I noticed that nova, neutron and cinder's rootwrap exec_dirs include
/usr/local/{sbin,bin} which is a standardised location for admins to
install non-distro executables, and these executables are no less
"trustworthy" than /usr/bin and friends. See neutron and cinder's
rootwrap.conf (and probably others), and typical distro default values
for sudoers/secure_path for extremely similar precedents that all include
/usr/local/*bin.
See the same patch of nova for more information:
https://review.openstack.org/#/c/280052/1
And see I710cf142b834381c00e651cfc062299ae755c33f for brief discussion
of doing this via devstack before.
Change-Id: I1be8ff63d06424e84ea2b39bc0d285fe95beebb2
This beefs up the functional test suite to do some tests on a
tenant router. The test can now create one-off tenants to be used
in the tests. The new tests act entirely on behalf of the test
router and attempt to only use admin-level things when required.
Partially-Implements: blueprint ci-updates-mitaka
Change-Id: I26fa70f877522f09075dc87583f2359cc0dcaf41
This drops tracking of the generated sample from git, since the output
of generation is non-deterministic, we end up with big changes to this
file anytime someone proposes a change that requires a new sample.
Instead, let's track orchestrator.ini and update it at milestone/release
times.
Also, have the devstack plugin generate and use a sample, that way we
get some gate testing on proposed config changes.
Change-Id: Iaf5127733765e973dbf0e812f267a3304c575fd4
Closes-bug: #1535889
This switches keystone to use oslo-config-generator, where the contents
of our sample configuration file are configured using a configuration
file in etc/oslo-config-generator.
Also fix some config problems.
blueprint autogen-astara-conf-file
Change-Id: I394805b18eecc4fbc583f9d64d34b8e95b55a845
This allows users to configure a specific API listening address
for the astara administrative API. This also updates devstack
plugin to publish this into the keystone catalog, for easier
lookup by astara-horizon.
Partially-implements: blueprint astara-horizon-mitaka
Partial-bug: #1516787
Change-Id: I2b96137c05b832a68ad01a11ec0cfb2371111c3c
For now, the enabled driver contains 'router' and 'loadbalancer',
without loadbalancer example parameters, perhaps some users have
no idea how to write the used flavor/image in configuration.
Closes-Bug:1530030
Change-Id: Ie62cdd5927612223a829abc8a0d91549d52ebf4d
Signed-off-by: Yang Li <yang.li@easystack.cn>
This deprecates usage of the old amqp_url in favor of using backend-specific
oslo.messaging configuration. Removes the old, pre-Liberty options and silences
a bunch of deprecation warnings to boot.
Change-Id: Ib666901c28f66a7616aa445ecc7120fe9d1e1364
Closes-bug: #1524595
In this step all of the imports and usage of akanda.rug is updated to
use astara. Additionally rename all internal references from Akanda to
Astara.
Change-Id: I0cb8596066d949bceaadc4718b210fc373b5f296
Depends-On: I87106ae63747291bb6424839b5155f53136c54f9
Implements: blueprint convert-to-astara
This converts from using our own auth config to relying on keystoneclient
and keystone authtoken middleware instead. We construct a keystone session
instead and pass that into clients.
Switching to session-backed novaclient exposes a race in our novaclient
usage where we attempt to access attributes on a server object before
its data is completely lazily loaded. This adds a small spin before
we attempt to access its server status.
This also cleans up the default config a bit as well as silences some
noisy debug logging from iso8601 and cliff.
Change-Id: Ic41dc48e44f692d768ab0eafc0a65d98255ae260
This adds support for running multiple RUG processes to scale out
and distribute appliance load across them. It uses a hash ring implementation
lifted from Ironic (with modification). The gist is:
* Workers now maintain a copy of the hash ring, which is hashed using the
  list of members in the cluster.
* A new subprocess connects to an external coordination service via tooz, i.e.
  memcache or zookeeper. This service's only purpose is to track cluster
  membership and report changes to this subprocess. On membership changes,
  the coordination subprocess creates a REBALANCE event and puts it on the
  internal notification queue. There is no leadership election required.
* When a worker gets a REBALANCE event, it rebalances the hash ring based
  on the new membership list.
* Prior to processing any events bound for a specified router, the worker
  first checks the hash manager to find if the resource is assigned to it.
  If not, it ignores it. If it is, it processes the event. This also applies
  to incoming command events.
Partially implements: blueprint rug-scaling
Change-Id: I8d04100ffc0e2f2223ebf4b079551dac99224344
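The ownership check and REBALANCE handling described in the commit message above, as an added sketch. It is not the project's code or the Ironic hash ring; the class names, the replica count, the event dictionaries and the sample host and router names are assumptions made for illustration.

```python
import bisect
import hashlib

REPLICAS = 64  # assumed number of ring points per member (not from the commit)


def _hash(key):
    return int(hashlib.sha256(key.encode()).hexdigest(), 16)


class HashRing:
    def __init__(self, members):
        self.rebalance(members)

    def rebalance(self, members):
        # Built only from the membership list: workers holding the same list
        # compute the same owners, so no leader election is needed.
        points = sorted((_hash(f"{m}-{i}"), m)
                        for m in set(members) for i in range(REPLICAS))
        self._keys = [k for k, _ in points]
        self._owners = [m for _, m in points]

    def owner(self, resource_id):
        # First ring point clockwise from the resource's hash, wrapping around.
        idx = bisect.bisect(self._keys, _hash(resource_id)) % len(self._keys)
        return self._owners[idx]


class Worker:
    def __init__(self, host, members):
        self.host, self.ring = host, HashRing(members)

    def handle(self, event):
        """Return True only if this worker processed a router event."""
        if event["type"] == "REBALANCE":
            self.ring.rebalance(event["members"])
            return False
        return self.ring.owner(event["router_id"]) == self.host


def dispatch(workers, router_ids):
    """Offer every event to every worker; map router -> hosts that took it."""
    return {r: [w.host for w in workers
                if w.handle({"type": "UPDATE", "router_id": r})]
            for r in router_ids}


# Constructed sample data: three RUG hosts and 200 router ids.
MEMBERS = ["rug-a", "rug-b", "rug-c"]
ROUTERS = [f"router-{n}" for n in range(200)]
```

In this model, a router whose new owner has not yet processed the REBALANCE event is handled by no worker until that worker catches up, while routers owned by surviving members never change hands.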
For tenant networks port_security makes sense, but for the VRRP router
case it can get in the way. This change disables it for Akanda managed
ports for now.
Change-Id: I0fb9fd5253ad0538a35b25d8806323f83cfc48e4
Closes-bug: #1482389
This removes the hard-coded password from the appliance VM's user-data
and replaces it with an SSH public key, which is read from a file whose
path is configured in rug.ini.
It also disables password logins for the user. Another patch to
akanda-appliance-builder will allow developers to include a specified
debug user to allow debugging in dev environments.
Change-Id: I7db92bc7fd3743d89d73ab2a0b8da14685c30c69