This is the last piece to allow users to request AMD SEV-ES for memory
encryption instead of AMD SEV. The CPU feature for memory encryption
can now be requested via the hw:mem_encryption_model flavor extra spec
or via the hw_mem_encryption_model image property.
Implements: blueprint amd-sev-es-libvirt-support
Change-Id: Ifc9b86ad7db887cc22b2cd252fe8adc81fdc29c6
Signed-off-by: Takashi Kajinami <kajinamit@oss.nttdata.com>
This is prep work to support launching instances with AMD SEV-ES memory
encryption and adds the object field to select the CPU feature to
encrypt and protect memory data of instances.
Partially-Implements: blueprint amd-sev-es-libvirt-support
Change-Id: I71fde5438d4e22c9e2566f8a684c5a965a7f3dd3
Signed-off-by: Takashi Kajinami <kajinamit@oss.nttdata.com>
This is mostly uneventful save for us needing to fix our API ref, which
indicated that the 'OS-EXT-IMG-SIZE:size' field shown in the 'show' and
'detail' views was a string rather than an int. You can confirm this is
*not* the case like so:
>>> import openstack
>>> conn = openstack.connect()
>>> conn.conn.compute.get('https://example.com/compute/v2.1/images/detail').json()
(obviously replace 'https://example.com/' with a compute API host)
Change-Id: Ia318478dfdb50f8d57a74958b3555f6ad97351ec
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
Keystone project manager role can be used for the project-level
management APIs. Nova introduced the manager role in policy
defaults.
To introduced the manager role, we need to make migrations
policies more granular. Adding the separate policies for host
related operation allow us to open the migration operations
to project manager role. Existing policy is checked if migration
without specifying host and new policy is checked if host is
specified. Same will be applied to list migrations, new policy
will control to return the host info.
Also, Adding doc and releasenotes.
Partial implement blueprint policy-manager-role-default
Change-Id: Ie7d135e4d24ac6d53c46a4c69ade0b0bda554e71
Signed-off-by: Ghanshyam Mann <gmaan@ghanshyammann.com>
Signed-off-by: ghanshyam <gmaan@ghanshyammann.com>
This patch adds just the objects and notifications required to
support an extra spec to configure a USB controller inside
the guest. This is useful for SPICE consoles using the native
protocol.
Change-Id: I791b16c5bf0e860a188783c863e95dc423998b0a
Signed-off-by: Michael Still <mikal@stillhq.com>
This patch adds just the objects and notifications required to
support an extra spec to configure a sound device inside
the guest. This is useful for SPICE consoles using the native
protocol.
Change-Id: I2faeda0fd0fb9c8894d69558a1ccaab8da9f6a1b
Signed-off-by: Michael Still <mikal@stillhq.com>
Either the vendor_id and product_id needs to be set or the
resource_class needs to be set in each alias. This is now validated when
the alias is parsed to avoid late failure during placement
allocation_candidates query.
Closes-Bug: #2111440
Change-Id: I7fd43b3d6faac8c4098b0983e8adc596414823a1
Document and the limitation of the PCI in Placement feature that it
does not support [pci]alias configuration where the name of the alias is
repeated. E.g.
[pci]
alias = { "name": "vf1", "product_id":"10ca", "vendor_id":"8086", "device_type":"type-VF"}
alias = { "name": "vf1", "product_id":"f000", "vendor_id":"8086", "device_type":"type-VF"}
This would mean the alias vf1 can be fulfilled from devices with product
id 10ca OR f000. However this OR relationship cannot be encoded to a
single Placement allocation query as Placement does not support
requesting alternative resource classes for a request[2].
This limitation was encoded in the original PCI in Placement
implementation[1] but we missed to mention it in the doc.
This is now fixed.
[1]https://github.com/openstack/nova/blob/0d484ce37d86e989c8abdf57aec5e334f68206ef/nova/objects/request_spec.py#L504-L528
[2]https://docs.openstack.org/api-ref/placement/#list-allocation-candidates
Related-Bug: #2102038
Change-Id: I9dd78b1498f870a4e4c3f26c23d42d105aec0350
In c12eebd4c6 we missed that there are
another set of config option that become unused now. So this is a follow
up patch to remove those as well.
Change-Id: Ie00805b5f72b118db134aeb8399ef4c72f434966
The doc is now clarifying that [filter_scheduler]pci_in_placement needs
to be set to nova-api, nova-scheduler, and nova-conductor config as
well.
Closes-Bug: #2112303
Change-Id: I3c7be2f109a97ef5cc4b2dc76cb7c58ef8c68afa
When I069879a333152bb849c248b3dcb56357a11d0324 merged in Caracal, we forgot
to add documentation for the SR-IOV GPU caveat fix.
Also, given the new max_instances option was dynamic, we can't even see it
in the configuration list, so actually none of our operators can know that we
fixed it and how to do it 🤦
Change-Id: I3402c28f76cc51dd8c003181f11e0820ce5d9b7d
Related-Bug: #2041519
This is an example NVMe cleaner script that can listen to notifications
from a per-compute topic and perform basic NVMe (or generic command)
cleaning as a result.
It also supports periodic cleaning, notification pooling (if desired,
but not recommended), and single-shot (i.e. cron) mode.
I ran this while hammering my devstack node in a tight loop of create/
delete with a PCI device. The creates would succeed and fail as the
cleaning took a few seconds per iteration, then recover, create again,
delete, clean, etc. Dozens of loops in a row with expected results.
Related to blueprint one-time-use-devices
Change-Id: Ie4e81d6319499a3bf12b60e0af4cdb291fca9503
These have been introduced at some point and now appear when running the
API samples test with GENERATE_SAMPLES=True. Add them.
Change-Id: Ic4b6b685f17e8d411776e20f239daa0736ae9a0b
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
Get rid of the whole API version switching madness and make our schema
generation _significantly_ simpler.
This looks a lot larger than it actually is. In most cases, this is
simply 's/wsgi.Controller.api_version/wsgi.api_version/'.
Change-Id: I180bfad84c38653709c216282099d9b3fb64c5a7
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
This change bumps to the latest version of each
of our pre-commit hooks. Of note this add py3.13
support to autopep8.
Codespell was also updated and the new spelling
issues resolved.
Change-Id: I1aab019ffb0ee9366a7d26515bef1335d09044df
The tl;dr is to 1) avoid trying to disconnect volumes on the
destination if they were never connected in the first place and
2) avoid trying to disconnect volumes on the destination using block
device info for the source.
Details:
* Only remotely disconnect volumes on the destination if the failure
was not during pre_live_migration(). When pre_live_migration() fails,
its exception handling deletes the Cinder attachment that was created
before re-raising and returning from the RPC call. And the BDM
connection_info in the database is not guaranteed to reference the
destination because a failure could have happened after the Cinder
attachment was created but before the new connection_info was saved
back to the database. In this scenario, there is no way to reliably
disconnect volumes in the destination remotely from the source because
the destination connection_info needed to do it might not be
available.
* Due to the first point, this adds exception handling to disconnect
the volumes while still on the destination, while the destination
connection_info is still available instead of trying to do it
remotely from the source afterward.
* Do not pass Cinder volume block_device_info when calling
rollback_live_migration_on_destination() because volume BDM records
have already been rolled back to contain info for the source by
that point. Not passing volume block_device_info will prevent
driver.destroy() and subsequently driver.cleanup() from attempting to
disconnect volumes on the destination using connection_info for the
source.
Closes-Bug: #1899835
Change-Id: Ia62b99a16bfc802b8ba895c31780e9956aa74c2d
The nova debuger functionality was intended
to help debugging running process however it has
never been reliable due to our use of eventlet and is generally
not required when not using eventlet. I.e. you can just
run the nova console-scripts form a debugger or add pdb
statements as required.
As part of the eventlet removal the debugger functionality is
removed given its untested and undocumented.
Change-Id: I7bf88f06f3d1dbd2c7e342b27a21440a123c631d
We learned during recent installer development that triggering
GMR with apache/mod_wsgi API services via signals is hard due
to multiple reasons. We ended up using file based triggers instead of
signals. This patch document this approach.
Change-Id: I1fdbe6314ce4a1b173d01d3ebd9db07a0beb25a2
The previous patch[1] removed the entry points. As there is sizable
amount of doc change needed to remove all the references from the doc
to the removed entry points a separate patch, this, is created to do so.
[1] Ie758550c0b8fb02aeb398396961467d9f845fcc9
Change-Id: Ibe8e45e86912e747f07e5fabd5b1204341c1e606
This adds documentation to the PCI-passthrough doc in the admin guide,
explaining how to use one-time-use devices.
Keeping this separate so we can iterate on it separate from the code.
Related to blueprint one-time-use-devices
Change-Id: Iff91c0726bbb37c7a3ef885a73e3c3586feb6004
This adds support for devices that will be allocated to an instance
once and left in a reserved=total state. An external workflow can
put them back into allocatable state by dropping reserved back to
zero. Note this requires PCI-in-placement tracking for the affected
devices and it is only valid for type-PCI and type-PF devices.
Related to blueprint one-time-use-devices
Depends-On: https://review.opendev.org/c/openstack/requirements/+/946181
Co-Authored-By: Balazs Gibizer <gibi@redhat.com>
Change-Id: Idfe8a746a97d68cd4eae30afb7d22f4e3af80327
This patch adds the necessary documentation identified in:
- pci-passthrough: Explaining live migration and known issues.
- virtual-gpu: Updating the caveats section to clarify what to do
when VF devices are available instead of `mdev`.
The target goal of these series of patch is to enable VFIO devices
migration with kernel variant drivers.
Implements: blueprint migrate-vfio-devices-using-kernel-variant-drivers
Change-Id: I41271a8af5687fb1d18f9d0852492756e096720d
It was deprecated 5+ years ago[1].
Also remove the keystone_authtoken section from compute node because
these options are unused by nova-compute.
[1] 18de63deaa
Change-Id: Ie37a1593e101d76b003aeddef2294d52386b2050
Takashi Kajinami