When using the NVMeoF feature with the nova-compute apparmor profile in enforce
mode, nova-compute is denied from running /usr/sbin/nvme and
/usr/sbin/blkid, and from reading /etc/nvme/hostnqn.
Change-Id: Ia23fbf341d5b7ad469337d8a0c65c18ec519a891
Closes-Bug: #2039161
Nova-compute uses ssh and scp commands extensively and this
patch allows the process to read the configuration too in
/etc/ssh/ssh_config.d/ directory.
Closes-Bug: #2044983
Change-Id: I336ce64d493c549096d0b8706996e0f17a2728fb
The template previously could use v2.0 depending on the value of
api_version. This was causing issues in newer releases of OpenStack
where the value of api_version was reporting as something other than
"3", and the generated Ironic config tried to use the v2.0 Keystone API.
This patch removes the optional logic in the template for v2.0 and relies
on the global default, just like templates/parts/section-placement does.
Closes-Bug: #1995778
Change-Id: I8e0270b933f9c8fb5d6a65f9ebb930a0b21fead8
After evacuations and revert resizes when using rbd storage backend,
the instance folder is usually left behind and causes issues when
migrating the instance back to the host.
With the config option set, the nova-compute service will cleanup
those folders as part of the periodic checks that run for instances
that have been evacuated/migrated.
Closes-bug: #2019141
Change-Id: I846ccb0a95d04139b41fdad6cbf465d303d6cc09
This patch configures Nova to send a service token along with the
received user token on requests to other services. This can allow those
other services to accept the request even if the user token has been
invalidated since received by Nova. Also with this patch Nova will
accept requests from other services with invalid user tokens but valid
service tokens. Service tokens exist since OpenStack Queens.
Closes-Bug: #1992840
Change-Id: I78b43ef77dc1d7b5976ec81ecddf63c9e6c8b6c1
This is needed as all mkfs.* variants end up calling mke2fs.
Closes-bug: #2008391
Related-Bug: #1960231
Change-Id: I940bf0ca9cd330ae0b45b53d0d19844806a4bbbb
vnc_enabled, novnc_enabled are deprecated but should
be in DEFAULT section. Commit [1] moved the deprecated
options under vnc group so they don't have any effect.
This leads to vnc being True, which is the default option
in nova.
Change the template to use the enabled option instead of the
deprecated ones.
[1] 73edc4f817
Closes-Bug: #1998300
Change-Id: I4193c042f6b3a55dfb1dc57f0f4d3bc71e19006f
The default_ephemeral_format line in nova.conf was not in the [DEFAULT]
section in the templates and has therefore been ignored by nova-compute.
This change moves it to the correct section for all releases.
Closes-Bug: #1992386
Change-Id: Idc0602f95e5378be1243926aa88dc7b5282ee844
On s390x environments there is no usb controller, hence the default
pointer model (usbtablet) produces failures when launching new instances
with the following error:
unsupported configuration: USB is disabled for this domain,
but USB devices are present in the domain XML
Change-Id: I58f7f1148096d703384e089292959718fd413157
Closes-Bug: #1962381
This merge request focuses on fixing the VNC config for OpenStack Yoga
on the Focal and Jammy series. Originally, the Yoga version of this
charm was using a template nova.conf file from Train which did not use
the new [vnc] section required for Yoga. Train had the VNC config in the
[DEFAULT] section, which is deprecated in Yoga.
Itemized changes to charm below:
* Create templates/yoga
* Move VNC config to [vnc] section in nova.conf
* Rename VNC config keys to follow the Yoga specification.
Closes-Bug: #1974082
Closes-Bug: #1734683
Change-Id: Ic100528f9f38bbc0c83e4f563166113024e3db59
In iSCSI usecases including cinder-lvm, os-brick requires lock files
such as:
- /run/lock/nova/os-brick-connect_volume
- /run/lock/nova/os-brick-connect_to_iscsi_portal-192.168.0.1
and lsscsi requires the following access to compose a rescan command such as
"/sys/bus/scsi/drivers/sd/2:0:0:0/rescan":
- /dev/
- /sys/bus/scsi/devices/
Closes-Bug: #1979812
Related-Bug: #1939390
Change-Id: Id2db3a70b8d1287bda006f1bbc5442038f7070f1
Commit abe5a289 fixed the rendering of the ironic driver in the
nova-compute.conf file for OpenStack versions >= Wallaby. However, it
always renders the nova-compute.conf file for train and above, which is
hard-coded to the Ironic libvirt driver.
This adds additional templating logic to the nova-compute.conf driver in
order to render the correct driver to use.
Related-Bug: #1968547
Change-Id: I12cd4bf5953170d227d52793764c49f3871e25f9
The apparmor profile is missing some updates for versions on Jammy/Yoga.
Add read access to /proc/*/limits and some updates for sudo access.
Additionally, the /var/lib/contrail access rule needed to be moved to keep
the rules alphabetically sorted.
Change-Id: I9b7175470f84515fb15715324bf1d8887dd5791f
Enable vTPM support in nova-compute charm. This adds new packages to be
installed swtpm and swtpm-tools as well as updates the nova-compute.conf
file and the qemu.conf file to set appropriate user/groups for swtpm.
func-test-pr: https://github.com/openstack-charmers/zaza-openstack-tests/pull/696
Change-Id: Idf0d19d75b9231f029fa6a7dc557d2a9ee04915b
Nova uses python libraries which use libuuid in order to generate
UUIDs. The apparmor profile does not allow for the nova-compute service
to access the /run/uuidd/request socket in order to generate a secure
UUID. Update the apparmor profile to allow nova to use the uuid service.
Closes-Bug: #1958689
Change-Id: I2ec6e7aba5c84c697733227ce36f762e4787cce1
Update the apparmor profile for nova-compute to allow it to read the
firmware configuration information for qemu. This is necessary in order
to launch instances using UEFI when apparmor enforcement is enabled.
Closes-Bug: #1958686
Change-Id: I7d9152dcc684923600c40ff0227c3c3eaafa7574
This update will clear the issue where access and writing to the
port directories are denied.
Journal logs show 2 entries for the same port:
AVC apparmor="ALLOWED" operation="mknod" profile="/usr/bin/nova-compute" name="/var/lib/contrail/ports/bc2f6fb2-5dee-48da-b17d-10fdaeda761a" comm="python" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
AVC apparmor="ALLOWED" operation="open" profile="/usr/bin/nova-compute" name="/var/lib/contrail/ports/bc2f6fb2-5dee-48da-b17d-10fdaeda761a" comm="python" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
Signed-off-by: Arif Ali <arif.ali@canonical.com>
Change-Id: I92dbd1fa8cfacfcdc66c3ca562ac9e1c9849f9c5
In the audit log we get uptime being called, and it is being
denied read access to /proc/sys/kernel/osrelease. The first part
should fix this.
Journal logs show:
AVC apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/proc/sys/kernel/osrelease" pid=2846362 comm="uptime" requested_mask="r" denied_mask="r" fsuid=64060 ouid=0
As part of allowing iscsi devices there are various files and names
in /sys/devices/virtual/block/, such that you could have dm-7/dm/name
so this should help to get this resolved.
Journal log shows:
AVC apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/sys/devices/virtual/block/dm-8/dm/name" pid=802673 comm="nova-compute" requested_mask="r" denied_mask="r" fsuid=64060 ouid=0
Signed-off-by: Arif Ali <arif.ali@canonical.com>
Change-Id: I40589702ac697d9e2969bcf75815ffb724a5a3ab
Without this, creating an instance using a vGPU will fail with
File "/usr/lib/python3/dist-packages/nova/virt/libvirt/driver.py", line 7393, in _allocate_mdevs
chosen_mdev = self._create_new_mediated_device(parent_device)
File "/usr/lib/python3/dist-packages/nova/virt/libvirt/driver.py", line 7309, in _create_new_mediated_device
chosen_mdev = nova.privsep.libvirt.create_mdev(
File "/usr/lib/python3/dist-packages/oslo_privsep/priv_context.py", line 247, in _wrap
return self.channel.remote_call(name, args, kwargs)
File "/usr/lib/python3/dist-packages/oslo_privsep/daemon.py", line 204, in remote_call
raise exc_type(*result[2])
PermissionError: [Errno 13] Permission denied
dmesg then shows:
[151718.966526] audit: type=1400 audit(1646304589.915:193): apparmor="DENIED" operation="mknod" profile="/usr/bin/nova-compute" name="/sys/devices/pci0000:c0/0000:c0:03.1/0000:c1:00.0/mdev_supported_types/nvidia-108/create" pid=1649515 comm="privsep-helper" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Change-Id: I27588e1d56076b3c0c891444cb9b2a58bf56c4cf
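The three messages above each paste AppArmor audit events (journal `AVC` lines and a dmesg `audit:` line) and then add the missing rule to the profile. The following is an added example, not code from the charm, that parses such lines into fields, keeps only the events that indicate a missing rule, and prints the file rule an operator would add. Note that `apparmor="ALLOWED"` with a non-empty `denied_mask` (the contrail port entries) is a complain-mode event that would become a denial in enforce mode, so it is treated the same way. The sample log is constructed from the lines quoted in the messages; the mapping of the audit mask `c` (create) to the profile permission `w` follows AppArmor's file-rule semantics, and the other mask characters are passed through unchanged.

```python
import re

# Constructed sample: the AVC/audit lines quoted in the commit messages above.
SAMPLE_LOG = """\
AVC apparmor="ALLOWED" operation="mknod" profile="/usr/bin/nova-compute" name="/var/lib/contrail/ports/bc2f6fb2-5dee-48da-b17d-10fdaeda761a" comm="python" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
AVC apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/proc/sys/kernel/osrelease" pid=2846362 comm="uptime" requested_mask="r" denied_mask="r" fsuid=64060 ouid=0
AVC apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/sys/devices/virtual/block/dm-8/dm/name" pid=802673 comm="nova-compute" requested_mask="r" denied_mask="r" fsuid=64060 ouid=0
[151718.966526] audit: type=1400 audit(1646304589.915:193): apparmor="DENIED" operation="mknod" profile="/usr/bin/nova-compute" name="/sys/devices/pci0000:c0/0000:c0:03.1/0000:c1:00.0/mdev_supported_types/nvidia-108/create" pid=1649515 comm="privsep-helper" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
"""

# key="quoted value" or key=bareword; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Audit mask letter -> permission letter used in a profile file rule.
# "c" (create) is granted by "w" in AppArmor file rules.
MASK_TO_PERM = {"r": "r", "w": "w", "c": "w", "a": "a", "k": "k", "l": "l", "m": "m"}


def parse_avc(line):
    """Return the key/value fields of an AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def needs_rule(fields):
    """True when the profile does not (or, in complain mode, would not) allow the access."""
    return fields.get("apparmor") in ("DENIED", "ALLOWED") and bool(fields.get("denied_mask"))


def suggest_rule(fields):
    """Profile file rule covering the denied mask, e.g. '/proc/sys/kernel/osrelease r,'."""
    perms = "".join(sorted({MASK_TO_PERM.get(ch, ch) for ch in fields["denied_mask"]}))
    return f'{fields["name"]} {perms},'


def summarize(log_text):
    """One row per event that needs a profile change, in log order."""
    rows = []
    for line in log_text.splitlines():
        fields = parse_avc(line)
        if fields and needs_rule(fields):
            rows.append({
                "profile": fields["profile"],
                "comm": fields.get("comm"),
                "operation": fields["operation"],
                "path": fields["name"],
                "rule": suggest_rule(fields),
            })
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(f'{row["comm"]:>15} {row["operation"]:>6}  {row["rule"]}')
```

Run against `journalctl -k` output on a compute host; the rows are grouped by the command that triggered the access, which matters here because several of the events come from helpers (`uptime`, `privsep-helper`, `python`) rather than the nova-compute binary itself.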
By default resizing an instance to the same host as the source is
not enabled. This change adds new charm config option that maps
directly to the nova.conf setting which effectively gives a user
possibility to enable/disable this functionality.
Closes-Bug: #1946620
Depends-On: I13d0c332cd0b110344b7a1645e3e4fd250fce33a
Change-Id: I2f2e9e44f6bba48e15621a216539089c7e3abc1d
The upstream has 3 min as the timeout (60 retries at 3-seconds
interval). It should work if an image is in a raw format to leverage
Ceph's copy-on-write or an image is small enough to be copied quickly.
However, there are some cases exceeding the 3 min deadline, such as a big
enough image with Qcow2 or other formats like Windows images, or a storage
backend that doesn't have copy-on-write from Glance.
Let's bump the deadline to 15 min (300 retries at 3-seconds interval) to
cover most of the cases out of the box, and let operators tune it
further by exposing those options.
Co-authored-by: Mark Maglana <mark.maglana@canonical.com>
Closes-Bug: 1758607
Change-Id: I6f6da8e90c6bbcd031ee183ae86d88eccd392230
Live migration post-copy was not working because to be effective,
'live_migration_timeout_action' must be set to 'force_complete'.
Closes-bug: #1950894
Change-Id: I66984a12b89cb0ac2aeebeb393a6f6c026d865da
The config is necessary to calculate available disk space for VMs with
disk-allocation-ratio which is already exposed as a charm option.
Closes-Bug: #1952184
Change-Id: I0ef55987517bded50f855e0dbc5e420cfbff4c1b
Especially with arm64/aarch64, the default value usually limits the number of
volume attachments to two. And when more than two volumes are to
be attached, it will fail with "No more available PCI slots". There is
no one-size-fits-all value here so let operators override the default
value.
Closes-Bug: #1944214
Change-Id: I9b9565873cbaeb575704b94a25d0a8556ab96292
If an ephemeral-device storage configuration has been provided,
ensure that the nova-compute service will not start until the
mountpoint (currently /var/lib/nova/instances) has actually
been mounted. If this does not happen the nova-compute service
will fail to start in a failsafe condition.
Change-Id: Ic16691e119e430faec9994f6e207596629e47bb6
Closes-Bug: 1863358
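The failsafe described above hinges on one check: is the ephemeral mountpoint actually mounted before nova-compute starts? The following is an added example, not the charm's own implementation (the mechanism the charm uses is not shown in the message), of that check done by parsing `/proc/mounts`. It handles the edge case that `/proc/mounts` octal-escapes spaces in paths (`\040`), so a sibling mountpoint such as `/var/lib/nova/instances old` is not mistaken for the real one. The mount tables are constructed samples; `MOUNTPOINT` and the `ephemeral_device` parameter are assumed names standing in for the charm's configuration.

```python
import re

# Assumed to match the mountpoint named in the message above.
MOUNTPOINT = "/var/lib/nova/instances"

# Constructed /proc/mounts contents: one where the ephemeral device is mounted
# where nova-compute expects it, and one where only an unrelated path is mounted.
SAMPLE_MOUNTS_OK = """\
/dev/vda1 / ext4 rw,relatime 0 0
/dev/vdb /var/lib/nova/instances ext4 rw,relatime 0 0
"""
SAMPLE_MOUNTS_MISSING = """\
/dev/vda1 / ext4 rw,relatime 0 0
/dev/vdb /var/lib/nova/instances\\040old ext4 rw,relatime 0 0
"""


def _unescape(field):
    """/proc/mounts encodes space, tab, newline and backslash as \\ooo octal."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def mounted_paths(mounts_text):
    """Set of mountpoints (second column) listed in a /proc/mounts-style table."""
    paths = set()
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            paths.add(_unescape(parts[1]))
    return paths


def is_mounted(mountpoint, mounts_text):
    return mountpoint in mounted_paths(mounts_text)


def nova_compute_may_start(ephemeral_device, mounts_text, mountpoint=MOUNTPOINT):
    """Failsafe: with an ephemeral device configured, refuse to start until it is mounted."""
    if not ephemeral_device:
        return True  # no ephemeral storage configured; nothing to wait for
    return is_mounted(mountpoint, mounts_text)


def read_proc_mounts(path="/proc/mounts"):
    with open(path) as fh:
        return fh.read()


if __name__ == "__main__":
    for label, table in (("ok", SAMPLE_MOUNTS_OK), ("missing", SAMPLE_MOUNTS_MISSING)):
        print(label, nova_compute_may_start("/dev/vdb", table))
```

On a real host call `nova_compute_may_start(device, read_proc_mounts())`; a start-up script would loop on that until it returns True rather than letting the service come up with instance data landing on the root filesystem.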
templates/train/nova.conf is also used for subsequent versions and the
'train' at the top of the file is very confusing for operators who are
running, e.g. Ussuri.
Change-Id: Ia7c97d66d5d03887d5ec076222d0e572b6d5869d
Allow access to main multipath configuration file from the
nova-compute daemon.
Change-Id: Ibaa5f45b7fd72fcc936986286939e1285bcdb945
Closes-Bug: 1906727
Nova supports setting allocation ratios at the nova-compute level from
Liberty onwards. Prior to this allocation ratios were set at the
nova-scheduler level.
Newton introduced the Placement API, and Ocata introduced the ability to
have compute resources (Core/RAM/Disk) precomputed before passing
candidates to the FilterScheduler [0]. Pike removed CoreFilter,
RAMFilter and DiskFilter scheduler filters.
From Pike onwards valid methods for setting these allocation ratios are via:
- A call to the Placement API [1].
- Config values supplied to nova-compute (xxx_allocation_ratio).
Stein introduced initial_xxx_allocation_ratio in response to the runtime
behaviour of the ResourceTracker [2].
Currently, the precedence of resource ratio values is:
xxx_allocation_ratio > Placement API call > initial_xxx_allocation_ratio
That is, a (compute) resource provider's allocation ratios will default
to initial_xxx_allocation_ratio which may be overridden at run time by a
call to the Placement API. If xxx_allocation_ratio is set it will
override all configurations for that provider.
When not otherwise configured, we set initial_xxx_allocation_ratio to
the values provided by ncc to maintain backwards compatibility. Where
initial_xxx_allocation_ratio is not available we set
xxx_allocation_ratio.
[0] https://specs.openstack.org/openstack/nova-specs/specs/ocata/implemented/resource-providers-scheduler-db-filters.html
[1] https://docs.openstack.org/api-ref/placement/#update-resource-provider-inventories
[2] https://specs.openstack.org/openstack/nova-specs/specs/stein/implemented/initial-allocation-ratios.html
Change-Id: Ifa314e9e23e0ae5d16113cd91a7507e61f9de704
Closes-Bug: #1677223
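The message above gives both a precedence order (`xxx_allocation_ratio` > Placement API > `initial_xxx_allocation_ratio`) and a rendering rule for the charm (emit `initial_*` where the release supports it, plain `xxx_allocation_ratio` otherwise). The following is an added example, not the charm's code, that models both so the interaction can be checked: the release list, the `ncc_ratios` dictionary shape and the `operator_ratios` override (the "not otherwise configured" case) are assumptions for illustration.

```python
# Assumed release ordering; Stein is the first release with
# initial_xxx_allocation_ratio, per the message above.
RELEASES = ["pike", "queens", "rocky", "stein", "train", "ussuri", "victoria"]


def supports_initial_ratio(release):
    return RELEASES.index(release) >= RELEASES.index("stein")


def render_ratio_options(release, ncc_ratios, operator_ratios=None):
    """nova.conf options the charm should write for this compute node.

    ncc_ratios: ratios received from nova-cloud-controller, e.g.
                {"cpu": 16.0, "ram": 1.5, "disk": 1.0} (constructed shape).
    operator_ratios: explicit xxx_allocation_ratio values; when present they
                     win over everything, so they are always emitted as-is.
    """
    operator_ratios = operator_ratios or {}
    options = {}
    for resource, value in ncc_ratios.items():
        if resource in operator_ratios:
            options[f"{resource}_allocation_ratio"] = operator_ratios[resource]
        elif supports_initial_ratio(release):
            # Stein+: seed the provider's ratio but leave it adjustable via Placement.
            options[f"initial_{resource}_allocation_ratio"] = value
        else:
            # Pre-Stein: the only knob is the hard override.
            options[f"{resource}_allocation_ratio"] = value
    return options


def effective_ratio(resource, options, placement_ratio=None):
    """Resolve the ratio the provider ends up with, following
    xxx_allocation_ratio > Placement API value > initial_xxx_allocation_ratio."""
    explicit = options.get(f"{resource}_allocation_ratio")
    if explicit is not None:
        return explicit
    if placement_ratio is not None:
        return placement_ratio
    return options.get(f"initial_{resource}_allocation_ratio")


if __name__ == "__main__":
    for release in ("queens", "train"):
        opts = render_ratio_options(release, {"cpu": 16.0, "ram": 1.5})
        print(release, opts, "-> cpu after a Placement update to 8.0:",
              effective_ratio("cpu", opts, placement_ratio=8.0))
```

The run shows the behavioural difference the message is about: on a pre-Stein release the ncc value becomes a hard override that a Placement API update cannot change, while on Stein and later it is only the initial value and Placement wins.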
The cross_az_attach property needs to be configured on the compute
nodes. The policy is set on the ncc service and is propagated to the
compute nodes on the cloud-compute relation. Update the relevant cinder
config setting based on the value provided.
Note, the default value for cross_az_attach is aligned with the nova
default of True.
Closes-Bug: #1899084
Change-Id: I7d00b50acbfe05dfd943a3511126b507fc570aeb
The nova-compute daemon requires access to a couple of additional
paths to support querying the underlying hardware in hardware
offload enabled scenarios.
Update apparmor profile to reflect these additional requirements.
Change-Id: I4283f12e4346b64f89dbc13bb64e5fb7edca2f62
Closes-Bug: 1895530
Prior to this commit the SPICE agent was hard set to True regardless of
the nova-cloud-controller spice-agent-enabled value, preventing the use
of hw_pointer_model=usbtablet for Windows guests.
Change-Id: I6553623414acfadeb415342e8601a00ba5d80660
This config option is to enable admin password injection at instance boot time.
* Added unit test to verify the config is correctly set and nova.config is updated.
* Updated all of the templates that have inject-password set.
* Moved inject_* options out of the {if libvirt_images_type and rbd_pool} block as they are irrelevant.
Closes-Bug: #1755696
Change-Id: Ie766a14bfa6b16337aa957bf7adf2d869462f9d7