Switch to using lxd: namespace for extra-specs

Use of unscoped extra-specs confuses the ComputeCapabilitiesFilter,
causing all LXD compute hosts to be excluded as targets for
scheduling of instances.

Switch supported extra-specs to the lxd: namespace to ensure that
they are correctly ignored by other parts of Nova, but remain
visible in the LXD compute driver:

  lxd_isolated -> lxd:isolated
  lxd_privileged_allowed -> lxd:privileged_allowed
  lxd_nested_allowed -> lxd:nested_allowed

(also fix up the .gitreview branch configuration for stable/mitaka)

Change-Id: I5ff696769c25639ff28eb029f27c8d22d5769adf
Closes-Bug: 1648056
James Page 2016-12-07 15:03:24 +00:00
parent de65e00341
commit 216b7a5cd5
4 changed files with 15 additions and 8 deletions


@ -1,4 +1,5 @@
[gerrit]
host=review.openstack.org
port=29418
project=openstack/nova-compute-lxd.git
project=openstack/nova-lxd.git
defaultbranch=stable/mitaka


@ -21,6 +21,12 @@
"description": "Containers created as Privileged have elevated powers on the compute host. You should not set this option on containers that you don't fully trust.",
"type": "string",
"default": false
},
"lxd:isolated": {
"title": "Create idmap isolated containers",
"description": "Containers created as idmap isolated will run under different subuid/subgid ranges from other containers on the same host, decreasing the risk of cross container compromises within a single compute host.",
"type": "string",
"default": false
}
}
}
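Review bot: The `lxd:isolated` entry this hunk adds declares `"type": "string"` but sets `"default": false`, a JSON boolean, so the default is not a value of the declared type; the preceding entry shows the same mismatch, but the new entry should not copy it. Either make the default a string of the declared type, `"default": "false"`, or state in the description which string values count as enabled, since the driver change in this commit only tests the extra-spec value for truthiness. As written, a reader of this metadata cannot tell whether `"false"` disables the option or enables it.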


@ -164,18 +164,18 @@ class LXDContainerConfig(object):
# Determine if we require a nested container
flavor = instance.flavor
lxd_nested_allowed = flavor.extra_specs.get(
'lxd_nested_allowed', False)
'lxd:nested_allowed', False)
if lxd_nested_allowed:
config['security.nesting'] = 'True'
# Determine if we require a privileged container
lxd_privileged_allowed = flavor.extra_specs.get(
'lxd_privileged_allowed', False)
'lxd:privileged_allowed', False)
if lxd_privileged_allowed:
config['security.privileged'] = 'True'
lxd_isolated = flavor.extra_specs.get(
'lxd_isolated', False)
'lxd:isolated', False)
if lxd_isolated:
extensions = self.session.get_host_extensions()
if 'id_map' in extensions:
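Review bot: The three enable checks `if lxd_nested_allowed:`, `if lxd_privileged_allowed:` and `if lxd_isolated:` test the raw extra-spec value for truthiness, and extra-spec values set through the Nova API are strings rather than booleans, so an operator writing `lxd:privileged_allowed=False` (or `0`) would still get `config['security.privileged'] = 'True'` on a container that, per the spec text in this commit, has elevated powers on the compute host. The rename does not introduce this, but it is the right moment to parse the value explicitly, e.g. `if strutils.bool_from_string(lxd_privileged_allowed):` and likewise for the nested and isolated keys, assuming `oslo_utils.strutils` is importable here; a stdlib equivalent is `str(value).lower() in ('true', '1', 'yes')`. The tests changed in this commit only pass Python `True`, so they would not catch the string case, and a `'False'` case would be worth adding. The enclosing method begins before and continues past this hunk.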


@ -122,14 +122,14 @@ class LXDTestContainerConfig(test.NoDBTestCase):
def test_container_nested_container(self):
instance = stubs._fake_instance()
instance.flavor.extra_specs = {'lxd_nested_allowed': True}
instance.flavor.extra_specs = {'lxd:nested_allowed': True}
config = self.config.config_instance_options({}, instance)
self.assertEqual({'security.nesting': 'True',
'boot.autostart': 'True'}, config)
def test_container_privileged_container(self):
instance = stubs._fake_instance()
instance.flavor.extra_specs = {'lxd_privileged_allowed': True}
instance.flavor.extra_specs = {'lxd:privileged_allowed': True}
config = self.config.config_instance_options({}, instance)
self.assertEqual({'security.privileged': 'True',
'boot.autostart': 'True'}, config)
@ -138,7 +138,7 @@ class LXDTestContainerConfig(test.NoDBTestCase):
mock.Mock(return_value=['id_map']))
def test_container_isolated(self):
instance = stubs._fake_instance()
instance.flavor.extra_specs = {'lxd_isolated': True}
instance.flavor.extra_specs = {'lxd:isolated': True}
config = self.config.config_instance_options({}, instance)
self.assertEqual({'security.idmap.isolated': 'True',
'boot.autostart': 'True'}, config)
@ -147,7 +147,7 @@ class LXDTestContainerConfig(test.NoDBTestCase):
mock.Mock(return_value=[]))
def test_container_isolated_unsupported(self):
instance = stubs._fake_instance()
instance.flavor.extra_specs = {'lxd_isolated': True}
instance.flavor.extra_specs = {'lxd:isolated': True}
self.assertRaises(
exception.NovaException,