Commit Graph

332 Commits

Author SHA1 Message Date
Zuul ab35c61165 Merge "AppArmor policy update for NVMeoF" 2024-02-14 16:29:54 +00:00
Felipe Reyes 0f9c730817 AppArmor policy update for NVMeoF
When using NVMeoF feature with nova-compute apparmor in enforce
mode, nova-compute is denied from running /usr/sbin/nvme and
/usr/sbin/blkid, and reading /etc/nvme/hostnqn.

Change-Id: Ia23fbf341d5b7ad469337d8a0c65c18ec519a891
Closes-Bug: #2039161
2024-01-05 02:23:31 +00:00
Olivier Dufour-Cuvillier 4d6f4c07c9 Update apparmor profile for nova-compute
Nova-compute uses ssh and scp commands extensively and this
patch allows the process to read the configuration too in
/etc/ssh/ssh_config.d/ directory.

Closes-Bug: #2044983
Change-Id: I336ce64d493c549096d0b8706996e0f17a2728fb
2023-11-28 17:06:07 +09:00
Zuul cc7ffa9884 Merge "Drop the path from the auth_url." 2023-08-01 14:49:19 +00:00
Jadon Naas 8d560b3ff5 Drop the path from the auth_url.
The template previously could use v2.0 depending on the value of
api_version. This was causing issues in newer releases of OpenStack
where the value of api_version was reporting as something other than
"3", and the generated Ironic config tried to use the v2.0 Keystone API.

This patch removes the optional logic in the template for v2.0 and relies
on the global default just like templates/parts/section-placement does.

Closes-Bug: #1995778
Change-Id: I8e0270b933f9c8fb5d6a65f9ebb930a0b21fead8
2023-07-27 16:43:06 -04:00
Rodrigo Barbieri e61d89aa47 Set nova config for rbd instance folder cleanup after evacuations
After evacuations and revert resizes when using rbd storage backend,
the instance folder is usually left behind and causes issues when
migrating the instance back to the host.
With the config option set, the nova-compute service will cleanup
those folders as part of the periodic checks that run for instances
that have been evacuated/migrated.

Closes-bug: #2019141
Change-Id: I846ccb0a95d04139b41fdad6cbf465d303d6cc09
2023-06-06 10:15:41 -03:00
Jorge Merlino 3c53110282 Add support for using service tokens
This patch configures Nova to send a service token along with the
received user token on requests to other services. This can allow those
other services to accept the request even if the user token has been
invalidated since received by Nova. Also with this patch Nova will
accept requests from other services with invalid user tokens but valid
service tokens. Service tokens exist since OpenStack Queens.

Closes-Bug: #1992840
Change-Id: I78b43ef77dc1d7b5976ec81ecddf63c9e6c8b6c1
2023-05-03 12:32:06 +00:00
Jorge Merlino 7e3ead3389 Adding mke2fs to apparmor
This is needed as all mkfs.* variants end up calling mke2fs.
Closes-bug: #2008391
Related-Bug: #1960231

Change-Id: I940bf0ca9cd330ae0b45b53d0d19844806a4bbbb
2023-02-23 16:48:18 -03:00
Edward Hope-Morley 98191ea5bf Make virt_mkfs configurable with ext4 default
Closes-Bug: #1960231
Change-Id: Ia2ac7318f1164a9015bdf9e7ce7d20a129e22af4
2023-01-18 15:51:16 +00:00
Hemanth Nakkina 83497e833d Use enabled option for vnc
vnc_enabled, novnc_enabled are deprecated but should
be in DEFAULT section. Commit [1] moved the deprecated
options under vnc group so they don't have any effect.
This leads to vnc as True which is default option
in nova.

Change the template to use enabled option instead of
deprecated ones

[1] 73edc4f817

Closes-Bug: #1998300
Change-Id: I4193c042f6b3a55dfb1dc57f0f4d3bc71e19006f
2023-01-05 06:17:55 +00:00
Marcus Boden a3da54fb41 Move default_ephemeral_format to [DEFAULT] section
The default_ephemeral_format line in nova.conf was not in the [DEFAULT]
section in the templates and has therefore been ignored by nova-compute.
This change moves it to the correct section for all releases.

Closes-Bug: #1992386
Change-Id: Idc0602f95e5378be1243926aa88dc7b5282ee844
2022-11-17 12:51:20 +01:00
Felipe Reyes 6a710c86a3 [s390x] Set pointer_model to ps2mouse
On s390x environments there is no usb controller, hence the default
pointer model (usbtablet) produces failures when launching new instances
with the following error:

    unsupported configuration: USB is disabled for this domain,
    but USB devices are present in the domain XML

Change-Id: I58f7f1148096d703384e089292959718fd413157
Closes-Bug: #1962381
2022-10-24 18:38:59 -03:00
NucciTheBoss 73edc4f817 Update nova.conf for OpenStack Yoga
This merge request focuses on fixing the VNC config for OpenStack Yoga
on the Focal and Jammy series. Originally, the Yoga version of this
charm was using a template nova.conf file from Train which did not use
the new [vnc] required for Yoga. Train had the VNC config in the
[DEFAULT] section, which is deprecated in Yoga.

Itemized changes to charm below:

 * Create templates/yoga
 * Move VNC config to [vnc] section in nova.conf
 * Rename VNC config keys to follow the Yoga specification.

Closes-Bug: #1974082
Closes-Bug: #1734683

Change-Id: Ic100528f9f38bbc0c83e4f563166113024e3db59
2022-07-25 17:47:50 +00:00
Nobuto Murata cf0f464391 AppArmor policy update for os-brick and iSCSI
In iSCSI use cases including cinder-lvm, os-brick requires lock files
such as:
  - /run/lock/nova/os-brick-connect_volume
  - /run/lock/nova/os-brick-connect_to_iscsi_portal-192.168.0.1

and lsscsi requires following access to compose a rescan command such as
"/sys/bus/scsi/drivers/sd/2:0:0:0/rescan":
  - /dev/
  - /sys/bus/scsi/devices/

Closes-Bug: #1979812
Related-Bug: #1939390
Change-Id: Id2db3a70b8d1287bda006f1bbc5442038f7070f1
2022-06-24 23:58:32 +09:00
Billy Olsen f6c536baec Render correct driver in nova-compute.conf
Commit abe5a289 fixed the rendering of the ironic driver in the
nova-compute.conf file for OpenStack versions >= Wallaby. However, it
always renders the nova-compute.conf file for train and above, which is
hard-coded to the Ironic libvirt driver.

This adds additional templating logic to the nova-compute.conf driver in
order to render the correct driver to use.

Related-Bug: #1968547
Change-Id: I12cd4bf5953170d227d52793764c49f3871e25f9
2022-04-19 20:00:02 -07:00
Billy Olsen 01c0ce8506 Update apparmor profiles for Jammy/Yoga
The apparmor profile is missing some updates for versions on Jammy/Yoga.
Add read access to /proc/*/limits and some updates for sudo access.
Additionally, needed to move /var/lib/contrail access rule to be
alphabetically sorted.

Change-Id: I9b7175470f84515fb15715324bf1d8887dd5791f
2022-04-08 20:38:10 -07:00
Billy Olsen a8c4cd7b29 Enable vTPM support in nova-compute
Enable vTPM support in nova-compute charm. This adds new packages to be
installed swtpm and swtpm-tools as well as updates the nova-compute.conf
file and the qemu.conf file to set appropriate user/groups for swtpm.

func-test-pr: https://github.com/openstack-charmers/zaza-openstack-tests/pull/696

Change-Id: Idf0d19d75b9231f029fa6a7dc557d2a9ee04915b
2022-04-04 11:34:11 -07:00
Billy Olsen 958e054694 Allow access to secure uuidd socket
Nova uses python libraries, which use libuuid in order to generate
UUIDs. The apparmor profile does not allow for the nova-compute service
to access the /run/uuidd/request socket in order to generate a secure
UUID. Update the apparmor profile to allow nova to use the uuid service.

Closes-Bug: #1958689
Change-Id: I2ec6e7aba5c84c697733227ce36f762e4787cce1
2022-04-03 19:13:17 -07:00
Billy Olsen f4eeb0650a Allow read access to firmware information
Update the apparmor profile for nova-compute to allow it to read the
firmware configuration information for qemu. This is necessary in order
to launch instances using UEFI when apparmor enforcement is enabled.

Closes-Bug: #1958686
Change-Id: I7d9152dcc684923600c40ff0227c3c3eaafa7574
2022-04-03 19:13:17 -07:00
Aurelien Lourot 23f45aa921 Extend apparmor profile for attaching cinder-lvm volumes
Change-Id: Ic7b3e068886f1efd788d3ed309b391e1a82087fd
Closes-Bug: #1963922
2022-03-07 15:40:19 +01:00
Zuul 4fb655d7c3 Merge "Extend apparmor profile for ports in contrail" 2022-03-04 10:32:58 +00:00
Arif Ali de810645a3 Extend apparmor profile for ports in contrail
This update will clear the issue where access and writing to the
port directories are denied.

journal logs showing 2 for the same port:

AVC apparmor="ALLOWED" operation="mknod" profile="/usr/bin/nova-compute" name="/var/lib/contrail/ports/bc2f6fb2-5dee-48da-b17d-10fdaeda761a"  comm="python" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

AVC apparmor="ALLOWED" operation="open" profile="/usr/bin/nova-compute" name="/var/lib/contrail/ports/bc2f6fb2-5dee-48da-b17d-10fdaeda761a"  comm="python" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0

Signed-off-by: Arif Ali <arif.ali@canonical.com>
Change-Id: I92dbd1fa8cfacfcdc66c3ca562ac9e1c9849f9c5
2022-03-04 07:54:45 +00:00
Arif Ali 8719cbcf30 Update apparmor rules for uptime and iscsi
In the audit log we get uptime being called, and this is being
denied read access to /proc/sys/kernel/osrelease. The first part
should fix this.

journal logs shows:

AVC apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/proc/sys/kernel/osrelease" pid=2846362 comm="uptime" requested_mask="r" denied_mask="r" fsuid=64060 ouid=0

As part of allowing iscsi devices there are various files and names
in /sys/devices/virtual/block/, such that you could have dm-7/dm/name
so this should help to get this resolved.

journal log shows:

AVC apparmor="DENIED" operation="open" profile="/usr/bin/nova-compute" name="/sys/devices/virtual/block/dm-8/dm/name" pid=802673 comm="nova-compute" requested_mask="r" denied_mask="r" fsuid=64060 ouid=0

Signed-off-by: Arif Ali <arif.ali@canonical.com>
Change-Id: I40589702ac697d9e2969bcf75815ffb724a5a3ab
2022-03-03 21:54:14 +00:00
Aurelien Lourot 202edd3e59 Extend apparmor profile for vGPU
Without this, creating an instance using a vGPU will fail with
  File "/usr/lib/python3/dist-packages/nova/virt/libvirt/driver.py", line 7393, in _allocate_mdevs
    chosen_mdev = self._create_new_mediated_device(parent_device)
  File "/usr/lib/python3/dist-packages/nova/virt/libvirt/driver.py", line 7309, in _create_new_mediated_device
    chosen_mdev = nova.privsep.libvirt.create_mdev(
  File "/usr/lib/python3/dist-packages/oslo_privsep/priv_context.py", line 247, in _wrap
    return self.channel.remote_call(name, args, kwargs)
  File "/usr/lib/python3/dist-packages/oslo_privsep/daemon.py", line 204, in remote_call
    raise exc_type(*result[2])
PermissionError: [Errno 13] Permission denied

dmesg then shows
[151718.966526] audit: type=1400 audit(1646304589.915:193): apparmor="DENIED" operation="mknod" profile="/usr/bin/nova-compute" name="/sys/devices/pci0000:c0/0000:c0:03.1/0000:c1:00.0/mdev_supported_types/nvidia-108/create" pid=1649515 comm="privsep-helper" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

Change-Id: I27588e1d56076b3c0c891444cb9b2a58bf56c4cf
2022-03-03 12:46:23 +01:00
Zuul 5650741d59 Merge "Allow resizing to the same host" 2022-02-16 16:24:28 +00:00
Marcin Wilk c3bd6788a7 Allow resizing to the same host
By default resizing an instance to the same host as the source is
not enabled. This change adds new charm config option that maps
directly to the nova.conf setting which effectively gives a user
possibility to enable/disable this functionality.

Closes-Bug: #1946620
Depends-On: I13d0c332cd0b110344b7a1645e3e4fd250fce33a
Change-Id: I2f2e9e44f6bba48e15621a216539089c7e3abc1d
2022-02-11 15:54:14 +00:00
Nobuto Murata 2283f12edd Expose block-device-allocate-retries and interval
The upstream has 3 min as the timeout (60 retries at 3-seconds
interval). It should work if an image is in a raw format to leverage
Ceph's copy-on-write or an image is small enough to be copied quickly.
However, there are some cases exceeding the 3 min deadline such as a big
enough image with Qcow2 or other formats like Windows images, or storage
backend doesn't have copy-on-write from Glance.

Let's bump the deadline to 15 min (300 retries at 3-seconds interval) to
cover most of the cases out of the box, and let operators tune it
further by exposing those options.

Co-authored-by: Mark Maglana <mark.maglana@canonical.com>
Closes-Bug: 1758607
Change-Id: I6f6da8e90c6bbcd031ee183ae86d88eccd392230
2022-02-08 18:03:20 +09:00
Zuul c437eb1db0 Merge "Clarify header of templates/train/nova.conf" 2021-12-17 11:32:02 +00:00
Zuul 839cd20778 Merge "Fixes Nova live-migration post-copy" 2021-12-10 14:00:13 +00:00
Erlon R. Cruz 4c4bc999e9 Fixes Nova live-migration post-copy
Live migration post-copy was not working because to be effective,
'live_migration_timeout_action' must be set to 'force_complete'.

Closes-bug: #1950894
Change-Id: I66984a12b89cb0ac2aeebeb393a6f6c026d865da
2021-12-02 10:03:30 -03:00
Nobuto Murata a5dc16393a Expose reserved_host_disk_mb for nova.conf
The config is necessary to calculate available disk space for VMs with
disk-allocation-ratio which is already exposed as a charm option.

Closes-Bug: #1952184
Change-Id: I0ef55987517bded50f855e0dbc5e420cfbff4c1b
2021-11-25 15:44:48 +09:00
James Troup 034d6e36c2 Spelling fixes found by codespell.
Change-Id: I819aa04eef6cc72a24ecaf39a350b30015612165
2021-11-15 21:54:13 +00:00
Zuul c501f196d0 Merge "Block nova-compute startup on mountpoint" 2021-10-08 16:08:30 +00:00
Nobuto Murata 22523e5b54 Allow overriding libvirt/num_pcie_ports
Especially with arm64/aarch64, the default value limits the number of
volume attachments to two usually. And when more than two volumes are to
be attached, it will fail with "No more available PCI slots". There is
no one-size-fits-all value here so let operators override the default
value.

Closes-Bug: #1944214
Change-Id: I9b9565873cbaeb575704b94a25d0a8556ab96292
2021-09-28 12:31:20 +00:00
James Page af2e403625 Block nova-compute startup on mountpoint
If an ephemeral-device storage configuration has been provided,
ensure that the nova-compute service will not start until the
mountpoint (currently /var/lib/nova/instances) has actually
been mounted.  If this does not happen the nova-compute service
will fail to start in a failsafe condition.

Change-Id: Ic16691e119e430faec9994f6e207596629e47bb6
Closes-Bug: 1863358
2021-09-16 09:22:27 +01:00
Stephan Pampel 6ab0d0d5f6 Added neutron_physnet and neutron_tunnel config
Adding neutron_physnet and neutron_tunnel as config options
for numa affinity to the charm.

Implementation of [0] config options.
Only affects OpenStack releases >= rocky

[0]https://docs.openstack.org/nova/rocky/configuration/config.html#neutron.physnets

Closes-Bug: #1921067
Change-Id: Ib050c23f5e4d2da8262c37f136dbc66129141017
2021-08-31 10:24:39 +02:00
James Troup 973a85d539 Clarify header of templates/train/nova.conf
templates/train/nova.conf is also used for subsequent versions and the
'train' at the top of the file is very confusing for operators who are
running, e.g. Ussuri.

Change-Id: Ia7c97d66d5d03887d5ec076222d0e572b6d5869d
2021-08-20 13:11:49 +01:00
James Troup f526b1f4a9 Allow nova-compute to read /sys/module/kvm_amd/parameters/sev
Closes-Bug: #1935697
Change-Id: I4cb54c26f285e0ea283193416f58bda3080bb38d
2021-08-06 15:14:12 +00:00
Zuul aff2a0b182 Merge "Added allocation-ratio config opts" 2021-07-15 23:36:30 +00:00
Zuul 6713703894 Merge "Port ncc pci-alias list fix to nova-compute" 2021-06-17 18:25:56 +00:00
Rodrigo Barbieri d51e010fca Port ncc pci-alias list fix to nova-compute
Port of https://review.opendev.org/535350

Fix for this bug already exists for
nova-cloud-controller charm, therefore
port it over to nova-compute.

Closes-bug: #1921147
Change-Id: I0c37d2bce3b195f5dc18111bb70a30de03b2bbc6
func-test-pr: https://github.com/openstack-charmers/zaza-openstack-tests/pull/587
2021-06-14 14:39:56 -03:00
Zuul 369b67b28a Merge "apparmor: ensure multipath.conf is accessible" 2021-06-11 15:08:54 +00:00
Zuul 06fbe4aa6c Merge "Set cross_az_attach mode from ncc relation configuration" 2021-06-11 14:49:42 +00:00
James Page 9d9a74ddda apparmor: ensure multipath.conf is accessible
Allow access to main multipath configuration file from the
nova-compute daemon.

Change-Id: Ibaa5f45b7fd72fcc936986286939e1285bcdb945
Closes-Bug: 1906727
2021-06-08 13:29:22 +01:00
Brett Milford 43acdd4f80 Added allocation-ratio config opts
Nova supports setting allocation ratios at the nova-compute level from
Liberty onwards. Prior to this allocation ratios were set at the
nova-scheduler level.

Newton introduced the Placement API, and Ocata introduced the ability to
have compute resources (Core/RAM/Disk) precomputed before passing
candidates to the FilterScheduler [0]. Pike removed CoreFilter,
RAMFilter and DiskFilter scheduler filters.

From Pike onwards valid methods for setting these allocation ratios are via:
- A call to the Placement API [1].
- Config values supplied to nova-compute (xxx_allocation_ratio).

Stein introduced initial_xxx_allocation_ratio in response to the runtime
behaviour of the ResourceTracker [2].

Currently, the precedence of resource ratio values is:
xxx_allocation_ratio > Placement API call > initial_xxx_allocation_ratio

That is a (compute) resource provider's allocation ratios will default
to initial_xxx_allocation_ratio which may be overridden at run time by a
call to the Placement API. If xxx_allocation_ratio is set it will
override all configurations for that provider.

When not otherwise configured, we set initial_xxx_allocation_ratio to
the values provided by ncc to maintain backwards compatibility. Where
initial_xxx_allocation_ratio is not available we set
xxx_allocation_ratio.

[0] https://specs.openstack.org/openstack/nova-specs/specs/ocata/implemented/resource-providers-scheduler-db-filters.html
[1] https://docs.openstack.org/api-ref/placement/#update-resource-provider-inventories
[2] https://specs.openstack.org/openstack/nova-specs/specs/stein/implemented/initial-allocation-ratios.html

Change-Id: Ifa314e9e23e0ae5d16113cd91a7507e61f9de704
Closes-Bug: #1677223
2021-05-24 15:39:47 +10:00
Liam Young 120235f359 Add apparmor rule to support /usr/sbin
It seems that as of Disco *1 /sbin is a symlink to /usr/sbin. This
patch adds support for files in either location.

*1 https://lists.ubuntu.com/archives/ubuntu-devel-announce/2018-November/001253.html

Change-Id: I66fa27f3f5e29d83cfea0f1afb33374303ab4669
Closes-Bug: #1925511
2021-04-26 13:51:06 +00:00
Billy Olsen 17e44e12e3 Set cross_az_attach mode from ncc relation configuration
The cross_az_attach property needs to be configured on the compute
nodes. The policy is set on the ncc service and is propagated to the
compute nodes on the cloud-compute relation. Update the relevant cinder
config setting based on the value provided.

Note, the default value for cross_az_attach is aligned with the nova
default of True.

Closes-Bug: #1899084
Change-Id: I7d00b50acbfe05dfd943a3511126b507fc570aeb
2021-04-13 11:45:24 -07:00
James Page 08728a3adf apparmor: update profile for hardware offload
The nova-compute daemon requires access to a couple of additional
paths to support querying the underlying hardware in hardware
offload enabled scenarios.

Update apparmor profile to reflect these additional requirements.

Change-Id: I4283f12e4346b64f89dbc13bb64e5fb7edca2f62
Closes-Bug: 1895530
2021-03-02 10:55:49 +00:00
James Vaughn c5eb1b01a2 Fix SPICE agent setting in Train nova.conf template
Prior to this commit the SPICE agent was hard set to True regardless of
the nova-cloud-controller spice-agent-enabled value, preventing the use
of hw_pointer_model=usbtablet for Windows guests.

Change-Id: I6553623414acfadeb415342e8601a00ba5d80660
2021-01-25 16:11:52 +00:00
Linda Guo d58faab1e9 Added config option 'inject-password'
This config option is to enable admin
password injection at instance boot time
 * Added unit test to verify the config
   is correctly set and nova.config is
   updated.
 * Updated all of the templates that have
   inject-password set
 * Moved inject_* options out of
   {if libvirt_images_type and rbd_pool}
   block as they are irrelevant.

Closes-Bug: #1755696
Change-Id: Ie766a14bfa6b16337aa957bf7adf2d869462f9d7
2020-12-17 08:43:05 +11:00