When using the NVMeoF feature with nova-compute apparmor in enforce
mode, nova-compute is denied from running /usr/sbin/nvme and
/usr/sbin/blkid, and reading /etc/nvme/hostnqn.
Change-Id: Ia23fbf341d5b7ad469337d8a0c65c18ec519a891
Closes-Bug: #2039161
(cherry picked from commit 0f9c730817b4f175e617ab5ce362bf9ff5157092)
(cherry picked from commit 557c47f37baa83e96f5618ae0a46a554897977b4)

[v2] Fix migration across nova-compute apps using ceph
This change reworks previous changes [1] and [2] that had
been respectively reverted and abandoned.
When using the config libvirt-image-backend=rbd, VMs
created from image have their disk data stored in ceph
instead of the compute node itself.
When performing live-migrations, both nodes need to
access the same ceph credentials to access the VM's
disk in ceph, but this is currently not possible
if the nodes involved pertain to different
nova-compute charm apps.
This patch changes app name sent to ceph to
'nova-compute-ceph-auth-c91ce26f', a unique name common to
all nova-compute apps, allowing all nova-compute apps to
use the same ceph auth.
This change also ensures newly deployed nodes install
the old credentials first on ceph-joined hook,
and then supersedes it with the new credentials
on ceph-changed hook, therefore also retaining
the old credentials.
Nova-compute uses ssh and scp commands extensively and this
patch allows the process to read the configuration in the
/etc/ssh/ssh_config.d/ directory too.
Closes-Bug: #2044983
Change-Id: I336ce64d493c549096d0b8706996e0f17a2728fb
(cherry picked from commit 4d6f4c07c9b634e22d5445a702be3d3ee9730ab3)

The template previously could use v2.0 depending on the value of
api_version. This was causing issues in newer releases of OpenStack
where the value of api_version was reporting as something other than
"3", and the generated Ironic config tried to use the v2.0 Keystone API.
This patch removes the optional logic in the template for v2.0 and relies
on the global default just like templates/parts/section-placement does.
Closes-Bug: #1995778
Change-Id: I8e0270b933f9c8fb5d6a65f9ebb930a0b21fead8
(cherry picked from commit 8d560b3ff55257370be0b9bc9b5dea73ee82d0ca)

Set nova config for rbd instance folder cleanup after evacuations
After evacuations and revert resizes when using rbd storage backend,
the instance folder is usually left behind and causes issues when
migrating the instance back to the host.
With the config option set, the nova-compute service will clean up
those folders as part of the periodic checks that run for instances
that have been evacuated/migrated.
Closes-bug: #2019141
Change-Id: I846ccb0a95d04139b41fdad6cbf465d303d6cc09
(cherry picked from commit e61d89aa47cba71bb4dda12d836fde8a8fa7092c)

Sync from charm-helpers to update [service_user] config to use the
service domain.
The keystone charm currently creates two service users, one for the
service domain (for v3 authentication), and the other for the default
domain (for v2 authentication). The [service_user] config needs to
use the service domain.
Sync to the latest revision available in the stable/antelope branch. Among the
most relevant patches are:
837a8b58 Support legacy cert requests (#799)
580c7764 Update Makefile to be consistent with CI (#777) (#795)
a2468260 Run CI on stable branches (#786) (#787)
ed014373 Update method for checking endpoint protocol (#769) (#775)
This patch configures Nova to send a service token along with the
received user token on requests to other services. This can allow those
other services to accept the request even if the user token has been
invalidated since received by Nova. Also with this patch Nova will
accept requests from other services with invalid user tokens but valid
service tokens. Service tokens have existed since OpenStack Queens.
Closes-Bug: #1992840
Change-Id: I78b43ef77dc1d7b5976ec81ecddf63c9e6c8b6c1
(cherry picked from commit 3c53110282b97c42a00cee9ee344f32dc8cf29c5)