Commit Graph

61675 Commits

Author SHA1 Message Date
Zuul f4ca2e3ef9 Merge "Add hw_mem_encryption_model image property" 2025-08-28 21:03:27 +00:00
Zuul d5134798de Merge "Detect AMD SEV-ES support" 2025-08-28 20:36:36 +00:00
Zuul a5670dc442 Merge "Migrate MEM_ENCRYPTION_CONTEXT from root provider" 2025-08-28 20:36:20 +00:00
Takashi Kajinami a8386bdab3 Purge nested SEV RPs when SEV is disabled
We can determine the exact names of these RPs using the compute node name,
independently from how nova is configured. So we can easily purge
these RPs.

Change-Id: I0a18e3a3750137061e04765f2feaf4889c6f5606
Signed-off-by: Takashi Kajinami <kajinamit@oss.nttdata.com>
2025-08-28 08:50:42 +09:00
Takashi Kajinami af287b71c4 Add functional test scenario for mixed SEV RPs
As a follow-up of change Iad51c32d0f64ef52513bd2f2b517c91f29c63787,
add a functional test scenario to ensure that new instances can be
created even when a cluster has both a compute node with an old SEV RP and
another with a reshaped SEV RP, to simulate the real world upgrade
scenario in an existing cluster with the SEV feature enabled.

Change-Id: I2c576f8de05b69ab51743db53acf52bc2a35eb59
Signed-off-by: Takashi Kajinami <kajinamit@oss.nttdata.com>
2025-08-28 08:50:15 +09:00
Takashi Kajinami 4f5a3f3c00 libvirt: Launch instances with SEV-ES memory encryption
This is the last piece to allow users to request AMD SEV-ES for memory
encryption instead of AMD SEV. The CPU feature for memory encryption
can now be requested via the hw:mem_encryption_model flavor extra spec
or via the hw_mem_encryption_model image property.

Implements: blueprint amd-sev-es-libvirt-support
Change-Id: Ifc9b86ad7db887cc22b2cd252fe8adc81fdc29c6
Signed-off-by: Takashi Kajinami <kajinamit@oss.nttdata.com>
2025-08-28 08:47:49 +09:00
Takashi Kajinami dc6641baad Add hw_mem_encryption_model image property
This is prep work to support launching instances with AMD SEV-ES memory
encryption and adds the object field to select the CPU feature to
encrypt and protect memory data of instances.

Partially-Implements: blueprint amd-sev-es-libvirt-support
Change-Id: I71fde5438d4e22c9e2566f8a684c5a965a7f3dd3
Signed-off-by: Takashi Kajinami <kajinamit@oss.nttdata.com>
2025-08-28 08:47:49 +09:00
Takashi Kajinami 6c0a689d80 Detect AMD SEV-ES support
Detect AMD SEV-ES support by kernel/qemu/libvirt and generate a nested
RP for ASID slots for SEV-ES under the compute node RP.

Deprecate the [libvirt] num_memory_encryption_guests option because
the option is effective only for SEV, and now the maximum numbers for
SEV/SEV-ES guests can be detected by domain capabilities presented by
libvirt.

Note that creating an instance with memory encryption enabled now
requires the AMD SEV trait, because these instances can't run with SEV-ES
slots, which are added by this change.

Partially-Implements: blueprint amd-sev-es-libvirt-support
Change-Id: I5968e75325b989225ed1fc6921257751ae227a0b
Signed-off-by: Takashi Kajinami <kajinamit@oss.nttdata.com>
2025-08-28 08:47:45 +09:00
Ghanshyam Maan f914cb185c Add service role in Nova policy
RBAC community wide goal phase-2[1] is to add 'service'
role for the service APIs policy rule. This commit
defaults the service APIs to 'service' role. This way
service APIs will be allowed for service user only.

Tempest tests are also modified to simulate the service-to-service
communication. Tempest tests send the user with the service
role to the nova API.
- https://review.opendev.org/c/openstack/tempest/+/892639

Partial implement blueprint policy-service-role-default

[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#phase-2

Change-Id: I1565ea163fa2c8212f71c9ba375654d2aab28330
Signed-off-by: Ghanshyam Maan <gmaan@ghanshyammann.com>
2025-08-27 19:34:04 +00:00
Balazs Gibizer ea50365cce Do not yield in threading mode
If a service runs in threading mode nova.utils.cooperative_yield is a noop
as yielding is only necessary for eventlet.

Change-Id: I72a52262f5c501f77d23ed56cbcd1a9c2be72fa7
Signed-off-by: Balazs Gibizer <gibi@redhat.com>
2025-08-27 19:03:34 +02:00
Balazs Gibizer 350cdd1b5e [CI]Make nova-tox-py312-threading voting
Change-Id: I6a220d03f7c879af0d714740102b2d84ce61ca69
Signed-off-by: Balazs Gibizer <gibi@redhat.com>
2025-08-27 19:03:34 +02:00
Balazs Gibizer 1318cd48a1 [test]RPC using threading or eventlet selectively
The nova tests were hardcoded to run the RPC servers with the eventlet
executor. We change that to be dynamic: based on how the tests were
started, they can use eventlet or threading.

This makes some of the so far hanging RPC dependent unit tests pass.

Change-Id: I5012122fe66d41459b68202e750391a1939d70d9
Signed-off-by: Balazs Gibizer <gibi@redhat.com>
2025-08-27 19:03:30 +02:00
Balazs Gibizer 83eed99a9f Run unit test with threading mode
The py312-threading tox target will run the currently working unit tests
in threading mode. We have an exclude list of tests that are
failing or hanging. Also the current test list might still have unstable
tests.

This also adds a non-voting zuul job to run the new target.

Change-Id: Ibf41fede996fbf2ebaf6ae83df8cfde35acb2b7e
Signed-off-by: Balazs Gibizer <gibi@redhat.com>
2025-08-27 19:01:35 +02:00
Balazs Gibizer b278240370 Allow to start unit test without eventlet
The end goal is to be able to run at least some of the unit tests
without eventlet. But there are things preventing that for now.

We need to make sure that the oslo.service backend is not initialized to
eventlet by any early import code before our monkey_patch module can do
the selective backend selection based on the env variable.

The nova.tests.unit module had some import time code execution that was
forcing imports that initialize the oslo.service backend too early,
way before nova would do it in normal execution. We could remove
objects.register_all() from nova/tests/unit/__init__.py as it seems
tests are passing without it. Still, that would not be enough, so I
eventually decided to keep it.

The other issue is that the unit test discovery imports all modules
under nova.tests.unit and that eventually imports oslo.messaging and
that also forces oslo.service backend selection.

So we injected an early call to our smart monkey_patch module to preempt
that. This does not change the imported modules as the monkey_patch module
is imported anyhow via the nova.test module. It just changes the order to
allow explicit oslo.service backend selection.

After this patch the unit test can be run via

  OS_NOVA_DISABLE_EVENTLET_PATCHING=true tox -e py312

Most of the tests will pass but there are a bunch of tests timing out or
hanging.

Change-Id: I210cb6a30deaee779d55f88f0f57584c65b0dc05
Signed-off-by: Balazs Gibizer <gibi@redhat.com>
2025-08-27 18:54:26 +02:00
Balazs Gibizer 2a9cbdabce Ask for pre-prod testing for native threading
This patch refines our logging, docs, and release notes about the native
threading mode of the scheduler, api, and metadata services to ask for
pre-prod testing before enabling it in production.

Change-Id: I04bbb3d7e4664a0cab8b30f4c34ee71774536353
Signed-off-by: Balazs Gibizer <gibi@redhat.com>
2025-08-27 18:46:31 +02:00
Takashi Kajinami b7c7d45093 Migrate MEM_ENCRYPTION_CONTEXT from root provider
This is the preparation work to extend memory encryption support to
AMD SEV-ES, and migrates the MEM_ENCRYPTION_CONTEXT resources
to a separate child resource provider, so that slots for different
memory encryption mechanisms can be modeled.

Partially-Implements: blueprint amd-sev-es-libvirt-support
Change-Id: Iad51c32d0f64ef52513bd2f2b517c91f29c63787
Signed-off-by: Takashi Kajinami <kajinamit@oss.nttdata.com>
2025-08-27 22:57:25 +09:00
Zuul a7e5377da4 Merge "api: Only apply "soft" additionalProperties validation to requests" 2025-08-27 06:04:36 +00:00
Zuul f5931184e9 Merge "tests: Use valid UUIDs for cinder resources" 2025-08-27 05:36:22 +00:00
Zuul 40b4ebc72d Merge "api: Separate volume, snapshot and volume attachments" 2025-08-27 05:36:00 +00:00
Zuul 5ecc54292b Merge "libvirt: Get info with abs path, rebase with rel path" 2025-08-27 04:50:53 +00:00
Zuul 589ecad750 Merge "Remove logic for unsupported old libvirt/qemu" 2025-08-27 04:43:03 +00:00
Sylvain Bauza d6032973ca Update min support for Flamingo
Now that master is on Flamingo, which is a non-SLURP release, we need
to bump our minimum supported version to the previous SLURP release,
which is now Epoxy (and no longer Caracal).

Change-Id: Ia7d0c1bdc9890f3789791fd5bc57101dc128a9e8
Signed-off-by: Sylvain Bauza <sbauza@redhat.com>
2025-08-26 16:52:39 +02:00
Stephen Finucane 1d32b50b4a api: Only apply "soft" additionalProperties validation to requests
Work around an issue with oneOf, noted inline. We also add a new check
in the API microversion handling to always fail microversion checks in a
legacy API request context. Without this, we see failures due to tests
that set microversion headers *and* legacy request context.

Change-Id: Ibf2344bcc8c4b1c025f0e665553d09d47e9c29d3
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
2025-08-26 13:54:47 +01:00
Stephen Finucane 2a546a8645 tests: Use valid UUIDs for cinder resources
This necessitates adding some missing return values for various mocks.
Combined, this brings our tests closer to reality and will be needed
once we add response schemas for these.

Change-Id: I1ff23082d257f98e4f63b84b287a3c374a62bf0b
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
2025-08-26 13:54:47 +01:00
Stephen Finucane a8651eaff3 api: Separate volume, snapshot and volume attachments
These all belong in separate files. Make it so.

We also rename the volume_attachment schema file to volume_attachments,
to better link it to the actual API code, and tweak an error message to
fix some capitalization.

Change-Id: Iffefc263bbf19d18137207c0432c16fdb3c513f9
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
2025-08-26 13:54:43 +01:00
Stephen Finucane 2e666e768a api: Address issues with images APIs
Populate missing 'required' values.

Change-Id: I4e1e00c3f7d4f2a581db42dae3535a5931e8f1cc
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
2025-08-21 16:09:06 +01:00
Stephen Finucane 4119634bf1 api: Fix validators for hw:cpu_max_* extra specs
We also fix a typo.

Change-Id: I38d03a860ccef6d1efb19b3c465411a352bb7971
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
Closes-bug: #2120862
2025-08-21 14:12:49 +01:00
Zuul d5cfdfd16d Merge "[tests] Add printing of sample and template paths" 2025-08-19 20:15:03 +00:00
Zuul 3dbbe830a4 Merge "only show standard image properties in server show." 2025-08-19 16:39:30 +00:00
Zuul b0900e9185 Merge "restrict swap volume to cinder" 2025-08-19 01:00:41 +00:00
Zuul 64d73d5e79 Merge "api: Deprecate v2 API" 2025-08-18 22:18:54 +00:00
Sean Mooney 93c0f9bc74 restrict swap volume to cinder
This change tightens the validation around the attachment
update API to ensure that it can only be called if the source
volume has a non-empty migration status.

That means it will only accept a request to swap the volume if
it is the result of a cinder volume migration.

This change is being made to prevent the instance domain
XML from getting out of sync with the nova BDM records
and cinder connection info. In the future support for direct
swap volume actions can be re-added if and only if the
nova libvirt driver is updated to correctly modify the domain.
The libvirt driver is the only driver that supported this API
outside of a cinder orchestrated swap volume.

By allowing the domain XML and BDMs to get out of sync,
if an admin later live-migrates the VM the host path will not be
modified for the destination host. Normally this results in a live
migration failure which often prompts the admin to cold migrate instead.
However, if the source device path exists on the destination the migration
will proceed. This can lead to 2 VMs using the same host block device.
At best this will cause a crash or data corruption.
At worst it will allow one guest to access the data of another.

Prior to this change there was an explicit warning in the nova API ref
stating that humans should never call this API because it can lead
to this situation. Now it is considered a hard error due to the
security implications.

Closes-Bug: #2112187
Depends-on: https://review.opendev.org/c/openstack/tempest/+/957753
Change-Id: I439338bd2f27ccd65a436d18c8cbc9c3127ee612
Signed-off-by: Sean Mooney <work@seanmooney.info>
2025-08-18 16:11:41 +00:00
Zuul e39bac965a Merge "Run nova-api and -metadata in threaded mode" 2025-08-15 11:53:36 +00:00
Zuul edad5fea4f Merge "Drop unused method" 2025-08-15 08:01:24 +00:00
Zuul 62214b4e50 Merge "Run nova-next with n-sch in threading mode" 2025-08-15 04:48:14 +00:00
Balazs Gibizer d6a3f86329 Run nova-api and -metadata in threaded mode
It turns out that nova-api and nova-metadata only depend on spawning
threads via scatter-gather. The scatter-gather already supports both
eventlet and threading mode so we can switch these services.

Our WSGI services (nova-api, nova-metadata) are not relying on
oslo.service to fork worker processes, but expect the web server to
handle that (uwsgi, apache mod_wsgi). This means we don't need to handle
any forking issues as no nova code runs before the fork.

Change-Id: Id3a339c605dfc730bdb7994c3ca45baafeb5af80
Signed-off-by: Balazs Gibizer <gibi@redhat.com>
2025-08-14 13:39:25 +02:00
Zuul e4340cd8e5 Merge "Allow services to start with threading" 2025-08-14 04:27:59 +00:00
Zuul 5976aaff25 Merge "api: Remove '[api] auth_strategy', NoAuthMiddlware" 2025-08-13 22:11:54 +00:00
Zuul 1640b5f735 Merge "api: Remove deprecated pipeline_factory" 2025-08-13 22:11:31 +00:00
Sean Mooney e2adef487e [tests] Add printing of sample and template paths
This commit refactors _verify_response in ApiSampleTestBase
to print the paths to the relevant template or sample on test
failure. It also moves the validation that the sample and template
agree after the verification that the template and response match.

Functionally the test is the same but now it's simpler to read and
debug as there is a cleaner separation between the two phases
of the verification and less state and context
to absorb as a result.

Change-Id: Ifc2552b6c0f7b667d24639d8aa685028120432ec
Signed-off-by: Sean Mooney <work@seanmooney.info>
2025-08-13 21:24:37 +01:00
Sean Mooney c7eac94fc5 only show standard image properties in server show.
nova stopped supporting custom image properties many years
ago with the introduction of ovo.

when the image property show feature was added it incorrectly
filtered the instance_system_metadata table for the image prefix
but didn't restrict the response to only standard image properties.

This change adds that filtering and fixes minor issues with the
response schema validation.

Related-Bug: #2098384
Change-Id: I11a8783b02f35b7dfc964bf49f1a8a0a2469abc3
Signed-off-by: Sean Mooney <work@seanmooney.info>
2025-08-13 21:24:23 +01:00
Zuul 651afd1b2e Merge "Drop unused parameter type validation method" 2025-08-13 12:45:58 +00:00
Zuul 2909164391 Merge "Migrate ExceptionHelper to test utilities" 2025-08-12 16:11:38 +00:00
Balazs Gibizer 3e33b58092 Run nova-next with n-sch in threading mode
Depends-On: https://review.opendev.org/c/openstack/devstack/+/948436

Change-Id: I36c68740fae3e3a9bd3286a1b66d86fd3341aff5
Signed-off-by: Balazs Gibizer <gibi@redhat.com>
2025-08-12 07:51:02 -07:00
Balazs Gibizer 5cbe39aca9 Allow services to start with threading
At service startup nova needs to initialize either the eventlet or
the threading backend of oslo.service. So this patch reuses the existing
logic behind OS_NOVA_DISABLE_EVENTLET_PATCHING.

When the OS_NOVA_DISABLE_EVENTLET_PATCHING env variable is set to true the
service will select the threading backend, otherwise the eventlet
backend.

Also, to avoid later monkey patch calls invalidating the selection, if
the threading backend is selected then the monkey_patch code is
poisoned.

This patch also makes sure that oslo.messaging is initialized with the
matching executor backend.

As this is the last step to make nova-scheduler run in threading mode
this patch adds a release note as well.

Change-Id: I6e2e6a43df78d23580b5e7402352a5036100ab36
Signed-off-by: Balazs Gibizer <gibi@redhat.com>
2025-08-12 07:51:01 -07:00
Zuul eb823b8068 Merge "conf: Rename '[api] neutron_default_tenant_id'" 2025-08-12 12:45:25 +00:00
Zuul 78969a1592 Merge "tests: Use v2.1 API in OSAPIFixture" 2025-08-12 11:31:29 +00:00
Zuul e63244f15d Merge "tests: Remove unnecessary API version overrides" 2025-08-12 11:31:16 +00:00
Zuul 38525c6a7f Merge "tests: Update to use '/v2.1' prefix, avoid project ID" 2025-08-12 11:31:04 +00:00
Zuul f65c7301ac Merge "mypy: fix type annotations for PciDevicePoolList and NUMATopologyLimits" 2025-08-12 11:30:51 +00:00