The _get_bound_arq_resources() in the compute manager [1] calls Cyborg
up to 3 times: once to get the accelerator request (ARQ) UUIDs for the
instance, and then once or twice to get all ARQs with completed bindings.
The first call can be eliminated by passing the ARQs from the conductor
to the compute manager as an additional parameter in
build_and_run_instance(). This requires a bump in the compute rpcapi version.
[1] https://review.opendev.org/#/c/631244/54/nova/compute/manager.py@2652
Blueprint: nova-cyborg-interaction
Change-Id: I26395d57bd4ba55276b7514baa808f9888639e11
This adds new default roles in the os-agents API policies. This policy
defaults to the system admin role. Policy rules are made more granular
to adopt the new defaults.
Partially implements blueprint policy-defaults-refresh
Change-Id: I9b094ecd3c5ff4f56ecfafb72c2a660b4146035f
Currently, if no target is passed to context.can(), it uses the default
target, which is context.user_id and context.project_id. These default
targets are not useful, as they pass only the context's user_id and
project_id, which means we tell oslo.policy to verify the context data
against the context data itself.
This commit passes the actual target for the os-instance-usage-audit-log
policies, which is an empty dict because the policy rule is system scoped
rather than project scoped, so the token scope check deals with the
required target checking.
Partially implements blueprint policy-defaults-refresh
Change-Id: I5584b9bb192dc32c60ba5a83d3bd2de293bbbd27
This adds new default roles in the os-instance-usage-audit-log
API policies. This policy defaults to the SYSTEM_READER role.
Policy rules are made more granular to adopt the new defaults.
Also add tests to simulate the future where we drop the deprecation
fallback in the policy by overriding the rules with a version where
there are no deprecated rule options. Operators can do the same by
adding overrides in their policy files that match the default but
stop the rule deprecation fallback from happening.
Partially implements blueprint policy-defaults-refresh
Change-Id: I749300f949d9c46e79accbf847b3edb6864ff41b
Current tests do not have good coverage of the existing policies.
Either tests for policies do not exist or, if they exist, they
do not cover the actual negative and positive cases.
For example, for any policy whose default rule is admin only, the
test should verify:
- the policy check passes with a context that is admin or server owner
- the policy check fails with a context that is non-admin and not server owner
As discussed in policy-defaults-refresh, to change the policies
to new default roles and scope_type, we need enough test coverage
of the existing policy behavior.
When we add the scope_type to policies or new default roles,
this test coverage will be extended to adopt the new changes
and also make sure we do not break the existing behavior.
This commit adds test coverage for the existing ips policies.
Partially implements blueprint policy-defaults-refresh
Change-Id: Ib39d8e1603998daf0a94decbdc728767d3e240f3
The os-ips API policy defaults to admin_or_owner [1], but the API
is allowed for everyone.
We can see in the test that a context from another project can access the API
- https://review.opendev.org/#/c/715477
This is because the API does not pass the server's project_id in the policy target [2],
and if no target is passed then policy.py adds the default target, which is
nothing but context.project_id (allowing everyone who tries to access) [3].
This commit fixes this policy by passing the server's project_id in the policy
target.
Closes-bug: #1869396
[1] https://github.com/openstack/nova/blob/eaf08c0b7b8250408e5d10c6471f2e3155cc0edb/nova/policies/ips.py#L27
Change-Id: Ie7bcb6537f90813cc5b23d69c886037d25b15a42
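The two commit messages above (the os-instance-usage-audit-log target change and the os-ips fix for bug #1869396) describe the same root cause: when no target is passed to the policy check, the target defaults to the caller's own user_id/project_id, so an owner rule compares the context with itself and can never fail. The following is an added example, not Nova's or oslo.policy's own code. It uses a small stand-in evaluator for the rule string 'is_admin:True or project_id:%(project_id)s' (an assumption made so it runs stand-alone without oslo.policy; role/scope checks for system-scoped rules are not modelled) and shows the pre-fix check beside the fixed check, driven by the positive/negative cases the policy-test-coverage commits ask for: owner passes, admin passes, a context from another project must fail.

```python
"""Added example (not Nova's code): default policy target vs. resource target.

Stand-in for the oslo.policy generic check 'key:value'.  A value written as
%(name)s is looked up in the target dict; anything else is compared literally
against the credentials.  This is an assumption made for a self-contained
demo, not the real oslo.policy implementation.
"""
from dataclasses import dataclass


@dataclass
class Context:
    """Minimal stand-in for nova.context.RequestContext."""
    user_id: str
    project_id: str
    is_admin: bool = False


# Pre-fix default for the os-ips policy: "admin_or_owner".
ADMIN_OR_OWNER = "is_admin:True or project_id:%(project_id)s"


def _check_atom(atom, creds, target):
    """Evaluate one 'kind:value' atom against creds, resolving %(key)s
    references through the target dict.  A missing target key never matches."""
    kind, _, value = atom.partition(":")
    if value.startswith("%(") and value.endswith(")s"):
        key = value[2:-2]
        if key not in target:
            return False
        expected = target[key]
    else:
        expected = value
    return str(creds.get(kind)) == str(expected)


def enforce(rule, ctx, target=None):
    """Return True if ctx satisfies rule against target.

    Mirrors the behaviour the commits describe: with no target given, the
    target defaults to the caller's own user_id/project_id, so a
    project_id:%(project_id)s atom compares the context with itself.
    Rules are a disjunction of ' or ' clauses, each a conjunction of ' and '.
    """
    creds = {"user_id": ctx.user_id, "project_id": ctx.project_id,
             "is_admin": ctx.is_admin}
    if target is None:
        target = {"user_id": ctx.user_id, "project_id": ctx.project_id}
    return any(
        all(_check_atom(a.strip(), creds, target) for a in conj.split(" and "))
        for conj in rule.split(" or ")
    )


def can_list_ips_buggy(ctx, server):
    """Pre-fix behaviour: no target passed, so every project's context passes."""
    return enforce(ADMIN_OR_OWNER, ctx)


def can_list_ips_fixed(ctx, server):
    """Fixed behaviour: the server's project_id is the policy target."""
    return enforce(ADMIN_OR_OWNER, ctx, {"project_id": server["project_id"]})


# Constructed sample data (not from any real deployment).
SERVER = {"id": "server-1", "project_id": "proj-a"}
OWNER = Context(user_id="u1", project_id="proj-a")
OTHER = Context(user_id="u2", project_id="proj-b")
ADMIN = Context(user_id="u3", project_id="proj-z", is_admin=True)

if __name__ == "__main__":
    for name, ctx in (("owner", OWNER), ("other", OTHER), ("admin", ADMIN)):
        print(f"{name}: buggy={can_list_ips_buggy(ctx, SERVER)} "
              f"fixed={can_list_ips_fixed(ctx, SERVER)}")
```

The negative case is the one that matters: `can_list_ips_buggy(OTHER, SERVER)` returns True because the target was filled from OTHER's own project_id, while `can_list_ips_fixed(OTHER, SERVER)` returns False. A policy test that only exercises the owner and admin contexts would never have caught this.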
This adds a new microversion to expose the instance action
event details in the
GET /servers/{server_id}/os-instance-actions/{request_id} API.
With the new microversion the "details" key is always returned
with each event dict, but the value may be null because of old
records or events that did not fail.
The details are not constrained by policy like the traceback
field is, since the details are like the fault message on the server
resource when the server is in ERROR status, and the fault
message is likewise not constrained by policy, unlike the fault
details, which are a traceback like the event traceback field.
This commit adds the SYSTEM_READER ('rule: system_reader_api') role
to the Show Server Action Details API. With this default policy,
event fault details can be displayed. It also adds some nova and
non-nova exception functional tests for the os-instance-actions API.
Co-Authored-By: Brin Zhang <zhangbailin@inspur.com>
Implements blueprint action-event-fault-details
Change-Id: I6fe4dd265b0030ce12f92771b255a3d795f03d01
Unlike x86, AArch64 doesn't have a default CPU model.
Usually, when using the libvirt driver with cpu mode set to custom, nova
will call libvirt to return the default models. But for aarch64, the
supported CPU models vary according to machine type.
AArch64 uses "virt" as the default machine type. In QEMU it supports
several models, and we should choose "max" as the default one.
Closes-Bug: #1864588
Change-Id: Ib2df50bda991a659fe10ef1dd9e7ab56800c34fb
Signed-off-by: Kevin Zhao <kevin.zhao@linaro.org>
Current tests do not have good coverage of the existing policies.
Either tests for policies do not exist or, if they exist, they
do not cover the actual negative and positive cases.
For example, for any policy whose default rule is admin only, the
test should verify:
- the policy check passes with a context that is admin or server owner
- the policy check fails with a context that is non-admin and not server owner
As discussed in policy-defaults-refresh, to change the policies
to new default roles and scope_type, we need enough test coverage
of the existing policy behavior.
When we add the scope_type to policies or new default roles,
this test coverage will be extended to adopt the new changes
and also make sure we do not break the existing behavior.
This commit adds test coverage for the existing instance usage audit
log policies.
Partially implements blueprint policy-defaults-refresh
Change-Id: I4a8b935829edb1d7fd7efb0291d71d3a9d2b7abd
Previously virDomainBlockRebase [1] was used by swap_volume to switch
between volumes presented to the compute host as block devices or files.
As outlined in the virDomainBlockCopy [2] documentation, this command is
actually a superset of virDomainBlockRebase in our case:
> This command is a superset of the older virDomainBlockRebase() when used
> with the VIR_DOMAIN_BLOCK_REBASE_COPY flag, and offers better control
> over the destination format, the ability to copy to a destination that
> is not a local file, and the possibility of additional tuning
> parameters.
As such we can switch to virDomainBlockCopy and expand support for
swap_volume outside of just host block devices and files.
To allow swap_volume to support RBD volumes we also need the domain to
use the recently introduced -blockdev support within libvirt >= 6.0.0
and QEMU >= 4.2.0. New MIN_LIBVIRT_BLOCKDEV and MIN_QEMU_BLOCKDEV
version constants are introduced and used to determine when to switch to
the virDomainBlockCopy method of moving between volumes.
[1] https://libvirt.org/html/libvirt-libvirt-domain.html#virDomainBlockRebase
[2] https://libvirt.org/html/libvirt-libvirt-domain.html#virDomainBlockCopy
Closes-Bug: #1868996
Change-Id: I8e8035dcf508f5215bba9b7575c5c6abfe41da31
. Do not delete accelerator requests in stop code paths.
. In the start code path, get the list of accelerator requests from
Cyborg in the compute manager 'power_on'.
. Pass accel_info (said list) to the virt driver power_on.
. In libvirt driver, pass that accel_info to driver power_on.
Change-Id: I8c94504b87aa4450d163fe2b33f6aa0eb5dae5ff
Blueprint: nova-cyborg-interaction
This patch series now works for many VM operations with libvirt:
* Creation, deletion of VM instances.
* Pause/unpause
The following works but is a no-op:
* Lock/unlock
Hard reboots are taken up in a later patch in this series.
Soft reboots work for accelerators unless some unrelated failure
forces a hard reboot in the libvirt driver.
Suspend is not supported yet. It would fail with this error:
libvirtError: Requested operation is not valid:
domain has assigned non-USB host devices
Shelve is not supported yet.
Live migration is not intended to be supported with accelerators now.
Change-Id: Icb95890d8f16cad1f7dc18487a48def2f7c9aec2
Blueprint: nova-cyborg-interaction
Add a table-driven prefilter to transform image metadata into required
traits. This requires a new config option to make the filter optional.
Change-Id: I257ff81e23cdae6f2b62ec3d071b8f8f32d97781
Implements: blueprint image-metadata-prefiltering
Co-Authored-By: Stephen Finucane <sfinucan@redhat.com>
This change extends parsing of domain capability XML to discover the
supported storage and video models. To do this, we alter the behavior of
'_get_storage_bus_traits' to prefer the data from the domain
capabilities API for 'qemu' and 'kvm' virt types, only falling back to
generating the storage traits statically for other virt types.
In addition, we extend the libvirt driver with '_get_video_model_traits'
and '_get_vif_model_traits' functions to generate sets of video models
and VIF models respectively that are supported by this host.
Finally, we start caching the static driver traits in a property to
avoid the need to recalculate them every time 'update_provider_tree' is
called. This is okay since these things will not change during runtime
unless libvirt or QEMU are upgraded, in which case the user really
should be restarting consumers of libvirt such as nova anyway.
Change-Id: I0bdf9ccf7bf3fb1f3136c1e4267b9c99732908d5
Partially-Implements: blueprint image-metadata-prefiltering