This change adds the keystonemiddleware audit paste filter[0]
and enables it for the neutron-server service.
This provides the ability to audit API requests for neutron.
[0] https://docs.openstack.org/keystonemiddleware/latest/audit.html
Change-Id: I86b4df1436ae59bc9a151c28337af7c06c83e45f
to set local_ip in osh, you have to use nic name.
but some devices can have different nic name.
so I add new option for getting tunnel device by cidr.
Added value:
network:
interface:
tunnel: null
tunnel_network_cidr: "0/0"
Change-Id: I8bffae640dfe0086de0b5274bb8c3cdce9754160
Signed-off-by: Hyunkook Cho <hk0713.cho@samsung.com>
This PS tells neutron to make rabbitmq queues ha when available.
Change-Id: I708d354224a14e9b49be3faf1589f5a4791f5de9
Signed-off-by: Pete Birley <pete@port.direct>
Under python3 an Exception no longer has the message attribute,
instead you can just str the exception to get the error message
Change-Id: I38225a76e01118b88353038ed7ef132d019dd976
If user wants to add an extra volumeMounts/volume to a pod,
amd uses override values e.g. like this
pod:
mounts:
nova_placement:
init_container: null
nova_placement:
volumeMounts:
- name: nova-etc
...
helm template parser complains with
Warning: The destination item 'nova_placement' is a table and ignoring the source 'nova_placement' as it has a non-table value of: <nil>
So when we create empty values for such keys in values.yaml, the source
will be present and warning does not need to be shown.
Change-Id: Ib8dc53c3a54e12014025de8fafe16fbe9721c0da
Previously, when adding interfaces to an ovs bridge we would set the
link state to up. Some environments assume this is the case so
restore that behavior.
This fixes the problem where external (public) IPs for routers and VMs
no longer respond.
Change-Id: I59e21bd5cde7e239320125e9a7e0a33adae578a8
Health_probe for neutron pods accomplish both liveness and
readiness probe.
Neutron DHCP/L3/OVS agents:
Sends an RPC call with a non-existence method to agent’s queue.
Assumes no other agent subscribed to tunnel-update queue other
than OVS. Probe is success if agent returns with NoSuchMethod
error.
Neutron Metadata agent:
Sends a message to Unix Domain Socket opened by Metadata agent.
Probe is success if agent returns with HTTP status 404.
In both the cases, if agent is not reachable or fails to
respond in time, returns failure to probe.
Readiness probe for Neutron L3/DHCP/Metadata/SRIOV agents
Following are the operations executed on the pod as part of
readiness probe on the neutron agents:
- Check if the agent process is up and running.
- Retrieve the sockets associated with the process from the /proc fs.
- Check the status of tcp sockets related to Rabbitmq communication.
- Check the reachability of the rabbitmq message bus from the agent.
- For SRIOV Agent, check if VFs are configured properly for the
configured NICs in sriov_agent.ini conf file
Change-Id: Ib99ceaabbad1d1e0faf34cc74314da9aa688fa0a
.Values.network.auto_bridge_add is a global config. So in multi nodes
deployment, it requires that all hosts have the same nic names. This is
a strict limit.
This patch is to support per-host auto_bridge_add, so that we can define
different auto_bridge_add for hosts.
Also, this patch move .network.auto_bridge_add to .conf.auto_bridge_add
Change-Id: I4a4d6efbbfe073d035bc5c03700fbe998e708d0f
Story: 2005059
Task: 29601
The current helm chart defaults drops logs of any warnings
(and above) for any logger outside of the namespace
of the deployed chart.
This is a problem, as logging could reveal important information for
operators. While this could be done with a value override, there
is no reason to hide warning, errors, or critical information that
are happening in the cycle of the operation of the software
deployed with the helm charts. For example, nothing would get
logged in oslo_service, which is a very important part of running
OpenStack.
This fixes it by logging to stdout all the warnings (and above)
for OpenStack apps.
Change-Id: I16f77f4cc64caf21b21c8519e6da34eaf5d31498
Adding this parameter to Cinder, Heat, Glance,and Neutron
config. Adding this parameter allows proper handling to resource
links in response using API services behind https proxy.
Change-Id: Ib99a16b6252b15d9f138417485731ec401cb8f81
the defaults in Python [0] and oslo.log [1] are such that when using
separate config file for logging configuration (log-config-append)
the log fomat of dates containes miliseconds twice (as in sec,ms.ms)
which is exactly what is currently seen in logs of OpenStack services
deployed by openstack-helm.
When not provided with datefmt log formatter option, Python effectively
uses '%Y-%m-%d %H:%M:%S,%f' [0] as a default time formatting string to
render `%(asctime)s`, but the defaults in oslo.log add another `.%f`
to it [1].
Since `log-date-format` oslo.log option has no effect when using
log-config-append, we need to explicitly set date format to avoid double
miliseconds rendering in date of log entries.
[0] 6ee41793d2/Lib/logging/__init__.py (L427-L428)
[1] http://git.openstack.org/cgit/openstack/oslo.log/tree/oslo_log/_options.py?id=7c5f8362b26313217b6c248e77be3dc8e2ef74a5#n148
Change-Id: I47aa7ce96770d94b905b56d6fe4abad428f01047
Resolve issue with sriov dependency removal.
sriov key is required even if there are no dependencies.
Change-Id: I978b411502af575579e4f4a56e0974ef2baf5f52
This adds the release-uuid annotation to the pod spec for all
replication controller templates in the openstack-helm charts
Change-Id: I0159f2741c27277fd173208e7169ff657bb33e57
neutron-sanity-check module load logging.conf file
but there is no config file.
Change-Id: I5e6dd298ccd9fb5432002f76bad3931ec035bb16
Signed-off-by: Hyunkook Cho <hk0713.cho@samsung.com>
Since rally 1.0, rally has been a platform for testing, and rally for
openstack has been separated by rally-openstack. The current version
of rally in openstack-helm is version 0.8 which corresponds to ocata.
This patch tests with the latest version of rally-openstack, version
1.3.0, and removes scenarios that are no longer in use.
Change-Id: I380a976c0f48c4af0796c9d866fc8787025ce548
This PS is enable the Egress policies
and enforces them in Openstack-helm.
Depends-On: Icbe2a18c98dba795d15398dcdcac64228f6a7b4c
Change-Id: I6ef3cd157749fd562acb2f89ad44e63be4f7e975
This PS fixes the neutron db sync job to perform full db migrations
in addaion to tap-as-a-service when enabled.
Change-Id: Ieab54649344fb8737e2d8855f00a9ed574ace5ee
Signed-off-by: Pete Birley <pete@port.direct>
securityContext with non-root user is implemented
at Pod level and leveraged the helm-toolkit snippet
Fix for adding allowPrivilegeEscalation flag in container
securityContext in the neutron charts whereever needed
Depends-On: I95264c933b51e2a8e38f63faa1e239bb3c1ebfda
Change-Id: Id93b56d2e3886b9dd9115e79c28f661930146b00
This patch set updates the gate to by default uses network policy
for all components and enforces them in Openstack-helm.
Change-Id: I70c90b5808075797f02670f21481a4f968205325
Depends-On: I78e87ef3276e948ae4dd2eb462b4b8012251c8c8
Co-Authored-By: Mike Pham <tp6510@att.com>
Signed-off-by: Tin Lam <tin@irrational.io>
This patch set moves the default deployment to ocata from newton.
Newton zuul job is now moved into its separate job.
Change-Id: Ic534c8ee02179f23c7855d93a4707e5a2fd77354
Signed-off-by: Tin Lam <tin@irrational.io>
Need to adjust taas rootwrap filter for i40e_sysfs_command.
Add code to allow sriov agent init script to run best effort.
Update way to set nic promisc mode.
Change-Id: Id1e22ea4b636ae7e05b880739a88c410a4da587c
This PS udpates the sriov init script to by default create the
max number of vfs supported by the card -1. Which works round
issues encoutered with many cards that prevents ther theroretical
max being attainable.
Change-Id: I01f8ce1f36b6053a5ef68119d87b67050ffe99d1
Signed-off-by: Pete Birley <pete@port.direct>
This PS exposes the ability to set the vf device mtu.
Change-Id: If1193a71f1da391918e122c3d60f967023b732e1
Signed-off-by: Pete Birley <pete@port.direct>
The current default for exclude_devices is null, which will
render suboptimally when using secret-based configmaps.
This changes it to "" (empty string) which will render correctly
when SRIOV is enabled.
Change-Id: Ib33181943d90278e1e1e9498bb0d77fd6c029ce5
This PS adds the ability to attach a release uuid to pods and rc
objects as desired. A follow up ps will add the ability to add arbitary
annotations to the same objects.
Depends-On: Iceedba457a03387f6fc44eb763a00fd57f9d84a5
Change-Id: I324680f10263c1aefca2be9056e70d0ff22fcaf0
Signed-off-by: Pete Birley <pete@port.direct>
This is the second draft to enhance neutron in ocata to support
Tap-as-a-service (TaaS) as a L2 Extension.
Change-Id: I96951b38dd43ab4904339b778b5726a579c76a4c
This PS udpates the keystone endpoint definition to point to the
correct host for the admin endpoint when looked up using endpoint
functions from helm-toolkit.
Change-Id: Ic6b82a002cca92e37d21f594bad5f00758f1ea7a
Signed-off-by: Pete Birley <pete@port.direct>
This PS moves openstack components in OSH to use secrets to store
potentially sensitive config information.
Depends-On: https://review.openstack.org/#/c/593732
Change-Id: I9bab586c03597effea0e48a58c69efff3f980a92
Signed-off-by: Pete Birley <pete@port.direct>
This PS updates the logging config to pass null as a string though to
the rendering engine, which is required to avoid things like `<no value>`
when base64 encoding output.
Change-Id: I04d6afbc693ec1adf560c7be15704c8b7434c08f
Signed-off-by: Pete Birley <pete@port.direct>
