Ensure that VNC only binds on the internal network
When the VNC server is set to bind to 0.0.0.0,
unauthenticated console access is possible to any
VM via any of the compute host's interfaces. This
access should be restricted to an internal network.
Change-Id: Ibbc12ae282320f966eec90e9116388233e65eb9a
Closes-Bug: #1843004
(cherry picked from commit 82c5027814577535ba3db479e8e45a39548f4105)

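As an added defender's check for the binding problem this commit describes (example code, not the charm's own): it parses a nova.conf fragment and reports whether the VNC listener is bound to all interfaces, to an address inside the internal network, or elsewhere. The option names `[vnc] server_listen` / `vncserver_listen`, the sample configs and the internal CIDR are assumptions.

```python
"""Flag a nova-compute VNC listener that binds to every interface.

Added example, not charm code. Assumes the nova.conf layout
`[vnc] server_listen = ...` (older releases spelled it
`vncserver_listen`) and that the operator knows the internal CIDR.
"""
import configparser
import ipaddress

# Values that make the VNC server listen on all interfaces.
WILDCARDS = {"0.0.0.0", "::", "0::0"}


def vnc_listen_address(nova_conf_text):
    """Return the configured VNC listen address, or None if unset."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(nova_conf_text)
    if not cp.has_section("vnc"):
        return None
    # Prefer the current option name, then the deprecated spelling.
    for key in ("server_listen", "vncserver_listen"):
        if cp.has_option("vnc", key):
            return cp.get("vnc", key).strip()
    return None


def check_vnc_binding(nova_conf_text, internal_cidr):
    """Classify the VNC listen address relative to the internal network.

    Returns 'wildcard' (all interfaces, the exposure described above),
    'internal' (inside internal_cidr), 'external' (another literal
    address), 'unresolved' (a hostname; resolve it before judging) or
    'unset' (option absent; consult the release default).
    """
    addr = vnc_listen_address(nova_conf_text)
    if addr is None:
        return "unset"
    if addr in WILDCARDS:
        return "wildcard"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unresolved"
    return "internal" if ip in ipaddress.ip_network(internal_cidr) else "external"


# Constructed sample configs (not taken from a real deployment).
VULNERABLE_CONF = "[DEFAULT]\n[vnc]\nenabled = True\nserver_listen = 0.0.0.0\n"
FIXED_CONF = "[vnc]\nenabled = True\nserver_listen = 10.20.0.15\n"

if __name__ == "__main__":
    for name, conf in (("before", VULNERABLE_CONF), ("after", FIXED_CONF)):
        print(name, check_vnc_binding(conf, "10.20.0.0/24"))
```
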
Contrail Nova VIF plugin relies on Nova (core) code to create a tap
interface before a vrouter interface is plugged. Thus nova-compute needs
to be able to access /dev/net/tun which it cannot with the current
apparmor profile when enforcing mode is enabled.

Prevent unnecessary nova-compute restarts on ceph_changed
Function 'is_broker_action_done' should return False when it
finds a response from ceph broker not marked done, in order
to trigger a nova restart. However, it also returns False if
there is no response data from ceph broker, triggering an
unnecessary restart.
The function 'ceph_changed' is invoked under different remote
unit contexts when there are updates to the relation. When
querying the broker response, only the context of the remote
unit that is the broker can see the response, unless
specifically queried for that given unit.
The 'ceph_changed' invocations under a remote context that
are not the broker end up returning False in
'is_broker_action_done' and causing restarts, even after
the action is already marked done. This also happens on
'config-changed' hooks.
To fix this problem, the logic is now changed to have each
'ceph_changed' invocation loop through units and process
the broker response, regardless of remote context.
This is an initial change to address the issue locally
in nova-compute charm. A later change will be worked on
to move the new helper methods to charmhelpers,
refactoring the existing ones there.
Change-Id: I2b41f8b252f4ccb68830e90c5e68456e15372bcf
Closes-bug: #1835045
(cherry picked from commit b1701e1b3174dcb06c05684319d6c73d6b2f509c)

A recent change (commit ceab1e91dc2e3948f6ba7c121c1801ad1641643c)
removed libvirt from the pause/resume list of services. This affected
series upgrade. Libvirt stayed down and did not start back up on resume.
This change checks the hook being executed and if it is
post-series-upgrade it includes libvirt as a service to start on resume.

This patch reverts the non-charmhelpers changes from
the patch landed for bug 1835045 that is causing a
regression whereby new deployments that relate to
ceph-mon are prevented from sending broker requests
to, e.g., create the pool needed by
libvirt-image-backend=rbd.