Steven Hardy [Tue, 13 Nov 2012 09:48:49 +0000 (09:48 +0000)]
heat engine : create boto config via instance userdata
Create boto config via instance userdata, which the instance
cfntools can read instead of /etc/boto.cfg, avoids messy post
install sed-mangling in the templates
Change-Id: Ic94bfc2e362a3a3f93b9bdeaad6a5f988371346e Signed-off-by: Steven Hardy <shardy@redhat.com>
Steven Hardy [Mon, 12 Nov 2012 18:31:16 +0000 (18:31 +0000)]
heat engine : append watch server url to instance userdata
Append url for watch server to instance userdata, which avoids
post-install sed mangling in the template, and will make it easier
to transparently switch to a different metric service
Change-Id: I59b9b7efcd75d44e88ebe0a116a9ce1e3ef20c14 Signed-off-by: Steven Hardy <shardy@redhat.com>
Zane Bitter [Tue, 13 Nov 2012 17:19:12 +0000 (18:19 +0100)]
Don't use OpenStack plugin in tox
This plugin provides syntax colouring of the tox output, at the cost of no
longer reporting errors in test setup (instead it just reports no tests run
-> success).
Steven Hardy [Mon, 12 Nov 2012 19:59:58 +0000 (19:59 +0000)]
heat engine : Don't wait() for killed greenthreads
We don't care about the return value of any killed threads on
delete_stack, and the greenthreads will all raise a GreenletExit
exception after being kill()'d anyway.
Also see related openstack-common fix : https://review.openstack.org/15906
Steve Baker [Fri, 9 Nov 2012 02:45:06 +0000 (15:45 +1300)]
Switch to UUID for the Stack primary key.
For the migrate upgrade, existing integer keys remain and any subsequent stack
will be assigned a uuid.
For a migrate downgrade, it should work fine if there have been no stacks added
since ugrade. Added stacks will have their IDs 'truncated' back to an integer
which will require some manual fixup after downgrade.
Steve Baker [Thu, 8 Nov 2012 19:43:23 +0000 (08:43 +1300)]
Add a list_stacks RPC call.
This differs from the old show_stack(None) by not resolving stack data.
heat list does not display any of the resolved stack data. Resolving outputs
can be especially slow since FnGetAtt may block while it calls out
to another service (such as with the quantum resources).
Without this change, running heat list on a single Quantum.template takes 1.8s
vs 0.7s.
In the future, list_stacks can be made to support paging of results.
Steve Baker [Thu, 8 Nov 2012 02:49:19 +0000 (15:49 +1300)]
Move client connection out of resources.py.
Client connection references are currently cached at the resource instance
level, which doesn't seem very useful.
This change moves the client connection and caching to clients.py, then puts a
Clients instance in a Stack. This means that (for example) all requests to nova
in one stack will come from the same client instance.
Jeff Peeler [Wed, 7 Nov 2012 20:53:45 +0000 (15:53 -0500)]
Fix cloud-init runcmd to be exec friendly
Can't use colon builtin apparently, or you'll get this:
/var/lib/cloud/instance/scripts/runcmd: line 2:
{setenforce 0 > /dev/null 2>&1 ||:: No such file or directory
Added cloud-init debug output to get the above, copied from:
http://bazaar.launchpad.net/~cloud-init-dev/cloud-init/trunk/view/head:/doc/examples/cloud-config-chef.txt
Change-Id: I341cf73bc9a0f843d7ab8c99a9d15e1d514654e7 Signed-off-by: Jeff Peeler <jpeeler@redhat.com>
Jenkins [Tue, 6 Nov 2012 22:54:01 +0000 (22:54 +0000)]
Merge "Make Boolean property a bool type. Since json has a native bool type, allow bool or string as the property value. Validating a Boolean type value will now convert a string to a bool."
Steve Baker [Tue, 6 Nov 2012 02:38:53 +0000 (15:38 +1300)]
Make Boolean property a bool type.
Since json has a native bool type, allow bool or string as the property value.
Validating a Boolean type value will now convert a string to a bool.
Zane Bitter [Tue, 30 Oct 2012 20:50:00 +0000 (21:50 +0100)]
Handle list properties that do not contain objects
The previous implementation of schema verfication on properties required
that the schema for the contents of a property list always be a map. Now
this is specified explicitly, so that in theory a property could also be a
list of Strings or Integers.
Zane Bitter [Mon, 5 Nov 2012 13:37:36 +0000 (14:37 +0100)]
Avoid modifying the Properties of a Load Balancer
Properties are defined by the template, and should not be modified. In this
case it was just as a convenience, since the value does not actually need
to be persisted beyond even the current call.
Steven Hardy [Fri, 2 Nov 2012 08:57:52 +0000 (08:57 +0000)]
heat templates : Align AutoScaling template with cfntools
Updated cfntools require authentication for cfn-push-stats,
so the AutoScaling template needs the user/key and boto.cfg
additions, same as in the HA templates, otherwise cfn-push-stats,
and hence autoscaling doesn't work
Change-Id: Ib3ef4a932bb656f29e25ef745409f5fe3e82c356 Signed-off-by: Steven Hardy <shardy@redhat.com>
Zane Bitter [Wed, 31 Oct 2012 19:18:43 +0000 (20:18 +0100)]
Use new Parameters class for validation
The Stack.validate() method is no longer used for the validate_template
feature (since it requires the parameter values in order to parse the whole
template), so move the code for outputting parameter metadata to where it
is actually used.
Zane Bitter [Wed, 31 Oct 2012 19:18:43 +0000 (20:18 +0100)]
Separate Parameters implementation from Properties
There are only 3 types allowed for Parameters (String, Number and
CommaDelimitedList), but we are currently allowing more due to a shared
implementation with Properties (which is an internal implementation
detail). This creates a separate implementation for Parameters with only
the allowed types.
Steven Hardy [Wed, 31 Oct 2012 16:28:19 +0000 (16:28 +0000)]
heat-keystone-setup : fix error on folsom first-install
When running heat-keystone-setup for the first time after (re)installing
openstack folsom, it fails, because the user-role-list is running *as* the
heat user, not reading the roles assigned to the heat user, which fails
because on a new install the heat user does not have the admin role.
Using the credentials from the environment means we run the command as
admin, but --user_id selects the roles for the heat user.
Change-Id: Ib2733e63f664d75be1e2e3bd43038bbd1dbebde8 Signed-off-by: Steven Hardy <shardy@redhat.com>
Steven Hardy [Thu, 25 Oct 2012 13:40:47 +0000 (14:40 +0100)]
heat metadata : Remove all non-waitcondition related logic
Remove all logic except that required by cfn-signal, since both
cfn-hup and cfn-push-stats have been ported to use the CFN and
Cloudwatch APIs respectively
Change-Id: I087349ff3ab901c880a248bd124396a1383c0a5e Signed-off-by: Steven Hardy <shardy@redhat.com>
Steven Hardy [Thu, 25 Oct 2012 13:30:31 +0000 (14:30 +0100)]
heat metadata : remove metadata_url logic
Remove logic where the heat-metadata server registers a
URL on startup with the engine. The instance metadata is
now served via the CFN api, so we just have a config-file
option specifying the URL of the CFN API. We don't want to
preserve the "register on startup" logic, because we need the
engine to have access to this information even if it is
restarted independent of some other service (avoid reliance on
services coming up in a particular order)
Change-Id: I690170977227ec96451d2a2fd25f7e507370b604 Signed-off-by: Steven Hardy <shardy@redhat.com>
Steven Hardy [Thu, 25 Oct 2012 10:33:20 +0000 (11:33 +0100)]
heat engine : add template-defined users to keystone role
Add all keystone users created by the User resource type
to a special keystone role, which can be used later for
defining RBAC policy for these users, and also works around
a keystone bug (1060959) on Folsom
Fixes #279
Change-Id: I94931e427ed51f4332bcb506220925b7ce8097bc Signed-off-by: Steven Hardy <shardy@redhat.com>
Steven Hardy [Tue, 23 Oct 2012 20:59:38 +0000 (21:59 +0100)]
heat engine : Allow instance users to view their own details
So that cfn-hup can read instance metadata via the DescribeStackResource
API call, we need non-admin "instance users" to be allowed to read their
own AccessKey resource details (since it can-be/is referenced in the
instance resource metadata). The change in this patch should allow non-admin
users to read *only their own* secret AccessKey, and leave existing admin-user
visibility of the AccessKey resources unchanged.
Change-Id: Ic26d614d8e30104fbb354a67d3376b5d995ae8cc Signed-off-by: Steven Hardy <shardy@redhat.com>
Keystone user-role-add syntax is not the same on essex
and folsom, so try both formats so we can work with either
Removes potentially unreliable approach to detecting keystone
version, and also avoids error on folsom when the user already
has the specified role
Fixes #272
Change-Id: Iece52223a29069a1fd517018cc49613be6fac318 Signed-off-by: Steven Hardy <shardy@redhat.com>
Folsom version of keystoneclient orders the columns for
keystone user-list differently, so we need to detect the
new format to extract the correct field
Fixes #273
Change-Id: I46f653dd3a8f7b5a68648fbd72671f95b386a547 Signed-off-by: Steven Hardy <shardy@redhat.com>
Steven Hardy [Thu, 18 Oct 2012 16:13:02 +0000 (17:13 +0100)]
heat engine : kill running greenthreads on stack_delete
Add logic to track running eventlet greenthreads and kill
them when we start a stack_delete. This should avoid errors
where long-running greenthreads end up referencing stacks which
have subsequently been deleted.
Fixes #261
Ref #223
Change-Id: I0d10b6f2dad0efa1caec18a67a3cc66cc693ea24 Signed-off-by: Steven Hardy <shardy@redhat.com>
Steven Hardy [Wed, 17 Oct 2012 13:38:08 +0000 (14:38 +0100)]
heat engine : Store all resource states to DB
Resources should be committed to the DB on transisiton
to CREATE_IN_PROGRESS state, otherwise resources
which take a long time to go from CREATE_IN_PROGRESS to
CREATE_COMPLETE (e.g WaitConditions) are invisible while
in the CREATE_IN_PROGRESS state to all except the thread
creating them.
Change-Id: If1563505e854c216c0f6a5ce84b613e1ccb74386 Signed-off-by: Steven Hardy <shardy@redhat.com>
Zane Bitter [Mon, 22 Oct 2012 09:24:59 +0000 (11:24 +0200)]
Change the service user to match devstack
The user which authenticates keystone tokens should be the "heat" user in
the "service" tenant. This changes the default configuration to do this, as
devstack already does.
Zane Bitter [Mon, 22 Oct 2012 09:20:07 +0000 (11:20 +0200)]
Pass the correct tenant for the service user
Previously, the service user (which authenticates tokens passes to the
engine by the APIs) was paired with the tenant of the end user to do
authentication, which worked only when they were in the same tenant. This
should not be the case, since the service user should only have an admin
role in the "service" tenant.
Steven Hardy [Fri, 19 Oct 2012 15:12:15 +0000 (16:12 +0100)]
heat engine : remove unused EC2 style auth from engine
We handle EC2 style auth at the heat-api-cfn level, so EC2
style authenticated requests simply pass us an auth_token in
the context, so remove this duplicate/dead code.
Ref #268
Change-Id: I17708cb6ef4b0eb4989d47c116b6211f0d419dcb Signed-off-by: Steven Hardy <shardy@redhat.com>
Zane Bitter [Fri, 19 Oct 2012 14:15:13 +0000 (16:15 +0200)]
Identify stacks using tenant UUIDs
Tenant names may come and go, but UUIDs are universally unique. Therefore,
ownership of the stack should be keyed on the tenant_id, not the tenant
name.
Steven Hardy [Wed, 17 Oct 2012 12:37:57 +0000 (13:37 +0100)]
heat engine : Make wait-condition poll interval better
Remove rising-rate sleep-time logic and replace with a bounded
poll interval derived from the timeout - this should avoid ramping
up to a really long interval and delaying stack complete status
Fixes #264
Change-Id: Id53b87a988299708c29fc853f2801f527fd825dd Signed-off-by: Steven Hardy <shardy@redhat.com>
Zane Bitter [Tue, 16 Oct 2012 14:31:59 +0000 (16:31 +0200)]
Handle upgrades in heat-keystone-setup
Handle upgrades of Heat by removing any outdated endpoints that exist in
keystone and adding any existing "heat" service user to an admin role in
the service tenant.
Code Review / openstack-build / heat-build.git / log