From 901c816b23ed232a1dfce7129f9d84166320e650 Mon Sep 17 00:00:00 2001 From: Julia Kreger Date: Wed, 18 Nov 2020 16:04:18 -0800 Subject: [PATCH] Add upgrade check, and json2yaml policy handling Adds the ironic-inspector-status command as well with the requried upgrade check. Mostly based upon https://review.opendev.org/#/c/763262/ which is based upon https://review.opendev.org/#/c/748059/ Note: Also had to update the version of eventlet because existing minimum requirement was seemingly incompatible with prior versions and would prevent lower constraints testing to proceed due to issues with ``os`` being patched by eventlet. Change-Id: I1f479f834f1d79e9eeb591c58a52b6ab80c24534 --- devstack/plugin.sh | 3 +- doc/source/cli/index.rst | 9 ++ doc/source/cli/ironic-inspector-status.rst | 83 +++++++++++++++++++ doc/source/configuration/policy.rst | 10 +++ doc/source/index.rst | 1 + ironic_inspector/cmd/status.py | 58 +++++++++++++ ironic_inspector/policy.py | 18 +++- ironic_inspector/test/unit/policy_fixture.py | 6 +- ...t-policy-file-change-a1d0a4aa19dcb37d.yaml | 20 +++++ requirements.txt | 9 +- setup.cfg | 1 + 11 files changed, 206 insertions(+), 12 deletions(-) create mode 100644 doc/source/cli/index.rst create mode 100644 doc/source/cli/ironic-inspector-status.rst create mode 100644 ironic_inspector/cmd/status.py create mode 100644 releasenotes/notes/default-policy-file-change-a1d0a4aa19dcb37d.yaml diff --git a/devstack/plugin.sh b/devstack/plugin.sh index e61b7449e..70a3ec7f1 100644 --- a/devstack/plugin.sh +++ b/devstack/plugin.sh @@ -126,7 +126,8 @@ function inspector_iniset { function install_inspector { setup_develop $IRONIC_INSPECTOR_DIR - + # Check if things look okay + ironic-inspector-status upgrade check if [[ "$IRONIC_INSPECTOR_STANDALONE" == "False" ]]; then install_apache_wsgi # NOTE(rpittau) since devstack doesn't install test-requirements diff --git a/doc/source/cli/index.rst b/doc/source/cli/index.rst new file mode 100644 index 000000000..96a660050 
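Review bot: The new `ironic-inspector-status upgrade check` call in `install_inspector` runs directly after `setup_develop`, and nothing visible in this hunk has written the inspector configuration by that point. The documentation added in this same commit says the command "expects to have complete configuration and access to databases and services", so at this stage the check can only look at defaults and a pass carries little meaning. The same documentation defines return code 1 as a warning, so if the plugin runs under errexit (not visible here) a mere warning would abort the install. Consider moving the call to after the configuration step and handling the exit status explicitly, and extend the comment to say so, e.g. `# Run after configuration is written; exit code 1 is a warning, 2 a failure`. The body of `install_inspector` continues outside the hunk.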
--- /dev/null +++ b/doc/source/cli/index.rst @@ -0,0 +1,9 @@ +Command References +================== + +Here are references for commands not elsewhere documented. + +.. toctree:: + :maxdepth: 1 + + ironic-inspector-status diff --git a/doc/source/cli/ironic-inspector-status.rst b/doc/source/cli/ironic-inspector-status.rst new file mode 100644 index 000000000..e4c07cd80 --- /dev/null +++ b/doc/source/cli/ironic-inspector-status.rst 
@@ -0,0 +1,83 @@ +======================= +ironic-inspector-status +======================= + +Synopsis +======== + +:: + + ironic-inspector-status [] + +Description +=========== + +:program:`ironic-inspector-status` is a tool that provides routines for +checking the status of the ironic-inspector deployment. + +Options +======= + +The standard pattern for executing a :program:`ironic-inspector-status` +command is:: + + ironic-inspector-status [] + +Run without arguments to see a list of available command categories:: + + ironic-inspector-status + +Categories are: + +* ``upgrade`` + +Detailed descriptions are below. + +You can also run with a category argument such as ``upgrade`` to see a list of +all commands in that category:: + + ironic-inspector-status upgrade + +These sections describe the available categories and arguments for +:program:`ironic-inspector-status`. + +Upgrade +~~~~~~~ + +.. _ironic-inspector-status-checks: + +``ironic-status upgrade check`` + Performs a release-specific readiness check before restarting services with + new code. This command expects to have complete configuration and access + to databases and services. + + **Return Codes** + + .. list-table:: + :widths: 20 80 + :header-rows: 1 + + * - Return code + - Description + * - 0 + - All upgrade readiness checks passed successfully and there is nothing + to do. + * - 1 + - At least one check encountered an issue and requires further + investigation. This is considered a warning but the upgrade may be OK. + * - 2 + - There was an upgrade status check failure that needs to be + investigated. This should be considered something that stops an + upgrade. + * - 255 + - An unexpected error occurred. + + **History of Checks** + + **Wallaby** + + * Adds initial status check command as it was not previously needed + as the database structure and use of ironic-inspector's of + ironic-inspector did not require the command previously. 
+ * Adds a check to validate the configured policy file is not JSON + based as JSON based policies have been deprecated. diff --git a/doc/source/configuration/policy.rst b/doc/source/configuration/policy.rst index fbd3a810e..d10dde324 100644 --- a/doc/source/configuration/policy.rst +++ b/doc/source/configuration/policy.rst @@ -2,6 +2,16 @@ Policies ======== +.. warning:: + JSON formatted policy files were deprecated in the Wallaby development + cycle due to the Victoria deprecation by the ``olso.policy`` library. + Use the `oslopolicy-convert-json-to-yaml`__ tool + to convert the existing JSON to YAML formatted policy file in backward + compatible way. + +.. __: https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html + + The following is an overview of all available policies in **ironic inspector**. For a sample configuration file, refer to :doc:`sample-policy`. diff --git a/doc/source/index.rst b/doc/source/index.rst index 3925aebb3..c160bc841 100644 --- a/doc/source/index.rst +++ b/doc/source/index.rst @@ -7,6 +7,7 @@ Using Ironic Inspector :maxdepth: 2 install/index + cli/index configuration/index user/index admin/index diff --git a/ironic_inspector/cmd/status.py b/ironic_inspector/cmd/status.py new file mode 100644 index 000000000..e3b99e41a --- /dev/null +++ b/ironic_inspector/cmd/status.py 
@@ -0,0 +1,58 @@ +# Copyright (c) 2018 NEC, Corp. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import sys + +from oslo_config import cfg +from oslo_upgradecheck import common_checks +from oslo_upgradecheck import upgradecheck + +from ironic_inspector.common.i18n import _ +import ironic_inspector.conf as conf +from ironic_inspector import policy # noqa Import for configuratiog loading. + +CONF = conf.CONF + + +class Checks(upgradecheck.UpgradeCommands): + + """Upgrade checks for the ironic-status upgrade check command + + Upgrade checks should be added as separate methods in this class + and added to _upgrade_checks tuple. + """ + + # A tuple of check tuples of (, ). + # The name of the check will be used in the output of this command. + # The check function takes no arguments and returns an + # oslo_upgradecheck.upgradecheck.Result object with the appropriate + # oslo_upgradecheck.upgradecheck.Code and details set. If the + # check function hits warnings or failures then those should be stored + # in the returned Result's "details" attribute. The + # summary will be rolled up at the end of the check() method. + _upgrade_checks = ( + # Added in Wallaby to raise visibility of the Victoria deprecation + # of oslo.policy's json policy support. 
+ (_('Policy File JSON to YAML Migration'), + (common_checks.check_policy_json, {'conf': CONF})), + ) + + +def main(): + return upgradecheck.main( + cfg.CONF, project='ironic', upgrade_command=Checks()) + + +if __name__ == '__main__': + sys.exit(main()) diff --git a/ironic_inspector/policy.py b/ironic_inspector/policy.py index 82723348d..938f8b9a3 100644 --- a/ironic_inspector/policy.py +++ b/ironic_inspector/policy.py @@ -16,12 +16,21 @@ import sys from oslo_concurrency import lockutils from oslo_config import cfg +from oslo_policy import opts from oslo_policy import policy CONF = cfg.CONF _ENFORCER = None + +# TODO(gmann): Remove setting the default value of config policy_file +# once oslo_policy change the default value to 'policy.yaml'. +# https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49 +DEFAULT_POLICY_FILE = 'policy.yaml' +opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE) + + default_policies = [ policy.RuleDefault( 'is_admin', @@ -154,10 +163,11 @@ def init_enforcer(policy_file=None, rules=None, if _ENFORCER: return - _ENFORCER = policy.Enforcer(CONF, policy_file=policy_file, - rules=rules, - default_rule=default_rule, - use_conf=use_conf) + _ENFORCER = policy.Enforcer( + CONF, policy_file=policy_file, + rules=rules, + default_rule=default_rule, + use_conf=use_conf) _ENFORCER.register_defaults(list_policies()) diff --git a/ironic_inspector/test/unit/policy_fixture.py b/ironic_inspector/test/unit/policy_fixture.py index e3e0feeea..376e59471 100644 --- a/ironic_inspector/test/unit/policy_fixture.py +++ b/ironic_inspector/test/unit/policy_fixture.py @@ -21,8 +21,8 @@ from ironic_inspector import policy as inspector_policy CONF = cfg.CONF -policy_data = """{ -} +policy_data = """ +--- """ 
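Review bot: `main()` passes `project='ironic'` to `upgradecheck.main`, which looks copied from ironic and presumably makes oslo.config search ironic's default configuration locations rather than ironic-inspector's. If so, the policy check either inspects another service's `[oslo_policy] policy_file` or finds no configuration, and then reports success without ever looking at the inspector's policy file; that is a false pass on an access-control setting. Assuming the service itself parses its configuration under the name `ironic-inspector` (not visible here), the call should read `cfg.CONF, project='ironic-inspector', upgrade_command=Checks())`. The class docstring has the same leftover and should name the real command: `"""Upgrade checks for the ironic-inspector-status upgrade check command`. The `# noqa` import comment also has a typo ("configuratiog").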
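Review bot: `opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE)` changes the effective policy file as a side effect of importing `ironic_inspector.policy`, and the only hint of this is the `# noqa` import in `cmd/status.py`. The existing TODO covers when to remove the override but not that other modules depend on the import. A short comment at the call would make the dependency visible, e.g. `# NOTE: import-time side effect; cmd/status.py imports this module solely so the upgrade check sees the policy.yaml default.` Because this default decides which access-control rules are loaded, the comment should also state what happens for a deployment that only has a customized `policy.json` and no explicit `policy_file` setting; that resolution is left to oslo.policy and cannot be confirmed from this hunk. As a minor style point, the module already defines `CONF = cfg.CONF` two lines above, so `opts.set_defaults(CONF, DEFAULT_POLICY_FILE)` would be consistent with the rest of the file.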
@@ -31,7 +31,7 @@ class PolicyFixture(fixtures.Fixture): super(PolicyFixture, self).setUp() self.policy_dir = self.useFixture(fixtures.TempDir()) self.policy_file_name = os.path.join(self.policy_dir.path, - 'policy.json') + 'policy.yaml') with open(self.policy_file_name, 'w') as policy_file: policy_file.write(policy_data) policy_opts.set_defaults(CONF) diff --git a/releasenotes/notes/default-policy-file-change-a1d0a4aa19dcb37d.yaml b/releasenotes/notes/default-policy-file-change-a1d0a4aa19dcb37d.yaml new file mode 100644 index 000000000..d0208d1fb --- /dev/null +++ b/releasenotes/notes/default-policy-file-change-a1d0a4aa19dcb37d.yaml @@ -0,0 +1,20 @@ +--- +upgrade: + - | + The default value of ``[oslo_policy] policy_file`` config option has been + changed from ``policy.json`` to ``policy.yaml``. + Operators who are utilizing customized policy files or previously generated + static policy files (which are not needed by default), should generate + new policy files and modify them to meet their needs in the event of + any new policies or rules have been added. + Please consult the `oslopolicy-convert-json-to-yaml `_ + tool to convert a JSON to YAML formatted policy file in + backward compatible way. +deprecations: + - | + Use of legacy policy files was deprecated by the ``oslo.policy`` library + during the Victoria development cycle. As a result, this deprecation is + being noted in the Wallaby with an anticipated future removal of support + by ``oslo.policy``. As such operators will need to convert to YAML policy + files. Please see the upgrade notes for details on migration of any + custom policy files. diff --git a/requirements.txt b/requirements.txt index bbf3a806f..47989fde6 100644 --- a/requirements.txt +++ b/requirements.txt @@ -4,7 +4,7 @@ automaton>=1.9.0 # Apache-2.0 alembic>=1.4.2 # MIT construct>=2.9.39 # MIT -eventlet!=0.18.3,!=0.20.1,>=0.18.2 # MIT +eventlet>=0.26.0 # MIT Flask>=1.1.0 # BSD futurist>=1.2.0 # Apache-2.0 ironic-lib>=4.3.0 # Apache-2.0 
@@ -18,18 +18,19 @@ pytz>=2013.6 # MIT PyYAML>=5.3.1 openstacksdk>=0.40.0 # Apache-2.0 oslo.concurrency>=3.26.0 # Apache-2.0 -oslo.config>=5.2.0 # Apache-2.0 +oslo.config>=6.8.0 # Apache-2.0 oslo.context>=2.19.2 # Apache-2.0 oslo.db>=6.0.0 # Apache-2.0 oslo.i18n>=3.15.3 # Apache-2.0 oslo.log>=3.36.0 # Apache-2.0 oslo.messaging>=5.32.0 # Apache-2.0 oslo.middleware>=3.31.0 # Apache-2.0 -oslo.policy>=1.30.0 # Apache-2.0 +oslo.policy>=3.6.0 # Apache-2.0 oslo.rootwrap>=5.8.0 # Apache-2.0 oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0 oslo.service!=1.28.1,>=1.24.0 # Apache-2.0 -oslo.utils>=3.33.0 # Apache-2.0 +oslo.upgradecheck>=1.2.0 # Apache-2.0 +oslo.utils>=4.5.0 # Apache-2.0 tenacity>=6.2.0 # Apache-2.0 stevedore>=1.20.0 # Apache-2.0 SQLAlchemy>=1.2.19 # MIT diff --git a/setup.cfg b/setup.cfg index 18399455c..cf3adac53 100644 --- a/setup.cfg +++ b/setup.cfg @@ -33,6 +33,7 @@ console_scripts = ironic-inspector-conductor = ironic_inspector.cmd.conductor:main ironic-inspector-rootwrap = oslo_rootwrap.cmd:main ironic-inspector-migrate-data = ironic_inspector.cmd.migration:main + ironic-inspector-status = ironic_inspector.cmd.status:main wsgi_scripts = ironic-inspector-api-wsgi = ironic_inspector.cmd.wsgi:initialize_wsgi_app ironic_inspector.hooks.processing =
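Review bot: The new `oslo.upgradecheck>=1.2.0` floor should be checked against the first release that actually provides `common_checks.check_policy_json`, since `ironic_inspector/cmd/status.py` imports it at module load. If the helper arrived in a later release, an environment installed at the minimum would fail on import of the status command rather than run the policy check. I cannot confirm the introducing release from this page, so please verify it and raise the floor if needed. The diffstat also shows no lower-constraints file being updated for this new dependency or for the raised `eventlet`, `oslo.config`, `oslo.policy` and `oslo.utils` minimums, even though the commit message says lower-constraints testing motivated the eventlet change. If the repository carries such a file, it should be updated in the same commit.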