From 216b7a5cd50bb0ef10edfeb6b551b75b083952ae Mon Sep 17 00:00:00 2001
From: James Page
Date: Wed, 7 Dec 2016 15:03:24 +0000
Subject: [PATCH] Switch to using lxd: namespace for extra-specs

Use of unscoped extra-specs confuses the ComputeCapabilitiesFilter, causing all LXD compute hosts to be excluded as targets for scheduling of instances.

Switch supported extra-specs to the lxd: namespace to ensure that they are correctly ignored by other parts of Nova, but remain visible in the LXD compute driver:

lxd_isolated -> lxd:isolated
lxd_privileged_allowed -> lxd:privileged_allowed
lxd_nested_allowed -> lxd:nested_allowed

(also fixup branch configuration for stable/mitaka)

Change-Id: I5ff696769c25639ff28eb029f27c8d22d5769adf
Closes-Bug: 1648056
---
 .gitreview | 3 ++-
 contrib/glance_metadefs/compute-lxd-flavor.json | 6 ++++++
 nova_lxd/nova/virt/lxd/config.py | 6 +++---
 nova_lxd/tests/test_config.py | 8 ++++----
 4 files changed, 15 insertions(+), 8 deletions(-)

diff --git a/.gitreview b/.gitreview
index 642f1466..78d26645 100644
--- a/.gitreview
+++ b/.gitreview
@@ -1,4 +1,5 @@
 [gerrit]
 host=review.openstack.org
 port=29418
-project=openstack/nova-compute-lxd.git
\ No newline at end of file
+project=openstack/nova-lxd.git
+defaultbranch=stable/mitaka
diff --git a/contrib/glance_metadefs/compute-lxd-flavor.json b/contrib/glance_metadefs/compute-lxd-flavor.json
index 61716841..eb85c4f1 100644
--- a/contrib/glance_metadefs/compute-lxd-flavor.json
+++ b/contrib/glance_metadefs/compute-lxd-flavor.json
@@ -21,6 +21,12 @@
 "description": "Containers created as Privileged have elevated powers on the compute host. You should not set this option on containers that you don't fully trust.",
 "type": "string",
 "default": false
+ },
+ "lxd:isolated": {
+ "title": "Create idmap isolated containers",
+ "description": "Containers created as idmap isolated will run under different subuid/subgid ranges from other containers on the same host, decreasing the risk of cross container compromises within a single compute host.",
+ "type": "string",
+ "default": false
 }
 }
 }
diff --git a/nova_lxd/nova/virt/lxd/config.py b/nova_lxd/nova/virt/lxd/config.py
index 2956d707..0f311c01 100644
--- a/nova_lxd/nova/virt/lxd/config.py
+++ b/nova_lxd/nova/virt/lxd/config.py
@@ -164,18 +164,18 @@ class LXDContainerConfig(object):
 # Determine if we require a nested container
 flavor = instance.flavor
 lxd_nested_allowed = flavor.extra_specs.get(
- 'lxd_nested_allowed', False)
+ 'lxd:nested_allowed', False)
 if lxd_nested_allowed:
 config['security.nesting'] = 'True'

 # Determine if we require a privileged container
 lxd_privileged_allowed = flavor.extra_specs.get(
- 'lxd_privileged_allowed', False)
+ 'lxd:privileged_allowed', False)
 if lxd_privileged_allowed:
 config['security.privileged'] = 'True'

 lxd_isolated = flavor.extra_specs.get(
- 'lxd_isolated', False)
+ 'lxd:isolated', False)
 if lxd_isolated:
 extensions = self.session.get_host_extensions()
 if 'id_map' in extensions:
diff --git a/nova_lxd/tests/test_config.py b/nova_lxd/tests/test_config.py
index b9c0e755..8de262de 100644
--- a/nova_lxd/tests/test_config.py
+++ b/nova_lxd/tests/test_config.py
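Review bot: The new `lxd:isolated` property declares `"type": "string"` but gives `"default": false`, a JSON boolean, copying the inconsistency visible in the privileged entry's context lines above it. What an operator actually stores through the flavor API is a string, so the default as written does not describe any value the driver will see. Either declare `"type": "boolean"`, if the metadef schema used by this catalogue accepts it, or make the default a string and state in the description which string values count as enabled.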
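Review bot: The renamed keys are still consumed with a bare truthiness test — `if lxd_nested_allowed:`, `if lxd_privileged_allowed:`, `if lxd_isolated:` — while Nova stores flavor extra_specs values as strings (the metadef touched by this same commit declares them `"type": "string"`), so a flavor carrying `lxd:privileged_allowed=False` or `=0` still produces a privileged container; the only value that disables an option is the key's absence. This is fail-open for the two security-sensitive options, and the tests in nova_lxd/tests/test_config.py pass a Python `True`, so they never exercise the string path; a case setting `'lxd:privileged_allowed': 'False'` and asserting that `security.privileged` is absent would pin the safe behaviour. Parse the values explicitly, with `oslo_utils.strutils.bool_from_string` if the module already imports it, or a small local helper as sketched below. The enclosing method begins before line 164, outside the hunk, so the helper's placement at module level is a suggestion only.
```python
def _spec_enabled(flavor, key):
    """Return True only for an explicit affirmative extra-spec value.

    extra_specs values arrive as strings; anything other than a recognised
    affirmative ('true', '1', 'yes', 'on') or a bool True is treated as off.
    """
    value = flavor.extra_specs.get(key, False)
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ('true', '1', 'yes', 'on')

        # … unchanged: method preamble before line 164 …
        # Determine if we require a nested container
        flavor = instance.flavor
        if _spec_enabled(flavor, 'lxd:nested_allowed'):
            config['security.nesting'] = 'True'

        # Determine if we require a privileged container
        if _spec_enabled(flavor, 'lxd:privileged_allowed'):
            config['security.privileged'] = 'True'

        if _spec_enabled(flavor, 'lxd:isolated'):
            # … unchanged: id_map host-extension check …
```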
@@ -122,14 +122,14 @@ class LXDTestContainerConfig(test.NoDBTestCase):

 def test_container_nested_container(self):
 instance = stubs._fake_instance()
- instance.flavor.extra_specs = {'lxd_nested_allowed': True}
+ instance.flavor.extra_specs = {'lxd:nested_allowed': True}
 config = self.config.config_instance_options({}, instance)
 self.assertEqual({'security.nesting': 'True',
 'boot.autostart': 'True'}, config)

 def test_container_privileged_container(self):
 instance = stubs._fake_instance()
- instance.flavor.extra_specs = {'lxd_privileged_allowed': True}
+ instance.flavor.extra_specs = {'lxd:privileged_allowed': True}
 config = self.config.config_instance_options({}, instance)
 self.assertEqual({'security.privileged': 'True',
 'boot.autostart': 'True'}, config)
@@ -138,7 +138,7 @@ class LXDTestContainerConfig(test.NoDBTestCase):
 mock.Mock(return_value=['id_map']))
 def test_container_isolated(self):
 instance = stubs._fake_instance()
- instance.flavor.extra_specs = {'lxd_isolated': True}
+ instance.flavor.extra_specs = {'lxd:isolated': True}
 config = self.config.config_instance_options({}, instance)
 self.assertEqual({'security.idmap.isolated': 'True',
 'boot.autostart': 'True'}, config)
@@ -147,7 +147,7 @@ class LXDTestContainerConfig(test.NoDBTestCase):
 mock.Mock(return_value=[]))
 def test_container_isolated_unsupported(self):
 instance = stubs._fake_instance()
- instance.flavor.extra_specs = {'lxd_isolated': True}
+ instance.flavor.extra_specs = {'lxd:isolated': True}
 self.assertRaises(
 exception.NovaException,