It seems that setting "sysctl kernel.dmesg_restrict" was changed
in Ubuntu 22.04 (Jammy) to "1" and because of that running "dmesg"
command requires now root privileges.
Closes-bug: #1994023
Change-Id: I2adc76e3025fadf994bab2e2e1fd608e688874fc
If stack.sh is run on a system that already has OVN packages
installed, it could fail to find its DB sockets. This is because
the 'ln -s' will place the symlink inside of /var/run/ovn
instead of using a single directory as intended.
Change the code in neutron_plugins/ovn_agent to not make the
symlink and instead use separate directories for OVS and OVN.
Closes-bug: #1980421
Change-Id: Ic28a93bdc3dfe4a6159234baeabd0064db452b07
This patch changes user who runs ovsdb-server and ovn-nortd services
to root.
It also adds installation of the libssl dev package before compilation
of the openvswitch if TLS service is enabled.
Co-Authored-By: Fernando Royo <froyo@redhat.com>
Closes-Bug: #1987832
Change-Id: I83fc9250ae5b7c1686938a0dd25d66b40fc6c6aa
In case of online mode, there is a procedure to recreate tempest venv.
For consistency of tempest venv during the entire stack.sh process,
add logic to consider the TEMPEST_VENV_UPPER_CONSTRAINTS option here.
Closes-bug: #1980483
Signed-off-by: June Yi <june.yi@samsung.com>
Change-Id: I0cea282152fd363af8671cab1b5f733ebe2bd4df
neutron-ns-metadata-proxy was dropped from Neutron 5 years ago, no need
to keep trying to kill it.
Change-Id: I20b6d68dd8dde36057a2418bca0841bdea377b07
When barbican is enabled, add the "creator" role to cinder's service
user so that cinder can create secrets. Cinder needs to create
barbican secrets when migrating encryption keys from the legacy
ConfKeyManager to barbican. Cinder also needs to create barbican
secrets in order to support transferring encrypted volumes.
Implements: bp/transfer-encrypted-volume
Depends-On: I216f78e8a300ab3f79bbcbb38110adf2bbec2196
Change-Id: Ia3f414c4b9b0829f60841a6dd63c97a893fdde4d
In I90316208d1af42c1659d3bee386f95e38aaf2c56 support for nova-network
was removed, but some bits remained, fix this up.
Change-Id: Iba7e1785fd0bdf0a6e94e5e03438fc7634621e49
Openstack client can return the id field for create/show commands using
`-f value -c id`. Cleaned up the use of grep 'id' with get_field
Change-Id: I2f4338f30c11e5139cda51c92524782b86f0aacc
Recently the experimental mechanism has been added to Neutron and now
it requires the [experimental] linuxbridge option when the linuxbridge
mechanism driver is used.
Depends-on: https://review.opendev.org/c/openstack/neutron/+/845181
Change-Id: Ice82a391cda9eb0193f23e6794be7ab3df12c40b
We see some cases where OVN startup takes much longer than 5 seconds, up
to 28 seconds have been observed, so increase the limit to 40 to be on
the safe side.
Signed-off-by: Dr. Jens Harbott <harbott@osism.tech>
Closes-Bug: 1980421
Change-Id: I6da4a537e6a8d527ff71a821f07164fc7d342882
Because of the missing "$" before ENFORCE_SCOPE in the lib/neutron
module, it was treated as an ENFORCE_SCOPE string instead of variable
and Neutron was deployed always with old defaults and disabled scope
enforcement.
Change-Id: Ibe67fea634c5f7abb521c0369ff30dd5db84db8c
Currently Devstack uses short hostname for configuration of OVN.
This leads to inability to start instances (failing port binding)
on hosts with full hostnames (including dots). Open vSwitch expects
hostname in external_ids that corresponds to one returned by
``hostname`` command.
Closes-Bug: #1943631
Change-Id: I15b71a49c482be0c8f15ad834e29ea1b33307c86
This patch reduces memory usage on the Cinder Volume and Backup services
by tuning glibc.
The specific tuning consist on disabling the per thread arenas and
disabling dynamic thresholds.
The Cinder Backup service suffers from high water mark memory usage and
uses excessive memory. As an example just after 10 restore operations
the service uses almost 1GB of RAM and does not ever free it afterwards.
With this patch the memory consumption of the service is reduced down to
almost 130MB. If we add a revert from Cinder (Change-Id
I43a20c8687f12bc52b014611cc6977c4c3ca212c) it goes down to 100MB during
my tests.
This glibc tuning is not applied to all Python services because I
haven't done proper testings on them and at first glance they don't seem
to have such great improvements.
Related-bug: #1908805
Change-Id: Ic9030d01468b3189350f83b04a8d1d346c489d3c
Currently, neutron tunnel endpoints must be IPv4 addresses,
i.e. $HOST_IP, although IPv6 endpoints are supported by most
drivers.
Create a TUNNEL_IP_VERSION variable to choose which host IP
to use, either HOST_IP or HOST_IPV6, and configure it in the
OVS and Linuxbridge agent driver files. The default is still
IPv4, but it can be over-ridden by specifying TUNNEL_ENDPOINT_IP
accordingly.
This behaves similar to the SERVICE_IP_VERSION option, which
can either be set to 4 or 6, but not 4+6 - the tunnel overhead
should be consistent on all systems in order not to have MTU
issues.
Must set the ML2 overlay_ip_version config option to match
else agent tunnel sync RPC will not work.
Must set the OVN external_ids:ovn-encap-ip config option to
the correct address.
Updated 'devstack-ipv6-only' job definition and verification role
that will set all services and tunnels to use IPv6 addresses.
Closes-bug: #1619476
Change-Id: I6034278dfc17b55d7863bc4db541bbdaa983a686
When cephadm is used, if ENABLE_CEPH_C_BAK is True both pool and
key are created by devstack-plugin-ceph. This piece of code can
still stay here to make sure the cinder config is properly built.
Change-Id: I799521f008123b8e42b2021c1c11d374b834bec3
Swift removed sha1 from supported digests with [1] and
that broked ironic tinyipa job. Temorary add sha1 to
allowed_digests until it's fixed in ironic.
[1] https://review.opendev.org/c/openstack/swift/+/525771
Story: 2010068
Task: 45539
Change-Id: I68dfc472ce901058b6a7d691c98ed1641d431e54
Grenade jobs stop services, check fip connectivity
for a nova server and then upgrade to next release.
But since ovn data plane and db services are stopped along
with other services, fip connectivity fails as a result.
We shouldn't stop these services along with other
neutron services. This patch adds a new variable
"SKIP_STOP_OVN" which can be used by grenade jobs
to skip stop of ovn services.
This will also fix the ovn grenade jobs.
Also source fixup_stuff.sh so function fixup_ovn_centos
is available. It's already sourced in stack.sh but
that's not used in grenade run.
Change-Id: I94818a19f19973779cb2e11753d2881d54dfa3bc
The job is broken since it is running with python3.7 and most services
now require at least python3.8.
Signed-off-by: Dr. Jens Harbott <harbott@osism.tech>
Change-Id: Ie21f71acffabd78c79e2b141951ccf30a5c06445
Glance image import is asynchronous and may be configured to do image
conversion. If image import is being used, it's possible that the
tempest configuration code is executed before the import has
completed and there may be no active images yet. In that case,
we will poll glance every TEMPEST_GLANCE_IMPORT_POLL_INTERVAL seconds
(default: 1) to see if there are TEMPEST_GLANCE_IMAGE_COUNT active
images (default: 1) up to TEMPEST_GLANCE_IMPORT_POLL_LIMIT times
(default: 12).
You can see an example of the issue this patch addresses in real
life:
https://review.opendev.org/c/openstack/glance/+/841278/1#message-456096e48b28e5b866deb8bf53e9258ee08219a0
Change-Id: Ie99f12691d9062611a8930accfa14d9540970cc5
Without it segment plugin fails to connect with
placement api. Configure the placement section
if service is deployed.
Closes-Bug: #1973783
Change-Id: Ie7f37770a04f622735cf2263c601257669ab5064
Two runs of the same job on the same patch can yield quite different
numbers for API calls if we just count the raw calls. Many of these
are tempest polling for resources, which on a slow worker can require
many more calls than a fast one.
Tempest seems to not change its User-Agent string, but the client
libraries do. So, if we ignore the regular "python-urllib" agent
calls, we get a much more stable count of service-to-service API
calls in the performance report.
Note that we were also logging in a different (less-rich) format for
the tls-proxy.log file, which hampers our ability to parse that
data in the same format. This switches it to "combined" which is used
by the access.log and contains more useful information, like the
user-agent, among other things.
Change-Id: I8889c2e53f85c41150e1245dcbe2a79bac702aad
The mysql performance_schema method for counting per-database queries
is very heavyweight in that it requires full logging (in a table) of
every query. We do hundreds of thousands in the course of a tempest
run, which ends up creating its own performance problem.
This changes the approach we take, which is to bundle a very tiny
sqlalchemy plugin module which counts just what we care about in
a special database.
It is more complex than just enabling the features in mysql, but it
is a massively smaller runtime overhead. It also provides us the
opportunity to easily zero the counters just before a tempest run.
Change-Id: I361bc30bb970cdaf18b966951f217862d302f0b9
When OVN is setup from distro packages, the
main service is ovn-central which when restarted,
restarts ovn-northd, ovn nb and db services.
And during the restart ovn dbs(ovnnb_db.db and ovnsb_db.db)
are created, which may sometime takes time as seen with
ubuntu jammy tests[1].
We already checking for socket's file to be available,
let's also check for db files as without it ovn-*ctl
operations succeed but changes are not persisted until
db files are available and changes are lost with the restart.
[1] https://review.opendev.org/c/openstack/devstack/+/839389
Change-Id: I178da7af8cba8bcc8a67174e439df7c0f2c7d4d5
A long time ago, Ironic's IPv6 only job started to fail working with
errors indicated the host was unreacable. Turns out, this was because
the $ext_gw_interface was not being set to up, and thus could
be found in a Down state, and thus the kernel would not accept routes
for it.
Adds an explicit step to turn up the public bridge, much as done in
the IPv4 router plugin code which would also be executed in 4+6.
That being said, Ironic's CI jobs are very intentionally IPv6 only
to ensure that we have no chances of v4 addressing getting used
at any point in time.
This should allow Ironic to return it's IPv6 only CI job back
to the normal check queue, once a ironic plugin issue has been
resolved which was introduced while it was removed.
Change-Id: I121ec8a2e9640b21a7126f2eeb23da36b4aa95bf
This updates each devstack service library, to use it as the
default value for service-specific RBAC configuration.
Change-Id: I41061d042206c411ee3dd94ce91098e612af7ae7
This makes us gather a bunch of consistent statistics after we run
tempest that can be use to measure the impact of a given change. These
are stable metrics such as "number of DB queries made" and "how much
memory is each service using after a tempest run."
Note that this will always run after devstack to generate the JSON
file, but there are two things that control its completeness:
- MYSQL_GATHER_PERFORMANCE must be enabled to get per-db stats
- Unless tls-proxy is enabled, we will only get API stats for keystone
Change-Id: Ie3b1504256dc1c9c6b59634e86fa98494bcb07b1
After patch [1] project_id in that module is no longer needed as to make
it working with new secure RBAC policies we had to hardcode "demo"
project to be used always.
This is small follow-up patch with cleaning after [1].
[1] https://review.opendev.org/c/openstack/devstack/+/826851/
Change-Id: Iddf9692817c91807fc3269547910e4f83585f07f
