Commit Graph

61879 Commits

Author SHA1 Message Date
Zuul 99a2835bd2 Merge "api: Add response body schemas for quota class sets API" 2026-01-24 07:28:38 +00:00
Zuul 63c68c9542 Merge "TPM: support instances with deployment secret security" 2026-01-23 22:30:44 +00:00
Zuul 5ac48468ac Merge "Refactor service user authentication" 2026-01-23 22:30:30 +00:00
Zuul 7579dbdf0e Merge "Use *_OR_ADMIN policy defaults for server shares" 2026-01-23 05:00:53 +00:00
Zuul 8fe5d3ce75 Merge "Faults from cell DB missing in GET /servers/detail" 2026-01-23 05:00:40 +00:00
Zuul 7a77815204 Merge "Replace obsolete PCRE packages" 2026-01-23 05:00:28 +00:00
Artom Lifshitz 880019baaf TPM: support instances with deployment secret security
This means authenticating as the Nova service user to Barbican,
so that the latter can make the secret owned by Nova. This requires
the [service_user] config section to be set.

An API block is also added to prevent resizes to change to or from
the ``deployment`` TPM secret security mode. This is because doing so
would require conversion of secret ownership to or from the user to the
Nova service user. The change is complicated and will be implemented
as a separate patch later in the series.

Resizing from ``deployment`` TPM secret security mode to ``deployment``
TPM secret security mode is allowed.

Related to blueprint vtpm-live-migration

Change-Id: I007f9993451d9197f53dee9a5fd29daa307ebe6b
Signed-off-by: melanie witt <melwittt@gmail.com>
2026-01-22 15:29:15 -08:00
Balazs Gibizer a9b8c4aee1 Prevent leaking RPC poller thread between tests
When a unit test creates a nova.service.Service() and calls start() on
it, nova starts an RPC server with the fake oslo_messaging
implementation. That implementation uses a thread / greenthread to poll
for messages. If the RPC server is not stopped directly or via
Service.stop() at the end of the test case then that poller thread
remains running during any subsequent test. This can cause interference
between test cases.

This patch adds a fixture that tracks the started poller threads and
fails the test case if the poller is still active at the end of the test
case. As a consequence a set of test cases needed fixes to remove the
leak.

Change-Id: I92dc4ad09c77fd0a9e0bb263d355d9b0204be790
Signed-off-by: Balazs Gibizer <gibi@redhat.com>
2026-01-22 10:05:16 +01:00
melanie witt 66bb1e77f2 Refactor service user authentication
Currently we have very similar service user authentication code
partially duplicated in the following areas:

  * nova/image/glance.py
  * nova/network/neutron.py
  * nova/volume/cinder.py
  * nova/api/metadata/vendordata_dynamic.py

This attempts to commonize and reuse code as much as possible from the
service_auth module in preparation of vTPM live migration patches.

Change-Id: I3a5c00e434eb6ce7956a717dffd11f38f19c5f7d
Signed-off-by: melanie witt <melwittt@gmail.com>
2026-01-21 20:45:11 -08:00
Zuul 637f66f677 Merge "blueprint: iothreads-for-instances" 2026-01-21 21:57:59 +00:00
Stephen Finucane 2b7b271324 Bump hacking
We also bump the other linters, although these don't change anything.

Change-Id: I07ddb8743804172a4e81a70b1ee4aa897e48dfca
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
2026-01-21 10:56:13 +00:00
Stephen Finucane e785ab52dc typing: Replace objects from typing with literals
We also replace the use of typing.Union and add missing parameters and
returns types for Callable types.

Change-Id: I75ed4d1cc4d84515910a5bd315f8626135258148
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
2026-01-21 10:55:57 +00:00
Stephen Finucane c870873f7f typing: "Import" objects
mypy doesn't know that we dynamically register these: give it a helping
hand.

Change-Id: I73321f67766b67e00038fd8de744f95128c3e6cb
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
2026-01-20 18:03:29 +00:00
Stephen Finucane dc31f9fd61 Run mypy from tox
This avoids the need to duplicate our dependency list in multiple places
and allows us to take advantage of tox's dependency management
infrastructure, to ensure we always get the latest and greatest version
of a package allowed by upper-constraints. It also removes the slowest
pre-commit hook (by some distance), making pre-commit faster.

Change-Id: Ie241768231f180d5a672bf9f8fdc6a1eb8d7dfdb
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
2026-01-20 18:03:04 +00:00
Takashi Kajinami b1a50e67a1 Replace obsolete PCRE packages
pcre3 was removed from recent debian-based releases (eg. Trixie[1]),
while RHEL10/CentOS Stream 10 no longer ships pcre in favor of pcre2.

Use the latest whereto library release (0.5.0) which uses pcre2
instead.

[1] https://lists.debian.org/debian-devel/2021/11/msg00176.html

Depends-on: https://review.opendev.org/c/openstack/requirements/+/971428
Change-Id: I5ae44fa16128bb8dc9817a2bf2c8e349db75156b
Signed-off-by: Takashi Kajinami <kajinamit@oss.nttdata.com>
2026-01-20 23:14:18 +09:00
elajkat 76d64b9cb4 blueprint: iothreads-for-instances
Enable one io-thread per qemu instance.

Related-Bug: iothreads-for-instances
Change-Id: I8b22e5bca560d111934fbdf67494a4e288b9e50a
Signed-off-by: lajoskatona <lajos.katona@est.tech>
2026-01-19 16:17:47 +01:00
Zuul 66bad0b1d9 Merge "mem-enc: create generic check for mem encryption support by host" 2026-01-19 11:23:26 +00:00
Zuul deee6867e9 Merge "libvirt: Remove import hacks" 2026-01-19 11:12:53 +00:00
Zuul 68cec593a7 Merge "Compute manager to use thread pools selectively" 2026-01-16 21:03:28 +00:00
Balazs Gibizer 3c23390cc8 Compute manager to use thread pools selectively
This changes the thread pool usage of the ComputeManager to go through
the concurrency mode aware util functions.

The concurrent live migration pool had a seemingly unlimited option
when configured with value 0, but in reality GreenThreadPool has a
default worker size of 1000. In reality it is almost never right to
have more than one live migration running concurrently. Also with
native threading having 1000 workers is just too costly. So we
decided to deprecate the value 0 and changed the implementation of
unlimited to mean 5 threads in native threading mode. We kept the 1000
greenthreads in eventlet mode for backward compatibility.

The _sync_power_states periodic task also spawns tasks for each instance
to be synced. As it uses a shared data structure across these tasks
and the caller, a lock is needed to avoid race conditions.
Also the default pool size is 1000 for these tasks in our configuration.
That would use a lot of memory on a busy host in native threading mode.
So we changed the default value from 1000 to 5.

Change-Id: I9567d5fabdf086b5d0493103d9f6bde4f66af387
Signed-off-by: Balazs Gibizer <gibi@redhat.com>
2026-01-16 09:47:42 +01:00
Zuul f43c64c56c Merge "Migrate upper functional job to Python 3.13" 2026-01-15 20:10:58 +00:00
Zuul 48cb769856 Merge "api: Add response body schemas for limits API" 2026-01-15 05:31:12 +00:00
Zuul 80753c5745 Merge "Upgrade note for concurrency mode default change" 2026-01-14 21:23:21 +00:00
Zuul d16689b775 Merge "[ironic] Use constants from Ironic, test w/ddt" 2026-01-14 12:57:27 +00:00
Balazs Gibizer f73a23b4d4 Upgrade note for concurrency mode default change
This is a follow up for the release notes added in the commit
35207ee8b5 that changed the default mode
for the scheduler and the API services. At that time we failed to note
the upgrade impact of such a change. So this patch extends the reno with
an upgrade note.

Change-Id: I280e7eb9c1da6eeaf50e96e8b19e296961f2651a
Signed-off-by: Balazs Gibizer <gibi@redhat.com>
2026-01-14 13:29:07 +01:00
Zuul 72d37f87a0 Merge "Do not fork compute workers in native threading mode" 2026-01-14 05:23:27 +00:00
Zuul 27d4d84eb1 Merge "libvirt: Ensure device alias is present" 2026-01-09 16:38:31 +00:00
Zuul a906f39ec8 Merge "trivial: Use functools.wraps" 2026-01-09 16:11:06 +00:00
Zuul 4b90fdf9af Merge "Replace remaining reference to policy.json" 2026-01-06 14:15:23 +00:00
Zuul 88c538a897 Merge "libvirt: Skip unsupported firmware types" 2026-01-06 12:01:12 +00:00
Zuul db97e3bb50 Merge "Replace removed os-vif-ovs job" 2026-01-06 06:39:06 +00:00
Takashi Kajinami ad911932ff Replace removed os-vif-ovs job
It was replaced by os-vif-ovn job.

Depends-on: https://review.opendev.org/c/openstack/os-vif/+/798038
Change-Id: I4fc595eb51c05c4875bc94e0e812f117a35df7cf
Signed-off-by: Takashi Kajinami <kajinamit@oss.nttdata.com>
2026-01-05 21:20:18 +09:00
Zuul 3f224ae303 Merge "[test]Further categorization of disabled unit tests" 2026-01-05 05:00:34 +00:00
Zuul 41c4c9124e Merge "Fix ProviderTree copying with threading Lock" 2026-01-03 02:00:25 +00:00
Thomas Goirand 21b365b140 Python 3.14: fix assertRaises
Python 3.14 tightened call semantics, and testtools 2.8.2 no longer
tolerates unittest-style kwargs, when Nova tests were mixing
testtools.TestCase with unittest. This patch fixes this by using
positional arguments for assertRaises.

Signed-off-by: Thomas Goirand <zigo@debian.org>
Change-Id: Ic589880d4759336ab6ceec5057eafe223f692caa
2025-12-29 11:33:03 +01:00
Balazs Gibizer 0498e2ad76 Do not fork compute workers in native threading mode
Force running the Compute Service within the main Process with native
threading to keep the baseline behavior.

In eventlet mode with workers=1 or workers=None it is oslo.service's
default behavior[1]. But with native threading we need to explicitly
pass no_fork=True to oslo to get this behavior instead of forking a
single worker [2].

Forking a single worker for compute would also be problematic as compute
initializes the conductor RPC client before such fork and the rabbitmq
oslo.messaging driver does not support forking with a connected client
[3].

Patch bumps the minimum oslo.service version to 4.4.1 to pick up the fix
https://review.opendev.org/c/openstack/oslo.service/+/966458 nova now
depends on.

[1] https://github.com/openstack/oslo.service/blob/37b90521ea01baa0c8e6412453c42972a28e3b12/oslo_service/backend/_eventlet/service.py#L749C1-L753
[2] https://github.com/openstack/oslo.service/blob/37b90521ea01baa0c8e6412453c42972a28e3b12/oslo_service/backend/_threading/service.py#L296-L300
[3] https://docs.openstack.org/oslo.messaging/latest/reference/transport.html#forking-processes-and-oslo-messaging-transport-objects

Change-Id: If6daffc25d737f53b1a478d42fd85a0446b09e6d
Signed-off-by: Balazs Gibizer <gibi@redhat.com>
2025-12-24 01:37:02 +00:00
Balazs Gibizer d6d87696b9 [test]Further categorization of disabled unit tests
Change-Id: Ic7d394db1bd284b6ed058c8a451236432df96006
Signed-off-by: Balazs Gibizer <gibi@redhat.com>
2025-12-24 01:37:02 +00:00
Balazs Gibizer e3203ce4d1 Fix ProviderTree copying with threading Lock
The threading Lock object cannot be copied so the ProviderTree cannot be
deep copied in threading mode. This patch adds custom pickling /
copying handlers to the ProviderTree class to ignore the lock from the
source and re-add it in the destination object during pickling /
copying.

Note that ProviderTree uses a named lock which means all the instances of
the ProviderTree object in the same process use a shared lock object.
The copy handlers ensure the same behavior during copying so the copy
will use the same shared lock as well.

Signed-off-by: Balazs Gibizer <gibi@redhat.com>
Change-Id: I084e72ce81dd456d67c9046f37d1ccb01b9fa4ba
2025-12-24 01:37:02 +00:00
Stephen Finucane 19f1119b6d libvirt: Remove import hacks
This has been on the TODO list for over 8 years. Time to resolve it.

Change-Id: Ic5367a1042ae5da974a25c135b58a1ebf22eb531
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
2025-12-19 18:31:40 +00:00
Zuul 4b71dab239 Merge "Remove tpool_execute as it is unused" 2025-12-18 22:39:50 +00:00
Stephen Finucane aec74c1f23 libvirt: Ensure device alias is present
Our event listener depends on devices having an alias set. We add an
early assertion to prove this is the case. In real-life, this will
always be the case since the devices we can detach - like interfaces and
disks - are among the lists of devices that libvirt will automatically
generate an alias for if the user (nova-compute, in this case) doesn't
provide their own [1]. However, many of our tests were not doing this so
we must update our LibvirtFixture in particular to start doing so.

[1] https://github.com/libvirt/libvirt/blob/v11.10.0/src/qemu/qemu_alias.c#L692-L786

Change-Id: Id98d8029af673ffa89d6472be98f90a6f0975511
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
2025-12-18 17:49:45 +00:00
Stephen Finucane c7d37ee3ce trivial: Use functools.wraps
Rather than setting dunder attributes manually.

Change-Id: I71bf90f5deacb11cbf6e39dfe459edd5a03f3d75
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
2025-12-18 16:11:16 +00:00
Balazs Gibizer 081130d329 Do not mock threading.Event.wait
There were libvirt disk attach / detach unit test cases that mocked
threading.Event.wait to speed up the test execution as the libvirt event
based device detach has a 20 seconds timeout.

However this mock is very wide. It affects all the threading.Event usage
during the test case. As we switched to the native threaded backend
of oslo.service we got a LoopingCall implementation that relies on
threading.Event to signal when the call is finished. In these test cases
the wide mock broke this logic and the LoopingCall signalled "done" while
the actual call in the background was still running, making that call
leak out from the test case and therefore run under the fixtures the test
case tore down after the test case finished. This caused the call to
later hit non-mocked code paths like importing the real libvirt lib
instead of using our libvirt fixture, causing late failures.

The fix is to remove the wide mock and instead change the detach timeout
in these test cases.

Later follow ups will check put protection in place to avoid
re-introducing this wide mock.

Closes-Bug: #2136815
Change-Id: I3f40d9dad6ef87e6fa4db0ea4065a77421e8c271
Signed-off-by: Balazs Gibizer <gibi@redhat.com>
2025-12-18 16:33:09 +01:00
Zuul 3e5a2dbad7 Merge "Follow up test change for 8c8047ce2afae" 2025-12-17 15:10:42 +00:00
Ivaylo Mitev fb661ec597 Faults from cell DB missing in GET /servers/detail
Field  is empty in the response of API GET /servers/detail if the
instance (hence instance_faults DB entry) is in nova cell DB.
Unlike that, for API /servers/:id fault is retrieved correctly no matter
in which nova cell the instance belongs.

Closes-Bug: #1856329
Change-Id: I1726f53cfeac0a67a5dacdddda2af2cc1db0af0f
Signed-off-by: Marius Leustean <marius.leustean@sap.com>
2025-12-17 11:51:38 +02:00
Taketani Ryo 2035afbb5e mem-enc: create generic check for mem encryption support by host
Introduce the new Host.supports_mem_encryption which tells whether
the host supports memory encryption. This allows us to centralize
and generalize the check logic for additional mechanisms such as
Arm CCA, planned to be added in the future.

Implements: blueprint generalize-sev-code
Change-Id: If020c71bd4962c6ca96e042592854e57d9a7dcce
Signed-off-by: Taketani Ryo <taketani.ryo@fujitsu.com>
2025-12-17 07:42:51 +00:00
Zuul 11dff40b4f Merge "Make image upload tpool usage conditional" 2025-12-16 19:29:43 +00:00
Zuul 5b540e579e Merge "Make guestfs' Tpool usage optional" 2025-12-16 13:27:31 +00:00
Balazs Gibizer cbbb8b14e0 Follow up test change for 8c8047ce2a
Change-Id: Ifc915b3ad0c00ec528183920cbe09f873dedcaf3
Signed-off-by: Balazs Gibizer <gibi@redhat.com>
2025-12-16 12:40:39 +01:00
Zuul fc19a29d20 Merge "Make libvirt Tpool proxying conditional" 2025-12-16 04:49:53 +00:00