The admin password is no longer hardcoded so update the README
with details for how to retrieve the password.
Change-Id: I72e79a6abce089d0da8e9bb1d27f120fbd5cc49f

Some services were disabled in the install hook and then started during
the init phase without being enabled. Thus, after a machine restart they
were not brought back up by systemd.
Change-Id: I27f7d7fa6b8df104567b91b5bc998ebe98b478a2

* A reliable DNS setup cannot be assumed in MicroStack installations so
relying on the host cache behavior of MySQL is not reliable. MySQL resolves
an IP address to a host name and resolves that host name back to an IP
address (https://dev.mysql.com/doc/refman/8.0/en/host-cache.html);
* IP addresses are not guaranteed to be static in a MicroStack
deployment although this is preferable. Likewise, for services like
cinder-volume to access the database on secondary nodes they need to
be allowed to do that at the MySQL ACL level.
Change-Id: Ib87ab0a71fa83dad8e8ddb40f34907ab24999423

Keystone assumes UTC for expires_at dates when generating auth
tokens, so set the expires_at to UTC timezone before making
the request.
Change-Id: I55cb6ccf7a8cf79057d5699372ecd27bf936643f
Closes-Bug: #1903208

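The timezone pitfall above, as an added example (not MicroStack's own code): expires_at is computed from a timezone-aware time and converted to UTC before it is placed in the request body. The function names, the `reader` role and the request layout are assumptions made for illustration; the `expires_at` format without an offset suffix follows the Keystone v3 API documentation.

```python
# Added example (not MicroStack's own code): compute a Keystone-compatible
# expires_at value, always expressed in UTC.
from datetime import datetime, timedelta, timezone
from typing import Optional


def make_expires_at(lifetime_seconds: int, now_iso: Optional[str] = None) -> str:
    """Return expires_at as an ISO 8601 UTC timestamp without an offset suffix.

    Keystone interprets expires_at as UTC. A naive local time would be read
    as if it were UTC, shifting the lifetime by the host's UTC offset, so the
    conversion is done explicitly here.

    now_iso: optional ISO 8601 timestamp carrying an offset (e.g. "...-05:00");
    defaults to the current time in UTC. A naive timestamp is rejected.
    """
    if now_iso is None:
        now = datetime.now(timezone.utc)
    else:
        now = datetime.fromisoformat(now_iso)
        if now.tzinfo is None:
            raise ValueError("now_iso must carry a UTC offset; naive times are ambiguous")
    expires = (now + timedelta(seconds=lifetime_seconds)).astimezone(timezone.utc)
    # Keystone's documented format carries no offset, so tzinfo is dropped only
    # after the value has been converted to UTC (microsecond precision assumed).
    return expires.replace(tzinfo=None).isoformat(timespec="microseconds")


def application_credential_request(name: str, lifetime_seconds: int,
                                   now_iso: Optional[str] = None) -> dict:
    """Body for creating a short-lived, restricted application credential.

    The shape follows the Keystone v3 application credential API; the role
    name and the flags are illustrative.
    """
    return {
        "application_credential": {
            "name": name,
            "expires_at": make_expires_at(lifetime_seconds, now_iso),
            "roles": [{"name": "reader"}],
            "unrestricted": False,
        }
    }


if __name__ == "__main__":
    # Noon in UTC-5 plus one hour is 18:00 UTC, whatever the host's zone is.
    print(make_expires_at(3600, "2020-11-05T12:00:00-05:00"))
```

The check worth keeping from this is the rejection of naive timestamps: every caller that builds expires_at has to start from an aware value, so the UTC conversion cannot be skipped by accident.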
pci-stub is available on Ubuntu from modules-extra kernel packages,
however, those are not always installed.
By the looks of it, this module is no longer supported by Libvirt either
(presumably in favor of VFIO):
b8e7e9be9a
Change-Id: I0db4d43d458893493232e150ae2f5b2bb7e05772
Closes-Bug: #1900113

It appears to be that the Neutron Segment plugin needs to instantiate a
placement service client which requires credentials and other connection
details:
https://opendev.org/openstack/neutron/src/branch/stable/ussuri/neutron/services/segments/plugin.py#L188
Otherwise, the following exception can be seen periodically in the
Neutron log:
keystoneauth1.exceptions.auth_plugins.MissingAuthPlugin:
An auth plugin is required to determine endpoint URL
Change-Id: I480292a1c74c376db5c9797b1fcc8469e0e5507a

* Add a connection-string based workflow to MicroStack;
* microstack add-compute command can be run at the Control node in
order to generate a connection string (an ASCII blob for the user);
* the connection string contains:
  * an address of the control node;
  * a sha256 fingerprint of the TLS certificate used by the clustering
    service at the control node (which is used during verification
    similar to the Certificate Pinning approach);
  * an application credential id;
  * an application credential secret (short expiration time, reader
    role on the service project, restricted to listing the service
    catalog);
* a MicroStack admin is expected to have ssh access to all nodes that
will participate in a cluster - prior trust establishment is on
them to figure out which is normal since they provision the nodes;
* a MicroStack admin is expected to securely copy a connection string
to a compute node via ssh. Since it is short-lived and does not
carry service secrets, there is no risk of a replay at a later time;
* If the compute role is specified during microstack.init, a
connection string is requested and used to perform a request to the
clustering service and validate the certificate fingerprint. The
credential ID and secret are POSTed for verification to the
clustering service which responds with the necessary config data
for the compute node upon successful authorization.
* Set up TLS termination for the clustering service;
  * run the flask app as a UWSGI daemon behind nginx;
  * configure nginx to use a TLS certificate;
  * generate a self-signed TLS certificate.
This setup does not require PKI to be present for its own purposes of
joining compute nodes to the cluster. However, this does not mean that
PKI will not be used for TLS termination of the OpenStack endpoints.
Control node init workflow (non-interactive):
sudo microstack init --auto --control
microstack add-compute
<the connection string to be used at the compute node>
Compute node init workflow (non-interactive):
sudo microstack init --auto --compute --join <connection-string>
Change-Id: I9596fe1e6e5c1a325cc71fd3bf0c78b660b9a83e

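The connection-string workflow above, as an added example that is not MicroStack's own implementation: the control node bundles its address, the SHA-256 fingerprint of the clustering service's certificate and the short-lived application credential into an ASCII blob; the compute node decodes it, checks the certificate it was actually presented against the pinned fingerprint, and only then releases the credential for the POST. The field names, the JSON-in-base64 layout and the certificate bytes are assumptions (the bytes are constructed stand-ins, not a real DER certificate).

```python
# Added example (not MicroStack's own code): connection string creation on the
# control node and pin verification on the compute node.
import base64
import hashlib
import hmac
import json
from typing import Dict

# Assumed field names; the real blob layout may differ.
REQUIRED_FIELDS = ("hostname", "fingerprint", "id", "secret")


def cert_fingerprint(cert_der: bytes) -> str:
    """Hex SHA-256 over the DER-encoded certificate, i.e. over the same bytes
    that ssl.SSLSocket.getpeercert(binary_form=True) returns."""
    return hashlib.sha256(cert_der).hexdigest()


def make_connection_string(control_address: str, cert_der: bytes,
                           app_cred_id: str, app_cred_secret: str) -> str:
    """Control-node side: bundle address, fingerprint and credential into an ASCII blob."""
    payload = {
        "hostname": control_address,
        "fingerprint": cert_fingerprint(cert_der),
        "id": app_cred_id,
        "secret": app_cred_secret,
    }
    return base64.b64encode(json.dumps(payload).encode("utf-8")).decode("ascii")


def parse_connection_string(blob: str) -> Dict[str, str]:
    """Compute-node side: decode the blob and reject anything malformed or incomplete."""
    try:
        # validate=True rejects stray characters instead of silently skipping them.
        data = json.loads(base64.b64decode(blob, validate=True))
    except ValueError as exc:  # binascii.Error and JSONDecodeError both subclass ValueError
        raise ValueError("connection string is not valid base64-encoded JSON") from exc
    if not isinstance(data, dict):
        raise ValueError("connection string payload must be a JSON object")
    missing = [f for f in REQUIRED_FIELDS if not isinstance(data.get(f), str)]
    if missing:
        raise ValueError("connection string is missing fields: " + ", ".join(missing))
    return data


def fingerprint_matches(expected_hex: str, presented_cert_der: bytes) -> bool:
    """Pinning check: constant-time comparison, so a mismatch leaks no prefix information."""
    return hmac.compare_digest(cert_fingerprint(presented_cert_der), expected_hex.lower())


def join_request(blob: str, presented_cert_der: bytes) -> Dict[str, str]:
    """Return the id/secret to POST to the clustering service, or raise if the
    certificate presented during the TLS handshake is not the pinned one."""
    data = parse_connection_string(blob)
    if not fingerprint_matches(data["fingerprint"], presented_cert_der):
        raise ValueError("TLS certificate fingerprint does not match the connection "
                         "string; refusing to send the application credential")
    return {"id": data["id"], "secret": data["secret"]}


if __name__ == "__main__":
    # Constructed stand-in for a DER certificate; not a real certificate.
    cert = b"constructed-der-bytes-not-a-real-certificate"
    blob = make_connection_string("10.20.20.1", cert, "app-cred-id", "app-cred-secret")
    print(blob)
    print(join_request(blob, cert))
```

The ordering in join_request is the point: the credential is never sent to an endpoint whose certificate has not matched the fingerprint carried in the blob, which is what makes the self-signed certificate usable without a PKI.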
* Set the Nova metadata server address properly so that
neutron-ovn-metadata-agents running on compute nodes forward the
requests to the right place instead of trying to use 127.0.0.1;
* generate a random secret instead of hard-coding one.
Change-Id: I6525a4150808ef257bb7a8f49589c1151ca279b0

* The prototype stage hard-coding of passwords is replaced by random
generation of passwords for:
  * all API services;
  * RabbitMQ;
  * MySQL;
  * OpenStack admin user;
  * OpenStack service users;
* Passwords are not replaced upon successive microstack.init calls to
preserve idempotency.
Change-Id: Ic3d6108a81d09bdd09e986f80b3040b030605178

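The idempotent generation described above, as an added example that is not MicroStack's own code: each password is drawn from the OS CSPRNG once, on the first init run that finds it missing, and every later run leaves the stored value alone. The key names are constructed, and the dict stands in for the snap's configuration store (snapctl get/set in a real snap).

```python
# Added example (not MicroStack's own code): random passwords generated once,
# never regenerated on repeated init calls.
import secrets
from typing import Dict, Iterable, List, Tuple

# Constructed key names; the real snap config keys may differ.
PASSWORD_KEYS: List[str] = [
    "config.credentials.mysql-root-password",
    "config.credentials.rabbitmq-password",
    "config.credentials.keystone-password",
    "config.credentials.nova-password",
    "config.credentials.neutron-password",
]


def ensure_passwords(store: Dict[str, str], keys: Iterable[str],
                     nbytes: int = 32) -> List[str]:
    """Fill in every missing or empty password; return the keys that were generated.

    secrets.token_urlsafe draws from the OS CSPRNG; 32 bytes is 256 bits of
    entropy, encoded as 43 URL-safe characters (no padding).
    """
    generated = []
    for key in keys:
        if store.get(key):
            continue  # keep the existing value so repeated init calls stay idempotent
        store[key] = secrets.token_urlsafe(nbytes)
        generated.append(key)
    return generated


def run_init_twice(keys: Iterable[str]) -> Tuple[List[str], List[str], bool, Dict[str, str]]:
    """Simulate two consecutive init runs against the same store.

    Returns the keys generated on the first run, the keys generated on the
    second run (expected to be none), whether the store was left unchanged by
    the second run, and the final store.
    """
    keys = list(keys)
    store: Dict[str, str] = {}
    first = ensure_passwords(store, keys)
    snapshot = dict(store)
    second = ensure_passwords(store, keys)
    return first, second, store == snapshot, store


if __name__ == "__main__":
    first, second, unchanged, store = run_init_twice(PASSWORD_KEYS)
    print("generated on first run:", len(first))
    print("generated on second run:", len(second))
    print("store unchanged by second run:", unchanged)
```

A store key that is present but empty is treated as missing on purpose: an empty password left behind by an interrupted earlier run should be replaced rather than preserved.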
The previous work included incorrect handling of
configuration for the multi-node case in terms of
OVN configuration.
This change addresses that in addition to other
minor fixes related to the clustering setup.
Change-Id: Ibf04af95271d1746f59192d11831d6129ba5b8d0

Looks like the cluster-server service got extra keys during editing of
the snapcraft.yaml file which went unnoticed. This change addresses
that.
Change-Id: I294b0b1e5702cb78bb5f22d01eae02e51a9056a0

* Set max_header_size to 38 per the upstream Neutron guide albeit the
header size can be variable:
https://tools.ietf.org/html/draft-ietf-nvo3-geneve-16#page-14
* The empty "plugs" entry results in the following error raised by the
auto-review tool of the snap store:
"invalid plugs entry (empty) lint-snap-v2_app_plugs (rabbitmq-plugins)"
Let's avoid this by removing the section altogether.
Change-Id: I1b192140c8ca3445bd817f7e583f303d1bb0a338

Major changes:
* Plumbing necessary for strict confinement with
the microstack-support interface
https://github.com/snapcore/snapd/pull/8926
* Until the interface is merged, devmode will be used and kernel
modules will be loaded via an auxiliary service.
* upgraded OpenStack components to Focal (20.04) and OpenStack Ussuri;
* reworked the old patches;
* added the Placement service since it is now separate;
* addressed various build issues due to changes in snapcraft and
built dependencies:
  * e.g. libvirt requires the build directory to be separate from the
    source directory) and LP: #1882255;
  * LP: #1882535 and https://github.com/pypa/pip/issues/8414
  * LP: #1882839
  * LP: #1885294
  * https://storyboard.openstack.org/#!/story/2007806
  * LP: #1864589
  * LP: #1777121
  * LP: #1881590
* ML2/OVS replaced with ML2/OVN;
* dnsmasq is not used anymore;
* neutron l3 and DHCP agents are not used anymore;
* Linux network namespaces are only used for
neutron-ovn-metadata-agent.
* ML2 DNS support is done via native OVN mechanisms;
* OVN-related database services (southbound and northbound dbs);
* OVN-related control plane services (ovn-controller, ovn-northd);
* core20 base support (bionic hosts are supported);
* the removal procedure now relies on the "remove" hook since `snap
remove` cannot be used from the confined environment anymore;
* prerequisites to enabling AppArmor confinement for QEMU processes
created by the confined libvirtd.
* Added the Spice html5 console proxy service to enable clients to
retrieve and use it via
`microstack.openstack console url show --spice <servername>`.
* Added missing Cinder templates and DB migrations for the Cinder DB.
* Added experimental support for a loop device-based LVM backend for
Cinder. Due to LP: #1892895 this is not recommended to be used in
production except for tempest testing with an applied workaround;
  * includes iscsid and iscsi-tcp kernel module loading;
  * includes LIO and loading of relevant kernel modules;
  * An LVM PV is created on top of a loop device with a backing file
    present in $SNAP_COMMON/cinder-lvm.img;
  * A VG is created on top of the PV;
  * LVs are created by Cinder and exported via LIO over iscsi to iscsid
    which hot-plugs new SCSI devices. Those SCSI devices are then
    propagated by Nova to libvirt and QEMU during volume attachment;
* Added post-deployment testing via rally and tempest (via the
microstack-test snap). A set of tests included into Refstack 2018.02
is executed (except for object storage tests due to the lack of object
storage support).
Change-Id: Ic70770095860a57d5e0a55a8a9451f9db6be7448

LP builds fail due to the lack of dirmngr:
gpg: failed to start the dirmngr '/usr/bin/dirmngr':
No such file or directory
The tactical fix would be to add it, however, this will be removed once
the confinement patch change lands.
Change-Id: I955be9e91476a3da62d6c6ba954815220443d491

Userdata is not able to be generated as a config drive
due to missing package in snap.
Change snap build to explicitly install LXD as confined
snap.
Change-Id: If03923a7a8223a9eec4e49bd612d39b231e788fb
Closes-Bug: 1884320
Signed-off-by: beierlm <mark.beierl@canonical.com>

As PhantomJS is no longer maintained and there are packaging problems,
let's switch to using Firefox in a headless configuration which is a
scenario supported by Selenium.
Change-Id: Ic98c5b71202f033b9013c126f6bacdb49980acfa

Fixed issue where tests/framework.py was ignoring DISTRO env
variable.
Added SNAP_FILE env variable, which allows tests to be run on an
arbitrary .snap file. For example, one fetched with `snap download`.
Change-Id: Ie6cce841e00d6d56d0525d0a81c4faad3c54e8e8

(Not complete strict confinement, but these don't break anything
devmode related, and get us closer to having strict confinement
working.)
Added more needed interfaces to snapcraft.yaml.
Created a wrapper around dnsmasq so that we can run as the snap_daemon
user. Added snap_daemon user to snapcraft.yaml.
Added a utility script for connecting interfaces that don't auto
connect (tools/connect.sh). Not useful for production, but saves a lot
of time when testing.
libvirt no longer uses unix sock group "sudo" (can't run setgid in
strict confinement).
Got rid of "find_missing_plugins" in init script. By the time we
release strict confinement to production, all those plugins will auto
connect.
Change-Id: I8324ac7bd0332c41cac17703eb15d7301e7babf3

pyScss, which is a build dependency for horizon, currently relies on
the deprecated Feature class of setuptools. The latest update to
setuptools removed the class entirely, breaking pyScss.
For now, we point to a fork of pyScss 1.3.4, which removes the
reference to the Feature class. In the near future, the upstream
OpenStack project will probably release a better fix; this gets us
unblocked for now.
We point to our custom pyScss by downloading and patching the stein
upper-constraints in our patch app. This is nicer than keeping a local
version of the file in our repo, as we'll automatically get updates,
and our patch will become a no-op when it is no longer needed.
Change-Id: I664ce6402f69d24fa9730c99315cbf65859b0aa3
Closes-bug: 1867360

neutron has been added to the upper constraints file, which means we
can't install it from a tarball (pip gets upset when you try to
install from source while also attempting to specify a version in your
constraints). This commit replaces the reference to the tarball in the
openstack-projects part w/ a reference to neutron from pip.
We still install other OpenStack packages in the part from tarballs,
as the versions of those packages are not locked down in the
upper-constraints.
Change-Id: Id73fbc927c0b56ae6242f2abcaed7b6208f69a9e

Make MicroStack strictly confined, albeit in devmode for now.
Addresses unpredictable breakages with apt package upgrades in eoan
and focal, and sets the stage for a better isolated, less fragile snap
going forward.
We now use layouts to handle libvirt and qemu setting paths at compile
time. This is cleaner than the organize hack.
Moved away from calls to systemctl in init, as a strictly confined
snap cannot call systemctl on a non snappy system.
Disabled call to sysctl to set ipv4_forwarding, as we don't have access
to sysctl in a strictly confined snap. This may break some users, and
we need to figure out a way to address the breakage.
Got rid of questions.shell.shell routine, moving rabbitmq setup into a
bash script instead (it's just cleaner).
Moved keypair creation into launch script, as it's difficult to do
sensible things with keypair creation in the init script, which is
running using sudo, and therefore doesn't have access to
/home/<someuser>/snap
Added (but commented out) code that will check to verify that plugs
are connected before running microstack.init or ovs-vsctl. This code
may go away entirely, as we plan on auto connecting all of our
interfaces, and don't technically need to guard against not having
them connected.
Added temporary local upper-constraints file, to fix an issue where
upstream upper-constraints was breaking pip install by setting a
neutron version. This needs a better long term fix, but works for now.
Closes-bug: 1860660
Change-Id: Iaf1f1482609f05285ed9061317b32e90bffd2da0

This reverts commit ce5e82e3191acb40b1ab801cde25333037d89bcb.
MicroStack cannot currently install due to a missing ovs-related
library. This is possibly due to recent changes in snapcraft, or
possibly due to the workarounds for those changes. Regardless, it
appears that backing out the DPDK changes gets us back to a state
where we can install.
Partial-Bug: 1862911
Change-Id: I060c1a0095470639f9158cb9e9ebe8281a65a678

- Snapped binary packages of Filebeat, NRPE and Telegraf (disabled by default)
- Added W/A of Telegraf segfault after ELF patching by snapcraft
- Implemented IPMI input tuning for Telegraf
- Allowed to run NRPE as root:root (from custom PPA)
- Implemented Filebeat, NRPE and Telegraf control scripts and config on top of snap-overlay
- Added support for checking Microstack systemd services by NRPE
- Added few generic and Microstack-specific NRPE checks
- Added possibility to override default config paths for the daemons
- Added support for in-band IPMI input to Telegraf
- Stick LMA wrappers and services naming to Microstack conventions
- Increase build timeout in .zuul conf by 30min
Change-Id: I68dbdb11248cf0c1e22e9333af3cf0f88954f557

We are now building with a version of snapcraft and snapd that doesn't
need the passthrough property for "after" commands in a daemon. We can
get rid of the properties, which will allow us to upload to the snap
store automatically, as a bonus.
Change-Id: I6defdac64f7b61a2894f3d6417597f7d03bc61d4

Added build-environment to qemu (works around issue where patchelf was
not finding libs).
Added hack to force wrapping of all non bash apps, to work around
snapd issue with multiple instances of PATH in the snap environment.
Also snuck in fix for horizon build. Horizon is specified in upstream
constraints now, which means that our build fails if we try to build
it from source in the same part that looks at the constraints file.
Misc fixes to make the tests nicer.
Change-Id: I50c88878c4f9dbb07006cab899a717e334be07d0

Running microstack.remove will remove the br-ex virtual bridge device,
then uninstall MicroStack.
We do this because we can't use ovs-ctl to remove the bridge as part
of a remove hook, as the Open vSwitch daemons are not running at that
point. The microstack.remove command gives operators a way to cleanly
uninstall the snap, without needing to reboot to get rid of br-ex.
Added test exercising the code to test_basic.py.
Rearranged entry points a bit (moved some things into main.py) to make
code sharing easier, and to prevent a proliferation of entry point
scripts in our root dir.
Change-Id: I9ff25864cd96ada3a9b3da8992c2b33955eff0b4
Closes-Bug: #1852147

Fixed backticks so that they actually wrap the whole command.
Added code to gamely make a guess about the username of the launched
instance and the location of the ssh key. Falls back on placeholders
if it can't.
Closes-bug: 1850586
Change-Id: I980ee8617dfc4bf7c60846052d66ff18cf8aa8e9

Added a script to tools that makes it a bit easier to spin up a
checkout of the MicroStack source in a vm, in preparation for making a
change and testing a build.
Change-Id: I6b88c99f4c3bfa22e82bc740193c1993776eb757

Addresses requests to make it easier to avoid conflicts between the
Horizon dashboard and http services that might already be running on
the machine.
Configurable via snap config. Exposing via arguments to .init and
testing post init configuration is left for a separate PR.
Eventually, these may move to non standard ports by default. This PR
sets the stage for that, but further discussion is needed before we
decide whether to implement.
(This commit also contains a sneaky fix for the username display at the
end of the launch script.)
Closes-Bug: 1814829
Change-Id: If728d6ec8024bca4d3e809637fbdcc03ed4e6934

This change prevents builds in the gate from timing out while pulling
the iptables part, which was happening with increasing frequency.
The part was originally added in an attempt to isolate ourselves
better from the host system, despite being classically confined. This
approach was unreliable -- it doesn't work particularly well for
commands requiring sudo. We can back off this change (especially since
we've removed the special pathing that pointed us at the snapcraft
built iptables anyway -- I think that the part is superfluous).
In addition to the automated tests, I have verified that the following
work:
1. xenial and eoan installs
2. clustering
3. refresh from beta and edge
Change-Id: I7d314eccc0433e54a800ed47add684c2e0fa6565
Closes-bug: 1854081

Now happens in a template, just like all the other values, which fixes
an issue where it doesn't get overridden during an upgrade.
Change-Id: Ied84ddc0282c77de6797f90efc8923ae66a9d59e

Broke default config settings into a separate script, which the
install hook always called, and post-refresh calls if it can't find
the new config hierarchy.
This fixes issues w/ upgrading from beta to edge.
Change-Id: I6b11109c2a2f6aca142a18c9fa274b332891d5c8

When refreshing a snap, set-br-ex could fail because the iptables
rules that it sets were already setup. We now exit zero if this is
true, which prevents us from breaking on upgrades.
Change-Id: Ibfee98cabfa3e35bf53dbd191de2cf46f3709a51

Refactored test framework so that we have more flexibility in terms of
installing various versions of microstack before and after running
some tests. Moved in class "globals" into per instance variables,
to avoid broken cases with incomplete cleanup.
Added test_refresh.py, plus matching env in tox.
Refresh tests will fail currently, because we have some pending issues
that break refreshes. Fixing those is a subject for a different
commit.
Refactored cluster_test.py and control_test.py to use new framework.
Should (and do) pass.
Framework now cleans up multipass hosts regardless of whether or not
the tests passed. Leaning on the .tar.gz for local troubleshooting
helps us make it better for in gate troubleshooting.
Change-Id: I6a45b39132f5959c2944fe1ebbe10f71408ee777

Now reflects current build process, and has correct url to source code.
Also changed references to "microstack" and "Microstack" to
"MicroStack".
Change-Id: I60f6a28c3e47ed785692e59c0de79e298e437900
Closes-Bug: 1846979

Previously, the snap set up a bridge using the default 10.20.20.0/24
network upon install. If there was a good reason not to use this
network (e.g., it already exists and is being used for another
purpose), MicroStack, and the host machine, could wind up in a broken
state.
This PR delays setting up the bridge until after we have given an
operator a chance to override the default settings.
This has been manually tested. To test, do the following:
1) Checkout the code, and run tox -e build
2) Run tools/make-a-microstack.sh
3) snapctl set config.network.ext-cidr and config.network.ext-gateway
4) Run microstack_init
5) Exit the snap shell and run microstack.launch
Change-Id: I9e268495f313b29d9781d80a2468fc0a1a450aa0
Closes-Bug: https://bugs.launchpad.net/microstack/+bug/1851521

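The check that the delayed bridge setup makes possible, as an added example that is not MicroStack's own code: before br-ex is created, the operator-supplied ext-cidr and ext-gateway are validated against the networks the host already uses, so a CIDR that collides with an existing one is refused instead of leaving the host in a broken state. The default values are the ones named in the commit message; `existing_cidrs` is a list the caller is assumed to collect from the host (constructed in the usage below), and the function name is an assumption.

```python
# Added example (not MicroStack's own code): validate external network
# settings before touching the host's networking.
import ipaddress
from typing import List, Sequence

DEFAULT_EXT_CIDR = "10.20.20.0/24"
DEFAULT_EXT_GATEWAY = "10.20.20.1"


def validate_ext_network(ext_cidr: str, ext_gateway: str,
                         existing_cidrs: Sequence[str]) -> List[str]:
    """Return a list of problems; an empty list means the settings are safe to apply.

    ext_cidr is parsed strictly: host bits set in a network setting
    (e.g. 10.20.20.1/24) almost always mean the operator pasted an address
    instead of a network, so that is reported rather than silently masked.
    """
    problems: List[str] = []
    try:
        ext = ipaddress.ip_network(ext_cidr, strict=True)
    except ValueError as exc:
        return ["ext-cidr %r is not a valid network: %s" % (ext_cidr, exc)]

    try:
        gw = ipaddress.ip_address(ext_gateway)
    except ValueError as exc:
        problems.append("ext-gateway %r is not a valid address: %s" % (ext_gateway, exc))
    else:
        if gw.version != ext.version or gw not in ext:
            problems.append("ext-gateway %s is not inside ext-cidr %s" % (gw, ext))
        elif gw in (ext.network_address, ext.broadcast_address):
            problems.append("ext-gateway %s is the network or broadcast address of %s"
                            % (gw, ext))

    for cidr in existing_cidrs:
        try:
            other = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            problems.append("cannot parse existing network %r" % (cidr,))
            continue
        # overlaps() is only meaningful within one address family.
        if other.version == ext.version and other.overlaps(ext):
            problems.append("ext-cidr %s overlaps existing network %s" % (ext, other))
    return problems


if __name__ == "__main__":
    # Constructed list of networks the host is assumed to use already.
    host_networks = ["192.168.1.0/24", "10.20.20.0/22", "fd00::/64"]
    for problem in validate_ext_network(DEFAULT_EXT_CIDR, DEFAULT_EXT_GATEWAY, host_networks):
        print("refusing to create br-ex:", problem)
```

Returning every problem at once rather than stopping at the first lets the operator fix ext-cidr and ext-gateway together before re-running init.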
Remove some of the redundancy in tox.ini.
Fixed some lint issues that weren't caught before due to gaps in the
linting coverage.
I think that there's more work to be done here, but this does make
things better than they were before.
Change-Id: I82487dbb9366f3de16b25615bd081b6315671655

Added a question which allows off host access to horizon
dashboard. Activated it by default, as that's probably what people are
going to actually want.
Change-Id: I0d5bccb3b2eb2b409072d8ae5f8b923942386119

Moved to pure Python where clib conflicts arose in using command line
tools.
Fixed erroneous assumptions about the presence and reliability of a
$HOME variable while running init.
Added tests specific to eoan, disco and xenial. They are not yet part
of the gate.
Change-Id: I2fc74fcc2ae9876442bb87a3446aef48d0428f2f