Merge ~ack/maas:1988759-vmhost-deploy into maas:master

Proposed by Alberto Donato
Status: Merged
Approved by: Alberto Donato
Approved revision: 9667f89bc33d9b4b0b91fee1cae8f05405ec0136
Merge reported by: MAAS Lander
Merged at revision: not available
Proposed branch: ~ack/maas:1988759-vmhost-deploy
Merge into: maas:master
Diff against target: 88 lines (+10/-8)
4 files modified
src/metadataserver/api_twisted.py (+2/-1)
src/metadataserver/tests/test_vendor_data.py (+1/-1)
src/metadataserver/vendor_data.py (+3/-2)
src/provisioningserver/drivers/pod/lxd.py (+4/-4)
Reviewer Review Type Date Requested Status
MAAS Lander Approve
Adam Collard (community) Approve
Review via email: mp+431574@code.launchpad.net

Commit message

LP:1988759 don't restrict LXD credentials to the maas project on LXD deploy

The restriction prevents MAAS from reading storage volumes and networks from LXD.

Adam Collard (adam-collard) :
review: Approve
MAAS Lander (maas-lander) wrote :

UNIT TESTS
-b 1988759-vmhost-deploy lp:~ack/maas/+git/maas into -b master lp:~maas-committers/maas

STATUS: SUCCESS
COMMIT: 9667f89bc33d9b4b0b91fee1cae8f05405ec0136

review: Approve
Thomas Parrott (tomparrott) wrote :

stgraber has advised that this will fail for anyone who manually adds the MAAS cert and won't allow it access to all projects (like LXD does for its CI).

Preview Diff

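diff --git a/src/metadataserver/api_twisted.py b/src/metadataserver/api_twisted.py
index bf84b70..070e0c1 100644
--- a/src/metadataserver/api_twisted.py
+++ b/src/metadataserver/api_twisted.py
@@ -185,13 +185,14 @@ POD_CREATION_ERROR = (
 
 
 def _create_vmhost_for_deployment(node):
+ node = node.as_node() # ensure a Node instance is passed
  secret_manager = SecretManager()
  deploy_secrets = secret_manager.get_composite_secret(
  "deploy-metadata",
  obj=node,
  default={},
  )
- secret_manager.delete_secret("deploy-metadata", obj=node.as_node())
+ secret_manager.delete_secret("deploy-metadata", obj=node)
 
  # ensure only specified VM host types are registered
  if not node.register_vmhost: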
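diff --git a/src/metadataserver/tests/test_vendor_data.py b/src/metadataserver/tests/test_vendor_data.py
index ba3519e..c682bcb 100644
--- a/src/metadataserver/tests/test_vendor_data.py
+++ b/src/metadataserver/tests/test_vendor_data.py
@@ -441,7 +441,7 @@ class TestGenerateKVMPodConfiguration(MAASServerTestCase):
  "lxd init --auto --network-address=[::]",
  "lxc project create maas",
  "sh -c 'lxc project edit maas </root/maas-project.yaml'",
- "lxc config trust add /root/lxd.crt --restricted --projects maas",
+ "lxc config trust add /root/lxd.crt",
  "rm /root/lxd.crt /root/maas-project.yaml",
  ],
  ),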
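diff --git a/src/metadataserver/vendor_data.py b/src/metadataserver/vendor_data.py
index 8d992fa..f32b54c 100644
--- a/src/metadataserver/vendor_data.py
+++ b/src/metadataserver/vendor_data.py
@@ -229,7 +229,7 @@ def generate_kvm_pod_configuration(node):
  "lxd init --auto --network-address=[::]",
  f"lxc project create {maas_project}",
  f"sh -c 'lxc project edit {maas_project} <{project_conf_file}'",
- f"lxc config trust add {cert_file} --restricted --projects {maas_project}",
+ f"lxc config trust add {cert_file}",
  f"rm {cert_file} {project_conf_file}",
  ]
 
@@ -293,12 +293,13 @@ def generate_kvm_pod_configuration(node):
  ]
 
  secret_manager = SecretManager()
+ node = node.as_node()
  if deploy_secrets:
  secret_manager.set_composite_secret(
  "deploy-metadata", deploy_secrets, obj=node
  )
  else:
- secret_manager.delete_secret("deploy-metadata", obj=node.as_node())
+ secret_manager.delete_secret("deploy-metadata", obj=node)
 
  if arch == "ppc64el":
  rc_script = dedent(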
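Review bot: Dropping `--restricted --projects {maas_project}` from the `lxc config trust add` command in the first hunk makes the MAAS certificate a fully trusted LXD client on the deployed host instead of one confined to the maas project, and nothing at the call site records why that wider grant is needed. The context lines show `lxd init --auto --network-address=[::]`, so the API that certificate unlocks is presumably listening on every address of the host, which makes the scope of the grant worth stating next to the command, e.g. `# Unrestricted on purpose: a project-restricted cert cannot read storage volumes and networks (LP:1988759).` It would also help operators if the deployment documentation noted that the MAAS certificate's private key now carries full control of the VM host's LXD and should be protected accordingly. generate_kvm_pod_configuration starts and ends outside both hunks.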
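diff --git a/src/provisioningserver/drivers/pod/lxd.py b/src/provisioningserver/drivers/pod/lxd.py
index 3244747..05b6575 100644
--- a/src/provisioningserver/drivers/pod/lxd.py
+++ b/src/provisioningserver/drivers/pod/lxd.py
@@ -875,7 +875,7 @@ class LXDPodDriver(PodDriver):
  try:
  client.authenticate(password)
  except LXDAPIException as e:
- raise Error(f"Password authentication failed: {e}")
+ raise Error(f"Password authentication failed: {e}") from e
  return client
 
  try:
@@ -898,10 +898,10 @@ class LXDPodDriver(PodDriver):
  raise Error(
  "Certificate is not trusted and no password was given"
  )
- except ClientConnectionFailed:
+ except ClientConnectionFailed as e:
  raise LXDPodError(
- f"Pod {pod_id}: Failed to connect to the LXD REST API."
- )
+ f"Pod {pod_id}: Failed to connect to the LXD REST API: {e}"
+ ) from e
  else:
  yield client
  finally: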
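Review bot: The new `LXDPodError` message in the second hunk interpolates the raw `ClientConnectionFailed` text, and whether that string can carry the endpoint URL or other connection detail is not visible from this hunk. If these pod errors are shown to anyone other than MAAS administrators, consider keeping the user-facing text generic and logging `{e}` separately; the added `from e` chaining already preserves the cause for tracebacks. The enclosing LXDPodDriver method begins and ends outside the hunk.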
