Switch to using lxd: namespace for extra-specs
Use of unscoped extra-specs confuses the ComputeCapabilitiesFilter, causing all LXD compute hosts to be excluded as targets for scheduling of instances.

Switch supported extra-specs to the lxd: namespace to ensure that they are correctly ignored by other parts of Nova, but remain visible in the LXD compute driver:

  lxd_isolated -> lxd:isolated
  lxd_privileged_allowed -> lxd:privileged_allowed
  lxd_nested_allowed -> lxd:nested_allowed

(also fix up branch configuration for stable/mitaka)

Change-Id: I5ff696769c25639ff28eb029f27c8d22d5769adf
Closes-Bug: 1648056
parent
de65e00341
commit
216b7a5cd5
|
@ -1,4 +1,5 @@
|
|||
[gerrit]
|
||||
host=review.openstack.org
|
||||
port=29418
|
||||
project=openstack/nova-compute-lxd.git
|
||||
project=openstack/nova-lxd.git
|
||||
defaultbranch=stable/mitaka
|
||||
|
|
|
@ -21,6 +21,12 @@
|
|||
"description": "Containers created as Privileged have elevated powers on the compute host. You should not set this option on containers that you don't fully trust.",
|
||||
"type": "string",
|
||||
"default": false
|
||||
},
|
||||
"lxd:isolated": {
|
||||
"title": "Create idmap isolated containers",
|
||||
"description": "Containers created as idmap isolated will run under different subuid/subgid ranges from other containers on the same host, decreasing the risk of cross container compromises within a single compute host.",
|
||||
"type": "string",
|
||||
"default": false
|
||||
}
|
||||
}
|
||||
}
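Review bot: The new `lxd:isolated` property declares `"type": "string"` but gives the JSON boolean `false` as its default, repeating the mismatch visible on the preceding property in this hunk. A client that renders this definition will accept any string for a setting the driver treats as an on/off switch, so the declared type and the default should agree: either `"type": "boolean"` with `"default": false`, or keep the string type and use `"default": "false"`. Because this flag controls idmap isolation between containers on one host, the description would also benefit from stating which values enable it.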
|
||||
|
|
|
@ -164,18 +164,18 @@ class LXDContainerConfig(object):
|
|||
# Determine if we require a nested container
|
||||
flavor = instance.flavor
|
||||
lxd_nested_allowed = flavor.extra_specs.get(
|
||||
'lxd_nested_allowed', False)
|
||||
'lxd:nested_allowed', False)
|
||||
if lxd_nested_allowed:
|
||||
config['security.nesting'] = 'True'
|
||||
|
||||
# Determine if we require a privileged container
|
||||
lxd_privileged_allowed = flavor.extra_specs.get(
|
||||
'lxd_privileged_allowed', False)
|
||||
'lxd:privileged_allowed', False)
|
||||
if lxd_privileged_allowed:
|
||||
config['security.privileged'] = 'True'
|
||||
|
||||
lxd_isolated = flavor.extra_specs.get(
|
||||
'lxd_isolated', False)
|
||||
'lxd:isolated', False)
|
||||
if lxd_isolated:
|
||||
extensions = self.session.get_host_extensions()
|
||||
if 'id_map' in extensions:
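Review bot: The three lookups test the raw extra-spec value for truthiness, so any non-empty string enables the option: a flavor carrying `lxd:privileged_allowed=False` would, as far as this hunk shows, still get `security.privileged` set, because the string 'False' is truthy (the metadata definition in this commit types these properties as strings). Parse the value explicitly, e.g. `lxd_privileged_allowed = strutils.bool_from_string(flavor.extra_specs.get('lxd:privileged_allowed', False))` using `oslo_utils.strutils` (assuming it is available to this module), and do the same for `lxd:nested_allowed` and `lxd:isolated`. Separately, flavors that still carry the old `lxd_isolated` key are now silently ignored, which drops idmap isolation without any signal; a logged warning when a legacy key is present would make that visible to operators. The enclosing method starts and ends outside the hunk.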
|
||||
|
|
|
@ -122,14 +122,14 @@ class LXDTestContainerConfig(test.NoDBTestCase):
|
|||
|
||||
def test_container_nested_container(self):
|
||||
instance = stubs._fake_instance()
|
||||
instance.flavor.extra_specs = {'lxd_nested_allowed': True}
|
||||
instance.flavor.extra_specs = {'lxd:nested_allowed': True}
|
||||
config = self.config.config_instance_options({}, instance)
|
||||
self.assertEqual({'security.nesting': 'True',
|
||||
'boot.autostart': 'True'}, config)
|
||||
|
||||
def test_container_privileged_container(self):
|
||||
instance = stubs._fake_instance()
|
||||
instance.flavor.extra_specs = {'lxd_privileged_allowed': True}
|
||||
instance.flavor.extra_specs = {'lxd:privileged_allowed': True}
|
||||
config = self.config.config_instance_options({}, instance)
|
||||
self.assertEqual({'security.privileged': 'True',
|
||||
'boot.autostart': 'True'}, config)
|
||||
|
@ -138,7 +138,7 @@ class LXDTestContainerConfig(test.NoDBTestCase):
|
|||
mock.Mock(return_value=['id_map']))
|
||||
def test_container_isolated(self):
|
||||
instance = stubs._fake_instance()
|
||||
instance.flavor.extra_specs = {'lxd_isolated': True}
|
||||
instance.flavor.extra_specs = {'lxd:isolated': True}
|
||||
config = self.config.config_instance_options({}, instance)
|
||||
self.assertEqual({'security.idmap.isolated': 'True',
|
||||
'boot.autostart': 'True'}, config)
|
||||
|
@ -147,7 +147,7 @@ class LXDTestContainerConfig(test.NoDBTestCase):
|
|||
mock.Mock(return_value=[]))
|
||||
def test_container_isolated_unsupported(self):
|
||||
instance = stubs._fake_instance()
|
||||
instance.flavor.extra_specs = {'lxd_isolated': True}
|
||||
instance.flavor.extra_specs = {'lxd:isolated': True}
|
||||
|
||||
self.assertRaises(
|
||||
exception.NovaException,
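Review bot: All four updated tests set the extra spec to the Python boolean `True`, while flavor extra specs normally arrive as strings, so the suite never exercises a value such as `'False'` or `'true'`. A negative case would pin the intended behaviour, e.g. `instance.flavor.extra_specs = {'lxd:privileged_allowed': 'False'}` followed by `self.assertNotIn('security.privileged', config)`, with equivalents for nesting and isolation. The final test's `assertRaises` call continues past the end of the hunk.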
|
||||
|
|