CentOS 7 job is running with python2, which is no longer supported by
nova. Devstack also dropped its platform tests for CentOS.
Change-Id: I74b04cf6ecd978bfc5fbf3b2c7484a79d28ae826
With python3 we are getting the following error:
Traceback (most recent call last):
File "/usr/bin/novajoin-ipa-setup", line 103, in <module>
args['tls_ca_cert'] = cafile.decode('UTF-8')
AttributeError: 'str' object has no attribute 'decode'
Let's just use the normal assignment in case the .decode() call
fails.
Also apply the same fixes to files/cloud-config-novajoin.json
Tested and we correctly get past this error.
Change-Id: Ia77ebde46ff885c9f929d834f981acb97f26a4ec
Co-Authored-By: Luca Miccini <lmiccini@redhat.com>
Closes-Bug: #1820961
Since novajoin is branchless, we need to support
older releases, which may call this script from the
old location. Additional novajoin-ipa-setup script is
installed in the old location for backward compatibility
and calls the new "compiled" script in the default bin
directory.
Change-Id: I0a25ffb1f5fd3f8723bff8a1bcfc6dfc486b2b4a
This patch also moves the novajoin-install and novajoin-ipa-setup
scripts to the default python scripts directory. This is because
there is no other way to fixup the #! line for python3, apart from
modifying setup.py, which is managed by the global requirements repo.
Change-Id: I21ccb475905feebdb91aa158ce3845744b2f0a5f
Support nova versioned notifications. Unversioned notifications
are still supported and the default. The CI is configured to test
versioned notifications, and both implementations use the same methods.
Because of this, testing versioned notifications also covers
unversioned notifications, since the execution path flows through both.
Change-Id: If028afa9e9fbcb344786cd287605e0d9af5d3c01
This adds support for creating and removing DNS A records when
floating IPs are associated and disassociated in neutron.
novajoin-install and functional tests are enhanced to test it.
Change-Id: I82c83ad9e8c84ddfd4ecfc4d5c3b31a418af97a7
A basic test to check that a spawned instance
will be added to and then deleted from FreeIPA.
This also fixes the novajoin-install script to
work by default on devstack.
Change-Id: Id7e940360ade74d605fef9004c6a5454790c55a4
setup.py points to /etc/novajoin, while novajoin-install
configured nova.conf to point to /etc/nova directory.
Change-Id: I94658945cca795aee2c53344081bca6c1c554b66
In freeipa f62a0fdb904d2a4bb1961847e240dbb6df3b0b67 the IPA
client library was modified to remove the log_manager. This patch
fixes the novajoin code for all versions of IPA.
See rhbz# 1644747
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Co-Authored-By: Grzegorz Grasza <xek@redhat.com>
Change-Id: I2da12bedfc8790ebd1005c98f2e05953d127b3b9
We were falling back to using the KRB5CCNAME that the user had set
beforehand instead of relying on the one that we get from using the
credentials that the user actually provided.
This led to the credentials being ignored, and the setup failing.
Closes-Bug: #1746989
Change-Id: I90daa2d3341989878b7b4da8ed9cbb23e08da68b
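An added illustration of the credential-cache problem described in the commit above (not novajoin's own code): the TGT is requested into a freshly created private cache, and KRB5CCNAME is overwritten rather than inherited, so a ticket the user already held can never stand in for the credentials they supplied. The function names are hypothetical, and the sketch assumes an MIT `kinit` on PATH that reads the password from standard input.

```python
import os
import subprocess
import tempfile


def private_ccache_env(base_env, ccache_dir):
    """Return a copy of base_env whose KRB5CCNAME points at a fresh cache.

    The value is overwritten unconditionally. Using setdefault() here would
    keep a cache the caller exported earlier, which is the failure mode the
    commit message describes.
    """
    env = dict(base_env)
    env["KRB5CCNAME"] = "FILE:" + os.path.join(ccache_dir, "ccache")
    return env


def kinit_with_password(principal, password, base_env=None, kinit="kinit"):
    """Obtain a TGT for exactly the supplied credentials.

    Returns the environment to pass to later Kerberos-aware calls.
    Raises RuntimeError if kinit rejects the credentials.
    """
    # mkdtemp creates the directory with mode 0700, so other local users
    # cannot read or pre-seed the cache file.
    ccache_dir = tempfile.mkdtemp(prefix="krb5cc_")
    source_env = os.environ if base_env is None else base_env
    env = private_ccache_env(source_env, ccache_dir)
    proc = subprocess.run(
        [kinit, principal],
        input=(password + "\n").encode("utf-8"),
        env=env,
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
    )
    if proc.returncode != 0:
        # Fail closed: never fall back to a pre-existing ticket.
        detail = proc.stderr.decode("utf-8", "replace").strip()
        raise RuntimeError("kinit failed for %s: %s" % (principal, detail))
    return env
```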
The changes were more significant than just a few imports as
initially thought. The RPC API changed significantly mostly due
to switching from NSS to OpenSSL as the crypto layer.
Related changes include:
* Handling the new random password generator
* Writing the CA chain to a file instead of an NSS db
* Dealing with certificates having their own object
These are handled via the ipapython.version library to tell
what version of IPA we have. This cannot rely on the API
value because these changes are lower-level.
Change-Id: I8ee03edc4b0b2db566db43f2ea64256fe15a3a8b
The default in OSP Director is service and in Packstack services.
Use 'service' as the overall default.
Change-Id: I3e209b10d41720b1f0536b0d64d9fb08020f106a
Up to 4.4.0 the import was in ipalib. With 4.5.0 it moved
to ipalib/install.
Try both imports before failing.
Change-Id: Ie89108e31f311d74976f946a6df4a24edc5ca879
We are now requiring a token, provide the configuration needed
to verify the incoming token against Keystone.
Change-Id: I0dbc37b591968b868d09c5952bebd7ff1dec3a6e
The old default port, 9999, was being set in a few places.
In novajoin-install, the standalone installer, a few things
were not being configured.
- The join api_paste_config option wasn't being set
- The service credentials section was incomplete
Change-Id: I3169c68d29be11edea52c74535ae43b75884fb66
Something must be doing a fork somewhere which is causing the
tokens to be reset. This will work around the issue for now.
Change-Id: I2f6b3ff26e49114e730a3d2f36d7771d6c08d049
IPA 4.4 added thin client capabilities. This is done by downloading
the call schema from the IPA server and is done during the
finalize() step. This requires a TGT.
So we need to ensure that a kinit is done before finalize() is
called both in the standalone installer and in the ipa code.
Change-Id: Id87b83cb945c946cf78c425aae19c311d900249a
Be more OpenStack-ish and expect an auto-generated config file
and make discrete changes to that.
This code expects that /etc/nova/join.conf exists.
This also switches back to using the config object directly
instead of converting it into a dict.
Change-Id: I49166c4be09f7bc59a78582ce5c8b6c813de0051
For the case of Triple-O we don't want to pass IPA admin
credentials to the undercloud so instead pre-create the IPA
entries for undercloud and pass in an OTP that can be used to
enroll it using ipa-client-install.
Another feature of --precreate is that it doesn't require the
machine to be enrolled as an IPA client. The required options must
be provided on the command-line.
Change-Id: Ia69b5b4fbc275c04f5e07e9d2ef62e3547725ac8
This used to handle IPA connectivity manually by using
python-requests so the URL was necessary. This was replaced
by using the IPA framework instead and the host(s) to
contact are handled by that.
Change-Id: I4009b044ad079fd97591a28d8f47d18621506d6e
When installing via puppet the configuration changes aren't
necessary and in fact can cause problems. All that really needs
to happen is the IPA work to add the permissions, privilege and
role and create the nova service and fetch the keytab.
This is broken out into a separate class that can be called from
either the existing novajoin-install or the new
novajoin-ipa-setup. The bash script equivalent was removed.
The paste configuration doesn't include authentication so there
is no need for keystone_authtoken. This also means that
the option keystone_auth_uri can be removed.
Also drop man page reference to the keystone_identity option.
I compared join.conf with nova.conf and neutron.conf and made
it conform more closely to those two in configuration in the
keystone_authtoken and service_credentials sections.
The authentication scheme of the REST API is still a bit up
in the air so switch this to not rely/expect authentication
but instead to use the nova service user to talk to other
services.
Eventually this should use its own service user.
This enables us to get images from glance but also to handle
looking up the information we need when Neutron assigns a
floating IP address. This means we can create the hostname
in IPA DNS in advance so it will be on the public network
and not the private one.
Remove some unused options in the Keystone configuration and
add options so the installer can automatically configure things
to work without manual changes.
Add a log_dir to the configuration so all logging is saved.
Set the IPA domain in join.conf so hostnames will get the
IPA domain, instance_name + domain.
Don't blow up if metadata or system_metadata comes in as None.
Add some missing variable definitions caught by pylint.
Read join.conf in the notify server as well.
Re-order the kinit in the installation script to not fail
if the user has no pre-existing ticket.
Keep join.conf and api-paste.ini from going into
/usr/share/novajoin.
This is based heavily on the WSGI code in cinder.
There are two services: a REST service and a notification
listener.
Currently both log only to stdout.
The configuration file join.conf controls the REST service.
nova configuration should look like this (assuming the REST
service is running on the nova compute host).
vendordata_providers = StaticJSON, DynamicJSON
vendordata_dynamic_targets = 'join@http://127.0.0.1:9999/v1/'
vendordata_driver = nova.api.metadata.vendordata_http.HTTPFileVendorData
vendordata_dynamic_connect_timeout = 5
vendordata_dynamic_read_timeout = 30
vendordata_jsonfile_path = /etc/nova/cloud-config.json
For the notification service like this:
notification_driver = messaging
notification_topic = notifications
notify_on_state_change = vm_state
Authentication is disabled in api-paste.ini for now.
Remove the unused cacert option. Rely instead on system certificates.
Add password-file option to pass in the IPA admin password.
Use the IPA-provided user_input which is more robust.
Drop message about loading metadata as it is done automatically now.