Commit Graph

82 Commits

Author SHA1 Message Date
Myles Penner e25b5d38fb Add keystone audit middleware API logging
This commit adds Keystone audit middleware API logging to the Cinder
charm in versions Yoga and newer to allow users to configure their
environment for CADF compliance. This feature can be enabled/disabled
and is set to 'disabled' by default to avoid bloat in log files.
The logging output is configured to /var/log/apache2/cinder_error.log.
This commit builds on previous discussions:
https://github.com/juju/charm-helpers/pull/808.

Related-Pr: https://github.com/juju/charm-helpers/pull/893
func-test-pr: https://github.com/openstack-charmers/zaza-openstack-tests/pull/1200
Closes-Bug: 1856555
Change-Id: Ia7dbd6af2305e92eaa9a65890644c4a324ab2c65
2024-04-23 08:28:11 -07:00
Erlon R. Cruz ff442694d2 Use ids for cinder internal tenant and user
admin_tenant_id and admin_user_id are more explicit than
admin_tenant_name and admin_user as names could duplicate
and cause issues.

Includes sync from Charm-helpers PR #874 below

Charm-helpers-pr: https://github.com/juju/charm-helpers/pull/874

Closes-Bug: #2030755
Change-Id: Idbc2f3d12dcf325b4a53a3dda1ecfa75a199295a
2024-01-11 10:32:03 -03:00
Corey Bryant ebbedcbf58 Render [service_user] only for identity-service relation
The service token section [service_user] is not required when
cinder-volume is deployed as a separate service. In other words
it is not required for the identity-credentials relation.

The [service_user] section is nearly the same as the
[keystone_authtoken] section, and the keystone_authtoken data
is only produced for the IdentityServiceContext, therefore this
change will not render [service_user] for the
IdentityCredentialsContext.

Closes-Bug: #2024676
Change-Id: Iaecae3c22db1f4f2309f73f8c6836e6c072b848b
2023-06-26 17:50:18 -04:00
Jorge Merlino 81c330b5d8 Add support for using service tokens
This patch configures Cinder to send a service token along with the
received user token on requests to other services. This can allow those
other services to accept the request even if the user token has been
invalidated since received by Cinder. Also with this patch Cinder will
accept requests from other services with invalid user tokens but valid
service tokens. Service tokens have existed since OpenStack Queens.

Closes-Bug: #1992840
Change-Id: I6cb9b1cb257db0b57bd7984c795b8caa1e3b74d9
2023-05-18 12:25:19 -03:00
Gabriel Cocenza 51e32a4f7e Add support for HAProxy L7 checks
This change adds several configuration options to enable HTTP checks
to the HAProxy configuration, instead of the default TCP connection
checks (which continue to be the default). It also enables /healthcheck
endpoint for cinder-api on openstack releases >= ocata.

Closes-Bug: #1880610
Change-Id: I9d118f70fc1390be7b800ad20ae20e77818adac7
2023-03-29 09:48:30 -03:00
Tiago Pasqualini e737668e2f Add nova section for Ussuri
Commit 024de37 added the nova section on cinder.conf, but placed it
on the Victoria folder. This issue is also observed on Ussuri, so
this patch moves this from Victoria to Ussuri.

Closes-Bug: #1939389
Change-Id: Ia39177d6f47ddda0b1acb27cde02ae5e74a01032
2023-01-30 14:54:18 +00:00
Gabriel Adrian Samfira 024de3783f Add nova section
Cinder sometimes needs to communicate with nova,
for example to notify VMs when live-resizing a disk.
Under certain circumstances,
the autodetected authentication details don't work,
so we must add a dedicated section in the config
for the nova client with proper credentials.

This issue has been observed on victoria and newer,
hence the addition of cinder.conf for victoria.

func-test-pr: https://github.com/openstack-charmers/zaza-openstack-tests/pull/776

Closes-Bug: #1939389

Co-authored-by: Samuel Walladge <samuel.walladge@canonical.com>

Change-Id: I6d44223b7c2863c6d9c62b46a41275fd360f92d1
2022-06-27 13:30:18 +09:30
Samuel Walladge 7f97a6d30e Add support to configure scheduler_default_filters
Add new config option: `scheduler-default-filters`.
This is unset by default, so cinder retains the default value for
scheduler_default_filters.

Closes-Bug: #1956727
Change-Id: I9777bf8fe5ddbb69689db60c2790e8a4be57e1ab
2022-01-25 11:04:40 +10:30
eric-chen dd5137c2e7 Add support for configuring image volume cache
Support new configuration to turn on image volume cache in Cinder
service. User can control the maximum size and count from
configuration too.

Closes-Bug: #1869903
Change-Id: If96dbb9c0974bfa1f6d67405bb430a7cd251f821
2021-09-16 15:25:13 +08:00
Nobuto Murata 12193d2bc2 Allow specifying default_volume_type
It's useful when multiple storage backends are to be connected to Cinder.
The corresponding volume type must be created after a deployment via API
to take effect, e.g., `openstack volume type create VOLUME_TYPE
--property volume_backend_name=BACKEND_NAME`

Please note that there is a regression in upstream as LP: #1879578, so
it doesn't work for Train or later releases until the issue gets fixed.

The other way to have a similar effect is to edit the definition of
__DEFAULT__ volume type via API (available for Train or later releases).
However, it's not as flexible as the option in cinder.conf since it
doesn't allow any modification unless all of the volumes with the
__DEFAULT__ type get deleted.

Change-Id: I031a6bf2a066bb9d3157e545bb9df782a76551f3
Closes-Bug: #1884548
2020-08-19 17:51:35 +00:00
tpsilva 962225ecca Disable Apache port 80
Currently, Apache ports.conf file is not being configured by this
charm. This patch changes the ports.conf default file with another one
that does not open port 80 on SSL environments.

Change-Id: Iaa80573dc2661089093c4c87ab100bf941f8b3b8
Closes-bug: #1845665
2020-01-27 17:33:51 +00:00
Tiago Pasqualini da Silva ebcbb5bc90 Revert "Disable Apache default ports"
This reverts commit 2b251b093f.

Change-Id: I28a3634eb1d980c16aea804e11eb1bbc0c88beec
2019-12-20 02:05:28 +00:00
tpsilva 2b251b093f Disable Apache default ports
Openstack services don't use the default ports (80 and 443), so
change Apache to not open them.

Change-Id: I896334b232589baacb48da2285829f9e9f0963f9
Closes-bug: #1845665
2019-11-27 12:51:48 +00:00
Corey Bryant b5d20a0718 Sync charm-helpers and use "rabbit_use_ssl" for ocata
Ensure "rabbit_use_ssl" is specified in the [oslo_messaging_rabbit]
config section instead of "ssl" for Ocata, since "ssl" was not yet
introduced.

Change-Id: I070b8bbebed4e53fa524047599c71f73dc1c79fc
Closes-Bug: #1838696
2019-08-01 23:00:16 -04:00
Corey Bryant efb1a1e2d9 Update rabbit driver config options
The stein version of python-oslo.messaging (9.0.0+) has removed
the following config options from the [oslo_messaging_rabbit]
section:

rabbit_host, rabbit_port, rabbit_hosts, rabbit_userid,
rabbit_password, rabbit_virtual_host, rabbit_max_retries, and
rabbit_durable_queues.

The above change requires a sync from charm-helpers.

Additionally the transport_url directive has been moved to the
[DEFAULT] section.

These have been deprecated since Ocata, therefore this change
will be provided to pre-Stein templates in order to drop
deprecation warnings.

See release notes at:
https://docs.openstack.org/releasenotes/oslo.messaging/index.html

test_300_cinder_config is also removed in this change as amulet
tests no longer need to confirm config file settings.

Change-Id: Ia93be49430e8d95c38ed521d08bbb62f47e13e59
Closes-Bug: #1817672
2019-03-05 15:26:24 -05:00
Chris MacNaughton 26c0dec5f3 Add policy to allow owner to force delete volumes
The default in cinder is to only allow the admin to
force delete a volume; this change allows the
admin_or_owner to force delete a volume.

This was previously authored by Chris MacNaughton in change
I703a21b68186059a63f0d06d88cd2528e821f3d3
And then reverted in change
I77f9351da8516e5af40fea57400101e6dd16b528

This change includes gating on the OpenStack version.

Change-Id: I35599bae8a94724869a36c555ebfc6bf94384bd4
Co-Authored-By: Chris MacNaughton <chris.macnaughton@canonical.com>
Closes-Bug: #1782008
2019-02-08 07:32:20 -08:00
Alex Kavanagh 834cde35ec Migrate to python3 only charm
Change-Id: Ia4bcf570d40083625358fdd4fea14202ff3d89af
2019-01-30 12:36:21 +00:00
Chris MacNaughton (icey) 79f9ff5c70 Revert "Add policy.json to allow owner to force delete volumes"
This reverts commit 4ddea990d0.

Change-Id: I77f9351da8516e5af40fea57400101e6dd16b528
2018-07-30 15:19:47 +00:00
Chris MacNaughton 4ddea990d0 Add policy.json to allow owner to force delete volumes
The default in cinder is to only allow the admin to
force delete a volume; this change allows the
admin_or_owner to force delete a volume.

Change-Id: I703a21b68186059a63f0d06d88cd2528e821f3d3
Closes-Bug: #1782008
2018-07-27 13:18:35 +02:00
Nobuto Murata da7104c472 Use charmhelpers template instead of hardcoding per charm
Now that charmhelpers have the template with the same content, we can
switch to it for future maintainability.

Change-Id: Icfc7834de8215836b035bed98cdd64f479c5b2c9
Related-Bug: #1758675
2018-06-28 12:18:41 +09:00
James Page 3451c1c498 Tidy ceph backend configuration
Drop generation of upstart override file and /etc/environment and
scrub any existing charm configuration in these locations from
an existing install.

These were required way back in the dawn of time when ceph support
was alpha/beta in cinder.

Provide backend specific configuration file path, allowing multiple
ceph clusters to be used with a single cinder application.

Change-Id: I7adba0d35fb7406afa40f047b79a9ab51a6a333d
Closes-Bug: 1769196
2018-05-10 11:51:04 +01:00
James Page 50651ca6c0 Enable proxy header parsing
Ensure that oslo.middleware parses any proxy information
forwarded from haproxy/apache with regards to protocol;
this ensures that https connections are correctly detected.

Change-Id: I64e8c14123e5d12850902ce99490697ca4bb853d
Closes-Bug: 1758675
2018-04-09 11:29:51 +01:00
James Page 4ea9d6a427 Remove deploy from source support
Drop support for deployment from Git repositories, as deprecated
in the 17.02 charm release.  This feature is unmaintained and has
no known users.

Change-Id: Icd464e950c6f53470311e3c110b530a69bff6e2f
2018-01-12 13:59:33 +00:00
Seyeong Kim 24588869f2 Copied mitaka's api-paste.ini to /templates/mitaka/
to support http_proxy_to_wsgi

Change-Id: Icdfcd3963848dccc9e42f72ed899dddc96ca1ebf
Related-Bug: #1558683
2017-11-20 12:32:26 +09:00
Jenkins 5b23ec1de6 Merge "Modify the spelling mistakes" 2017-08-18 12:37:38 +00:00
zhangbailin 41c16f321d Modify the spelling mistakes
While I was reading the code, I found some spelling mistakes
in the comments and corrected them here.

Change-Id: Ib847f484a883523cd330a517bdb719ec7ea7b32b
Closes-Bug:#1709830
2017-08-17 22:51:58 -07:00
James Page a14eaa5eeb Update notification config >= mitaka
Use oslo_messaging_notifications for mitaka or later releases
including setting the transport_url to the value provided by
the AMQP context.

This removes use of deprecated configuration options for
ceilometer notifications.

Change-Id: Ic363af31b5e74ae0830e4d3213ce21231a332773
2017-08-02 15:25:50 +01:00
Liam Young 8641e81498 Move backends into their own sections
Using DEFAULT section to configure drivers is not supported since
Ocata. This change lists backends in enabled_backends.

Note: Using sectional config causes the os-vol-host-attr:host
volume attribute to change which invalidates existing volumes.
A subsequent change is needed to add an action for renaming
the host attribute of existing volumes *1

*1 https://docs.openstack.org/admin-guide/blockstorage-multi-backend.html#enable-multiple-storage-back-ends

Partial-Bug: #1665272
Change-Id: I22c3e74b0874c051bee89e4609088facf95b4664
2017-02-20 15:32:00 +00:00
Corey Bryant a74562f113 Add new api-paste.ini template for Ocata
Change-Id: I326bde6c8a6501f86b65730d41fd4fed6d00cf4d
2017-02-13 19:57:01 +00:00
Jorge Niedbalski 07ae3acbb4 Adds volume-usage-audit-period config directive >= kilo.
This change adds the config directive called
volume-usage-audit-period for versions >= kilo.

Also, according to the doc change I90dff1b5c2a7dd2943cfa7ff25bb63c08eb7986d,
messagingv2 should be the default for anything > Icehouse.

So, this change also sets the following configuration section for
versions >= mitaka.

[oslo_messaging_notifications]
driver = messagingv2

This change adds a specific configuration context that installs
a crontab entry for running the cinder-volume-usage-audit recurrently.

Change-Id: I0056edaac55210a1a1f509ec908ae61c0ea887df
Closes-Bug: #1623144
Signed-off-by: Jorge Niedbalski <jorge.niedbalski@canonical.com>
2016-09-14 14:18:50 -03:00
Corey Bryant 9803fbc934 Add systemd init support for deploy from source
systemd is used instead of upstart by default since Ubuntu 15.10
(Wily).  This adds systemd init file support for cinder services
that are deployed from source.

Change-Id: I476074659c03d44a78dd607e7a91c87de0734562
2016-05-24 12:45:32 -04:00
Liam Young e2d8622b41 Update keystone_auth section for Mitaka
The keystone_auth section has changed for Mitaka. The Liberty format,
which is currently being used, is incompatible with keystone v3 on
Mitaka as it assumes the id of the default domain is default, whereas
in Mitaka it is a uuid.

The install documentation for Mitaka dictates that domain name should
be used rather than id when setting project_domain and user_domain

Change-Id: Ic8621020db16eaa4ac398e48406d8a858f974ae4
Partial-Bug: 1571347
2016-04-18 05:28:41 +00:00
Edward Hope-Morley 0c2f80976e Support using internal network for clients
Openstack mostly defaults to using public endpoints for
internal communication between services. This patch adds
a new option use-internal-endpoints which, if set to True,
will configure services to use internal endpoints where
possible.

Closes-Bug: 1456876
Change-Id: Iadd1e4e8833f637d75d3b5080e49ddabb0f78427
2016-04-01 12:10:59 +01:00
Liam Young 9969922c88 Charmhelper Sync & corresponding amulet fix
sync charmhelper to pick up new keystone auth template section file and
update amulet to account for the changes

Change-Id: Id1c58d7a2081eb59ff620e53adbd9515013b8085
2016-03-29 11:25:48 +00:00
James Page a9a5e16600 Rollup templates to drop unsupported releases
Folsom, grizzly and havana have not been supported for some time;
rollup any templates as required and drop unsupported series.

Change-Id: I6d50531792a821101c3d808b0d2a2ba41faa2474
2016-03-03 14:47:06 +00:00
billy.olsen@canonical.com 441ebdc635 [billy-olsen,r=] Specify os_region_name based on the region.
This ensures that the region is configured within the cinder.conf file.

Partially-Closes-Bug: LP#1468306
2016-02-16 11:46:22 -07:00
James Page fb1c5d2df2 Add keymgr encryption_auth_url as a workaround for bug 1516085 2015-12-15 10:20:01 +00:00
Edward Hope-Morley ed1b4950f6 fixup jinja indentation 2015-10-01 09:45:55 +01:00
Corey Bryant d33070988d Move deploy from source template files to templates/git 2015-04-13 13:49:53 +00:00
Corey Bryant 994e29fd27 Deploy from source 2015-04-02 12:13:45 +00:00
James Page 39b6767922 Switch to using charm-helper templates for keystone authtoken 2015-03-25 09:25:34 +00:00
James Page d04d133bf9 Switch to using charm-helper templates for rabbitmq 2015-03-25 09:22:19 +00:00
James Page 0d584e63d4 Add newline 2015-03-24 10:27:30 +00:00
James Page df08606108 Tidy whitespace 2015-03-24 10:26:09 +00:00
James Page b3433ee221 Set auth_uri as well 2015-03-24 10:23:22 +00:00
James Page 320d19522f Move to section config for cinder kilo 2015-03-24 10:02:14 +00:00
Corey Bryant 6a427372de Overall refresh to current install from source approach 2015-03-21 02:18:45 +00:00
Corey Bryant 6d779cb9d1 Merge next branch 2015-03-21 01:39:33 +00:00
Corey Bryant d0becc8e4a Initial support for deploying from git 2015-03-07 21:27:57 -05:00
Edward Hope-Morley bae1dc0f45 [hopem,r=]
Adds pki token support.

Closes-Bug: 1309667
2015-02-19 19:37:26 +00:00