Steve Baker [Fri, 9 Nov 2012 02:45:06 +0000 (15:45 +1300)]
Switch to UUID for the Stack primary key.
For the migrate upgrade, existing integer keys remain and any subsequent stack
will be assigned a uuid.
For a migrate downgrade, it should work fine if there have been no stacks added
since upgrade. Added stacks will have their IDs 'truncated' back to an integer
which will require some manual fixup after downgrade.
Steve Baker [Thu, 8 Nov 2012 02:49:19 +0000 (15:49 +1300)]
Move client connection out of resources.py.
Client connection references are currently cached at the resource instance
level, which doesn't seem very useful.
This change moves the client connection and caching to clients.py, then puts a
Clients instance in a Stack. This means that (for example) all requests to nova
in one stack will come from the same client instance.
Jeff Peeler [Wed, 7 Nov 2012 20:53:45 +0000 (15:53 -0500)]
Fix cloud-init runcmd to be exec friendly
Can't use colon builtin apparently, or you'll get this:
/var/lib/cloud/instance/scripts/runcmd: line 2:
{setenforce 0 > /dev/null 2>&1 ||:: No such file or directory
Added cloud-init debug output to get the above, copied from:
http://bazaar.launchpad.net/~cloud-init-dev/cloud-init/trunk/view/head:/doc/examples/cloud-config-chef.txt
Change-Id: I341cf73bc9a0f843d7ab8c99a9d15e1d514654e7
Signed-off-by: Jeff Peeler <jpeeler@redhat.com>
Jenkins [Tue, 6 Nov 2012 22:54:01 +0000 (22:54 +0000)]
Merge "Make Boolean property a bool type. Since json has a native bool type, allow bool or string as the property value. Validating a Boolean type value will now convert a string to a bool."
Steve Baker [Tue, 6 Nov 2012 02:38:53 +0000 (15:38 +1300)]
Make Boolean property a bool type.
Since json has a native bool type, allow bool or string as the property value.
Validating a Boolean type value will now convert a string to a bool.
Zane Bitter [Tue, 30 Oct 2012 20:50:00 +0000 (21:50 +0100)]
Handle list properties that do not contain objects
The previous implementation of schema verification on properties required
that the schema for the contents of a property list always be a map. Now
this is specified explicitly, so that in theory a property could also be a
list of Strings or Integers.
Zane Bitter [Mon, 5 Nov 2012 13:37:36 +0000 (14:37 +0100)]
Avoid modifying the Properties of a Load Balancer
Properties are defined by the template, and should not be modified. In this
case it was just as a convenience, since the value does not actually need
to be persisted beyond even the current call.
Steven Hardy [Fri, 2 Nov 2012 08:57:52 +0000 (08:57 +0000)]
heat templates : Align AutoScaling template with cfntools
Updated cfntools require authentication for cfn-push-stats,
so the AutoScaling template needs the user/key and boto.cfg
additions, same as in the HA templates, otherwise cfn-push-stats,
and hence autoscaling doesn't work
Change-Id: Ib3ef4a932bb656f29e25ef745409f5fe3e82c356
Signed-off-by: Steven Hardy <shardy@redhat.com>
Zane Bitter [Wed, 31 Oct 2012 19:18:43 +0000 (20:18 +0100)]
Use new Parameters class for validation
The Stack.validate() method is no longer used for the validate_template
feature (since it requires the parameter values in order to parse the whole
template), so move the code for outputting parameter metadata to where it
is actually used.
Zane Bitter [Wed, 31 Oct 2012 19:18:43 +0000 (20:18 +0100)]
Separate Parameters implementation from Properties
There are only 3 types allowed for Parameters (String, Number and
CommaDelimitedList), but we are currently allowing more due to a shared
implementation with Properties (which is an internal implementation
detail). This creates a separate implementation for Parameters with only
the allowed types.
Steven Hardy [Wed, 31 Oct 2012 16:28:19 +0000 (16:28 +0000)]
heat-keystone-setup : fix error on folsom first-install
When running heat-keystone-setup for the first time after (re)installing
openstack folsom, it fails, because the user-role-list is running *as* the
heat user, not reading the roles assigned to the heat user, which fails
because on a new install the heat user does not have the admin role.
Using the credentials from the environment means we run the command as
admin, but --user_id selects the roles for the heat user.
Change-Id: Ib2733e63f664d75be1e2e3bd43038bbd1dbebde8
Signed-off-by: Steven Hardy <shardy@redhat.com>
Steven Hardy [Thu, 25 Oct 2012 13:40:47 +0000 (14:40 +0100)]
heat metadata : Remove all non-waitcondition related logic
Remove all logic except that required by cfn-signal, since both
cfn-hup and cfn-push-stats have been ported to use the CFN and
Cloudwatch APIs respectively
Change-Id: I087349ff3ab901c880a248bd124396a1383c0a5e
Signed-off-by: Steven Hardy <shardy@redhat.com>
Steven Hardy [Thu, 25 Oct 2012 13:30:31 +0000 (14:30 +0100)]
heat metadata : remove metadata_url logic
Remove logic where the heat-metadata server registers a
URL on startup with the engine. The instance metadata is
now served via the CFN api, so we just have a config-file
option specifying the URL of the CFN API. We don't want to
preserve the "register on startup" logic, because we need the
engine to have access to this information even if it is
restarted independent of some other service (avoid reliance on
services coming up in a particular order)
Change-Id: I690170977227ec96451d2a2fd25f7e507370b604
Signed-off-by: Steven Hardy <shardy@redhat.com>
Steven Hardy [Thu, 25 Oct 2012 10:33:20 +0000 (11:33 +0100)]
heat engine : add template-defined users to keystone role
Add all keystone users created by the User resource type
to a special keystone role, which can be used later for
defining RBAC policy for these users, and also works around
a keystone bug (1060959) on Folsom
Fixes #279
Change-Id: I94931e427ed51f4332bcb506220925b7ce8097bc
Signed-off-by: Steven Hardy <shardy@redhat.com>
Steven Hardy [Tue, 23 Oct 2012 20:59:38 +0000 (21:59 +0100)]
heat engine : Allow instance users to view their own details
So that cfn-hup can read instance metadata via the DescribeStackResource
API call, we need non-admin "instance users" to be allowed to read their
own AccessKey resource details (since it can-be/is referenced in the
instance resource metadata). The change in this patch should allow non-admin
users to read *only their own* secret AccessKey, and leave existing admin-user
visibility of the AccessKey resources unchanged.
Change-Id: Ic26d614d8e30104fbb354a67d3376b5d995ae8cc
Signed-off-by: Steven Hardy <shardy@redhat.com>
Keystone user-role-add syntax is not the same on essex
and folsom, so try both formats so we can work with either
Removes potentially unreliable approach to detecting keystone
version, and also avoids error on folsom when the user already
has the specified role
Fixes #272
Change-Id: Iece52223a29069a1fd517018cc49613be6fac318
Signed-off-by: Steven Hardy <shardy@redhat.com>
Folsom version of keystoneclient orders the columns for
keystone user-list differently, so we need to detect the
new format to extract the correct field
Fixes #273
Change-Id: I46f653dd3a8f7b5a68648fbd72671f95b386a547
Signed-off-by: Steven Hardy <shardy@redhat.com>
Steven Hardy [Thu, 18 Oct 2012 16:13:02 +0000 (17:13 +0100)]
heat engine : kill running greenthreads on stack_delete
Add logic to track running eventlet greenthreads and kill
them when we start a stack_delete. This should avoid errors
where long-running greenthreads end up referencing stacks which
have subsequently been deleted.
Fixes #261
Ref #223
Change-Id: I0d10b6f2dad0efa1caec18a67a3cc66cc693ea24
Signed-off-by: Steven Hardy <shardy@redhat.com>
Steven Hardy [Wed, 17 Oct 2012 13:38:08 +0000 (14:38 +0100)]
heat engine : Store all resource states to DB
Resources should be committed to the DB on transition
to CREATE_IN_PROGRESS state, otherwise resources
which take a long time to go from CREATE_IN_PROGRESS to
CREATE_COMPLETE (e.g. WaitConditions) are invisible while
in the CREATE_IN_PROGRESS state to all except the thread
creating them.
Change-Id: If1563505e854c216c0f6a5ce84b613e1ccb74386
Signed-off-by: Steven Hardy <shardy@redhat.com>
Zane Bitter [Mon, 22 Oct 2012 09:24:59 +0000 (11:24 +0200)]
Change the service user to match devstack
The user which authenticates keystone tokens should be the "heat" user in
the "service" tenant. This changes the default configuration to do this, as
devstack already does.
Zane Bitter [Mon, 22 Oct 2012 09:20:07 +0000 (11:20 +0200)]
Pass the correct tenant for the service user
Previously, the service user (which authenticates tokens passed to the
engine by the APIs) was paired with the tenant of the end user to do
authentication, which worked only when they were in the same tenant. This
should not be the case, since the service user should only have an admin
role in the "service" tenant.
Steven Hardy [Fri, 19 Oct 2012 15:12:15 +0000 (16:12 +0100)]
heat engine : remove unused EC2 style auth from engine
We handle EC2 style auth at the heat-api-cfn level, so EC2
style authenticated requests simply pass us an auth_token in
the context, so remove this duplicate/dead code.
Ref #268
Change-Id: I17708cb6ef4b0eb4989d47c116b6211f0d419dcb
Signed-off-by: Steven Hardy <shardy@redhat.com>
Zane Bitter [Fri, 19 Oct 2012 14:15:13 +0000 (16:15 +0200)]
Identify stacks using tenant UUIDs
Tenant names may come and go, but UUIDs are universally unique. Therefore,
ownership of the stack should be keyed on the tenant_id, not the tenant
name.
Steven Hardy [Wed, 17 Oct 2012 12:37:57 +0000 (13:37 +0100)]
heat engine : Make wait-condition poll interval better
Remove rising-rate sleep-time logic and replace with a bounded
poll interval derived from the timeout - this should avoid ramping
up to a really long interval and delaying stack complete status
Fixes #264
Change-Id: Id53b87a988299708c29fc853f2801f527fd825dd
Signed-off-by: Steven Hardy <shardy@redhat.com>
Zane Bitter [Tue, 16 Oct 2012 14:31:59 +0000 (16:31 +0200)]
Handle upgrades in heat-keystone-setup
Handle upgrades of Heat by removing any outdated endpoints that exist in
keystone and adding any existing "heat" service user to an admin role in
the service tenant.
Zane Bitter [Mon, 15 Oct 2012 09:57:11 +0000 (11:57 +0200)]
Getting Started: Fix IP address determination on F17
The format of the output of ifconfig has changed between Fedora 16 and
Fedora 17, so starting the metadata server failed on the latter due to a
missing IP address.
The change makes the script work with either format, and also now fails
with an error if it breaks again.