Add support for using unsquashfs to uncompress the microstack snap
followed by 'snap try ./squashfs-root/'. This enables installation
of the snap as an rw mount, and local files can be modified in
./squashfs-root/ and will go live instantly. See 'snap try --help'
for more details.
New tox targets are added for snap-try, snap-try-basic, and
snap-try-cluster.
Change-Id: I54fb8dc864fd4f346f20ae986155ad36bb7c1fac
There have been frequent 404 errors attempting to access the
artifacts.elastic.co archive for 5.x.
This also adds a tenacity retry to instance ping.
Change-Id: I04529e8d5584e006c090e790e9903592609343ee
* Remove the dead code;
* Rework the test types;
* Restore the instance connectivity check;
* Rework the clustering test to support the new node addition workflow;
* Check whether a machine where MicroStack is installed has hardware
  virtualization capabilities for different architectures. If not, use
  software emulation;
  * the host model is used with KVM since the default QEMU CPU models on
    x86_64 are subject to vulnerabilities without certain CPU-specific
    features. This conflicts with being able to use live migration
    reliably across hosts with different CPUs.
* Add a default-source-ip init argument to allow controlling the source
  IP of the installation host that will be used as a control ip or
  compute ip locally.
  * used in the clustering test so that the local host IP on the
    multipass network is used as a control IP instead of the IP
    through which the default gateway is available;
  * the IP through which the default gateway is accessible is
    used as a fallback for default-source-ip;
* Given upstream CI has a low amount of resources allocated per machine
  use LXD to set up a dummy compute node;
  * Set RLIMIT_MEMLOCK to 'unlimited' in the LXD container profile
    (see the discussion in LP: #1906280);
  * set remember_owner to 0 in qemu.conf for libvirt to avoid the
    uses of XATTRS (the root user is used anyway so there is no
    need to remember a file owner), otherwise libvirt errors out
    in an unprivileged LXD container.
* Use numeric versions of OpenStack packages in the python-packages
  section of the openstack-projects part since the resolver change in
  recent versions of pip disallows for constraints dependencies of
  packages that come from a URL or a path.
  https://github.com/pypa/pip/issues/8210
* The newest released version of pip is always used during builds
  since snapcraft uses venv to set up virtual environments and the
  ensurepip package is invoked such that a pip version shipped with
  the distro version of python is upgraded:
  https://github.com/python/cpython/blob/3.8/Lib/venv/__init__.py#L282-L289
      cmd = [context.env_exe, '-Im', 'ensurepip', '--upgrade',
             '--default-pip']
* Environment variables are ignored when pip is installed in the venv:
  https://docs.python.org/3/using/cmdline.html#id2 (-I option)
  So there is no way to use the old pip version resolver.

Minor clustering client and add-compute changes:
* use stderr for diagnostic messages;
* use stdout to output the connection string so that it can be easily
  picked up by CLI tools without parsing.
Change-Id: I5cb3872c5d142c34da2c8b073652c67021d9ef55
* Add a connection-string based workflow to MicroStack;
  * microstack add-compute command can be run at the Control node in
    order to generate a connection string (an ASCII blob for the user);
  * the connection string contains:
    * an address of the control node;
    * a sha256 fingerprint of the TLS certificate used by the clustering
      service at the control node (which is used during verification
      similar to the Certificate Pinning approach);
    * an application credential id;
    * an application credential secret (short expiration time, reader
      role on the service project, restricted to listing the service
      catalog);
  * a MicroStack admin is expected to have ssh access to all nodes that
    will participate in a cluster - prior trust establishment is on
    them to figure out which is normal since they provision the nodes;
  * a MicroStack admin is expected to securely copy a connection string
    to a compute node via ssh. Since it is short-lived and does not
    carry service secrets, there is no risk of a replay at a later time;
  * If the compute role is specified during microstack.init, a
    connection string is requested and used to perform a request to the
    clustering service and validate the certificate fingerprint. The
    credential ID and secret are POSTed for verification to the
    clustering service which responds with the necessary config data
    for the compute node upon successful authorization.
* Set up TLS termination for the clustering service;
  * run the flask app as a UWSGI daemon behind nginx;
  * configure nginx to use a TLS certificate;
  * generate a self-signed TLS certificate.

This setup does not require PKI to be present for its own purposes of
joining compute nodes to the cluster. However, this does not mean that
PKI will not be used for TLS termination of the OpenStack endpoints.

Control node init workflow (non-interactive):

    sudo microstack init --auto --control
    microstack add-compute
    <the connection string to be used at the compute node>

Compute node init workflow (non-interactive):

    sudo microstack init --auto --compute --join <connection-string>
Change-Id: I9596fe1e6e5c1a325cc71fd3bf0c78b660b9a83e
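The fingerprint check described in the commit message above, as an added example that is not part of the commit or of MicroStack's code: the compute node compares the SHA-256 of the certificate presented on the TLS connection with the value carried in the connection string, and sends the credential only on that same connection. The blob encoding (base64url over JSON), the field names, the `/join` path and the `port` argument are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import http.client
import json
import ssl


class FingerprintMismatch(Exception):
    """The server's certificate is not the one named in the connection string."""


def encode_connection_string(hostname, cert_der, cred_id, cred_secret):
    # Assumed encoding (base64url over JSON); the real blob format is not shown.
    info = {"hostname": hostname,
            "fingerprint": hashlib.sha256(cert_der).hexdigest(),
            "id": cred_id, "secret": cred_secret}
    return base64.urlsafe_b64encode(json.dumps(info).encode()).decode("ascii")


def decode_connection_string(blob):
    info = json.loads(base64.urlsafe_b64decode(blob.encode("ascii")))
    missing = {"hostname", "fingerprint", "id", "secret"} - set(info)
    if missing:
        raise ValueError("connection string lacks %s" % sorted(missing))
    return info


class PinnedChannel:
    """HTTPS connection that exposes the peer certificate before any request."""

    def __init__(self, hostname, port, timeout=10):
        # The certificate is self-signed, so chain and hostname validation are
        # off; join() below is the only thing that authenticates the server.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        self.conn = http.client.HTTPSConnection(hostname, port,
                                                timeout=timeout, context=ctx)
        self.conn.connect()
        self.cert_der = self.conn.sock.getpeercert(binary_form=True)

    def post(self, body):
        # "/join" is a hypothetical path for the clustering service.
        self.conn.request("POST", "/join", body,
                          {"Content-Type": "application/json"})
        return self.conn.getresponse().read()

    def close(self):
        self.conn.close()


def join(blob, open_channel):
    """Send the credential only over a connection whose cert matches the pin."""
    info = decode_connection_string(blob)
    expected = bytes.fromhex(info["fingerprint"])
    channel = open_channel(info["hostname"])
    presented = hashlib.sha256(channel.cert_der or b"").digest()
    if not hmac.compare_digest(presented, expected):
        channel.close()
        raise FingerprintMismatch("refusing to send credentials to %s"
                                  % info["hostname"])
    body = json.dumps({"credential-id": info["id"],
                       "credential-secret": info["secret"]}).encode()
    try:
        return channel.post(body)
    finally:
        channel.close()
```

Against a live service the call would be `join(blob, lambda host: PinnedChannel(host, port))`, with `port` set to wherever the clustering service listens.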
* The prototype stage hard-coding of passwords is replaced by random
  generation of passwords for:
  * all API services;
  * RabbitMQ;
  * MySQL;
  * OpenStack admin user;
  * OpenStack service users;
* Passwords are not replaced upon successive microstack.init calls to
  preserve idempotency.
Change-Id: Ic3d6108a81d09bdd09e986f80b3040b030605178
Major changes:
* Plumbing necessary for strict confinement with
  the microstack-support interface
  https://github.com/snapcore/snapd/pull/8926
  * Until the interface is merged, devmode will be used and kernel
    modules will be loaded via an auxiliary service.
* upgraded OpenStack components to Focal (20.04) and OpenStack Ussuri;
  * reworked the old patches;
  * added the Placement service since it is now separate;
  * addressed various build issues due to changes in snapcraft and
    built dependencies:
    * e.g. (libvirt requires the build directory to be separate from the
      source directory) and LP: #1882255;
    * LP: #1882535 and https://github.com/pypa/pip/issues/8414
    * LP: #1882839
    * LP: #1885294
    * https://storyboard.openstack.org/#!/story/2007806
    * LP: #1864589
    * LP: #1777121
    * LP: #1881590
* ML2/OVS replaced with ML2/OVN;
  * dnsmasq is not used anymore;
  * neutron l3 and DHCP agents are not used anymore;
  * Linux network namespaces are only used for
    neutron-ovn-metadata-agent.
  * ML2 DNS support is done via native OVN mechanisms;
  * OVN-related database services (southbound and northbound dbs);
  * OVN-related control plane services (ovn-controller, ovn-northd);
* core20 base support (bionic hosts are supported);
* the removal procedure now relies on the "remove" hook since `snap
  remove` cannot be used from the confined environment anymore;
* prerequisites to enabling AppArmor confinement for QEMU processes
  created by the confined libvirtd.
* Added the Spice html5 console proxy service to enable clients to
  retrieve and use it via
  `microstack.openstack console url show --spice <servername>`.
* Added missing Cinder templates and DB migrations for the Cinder DB.
* Added experimental support for a loop device-based LVM backend for
  Cinder. Due to LP: #1892895 this is not recommended to be used in
  production except for tempest testing with an applied workaround;
  * includes iscsid and iscsi-tcp kernel module loading;
  * includes LIO and loading of relevant kernel modules;
  * An LVM PV is created on top of a loop device with a backing file
    present in $SNAP_COMMON/cinder-lvm.img;
  * A VG is created on top of the PV;
  * LVs are created by Cinder and exported via LIO over iscsi to iscsid
    which hot-plugs new SCSI devices. Those SCSI devices are then
    propagated by Nova to libvirt and QEMU during volume attachment;
* Added post-deployment testing via rally and tempest (via the
  microstack-test snap). A set of tests included into Refstack 2018.02
  is executed (except for object storage tests due to the lack of object
  storage support).
Change-Id: Ic70770095860a57d5e0a55a8a9451f9db6be7448
As PhantomJS is no longer maintained and there are packaging problems,
let's switch to using Firefox in a headless configuration which is a
scenario supported by Selenium.
Change-Id: Ic98c5b71202f033b9013c126f6bacdb49980acfa
Fixed issue where tests/framework.py was ignoring DISTRO env
variable.
Added SNAP_FILE env variable, which allows tests to be run on an
arbitrary .snap file. For example, one fetched with `snap download`.
Change-Id: Ie6cce841e00d6d56d0525d0a81c4faad3c54e8e8
(Not complete strict confinement, but these don't break anything
devmode related, and get us closer to having strict confinement
working.)
Added more needed interfaces to snapcraft.yaml.
Created a wrapper around dnsmasq so that we can run as the snap_daemon
user. Added snap_daemon user to snapcraft.yaml.
Added a utility script for connecting interfaces that don't auto
connect (tools/connect.sh). Not useful for production, but saves a lot
of time when testing.
libvirt no longer uses unix sock group "sudo" (can't run setguid in
strict confinement).
Got rid of "find_missing_plugins" in init script. By the time we
release strict confinement to production, all those plugins will auto
connect.
Change-Id: I8324ac7bd0332c41cac17703eb15d7301e7babf3
Make MicroStack strictly confined, albeit in devmode for now.
Addresses unpredictable breakages with apt package upgrades in eoan
and focal, and sets the stage for a better isolated, less fragile snap
going forward.
We now use layouts to handle libvirt and qemu setting paths at compile
time. This is cleaner than the organize hack.
Moved away from calls to systemctl in init, as a strictly confined
snap cannot call systemctl on a non snappy system.
Disabled call to sysctl to set ipv4_forwarding, as we don't have access
to sysctl in a strictly confined snap. This may break some users, and
we need to figure out a way to address the breakage.
Got rid of questions.shell.shell routine, moving rabbitmq setup into a
bash script instead (it's just cleaner).
Moved keypair creation into launch script, as it's difficult to do
sensible things with keypair creation in the init script, which is
running using sudo, and therefore doesn't have access to
/home/<someuser>/snap
Added (but commented out) code that will check to verify that plugs
are connected before running microstack.init or ovs-vsctl. This code
may go away entirely, as we plan on auto connecting all of our
interfaces, and don't technically need to guard against not having
them connected.
Added temporary local upper-constraints file, to fix an issue where
upstream upper-constraints was breaking pip install by setting a
neutron version. This needs a better long term fix, but works for now.
Closes-bug: 1860660
Change-Id: Iaf1f1482609f05285ed9061317b32e90bffd2da0
Added build-environment to qemu (works around issue where patchelf was
not finding libs).
Added hack to force wrapping of all non bash apps, to work around
snapd issue with multiple instances of PATH in the snap environment.
Also snuck in fix for horizon build. Horizon is specified in upstream
constraints now, which means that our build fails if we try to build
it from source in the same part that looks at the constraints file.
Misc fixes to make the tests nicer.
Change-Id: I50c88878c4f9dbb07006cab899a717e334be07d0
Running microstack.remove will remove the br-ex virtual bridge device,
then uninstall MicroStack.
We do this because we can't use ovs-ctl to remove the bridge as part
of a remove hook, as the Open vSwitch daemons are not running at that
point. The microstack.remove command gives operators a way to cleanly
uninstall the snap, without needing to reboot to get rid of br-ex.
Added test exercising the code to test_basic.py.
Rearranged entry points a bit (moved some things into main.py) to make
code sharing easier, and to prevent a proliferation of entry point
scripts in our root dir.
Change-Id: I9ff25864cd96ada3a9b3da8992c2b33955eff0b4
Closes-Bug: #1852147
Addresses requests to make it easier to avoid conflicts between the
Horizon dashboard and http services that might already be running on
the machine.
Configurable via snap config. Exposing via arguments to .init and
testing post init configuration is left for a separate PR.
Eventually, these may move to non standard ports by default. This PR
sets the stage for that, but further discussion is needed before we
decide whether to implement.
(This commit also contains a sneaky fix for the username display at the
end of the launch script.)
Closes-Bug: 1814829
Change-Id: If728d6ec8024bca4d3e809637fbdcc03ed4e6934
Refactored test framework so that we have more flexibility in terms of
installing various versions of microstack before and after running
some tests. Moved in class "globals" into per instance variables,
to avoid broken cases with incomplete cleanup.
Added test_refresh.py, plus matching env in tox.
Refresh tests will fail currently, because we have some pending issues
that break refreshes. Fixing those is a subject for a different
commit.
Refactored cluster_test.py and control_test.py to use new framework.
Should (and do) pass.
Framework now cleans up multipass hosts regardless of whether or not
the tests passed. Leaning on the .tar.gz for local troubleshooting
helps us make it better for in gate troubleshooting.
Change-Id: I6a45b39132f5959c2944fe1ebbe10f71408ee777
Added a question which allows off host access to horizon
dashboard. Activated it by default, as that's probably what people are
going to actually want.
Change-Id: I0d5bccb3b2eb2b409072d8ae5f8b923942386119
Moved to pure Python where clib conflicts arose in using command line
tools.
Fixed erroneous assumptions about the presence and reliability of a
$HOME variable while running init.
Added tests specific to eoan, disco and xenial. They are not yet part
of the gate.
Change-Id: I2fc74fcc2ae9876442bb87a3446aef48d0428f2f
This enables basic clustering functionality. We add:
tools/cluster/cluster/daemon.py: A server that handles validation of
cluster passwords.
tools/cluster/cluster/client.py: A client for this server.
Important Note: This prototype does not support TLS, and the
functionality in the client and server is basic. Before we roll
clustering out to production, we need to have those two chat over TLS,
and be much more careful about verifying credentials.
Also included ...
Various fixes and changes to the init script and config templates to
support cluster configuration, and allow for the fact that we may have
endpoint references for two network ips.
Updates to snapcraft.yaml, adding the new tooling.
A more formalized config infrastructure. It's still a TODO to move the
specification out of the implicit definition in the install hook, and
into a nice, explicit, well documented yaml file.
Added nesting to the Question classes in the init script, as well as
strings pointing at config keys, rather than having the config be
implicitly indicated by the Question subclass' name. (This allows us
to put together a config spec that doesn't require the person reading
the spec to understand what Questions are, and how they are
implemented.)
Renamed and unified the "unit" and "lint" tox environments, to allow
for the multiple Python tools that we want to lint and test.
Added hooks in the init script to make it possible to do automated
testing, and added an automated test for a cluster. Run with "tox -e
cluster".
Added cirros image to snap, to work around sporadic issues downloading
it from download.cirros.net.
Removed ping logic from snap, to work around failures in gate. Need to
add it back in once we fix them.
Change-Id: I44ccd16168a7ed41486464df8c9e22a14d71ccfd
Moved security rules and keypair creation into init first.
Launch script now takes image name as positional argument, and name of
instance as a named argument. This makes it work more like launch in
other Canonical tools.
Written in Python, for ease of maintenance.
--retry and --wait args allow it to behave like tests expect it to,
while humans will get a much more intuitive (and much less noisy)
experience.
Also increased time we wait for a ping on the host, to allow for
slower, pure qemu, emulation times, and bring it in line with what
Tempest does in similar situations.
Change-Id: I11dcc098012468e9c88dcc7af78cde6920f31ecd
Ported basic-test.sh to test_basic.py, and folded in
test_horizonlogin.py.
Made a testing framework for shared components.
Added test_control.py
Got rid of default .stestr.conf, as we're going to have multiple tests
running, and one conf is confusing.
Manually ordering functional tests for now, as stestr noms too much
output, and runs things in parallel, which doesn't work for our
functional tests.
Skipping compute node test for now, as it won't work until we can
connect to a control node with databases and such.
Moved very-basic-test.sh to tools/make-a-microstack.sh. It's really
more of a tool for manual testing than an automated test.
Added test-requirements and updated gitignore.
Moved auto-detection of kvm extensions to init, rather than test, as
it makes more sense there.
Change-Id: Iba7f7fe07cbb066790f802cf2a7c87c68994062c
This lays the groundwork for interactive init, as well as being able
to specify control and compute nodes.
Added preliminary config lists for control and compute nodes. Added
appropriate default snapctl config settings in install script.
Also changed "binary" questions to "boolean" questions, as that's
better wording, and it means that my docstrings are not a confusing
mix of "boolean" and "binary" when I forget which term I used.
Snuck in a fix for the "basic" testing environment -- it was missing
the Python requirements, and was therefore failing!
Change-Id: I7f95ab68f924fa4d4280703c372b807cc7c77758
We want to allow operators to override Horizon's default
settings. This involves moving local_settings.d out of the read only
snap filesystem, and into $SNAP_COMMON. This is a little bit tricky.
First, we patch settings.py and local_settings.py as we're building the
snap, to include a LOCAL_PATH in $SNAP_COMMON.
Then, we add a template with the rest of our default overrides,
and write it out to $SNAP_COMMON/horizon/local_settings.d
Finally we tweak our tests so that we can give our overrides a
spin. As a bonus, this makes test_horizonlogin.py a lot easier to run
in our multipass testing scenario!
`tox -e basic` now also runs selenium tests, as well.
Change-Id: Ic0ce18cfa1b97a93191da749095d8aa2270d5aeb
Port the python2.7 local settings overrides to the python3.6 directory
structure.
Move all local_settings.py overrides into _05_snap_tweaks.py as part
of troubleshooting some remaining problems. Everything is more
organized and functional now :-)
Added selenium tests.
Change-Id: I54923e1dc9c7ffa47c2ef6fb90ea9d224b0d2eee
Move openstack-projects part from python2 to python3.
Add cloud archive.
Update qemu and libvirt versions to those from cloud archive (they
work with python3, while the distro packages versions don't).
Switch from rocky to stein.
Fetch libvirt and qemu sources via "apt source". Gets rid of sub
version hard coding in snapcraft.
Update hard coded references in tests to rocky from stein.
Change-Id: Idb38717998a13feaaf0782e880e540f28bc452a8
Renamed the old and outdated "configure-openstack" script to "init.sh"
Updated init.sh and folded most of the configure hook into it.
Removed database installation step from install hook.
We can now install microstack without a database dump, which helps
immensely in updating. And we have a logical place to put additional
configuration, including some of the manual steps in DEMO.md, which
could be scripted if we gave users a chance to skip the system changes
that they wanted to skip.
Also updated README and DEMO file to match new flow. Updated test
files.
Future cleanup and features documented in Trello, but not included in
this PR, which is big enough already :-)
Change-Id: I8d926a8b463124494ddb7a4696adbe86f89db7d5
Tweaked tests/basic_test.sh functional test so that it no longer
requires multipass, and can run without kvm cpu extensions being
enabled (not all machines in the game have cpu extensions.)
Added tox.ini, wrapper script for building and installation, etc.
Change-Id: I968116dd7bec412a55813c896d60cfc86c7070db
Refactor snap to work with core18.
Giving the snapcraft.yaml a base property helps tremendously with the
efficiency of the build process, and I believe that it puts us in a
better position to reliably support non Ubuntu distros going forward.
This also bases us on long supported bionic libraries, and gives us a
nice place to work from as we add Python 3 and Stein support, as well
as general polish and fixes.
Dropped a command to change the endpoints from localhost to 10.20.20.1
in the configure hook.
This is a temporary solution, pending automation of the database
update. (I was burning too much time getting a manual dump to work for
now.)
Updated the mysql tarball, which has the localhost -> 10.20.20.1
update.
Test for pinging Internet was failing due to not waiting long enough,
so added a proper retry strategy.
Addresses the issue where services such as a juju controller cannot
access endpoints from within an instance.
Updated all references to localhost to 10.20.20.1, and added the
address to ALLOWED_HOSTS.
Also updated version of qemu lib.
This is a little messy -- it's a bash script with some outside
dependencies, and it makes assumptions about the capabilities of the
environment that it's being run in. But it does basically work, and
provides contributors with some basic reassurance that they have built
a working snap.
* Added install hooks for keystone.
* Fixed merge conflicts related to mysql reorg.
* Resolved more mysql merge conflicts.
* Resolved merge conflicts related to rabbitmq refactor.
* Added configure-the-things script to tests
* Turned off horizon for now.
* Disabled a bunch of daemons -- can reenable one by one as we verify them to be working.
* Added configure script, but exit 0 before configuring mysql -- there's something broken about the pathing.
* Fixed stray 'sudo' in configure hook, which was causing problems.
* Split uwsgi daemons into service specific directories
Enable all daemons again.
* Add .d configuration for nova, keystone and glance
* Misc updates
* Drop nova-consoleauth as it's deprecated at rocky
* Rename neutron-manage -> neutron-db-manage
* Add neutron and nova hypervisor agents and configuration
* Add configuration files for new agents
* Update worker configuration
* Add libvirt support to nova parts
* Add fake sudo command to unconfuse things