260 Commits

Author SHA1 Message Date
Billy Olsen
4123da81ef Use default role of member for horizon
Default role configured for horizon is set to _member_ but this
is not a role which is configured in keystone. Change to use the
default role of 'member'.

Closes-Bug: #1861371
Change-Id: I08c171cb58ac669c0425274ebb9ceeb17bb9b3f9
2021-12-03 13:02:56 -07:00
Billy Olsen
2425d7822d Use SNAPCRAFT_ARCH_TRIPLET for GI_TYPELIB_PATH
Instead of using $SNAP_ARCH-linux-gnu, this environment variable should
be set to use the SNAPCRAFT_ARCH_TRIPLET.

Closes-Bug: #1943374
Change-Id: Ia066bfe8c16d41a339519cd3f0965d5d9926be86
2021-11-10 16:48:05 -07:00
Billy Olsen
839a895d4f Configure TLS for OVN
This patch configures TLS for OVN to use the local CA cert on the
controller. The compute nodes request certificates to be provided by the
CA cert and will use those certificates to configure local controller
connections to the OVN SB database via TLS. The client certificates are
validated against the control nodes CA.

Local connections on the control node continue to use the local unix
socket, which should be considered to be secure since it does not egress
the node.

Change-Id: Iacf5d5637c3a093bd80879c2ebb58efb16b52e66
2021-10-21 12:06:29 +00:00
Billy Olsen
19d74ff9ba Add PKI API for compute nodes certificates
Treat the control node as a CA for certificates at compute nodes.
Upon joining a cluster, the compute node will request a certificate to
be created by generating a CSR and asking the control node to sign the
certificate.

This adds new config options for the compute private keys and
certificate locations in use.

Change-Id: I8e8b1a86cf7df752b6cb34cfdf65a87a72934ec5
2021-10-20 11:50:43 -07:00
Billy Olsen
03ad23de71 Build Open vSwitch with OpenSSL support
Open vSwitch does not currently build with OpenSSL support due to the
libcrypto libraries not being able to dynamically load other modules.
Set the LIBS build-environment variable to enable dynamic linking during
the build process.

Change-Id: I5145068b00d3056125a6eb11f3c6621352530fae
2021-10-15 09:33:30 -07:00
Dmitrii Shcherbakov
648a45f3d9 Add template rendering in NovaHypervisor
In order to apply dynamically generated virt-type config to the actual
templates they need to be rendered.

Also improves a KVM presence check since the CPU features may be visible
to a container but KVM API via a character file might not be available
there.

The cpu-mode is now also set to "host-model" instead of "host-passthrough"
when emulation is used as it is done in the default config.

Closes-Bug: #1942761
Change-Id: I689543232a94f4df16445c6e3057c5a329d3f6ae
2021-09-14 16:08:35 +03:00
Zuul
42a50992ed Merge "Fix aarch64/arm64 support for MicroStack"
2021-09-07 08:42:08 +00:00
Zuul
5c91618974 Merge "Add debug logging for various nginx sites"
2021-09-06 12:32:47 +00:00
Dmitrii Shcherbakov
5176490845 Remove legacy post-refresh hook code
The versions in question have been outdated for a long time and nowadays
those code paths cause unnecessary overriding of calculated config
values with the default ones.

Closes-Bug: #1942433
Change-Id: I1393e8c5197cdb8ea83ad2a4c41e0bc5a219c509
2021-09-02 13:54:22 +03:00
Billy Olsen
c74223de0a Fix aarch64/arm64 support for MicroStack
Fix the builds for MicroStack on aarch64/arm64. To resolve the build
issues, the SNAP_ARCH and SNAP_ARCH_TRIPLET variables need to be used
in appropriate places to reference the underlying platform rather than
the x86_64 platform.

Arm64/Aarch64 support requires that EFI support is enabled, which
involves adding the EFI packages for arm64. These are also included for
x86_64 for ensuring consistency in EFI support between the
architectures. The /usr/share/{OVMF,AAVMF} paths need to be bind-mounted
to the appropriate locations to avoid having to custom build the
packages within the snap.

The setup sequence also needs to consider loading the right image into
glance. This is done by using the platform to determine which cirros
image to import into glance. A new cirros image was not included in this
patch for aarch64 platform in order to keep the snap image size lower.
The setup sequence has fallback code to attempt to download the image if
it is unavailable in the filesystem.

Finally, the snapcraft architectures for building microstack are limited
to the x86_64 and arm64 platforms. There's no need to build on s390x or
other architectures at this point.

Closes-Bug: #1821872

Change-Id: I26625621fb9895027139ecb895e882e60f2e6502
2021-07-29 12:52:09 -07:00
Dmitrii Shcherbakov
95fec96677 Remove timeout overrides
They were adjusted elsewhere to a higher value but are overridden here
to a lower value which causes job timeouts:

https://github.com/openstack-charmers/zosci-config/commit/c1cea9996d45936179ef73c7c03d0db7e1896f91
Change-Id: I3f99254df07d43105875ff44b977e20bd6b60f3f
2021-07-14 10:53:48 +03:00
Corey Bryant
4d4c142b07 Add debug logging for various nginx sites
A previous patch provided debug logging support, including
nginx.conf.j2, but failed to provide support to any nginx
site templates.

Change-Id: I7375fa52f2db847deee5c8181e47e68079714ab9
2021-05-26 16:40:46 -04:00
Corey Bryant
064aae8458 Add TLS OpenStack API endpoints
This patch provides TLS endpoints secured by a self-signed
certificate. Another patch will provide support for trusted CA-signed
certificates.

A new config.tls.generate-cert option is added that defaults to true.
When true, a self-signed certificate will be generated and OpenStack
API endpoints will be configured to use TLS with that self-signed
certificate. The following config options are added:

snap get microstack config.tls.generate-self-signed
snap get microstack config.tls.cacert-path
snap get microstack config.tls.cert-path
snap get microstack config.tls.key-path

Users can provide their own self-signed certificate by setting
generate-self-signed to false and storing their own certificates/key
at the paths specified by cacert-path, cert-path, and key-path.
'snap set' can also be used to change the cert/key file names.

If using clustering, the certificates/key will be copied from the
control node to the compute nodes. The config for cacert-path,
cert-path, and key-path will be set to the same values as on the
control node.

Other notable changes:
* The existing generate_selfsigned() function is modified to change
  the subject alternative name to be made up of the hostname and
  optionally an IP. The controller hostname and IP are used when
  generating the certificate for self-signed TLS endpoints. The
  hostname is now used instead of 'microstack.run' when generating
  the clustering certificate.
* This change also aligns logging for nginx and corresponding sites
  and moves all nginx sites to {snap_common}/etc/nginx/sites-enabled.

Change-Id: Iceea3127822404a3275fcf8a221cbedc4b52c217
2021-05-26 16:39:33 -04:00
Corey Bryant
abf8af66ef Get OpenStack tarballs from opendev.org
Change-Id: I5b716c29929e0cb15c6b442b74d24d5f4cece514
2021-05-07 14:40:13 -04:00
Corey Bryant
8839514e09 Switch DEMO to install with --devmode
Change-Id: I696ee8ecd5255dc0aa94021b1db0707c5cbe631e
2021-05-07 14:40:07 -04:00
Zuul
525b11fd21 Merge "Disable client_max_body_size checks in nginx"
2021-04-29 06:58:28 +00:00
Billy Olsen
727c562f2d Disable client_max_body_size checks in nginx
By default, nginx has a small (1MB) limit on the size of uploads,
which prevents using horizon interface to upload an image. Disabling
the client_max_body_size check allows for the glance configuration
to govern the maximum size image that should be accepted. This change
also disables proxy_buffering and proxy_request_buffering in order
to reduce buffering latency.

Closes-Bug: #1868503
Change-Id: I0a89e0845d6c7d2805556f87685d280b4e72122a
2021-04-28 13:35:04 -07:00
Billy Olsen
6bb7c63cd1 Enable libvirt daemon to listen for remote connections
Enable the libvirt daemon to listen for remote connections. This
enables the live migration of instances between nodes in a microstack
cluster. Note, this is using TCP based connections and not secured
TLS based connections. That work should be done as part of enabling
TLS everywhere.

Closes-Bug: #1925707
Change-Id: If00d825c52c2d0dd12bc652ba26f67160dc7a6c5
2021-04-27 14:47:47 -07:00
Billy Olsen
0d7785f233 Fix snapcraft build issues
The latest version of snapcraft fails to build microstack. Chasing
it down is due to multiple staged parts which have conflicting
information. Fixing that bit causes the uwsgi services not to run
correctly.

This patch fixes the uwsgi services by no longer overriding the python
home directory, since python3 is staged into the snap we can use the
default python home.

This patch also removes the libc6 staging into the package, which should
generally be avoided.

Change-Id: I8c176689083831a0b8b56a192a9fbdfb50edbb66
2021-04-26 22:20:33 -07:00
Zuul
b42d532c45 Merge "Move volume tests to experimental pipeline"
2021-04-12 19:06:30 +00:00
Zuul
b60b06b975 Merge "Switch param values in enable/disable shell commands"
2021-04-09 14:35:18 +00:00
Billy Olsen
3d98e1c437 Move volume tests to experimental pipeline
The volume tests are unreliable and need to be moved to an experimental
pipeline.

Change-Id: I7414fbdee4da57652bcf10840d2d40e35dc5d1d4
2021-04-08 14:28:52 -07:00
Billy Olsen
eb433ed6c1 Switch param values in enable/disable shell commands
The shell commands to enable or disable a service should pass
the --enable or --disable option following the verb and service
name.

Closes-Bug: #1900075
Change-Id: I97d868bbd005bc5bc9c71d6ddd6f2b7746dbf18b
2021-03-29 13:11:01 -07:00
Corey Bryant
0ef39f2865 Add debug logging and individual OpenStack log files
This change introduces config.logging.debug that defaults
to False. Setting to True will enable debug logging for
OpenStack and nginx services.

Change-Id: I2eb428851d795e145c542879faf22b2fd9f8a29f
2021-03-29 14:24:39 +03:00
Nikolay Vinogradov
f91270c692 Remove unneeded custom NRPE PPA
NRPE daemon runs under snap-daemon and not root.
Remove reference to the custom PPA.

Change-Id: I7d929f6ca52f436b8ca765b65367df74a2dc67dc
2021-03-18 16:03:42 +00:00
Corey Bryant
1f30e10b5b Drop glance-registry
Glance-registry has been deprecated since Queens and was removed
from the upstream source in Train.

Change-Id: Ia993bfce039cd46ced3442c9064e4af8547fa54f
2021-03-17 17:07:12 -04:00
Corey Bryant
c853b3e8c8 Enable rw snap mount for test debugging
Add support for using unsquashfs to uncompress the microstack snap
followed by 'snap try ./squashfs-root/'. This enables installation
of the snap as an rw mount, and local files can be modified in
./squashfs-root/ and will go live instantly. See 'snap try --help'
for more details.

New tox targets are added for snap-try, snap-try-basic, and
snap-try-cluster.

Change-Id: I54fb8dc864fd4f346f20ae986155ad36bb7c1fac
2021-03-17 17:04:45 -04:00
Corey Bryant
0ac2f83505 Only include loop devices in LVM global_filter
The following tempest test is failing regularly in the gate:
tempest.api.compute.volumes.test_attach_volume.AttachVolumeTestJSON.test_list_get_volume_attachments

The theory behind this fix is that tests are creating/deleting /dev/sdX
devices and LVM ends up attempting to open an already removed device
which causes LVM to temporarily block. Setting the global_filter will
limit the block devices that are used by LVM system components.
Microstack only uses a loopback device for LVM.

Closes-Bug: #1918306
Change-Id: I8cccf7a1b1af2e15106b11023652af23c7715e6f
2021-03-17 17:01:29 -04:00
Corey Bryant
7a966ed3f0 Avoid staging conflicts
Builds started failing due to staging failures where init,
openstack-projects, launch, cluster, qemu, and microstack parts
are attempting to stage the same files with different contents for
pip, pkg_resources, setuptools, and libglib2.0-0 libraries.

Change-Id: I759391edfff8fd1010eccba0c38814e3be49cc84
2021-03-15 12:22:32 -04:00
Corey Bryant
a622c6bb26 Switch to elasticsearch 7.x
There have been frequent 404 errors attempting to access the
artifacts.elastic.co archive for 5.x.

This also adds a tenacity retry to instance ping.

Change-Id: I04529e8d5584e006c090e790e9903592609343ee
2021-03-11 11:48:28 -05:00
Chris MacNaughton
84367961e3 Fail fast when one of the gate jobs fails
Change-Id: I8fc2b087400431ff4e850e1eafcc45fb12071004
2021-03-11 16:17:48 +01:00
Billy Olsen
0ae9adef3e Add missing dependencies to requirements.txt
Add missing dependencies to tools/init/test-requirements.txt
for running unit tests. Libraries are placed in
test-requirements.txt rather than requirements.txt due to library
versions included within the snap; if the versions in requirements.txt
differ from what's installed in the snap from Ubuntu core then the snap
fails to build.

Closes-Bug: #1908610
Change-Id: I83d623db3a8d3cd8f328b42da4aff5b71f2f0520
2021-01-21 18:49:08 +00:00
Dmitrii Shcherbakov
a904cb6804 Rework the test framework & the clustering test
* Remove the dead code;
* Rework the test types;
* Restore the instance connectivity check;
* Rework the clustering test to support the new node addition workflow;
* Check whether a machine where MicroStack is installed has hardware
  virtualization capabilities for different architectures. If not, use
  software emulation;
  * the host model is used with KVM since the default QEMU CPU models on
    x86_64 are subject to vulnerabilities without certain CPU-specific
    features. This conflicts with being able to use live migration
    reliably across hosts with different CPUs.
* Add a default-source-ip init argument to allow controlling the source
  IP of the installation host that will be used as a control ip or
  compute ip locally.
  * used in the clustering test so that the local host IP on the
    multipass network is used as a control IP instead of the IP
    through which the default gateway is available;
  * the IP through which the default gateway is accessible is
    used as a fallback for default-source-ip;
* Given upstream CI has a low amount of resources allocated per machine
  use LXD to set up a dummy compute node;
  * Set RLIMIT_MEMLOCK to 'unlimited' in the LXD container profile
    (see the discussion in LP: #1906280);
  * set remember_owner to 0 in qemu.conf for libvirt to avoid the
    uses of XATTRS (the root user is used anyway so there is no
    need to remember a file owner), otherwise libvirt errors out
    in an unprivileged LXD container.
* Use numeric versions of OpenStack packages in the python-packages
  section of the openstack-projects part since the resolver change in
  recent versions of pip disallows for constraints dependencies of
  packages that come from a URL or a path.
  https://github.com/pypa/pip/issues/8210
  * The newest released version of pip is always used during builds
    since snapcraft uses venv to set up virtual environments and the
    ensurepip package is invoked such that a pip version shipped with
    the distro version of python is upgraded:
    https://github.com/python/cpython/blob/3.8/Lib/venv/__init__.py#L282-L289
            cmd = [context.env_exe, '-Im', 'ensurepip', '--upgrade',
                                                    '--default-pip']
  * Environment variables are ignored when pip is installed in the venv:
    https://docs.python.org/3/using/cmdline.html#id2 (-I option)
    So there is no way to use the old pip version resolver.

Minor clustering client and add-compute changes:

* use stderr for diagnostic messages;
* use stdout to output the connection string so that it can be easily
  picked up by CLI tools without parsing.

Change-Id: I5cb3872c5d142c34da2c8b073652c67021d9ef55
2021-01-15 15:58:03 +03:00
Chris MacNaughton
902bd7c6c6 Migrate functional testing to third-party CI
* enable running lint with the upstream linters job;
* Use numeric versions of OpenStack packages in the python-packages
  section of the openstack-projects part since the resolver change in
  recent versions of pip disallows for constraints dependencies of
  packages that come from a URL or a path.
  https://github.com/pypa/pip/issues/8210
  * The newest released version of pip is always used during builds
    since snapcraft uses venv to set up virtual environments and the
    ensurepip package is invoked such that a pip version shipped with
    the distro version of python is upgraded:
    https://github.com/python/cpython/blob/3.8/Lib/venv/__init__.py#L282-L289
          cmd = [context.env_exe, '-Im', 'ensurepip', '--upgrade',
                                                  '--default-pip']
  * Environment variables are ignored when pip is installed in the venv:
  https://docs.python.org/3/using/cmdline.html#id2 (-I option)
  So there is no way to use the old pip version resolver.

Change-Id: Id97dc7f14301ed0f6aed3e10f5c00e6dd7ac93d2
Co-Authored-By: Dmitrii Shcherbakov <dmitrii.shcherbakov@canonical.com>
2021-01-15 14:08:02 +03:00
Corey Bryant
cbe8209969 Add command to README for retrieving admin password
The admin password is no longer hardcoded so update the README
with details for how to retrieve the password.

Change-Id: I72e79a6abce089d0da8e9bb1d27f120fbd5cc49f
2020-12-03 16:44:31 +00:00
Dmitrii Shcherbakov
a2cc37e278 Fix service enablement during init
Some services were disabled in the install hook and then started during
the init phase without being enabled. Thus, after a machine restart they
were not brought back up by systemd.

Change-Id: I27f7d7fa6b8df104567b91b5bc998ebe98b478a2
2020-11-12 15:01:32 +03:00
Dmitrii Shcherbakov
6087f4cb3b Skip hostname checks and drop IP-based ACLs
* A reliable DNS setup cannot be assumed in MicroStack installations so
  relying on the host cache behavior of MySQL is not reliable. MySQL resolves
  an IP address to a host name and resolves that host name back to an IP
  address (https://dev.mysql.com/doc/refman/8.0/en/host-cache.html);
* IP addresses are not guaranteed to be static in a MicroStack
  deployment although this is preferable. Likewise, for services like
  cinder-volume to access the database on secondary nodes they need to
  be allowed to do that at the MySQL ACL level.

Change-Id: Ib87ab0a71fa83dad8e8ddb40f34907ab24999423
2020-11-09 13:30:41 +03:00
Billy Olsen
d7f3c1229f Use UTC for expiration date of tokens
Keystone assumes UTC for expires_at dates when generating auth
tokens, so set the expires_at to UTC timezone before making
the request.

Change-Id: I55cb6ccf7a8cf79057d5699372ecd27bf936643f
Closes-Bug: #1903208
2020-11-05 20:42:03 -07:00
Dmitrii Shcherbakov
c19525476d Drop pci-stub from the load-modules service
pci-stub is available on Ubuntu from modules-extra kernel packages,
however, those are not always installed.

By the looks of it, this module is no longer supported by Libvirt either
(presumably in favor of VFIO):
b8e7e9be9a

Change-Id: I0db4d43d458893493232e150ae2f5b2bb7e05772
Closes-Bug: #1900113
2020-10-21 16:07:17 +03:00
Dmitrii Shcherbakov
e690b22381 Add a [placement] section into Neutron config
It appears to be that the Neutron Segment plugin needs to instantiate a
placement service client which requires credentials and other connection
details:
https://opendev.org/openstack/neutron/src/branch/stable/ussuri/neutron/services/segments/plugin.py#L188

Otherwise, the following exception can be seen periodically in the
Neutron log:

keystoneauth1.exceptions.auth_plugins.MissingAuthPlugin:
 An auth plugin is required to determine endpoint URL

Change-Id: I480292a1c74c376db5c9797b1fcc8469e0e5507a
2020-10-15 14:30:15 +03:00
Dmitrii Shcherbakov
0ba5358865 Add Secure Clustering
* Add a connection-string based workflow to MicroStack;
  * microstack add-compute command can be run at the Control node in
    order to generate a connection string (an ASCII blob for the user);
  * the connection string contains:
    * an address of the control node;
    * a sha256 fingerprint of the TLS certificate used by the clustering
      service at the control node (which is used during verification
      similar to the Certificate Pinning approach);
    * an application credential id;
    * an application credential secret (short expiration time, reader
      role on the service project, restricted to listing the service
      catalog);
  * a MicroStack admin is expected to have ssh access to all nodes that
    will participate in a cluster - prior trust establishment is on
    them to figure out which is normal since they provision the nodes;
  * a MicroStack admin is expected to securely copy a connection string
    to a compute node via ssh. Since it is short-lived and does not
    carry service secrets, there is no risk of a replay at a later time;
  * If the compute role is specified during microstack.init, a
    connection string is requested and used to perform a request to the
    clustering service and validate the certificate fingerprint. The
    credential ID and secret are POSTed for verification to the
    clustering service which responds with the necessary config data
    for the compute node upon successful authorization.
* Set up TLS termination for the clustering service;
  * run the flask app as a UWSGI daemon behind nginx;
  * configure nginx to use a TLS certificate;
  * generate a self-signed TLS certificate.

This setup does not require PKI to be present for its own purposes of
joining compute nodes to the cluster. However, this does not mean that
PKI will not be used for TLS termination of the OpenStack endpoints.

Control node init workflow (non-interactive):

sudo microstack init --auto --control
microstack add-compute
<the connection string to be used at the compute node>

Compute node init workflow (non-interactive):

sudo microstack init --auto --compute --join <connection-string>

Change-Id: I9596fe1e6e5c1a325cc71fd3bf0c78b660b9a83e
2020-10-15 01:37:33 +03:00
Dmitrii Shcherbakov
81cbaa4433 Fix the Neutron OVN metadata service setup
* Set the Nova metadata server address properly so that
  neutron-ovn-metadata-agents running on compute nodes forward the
  requests to the right place instead of trying to use 127.0.0.1;
* generate a random secret instead of hard-coding one.

Change-Id: I6525a4150808ef257bb7a8f49589c1151ca279b0
2020-10-10 08:32:11 +03:00
Dmitrii Shcherbakov
32ad5af7f4 Generate random passwords instead of hard-coding
* The prototype stage hard-coding of passwords is replaced by random
  generation of passwords for:
  * all API services;
  * RabbitMQ;
  * MySQL;
  * OpenStack admin user;
  * OpenStack service users;
* Passwords are not replaced upon successive microstack.init calls to
  preserve idempotency.

Change-Id: Ic3d6108a81d09bdd09e986f80b3040b030605178
2020-10-08 11:25:25 +03:00
Dmitrii Shcherbakov
71ad68d36a Fix Clustering after a rebase to Ussuri + OVN
The previous work included incorrect handling of
configuration for the multi-node case in terms of
OVN configuration.

This change addresses that in addition to other
minor fixes related to the clustering setup.

Change-Id: Ibf04af95271d1746f59192d11831d6129ba5b8d0
2020-10-05 02:37:02 +03:00
Dmitrii Shcherbakov
192dac812a Fix the cluster-server service definition
Looks like the cluster-server service got extra keys during editing of
the snapcraft.yaml file which went unnoticed. This change addresses
that.

Change-Id: I294b0b1e5702cb78bb5f22d01eae02e51a9056a0
2020-09-29 17:48:29 +03:00
Dmitrii Shcherbakov
9cfed61a07 Minor fixes per review 738242
* Set max_header_size to 38 per the upstream Neutron guide albeit the
header size can be variable:
https://tools.ietf.org/html/draft-ietf-nvo3-geneve-16#page-14

* The empty "plugs" entry results in the following error raised by the
auto-review tool of the snap store:

"invalid plugs entry (empty) lint-snap-v2_app_plugs (rabbitmq-plugins)"

Let's avoid this by removing the section altogether.

Change-Id: I1b192140c8ca3445bd817f7e583f303d1bb0a338
2020-09-28 19:23:55 +03:00
Dmitrii Shcherbakov
780a4c4ead Use focal/core20/Ussuri/OVN & enable confinement
Major changes:

* Plumbing necessary for strict confinement with
  the microstack-support interface
  https://github.com/snapcore/snapd/pull/8926
  * Until the interface is merged, devmode will be used and kernel
    modules will be loaded via an auxiliary service.
* upgraded OpenStack components to Focal (20.04) and OpenStack Ussuri;
  * reworked the old patches;
  * added the Placement service since it is now separate;
  * addressed various build issues due to changes in snapcraft and
    built dependencies:
    * e.g. libvirt requires the build directory to be separate from the
      source directory and LP: #1882255;
    * LP: #1882535 and https://github.com/pypa/pip/issues/8414
    * LP: #1882839
    * LP: #1885294
    * https://storyboard.openstack.org/#!/story/2007806
    * LP: #1864589
    * LP: #1777121
    * LP: #1881590
* ML2/OVS replaced with ML2/OVN;
  * dnsmasq is not used anymore;
  * neutron l3 and DHCP agents are not used anymore;
  * Linux network namespaces are only used for
    neutron-ovn-metadata-agent.
  * ML2 DNS support is done via native OVN mechanisms;
  * OVN-related database services (southbound and northbound dbs);
  * OVN-related control plane services (ovn-controller, ovn-northd);
* core20 base support (bionic hosts are supported);
* the removal procedure now relies on the "remove" hook since `snap
remove` cannot be used from the confined environment anymore;
* prerequisites to enabling AppArmor confinement for QEMU processes
  created by the confined libvirtd.
* Added the Spice html5 console proxy service to enable clients to
  retrieve and use it via
  `microstack.openstack console url show --spice <servername>`.
* Added missing Cinder templates and DB migrations for the Cinder DB.
* Added experimental support for a loop device-based LVM backend for
  Cinder. Due to LP: #1892895 this is not recommended to be used in
  production except for tempest testing with an applied workaround;
  * includes iscsid and iscsi-tcp kernel module loading;
  * includes LIO and loading of relevant kernel modules;
  * An LVM PV is created on top of a loop device with a backing file
  present in $SNAP_COMMON/cinder-lvm.img;
  * A VG is created on top of the PV;
  * LVs are created by Cinder and exported via LIO over iscsi to iscsid
  which hot-plugs new SCSI devices. Those SCSI devices are then
  propagated by Nova to libvirt and QEMU during volume attachment;
* Added post-deployment testing via rally and tempest (via the
  microstack-test snap). A set of tests included into Refstack 2018.02
  is executed (except for object storage tests due to the lack of object
  storage support).

Change-Id: Ic70770095860a57d5e0a55a8a9451f9db6be7448
2020-09-25 13:20:12 +00:00
Dmitrii Shcherbakov
e59d15eb58 Add dirmngr to build-packages for lma-prep
LP builds fail due to the lack of dirmngr:

gpg: failed to start the dirmngr '/usr/bin/dirmngr':
No such file or directory

The tactical fix would be to add it, however, this will be removed once
the confinement patch change lands.

Change-Id: I955be9e91476a3da62d6c6ba954815220443d491
2020-07-09 14:35:30 +03:00
Dmitrii Shcherbakov
47a1e79389 Use $SNAPCRAFT_PROJECT_DIR instead of relpaths
Launchpad builds are failing due to the use of relative paths to the
project directory from the current directory. Example:
https://launchpadlibrarian.net/487726073/buildlog_snap_ubuntu_bionic_amd64_microstack_BUILDING.txt.gz

SNAPCRAFT_PROJECT_DIR can be used instead.

Change-Id: I17d0876236a8f9d56c9fd5972e5ade9388119584
2020-07-08 22:06:22 +03:00
beierlm
f0c0fdd245 Adds genisoimage for cloud-init
Userdata is not able to be generated as a config drive
due to missing package in snap.

Change snap build to explicitly install LXD as confined
snap.

Change-Id: If03923a7a8223a9eec4e49bd612d39b231e788fb
Closes-Bug: 1884320
Signed-off-by: beierlm <mark.beierl@canonical.com>
2020-07-02 14:47:14 -04:00