The replication promote and reenable API were removed
from Mitaka, these two policies are useless now.
Change-Id: Idc693c3e298f9adff01ea63147f67205811cfc57
When deploying Cinder as an SDS without Glance we have no way to prevent
volume creation from images even when we know they will not succeed.
This patch adds a specific policy so we can prevent this specific
creation action from being accepted. By doing so the user will know
immediately that this is not possible, instead of having to look through
the logs to see that this is not an option.
TrivialFix
Change-Id: Iabc10a1927eea6419dd677a632cfc7d32dc08091
Adds getfattr and mount.quobyte which are run with root
ownership by the Quobyte driver if
nas_secure_file_operations is set to false.
Closes-Bug: #1586953
Change-Id: I135d96afb460e94f4396beb01894f731b562e614
Now that we support having multiple c-vol services using the same
storage backend under one cluster, they no longer clean all resources
from the backend with ongoing statuses in the DB, only those from their
own host because those are failed operations that were left "in the air"
when the service was stopped. So we need a way to trigger the cleanup
of resources that were being processed by another c-vol service that
failed in the same cluster.
This patch adds a new API endpoint (/workers/cleanup) that will trigger
cleanup for c-vol services as microversion 3.19.
The cleanup will be performed by other services that share the same
cluster, so at least one of them must be up to be able to do the
cleanup.
Cleanup cannot be triggered during a cloud upgrade, but a restarted
service will still cleanup it's own resources during an upgrade.
If no arguments are provided cleanup will try to issue a clean message
for all nodes that are down, but we can restrict which nodes we want to
be cleaned using parameters `service_id`, `cluster_name`, `host`,
`binary`, and `disabled`.
Cleaning specific resources is also possible using `resource_type` and
`resource_id` parameters.
We can even force cleanup on nodes that are up with `is_up`, but that's
not recommended and should only used if you know what you are doing.
For example if you know a specific cinder-volume is down even though
it's still not being reported as down when listing the services and you
know the cluster has at least another service to do the cleanup.
API will return a dictionary with 2 lists, one with services that have
been issued a cleanup request (`cleaning` key) and another list with
services that cannot be cleaned right now because there is no
alternative service to do the cleanup in that cluster (`unavailable`
key).
Data returned for each service element in these two lists consist of the
`id`, `host`, `binary`, and `cluster_name`. These are not the services
that will be performing the cleanup, but the services that will be
cleaned up or couldn't be cleaned up.
Specs: https://specs.openstack.org/openstack/cinder-specs/specs/newton/ha-aa-cleanup.html
APIImpact: New /workers/cleanup entry
Implements: blueprint cinder-volume-active-active-support
Change-Id: If336b6569b171846954ed6eb73f5a4314c6c7e2e
Allow volume delete to take parameters "cascade",
or "force", or both.
A new policy field, "volume:force_delete" is added
with the default of "rule:admin_api".
Implements: blueprint volume-delete-parameters
APIImpact: New parameters to volume delete
Change-Id: Ic47cfcf1cc7d172d7f9d5b093233035f797982f5
Currently the administrator could only reset the generic group
status by db operation,this change intends to add new admin
actions to achieve these.
The patch list:
1. group API(this).
2. group snapshot API(https://review.openstack.org/#/c/389577/).
3. cinder client(https://review.openstack.org/390169/).
4. documentation(https://review.openstack.org/#/c/395464).
APIImpact
DocImpact
Partial-Implements: blueprint reset-cg-and-cgs-status
Change-Id: Ib8bffb806f878c67bb12fd5ef7ed8cc15606d1c5
Currently the administrator could only reset the group snapshot
status by db operation, this change intends to add new admin
action to achieve this.
The patch list:
1. group API(https://review.openstack.org/#/c/389091/).
2. group snapshot API(this).
3. cinder client(https://review.openstack.org/390169/).
4. documentation(https://review.openstack.org/#/c/395464/).
APIImpact
DocImpact
Partial-Implements: blueprint reset-cg-and-cgs-status
Change-Id: I9e3a26950c435038cf40bea4b27aea1bd5049e95
Cinder has supported to query project id of volume
and snapshot, for consistency, this will introduce
backup project attribute in querying operation.
APIImpact
Add 'os-backup-project-attr:project_id: xxxx' in querying
response.
Implements: blueprint: backup-tenant-attribute-support
Change-Id: I6fde17baffe88ab4d4e69dcc2fefdbcb8d7a4dc5
When using LVM the various cmds have a number of potential formats due
to options like LVM_SUPPRESS_FD_WARNINGS and LVM_SYSTEM_DIR
specifications. The volume.filters were set up to provide each
combination by having a second, third and fourth version of the filter:
# LVM related show commands
pvs: EnvFilter, env, root, LC_ALL=C, pvs
vgs: EnvFilter, env, root, LC_ALL=C, vgs
lvs: EnvFilter, env, root, LC_ALL=C, lvs
lvdisplay: EnvFilter, env, root, LC_ALL=C, lvdisplay
# -LVM related show commands with suppress fd warnings
pvs_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, pvs
vgs_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, vgs
lvs_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvs
lvs_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvdisplay
This no longer works, the first pvs/vgs/lvs filters will always get picked up
and the cmds for any special configs will fail. We used to use regexs for this
sort of thing, but then we switched to just adding unique filters. I'm not sure
how this was working or why it doesn't seem to work as of Newton, but regardless,
replacing the _xxxx with just an integer seems to work fine, rootwrap apparantly
just doesn't like '_' or '-' in the filter name, so we'll change it to just use
a digit appended to the filter name. There are some other filters that may need
checked here as well.
Change-Id: I1a7c3048841c095a8e92795d7dfa0cb5c2a96645
Close-Bug: #1646053
In order for a user with the admin role to be able to perform
administrative actions, the role must be assigned to a project
that is deemed the "admin" project in the Keystone server. This
prevents someone being assigned admin on some random project
from being admin everywhere.
Change-Id: Ic4294cc1746702c345259c64bad1e20675a7d9ab
Closes-Bug: 968696
For some reason the leaded descriptor warning message coming
from LVM is causing Cinder to fail startup and it appears to be
masking out the vg response in vgs calls.
We typically don't hit this, but due to the nature of Kolla and
I guess going through the different processes via the containers
this gets logged every time vgs is called. Eric Harney rightly
pointed out that rather than use exception handling and such
that we should use the LVM env variable mechanism we already have
in place in Cinder.
For now this patch added a new config option to the LVM driver:
lvm_suppress_fd_warnings=True|False
This is useful for K8 deployments that have an indirect call to the
LVM cmds which results in failures.
For those that are interested, this can also be done outside of
cinder by setting the silence_logs variable in lvm.conf
This is made optional as a config flag to avoid any breakage for
existing deployments during upgrade.
Change-Id: I85612fa49475beea58d30330c8fe8352a2f91123
Closes-Bug: #1619701
This patch allows different policy rules for create and
update volume metadata.
Change-Id: I23dabd8866a9358c41eb3e048d91011a53c41cc3
Closes-Bug: #1472042
This is the fifth patch that implements the generic-volume-group
bluerpint. It adds APIs for group snapshots and create group
from source.
This patch depends on the fourth patch which implements group
snapshots support in the volume manager:
https://review.openstack.org/#/c/361376/
Client side patch is here:
https://review.openstack.org/#/c/329770/
Current microversion is 3.14. The following CLI's are supported:
cinder --os-volume-api-version 3.14 group-create-from-src
--name my_group --group-snapshot <group snapshot uuid>
cinder --os-volume-api-version 3.14 group-create-from-src
--name my_group --source-group <source group uuid>
cinder --os-volume-api-version 3.14 group-snapshot-create
--name <name> <group uuid>
cinder --os-volume-api-version 3.14 group-snapshot-list
cinder --os-volume-api-version 3.14 group-snapshot-show
<group snapshot uuid>
cinder --os-volume-api-version 3.14 group-snapshot-delete
<group snapshot uuid>
APIImpact
DocImpact
Partial-Implements: blueprint generic-volume-group
Change-Id: I2e628968afcf058113e1f1aeb851570c7f0f3a08
This is the second patch that implements the generic-volume-group
bluerpint. It adds the groups table and introduces create/delete/
update/list/show APIs for groups.
It depends on the first patch which adds group types and group specs:
https://review.openstack.org/#/c/320165/
Client side patch is here:
https://review.openstack.org/#/c/322627/
Current microversion is 3.13. The following CLI's are supported:
cinder --os-volume-api-version 3.13 group-create --name my_group
<group type uuid> <volume type uuid>
cinder --os-volume-api-version 3.13 group-list
cinder --os-volume-api-version 3.13 create --group-id <group uuid>
--volume-type <volume type uuid> <size>
cinder --os-volume-api-version 3.13 group-update <group uuid>
--name new_name description new_description
--add-volumes <uuid of volume to add>
--remove-volumes <uuid of volume to remove>
cinder --os-volume-api-version 3.13 group-show <group uuid>
cinder --os-volume-api-version 3.13 group-delete
--delete-volumes <group uuid>
APIImpact
DocImpact
Change-Id: I35157439071786872bc9976741c4ef75698f7cb7
Partial-Implements: blueprint generic-volume-group
This patch adds support for group types and group specs.
This is the first patch to implement the blueprint
generic-volume-group.
The client side patch is here:
https://review.openstack.org/#/c/320157/
Current microversion is 3.11. The following CLI's are supported.
cinder --os-volume-api-version 3.11 group-type-create my_test_group
cinder --os-volume-api-version 3.11 group-type-list
cinder --os-volume-api-version 3.11 group-type-show my_test_group
cinder --os-volume-api-version 3.11 group-type-key my_test_group
set test_key=test_val
cinder --os-volume-api-version 3.11 group-specs-list
cinder --os-volume-api-version 3.11 group-type-key my_test_group
unset test_key
cinder --os-volume-api-version 3.11 group-type-update <group type uuid>
--name "new_group" --description "my group type"
cinder --os-volume-api-version 3.11 group-type-delete new_group
APIImpact
DocImpact
Change-Id: I38b938782e0c3b2df624f975bd07e0b81684c888
Partial-Implements: blueprint generic-volume-group
Add update interface so that users can update
name and description of a backup.
This new API endpoint is added in microversion 3.9.
APIImpact
Add PUT to /backups/<id>.
DocImpact
Change-Id: If592b53c7e1dcdc36dbcaa89425b8e44a51684c3
This patch adds new API /cluster that allows summary and detailed
listings, show and update operations.
It also updates service listings to return cluster_name for each
service.
DocImpact: 3 new policies have been added for cluster, "get", "get_all" and
"update".
APIImpact: Return cluster_name in service listings and add /cluster endpoint.
Specs: https://review.openstack.org/327283
Implements: blueprint cinder-volume-active-active-support
Change-Id: If1ef3a80900ca6d117bf854ad3de142d93694adf
Volume clearing is intended to provide safety against
data leaking between different volumes/tenants when
backing storage is reused. dd is sufficient to
accomplish this, and since 'shred' does not add anything
meaningful and has not seen much real-world use,
we should remove it for simplicity.
This change makes 'volume_clear=shred' call dd and
warns that this option will be removed.
Change-Id: I190dc22c5edb6efc56b98c5eac870a35c03fcd3f
This patch adds support for a volume format, which can
be used for containers in Virtuozzo Server.
This format is different from qcow2 images, because it consists
of 2 or more files in a directory.
The first file is an xml description of a bundle. It includes
paths to base image and deltas, which usually stored in the same
directory. Here is a description of base/delta images format -
https://openvz.org/Ploop/format.
Format name is a little ambiguous, because ploop is not only an
image format name, but also a technology, which allows to use
images, stored in files as block devices (like loop devices or
qemu-nbd), but it supports snapshots and has nearly native
performance. qemu-img has limited support of this format - it
can only convert image files, the format is called 'parallels'
in qemu-img.
The main utility to manage such disks is 'ploop'. Here is a man
page - https://static.openvz.org/vz-man/man8/ploop.8.gz.html.
It can create images, make snapshots and create ploop devices,
based on images.
This patch series makes possible all volume operations except for
snapshotting of 'in-use' volumes.
DocImpact
Depends-On: Iebd20544102672d7b7ca820c9e9005833ec2580e
Change-Id: Id3c902c38192fddc02529afe5af7abc213c7b57c
In Kilo, cinder.api.middleware.sizelimit was replaced by a
compatabilityshim calling in to oslo_middleware.sizelimit and a
deprecation log message was added to indicate the change to
use oslo_middleware [1]. However, the wsgi api-paste.ini file
still uses cinder.api.middleware.sizelimit.
This commit modifies api-paste.ini to use oslo_middlware.sizelimit
directly, thereby allowing removal of the compatabilty shim in
the next release.
[1] Ia99ab479cb8ef63a0db1a1208cc2501abba6132c
Change-Id: Ic0e2c401b0facdd9abe954b0531d970abf4bca22
Cinder currently has the ability to take over the management of
existing volumes and snapshots ("manage existing") and to relinquish
management of volumes and snapshots ("unmanage"). The API to manage an
existing volume takes a reference, which is a driver-specific string
that is used to identify the volume on the storage backend. This
patch adds APIs for listing volumes and snapshots available for
management to make this flow more user-friendly.
DocImpact
APIImpact
Change-Id: Iff19b5002e5bc037e28c91d104853f40eb4cb6ab
Implements: blueprint list-manage-existing
Recently the 'find' command has been changed in gpfs driver
with a commit with change ID Id26cb59d88082971465c8fcf0c150c858ab3bced.
Adding the changed options in the rootwrap filters.
Change-Id: I3fde14949db57f89d7fa5e265a67d1d2d7884053
Closes-bug: 1581670
Cinder list with pagination contains wrong scheme for
'next' link in case of SSL endpoints. This patch fixes
it and returns the correct scheme in version URLs if
service is behind an SSL termination proxy.
Change-Id: If5aab9cc25a2e7c66a0bb13b5f7488a667b30309
Closes-Bug: #1558683
These replication v2.1 APIs are not enforced by the
cinder policy.json file. This patch adds policy and
the code to support applying this policy action.
"volume:failover_host": "rule:admin_api",
"volume:freeze_host": "rule:admin_api",
"volume:thaw_host": "rule:admin_api",
Also these methods create a completely new context
instead of doing context.elevated(). It's better
to preserve the information that already there.
Change-Id: Ib577e902cda634ae2bd813edd9e39e022f23fde1
Closes-Bug: #1578722
This patch adds role-based access policy for
upload_image API to etc/cinder/policy.json file.
"volume_extension:volume_actions:upload_image": "rule:admin_or_owner",
cinder/tests/unit/policy.json file already has
policy for this API.
Change-Id: I6ef30f870fe6bf1bcb818d254697ead8dc461ab6
Closes-Bug: #1578856
These snapshot_metadata APIs are not enforced by
the cinder policy.json file. This patch adds
policy and the code to support applying this
policy action.
"volume:get_snapshot_metadata": "rule:admin_or_owner",
"volume:delete_snapshot_metadata": "rule:admin_or_owner",
"volume:update_snapshot_metadata": "rule:admin_or_owner",
Change-Id: I8c0ef554e71c008cacd610eee9767173dfcca082
Closes-bug: #1578829
This patch implements basic user messages with the following APIs.
GET /messages
GET /messages/<message_id>
DELETE /messages/<message_id>
Implements : blueprint summarymessage
Co-Authored-By: Alex Meade <mr.alex.meade@gmail.com>
Co-Authored-By: Sheel Rana <ranasheel2000@gmail.com>
Change-Id: Id8a4a700c1159be24b15056f401a2ea77804d0a0
Added support for is_public/visibility, and protected
while uploading volume as image to image service.
is_public/visibility is used to make the image publicly accessible
and protected is used to prevent the image from being deleted.
DocImpact
APIImpact
Change-Id: I6e6b2276af22b7809ea88289427c6873211b3faf
Closes-Bug: #1288131
Right now qos_specs_id is only shown to an admin user
when showing a volume type. This patch changes that to
be based on policy to allow for more flexibility. It
also adds unit tests for showing a volume type
with policy permissions for qos_specs_id as well as
extra_specs.
APIImpact
Change-Id: I4e6e99b8992b6941ba247bee90493cc2adba7f0b
Closes-bug: #1512876
The default values needed for cinder's implementation of cors
middleware have been moved from paste.ini into the configuration
hooks provided by oslo.config. Furthermore, these values have been
added to cinder's default configuration parsing. This ensures
that if a value remains unset in cinder.conf, it will be set
to use sane defaults, and that an operator modifying the
configuration file will be presented with a default set of
necessary sane headers.
Depends-on: I658e54966c390b41e3b551dd9827606c2e013511
Change-Id: Ia8735d5952d7e03b6948f748afead13e6f890271
Closes-Bug: 1551836
Erroneous space in "rule: admin_api" was introduced in change Ibbd6f47c370d8f10c08cba358574b55e3059dcd1
oslo_policy regards space as a separator,
and fails to parse this rule: http://paste.openstack.org/show/488452/
Change-Id: I5de45c97a06b7ddecb36c2a1793c4f3fd5fd21d6
This change adds the command required to start the os-brick privsep
privileged helper process.
This should be the last "routine" merge to rootwrap filters from
os-brick, since os-brick privileged operations will now go through the
privsep mechanism. The now-obsolete os-brick rootwrap entries will be
removed in a followup change that also bumps the os-brick minimum
version appropriately.
Change-Id: I3b2e337321875cf4abc0ab9b44fe17cf9327d88b
Many changes to the Cinder REST API require changes to the consumers of the API.
For example, If we need to add a required parameter to a method that is called
by Nova, we'd need both the Nova calling code and the cinderclient that
Nova uses to change. But newer Cinder versions with the change must work with
older Nova versions, and there is no mechanism for this at the moment. Adding
microversions will solve this problem.
With microversions, the highest supported version will be negotiated by a field
in the HTTP header that is sent to the Cinder API. In the case where the field
'versions' is not sent (i.e. clients and scripts that pre-date this change),
then the lowest supported version would be used. In order to ensure that the
API consumer is explicitly asking for a microversioned API, a new endpoint v3
is added, which is identical to API version v2. This means that our new
Cinder API v3 would be the default, and consumers of the API that wished to
use a newer version could do so by using that endpoint and a microversion in
the HTTP header.
New tests for microversioned API features on endpoint /v3 should be added to
cinder/tests/unit/api/v3/ directory. Existing functionality will be tested via
the .../v2/ unit tests.
DocImpact
APIImpact
Implements: https://blueprints.launchpad.net/cinder/+spec/cinder-api-microversions
Change-Id: I48cdbbc900c2805e59ee9aebc3b1c64aed3212ae
