188 Commits

Author SHA1 Message Date
Gage Hugo
6398d97d5a Enable audit pipeline for neutron
This change adds the keystonemiddleware audit paste filter[0]
and enables it for the neutron-server service.
This provides the ability to audit API requests for neutron.

[0] https://docs.openstack.org/keystonemiddleware/latest/audit.html

Change-Id: I86b4df1436ae59bc9a151c28337af7c06c83e45f
2019-04-11 13:06:50 -05:00
Hyunkook Cho
3e67ceadb2 change the way to get tunnel device
To set local_ip in osh, you have to use the nic name.
But some devices can have different nic names,
so I added a new option for getting the tunnel device by cidr.

Added value:
network:
  interface:
    tunnel: null
    tunnel_network_cidr: "0/0"

Change-Id: I8bffae640dfe0086de0b5274bb8c3cdce9754160
Signed-off-by: Hyunkook Cho <hk0713.cho@samsung.com>
2019-04-01 17:59:33 +09:00
Zuul
6b82435cfe Merge "Fix neutron probes under python3" 2019-03-27 23:38:34 +00:00
Itxaka
514d54a5c0 Fix neutron probes under python3
Under python3 an Exception no longer has the message attribute,
instead you can just str the exception to get the error message

Change-Id: I38225a76e01118b88353038ed7ef132d019dd976
2019-03-20 13:56:10 +01:00
Chris Wedgwood
3baeefdd37 Revert "Add Docker default AppArmor profile to neutron"
This reverts commit 584c63c2e9120536005bcb677bac88dca9ee1335.

Change-Id: I3565f684154432609da2b6b5b4639ee9072b4b76
2019-03-19 20:09:15 +00:00
Zuul
ad7b32e4de Merge "Add Docker default AppArmor profile to neutron" 2019-03-15 17:06:44 +00:00
Chris Wedgwood
dcd7ebf37b [neutron] 'up' interfaces added via ovs auto_bridge_add
Previously, when adding interfaces to an ovs bridge we would set the
link state to up.  Some environments assume this is the case so
restore that behavior.

This fixes the problem where external (public) IPs for routers and VMs
no longer respond.

Change-Id: I59e21bd5cde7e239320125e9a7e0a33adae578a8
2019-03-12 08:03:48 +00:00
Zuul
c598004355 Merge "Liveness/Readiness probe for Neutron server and its agents" 2019-03-10 01:25:42 +00:00
pd2839
6d7724c790 readOnlyFilesystem: true for neutron chart
Fix for adding readOnlyFilesystem flag at pod level

Change-Id: I9ba18101a4566329f288d77677d4255646935dd5
2019-03-07 03:48:39 +00:00
Hemachandra Reddy
da508727b6 Liveness/Readiness probe for Neutron server and its agents
Health_probe for neutron pods accomplishes both liveness and
readiness probes.

Neutron DHCP/L3/OVS agents:
Sends an RPC call with a non-existent method to agent’s queue.
Assumes no other agent subscribed to tunnel-update queue other
than OVS. Probe is successful if agent returns with NoSuchMethod
error.

Neutron Metadata agent:
Sends a message to Unix Domain Socket opened by Metadata agent.
Probe is successful if agent returns with HTTP status 404.

In both cases, if agent is not reachable or fails to
respond in time, returns failure to probe.

Readiness probe for Neutron L3/DHCP/Metadata/SRIOV agents
Following are the operations executed on the pod as part of
readiness probe on the neutron agents:
- Check if the agent process is up and running.
- Retrieve the sockets associated with the process from the /proc fs.
- Check the status of tcp sockets related to Rabbitmq communication.
- Check the reachability of the rabbitmq message bus from the agent.
- For SRIOV Agent, check if VFs are configured properly for the
configured NICs in sriov_agent.ini conf file

Change-Id: Ib99ceaabbad1d1e0faf34cc74314da9aa688fa0a
2019-03-06 22:02:37 +00:00
chengli3
6e2e4aba8d Support per-host overrides of auto_bridge_add
.Values.network.auto_bridge_add is a global config. So in a multi-node
deployment, it requires that all hosts have the same nic names. This is
a strict limit.
This patch is to support per-host auto_bridge_add, so that we can define
different auto_bridge_add for hosts.
Also, this patch moves .network.auto_bridge_add to .conf.auto_bridge_add

Change-Id: I4a4d6efbbfe073d035bc5c03700fbe998e708d0f
Story: 2005059
Task: 29601
2019-03-05 16:40:58 +08:00
dt241s
584c63c2e9 Add Docker default AppArmor profile to neutron
Change-Id: I17b44183c00a23081f00a6932d519c2ed7806385
2019-02-28 14:09:58 -06:00
Steve Wilkerson
f4c01d2461 Add release-uuid annotation to pod spec
This adds the release-uuid annotation to the pod spec for all
replication controller templates in the openstack-helm charts

Change-Id: I0159f2741c27277fd173208e7169ff657bb33e57
2019-02-12 12:31:59 -06:00
Hyunkook Cho
4f4b7f5b62 Neutron: add log config file to ovs agent chart.
neutron-sanity-check module loads logging.conf file
but there is no config file.

Change-Id: I5e6dd298ccd9fb5432002f76bad3931ec035bb16
Signed-off-by: Hyunkook Cho <hk0713.cho@samsung.com>
2018-12-26 18:17:10 +09:00
Zuul
ed0c92eca0 Merge "Neutron PodSecurityContext" 2018-12-21 02:44:19 +00:00
Pete Birley
c90df9d6d5 Neutron: Perform full db migrations when TaaS enabled
This PS fixes the neutron db sync job to perform full db migrations
in addition to tap-as-a-service when enabled.

Change-Id: Ieab54649344fb8737e2d8855f00a9ed574ace5ee
Signed-off-by: Pete Birley <pete@port.direct>
2018-12-15 18:42:46 -06:00
bk160f
8514d31f51 Neutron PodSecurityContext
securityContext with non-root user is implemented
at Pod level and leveraged the helm-toolkit snippet

Fix for adding allowPrivilegeEscalation flag in container
securityContext in the neutron charts wherever needed

Depends-On: I95264c933b51e2a8e38f63faa1e239bb3c1ebfda

Change-Id: Id93b56d2e3886b9dd9115e79c28f661930146b00
2018-12-14 16:47:28 +00:00
Tang, Roy (rt7380)
68e79c43ca Minor fixes to neutron sriov agent
syntax error in init script template

Change-Id: I8e51907e7a65aa914f42a4d9badda9b621d344d0
2018-10-29 04:24:39 +00:00
Tin Lam
29f32a07ac Enable network policy enforcement
This patch set updates the gate to by default use network policy
for all components and enforces them in Openstack-helm.

Change-Id: I70c90b5808075797f02670f21481a4f968205325
Depends-On: I78e87ef3276e948ae4dd2eb462b4b8012251c8c8
Co-Authored-By: Mike Pham <tp6510@att.com>
Signed-off-by: Tin Lam <tin@irrational.io>
2018-10-23 14:58:13 +00:00
Roy Tang
fed088d84b Update Neutron TaaS Rootwrap Filter
Need to adjust taas rootwrap filter for i40e_sysfs_command.
Add code to allow sriov agent init script to run best effort.
Update way to set nic promisc mode.

Change-Id: Id1e22ea4b636ae7e05b880739a88c410a4da587c
2018-10-04 08:15:00 +00:00
Pete Birley
a5d6be32c7 SRIOV: Limit number of vfs to n-1 created by default
This PS updates the sriov init script to by default create the
max number of vfs supported by the card -1. Which works round
issues encountered with many cards that prevent the theoretical
max being attainable.

Change-Id: I01f8ce1f36b6053a5ef68119d87b67050ffe99d1
Signed-off-by: Pete Birley <pete@port.direct>
2018-09-18 17:43:03 +00:00
Pete Birley
8e4ee070e6 SRIOV: Set sriov device mtu
This PS exposes the ability to set the vf device mtu.

Change-Id: If1193a71f1da391918e122c3d60f967023b732e1
Signed-off-by: Pete Birley <pete@port.direct>
2018-09-18 12:28:48 -05:00
Pete Birley
3ae745a10e Add release uuid to pods and rc objects
This PS adds the ability to attach a release uuid to pods and rc
objects as desired. A follow up ps will add the ability to add arbitrary
annotations to the same objects.

Depends-On: Iceedba457a03387f6fc44eb763a00fd57f9d84a5
Change-Id: I324680f10263c1aefca2be9056e70d0ff22fcaf0
Signed-off-by: Pete Birley <pete@port.direct>
2018-09-13 06:29:14 -05:00
Zuul
34e8122cf5 Merge "Neutron TaaS support as L2 Extension" 2018-09-11 21:08:55 +00:00
Roy Tang
2f5a1c0c77 Neutron TaaS support as L2 Extension
This is the second draft to enhance neutron in ocata to support
Tap-as-a-service (TaaS) as a L2 Extension.

Change-Id: I96951b38dd43ab4904339b778b5726a579c76a4c
2018-09-07 14:20:19 +00:00
Jean-Philippe Evrard
05d0e2b4b8 Revert "Update OSH Author copyrights to OSF"
This reverts commit b1755c399341388627a668ab9fd6f43b7416f65a.

Change-Id: I215a172f2ff4220340292b95f5323847944baeb7
2018-08-28 17:25:13 +00:00
Matt McEuen
b1755c3993 Update OSH Author copyrights to OSF
This PS updates the "Openstack-Helm Authors" copyright attribution
to be the "OpenStack Foundation", as decided in the 2018-03-20
team meeting:
http://eavesdrop.openstack.org/meetings/openstack_helm/2018/openstack_helm.2018-03-20-15.00.log.html

No other copyright attributions were changed.

Change-Id: I167ceedab8fadee28c19514fad6f125d0a521caf
2018-08-26 17:17:41 -05:00
Pete Birley
83b91e6e1b Openstack: Use k8s secret to store config
This PS moves openstack components in OSH to use secrets to store
potentially sensitive config information.

Depends-On: https://review.openstack.org/#/c/593732

Change-Id: I9bab586c03597effea0e48a58c69efff3f980a92
Signed-off-by: Pete Birley <pete@port.direct>
2018-08-22 20:39:52 -05:00
Steve Wilkerson
2f878e6cf7 Dynamically generate tags for oslo_log fluentd formatter
This proposes changing the tags added to the openstack logs
gathered by the fluentd handler from `openstack.<service>` to
`Namespace.Release` to account for multiple instances of openstack
services being deployed into different namespaces. This allows for
fine tuning the search queries in elasticsearch/kibana to target
specific service deployments in specific namespaces

Change-Id: Ia12dceb4089e107e15d8e30c92c91f350dc31318
2018-07-23 13:28:26 +00:00
Steve Wilkerson
2840259fb8 Armada check: Add test directive to charts
This adds support for executing helm tests via the armada test
directive. It enables these tests for all services, except for
nova and neutron as executing tests with armada forces a chart to
wait. Forcing nova and neutron to wait effectively sequences the
charts, which will result in a failure to deploy past those
services

Depends-On: https://review.openstack.org/#/c/581148

Change-Id: I6ac845c82d744e2f5fd79c3e2ff3c1479dd1ddab
2018-07-11 13:34:58 +00:00
Pete Birley
fed9fb3ca3 Neutron: check that local ip address is populated on agent startup
This PS updates the agent init container scripts to ensure that the
local IP address is populated on agent startup.

Change-Id: Ib5857d9dc82b1138a1b5f496ebe46dc1e3f221e7
Signed-off-by: Pete Birley <pete@port.direct>
2018-07-06 17:30:35 +00:00
Pete Birley
e0f076b658 Neutron: Ensure agent processes are reaped
This PS moves the neutron agents to run as child processes of either
the pause container or use the hosts init system (for k8s <1.10)
to prevent defunct process sprawl.

Change-Id: I3392bdc957144c1aa83314583d57183d35279336
Co-Authored-By: Hyunsun Moon <hyunsun.moon@gmail.com>
Signed-off-by: Pete Birley <pete@port.direct>
2018-06-26 18:26:00 +00:00
Zuul
e8f561127f Merge "Add logging.conf files to enabled loggers/handlers/formatters" 2018-06-26 18:02:54 +00:00
Steve Wilkerson
da7bc575ec Add logging.conf files to enabled loggers/handlers/formatters
This introduces a mechanism for generating the logging.conf
file for the openstack services via the values. This allows us to
define loggers, handlers, and formatters for the services and the
modules they're composed of.

This also allows us to take advantage of the oslo fluent handler
and formatter. The fluent handler and formatter give us the
following benefits: sending logs directly to fluentd instead of
routed to stdout/stderr and then through fluentbit to fluentd,
project specific tags on the logged events (enables us to define
more robust filters in fluentd for aggregation if required),
full traceback support, and additional metadata (modules that
created logged event, etc)

Depends-On: https://review.openstack.org/577796

Change-Id: I63340ce6b03191d93a74d9ac6947f0b49b8a1a39
2018-06-26 09:51:14 -05:00
Pete Birley
e19be77f08 Ingress: Add initial TLS Support for core service public endpoints
This PS adds support for TLS on over-ridden fqdn's for public
endpoints for core OpenStack Services. Currently this implementation
is limited, in that it does not provide support for dynamically loading
CAs into the containers, or specifying them manually via configuration.
As a result only well known or CA's added manually to containers will
be recognised.

Change-Id: I8f1b699af29cbed2d83ad91bb6840dccce8c5146
Depends-On: I535f38a8d92c01280d79926a1f0acd06984aabbf
Signed-off-by: Tin Lam <tin@irrational.io>
Signed-off-by: Pete Birley <pete@port.direct>
2018-06-26 07:15:24 +00:00
Zuul
0163d9c17d Merge "Dynamic dependencies: remove unused variable" 2018-06-17 16:51:47 +00:00
Zuul
a3475ae9c8 Merge "Gotpl: remove quote and trunc to suppress output" 2018-06-17 07:14:10 +00:00
Pete Birley
75ecf8fdf4 Gotpl: remove quote and trunc to suppress output
This PS removes the use of the `quote and truncate` approach to
suppress output from gotpl actions in templates and replaces it
with the recommended practice of defining `$_` instead.

Change-Id: I5f35c5f7e70b4f7f461d772e3b72ed1c695c56a8
Signed-off-by: Pete Birley <pete@port.direct>
2018-06-16 18:52:13 +00:00
Pete Birley
b1e515529f Dynamic dependencies: remove unused variable
This PS removes an unused variable from the resolution of
dynamic pod dependencies.

Change-Id: I95728a7b91d5143c2a44566179ef8066727020af
Signed-off-by: Pete Birley <pete@port.direct>
2018-06-16 14:19:26 +00:00
Pete Birley
5cfa1501a2 Daemonsets/Deployments: Use current kubernetes api version
This PS moves to use the current ga version for kubernetes daemonsets,
additionally any remaining deployments that were using the
`extensions/v1beta1` have been updated to `apps/v1`.

Story: 2002205
Task: 21735
Depends-On: If9703162dc472af1e6096bf2b9062802fd5ce8ab

Change-Id: Iba4e3d2798c54639e077b80999e669c79b616c6f
Signed-off-by: Pete Birley <pete@port.direct>
2018-06-15 14:35:31 -05:00
Pete Birley
67aed694c4 Deployments: Use current kubernetes deployment version
This PS moves to use the current ga version for kubernetes deployments.

Story: 2002205
Task: 21735
Depends-On: Icb4e7aa2392da6867427a58926be2da6f424bd56

Change-Id: I062a8a29dff70427ee9bcf09f595011b3611b0b1
Signed-off-by: Pete Birley <pete@port.direct>
2018-06-13 21:29:59 -05:00
Pete Birley
460675bf7f Add image management function to manifests
When removing helm-toolkit from OSH and switching to use the
toolkit from OSH-Infra, the image declaration function was missed.

Depends-On: I2f2012590d81ffcb159d49d8a76eedd4441744cd
Change-Id: I0f1118bb748f3fe1b6bb73acfc00e77c5cca9c7d
Signed-off-by: Pete Birley <pete@port.direct>
2018-05-20 10:10:16 -05:00
Pete Birley
fc9a6610d5 Neutron: Queens support
There is a neutron bug in Queens that needs resolved for now, if we cannot
even get the version of neutron-sanity-check, skip this validation.

see: https://bugs.launchpad.net/neutron/+bug/1769868

Change-Id: Id41625f0073f197fcf8fe6170696977b8025dc7f
Signed-off-by: Pete Birley <pete@port.direct>
2018-05-17 14:59:03 -05:00
Hyunsun Moon
896fc6b8d2 ovs,neutron: use auto_bridge_add for external bridge and interface
Also changed ovs-agent-init to take care of configuring default external
bridge and interface for consistency with lb-agent.

Change-Id: I1d893b73a784f55594c30f17ef022348d68f0f1b
2018-05-15 14:20:22 +00:00
Zuul
ab5776299c Merge "Start using nova_metadata_host" 2018-05-13 06:23:55 +00:00
Steve Wilkerson
354b311ec5 Add local-registry image management to OSH from OSH-Infra
This PS adds the local registry image management to OSH from OSH-Infra.
With this the delta between helm-toolkits in the Repo's is removed,
allowing the toolkit from OSH-Infra to be used and the one from OSH
to be depreciated.

Change-Id: If5e218cf7df17261fe5ef249d281f9d9637e2f6a
Co-Authored-By: Pete Birley <pete@port.direct>
2018-05-12 14:35:48 +00:00
Hyunsun Moon
6c9b4df6fe openvswitch: allow setting ovsdb connection using vsctl
Also changed neutron agents to use default, ptcp:6640:127.0.0.1.

Change-Id: Id43c376851f0c408da4684c219dc79ef4a1c157b
Closes-Bug: 1761117
2018-04-24 11:01:31 +09:00
Pete Birley
5bb772cf50 Neutron: Enable sharing of network namespaces with host
This PS enables sharing of network namespaces with the host,
allowing for hitless upgrades of agents, and much simpler debugging.

It does however require mount propagation to be enabled in kubernetes
which is an alpha gated feature introduced in 1.8, and enabled by default
as a beta feature in 1.10.

Depends-On: I7a37f45ff6061b144c6f04233712cd84fccb3e83
Change-Id: I2a191a343fe637cbfd9e4af5277f9784af736dd1
2018-04-22 22:23:09 +00:00
portdirect
ceca6ad96c Neutron: Move all config to be directly values driven.
This PS moves all the config files to be directly values driven,
both simplifying over-ride and allowing configs to be targeted
to pods in future work.

Change-Id: Ifcbc19b17aa1d145f12ed1aed8b15a69ca045bb7
2018-03-27 13:25:17 -04:00
Pete Birley
5e153c3823 Neutron: SR-IOV agent template fix
This PS fixes the template rendered in the neutron SR-IOV agent
manifest.

Change-Id: Ib221213c8df94613a2dcf12e2615442db0684794
2018-03-22 15:21:11 -05:00