snapshot iscsi-tcp target-core-mod |
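Review bot: The module list gives no hint of which component needs which module or why this service exists at all, while the commit message says it is a stopgap until the microstack-support interface lands; a header comment would let the list be pruned once that happens. Suggest something like `# Stopgap until the microstack-support snapd interface (snapcore/snapd#8926) is available; iscsi-tcp/target-core-mod and dm-* serve the Cinder iSCSI/LVM path, the remainder serve libvirt/QEMU` — the mapping is my reading of the commit message, so verify it before committing it. With `set -e` a single missing module aborts the service; whether that is the intended failure mode is also worth stating.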
@ -0,0 +1,4 @@
|
||||
#!/bin/sh |
||||
|
||||
# This wrapper is needed due to https://bugs.launchpad.net/snapd/+bug/1882839 |
||||
$SNAP/usr/bin/targetcli restoreconfig clear_existing=True |
@ -0,0 +1,5 @@
|
||||
#!/bin/sh |
||||
|
||||
$SNAP/usr/bin/targetcli saveconfig |
||||
# This wrapper is needed due to https://bugs.launchpad.net/snapd/+bug/1882839 |
||||
$SNAP/usr/bin/targetcli clearconfig confirm=True |
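Review bot: `saveconfig` and `clearconfig confirm=True` run unconditionally, so if `saveconfig` fails the live LIO configuration is still wiped without a saved copy; add `set -e` after the shebang, or chain them as `$SNAP/usr/bin/targetcli saveconfig && $SNAP/usr/bin/targetcli clearconfig confirm=True`. The restoreconfig wrapper in the previous section would benefit from the same `set -e` for consistency.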
@ -1,5 +0,0 @@
|
||||
[DEFAULT] |
||||
interface_driver = openvswitch |
||||
dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq |
||||
enable_isolated_metadata = True |
||||
dnsmasq_dns_servers = 1.1.1.1 |
@ -1,2 +0,0 @@
|
||||
[DEFAULT] |
||||
interface_driver = openvswitch |
@ -1,3 +0,0 @@
|
||||
[DEFAULT] |
||||
nova_metadata_ip = 10.20.20.1 |
||||
metadata_proxy_shared_secret = supersecret |
@ -1,4 +1,10 @@
|
||||
[DEFAULT] |
||||
core_plugin = ml2 |
||||
service_plugins = router |
||||
service_plugins = ovn-router |
||||
allow_overlapping_ips = True |
||||
|
||||
# Disable auto-scheduling of networks to DHCP agents since they are not used with OVN. |
||||
network_auto_schedule = False |
||||
|
||||
[ovn] |
||||
ovn_metadata_enabled = True |
||||
|
@ -1,13 +1,18 @@
|
||||
[ml2] |
||||
mechanism_drivers = openvswitch |
||||
extension_drivers = port_security,trunk,qos |
||||
tenant_network_types = geneve,gre,vxlan |
||||
mechanism_drivers = ovn |
||||
extension_drivers = port_security,qos |
||||
tenant_network_types = geneve |
||||
overlay_ip_version = 4 |
||||
external_network_type = flat |
||||
|
||||
[ml2_type_geneve] |
||||
vni_ranges = 1:65535 |
||||
max_header_size = 40 |
||||
|
||||
[ml2_type_gre] |
||||
tunnel_id_ranges = 1:65535 |
||||
[ml2_type_flat] |
||||
flat_networks = * |
||||
|
||||
[ml2_type_vxlan] |
||||
vni_ranges = 1:65535 |
||||
[ovn] |
||||
# TODO(dmitriis): replace the common path with a template. |
||||
ovn_nb_connection = unix:/var/snap/microstack/common/run/ovn/ovnnb_db.sock |
||||
ovn_sb_connection = unix:/var/snap/microstack/common/run/ovn/ovnsb_db.sock |
||||
|
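Review bot: `ovn_nb_connection`/`ovn_sb_connection` hard-code `/var/snap/microstack/common/...`, while the new neutron_ovn_metadata_agent.ini in this same change renders the equivalent values from `{{ snap_common }}` and `{{ ovn_nb_connection }}`; the TODO acknowledges it, but until this file is templated a snap installed under a different name points Neutron at a socket path that does not exist. `flat_networks = *` also accepts any physical-network label for flat provider networks; if only one physnet is ever mapped, naming it explicitly is the tighter setting.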
@ -1,11 +0,0 @@
|
||||
# Snap provided defaults for neutron-openvswitch-agent |
||||
[securitygroup] |
||||
enable_security_group = True |
||||
firewall_driver = openvswitch |
||||
|
||||
[AGENT] |
||||
tunnel_types = geneve,vxlan,gre |
||||
|
||||
[ovs] |
||||
local_ip = 127.0.0.1 |
||||
bridge_mappings = physnet1:br-ex |
@ -0,0 +1,3 @@
|
||||
# Snap distribution defaults - do not change, override in $SNAP_COMMON/etc/cinder.conf.d |
||||
[database] |
||||
max_retries = -1 |
Before Width: | Height: | Size: 90 KiB After Width: | Height: | Size: 90 KiB |
Before Width: | Height: | Size: 5.1 KiB After Width: | Height: | Size: 5.1 KiB |
Before Width: | Height: | Size: 5.1 KiB After Width: | Height: | Size: 5.1 KiB |
@ -0,0 +1,6 @@
|
||||
[DEFAULT] |
||||
filters_path={{ snap }}/etc/cinder/rootwrap.d |
||||
|
||||
use_syslog=False |
||||
syslog_log_facility=syslog |
||||
syslog_log_level=ERROR |
@ -0,0 +1,2 @@
|
||||
[database] |
||||
connection = mysql+pymysql://cinder:cinder@{{ control_ip }}:{{ mysql_port }}/cinder |
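Review bot: The database URL embeds a fixed `cinder:cinder` credential, whereas the Keystone password in the same template set is rendered from `{{ cinder_password }}`; the DB password should be a template variable as well, e.g. `connection = mysql+pymysql://cinder:{{ cinder_db_password }}@{{ control_ip }}:{{ mysql_port }}/cinder` (variable name illustrative) with the value generated at initialisation. The same fixed secrets appear in the RabbitMQ `transport_url` (`openstack:rabbitmq`), in `metadata_proxy_shared_secret = supersecret` in neutron_ovn_metadata_agent.ini, and in the `[placement_database]` connection (`placement:placement`) later in this change. If `control_ip` is a non-loopback address, as the clustered setup this commit adds suggests it can be, these become network-reachable services with a guessable password.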
@ -0,0 +1,13 @@
|
||||
[DEFAULT] |
||||
auth_strategy = keystone |
||||
|
||||
[keystone_authtoken] |
||||
auth_uri = http://{{ control_ip }}:5000 |
||||
auth_url = http://{{ control_ip }}:5000 |
||||
memcached_servers = {{ control_ip }}:11211 |
||||
auth_type = password |
||||
project_domain_name = default |
||||
user_domain_name = default |
||||
project_name = service |
||||
username = cinder |
||||
password = {{ cinder_password }} |
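Review bot: `auth_uri` under `[keystone_authtoken]` has been deprecated by keystonemiddleware in favour of `www_authenticate_uri` since Queens, so on the Ussuri packages this commit moves to it only produces a deprecation warning; replace it with `www_authenticate_uri = http://{{ control_ip }}:5000`. The same key appears in placement.conf's new `[keystone_authtoken]` section and in the nova `[placement]` section later in this change; in the latter it is, as far as I know, not a keystoneauth option at all and is silently ignored — verify and drop it there.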
@ -0,0 +1,2 @@
|
||||
[DEFAULT] |
||||
transport_url = rabbit://openstack:rabbitmq@{{ control_ip }}:{{ rabbit_port }} |
@ -0,0 +1,22 @@
|
||||
iscsid.startup = {{ snap }}/sbin/iscsid |
||||
node.startup = manual |
||||
node.leading_login = No |
||||
node.session.timeo.replacement_timeout = 120 |
||||
node.conn[0].timeo.login_timeout = 15 |
||||
node.conn[0].timeo.logout_timeout = 15 |
||||
node.conn[0].timeo.noop_out_interval = 5 |
||||
node.conn[0].timeo.noop_out_timeout = 5 |
||||
node.session.err_timeo.abort_timeout = 15 |
||||
node.session.err_timeo.lu_reset_timeout = 30 |
||||
node.session.err_timeo.tgt_reset_timeout = 30 |
||||
node.session.cmds_max = 128 |
||||
node.session.queue_depth = 32 |
||||
node.session.xmit_thread_priority = -20 |
||||
node.session.iscsi.InitialR2T = No |
||||
node.session.iscsi.ImmediateData = Yes |
||||
node.session.iscsi.FirstBurstLength = 262144 |
||||
node.session.iscsi.MaxBurstLength = 16776192 |
||||
node.conn[0].iscsi.MaxRecvDataSegmentLength = 262144 |
||||
node.conn[0].iscsi.MaxXmitDataSegmentLength = 0 |
||||
discovery.sendtargets.iscsi.MaxRecvDataSegmentLength = 32768 |
||||
node.session.nr_sessions = 1 |
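Review bot: `iscsid.startup = {{ snap }}/sbin/iscsid` names the bare daemon, but the service in this change starts iscsid through a wrapper that supplies `-p`, `--initiatorname` and `--config` pointing into `$SNAP_COMMON`; if iscsiadm ever uses `iscsid.startup` to spawn a daemon (which, as I read iscsid.conf semantics, is its purpose when none is running), the spawned instance would run with built-in defaults rather than the snap's paths. Either point it at the wrapper or add a comment stating that iscsid is expected to be running under the snap's service before iscsiadm is invoked. No `node.session.auth.*` (CHAP) settings are configured either, so target access relies entirely on LIO-side ACLs and network reachability — worth stating in a comment if that is the intended trust model.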
@ -0,0 +1,26 @@
|
||||
{ |
||||
"openstack": { |
||||
"admin": { |
||||
"password": "{{ ospassword }}", |
||||
"project_domain_name": "default", |
||||
"project_name": "admin", |
||||
"user_domain_name": "default", |
||||
"username": "admin" |
||||
}, |
||||
"api_info": { |
||||
"keystone": { |
||||
"service_type": "identityv3", |
||||
"version": 3 |
||||
} |
||||
}, |
||||
"auth_url": "http://{{ control_ip }}:5000", |
||||
"endpoint_type": null, |
||||
"https_cacert": "", |
||||
"https_cert": "", |
||||
"https_insecure": false, |
||||
"https_key": "", |
||||
"profiler_conn_str": null, |
||||
"profiler_hmac_key": null, |
||||
"region_name": "" |
||||
} |
||||
} |
@ -0,0 +1,13 @@
|
||||
[DEFAULT] |
||||
metadata_proxy_shared_secret = supersecret |
||||
|
||||
[ovs] |
||||
ovsdb_connection = unix:{{ snap_common }}/run/openvswitch/db.sock |
||||
|
||||
[ovn] |
||||
{% if ovn_nb_connection %} |
||||
ovn_nb_connection = {{ ovn_nb_connection }} |
||||
{% endif %} |
||||
{% if ovn_sb_connection %} |
||||
ovn_sb_connection = {{ ovn_sb_connection }} |
||||
{% endif %} |
@ -0,0 +1,18 @@
|
||||
[DEFAULT] |
||||
web = {{ snap }}/usr/share/spice-html5 |
||||
|
||||
[vnc] |
||||
enabled = False |
||||
|
||||
[spice] |
||||
# Proxy configuration (controller only). |
||||
html5proxy_host = 0.0.0.0 |
||||
html5proxy_port = 6082 |
||||
|
||||
enabled = True |
||||
agent_enabled = True |
||||
html5proxy_base_url = http://{{ control_ip }}:6082/spice_auto.html |
||||
server_listen = {{ compute_ip }} |
||||
server_proxyclient_address = {{ compute_ip }} |
||||
keymap = en-us |
||||
|
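Review bot: `html5proxy_host = 0.0.0.0` binds the SPICE HTML5 proxy on every interface and `html5proxy_base_url` hands clients a plain-`http` URL, so console traffic (and the console token, which is typically carried in that URL) is exposed on any network the controller is attached to; bind it to the address already used for the base URL, `html5proxy_host = {{ control_ip }}`, unless the all-interfaces listen is deliberate. The `# Proxy configuration (controller only).` comment should then also say that TLS is not yet configured, matching the TODO in the ovn wrapper script in this change.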
@ -0,0 +1,11 @@
|
||||
[placement] |
||||
auth_uri = http://{{ control_ip }}:5000 |
||||
auth_url = http://{{ control_ip }}:5000 |
||||
memcached_servers = {{ control_ip }}:11211 |
||||
auth_type = password |
||||
project_domain_name = default |
||||
user_domain_name = default |
||||
project_name = service |
||||
username = nova |
||||
password = {{ nova_password }} |
||||
os_region_name = RegionOne |
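Review bot: `os_region_name = RegionOne` is the region nova will use to locate the placement endpoint, but the placement.conf this change rewrites previously carried `os_region_name = microstack` in its own `[placement]` section; if the service endpoints are registered under `microstack`, nova's lookup fails at runtime. Confirm which region the endpoints are registered in (the initialisation code is not in view) and either align this value or template it, e.g. `os_region_name = {{ region_name }}` (variable name illustrative).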
@ -0,0 +1,10 @@
|
||||
server { |
||||
listen 8778; |
||||
error_log syslog:server=unix:/dev/log; |
||||
access_log syslog:server=unix:/dev/log; |
||||
location / { |
||||
include {{ snap }}/usr/conf/uwsgi_params; |
||||
uwsgi_param SCRIPT_NAME ''; |
||||
uwsgi_pass unix://{{ snap_common }}/run/placement-api.sock; |
||||
} |
||||
} |
@ -0,0 +1,9 @@
|
||||
[DEFAULT] |
||||
# Set state path to writable directory |
||||
state_path = {{ snap_common }}/lib |
||||
# Log to systemd journal |
||||
use_journal = True |
||||
|
||||
[oslo_concurrency] |
||||
# Oslo Concurrency lock path |
||||
lock_path = {{ snap_common }}/lock |
@ -0,0 +1,2 @@
|
||||
[placement_database] |
||||
connection = mysql+pymysql://placement:placement@{{ control_ip }}:{{ mysql_port }}/placement |
@ -1,9 +1,13 @@
|
||||
[placement] |
||||
os_region_name = microstack |
||||
project_domain_name = default |
||||
project_name = service |
||||
[keystone_authtoken] |
||||
auth_uri = http://{{ control_ip }}:5000 |
||||
auth_url = http://{{ control_ip }}:5000 |
||||
memcached_servers = {{ control_ip }}:11211 |
||||
auth_type = password |
||||
project_domain_name = default |
||||
user_domain_name = default |
||||
auth_url = http://{{ control_ip }}:5000 |
||||
project_name = service |
||||
username = placement |
||||
password = {{ placement_password }} |
||||
|
||||
[paste_deploy] |
||||
flavor = keystone |
@ -0,0 +1,2 @@
|
||||
[placement] |
||||
randomize_allocation_candidates = true |
@ -0,0 +1,2 @@
|
||||
include {{ snap_common }}/lib/volumes/* |
||||
default-driver iscsi |
@ -0,0 +1,25 @@
|
||||
#!/bin/bash |
||||
|
||||
set -e |
||||
|
||||
export OVN_LOGDIR=${SNAP_COMMON}/log/ovn |
||||
export OVN_RUNDIR=${SNAP_COMMON}/run/ovn |
||||
export OVN_SYSCONFDIR=${SNAP_COMMON}/etc |
||||
export OVN_PKGDATADIR=${SNAP}/usr/local/share/ovn |
||||
export OVN_BINDIR=${SNAP}/bin |
||||
export OVN_SBINDIR=${SNAP}/sbin |
||||
|
||||
|
||||
mkdir -p ${OVN_LOGDIR} |
||||
mkdir -p ${OVN_RUNDIR} |
||||
mkdir -p ${OVN_SYSCONFDIR}/ovn |
||||
|
||||
if [ `basename $1` = 'ovn-ctl' -a `snapctl get config.clustered` == 'true' ] |
||||
then |
||||
# TODO: replace this with a secure alternative once TLS is supported. |
||||
# Create an SB TCP socket to be used by remote ovn-controller and neutron-ovn-metadata |
||||
# agents. |
||||
exec $@ --db-sb-create-insecure-remote=yes |
||||
else |
||||
exec $@ |
||||
fi |
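Review bot: `exec $@` in both branches re-splits the arguments on whitespace and glob-expands them, and `` `basename $1` `` fails with a usage error when the wrapper is invoked without arguments; use `exec "$@"` and `"$1"`, and since this is bash, `[[ $(basename "$1") == 'ovn-ctl' && $(snapctl get config.clustered) == 'true' ]]` avoids the non-POSIX `==` inside `[` and the deprecated `-a`. The `--db-sb-create-insecure-remote=yes` branch opens the southbound DB to unauthenticated TCP clients, which the TODO already acknowledges; the comment could also name the port it listens on so operators know what to firewall until TLS lands.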
@ -0,0 +1,79 @@
|
||||
#!/usr/bin/env python3 |
||||
|
||||
import os |
||||
import sys |
||||
import logging |
||||
from subprocess import check_call, check_output, call, run |
||||
from pyroute2 import netns |
||||
|
||||
logging.basicConfig(stream=sys.stdout, level=logging.DEBUG) |
||||
|
||||
|
||||
if __name__ == '__main__': |
||||
# Work around the lack of modified LD_LIBRARY_PATH and PATH variables with |
||||
# snap-specific content. |
||||
snap_dir = os.environ['SNAP'] |
||||
snap_libs = (f'{snap_dir}/lib:{snap_dir}/usr/lib:' |
||||
f'{snap_dir}/lib/x86_64-linux-gnu:' |
||||
f'{snap_dir}/usr/lib/x86_64-linux-gnu') |
||||
os.environ['LD_LIBRARY_PATH'] = snap_libs |
||||
|
||||
check_call(['snapctl', 'start', 'microstack.ovsdb-server']) |
||||
check_call(['snapctl', 'start', 'microstack.ovs-vswitchd']) |
||||
|
||||
logging.info('Attempting to remove br-ex.') |
||||
check_call(['ovs-vsctl', '--if-exists', 'del-br', 'br-ex']) |
||||
|
||||
check_call(['snapctl', 'stop', 'microstack.ovsdb-server']) |
||||
check_call(['snapctl', 'stop', 'microstack.ovs-vswitchd']) |
||||
|
||||
for ns in netns.listnetns(): |
||||
if ns.startswith('ovnmeta-'): |
||||
logging.info(f'Removing the {ns} network namespace.') |
||||
netns.remove(ns) |
||||
|
||||
# Need to expose targets prior to starting iscsid in order to properly log out |
||||
# of iSCSI sessions. |
||||
check_call(['snapctl', 'start', 'microstack.target']) |
||||
check_call(['snapctl', 'start', 'microstack.iscsid']) |
||||
check_call(['sync']) |
||||
|
||||
# Assuming the QEMU processes have already been killed by snapd, |
||||
# log out of all targets prior to removing the snap to clean up |
||||
# the kernel state. |
||||
# TODO: be more selective about logging out since there may be sessions |
||||
# unrelated to MicroStack in the kernel. |
||||
# TODO: also clean up block devices by writing to |
||||
# /sys/class/block/<dev>/device/delete since those do not get deleted on |
||||
# session logout. |
||||
logging.info('Attempting to remove iscsi sessions from the kernel.') |
||||
res = run(['iscsiadm', '-m', 'node', '-u']) |
||||
# ISCSI_ERR_NO_OBJS_FOUND |
||||
if res.returncode == 21: |
||||
logging.debug('No iscsi sessions were found.') |
||||
elif res.returncode == 0: |
||||
logging.debug('Successfully logged the existing iscsi sessions out.') |
||||
else: |
||||
# Albeit this is an error condition we cannot do much in the remove |
||||
# hook to fix this besides logging since snapd does not stop the |
||||
# snap removal on error in the remove hook. |
||||
logging.error('Unexpected error code received from iscsiadm: ' |
||||
f'{res.returncode}') |
||||
check_call(['snapctl', 'stop', 'microstack.iscsid']) |
||||
check_call(['snapctl', 'stop', 'microstack.target']) |
||||
|
||||
# File-backed LVM resource cleanup (if present). |
||||
loop_file = f'{os.environ["SNAP_COMMON"]}/cinder-lvm.img' |
||||
allocated_loop_dev = check_output( |
||||
f'losetup -j {loop_file} | cut -d ":" -f 1', shell=True |
||||
).decode('utf-8').strip() |
||||
|
||||
if allocated_loop_dev: |
||||
cinder_lvm_vg = check_output([ |
||||
'snapctl', 'get', 'config.cinder.lvm-backend-volume-group'] |
||||
).strip() |
||||
if not call(['vgdisplay', cinder_lvm_vg]): |
||||
check_call(['vgremove', '-f', cinder_lvm_vg]) |
||||
if not call(['pvdisplay', allocated_loop_dev]): |
||||
check_call(['pvremove', '-f', allocated_loop_dev]) |
||||
check_call(['losetup', '-d', allocated_loop_dev]) |
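Review bot: The loop-device lookup shells out with `shell=True` and interpolates `loop_file` into the command line, and `losetup -j` prints one line per device attached to the file, so if more than one is attached `allocated_loop_dev` becomes a multi-line string and `losetup -d` is handed garbage; run losetup without a shell and parse the lines in Python, handling each device. Separately, every `check_call` here raises on failure and aborts the remaining cleanup, which contradicts the inline comment that the hook can only log because snapd does not stop removal on error — consider wrapping each stage so that a failing `ovs-vsctl` or `snapctl` does not skip the iSCSI/LVM cleanup. `cinder_lvm_vg` is also left as bytes; decoding it keeps the `vgdisplay`/`vgremove` argument lists uniformly str.
```python
    # … unchanged: OVS, netns and iSCSI cleanup above …

    # File-backed LVM resource cleanup (if present).
    loop_file = f'{os.environ["SNAP_COMMON"]}/cinder-lvm.img'
    # `losetup -j` prints "<dev>: ..." once per device attached to the file;
    # run it without a shell and cope with several devices.
    losetup_out = check_output(['losetup', '-j', loop_file]).decode('utf-8')
    loop_devs = [line.split(':', 1)[0].strip()
                 for line in losetup_out.splitlines() if line.strip()]

    if loop_devs:
        # … unchanged: snapctl get of the VG name, vgdisplay/vgremove …
        for loop_dev in loop_devs:
            if not call(['pvdisplay', loop_dev]):
                check_call(['pvremove', '-f', loop_dev])
            check_call(['losetup', '-d', loop_dev])
```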