From 31980e436b73db18297a295969069cf00bd43754 Mon Sep 17 00:00:00 2001 From: Jan Hartkopf Date: Mon, 10 Oct 2022 10:40:38 +0200 Subject: [PATCH 01/74] Configure option backup_ceph_max_snapshots in Cinder backup Sets the config option backup_ceph_max_snapshots for the Cinder Ceph backup driver to the specified value. Depends-On: https://review.opendev.org/c/openstack/cinder/+/810457 Signed-off-by: Jan Hartkopf Change-Id: I9e12e395288db1fe59490b4075bb2d933ccd4d78 --- lib/cinder_backups/ceph | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lib/cinder_backups/ceph b/lib/cinder_backups/ceph index 4b180490d7..ea9b44fe8c 100644 --- a/lib/cinder_backups/ceph +++ b/lib/cinder_backups/ceph @@ -19,6 +19,7 @@ set +o xtrace # Defaults # -------- +CINDER_BAK_CEPH_MAX_SNAPSHOTS=${CINDER_BAK_CEPH_MAX_SNAPSHOTS:-0} CINDER_BAK_CEPH_POOL=${CINDER_BAK_CEPH_POOL:-backups} CINDER_BAK_CEPH_POOL_PG=${CINDER_BAK_CEPH_POOL_PG:-8} CINDER_BAK_CEPH_POOL_PGP=${CINDER_BAK_CEPH_POOL_PGP:-8} @@ -38,6 +39,7 @@ function configure_cinder_backup_ceph { iniset $CINDER_CONF DEFAULT backup_driver "cinder.backup.drivers.ceph.CephBackupDriver" iniset $CINDER_CONF DEFAULT backup_ceph_conf "$CEPH_CONF_FILE" + iniset $CINDER_CONF DEFAULT backup_ceph_max_snapshots "$CINDER_BAK_CEPH_MAX_SNAPSHOTS" iniset $CINDER_CONF DEFAULT backup_ceph_pool "$CINDER_BAK_CEPH_POOL" iniset $CINDER_CONF DEFAULT backup_ceph_user "$CINDER_BAK_CEPH_USER" iniset $CINDER_CONF DEFAULT backup_ceph_stripe_unit 0 From 7129f3a45e66060d19a250e31fd35156e45a8af8 Mon Sep 17 00:00:00 2001 From: Eric Harney Date: Fri, 10 Jan 2025 11:02:35 -0500 Subject: [PATCH 02/74] Quiet regex SyntaxWarning in mlock_report Use a raw string to avoid SyntaxWarnings being issued by this script. Change-Id: I81557158013aa36fe27235c461486dfbc37c9f27 --- tools/mlock_report.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/mlock_report.py b/tools/mlock_report.py index 1b081bbe6f..8cbda15895 100644 --- a/tools/mlock_report.py +++ b/tools/mlock_report.py @@ -6,7 +6,7 @@ LCK_SUMMARY_REGEX = re.compile( - "^VmLck:\s+(?P[\d]+)\s+kB", re.MULTILINE) + r"^VmLck:\s+(?P[\d]+)\s+kB", re.MULTILINE) def main(): From c4340a64ee35b2b8b5395461b6702ef765786465 Mon Sep 17 00:00:00 2001 From: Gorka Eguileor Date: Fri, 8 Jul 2022 14:08:03 +0200 Subject: [PATCH 03/74] Add support for shared os_brick file lock path There can be problems with some os-brick connectors if nova and cinder run on the same host with different lock path locations, which we currently do, or if Cinder and Glance with cinder store run on the same host, and a recent os-brick change (Ic52338278eb5bb3d90ce582fe6b23f37eb5568c4) allows for an os-brick specific lock_path to facilitate these kind of deployment. This patch adds the ``lock_path`` configuration option in the ``[os_brick]`` section of the nova, cinder, and glance config files. If the os-brick, cinder, nova, or glance-store changes are not present then the new config option is be ignored in the respective service, and it will be used otherwise, so there's no need to make this patch dependent on any other since we won't be worse off than we are now. Change-Id: Ibe7da160460151734224863cddec5e0d549b4938 --- lib/cinder | 16 ++++++++++++++++ stack.sh | 5 +++++ 2 files changed, 21 insertions(+) diff --git a/lib/cinder b/lib/cinder index b557d4b10b..2b565c9535 100644 --- a/lib/cinder +++ b/lib/cinder @@ -59,6 +59,7 @@ else fi CINDER_STATE_PATH=${CINDER_STATE_PATH:=$DATA_DIR/cinder} +OS_BRICK_LOCK_PATH=${OS_BRICK_LOCK_PATH:=$DATA_DIR/os_brick} CINDER_CONF_DIR=/etc/cinder CINDER_CONF=$CINDER_CONF_DIR/cinder.conf @@ -511,6 +512,21 @@ function init_cinder { mkdir -p $CINDER_STATE_PATH/volumes } + +function init_os_brick { + mkdir -p $OS_BRICK_LOCK_PATH + if is_service_enabled cinder; then + iniset $CINDER_CONF os_brick lock_path $OS_BRICK_LOCK_PATH + fi + if is_service_enabled nova; then + iniset $NOVA_CONF os_brick lock_path $OS_BRICK_LOCK_PATH + fi + if is_service_enabled glance; then + iniset $GLANCE_API_CONF os_brick lock_path $OS_BRICK_LOCK_PATH + iniset $GLANCE_CACHE_CONF os_brick lock_path $OS_BRICK_LOCK_PATH + fi +} + # install_cinder() - Collect source and prepare function install_cinder { git_clone $CINDER_REPO $CINDER_DIR $CINDER_BRANCH diff --git a/stack.sh b/stack.sh index 04b5f4ca6a..afca5250d5 100755 --- a/stack.sh +++ b/stack.sh @@ -1005,6 +1005,11 @@ if is_service_enabled tls-proxy; then fix_system_ca_bundle_path fi +if is_service_enabled cinder || [[ "$USE_CINDER_FOR_GLANCE" == "True" ]]; then + # os-brick setup required by glance, cinder, and nova + init_os_brick +fi + # Extras Install # -------------- From 7fedf7f78764542a05429a22e980de4a1486faa1 Mon Sep 17 00:00:00 2001 From: Ivan Anfimov Date: Wed, 7 May 2025 18:17:40 +0000 Subject: [PATCH 04/74] Remove temporary fix for problems with CSS styles Fixed by Horizon side: https://review.opendev.org/c/openstack/horizon/+/949036 Change-Id: I8acb029b0562381cdbe28f0ee32f3aed07de5784 --- files/apache-horizon.template | 1 - 1 file changed, 1 deletion(-) diff --git a/files/apache-horizon.template b/files/apache-horizon.template index 98d02e168e..da7a7d26c3 100644 --- a/files/apache-horizon.template +++ b/files/apache-horizon.template @@ -10,7 +10,6 @@ DocumentRoot %HORIZON_DIR%/.blackhole/ Alias %WEBROOT%/media %HORIZON_DIR%/openstack_dashboard/static Alias %WEBROOT%/static %HORIZON_DIR%/static - Alias /static %HORIZON_DIR%/static RedirectMatch "^/$" "%WEBROOT%/" From 46e14fb1f70e25aada290f6f5648800ec7a147b3 Mon Sep 17 00:00:00 2001 From: Jay Faulkner Date: Sun, 18 May 2025 16:59:13 -0700 Subject: [PATCH 05/74] Bubble up image download failures Currently, we're still returning 0 out of the upload_image method despite the download failing. This changes behavior such that if the image download fails, it returns an exit code of 1 to the caller to be handled (or fail early) accordingly. Change-Id: I901dc065b51946f363145ae888cca602946ceeea --- functions | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/functions b/functions index 42d08d7c4a..829fc86c55 100644 --- a/functions +++ b/functions @@ -147,7 +147,8 @@ function upload_image { if [[ $rc -ne 0 ]]; then if [[ "$attempt" -eq "$max_attempts" ]]; then echo "Not found: $image_url" - return + # Signal failure to download to the caller, so they can fail early + return 1 fi echo "Download failed, retrying in $attempt second, attempt: $attempt" sleep $attempt From 5d41cb1f51cccdbecf375cf84f9893b29f8c3ffc Mon Sep 17 00:00:00 2001 From: Eric Harney Date: Tue, 20 May 2025 13:17:49 -0400 Subject: [PATCH 06/74] Silence SyntaxWarnings in outfilter.py Use raw strings for these regexes. Change-Id: If5d35fa527b464f34a0d2335e5c6b388be726a54 --- tools/outfilter.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/outfilter.py b/tools/outfilter.py index 55f9ee1487..c9907b072a 100644 --- a/tools/outfilter.py +++ b/tools/outfilter.py @@ -26,8 +26,8 @@ import re import sys -IGNORE_LINES = re.compile('(set \+o|xtrace)') -HAS_DATE = re.compile('^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}.\d{3} \|') +IGNORE_LINES = re.compile(r'(set \+o|xtrace)') +HAS_DATE = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}.\d{3} \|') def get_options(): From 0e8042deff33bffbab732f70a66ece162aa470f7 Mon Sep 17 00:00:00 2001 From: Balazs Gibizer Date: Tue, 29 Apr 2025 15:36:28 +0200 Subject: [PATCH 07/74] Add SYSTEMD_ENV_VARS dictionary This will allow to pass env variables from zuul job definitions to to systemd service files via the local conf. The first use case of this is to pass OS_NOVA_DISABLE_EVENTLET_PATCHING=true to nova services that already supports running in native threading mode instead of with Eventlet. During the Eventlet removal effort this will allow us to have separate jobs testing the same service in different concurrency mode. Change-Id: I675043e42006286bb7e1190ea9462fb8d8daa38c --- functions-common | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/functions-common b/functions-common index e265256ccf..db2367cef6 100644 --- a/functions-common +++ b/functions-common @@ -43,6 +43,9 @@ declare -A -g GITREPO declare -A -g GITBRANCH declare -A -g GITDIR +# Systemd service file environment variables per service +declare -A -g SYSTEMD_ENV_VARS + KILL_PATH="$(which kill)" # Save these variables to .stackenv @@ -1642,6 +1645,9 @@ function _run_under_systemd { user=$STACK_USER fi local env_vars="$5" + if [[ -v SYSTEMD_ENV_VARS[$service] ]]; then + env_vars="${SYSTEMD_ENV_VARS[$service]} $env_vars" + fi if [[ "$command" =~ "uwsgi" ]] ; then if [[ "$GLOBAL_VENV" == "True" ]] ; then cmd="$cmd --venv $DEVSTACK_VENV" From d2e309f0481f2e8577737bc2e5d6761a70b93dca Mon Sep 17 00:00:00 2001 From: Takashi Kajinami Date: Tue, 17 Jun 2025 21:15:16 +0900 Subject: [PATCH 08/74] Bump etcd to 3.25.x The etcd project maintains release branches for the current version and pevious release[1]. Because 3.26.0 was already released, 3.24.x is no longer supported. Bump it to the latest bug fix release of 3.25.x . Also, the binary for s390x has been restored upstream so add it back. [1] https://etcd.io/docs/v3.6/op-guide/versioning/ Change-Id: I108466c65bd1ebd1e42c75dfbe9b2173d04ba122 --- stackrc | 22 +++++++--------------- 1 file changed, 7 insertions(+), 15 deletions(-) diff --git a/stackrc b/stackrc index 0319fc8a50..817b445c7f 100644 --- a/stackrc +++ b/stackrc @@ -705,12 +705,11 @@ fi EXTRA_CACHE_URLS="" # etcd3 defaults -ETCD_VERSION=${ETCD_VERSION:-v3.4.27} -ETCD_SHA256_AMD64=${ETCD_SHA256_AMD64:-"a32d21e006252dbc3405b0645ba8468021ed41376974b573285927bf39b39eb9"} -ETCD_SHA256_ARM64=${ETCD_SHA256_ARM64:-"ed7e257c225b9b9545fac22246b97f4074a4b5109676e92dbaebfb9315b69cc0"} -ETCD_SHA256_PPC64=${ETCD_SHA256_PPC64:-"eb8825e0bc2cbaf9e55947f5ee373ebc9ca43b6a2ea5ced3b992c81855fff37e"} -# etcd v3.2.x and later doesn't have anything for s390x -ETCD_SHA256_S390X=${ETCD_SHA256_S390X:-""} +ETCD_VERSION=${ETCD_VERSION:-v3.5.21} +ETCD_SHA256_AMD64=${ETCD_SHA256_AMD64:-"adddda4b06718e68671ffabff2f8cee48488ba61ad82900e639d108f2148501c"} +ETCD_SHA256_ARM64=${ETCD_SHA256_ARM64:-"95bf6918623a097c0385b96f139d90248614485e781ec9bee4768dbb6c79c53f"} +ETCD_SHA256_PPC64=${ETCD_SHA256_PPC64:-"6fb6ecb3d1b331eb177dc610a8efad3aceb1f836d6aeb439ba0bfac5d5c2a38c"} +ETCD_SHA256_S390X=${ETCD_SHA256_S390X:-"a211a83961ba8a7e94f7d6343ad769e699db21a715ba4f3b68cf31ea28f9c951"} # Make sure etcd3 downloads the correct architecture if is_arch "x86_64"; then ETCD_ARCH="amd64" @@ -722,15 +721,8 @@ elif is_arch "ppc64le"; then ETCD_ARCH="ppc64le" ETCD_SHA256=${ETCD_SHA256:-$ETCD_SHA256_PPC64} elif is_arch "s390x"; then - # An etcd3 binary for s390x is not available on github like it is - # for other arches. Only continue if a custom download URL was - # provided. - if [[ -n "${ETCD_DOWNLOAD_URL}" ]]; then - ETCD_ARCH="s390x" - ETCD_SHA256=${ETCD_SHA256:-$ETCD_SHA256_S390X} - else - exit_distro_not_supported "etcd3. No custom ETCD_DOWNLOAD_URL provided." - fi + ETCD_ARCH="s390x" + ETCD_SHA256=${ETCD_SHA256:-$ETCD_SHA256_S390X} else exit_distro_not_supported "invalid hardware type - $ETCD_ARCH" fi From 5822439d95b02a7033f6333cda1dfafdc342b852 Mon Sep 17 00:00:00 2001 From: Jay Faulkner Date: Wed, 18 Jun 2025 08:20:50 -0700 Subject: [PATCH 09/74] Update base OS recommendation to 24.04 This is what all of OpenStack tests on now, it's likely a better choice for a default. Worth noting 22.04 doesn't work for latest-ironic (at least). Change-Id: Ibe4c1d4416dded4ac3280cb6ef423b0792b584ab --- doc/source/index.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/source/index.rst b/doc/source/index.rst index 70871ef876..a07bb84922 100644 --- a/doc/source/index.rst +++ b/doc/source/index.rst @@ -40,7 +40,7 @@ Start with a clean and minimal install of a Linux system. DevStack attempts to support the two latest LTS releases of Ubuntu, Rocky Linux 9 and openEuler. -If you do not have a preference, Ubuntu 22.04 (Jammy) is the +If you do not have a preference, Ubuntu 24.04 (Noble) is the most tested, and will probably go the smoothest. Add Stack User (optional) From a8aecbad4f7f4cd4b6ddc57b78844cede5325d4d Mon Sep 17 00:00:00 2001 From: Takashi Kajinami Date: Sat, 23 Nov 2024 21:50:13 +0900 Subject: [PATCH 10/74] Allow installing etcd3gw from source ... to enable forward testing in etcd3gw. Change-Id: I249243fc913a82c28d096ef48aacecd07f2c2694 --- lib/libraries | 9 +++++++-- stackrc | 4 ++++ tests/test_libs_from_pypi.sh | 2 +- 3 files changed, 12 insertions(+), 3 deletions(-) diff --git a/lib/libraries b/lib/libraries index fa418785dd..c3248f11b2 100755 --- a/lib/libraries +++ b/lib/libraries @@ -27,6 +27,7 @@ GITDIR["castellan"]=$DEST/castellan GITDIR["cliff"]=$DEST/cliff GITDIR["cursive"]=$DEST/cursive GITDIR["debtcollector"]=$DEST/debtcollector +GITDIR["etcd3gw"]=$DEST/etcd3gw GITDIR["futurist"]=$DEST/futurist GITDIR["openstacksdk"]=$DEST/openstacksdk GITDIR["os-client-config"]=$DEST/os-client-config @@ -131,8 +132,12 @@ function install_libs { # python client libraries we might need from git can go here _install_lib_from_source "python-barbicanclient" - # etcd (because tooz does not have a hard dependency on these) - pip_install etcd3gw + if use_library_from_git etcd3gw ; then + _install_lib_from_source "etcd3gw" + else + # etcd (because tooz does not have a hard dependency on these) + pip_install etcd3gw + fi } # Restore xtrace diff --git a/stackrc b/stackrc index c05d4e2d98..ddd623fc06 100644 --- a/stackrc +++ b/stackrc @@ -395,6 +395,10 @@ GITBRANCH["futurist"]=${FUTURIST_BRANCH:-$TARGET_BRANCH} GITREPO["debtcollector"]=${DEBTCOLLECTOR_REPO:-${GIT_BASE}/openstack/debtcollector.git} GITBRANCH["debtcollector"]=${DEBTCOLLECTOR_BRANCH:-$TARGET_BRANCH} +# etcd3gw library +GITREPO["etcd3gw"]=${ETCD3GW_REPO:-${GIT_BASE}/openstack/etcd3gw.git} +GITBRANCH["etcd3gw"]=${ETCD3GW_BRANCH:-$BRANCHLESS_TARGET_BRANCH} + # helpful state machines GITREPO["automaton"]=${AUTOMATON_REPO:-${GIT_BASE}/openstack/automaton.git} GITBRANCH["automaton"]=${AUTOMATON_BRANCH:-$TARGET_BRANCH} diff --git a/tests/test_libs_from_pypi.sh b/tests/test_libs_from_pypi.sh index 839e3a1328..9552c93c4f 100755 --- a/tests/test_libs_from_pypi.sh +++ b/tests/test_libs_from_pypi.sh @@ -45,7 +45,7 @@ ALL_LIBS+=" oslo.cache oslo.reports osprofiler cursive" ALL_LIBS+=" keystoneauth ironic-lib neutron-lib oslo.privsep" ALL_LIBS+=" diskimage-builder os-vif python-brick-cinderclient-ext" ALL_LIBS+=" castellan python-barbicanclient ovsdbapp os-ken os-resource-classes" -ALL_LIBS+=" oslo.limit" +ALL_LIBS+=" oslo.limit etcd3gw" # Generate the above list with # echo ${!GITREPO[@]} From 06633c6c3033cc92329e1849266f4f2ed33d2124 Mon Sep 17 00:00:00 2001 From: Artem Goncharov Date: Fri, 27 Jun 2025 15:05:51 +0200 Subject: [PATCH 11/74] Restart slapd after cleanup A bug in openldap mdb (memory database) causes it to crash in an attempt to delete nonexisting tree, which is exactly what we do in the cleanup. After the coredump it does not start automatically (what maybe make sense to change). The fix is merged in https://bugs.openldap.org/show_bug.cgi?id=10336 but we do not have this fix in Noble. For now try simply to restart the process. Change-Id: Iae597aae345d12a2c82f66342ff40ac0a387eddf Signed-off-by: Artem Goncharov --- lib/ldap | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/lib/ldap b/lib/ldap index b0195db258..66c2afc4d5 100644 --- a/lib/ldap +++ b/lib/ldap @@ -82,6 +82,14 @@ function init_ldap { # Remove data but not schemas clear_ldap_state + if is_ubuntu; then + # a bug in OpenLDAP 2.6.7+ + # (https://bugs.openldap.org/show_bug.cgi?id=10336) causes slapd crash + # after deleting nonexisting tree. It is fixed upstream, but Ubuntu is + # still not having a fix in Noble. Try temporarily simly restarting the + # process. + sudo service $LDAP_SERVICE_NAME restart + fi # Add our top level ldap nodes if ldapsearch -x -w $LDAP_PASSWORD -D "$LDAP_MANAGER_DN" -H $LDAP_URL -b "$LDAP_BASE_DN" | grep -q "Success"; then From 47aa8d1744dad23c4ace34a7edbff78360fb0079 Mon Sep 17 00:00:00 2001 From: Takashi Kajinami Date: Sat, 12 Jul 2025 00:25:42 +0900 Subject: [PATCH 12/74] Drop unused [service_user] auth_strategy The option does not actually exist. Change-Id: I659bba38ca038fa370a411ae43ca942b6390c779 Signed-off-by: Takashi Kajinami --- lib/cinder | 1 - lib/nova | 1 - 2 files changed, 2 deletions(-) diff --git a/lib/cinder b/lib/cinder index b557d4b10b..eb8a63dbfc 100644 --- a/lib/cinder +++ b/lib/cinder @@ -732,7 +732,6 @@ function configure_cinder_volume_upload { function init_cinder_service_user_conf { configure_keystone_authtoken_middleware $CINDER_CONF cinder service_user iniset $CINDER_CONF service_user send_service_user_token True - iniset $CINDER_CONF service_user auth_strategy keystone } # Restore xtrace diff --git a/lib/nova b/lib/nova index 810a3d9554..2357d87ee3 100644 --- a/lib/nova +++ b/lib/nova @@ -843,7 +843,6 @@ function init_nova_service_user_conf { iniset $NOVA_CONF service_user user_domain_name "$SERVICE_DOMAIN_NAME" iniset $NOVA_CONF service_user project_name "$SERVICE_PROJECT_NAME" iniset $NOVA_CONF service_user project_domain_name "$SERVICE_DOMAIN_NAME" - iniset $NOVA_CONF service_user auth_strategy keystone } function conductor_conf { From e221349e56414e1cb89c75311bf659bd869e16a7 Mon Sep 17 00:00:00 2001 From: Grzegorz Grasza Date: Mon, 14 Jul 2025 12:37:23 +0200 Subject: [PATCH 13/74] keystone: Set user_enabled_default for LDAP domain When using the LDAP identity backend, stack.sh fails during the create_keystone_accounts phase when trying to verify the newly created demo user. This is caused by a BadRequestException from the Keystone API with the error, 'enabled' is a required property. The error occurs because the default LDAP user object created by the DevStack scripts does not contain an attribute that Keystone can map to its mandatory enabled property. This change fixes the issue by adding user_enabled_emulation = True to the domain-specific LDAP configuration in the create_ldap_domain function. This tells Keystone to assume a user is enabled if the attribute is not explicitly defined in their LDAP entry, which resolves the schema incompatibility and allows the script to complete successfully. Signed-off-by: Grzegorz Grasza Change-Id: I15ddf0b88ee93615c318d4845a026ca1e25c3e69 --- lib/keystone | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/keystone b/lib/keystone index 8371045026..0311e24c67 100644 --- a/lib/keystone +++ b/lib/keystone @@ -608,6 +608,7 @@ function create_ldap_domain { iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user_name_attribute "cn" iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user_mail_attribute "mail" iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user_id_attribute "uid" + iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user_enabled_emulation "True" iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap user "cn=Manager,dc=openstack,dc=org" iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap url "ldap://localhost" iniset $KEYSTONE_LDAP_DOMAIN_FILE ldap suffix $LDAP_BASE_DN From 9c180f2f060bfed65bc1b24c16010466b48dc0da Mon Sep 17 00:00:00 2001 From: Ghanshyam Mann Date: Fri, 4 Jul 2025 11:40:38 -0700 Subject: [PATCH 14/74] Configure 'manager' role in tempest In this release, nova is implementing the manager role in policy[depends-on], and Tempest added (depends-on) a new config option to decide if new defaults are present in testing env. Setting the manager role availability in Tempest so that test can use manager role user to perform the required operation in nova. Depends-On: https://review.opendev.org/c/openstack/nova/+/953063 Depends-On: https://review.opendev.org/c/openstack/tempest/+/953265 Change-Id: I69e32c7de5a63df1c21979f748b77e512068eeec Signed-off-by: Ghanshyam Mann --- lib/tempest | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/lib/tempest b/lib/tempest index c9486f6310..286cb56d41 100644 --- a/lib/tempest +++ b/lib/tempest @@ -524,6 +524,10 @@ function configure_tempest { iniset $TEMPEST_CONFIG compute-feature-enabled serial_console True fi + # NOTE(gmaan): Since 2025.2, 'manager' role is available in nova. + local nova_policy_roles="admin,manager,member,reader" + iniset $TEMPEST_CONFIG compute-feature-enabled nova_policy_roles $nova_policy_roles + # Network iniset $TEMPEST_CONFIG network project_networks_reachable false iniset $TEMPEST_CONFIG network public_network_id "$public_network_id" From 6180e73702cfef2011c32f315cde97128a4b7eec Mon Sep 17 00:00:00 2001 From: Rodolfo Alonso Hernandez Date: Thu, 26 Jun 2025 07:56:44 +0000 Subject: [PATCH 15/74] Replace the OVN Metadata agent with the OVN agent The OVN Metadata agent is replaced in any CI job with the OVN agent. This is an incremental step on the deprecation of the OVN Metadata agent. Related-Bug: #2112313 Signed-off-by: Rodolfo Alonso Hernandez Change-Id: I4e8d12762099c91d773c4f5e5699bc9fed43a9c9 --- .zuul.yaml | 4 ++-- lib/neutron_plugins/ovn_agent | 3 ++- stackrc | 2 +- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/.zuul.yaml b/.zuul.yaml index 9552fa3b47..9f9c69c925 100644 --- a/.zuul.yaml +++ b/.zuul.yaml @@ -620,7 +620,7 @@ ovsdb-server: true # Neutron services q-svc: true - q-ovn-metadata-agent: true + q-ovn-agent: true # Swift services s-account: true s-container: true @@ -657,7 +657,7 @@ ovs-vswitchd: true ovsdb-server: true # Neutron services - q-ovn-metadata-agent: true + q-ovn-agent: true # Cinder services c-bak: true c-vol: true diff --git a/lib/neutron_plugins/ovn_agent b/lib/neutron_plugins/ovn_agent index e58cd4fb38..b128fde2b6 100644 --- a/lib/neutron_plugins/ovn_agent +++ b/lib/neutron_plugins/ovn_agent @@ -96,8 +96,9 @@ OVN_META_CONF=$NEUTRON_CONF_DIR/neutron_ovn_metadata_agent.ini OVN_META_DATA_HOST=${OVN_META_DATA_HOST:-$(ipv6_unquote $SERVICE_HOST)} # OVN agent configuration +# The OVN agent is configured, by default, with the "metadata" extension. OVN_AGENT_CONF=$NEUTRON_CONF_DIR/plugins/ml2/ovn_agent.ini -OVN_AGENT_EXTENSIONS=${OVN_AGENT_EXTENSIONS:-} +OVN_AGENT_EXTENSIONS=${OVN_AGENT_EXTENSIONS:-metadata} # If True (default) the node will be considered a gateway node. ENABLE_CHASSIS_AS_GW=$(trueorfalse True ENABLE_CHASSIS_AS_GW) diff --git a/stackrc b/stackrc index 0319fc8a50..325af580ad 100644 --- a/stackrc +++ b/stackrc @@ -75,7 +75,7 @@ if ! isset ENABLED_SERVICES ; then # OVN ENABLED_SERVICES+=,ovn-controller,ovn-northd,ovs-vswitchd,ovsdb-server # Neutron - ENABLED_SERVICES+=,q-svc,q-ovn-metadata-agent + ENABLED_SERVICES+=,q-svc,q-ovn-agent # Dashboard ENABLED_SERVICES+=,horizon # Additional services From a8f98073b97a2485a7505ebe36dba9cad1e0a7e1 Mon Sep 17 00:00:00 2001 From: Rodolfo Alonso Hernandez Date: Thu, 17 Jul 2025 10:20:27 +0000 Subject: [PATCH 16/74] Fix the nodeset "devstack-single-node-opensuse-15" The label "opensuse-15" is no longer available since [1]. Since there are pending references to this nodeset from older branches, use an empty node list for it to fix the zuul config until all references can be dropped. [1]https://review.opendev.org/c/openstack/project-config/+/955214 Signed-off-by: Rodolfo Alonso Hernandez Change-Id: I2f5105178482402aa108910d1bd1ec2f2c7c8933 --- .zuul.yaml | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/.zuul.yaml b/.zuul.yaml index 9552fa3b47..693edffe6e 100644 --- a/.zuul.yaml +++ b/.zuul.yaml @@ -48,15 +48,10 @@ nodes: - controller +# TODO(frickler): drop this dummy nodeset once all references have been removed - nodeset: name: devstack-single-node-opensuse-15 - nodes: - - name: controller - label: opensuse-15 - groups: - - name: tempest - nodes: - - controller + nodes: [] - nodeset: name: devstack-single-node-debian-bookworm From bab34bbade0da8f6b7f3fd23628522ec24688807 Mon Sep 17 00:00:00 2001 From: Christian Schwede Date: Mon, 21 Jul 2025 14:47:30 +0200 Subject: [PATCH 17/74] Add Swift storage policy to extend testing Swift supports storage policies for a long time, making it possible to store specific objects on different devices[1]. This patch adds a second storage policy to support testing API features that rely on storage policies, eg. per-policy quotas[2]. There are no additional Swift devices created and the existing ones are re-used to keep the overhead to the minimum. [1] https://docs.openstack.org/swift/latest/overview_policies.html [2] https://github.com/openstack/swift/commit/cbba65ac Signed-off-by: Christian Schwede Change-Id: I6b1a35dbf1490b25e103f008eb058f406f0a24ea --- lib/swift | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/lib/swift b/lib/swift index 862927437d..9532efb45c 100644 --- a/lib/swift +++ b/lib/swift @@ -477,6 +477,9 @@ function configure_swift { iniset ${SWIFT_CONF_DIR}/swift.conf swift-constraints max_header_size ${SWIFT_MAX_HEADER_SIZE} iniset ${SWIFT_CONF_DIR}/swift.conf swift-constraints max_file_size ${SWIFT_MAX_FILE_SIZE} + # Create an additional storage policy + iniset ${SWIFT_CONF_DIR}/swift.conf storage-policy:1 name silver + local node_number for node_number in ${SWIFT_REPLICAS_SEQ}; do local swift_node_config=${SWIFT_CONF_DIR}/object-server/${node_number}.conf @@ -713,6 +716,10 @@ function init_swift { $SWIFT_BIN_DIR/swift-ring-builder object.builder rebalance 42 $SWIFT_BIN_DIR/swift-ring-builder container.builder rebalance 42 $SWIFT_BIN_DIR/swift-ring-builder account.builder rebalance 42 + + # An additional storage policy requires an object ring as well. + # Re-using the previously created one to use the same devices. + cp object.ring.gz object-1.ring.gz } && popd >/dev/null } From bfa9e547a901df5dd74926385010421157b6fca7 Mon Sep 17 00:00:00 2001 From: Ghanshyam Maan Date: Sat, 26 Jul 2025 00:58:51 +0000 Subject: [PATCH 18/74] Avoid setting iso image in tempest config Tempest use image_ref and image_ref_alt as their base image to run test against and perform ssh etc. Most of the iso image require ssh to be enabled explicitly so avoid setting them as image_ref and image_ref_alt unless it is explicitly requested. One example that how setting iso image in tempest can fail tests- https://review.opendev.org/c/openstack/tempest/+/954404 Needed-By: https://review.opendev.org/c/openstack/whitebox-tempest-plugin/+/955950 Change-Id: Ic385a702758d9d38880ec92cfdce2528766fc95d Signed-off-by: Ghanshyam Maan --- lib/tempest | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/lib/tempest b/lib/tempest index c9486f6310..cac2633324 100644 --- a/lib/tempest +++ b/lib/tempest @@ -105,6 +105,8 @@ TEMPEST_CONCURRENCY=${TEMPEST_CONCURRENCY:-$(nproc)} TEMPEST_FLAVOR_RAM=${TEMPEST_FLAVOR_RAM:-192} TEMPEST_FLAVOR_ALT_RAM=${TEMPEST_FLAVOR_ALT_RAM:-256} +TEMPEST_USE_ISO_IMAGE=$(trueorfalse False TEMPEST_USE_ISO_IMAGE) + # Functions # --------- @@ -161,12 +163,20 @@ function get_active_images { # start with a fresh array in case we are called multiple times img_array=() - while read -r IMAGE_NAME IMAGE_UUID; do + # NOTE(gmaan): Most of the iso image require ssh to be enabled explicitly + # and if we set those iso images in image_ref and image_ref_alt that can + # cause test to fail because many tests using image_ref and image_ref_alt + # to boot server also perform ssh. We skip to set iso image in tempest + # unless it is requested via TEMPEST_USE_ISO_IMAGE. + while read -r IMAGE_NAME IMAGE_UUID DISK_FORMAT; do + if [[ "$DISK_FORMAT" == "iso" ]] && [[ "$TEMPEST_USE_ISO_IMAGE" == False ]]; then + continue + fi if [ "$IMAGE_NAME" = "$DEFAULT_IMAGE_NAME" ]; then img_id="$IMAGE_UUID" fi img_array+=($IMAGE_UUID) - done < <(openstack --os-cloud devstack-admin image list --property status=active | awk -F'|' '!/^(+--)|ID|aki|ari/ { print $3,$2 }') + done < <(openstack --os-cloud devstack-admin image list --long --property status=active | awk -F'|' '!/^(+--)|ID|aki|ari/ { print $3,$2,$4 }') } function poll_glance_images { From 5c338f47d57fe849215d6b9f5c1f4eb53c193ab1 Mon Sep 17 00:00:00 2001 From: Takashi Kajinami Date: Mon, 4 Aug 2025 23:31:17 +0900 Subject: [PATCH 19/74] Fix uninialized os_VENDOR ... to fix the wrong libvirt group name detected. Closes-Bug: #2119496 Change-Id: I2988fcb5010f333eab5a88b83ff14aab1cb15ebd Signed-off-by: Takashi Kajinami --- stackrc | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/stackrc b/stackrc index 0319fc8a50..44bc6b321d 100644 --- a/stackrc +++ b/stackrc @@ -615,6 +615,11 @@ case "$VIRT_DRIVER" in LIBVIRT_TYPE=${LIBVIRT_TYPE:-kvm} LIBVIRT_CPU_MODE=${LIBVIRT_CPU_MODE:-custom} LIBVIRT_CPU_MODEL=${LIBVIRT_CPU_MODEL:-Nehalem} + + if [[ -z "$os_VENDOR" ]]; then + GetOSVersion + fi + if [[ "$os_VENDOR" =~ (Debian|Ubuntu) ]]; then # The groups change with newer libvirt. Older Ubuntu used # 'libvirtd', but now uses libvirt like Debian. Do a quick check From 90b0a6760ba95e8b2fa4a43dda1d0eeb56c00f2d Mon Sep 17 00:00:00 2001 From: Takashi Kajinami Date: Tue, 5 Aug 2025 12:55:21 +0900 Subject: [PATCH 20/74] Drop old libvirt group detection for Ubuntu/Debian The "libvirtd" group was used in quite old Ubuntu such as Xenial, and the "libvirt" group is used instead in recent versions. Change-Id: I2df747d54d3cb395c245ecc2aa24dcbf395e7a46 Signed-off-by: Takashi Kajinami --- stackrc | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/stackrc b/stackrc index 44bc6b321d..811a285d19 100644 --- a/stackrc +++ b/stackrc @@ -621,11 +621,7 @@ case "$VIRT_DRIVER" in fi if [[ "$os_VENDOR" =~ (Debian|Ubuntu) ]]; then - # The groups change with newer libvirt. Older Ubuntu used - # 'libvirtd', but now uses libvirt like Debian. Do a quick check - # to see if libvirtd group already exists to handle grenade's case. - LIBVIRT_GROUP=$(cut -d ':' -f 1 /etc/group | grep 'libvirtd$' || true) - LIBVIRT_GROUP=${LIBVIRT_GROUP:-libvirt} + LIBVIRT_GROUP=libvirt else LIBVIRT_GROUP=libvirtd fi From ec96b1a067684bf729f4dbd84dce9db02171b234 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Din=C3=A7er=20=C3=87elik?= Date: Wed, 6 Aug 2025 12:27:15 +0300 Subject: [PATCH 21/74] Fix default settings for Ubuntu aarch64 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Closes-Bug: #2080957 Change-Id: I441897937253f8d44144fa7f5f4622f42bf74a5f Signed-off-by: Dinçer Çelik --- lib/nova_plugins/functions-libvirt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/nova_plugins/functions-libvirt b/lib/nova_plugins/functions-libvirt index 35840539da..c0713f9953 100644 --- a/lib/nova_plugins/functions-libvirt +++ b/lib/nova_plugins/functions-libvirt @@ -71,7 +71,7 @@ function install_libvirt { if is_ubuntu; then install_package qemu-system libvirt-clients libvirt-daemon-system libvirt-dev python3-libvirt systemd-coredump if is_arch "aarch64"; then - install_package qemu-efi + install_package qemu-efi-aarch64 fi #pip_install_gr elif is_fedora; then From 4f065ca80e4589513ca639cb39d3899943698b41 Mon Sep 17 00:00:00 2001 From: Stephen Finucane Date: Tue, 13 May 2025 14:56:44 +0100 Subject: [PATCH 22/74] Replace use of fgrep It is deprecated. Change-Id: Iad071865361d51c148fc157d715bdf517ec5b94b Signed-off-by: Stephen Finucane --- stack.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stack.sh b/stack.sh index 04b5f4ca6a..a06c7be9a7 100755 --- a/stack.sh +++ b/stack.sh @@ -356,7 +356,7 @@ async_init # Certain services such as rabbitmq require that the local hostname resolves # correctly. Make sure it exists in /etc/hosts so that is always true. LOCAL_HOSTNAME=`hostname -s` -if ! fgrep -qwe "$LOCAL_HOSTNAME" /etc/hosts; then +if ! grep -Fqwe "$LOCAL_HOSTNAME" /etc/hosts; then sudo sed -i "s/\(^127.0.0.1.*\)/\1 $LOCAL_HOSTNAME/" /etc/hosts fi From 67fa02fc5fd6a8786baff61695a578338462b3d3 Mon Sep 17 00:00:00 2001 From: Stephen Finucane Date: Wed, 6 Aug 2025 10:53:32 +0100 Subject: [PATCH 23/74] Remove requirement on system oslo.utils This was only working because the noVNC package on Ubuntu pulls in oslo.utils. Change-Id: I3733df3e2667f16082b3ff57d39cf086d81fbe02 Signed-off-by: Stephen Finucane --- tools/verify-ipv6-address.py | 41 +++++++++++++++++++++++++++ tools/verify-ipv6-only-deployments.sh | 24 ++++++---------- 2 files changed, 49 insertions(+), 16 deletions(-) create mode 100644 tools/verify-ipv6-address.py diff --git a/tools/verify-ipv6-address.py b/tools/verify-ipv6-address.py new file mode 100644 index 0000000000..dc18fa6d8a --- /dev/null +++ b/tools/verify-ipv6-address.py @@ -0,0 +1,41 @@ +#!/usr/bin/env python3 + +import argparse +import ipaddress +import sys + +def main(): + parser = argparse.ArgumentParser( + description="Check if a given string is a valid IPv6 address.", + formatter_class=argparse.RawTextHelpFormatter, + ) + parser.add_argument( + "address", + help=( + "The IPv6 address string to validate.\n" + "Examples:\n" + " 2001:0db8:85a3:0000:0000:8a2e:0370:7334\n" + " 2001:db8::1\n" + " ::1\n" + " fe80::1%eth0 (scope IDs are handled)" + ), + ) + args = parser.parse_args() + + try: + # try to create a IPv6Address: if we fail to parse or get an + # IPv4Address then die + ip_obj = ipaddress.ip_address(args.address.strip('[]')) + if isinstance(ip_obj, ipaddress.IPv6Address): + sys.exit(0) + else: + sys.exit(1) + except ValueError: + sys.exit(1) + except Exception as e: + print(f"An unexpected error occurred during validation: {e}", file=sys.stderr) + sys.exit(1) + + +if __name__ == "__main__": + main() diff --git a/tools/verify-ipv6-only-deployments.sh b/tools/verify-ipv6-only-deployments.sh index 0f0cba8afe..a1acecbb3f 100755 --- a/tools/verify-ipv6-only-deployments.sh +++ b/tools/verify-ipv6-only-deployments.sh @@ -33,28 +33,23 @@ function verify_devstack_ipv6_setting { echo $TUNNEL_IP_VERSION "TUNNEL_IP_VERSION is not set to 6 so TUNNEL_ENDPOINT_IP cannot be an IPv6 address." exit 1 fi - is_service_host_ipv6=$(python3 -c 'import oslo_utils.netutils as nutils; print(nutils.is_valid_ipv6("'$_service_host'"))') - if [[ "$is_service_host_ipv6" != "True" ]]; then + if ! python3 ${TOP_DIR}/tools/verify-ipv6-address.py "$_service_host"; then echo $SERVICE_HOST "SERVICE_HOST is not IPv6 which means devstack cannot deploy services on IPv6 addresses." exit 1 fi - is_host_ipv6=$(python3 -c 'import oslo_utils.netutils as nutils; print(nutils.is_valid_ipv6("'$_host_ipv6'"))') - if [[ "$is_host_ipv6" != "True" ]]; then + if ! python3 ${TOP_DIR}/tools/verify-ipv6-address.py "$_host_ipv6"; then echo $HOST_IPV6 "HOST_IPV6 is not IPv6 which means devstack cannot deploy services on IPv6 addresses." exit 1 fi - is_service_listen_address=$(python3 -c 'import oslo_utils.netutils as nutils; print(nutils.is_valid_ipv6("'$_service_listen_address'"))') - if [[ "$is_service_listen_address" != "True" ]]; then + if ! python3 ${TOP_DIR}/tools/verify-ipv6-address.py "$_service_listen_address"; then echo $SERVICE_LISTEN_ADDRESS "SERVICE_LISTEN_ADDRESS is not IPv6 which means devstack cannot deploy services on IPv6 addresses." exit 1 fi - is_service_local_host=$(python3 -c 'import oslo_utils.netutils as nutils; print(nutils.is_valid_ipv6("'$_service_local_host'"))') - if [[ "$is_service_local_host" != "True" ]]; then + if ! python3 ${TOP_DIR}/tools/verify-ipv6-address.py "$_service_local_host"; then echo $SERVICE_LOCAL_HOST "SERVICE_LOCAL_HOST is not IPv6 which means devstack cannot deploy services on IPv6 addresses." exit 1 fi - is_tunnel_endpoint_ip=$(python3 -c 'import oslo_utils.netutils as nutils; print(nutils.is_valid_ipv6("'$_tunnel_endpoint_ip'"))') - if [[ "$is_tunnel_endpoint_ip" != "True" ]]; then + if ! python3 ${TOP_DIR}/tools/verify-ipv6-address.py "$_tunnel_endpoint_ip"; then echo $TUNNEL_ENDPOINT_IP "TUNNEL_ENDPOINT_IP is not IPv6 which means devstack will not deploy with an IPv6 endpoint address." exit 1 fi @@ -63,8 +58,7 @@ function verify_devstack_ipv6_setting { } function sanity_check_system_ipv6_enabled { - system_ipv6_enabled=$(python3 -c 'import oslo_utils.netutils as nutils; print(nutils.is_ipv6_enabled())') - if [[ $system_ipv6_enabled != "True" ]]; then + if [ ! -f "/proc/sys/net/ipv6/conf/default/disable_ipv6" ] || [ "$(cat /proc/sys/net/ipv6/conf/default/disable_ipv6)" -ne "0" ]; then echo "IPv6 is disabled in system" exit 1 fi @@ -78,10 +72,8 @@ function verify_service_listen_address_is_ipv6 { for endpoint in ${endpoints}; do local endpoint_address='' endpoint_address=$(echo "$endpoint" | awk -F/ '{print $3}' | awk -F] '{print $1}') - endpoint_address=$(echo $endpoint_address | tr -d []) - local is_endpoint_ipv6='' - is_endpoint_ipv6=$(python3 -c 'import oslo_utils.netutils as nutils; print(nutils.is_valid_ipv6("'$endpoint_address'"))') - if [[ "$is_endpoint_ipv6" != "True" ]]; then + endpoint_address=$(echo $endpoint_address | tr -d '[]') + if ! python3 ${TOP_DIR}/tools/verify-ipv6-address.py "$endpoint_address"; then all_ipv6=False echo $endpoint ": This is not an IPv6 endpoint which means corresponding service is not listening on an IPv6 address." continue From b6bf0b126b46042341cc3d47a92ad9b0d9b9a523 Mon Sep 17 00:00:00 2001 From: Sean Mooney Date: Tue, 5 Aug 2025 16:44:26 +0000 Subject: [PATCH 24/74] Use novnc from source by default This change restores the default devstack behavior in the zuul jobs by removing the override of NOVNC_FROM_PACKAGE from devstack-base. When installed locally, devstack defaults to installing novnc from git. As reported in bug #2109592, Ubuntu and possibly other distros have a packaging bug where the python3-novnc package 1) exists and 2) depends on `oslo.config` and, as a result, `oslo.utils`. The reason python3-novnc existing is a bug is that novnc has not had any Python deliverable since the 0.6.0 release around 2016. So this package is no longer used and is effectively empty since novnc fully moved to using JavaScript. For unrelated reasons, devstack creates the global venv with --site-packages to install `libvirt-python`, which also means that any other Python dependencies installed at the system level also infect the devstack venv. In the past, this was not a problem, but as of epoxy, Nova requires a newer version of oslo than Ubuntu provides in the distro package. This is where the python3-novnc package and its incorrect dependency on oslo breaks CI. This is not seen locally, as devstack uses novnc from git. This change makes CI do that also. Closes-Bug: #2109592 Change-Id: I8f018e1e57e3f54997d2cf55b1b3aa728e82899b Signed-off-by: Sean Mooney --- .zuul.yaml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.zuul.yaml b/.zuul.yaml index b42c800068..eee450a6ad 100644 --- a/.zuul.yaml +++ b/.zuul.yaml @@ -352,6 +352,12 @@ nodes (everything but the controller). required-projects: - opendev.org/openstack/devstack + # this is a workaround for a packaging bug in ubuntu + # remove when https://bugs.launchpad.net/nova/+bug/2109592 + # is resolved and oslo.config is not a dep of the novnc deb + # via the defunct python3-novnc package. + - novnc/novnc + roles: - zuul: opendev.org/openstack/openstack-zuul-jobs vars: @@ -369,7 +375,6 @@ LOG_COLOR: false VERBOSE: true VERBOSE_NO_TIMESTAMP: true - NOVNC_FROM_PACKAGE: true ERROR_ON_CLONE: true # Gate jobs can't deal with nested virt. Disable it by default. LIBVIRT_TYPE: '{{ devstack_libvirt_type | default("qemu") }}' @@ -442,7 +447,6 @@ LOG_COLOR: false VERBOSE: true VERBOSE_NO_TIMESTAMP: true - NOVNC_FROM_PACKAGE: true ERROR_ON_CLONE: true LIBVIRT_TYPE: qemu devstack_services: From 3b3aab52646e7a7ed737716efbfbe7fbef170911 Mon Sep 17 00:00:00 2001 From: Joel Capitao Date: Fri, 8 Nov 2024 16:11:06 +0000 Subject: [PATCH 25/74] Support CentOS Stream 10 This patch includes changes required to run devstack on CentOS Stream 10 which has been already published in official repos by CentOS team [1]: - Add RDO deps repository for CS10. - remove xinetd package from installation for swift. Note that rsync-daemon is installed which should work fine. - Use python3-distro to identify the distro - Add devstack-single-node-centos-10-stream nodeset - Add devstack-platform-centos-10-stream job to the check pipeline. Closes https://issues.redhat.com/browse/RDO-379 [1] https://mirror.stream.centos.org/10-stream/ Change-Id: I33a6c5530482c28a24f2043cd4195e7bcd46427d Signed-off-by: Cyril Roelandt Signed-off-by: Sean Mooney --- .zuul.yaml | 50 ++++++++++++++++++++++++++++++++++++++++++++ files/rpms/general | 8 ++++--- files/rpms/n-cpu | 2 +- files/rpms/nova | 2 +- files/rpms/swift | 2 +- functions-common | 11 +++++----- stack.sh | 14 +++++++++---- tools/install_pip.sh | 2 +- 8 files changed, 74 insertions(+), 17 deletions(-) diff --git a/.zuul.yaml b/.zuul.yaml index eee450a6ad..3deab35e87 100644 --- a/.zuul.yaml +++ b/.zuul.yaml @@ -38,6 +38,16 @@ nodes: - controller +- nodeset: + name: devstack-single-node-centos-10-stream + nodes: + - name: controller + label: centos-10-stream-8GB + groups: + - name: tempest + nodes: + - controller + - nodeset: name: devstack-single-node-centos-9-stream nodes: @@ -86,6 +96,36 @@ nodes: - controller +- nodeset: + name: openstack-two-node-centos-10-stream + nodes: + - name: controller + label: centos-10-stream-8GB + - name: compute1 + label: centos-10-stream-8GB + groups: + # Node where tests are executed and test results collected + - name: tempest + nodes: + - controller + # Nodes running the compute service + - name: compute + nodes: + - controller + - compute1 + # Nodes that are not the controller + - name: subnode + nodes: + - compute1 + # Switch node for multinode networking setup + - name: switch + nodes: + - controller + # Peer nodes for multinode networking setup + - name: peers + nodes: + - compute1 + - nodeset: name: openstack-two-node-centos-9-stream nodes: @@ -729,6 +769,14 @@ # we often have to rush things through devstack to stabilise the gate, # and these platforms don't have the round-the-clock support to avoid # becoming blockers in that situation. +- job: + name: devstack-platform-centos-10-stream + parent: tempest-full-py3 + description: CentOS 10 Stream platform test + nodeset: devstack-single-node-centos-10-stream + timeout: 9000 + voting: false + - job: name: devstack-platform-centos-9-stream parent: tempest-full-py3 @@ -911,6 +959,7 @@ - devstack - devstack-ipv6 - devstack-enforce-scope + - devstack-platform-centos-10-stream - devstack-platform-centos-9-stream - devstack-platform-debian-bookworm - devstack-platform-rocky-blue-onyx @@ -994,6 +1043,7 @@ - devstack-no-tls-proxy periodic-weekly: jobs: + - devstack-platform-centos-10-stream - devstack-platform-centos-9-stream - devstack-platform-debian-bookworm - devstack-platform-rocky-blue-onyx diff --git a/files/rpms/general b/files/rpms/general index 8a5755cc37..6f4572c708 100644 --- a/files/rpms/general +++ b/files/rpms/general @@ -10,9 +10,10 @@ glibc-langpack-en # dist:rhel9 graphviz # needed only for docs httpd httpd-devel -iptables-nft # dist:rhel9 +iptables-nft # dist:rhel9,rhel10 iptables-services -java-1.8.0-openjdk-headless +java-1.8.0-openjdk-headless # not:rhel10 +java-21-openjdk-headless # dist:rhel10 libffi-devel libjpeg-turbo-devel # Pillow 3.0.0 libxml2-devel # lxml @@ -23,7 +24,8 @@ net-tools openssh-server openssl openssl-devel # to rebuild pyOpenSSL if needed -pcre-devel # for python-pcre +pcre2-devel # dist:rhel10 for python-pcre2 +pcre-devel # not:rhel10 for python-pcre pkgconfig postgresql-devel # psycopg2 psmisc diff --git a/files/rpms/n-cpu b/files/rpms/n-cpu index 7ce5a72d6b..5683862ee0 100644 --- a/files/rpms/n-cpu +++ b/files/rpms/n-cpu @@ -1,6 +1,6 @@ cryptsetup dosfstools -genisoimage # not:rhel9 +genisoimage # not:rhel9,rhel10 iscsi-initiator-utils libosinfo lvm2 diff --git a/files/rpms/nova b/files/rpms/nova index e0f13b854a..3ed2943c1d 100644 --- a/files/rpms/nova +++ b/files/rpms/nova @@ -1,7 +1,7 @@ conntrack-tools curl ebtables -genisoimage # not:rhel9 required for config_drive +genisoimage # not:rhel9,rhel10 required for config_drive iptables iputils kernel-modules # not:openEuler-22.03 diff --git a/files/rpms/swift b/files/rpms/swift index 49a1833dc4..cf614335c1 100644 --- a/files/rpms/swift +++ b/files/rpms/swift @@ -4,4 +4,4 @@ memcached rsync-daemon sqlite xfsprogs -xinetd # not:f36,rhel9 +xinetd # not:f36,rhel9,rhel10 diff --git a/functions-common b/functions-common index db2367cef6..85ee294afa 100644 --- a/functions-common +++ b/functions-common @@ -423,7 +423,7 @@ function _ensure_lsb_release { elif [[ -x $(command -v zypper 2>/dev/null) ]]; then sudo zypper -n install lsb-release elif [[ -x $(command -v dnf 2>/dev/null) ]]; then - sudo dnf install -y redhat-lsb-core || sudo dnf install -y openeuler-lsb + sudo dnf install -y python3-distro || sudo dnf install -y openeuler-lsb else die $LINENO "Unable to find or auto-install lsb_release" fi @@ -436,9 +436,9 @@ function _ensure_lsb_release { # - os_VENDOR # - os_PACKAGE function GetOSVersion { - # CentOS Stream 9 and RHEL 9 do not provide lsb_release + # CentOS Stream 9 or later and RHEL 9 or later do not provide lsb_release source /etc/os-release - if [[ "${ID}${VERSION}" == "centos9" ]] || [[ "${ID}${VERSION}" =~ "rhel9" ]]; then + if [[ "${ID}${VERSION}" =~ "centos" ]] || [[ "${ID}${VERSION}" =~ "rhel" ]]; then os_RELEASE=${VERSION_ID} os_CODENAME="n/a" os_VENDOR=$(echo $NAME | tr -d '[:space:]') @@ -485,9 +485,8 @@ function GetDistro { "$os_VENDOR" =~ (OracleServer) || \ "$os_VENDOR" =~ (Rocky) || \ "$os_VENDOR" =~ (Virtuozzo) ]]; then - # Drop the . release as we assume it's compatible - # XXX re-evaluate when we get RHEL10 - DISTRO="rhel${os_RELEASE::1}" + MAJOR_VERSION=$(echo $os_RELEASE | cut -d. -f1) + DISTRO="rhel${MAJOR_VERSION}" elif [[ "$os_VENDOR" =~ (openEuler) ]]; then DISTRO="openEuler-$os_RELEASE" else diff --git a/stack.sh b/stack.sh index 04b5f4ca6a..2e130aec58 100755 --- a/stack.sh +++ b/stack.sh @@ -230,7 +230,7 @@ write_devstack_version # Warn users who aren't on an explicitly supported distro, but allow them to # override check and attempt installation with ``FORCE=yes ./stack`` -SUPPORTED_DISTROS="bookworm|jammy|noble|rhel9" +SUPPORTED_DISTROS="bookworm|jammy|noble|rhel9|rhel10" if [[ ! ${DISTRO} =~ $SUPPORTED_DISTROS ]]; then echo "WARNING: this script has not been tested on $DISTRO" @@ -302,16 +302,17 @@ function _install_epel { } function _install_rdo { - if [[ $DISTRO == "rhel9" ]]; then + if [[ $DISTRO =~ "rhel" ]]; then + VERSION=${DISTRO:4:2} rdo_release=${TARGET_BRANCH#*/} if [[ "$TARGET_BRANCH" == "master" ]]; then # adding delorean-deps repo to provide current master rpms - sudo wget https://trunk.rdoproject.org/centos9-master/delorean-deps.repo -O /etc/yum.repos.d/delorean-deps.repo + sudo wget https://trunk.rdoproject.org/centos${VERSION}-master/delorean-deps.repo -O /etc/yum.repos.d/delorean-deps.repo else if sudo dnf provides centos-release-openstack-${rdo_release} >/dev/null 2>&1; then sudo dnf -y install centos-release-openstack-${rdo_release} else - sudo wget https://trunk.rdoproject.org/centos9-${rdo_release}/delorean-deps.repo -O /etc/yum.repos.d/delorean-deps.repo + sudo wget https://trunk.rdoproject.org/centos${VERSION}-${rdo_release}/delorean-deps.repo -O /etc/yum.repos.d/delorean-deps.repo fi fi fi @@ -408,6 +409,11 @@ elif [[ $DISTRO == "rhel9" ]]; then if is_package_installed curl-minimal; then sudo dnf swap -y curl-minimal curl fi +elif [[ $DISTRO == "rhel10" ]]; then + # for CentOS Stream 10 repository + sudo dnf config-manager --set-enabled crb + # rabbitmq and other packages are provided by RDO repositories. + _install_rdo elif [[ $DISTRO == "openEuler-22.03" ]]; then # There are some problem in openEuler. We should fix it first. Some required # package/action runs before fixup script. So we can't fix there. diff --git a/tools/install_pip.sh b/tools/install_pip.sh index 91b180c06f..79f97c5f7a 100755 --- a/tools/install_pip.sh +++ b/tools/install_pip.sh @@ -127,7 +127,7 @@ if [[ -n $PYPI_ALTERNATIVE_URL ]]; then configure_pypi_alternative_url fi -if is_fedora && [[ ${DISTRO} == f* || ${DISTRO} == rhel9 ]]; then +if is_fedora && [[ ${DISTRO} == f* || ${DISTRO} == rhel* ]]; then # get-pip.py will not install over the python3-pip package in # Fedora 34 any more. # https://bugzilla.redhat.com/show_bug.cgi?id=1988935 From 9c295d0da30b8e4d0809623e886dc9aaf6f52c25 Mon Sep 17 00:00:00 2001 From: Stephen Finucane Date: Thu, 7 Aug 2025 10:53:59 +0100 Subject: [PATCH 26/74] Remove dead checks for Python 3.6 Change-Id: I9fab7209955ebdfda0f309aa0160749bd0f962e6 Signed-off-by: Stephen Finucane --- tools/install_pip.sh | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/tools/install_pip.sh b/tools/install_pip.sh index 79f97c5f7a..027693fc0a 100755 --- a/tools/install_pip.sh +++ b/tools/install_pip.sh @@ -38,7 +38,6 @@ FILES=$TOP_DIR/files # [1] https://opendev.org/openstack/project-config/src/branch/master/nodepool/elements/cache-devstack/source-repository-pip PIP_GET_PIP_URL=${PIP_GET_PIP_URL:-"https://bootstrap.pypa.io/get-pip.py"} -PIP_GET_PIP36_URL=${PIP_GET_PIP36_URL:-"https://bootstrap.pypa.io/pip/3.6/get-pip.py"} GetDistro echo "Distro: $DISTRO" @@ -57,14 +56,8 @@ function get_versions { function install_get_pip { - if [[ "$PYTHON3_VERSION" = "3.6" ]]; then - _pip_url=$PIP_GET_PIP36_URL - _local_pip="$FILES/$(basename $_pip_url)-py36" - else - _pip_url=$PIP_GET_PIP_URL - _local_pip="$FILES/$(basename $_pip_url)" - fi - + _pip_url=$PIP_GET_PIP_URL + _local_pip="$FILES/$(basename $_pip_url)" # If get-pip.py isn't python, delete it. This was probably an # outage on the server. From fdc41d76abf353b6a9b206bf92c6b9adb90b253a Mon Sep 17 00:00:00 2001 From: Stephen Finucane Date: Thu, 7 Aug 2025 10:54:45 +0100 Subject: [PATCH 27/74] Remove dead checks for Fedora 36 It is EOL. Change-Id: I609cfce8a98f9933380ddbc719ed22e6fcda4785 Signed-off-by: Stephen Finucane --- files/rpms/swift | 1 - lib/apache | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/files/rpms/swift b/files/rpms/swift index cf614335c1..c3921a47d4 100644 --- a/files/rpms/swift +++ b/files/rpms/swift @@ -4,4 +4,3 @@ memcached rsync-daemon sqlite xfsprogs -xinetd # not:f36,rhel9,rhel10 diff --git a/lib/apache b/lib/apache index 449d2e70d4..c49da711e1 100644 --- a/lib/apache +++ b/lib/apache @@ -89,7 +89,7 @@ function install_apache_uwsgi { # didn't fix Python 3.10 compatibility before release. Should be # fixed in uwsgi 4.9.0; can remove this when packages available # or we drop this release - elif is_fedora && ! is_openeuler && ! [[ $DISTRO =~ f36|rhel9 ]]; then + elif is_fedora && ! is_openeuler && ! [[ $DISTRO =~ rhel9 ]]; then # Note httpd comes with mod_proxy_uwsgi and it is loaded by # default; the mod_proxy_uwsgi package actually conflicts now. # See: From 1a74605eb4c30e28a99edd2e824c2ce38d6315ad Mon Sep 17 00:00:00 2001 From: Douglas Mendizabal Date: Fri, 8 Aug 2025 10:44:41 -0400 Subject: [PATCH 28/74] Fix iniset to escape backslash characters MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This patch fixes an issue in iniset where backslash (\) characters are removed from the config value. This patch ensures that backslash characters (\) are escaped in addition to the ampersand (&) character that was already being escaped. Closes-Bug: #2120180 Signed-off-by: Douglas Mendizábal Change-Id: Ica53ed42269931d151daf815d2e2c10c1f9e29a8 --- inc/ini-config | 6 ++++-- tests/test_ini_config.sh | 15 ++++++++++++++- 2 files changed, 18 insertions(+), 3 deletions(-) diff --git a/inc/ini-config b/inc/ini-config index f65e42d3a5..920d4775fa 100644 --- a/inc/ini-config +++ b/inc/ini-config @@ -189,8 +189,10 @@ function iniset { local option=$3 local value=$4 - # Escape the ampersand character (&) - value=$(echo $value | sed -e 's/&/\\&/g') + # Escape the ampersand (&) and backslash (\) characters for sed + # Order of substitution matters: we escape backslashes first before + # adding more backslashes to escape ampersands + value=$(echo $value | sed -e 's/\\/\\\\/g' -e 's/&/\\&/g') if [[ -z $section || -z $option ]]; then $xtrace diff --git a/tests/test_ini_config.sh b/tests/test_ini_config.sh index 6367cde441..fd3896d6ba 100755 --- a/tests/test_ini_config.sh +++ b/tests/test_ini_config.sh @@ -47,6 +47,9 @@ multi = foo2 [fff] ampersand = +[ggg] +backslash = + [key_with_spaces] rgw special key = something @@ -88,7 +91,7 @@ fi # test iniget_sections VAL=$(iniget_sections "${TEST_INI}") -assert_equal "$VAL" "default aaa bbb ccc ddd eee fff key_with_spaces \ +assert_equal "$VAL" "default aaa bbb ccc ddd eee fff ggg key_with_spaces \ del_separate_options del_same_option del_missing_option \ del_missing_option_multi del_no_options" @@ -134,6 +137,16 @@ done VAL=$(iniget ${TEST_INI} fff ampersand) assert_equal "$VAL" "&y" "iniset ampersands in option" +# Test with backslash in value +iniset ${TEST_INI} ggg backslash 'foo\bar' +VAL=$(iniget ${TEST_INI} ggg backslash) +assert_equal "$VAL" 'foo\bar' "iniset backslash in value" + +# Test with both ampersand and backslash +iniset ${TEST_INI} ggg backslash 'foo\bar&baz' +VAL=$(iniget ${TEST_INI} ggg backslash) +assert_equal "$VAL" 'foo\bar&baz' "iniset ampersand and backslash in value" + # test empty option if ini_has_option ${SUDO_ARG} ${TEST_INI} ddd empty; then passed "ini_has_option: ddd.empty present" From 34689f587966f9fd512a03c85762bd79dd4a4e9d Mon Sep 17 00:00:00 2001 From: Ghanshyam Maan Date: Wed, 27 Aug 2025 02:40:21 +0000 Subject: [PATCH 29/74] Configure nova 'service' role in tempest In this release, nova is implementing the service role in policy[depends-on], and Tempest being branchless needs to decide if service defaults are present in testing release/ env (Needed-By). Setting the service role availability in Tempest so that from this release onward, tests can use service role user to perform the required operation in nova. Depends-On: https://review.opendev.org/c/openstack/nova/+/957578 Needed-By: https://review.opendev.org/c/openstack/tempest/+/892639 Change-Id: I463cb85f3fcb9f2fdd7aa4a0a5f2ae49782e3fc1 Signed-off-by: Ghanshyam Maan --- lib/tempest | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/tempest b/lib/tempest index 53851209d2..1ebe9c5f1f 100644 --- a/lib/tempest +++ b/lib/tempest @@ -535,7 +535,7 @@ function configure_tempest { fi # NOTE(gmaan): Since 2025.2, 'manager' role is available in nova. - local nova_policy_roles="admin,manager,member,reader" + local nova_policy_roles="admin,manager,member,reader,service" iniset $TEMPEST_CONFIG compute-feature-enabled nova_policy_roles $nova_policy_roles # Network From 2aae15c93f4383c0a38dff276700c762e56a7134 Mon Sep 17 00:00:00 2001 From: Tobias Urdin Date: Tue, 6 May 2025 08:54:39 +0200 Subject: [PATCH 30/74] Use profile rbd for Ceph authx for cinder-backup Use the RBD profile instead of setting explicit permissions. Change-Id: Idc2258e3b69df3df57894c17018a2a35043c8fa9 Signed-off-by: Tobias Urdin --- lib/cinder_backups/ceph | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/cinder_backups/ceph b/lib/cinder_backups/ceph index 4b180490d7..c46b90c5b9 100644 --- a/lib/cinder_backups/ceph +++ b/lib/cinder_backups/ceph @@ -32,7 +32,7 @@ function configure_cinder_backup_ceph { if [[ "$REMOTE_CEPH" = "False" && "$CEPH_REPLICAS" -ne 1 ]]; then sudo ceph -c ${CEPH_CONF_FILE} osd pool set ${CINDER_BAK_CEPH_POOL} crush_ruleset ${RULE_ID} fi - sudo ceph -c ${CEPH_CONF_FILE} auth get-or-create client.${CINDER_BAK_CEPH_USER} mon "allow r" osd "allow class-read object_prefix rbd_children, allow rwx pool=${CINDER_BAK_CEPH_POOL}, allow rwx pool=${CINDER_CEPH_POOL}" | sudo tee ${CEPH_CONF_DIR}/ceph.client.${CINDER_BAK_CEPH_USER}.keyring + sudo ceph -c ${CEPH_CONF_FILE} auth get-or-create client.${CINDER_BAK_CEPH_USER} mon "profile rbd" osd "profile rbd pool=${CINDER_BAK_CEPH_POOL}, profile rbd pool=${CINDER_CEPH_POOL}" | sudo tee ${CEPH_CONF_DIR}/ceph.client.${CINDER_BAK_CEPH_USER}.keyring sudo chown $(whoami):$(whoami) ${CEPH_CONF_DIR}/ceph.client.${CINDER_BAK_CEPH_USER}.keyring fi From 2d7ff93390ca3c0f47a8b37c5f4912de69ab5b2f Mon Sep 17 00:00:00 2001 From: Jan Jasek Date: Mon, 1 Sep 2025 12:08:48 +0200 Subject: [PATCH 31/74] Remove debian-bullseye nodeset Horizon no longer use debian-bullseye nodeset Change-Id: I78094a9dd7e51641dfb9b1a851b46744184df702 Signed-off-by: Jan Jasek --- .zuul.yaml | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/.zuul.yaml b/.zuul.yaml index 3deab35e87..7bfd3e33b6 100644 --- a/.zuul.yaml +++ b/.zuul.yaml @@ -73,19 +73,6 @@ nodes: - controller -# Note(sean-k-mooney): this is still used by horizon for -# horizon-integration-tests, horizon-integration-pytest and -# horizon-ui-pytest, remove when horizon is updated. -- nodeset: - name: devstack-single-node-debian-bullseye - nodes: - - name: controller - label: debian-bullseye - groups: - - name: tempest - nodes: - - controller - - nodeset: name: devstack-single-node-rockylinux-9 nodes: From f6d8dab0e885b8de8c0f44388d538da7d4f9b7ec Mon Sep 17 00:00:00 2001 From: Saikumar Pulluri Date: Thu, 4 Sep 2025 08:48:42 -0400 Subject: [PATCH 32/74] Add service type to keystone authtoken middleware Configuring devstack's configure_keystone_authtoken_middleware to set service_type as an additional option. Needed-By: https://review.opendev.org/c/openstack/barbican/+/958845 Needed-By: https://review.opendev.org/c/openstack/manila/+/955393 Change-Id: I140c8392465965d68f52489b5e5bf3e47ae979be Signed-off-by: Saikumar Pulluri --- lib/keystone | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/lib/keystone b/lib/keystone index 0311e24c67..241909cb9d 100644 --- a/lib/keystone +++ b/lib/keystone @@ -432,6 +432,7 @@ function configure_keystone_authtoken_middleware { local conf_file=$1 local admin_user=$2 local section=${3:-keystone_authtoken} + local service_type=$4 iniset $conf_file $section auth_type password iniset $conf_file $section interface public @@ -444,6 +445,9 @@ function configure_keystone_authtoken_middleware { iniset $conf_file $section cafile $SSL_BUNDLE_FILE iniset $conf_file $section memcached_servers $MEMCACHE_SERVERS + if [[ -n "$service_type" ]]; then + iniset $conf_file $section service_type $service_type + fi } # configure_auth_token_middleware conf_file admin_user IGNORED [section] From 2145b0a0031977ef2809a3eaa9abe6937e4777e6 Mon Sep 17 00:00:00 2001 From: Michal Nasiadka Date: Wed, 10 Sep 2025 10:24:17 +0200 Subject: [PATCH 33/74] Add Rocky Linux Red Quartz singlenode job (10) Change-Id: Iaad9eb034348d559809108d254601d51719ff3e0 Signed-off-by: Michal Nasiadka --- .zuul.yaml | 21 +++++++++++++++++++++ functions-common | 11 ++++------- 2 files changed, 25 insertions(+), 7 deletions(-) diff --git a/.zuul.yaml b/.zuul.yaml index 3deab35e87..0a81dd82c2 100644 --- a/.zuul.yaml +++ b/.zuul.yaml @@ -96,6 +96,16 @@ nodes: - controller +- nodeset: + name: devstack-single-node-rockylinux-10 + nodes: + - name: controller + label: rockylinux-10-8GB + groups: + - name: tempest + nodes: + - controller + - nodeset: name: openstack-two-node-centos-10-stream nodes: @@ -815,6 +825,16 @@ # TODO(ykarel) Remove this when moving to rocky10 PYTHON3_VERSION: 3.11 +- job: + name: devstack-platform-rocky-red-quartz + parent: tempest-full-py3 + description: Rocky Linux Red Quartz platform test + nodeset: devstack-single-node-rockylinux-10 + timeout: 9000 + voting: false + vars: + configure_swap_size: 4096 + - job: name: devstack-platform-ubuntu-jammy parent: tempest-full-py3 @@ -963,6 +983,7 @@ - devstack-platform-centos-9-stream - devstack-platform-debian-bookworm - devstack-platform-rocky-blue-onyx + - devstack-platform-rocky-red-quartz - devstack-platform-ubuntu-noble-ovn-source - devstack-platform-ubuntu-noble-ovs - devstack-platform-ubuntu-jammy diff --git a/functions-common b/functions-common index 85ee294afa..37c1862c28 100644 --- a/functions-common +++ b/functions-common @@ -438,13 +438,10 @@ function _ensure_lsb_release { function GetOSVersion { # CentOS Stream 9 or later and RHEL 9 or later do not provide lsb_release source /etc/os-release - if [[ "${ID}${VERSION}" =~ "centos" ]] || [[ "${ID}${VERSION}" =~ "rhel" ]]; then + if [[ "${ID}" =~ (centos|rocky|rhel) ]]; then os_RELEASE=${VERSION_ID} - os_CODENAME="n/a" + os_CODENAME=$(echo $VERSION | grep -oP '(?<=[(])[^)]*') os_VENDOR=$(echo $NAME | tr -d '[:space:]') - elif [[ "${ID}${VERSION}" =~ "rocky9" ]]; then - os_VENDOR="Rocky" - os_RELEASE=${VERSION_ID} else _ensure_lsb_release @@ -483,7 +480,7 @@ function GetDistro { "$os_VENDOR" =~ (AlmaLinux) || \ "$os_VENDOR" =~ (Scientific) || \ "$os_VENDOR" =~ (OracleServer) || \ - "$os_VENDOR" =~ (Rocky) || \ + "$os_VENDOR" =~ (RockyLinux) || \ "$os_VENDOR" =~ (Virtuozzo) ]]; then MAJOR_VERSION=$(echo $os_RELEASE | cut -d. -f1) DISTRO="rhel${MAJOR_VERSION}" @@ -544,7 +541,7 @@ function is_fedora { [ "$os_VENDOR" = "RedHatEnterpriseServer" ] || \ [ "$os_VENDOR" = "RedHatEnterprise" ] || \ [ "$os_VENDOR" = "RedHatEnterpriseLinux" ] || \ - [ "$os_VENDOR" = "Rocky" ] || \ + [ "$os_VENDOR" = "RockyLinux" ] || \ [ "$os_VENDOR" = "CentOS" ] || [ "$os_VENDOR" = "CentOSStream" ] || \ [ "$os_VENDOR" = "AlmaLinux" ] || \ [ "$os_VENDOR" = "OracleServer" ] || [ "$os_VENDOR" = "Virtuozzo" ] From 1aa22aa6d4b8dac710b50b6aabd3ce9ce8280a98 Mon Sep 17 00:00:00 2001 From: Stephen Finucane Date: Tue, 6 May 2025 17:28:37 +0100 Subject: [PATCH 34/74] lib/glance: Remove support for deploying in standalone mode Change-Id: Ia70accd3e04bf9bea7fa50c18541fc71cff75f5f Signed-off-by: Stephen Finucane Depends-on: https://review.opendev.org/c/openstack/glance/+/933614 --- lib/glance | 52 ++++++++++++---------------------------------------- 1 file changed, 12 insertions(+), 40 deletions(-) diff --git a/lib/glance b/lib/glance index b596b53271..4dade5142d 100644 --- a/lib/glance +++ b/lib/glance @@ -83,13 +83,6 @@ GLANCE_DEFAULT_BACKEND=${GLANCE_DEFAULT_BACKEND:-fast} GLANCE_CACHE_DIR=${GLANCE_CACHE_DIR:=$DATA_DIR/glance/cache} GLANCE_CACHE_DRIVER=${GLANCE_CACHE_DRIVER:-centralized_db} -# Full Glance functionality requires running in standalone mode. If we are -# not in uwsgi mode, then we are standalone, otherwise allow separate control. -if [[ "$WSGI_MODE" != "uwsgi" ]]; then - GLANCE_STANDALONE=True -fi -GLANCE_STANDALONE=${GLANCE_STANDALONE:-False} - # File path for each store specified in GLANCE_MULTIPLE_FILE_STORES, the store # identifier will be appended to this path at runtime. If GLANCE_MULTIPLE_FILE_STORES # has fast,cheap specified then filepath will be generated like $DATA_DIR/glance/fast @@ -139,14 +132,7 @@ GLANCE_UWSGI_CONF=$GLANCE_CONF_DIR/glance-uwsgi.ini # Glance default limit for Devstack GLANCE_LIMIT_IMAGE_SIZE_TOTAL=${GLANCE_LIMIT_IMAGE_SIZE_TOTAL:-2000} -# If wsgi mode is uwsgi run glance under uwsgi, else default to eventlet -# TODO(mtreinish): Remove the eventlet path here and in all the similar -# conditionals below after the Pike release -if [[ "$WSGI_MODE" == "uwsgi" ]]; then - GLANCE_URL="$GLANCE_SERVICE_PROTOCOL://$GLANCE_SERVICE_HOST/image" -else - GLANCE_URL="$GLANCE_SERVICE_PROTOCOL://$GLANCE_HOSTPORT" -fi +GLANCE_URL="$GLANCE_SERVICE_PROTOCOL://$GLANCE_SERVICE_HOST/image" # Functions # --------- @@ -451,12 +437,11 @@ function configure_glance { iniset $GLANCE_CACHE_CONF glance_store filesystem_store_datadir $GLANCE_IMAGE_DIR/ # Set default configuration options for the glance-image-import - iniset $GLANCE_IMAGE_IMPORT_CONF image_import_opts image_import_plugins [] + iniset $GLANCE_IMAGE_IMPORT_CONF image_import_opts image_import_plugins "[]" iniset $GLANCE_IMAGE_IMPORT_CONF inject_metadata_properties ignore_user_roles admin iniset $GLANCE_IMAGE_IMPORT_CONF inject_metadata_properties inject cp -p $GLANCE_DIR/etc/schema-image.json $GLANCE_SCHEMA_JSON - cp -p $GLANCE_DIR/etc/metadefs/*.json $GLANCE_METADEF_DIR if is_service_enabled tls-proxy; then @@ -467,19 +452,15 @@ function configure_glance { iniset $GLANCE_CACHE_CONF DEFAULT cinder_endpoint_template "https://$CINDER_SERVICE_HOST:$CINDER_SERVICE_PORT/v3/%(project_id)s" fi - if [[ "$GLANCE_STANDALONE" == False ]]; then - write_local_uwsgi_http_config "$GLANCE_UWSGI_CONF" "$GLANCE_UWSGI" "/image" "glance-api" - # Grab our uwsgi listen address and use that to fill out our - # worker_self_reference_url config - iniset $GLANCE_API_CONF DEFAULT worker_self_reference_url \ - $(awk '-F= ' '/^http-socket/ { print "http://"$2}' $GLANCE_UWSGI_CONF) - else - write_local_proxy_http_config glance "http://$GLANCE_SERVICE_HOST:$GLANCE_SERVICE_PORT_INT" "/image" - iniset $GLANCE_API_CONF DEFAULT bind_host $GLANCE_SERVICE_LISTEN_ADDRESS - iniset $GLANCE_API_CONF DEFAULT bind_port $GLANCE_SERVICE_PORT_INT - iniset $GLANCE_API_CONF DEFAULT workers "$API_WORKERS" - iniset $GLANCE_API_CONF DEFAULT worker_self_reference_url $GLANCE_URL - fi + write_local_uwsgi_http_config "$GLANCE_UWSGI_CONF" "$GLANCE_UWSGI" "/image" "glance-api" + + # Grab our uwsgi listen address and use that to fill out our + # worker_self_reference_url config + iniset $GLANCE_API_CONF DEFAULT worker_self_reference_url $(awk '-F= ' '/^http-socket/ { print "http://"$2}' $GLANCE_UWSGI_CONF) + + # Configure the Python binary used for "import" plugins. If unset, these + # will attempt the uwsgi binary instead. + iniset $GLANCE_API_CONF wsgi python_interpreter $PYTHON if [[ "$GLANCE_ENFORCE_SCOPE" == True || "$ENFORCE_SCOPE" == True ]] ; then iniset $GLANCE_API_CONF oslo_policy enforce_scope true @@ -664,17 +645,8 @@ function start_glance_remote_clone { # start_glance() - Start running processes function start_glance { local service_protocol=$GLANCE_SERVICE_PROTOCOL - if is_service_enabled tls-proxy; then - if [[ "$WSGI_MODE" != "uwsgi" ]]; then - start_tls_proxy glance-service '*' $GLANCE_SERVICE_PORT $GLANCE_SERVICE_HOST $GLANCE_SERVICE_PORT_INT - fi - fi - if [[ "$GLANCE_STANDALONE" == False ]]; then - run_process g-api "$(which uwsgi) --procname-prefix glance-api --ini $GLANCE_UWSGI_CONF" - else - run_process g-api "$GLANCE_BIN_DIR/glance-api --config-dir=$GLANCE_CONF_DIR" - fi + run_process g-api "$(which uwsgi) --procname-prefix glance-api --ini $GLANCE_UWSGI_CONF" if is_service_enabled g-api-r; then echo "Starting the g-api-r clone service..." From 2df0d7ab8230a0cc7ca1c5a90c254717c9ff2dc6 Mon Sep 17 00:00:00 2001 From: Ghanshyam Maan Date: Thu, 28 Aug 2025 03:39:25 +0000 Subject: [PATCH 35/74] Configure glance user in cinder conf Cinder talk to glance for new image location APIs which are default to 'service' role[1]. That needs cinder to have the glance service user configured. We need to assign admin role also to service user so that it can access images from glance. Needed-By: https://review.opendev.org/c/openstack/glance/+/958715 [1] https://review.opendev.org/c/openstack/glance/+/958715 Change-Id: I52d118672c053b9d6890bc6289bf12dcf5d7dce3 Signed-off-by: Ghanshyam Maan --- lib/cinder | 3 +++ lib/glance | 4 +++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/lib/cinder b/lib/cinder index eb8a63dbfc..aef6854062 100644 --- a/lib/cinder +++ b/lib/cinder @@ -419,6 +419,9 @@ function configure_cinder { iniset $CINDER_CONF DEFAULT glance_ca_certificates_file $SSL_BUNDLE_FILE fi + # Set glance credentials (used for location APIs) + configure_keystone_authtoken_middleware $CINDER_CONF glance glance + # Set nova credentials (used for os-assisted-snapshots) configure_keystone_authtoken_middleware $CINDER_CONF nova nova iniset $CINDER_CONF nova region_name "$REGION_NAME" diff --git a/lib/glance b/lib/glance index b596b53271..31a9ae9745 100644 --- a/lib/glance +++ b/lib/glance @@ -503,7 +503,9 @@ function configure_glance { function create_glance_accounts { if is_service_enabled g-api; then - create_service_user "glance" + # When cinder talk to glance service APIs user needs service + # role for RBAC checks and admin role for cinder to access images. + create_service_user "glance" "admin" # required for swift access if is_service_enabled s-proxy; then From f09da620cb5973f9a77233a700b06612462678e5 Mon Sep 17 00:00:00 2001 From: Yatin Karel Date: Mon, 15 Sep 2025 17:16:50 +0530 Subject: [PATCH 36/74] Restore os_CODENAME for old rhel distros With [1] fips based jobs which runs on 9-stream started to fail as os_CODENAME not applicable on those. This patch adds fallback as before. Moving fips jobs to 10-stream/rocky requires some more work due to [2] [1] https://review.opendev.org/c/openstack/devstack/+/960342 [2] https://fedoraproject.org/wiki/Changes/RemoveFipsModeSetup Change-Id: I6d7ba4f5698e9b4837b29662b0b7f883b3c5de35 Signed-off-by: Yatin Karel --- functions-common | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/functions-common b/functions-common index 37c1862c28..0ae51e3df1 100644 --- a/functions-common +++ b/functions-common @@ -440,7 +440,7 @@ function GetOSVersion { source /etc/os-release if [[ "${ID}" =~ (centos|rocky|rhel) ]]; then os_RELEASE=${VERSION_ID} - os_CODENAME=$(echo $VERSION | grep -oP '(?<=[(])[^)]*') + os_CODENAME=$(echo $VERSION | grep -oP '(?<=[(])[^)]*' || echo 'n/a') os_VENDOR=$(echo $NAME | tr -d '[:space:]') else _ensure_lsb_release From f72801c1081e9f63bb1a98a66950d65ee8cf6ecb Mon Sep 17 00:00:00 2001 From: Stephen Finucane Date: Mon, 15 Sep 2025 12:54:09 +0100 Subject: [PATCH 37/74] lib/neutron: Prepare for move of api-paste, rootwrap conf Change-Id: I70ba357f9af668fb7a7cb737d13fe24e572eb0ff Signed-off-by: Stephen Finucane --- lib/neutron | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/lib/neutron b/lib/neutron index ea2d8e728a..dec15fb782 100644 --- a/lib/neutron +++ b/lib/neutron @@ -996,7 +996,13 @@ function _configure_neutron_plugin_agent { # It is called when q-svc is enabled. function _configure_neutron_service { Q_API_PASTE_FILE=$NEUTRON_CONF_DIR/api-paste.ini - cp $NEUTRON_DIR/etc/api-paste.ini $Q_API_PASTE_FILE + if test -r $NEUTRON_DIR/etc/neutron/api-paste.ini; then + cp $NEUTRON_DIR/etc/neutron/api-paste.ini $Q_API_PASTE_FILE + else + # TODO(stephenfin): Remove this branch once [1] merges + # [1] https://review.opendev.org/c/openstack/neutron/+/961130 + cp $NEUTRON_DIR/etc/api-paste.ini $Q_API_PASTE_FILE + fi # Update either configuration file with plugin iniset $NEUTRON_CONF DEFAULT core_plugin $Q_PLUGIN_CLASS @@ -1076,6 +1082,8 @@ function _neutron_setup_rootwrap { if test -r $NEUTRON_DIR/etc/neutron/rootwrap.conf; then sudo install -o root -g root -m 644 $NEUTRON_DIR/etc/neutron/rootwrap.conf $Q_RR_CONF_FILE else + # TODO(stephenfin): Remove this branch once [1] merges + # [1] https://review.opendev.org/c/openstack/neutron/+/961130 sudo install -o root -g root -m 644 $NEUTRON_DIR/etc/rootwrap.conf $Q_RR_CONF_FILE fi sudo sed -e "s:^filters_path=.*$:filters_path=$Q_CONF_ROOTWRAP_D:" -i $Q_RR_CONF_FILE From e4cb49c690677b437d817ad8c736edcb96b674e3 Mon Sep 17 00:00:00 2001 From: Takashi Kajinami Date: Sun, 21 Sep 2025 03:12:55 +0900 Subject: [PATCH 38/74] Remove option for apache < 2.4 apache 2.4 was released long time ago and is now available in recent operating systems. Change-Id: If367869e8490159f31c7d6c0207e182dd7ecb164 Signed-off-by: Takashi Kajinami --- files/apache-cinder-api.template | 12 ++---------- files/apache-horizon.template | 14 ++------------ files/apache-nova-api.template | 4 +--- files/apache-nova-metadata.template | 4 +--- 4 files changed, 6 insertions(+), 28 deletions(-) diff --git a/files/apache-cinder-api.template b/files/apache-cinder-api.template index e1246f11b6..e401803abc 100644 --- a/files/apache-cinder-api.template +++ b/files/apache-cinder-api.template @@ -6,21 +6,13 @@ Listen %PUBLICPORT% WSGIScriptAlias / %CINDER_BIN_DIR%/cinder-wsgi WSGIApplicationGroup %{GLOBAL} WSGIPassAuthorization On - = 2.4> - ErrorLogFormat "%{cu}t %M" - + ErrorLogFormat "%{cu}t %M" ErrorLog /var/log/%APACHE_NAME%/c-api.log %SSLENGINE% %SSLCERTFILE% %SSLKEYFILE% - = 2.4> - Require all granted - - - Order allow,deny - Allow from all - + Require all granted diff --git a/files/apache-horizon.template b/files/apache-horizon.template index da7a7d26c3..c6c55ecf27 100644 --- a/files/apache-horizon.template +++ b/files/apache-horizon.template @@ -21,19 +21,9 @@ Options Indexes FollowSymLinks MultiViews AllowOverride None - # Apache 2.4 uses mod_authz_host for access control now (instead of - # "Allow") - - Order allow,deny - Allow from all - - = 2.4> - Require all granted - + Require all granted - = 2.4> - ErrorLogFormat "%{cu}t %M" - + ErrorLogFormat "%{cu}t %M" ErrorLog /var/log/%APACHE_NAME%/horizon_error.log LogLevel warn CustomLog /var/log/%APACHE_NAME%/horizon_access.log combined diff --git a/files/apache-nova-api.template b/files/apache-nova-api.template index bcf406edf3..66fcf73cf2 100644 --- a/files/apache-nova-api.template +++ b/files/apache-nova-api.template @@ -6,9 +6,7 @@ Listen %PUBLICPORT% WSGIScriptAlias / %PUBLICWSGI% WSGIApplicationGroup %{GLOBAL} WSGIPassAuthorization On - = 2.4> - ErrorLogFormat "%M" - + ErrorLogFormat "%M" ErrorLog /var/log/%APACHE_NAME%/nova-api.log %SSLENGINE% %SSLCERTFILE% diff --git a/files/apache-nova-metadata.template b/files/apache-nova-metadata.template index 6231c1ced8..64be03166e 100644 --- a/files/apache-nova-metadata.template +++ b/files/apache-nova-metadata.template @@ -6,9 +6,7 @@ Listen %PUBLICPORT% WSGIScriptAlias / %PUBLICWSGI% WSGIApplicationGroup %{GLOBAL} WSGIPassAuthorization On - = 2.4> - ErrorLogFormat "%M" - + ErrorLogFormat "%M" ErrorLog /var/log/%APACHE_NAME%/nova-metadata.log %SSLENGINE% %SSLCERTFILE% From a3e37c86cab4ec43a4a6d1c1386abf12bc034db7 Mon Sep 17 00:00:00 2001 From: Ghanshyam Maan Date: Mon, 22 Sep 2025 06:04:42 +0000 Subject: [PATCH 39/74] Update DEVSTACK_SERIES to 2026.1 stable/2025.2 branch has been created now and current master is for 2026.1 Change-Id: Ibec78664417207ca7784c548ab15c1c6ef0e0663 Signed-off-by: Ghanshyam Maan --- stackrc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stackrc b/stackrc index 1e306cc685..93f8b1cd6d 100644 --- a/stackrc +++ b/stackrc @@ -252,7 +252,7 @@ REQUIREMENTS_DIR=${REQUIREMENTS_DIR:-$DEST/requirements} # Setting the variable to 'ALL' will activate the download for all # libraries. -DEVSTACK_SERIES="2025.2" +DEVSTACK_SERIES="2026.1" ############## # From 093bc57518a72b63a59389df63491d476069fc5c Mon Sep 17 00:00:00 2001 From: Ghanshyam Maan Date: Mon, 22 Sep 2025 06:56:25 +0000 Subject: [PATCH 40/74] Cap stable/2025.2 network, swift, volume api_extensions for tempest This commit cap the network, volume and swift extensions on Tempest's config option api_extensions. In 2025.2, no new extension in neutron. and no new extensions in swift and cinder. Change-Id: I1f9a2f53fa1e513f58d7dd8706d57f2481ab3d47 Signed-off-by: Ghanshyam Maan --- lib/tempest | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 58 insertions(+), 3 deletions(-) diff --git a/lib/tempest b/lib/tempest index 1ebe9c5f1f..892e7fd72a 100644 --- a/lib/tempest +++ b/lib/tempest @@ -805,7 +805,48 @@ function configure_tempest { DISABLE_NETWORK_API_EXTENSIONS+=", l3_agent_scheduler" fi - local network_api_extensions=${NETWORK_API_EXTENSIONS:-"all"} + DEFAULT_NET_EXT="address-scope,agent,allowed-address-pairs,auto-allocated-topology" + DEFAULT_NET_EXT+=",availability_zone,binding,default-subnetpools,dhcp_agent_scheduler" + DEFAULT_NET_EXT+=",dvr,ext-gw-mode,external-net,extra_dhcp_opt,extraroute,flavors" + DEFAULT_NET_EXT+=",l3-flavors,l3-ha,l3_agent_scheduler,multi-provider,net-mtu" + DEFAULT_NET_EXT+=",network-ip-availability,network_availability_zone,pagination" + DEFAULT_NET_EXT+=",port-security,project-id,provider,quotas,quota_details,rbac-policies" + DEFAULT_NET_EXT+=",revision-if-match,router,router_availability_zone,security-group,service-type,sorting" + DEFAULT_NET_EXT+=",standard-attr-description,standard-attr-revisions,standard-attr-tag,standard-attr-timestamp" + DEFAULT_NET_EXT+=",subnet-service-types,subnet_allocation,net-mtu-writable,ip-substring-filtering" + DEFAULT_NET_EXT+=",availability_zone_filter,filter-validation,empty-string-filtering,port-mac-address-regenerate" + DEFAULT_NET_EXT+=",port-security-groups-filtering,fip-port-details,binding-extended" + DEFAULT_NET_EXT+=",subnet_onboard,l3-port-ip-change-not-allowed,agent-resources-synced" + DEFAULT_NET_EXT+=",floatingip-pools,rbac-security-groups,subnetpool-prefix-ops,router-admin-state-down-before-update" + DEFAULT_NET_EXT+=",rbac-subnetpool,tag-ports-during-bulk-creation,stateful-security-group,address-group,extraroute-atomic" + DEFAULT_NET_EXT+=",port-numa-affinity-policy,rbac-address-scope,security-groups-remote-address-group,trunk,trunk-details" + DEFAULT_NET_EXT+=",rbac-address-group,port-device-profile" + DEFAULT_NET_EXT+=",multiple-external-gateways,qos-pps-minimum,l3-ext-ndp-proxy,rbac-bgpvpn" + DEFAULT_NET_EXT+=",qos-pps,ecmp_routes,bgp,floating-ip-port-forwarding-port-ranges" + # New in Yoga + DEFAULT_NET_EXT+=",security-groups-shared-filtering,security-groups-normalized-cidr,quota-check-limit" + DEFAULT_NET_EXT+=",port-resource-request-groups" + # New in Zed + DEFAULT_NET_EXT+=",port-mac-override,floating-ip-port-forwarding-detail,network-cascade-delete" + # New in 2023.1 + DEFAULT_NET_EXT+=",port-hints,floating-ip-distributed" + # New in 2023.2 + DEFAULT_NET_EXT+=",port-hint-ovs-tx-steering,enable-default-route-bfd" + DEFAULT_NET_EXT+=",enable-default-route-ecmp,standard-attr-fwaas-v2" + DEFAULT_NET_EXT+=",allowed-address-pairs-atomic,network_ha" + DEFAULT_NET_EXT+=",security-groups-rules-belongs-to-default-sg" + DEFAULT_NET_EXT+=",port-hardware-offload-type" + # New in 2024.1 + DEFAULT_NET_EXT+=",vpn-aes-ccm-gcm,tap-mirror,subnet-external-network" + DEFAULT_NET_EXT+=",port-numa-affinity-policy-socket" + # New in 2024.2 + DEFAULT_NET_EXT+=",tag-creation,quota-check-limit-default,port-trusted-vif" + DEFAULT_NET_EXT+=",uplink-status-propagation-updatable" + # New in 2025.1 + DEFAULT_NET_EXT+=",qing,vpn-aes-ctr" + # New in 2025.2: None + local network_api_extensions=${NETWORK_API_EXTENSIONS:-$DEFAULT_NET_EXT} + if [[ ! -z "$DISABLE_NETWORK_API_EXTENSIONS" ]]; then # Enabled extensions are either the ones explicitly specified or those available on the API endpoint network_api_extensions=${NETWORK_API_EXTENSIONS:-$(iniget $tmp_cfg_file network-feature-enabled api_extensions | tr -d " ")} @@ -817,7 +858,10 @@ function configure_tempest { fi iniset $TEMPEST_CONFIG network-feature-enabled api_extensions $network_api_extensions # Swift API Extensions - local object_storage_api_extensions=${OBJECT_STORAGE_API_EXTENSIONS:-"all"} + DEFAULT_SWIFT_OPT="account_quotas,bulk_delete,bulk_upload,container_quotas" + DEFAULT_SWIFT_OPT+=",container_sync,crossdomain,formpost,ratelimit,slo" + DEFAULT_SWIFT_OPT+=",staticweb,tempauth,tempurl,versioned_writes" + local object_storage_api_extensions=${OBJECT_STORAGE_API_EXTENSIONS:-$DEFAULT_SWIFT_OPT} if [[ ! -z "$DISABLE_OBJECT_STORAGE_API_EXTENSIONS" ]]; then # Enabled extensions are either the ones explicitly specified or those available on the API endpoint object_storage_api_extensions=${OBJECT_STORAGE_API_EXTENSIONS:-$(iniget $tmp_cfg_file object-storage-feature-enabled discoverable_apis | tr -d " ")} @@ -826,7 +870,18 @@ function configure_tempest { fi iniset $TEMPEST_CONFIG object-storage-feature-enabled discoverable_apis $object_storage_api_extensions # Cinder API Extensions - local volume_api_extensions=${VOLUME_API_EXTENSIONS:-"all"} + DEFAULT_VOL_EXT="OS-SCH-HNT,backups,capabilities,cgsnapshots,consistencygroups" + DEFAULT_VOL_EXT+=",encryption,os-admin-actions,os-availability-zone" + DEFAULT_VOL_EXT+=",os-extended-services,os-extended-snapshot-attributes" + DEFAULT_VOL_EXT+=",os-hosts,os-quota-class-sets,os-quota-sets" + DEFAULT_VOL_EXT+=",os-services,os-snapshot-actions,os-snapshot-manage" + DEFAULT_VOL_EXT+=",os-snapshot-unmanage,os-types-extra-specs,os-types-manage" + DEFAULT_VOL_EXT+=",os-used-limits,os-vol-host-attr,os-vol-image-meta" + DEFAULT_VOL_EXT+=",os-vol-mig-status-attr,os-vol-tenant-attr,os-volume-actions" + DEFAULT_VOL_EXT+=",os-volume-encryption-metadata,os-volume-manage" + DEFAULT_VOL_EXT+=",os-volume-transfer,os-volume-type-access" + DEFAULT_VOL_EXT+=",os-volume-unmanage,qos-specs,scheduler-stats" + local volume_api_extensions=${VOLUME_API_EXTENSIONS:-$DEFAULT_VOL_EXT} if [[ ! -z "$DISABLE_VOLUME_API_EXTENSIONS" ]]; then # Enabled extensions are either the ones explicitly specified or those available on the API endpoint volume_api_extensions=${VOLUME_API_EXTENSIONS:-$(iniget $tmp_cfg_file volume-feature-enabled api_extensions | tr -d " ")} From a8fc640b674a744e887e641ca9addc85ac46e480 Mon Sep 17 00:00:00 2001 From: Fernando Ferraz Date: Fri, 19 Sep 2025 12:10:50 -0300 Subject: [PATCH 41/74] Avoid timeout in capture-system-logs due to df command The `df` command can stall indefinitely on stale NFS mounts, causing the playbook to time out. This leads to the entire job failing with POST_FAILURE status, discarding controller logs and impacting troubleshooting. This patch changes `capture-system-logs` to run `df` with a 60s timeout to prevent hangs from stale NFS mounts. If 'df' times out, the mount output may help debug which NFS share is unresponsive. Change-Id: Ife3945802c93bd77d60b60e433ea09aade38a522 Signed-off-by: Fernando Ferraz --- .zuul.yaml | 1 + roles/capture-system-logs/tasks/main.yaml | 8 +++++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/.zuul.yaml b/.zuul.yaml index 3b0e5dbde0..d81da3d8f5 100644 --- a/.zuul.yaml +++ b/.zuul.yaml @@ -446,6 +446,7 @@ /etc/sudoers.d: logs '{{ stage_dir }}/iptables.txt': logs '{{ stage_dir }}/df.txt': logs + '{{ stage_dir }}/mount.txt': logs '{{ stage_dir }}/pip2-freeze.txt': logs '{{ stage_dir }}/pip3-freeze.txt': logs '{{ stage_dir }}/dpkg-l.txt': logs diff --git a/roles/capture-system-logs/tasks/main.yaml b/roles/capture-system-logs/tasks/main.yaml index 77b5ec5098..4b5ec4836b 100644 --- a/roles/capture-system-logs/tasks/main.yaml +++ b/roles/capture-system-logs/tasks/main.yaml @@ -4,7 +4,13 @@ executable: /bin/bash cmd: | sudo iptables-save > {{ stage_dir }}/iptables.txt - df -h > {{ stage_dir }}/df.txt + + # NOTE(sfernand): Run 'df' with a 60s timeout to prevent hangs from + # stale NFS mounts. + timeout -s 9 60s df -h > {{ stage_dir }}/df.txt || true + # If 'df' times out, the mount output helps debug which NFS share + # is unresponsive. + mount > {{ stage_dir }}/mount.txt for py_ver in 2 3; do if [[ `which python${py_ver}` ]]; then From f8b3c902bef911938e03d4fc4f13fc9851a843f5 Mon Sep 17 00:00:00 2001 From: Balazs Gibizer Date: Thu, 25 Sep 2025 19:39:26 +0200 Subject: [PATCH 42/74] [nova-fake-virt]Restore compute restartability Since the stable-compute-uuid nova feature the compute nodes created via VIRT_DRIVER=fake cannot be restarted as these computes are not writing the compute_id file to disk at first startup. Therefore any subsequent restart will fail as nova-compute will refuse to start due to the missing compute_id file but having a service already in the DB. After this patch fake-virt uses a variant of the fake virt driver that actually writes compute_id file to disk. To allow multiple fake computes running on the same machine each compute now has a separate state_path created so each can store a separate compute_id file. Signed-off-by: Balazs Gibizer Change-Id: I813cab3c89554d1e319b2b3e5c3affd8ec5d887e --- lib/nova | 9 +++++++++ lib/nova_plugins/hypervisor-fake | 2 +- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/lib/nova b/lib/nova index 2357d87ee3..b289ec6d6d 100644 --- a/lib/nova +++ b/lib/nova @@ -1085,6 +1085,15 @@ function start_nova_compute { # gets its own configuration and own log file. local fake_conf="${NOVA_FAKE_CONF}-${i}" iniset $fake_conf DEFAULT host "${HOSTNAME}${i}" + # Ensure that each fake compute has its own state path so that it + # can have its own compute_id file + local state_path + state_path="$NOVA_STATE_PATH/${HOSTNAME}${i}" + COMPUTE_ID=$(uuidgen) + sudo mkdir -p "$state_path" + iniset $fake_conf DEFAULT state_path "$state_path" + # use the generated UUID as the stable compute node UUID + echo "$COMPUTE_ID" | sudo tee "$state_path/compute_id" run_process "n-cpu-${i}" "$NOVA_BIN_DIR/nova-compute --config-file $NOVA_CPU_CONF --config-file $fake_conf" done else diff --git a/lib/nova_plugins/hypervisor-fake b/lib/nova_plugins/hypervisor-fake index 87ee49fa4b..39cb45ca67 100644 --- a/lib/nova_plugins/hypervisor-fake +++ b/lib/nova_plugins/hypervisor-fake @@ -36,7 +36,7 @@ function cleanup_nova_hypervisor { # configure_nova_hypervisor - Set config files, create data dirs, etc function configure_nova_hypervisor { - iniset $NOVA_CONF DEFAULT compute_driver "fake.FakeDriver" + iniset $NOVA_CONF DEFAULT compute_driver "fake.FakeDriverWithoutFakeNodes" # Disable arbitrary limits iniset $NOVA_CONF quota driver nova.quota.NoopQuotaDriver } From 581d0a1d607538ffea0f41548fae25b4c6529cff Mon Sep 17 00:00:00 2001 From: Yatin Karel Date: Mon, 29 Sep 2025 17:03:48 +0530 Subject: [PATCH 43/74] [subnode setup] Fail the playbook when any node setup fails Currently on the multinode jobs, job continue to run even if devstack setup fails on any of the subnode and then fails later when required conditions are not met. This patch changes it to fail if any of the node setup fails using any_errors_fatal: true. Change-Id: I2acd8a1fe0802ee1880df2ef794f8e7d7478b67b Signed-off-by: Yatin Karel --- roles/orchestrate-devstack/tasks/main.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/orchestrate-devstack/tasks/main.yaml b/roles/orchestrate-devstack/tasks/main.yaml index 2b8ae01a62..b8ee7e35a7 100644 --- a/roles/orchestrate-devstack/tasks/main.yaml +++ b/roles/orchestrate-devstack/tasks/main.yaml @@ -4,6 +4,7 @@ when: inventory_hostname == 'controller' - name: Setup devstack on sub-nodes + any_errors_fatal: true block: - name: Distribute the build sshkey for the user "stack" From b20eaa6e142f2716eb1b85ed8eabd5bd71515a02 Mon Sep 17 00:00:00 2001 From: Michal Nasiadka Date: Fri, 3 Oct 2025 09:40:46 +0200 Subject: [PATCH 44/74] Add AlmaLinux 10 platform job AlmaLinux 10 has been introduced in OpenDev to increase hardware coverage - it supports x86-64-v2 (compared to v3 required by CentOS Stream 10 and Rocky Linux 10) Change-Id: I5c91f2166bfce51cadef9c22a22a6031223604c7 Signed-off-by: Michal Nasiadka --- .zuul.yaml | 33 ++++++++++++++++++++++++++++----- functions-common | 2 +- 2 files changed, 29 insertions(+), 6 deletions(-) diff --git a/.zuul.yaml b/.zuul.yaml index 3b0e5dbde0..927945d8f0 100644 --- a/.zuul.yaml +++ b/.zuul.yaml @@ -39,10 +39,10 @@ - controller - nodeset: - name: devstack-single-node-centos-10-stream + name: devstack-single-node-almalinux-10 nodes: - name: controller - label: centos-10-stream-8GB + label: almalinux-10-8GB groups: - name: tempest nodes: @@ -58,10 +58,15 @@ nodes: - controller -# TODO(frickler): drop this dummy nodeset once all references have been removed - nodeset: - name: devstack-single-node-opensuse-15 - nodes: [] + name: devstack-single-node-centos-10-stream + nodes: + - name: controller + label: centos-10-stream-8GB + groups: + - name: tempest + nodes: + - controller - nodeset: name: devstack-single-node-debian-bookworm @@ -73,6 +78,11 @@ nodes: - controller +# TODO(frickler): drop this dummy nodeset once all references have been removed +- nodeset: + name: devstack-single-node-opensuse-15 + nodes: [] + - nodeset: name: devstack-single-node-rockylinux-9 nodes: @@ -766,6 +776,16 @@ # we often have to rush things through devstack to stabilise the gate, # and these platforms don't have the round-the-clock support to avoid # becoming blockers in that situation. +- job: + name: devstack-platform-almalinux-purple-lion + parent: tempest-full-py3 + description: AlmaLinux 10 platform test + nodeset: devstack-single-node-almalinux-10 + timeout: 9000 + voting: false + vars: + configure_swap_size: 4096 + - job: name: devstack-platform-centos-10-stream parent: tempest-full-py3 @@ -966,6 +986,7 @@ - devstack - devstack-ipv6 - devstack-enforce-scope + - devstack-platform-almalinux-purple-lion - devstack-platform-centos-10-stream - devstack-platform-centos-9-stream - devstack-platform-debian-bookworm @@ -1051,10 +1072,12 @@ - devstack-no-tls-proxy periodic-weekly: jobs: + - devstack-platform-almalinux-purple-lion - devstack-platform-centos-10-stream - devstack-platform-centos-9-stream - devstack-platform-debian-bookworm - devstack-platform-rocky-blue-onyx + - devstack-platform-rocky-red-quartz - devstack-platform-ubuntu-noble-ovn-source - devstack-platform-ubuntu-noble-ovs - devstack-platform-ubuntu-jammy diff --git a/functions-common b/functions-common index 0ae51e3df1..c2042c4fef 100644 --- a/functions-common +++ b/functions-common @@ -438,7 +438,7 @@ function _ensure_lsb_release { function GetOSVersion { # CentOS Stream 9 or later and RHEL 9 or later do not provide lsb_release source /etc/os-release - if [[ "${ID}" =~ (centos|rocky|rhel) ]]; then + if [[ "${ID}" =~ (almalinux|centos|rocky|rhel) ]]; then os_RELEASE=${VERSION_ID} os_CODENAME=$(echo $VERSION | grep -oP '(?<=[(])[^)]*' || echo 'n/a') os_VENDOR=$(echo $NAME | tr -d '[:space:]') From fe4d1e605935c61286d9bea14c2e432a079363d6 Mon Sep 17 00:00:00 2001 From: Takashi Kajinami Date: Sat, 12 Jul 2025 00:36:21 +0900 Subject: [PATCH 45/74] Create dedicated function to manage only keystoneauth options Using the common function to configure keystoneauth middleware leaves some options not actually used for service-to-service communication. Create a dedicated function, which configures only options loaded by keystoneauth library, to drop unnecessary options. Change-Id: Idafdd4a3925d09f155d8ec651786ccbcd6a5f2e4 Signed-off-by: Takashi Kajinami --- lib/cinder | 13 ++----------- lib/keystone | 28 +++++++++++++++++++--------- lib/neutron | 13 +++---------- lib/nova | 34 ++++------------------------------ 4 files changed, 28 insertions(+), 60 deletions(-) diff --git a/lib/cinder b/lib/cinder index aef6854062..aafd837c95 100644 --- a/lib/cinder +++ b/lib/cinder @@ -303,15 +303,6 @@ function configure_cinder { cp $CINDER_DIR/etc/cinder/api-paste.ini $CINDER_API_PASTE_INI - inicomment $CINDER_API_PASTE_INI filter:authtoken auth_host - inicomment $CINDER_API_PASTE_INI filter:authtoken auth_port - inicomment $CINDER_API_PASTE_INI filter:authtoken auth_protocol - inicomment $CINDER_API_PASTE_INI filter:authtoken cafile - inicomment $CINDER_API_PASTE_INI filter:authtoken admin_tenant_name - inicomment $CINDER_API_PASTE_INI filter:authtoken admin_user - inicomment $CINDER_API_PASTE_INI filter:authtoken admin_password - inicomment $CINDER_API_PASTE_INI filter:authtoken signing_dir - configure_keystone_authtoken_middleware $CINDER_CONF cinder iniset $CINDER_CONF DEFAULT debug $ENABLE_DEBUG_LOG_LEVEL @@ -423,7 +414,7 @@ function configure_cinder { configure_keystone_authtoken_middleware $CINDER_CONF glance glance # Set nova credentials (used for os-assisted-snapshots) - configure_keystone_authtoken_middleware $CINDER_CONF nova nova + configure_keystoneauth $CINDER_CONF nova nova iniset $CINDER_CONF nova region_name "$REGION_NAME" iniset $CINDER_CONF DEFAULT graceful_shutdown_timeout "$SERVICE_GRACEFUL_SHUTDOWN_TIMEOUT" @@ -733,8 +724,8 @@ function configure_cinder_volume_upload { } function init_cinder_service_user_conf { - configure_keystone_authtoken_middleware $CINDER_CONF cinder service_user iniset $CINDER_CONF service_user send_service_user_token True + configure_keystoneauth $CINDER_CONF cinder service_user } # Restore xtrace diff --git a/lib/keystone b/lib/keystone index 241909cb9d..4a2d7a9f6c 100644 --- a/lib/keystone +++ b/lib/keystone @@ -421,18 +421,13 @@ function create_service_user { fi } -# Configure a service to use the auth token middleware. -# -# configure_keystone_authtoken_middleware conf_file admin_user IGNORED [section] +# Configure options for keystoneauth # -# section defaults to keystone_authtoken, which is where auth_token looks in -# the .conf file. If the paste config file is used (api-paste.ini) then -# provide the section name for the auth_token filter. -function configure_keystone_authtoken_middleware { +# configure_keystoneauth conf_file admin_user section +function configure_keystoneauth { local conf_file=$1 local admin_user=$2 - local section=${3:-keystone_authtoken} - local service_type=$4 + local section=$3 iniset $conf_file $section auth_type password iniset $conf_file $section interface public @@ -442,7 +437,22 @@ function configure_keystone_authtoken_middleware { iniset $conf_file $section user_domain_name "$SERVICE_DOMAIN_NAME" iniset $conf_file $section project_name $SERVICE_PROJECT_NAME iniset $conf_file $section project_domain_name "$SERVICE_DOMAIN_NAME" +} + +# Configure a service to use the auth token middleware. +# +# configure_keystone_authtoken_middleware conf_file admin_user [section] +# +# section defaults to keystone_authtoken, which is where auth_token looks in +# the .conf file. If the paste config file is used (api-paste.ini) then +# provide the section name for the auth_token filter. +function configure_keystone_authtoken_middleware { + local conf_file=$1 + local admin_user=$2 + local section=${3:-keystone_authtoken} + local service_type=$4 + configure_keystoneauth $conf_file $admin_user $section iniset $conf_file $section cafile $SSL_BUNDLE_FILE iniset $conf_file $section memcached_servers $MEMCACHE_SERVERS if [[ -n "$service_type" ]]; then diff --git a/lib/neutron b/lib/neutron index ea2d8e728a..44cd249fa1 100644 --- a/lib/neutron +++ b/lib/neutron @@ -460,14 +460,7 @@ function configure_neutron_nova { function create_nova_conf_neutron { local conf=${1:-$NOVA_CONF} - iniset $conf neutron auth_type "password" - iniset $conf neutron auth_url "$KEYSTONE_SERVICE_URI" - iniset $conf neutron username nova - iniset $conf neutron password "$SERVICE_PASSWORD" - iniset $conf neutron user_domain_name "$SERVICE_DOMAIN_NAME" - iniset $conf neutron project_name "$SERVICE_PROJECT_NAME" - iniset $conf neutron project_domain_name "$SERVICE_DOMAIN_NAME" - iniset $conf neutron auth_strategy "$Q_AUTH_STRATEGY" + configure_keystoneauth $conf nova neutron iniset $conf neutron region_name "$REGION_NAME" # optionally set options in nova_conf @@ -1011,10 +1004,10 @@ function _configure_neutron_service { iniset $NEUTRON_CONF DEFAULT notify_nova_on_port_status_changes $Q_NOTIFY_NOVA_PORT_STATUS_CHANGES iniset $NEUTRON_CONF DEFAULT notify_nova_on_port_data_changes $Q_NOTIFY_NOVA_PORT_DATA_CHANGES - configure_keystone_authtoken_middleware $NEUTRON_CONF nova nova + configure_keystoneauth $NEUTRON_CONF nova nova # Configuration for placement client - configure_keystone_authtoken_middleware $NEUTRON_CONF placement placement + configure_keystoneauth $NEUTRON_CONF placement placement # Configure plugin neutron_plugin_configure_service diff --git a/lib/nova b/lib/nova index 2357d87ee3..a7222cec81 100644 --- a/lib/nova +++ b/lib/nova @@ -628,32 +628,19 @@ function create_nova_conf { function configure_placement_nova_compute { # Use the provided config file path or default to $NOVA_CONF. local conf=${1:-$NOVA_CONF} - iniset $conf placement auth_type "password" - iniset $conf placement auth_url "$KEYSTONE_SERVICE_URI" - iniset $conf placement username nova - iniset $conf placement password "$SERVICE_PASSWORD" - iniset $conf placement user_domain_name "$SERVICE_DOMAIN_NAME" - iniset $conf placement project_name "$SERVICE_TENANT_NAME" - iniset $conf placement project_domain_name "$SERVICE_DOMAIN_NAME" - iniset $conf placement region_name "$REGION_NAME" + configure_keystoneauth $conf nova placement } # Configure access to cinder. function configure_cinder_access { iniset $NOVA_CONF cinder os_region_name "$REGION_NAME" - iniset $NOVA_CONF cinder auth_type "password" - iniset $NOVA_CONF cinder auth_url "$KEYSTONE_SERVICE_URI" # NOTE(mriedem): This looks a bit weird but we use the nova user here # since it has the admin role and the cinder user does not. This is # similar to using the nova user in init_nova_service_user_conf. We need # to use a user with the admin role for background tasks in nova to # be able to GET block-storage API resources owned by another project # since cinder has low-level "is_admin" checks in its DB API. - iniset $NOVA_CONF cinder username nova - iniset $NOVA_CONF cinder password "$SERVICE_PASSWORD" - iniset $NOVA_CONF cinder user_domain_name "$SERVICE_DOMAIN_NAME" - iniset $NOVA_CONF cinder project_name "$SERVICE_TENANT_NAME" - iniset $NOVA_CONF cinder project_domain_name "$SERVICE_DOMAIN_NAME" + configure_keystoneauth $conf nova cinder if is_service_enabled tls-proxy; then CINDER_SERVICE_HOST=${CINDER_SERVICE_HOST:-$SERVICE_HOST} CINDER_SERVICE_PORT=${CINDER_SERVICE_PORT:-8776} @@ -663,14 +650,7 @@ function configure_cinder_access { # Configure access to manila. function configure_manila_access { - iniset $NOVA_CONF manila os_region_name "$REGION_NAME" - iniset $NOVA_CONF manila auth_type "password" - iniset $NOVA_CONF manila auth_url "$KEYSTONE_SERVICE_URI" - iniset $NOVA_CONF manila username nova - iniset $NOVA_CONF manila password "$SERVICE_PASSWORD" - iniset $NOVA_CONF manila user_domain_name "$SERVICE_DOMAIN_NAME" - iniset $NOVA_CONF manila project_name "$SERVICE_TENANT_NAME" - iniset $NOVA_CONF manila project_domain_name "$SERVICE_DOMAIN_NAME" + configure_keystoneauth $conf nova manila } function configure_console_compute { @@ -836,13 +816,7 @@ function configure_nova_unified_limits { function init_nova_service_user_conf { iniset $NOVA_CONF service_user send_service_user_token True - iniset $NOVA_CONF service_user auth_type password - iniset $NOVA_CONF service_user auth_url "$KEYSTONE_SERVICE_URI" - iniset $NOVA_CONF service_user username nova - iniset $NOVA_CONF service_user password "$SERVICE_PASSWORD" - iniset $NOVA_CONF service_user user_domain_name "$SERVICE_DOMAIN_NAME" - iniset $NOVA_CONF service_user project_name "$SERVICE_PROJECT_NAME" - iniset $NOVA_CONF service_user project_domain_name "$SERVICE_DOMAIN_NAME" + configure_keystoneauth $NOVA_CONF nova service_user } function conductor_conf { From 5a32609b04aa3df31a128c73cc052d41457db390 Mon Sep 17 00:00:00 2001 From: Takashi Kajinami Date: Tue, 15 Jul 2025 00:22:18 +0900 Subject: [PATCH 46/74] Add www_authenticate_uri ... to suppress the following warning from keystonemiddleware. Configuring www_authenticate_uri to point to the public identity endpoint is required; clients may not be able to authenticate against an admin endpoint Change-Id: I3f1a6b2c5d2e7d3dce6fd1ee6694f8146ae06437 Signed-off-by: Takashi Kajinami --- lib/keystone | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/keystone b/lib/keystone index 4a2d7a9f6c..7e7cd2526b 100644 --- a/lib/keystone +++ b/lib/keystone @@ -453,6 +453,7 @@ function configure_keystone_authtoken_middleware { local service_type=$4 configure_keystoneauth $conf_file $admin_user $section + iniset $conf_file $section www_authenticate_uri $KEYSTONE_SERVICE_URI iniset $conf_file $section cafile $SSL_BUNDLE_FILE iniset $conf_file $section memcached_servers $MEMCACHE_SERVERS if [[ -n "$service_type" ]]; then From 8060e12a7bddf16179098e611f7052291eafa1e3 Mon Sep 17 00:00:00 2001 From: Takashi Kajinami Date: Sun, 12 Oct 2025 13:41:57 +0900 Subject: [PATCH 47/74] Drop logic for CentOS (Stream) 8 Change-Id: I528652ced464fadd565e16e89a7e0ef826d42611 Signed-off-by: Takashi Kajinami --- files/rpms/n-cpu | 3 +-- files/rpms/nova | 3 +-- lib/neutron_plugins/ovn_agent | 3 --- stack.sh | 31 +------------------------------ tools/fixup_stuff.sh | 13 ------------- 5 files changed, 3 insertions(+), 50 deletions(-) diff --git a/files/rpms/n-cpu b/files/rpms/n-cpu index 5683862ee0..3d50f3a062 100644 --- a/files/rpms/n-cpu +++ b/files/rpms/n-cpu @@ -1,10 +1,9 @@ cryptsetup dosfstools -genisoimage # not:rhel9,rhel10 iscsi-initiator-utils libosinfo lvm2 sg3_utils # Stuff for diablo volumes sysfsutils -xorriso # not:rhel8 +xorriso diff --git a/files/rpms/nova b/files/rpms/nova index 3ed2943c1d..c323224279 100644 --- a/files/rpms/nova +++ b/files/rpms/nova @@ -1,7 +1,7 @@ conntrack-tools curl ebtables -genisoimage # not:rhel9,rhel10 required for config_drive +genisoimage iptables iputils kernel-modules # not:openEuler-22.03 @@ -11,4 +11,3 @@ polkit rabbitmq-server # NOPRIME sqlite sudo -xorriso # not:rhel8 diff --git a/lib/neutron_plugins/ovn_agent b/lib/neutron_plugins/ovn_agent index b128fde2b6..e346f4d1cd 100644 --- a/lib/neutron_plugins/ovn_agent +++ b/lib/neutron_plugins/ovn_agent @@ -407,9 +407,6 @@ function install_ovn { sudo mkdir -p $OVS_PREFIX/var/log/ovn sudo chown $(whoami) $OVS_PREFIX/var/log/ovn else - # Load fixup_ovn_centos - source ${TOP_DIR}/tools/fixup_stuff.sh - fixup_ovn_centos install_package $(get_packages openvswitch) install_package $(get_packages ovn) fi diff --git a/stack.sh b/stack.sh index c8be7fa216..67c7a74de9 100755 --- a/stack.sh +++ b/stack.sh @@ -366,36 +366,7 @@ fi # to speed things up SKIP_EPEL_INSTALL=$(trueorfalse False SKIP_EPEL_INSTALL) -if [[ $DISTRO == "rhel8" ]]; then - # If we have /etc/ci/mirror_info.sh assume we're on a OpenStack CI - # node, where EPEL is installed (but disabled) and already - # pointing at our internal mirror - if [[ -f /etc/ci/mirror_info.sh ]]; then - SKIP_EPEL_INSTALL=True - sudo dnf config-manager --set-enabled epel - fi - - # PowerTools repo provides libyaml-devel required by devstack itself and - # EPEL packages assume that the PowerTools repository is enable. - sudo dnf config-manager --set-enabled PowerTools - - # CentOS 8.3 changed the repository name to lower case. - sudo dnf config-manager --set-enabled powertools - - if [[ ${SKIP_EPEL_INSTALL} != True ]]; then - _install_epel - fi - # Along with EPEL, CentOS (and a-likes) require some packages only - # available in RDO repositories (e.g. OVS, or later versions of - # kvm) to run. - _install_rdo - - # NOTE(cgoncalves): workaround RHBZ#1154272 - # dnf fails for non-privileged users when expired_repos.json doesn't exist. - # RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1154272 - # Patch: https://github.com/rpm-software-management/dnf/pull/1448 - echo "[]" | sudo tee /var/cache/dnf/expired_repos.json -elif [[ $DISTRO == "rhel9" ]]; then +if [[ $DISTRO == "rhel9" ]]; then # for CentOS Stream 9 repository sudo dnf config-manager --set-enabled crb # for RHEL 9 repository diff --git a/tools/fixup_stuff.sh b/tools/fixup_stuff.sh index faea44f1e0..fbac5ad2f1 100755 --- a/tools/fixup_stuff.sh +++ b/tools/fixup_stuff.sh @@ -89,19 +89,6 @@ EOF if is_package_installed python3-setuptools; then sudo dnf reinstall -y python3-setuptools fi - # Workaround CentOS 8-stream iputils and systemd Bug - # https://bugzilla.redhat.com/show_bug.cgi?id=2037807 - if [[ $os_VENDOR == "CentOSStream" && $os_RELEASE -eq 8 ]]; then - sudo sysctl -w net.ipv4.ping_group_range='0 2147483647' - fi -} - -function fixup_ovn_centos { - if [[ $os_VENDOR != "CentOS" ]]; then - return - fi - # OVN packages are part of this release for CentOS - yum_install centos-release-openstack-victoria } function fixup_ubuntu { From 84652d3cb8022f20cbcfaef747306c95763b8039 Mon Sep 17 00:00:00 2001 From: Balazs Gibizer Date: Wed, 22 Jan 2025 17:00:59 +0100 Subject: [PATCH 48/74] Follow up for creating parent dir for config files The commit Ia5fcfe6c63f5cc40b11f7e1f3be244d7897f26f6 wanted to enable config file creation even if its parent dir not exists. But missed that the caller of merge_config_file, merge_config_group already checks for hte missing directory. So creating the missing dir in merge_config_file is too late. This patch moves the dir creation to the caller. Change-Id: Ied0f321f31bf8888dce71cc18749f35dde303390 Signed-off-by: Balazs Gibizer --- inc/meta-config | 13 ++++++++----- tests/test_meta_config.sh | 24 +++++++++++++++++++----- 2 files changed, 27 insertions(+), 10 deletions(-) diff --git a/inc/meta-config b/inc/meta-config index b9d9649e4b..1215bb8307 100644 --- a/inc/meta-config +++ b/inc/meta-config @@ -90,7 +90,6 @@ function merge_config_file { local real_configfile real_configfile=$(eval echo $configfile) if [ ! -f $real_configfile ]; then - mkdir -p $(dirname $real_configfile) || die $LINENO "could not create the directory of $real_configfile ($configfile)" touch $real_configfile || die $LINENO "could not create config file $real_configfile ($configfile)" fi @@ -186,11 +185,15 @@ function merge_config_group { break fi dir=$(dirname $realconfigfile) - if [[ -d $dir ]]; then - merge_config_file $localfile $group $configfile - else - die $LINENO "bogus config file specification $configfile ($configfile=$realconfigfile, $dir is not a directory)" + + test -e $dir && ! test -d $dir && die $LINENO "bogus config file specification $configfile ($configfile=$realconfigfile, $dir exists but it is not a directory)" + + if ! [[ -e $dir ]] ; then + sudo mkdir -p $dir || die $LINENO "could not create the directory of $real_configfile ($configfile)" + sudo chown ${STACK_USER} $dir fi + + merge_config_file $localfile $group $configfile done done } diff --git a/tests/test_meta_config.sh b/tests/test_meta_config.sh index 087aaf468b..30479f245a 100755 --- a/tests/test_meta_config.sh +++ b/tests/test_meta_config.sh @@ -137,6 +137,9 @@ foo=bar [some] random=config +[[test12|run_tests.sh/test.conf]] +foo=bar + [[test-multi-sections|test-multi-sections.conf]] [sec-1] cfg_item1 = abcd @@ -389,13 +392,12 @@ EXPECT_VAL=0 check_result "$VAL" "$EXPECT_VAL" set -e -echo -n "merge_config_group test10 not directory: " +echo -n "merge_config_group test10 create directory: " set +e -# function is expected to fail and exit, running it -# in a subprocess to let this script proceed -(merge_config_group test.conf test10) +STACK_USER=$(id -u -n) +merge_config_group test.conf test10 VAL=$? -EXPECT_VAL=255 +EXPECT_VAL=0 check_result "$VAL" "$EXPECT_VAL" set -e @@ -414,9 +416,21 @@ random = config non = sense' check_result "$VAL" "$EXPECT_VAL" +echo -n "merge_config_group test12 directory as file: " +set +e +# function is expected to fail and exit, running it +# in a subprocess to let this script proceed +(merge_config_group test.conf test12) +VAL=$? +EXPECT_VAL=255 +check_result "$VAL" "$EXPECT_VAL" +set -e + rm -f test.conf test1c.conf test2a.conf \ test-space.conf test-equals.conf test-strip.conf \ test-colon.conf test-env.conf test-multiline.conf \ test-multi-sections.conf test-same.conf rm -rf test-etc +rm -rf does-not-exist-dir + From eee708742af669833d6a85d4c7289accb49c18a2 Mon Sep 17 00:00:00 2001 From: Stephen Finucane Date: Fri, 31 Oct 2025 17:09:11 +0000 Subject: [PATCH 49/74] Remove use of pkg_resources Change-Id: I5d0697f39bab0a5ff956c3cc41c26ffe601ef6b9 Signed-off-by: Stephen Finucane --- inc/python | 3 +-- tools/fixup_stuff.sh | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/inc/python b/inc/python index cd90ac82c6..3969c1fa82 100644 --- a/inc/python +++ b/inc/python @@ -273,8 +273,7 @@ function use_library_from_git { function lib_installed_from_git { local name=$1 local safe_name - safe_name=$(python -c "from pkg_resources import safe_name; \ - print(safe_name('${name}'))") + safe_name=$(python -c "from packaging import canonicalize_name; print(canonicalize_name('${name}'))") # Note "pip freeze" doesn't always work here, because it tries to # be smart about finding the remote of the git repo the package # was installed from. This doesn't work with zuul which clones diff --git a/tools/fixup_stuff.sh b/tools/fixup_stuff.sh index faea44f1e0..d8283b2591 100755 --- a/tools/fixup_stuff.sh +++ b/tools/fixup_stuff.sh @@ -84,7 +84,7 @@ EOF # python3-setuptools RPM are deleted, it breaks some tools such as semanage # (used in diskimage-builder) that use the -s flag of the python # interpreter, enforcing the use of the packages from /usr/lib. - # Importing setuptools/pkg_resources in a such environment fails. + # Importing setuptools in a such environment fails. # Enforce the package re-installation to fix those applications. if is_package_installed python3-setuptools; then sudo dnf reinstall -y python3-setuptools From df74bcda897ad9fc4a2f2c1f7a17ee8a4689c217 Mon Sep 17 00:00:00 2001 From: Takashi Kajinami Date: Thu, 6 Nov 2025 13:53:00 +0900 Subject: [PATCH 50/74] Install OVMF package OVMF package is required to enable UEFI boot support. Change-Id: Ib1c3ab57740488a3ab8650ef033e1e6ec398f108 Signed-off-by: Takashi Kajinami --- lib/nova_plugins/functions-libvirt | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lib/nova_plugins/functions-libvirt b/lib/nova_plugins/functions-libvirt index c0713f9953..7175931384 100644 --- a/lib/nova_plugins/functions-libvirt +++ b/lib/nova_plugins/functions-libvirt @@ -70,6 +70,7 @@ function install_libvirt { if is_ubuntu; then install_package qemu-system libvirt-clients libvirt-daemon-system libvirt-dev python3-libvirt systemd-coredump + install_package ovmf if is_arch "aarch64"; then install_package qemu-efi-aarch64 fi @@ -94,6 +95,7 @@ function install_libvirt { # pre-installed these install_package $qemu_package install_package libvirt libvirt-devel + install_package edk2-ovmf if [[ $DISTRO =~ rhel9 ]]; then pip_install_gr libvirt-python From 1c86258e6b0ccf95e6119d3a6271afa38e05d0a3 Mon Sep 17 00:00:00 2001 From: Stephen Finucane Date: Thu, 2 Oct 2025 17:48:03 +0100 Subject: [PATCH 51/74] Enable response validation in Keystone Unlike other projects, Keystone was previously enabling validation for all responses. This is a bad idea (TM). Quoting from the Keystone docs for the new '[api] response_validation' option added in [1]: 'warn' is the current recommendation for production environments. If you find it necessary to enable the 'ignore' option, please report the issues you are seeing to the Keystone team so we can improve our schemas. 'error' should not be used in a production environment. This is because schema validation happens *after* the response body has been generated, meaning any side effects will still happen and the call may be non-idempotent despite the user receiving a HTTP 500 error. DevStack is not used for production environments and is instead the test harness used for the bulk of our integration testing. We *do* want failed response validation to result in an error, since it will highlight bugs in our schemas. Thus, we should override the default value for this option. [1] https://review.opendev.org/c/openstack/keystone/+/962851 Change-Id: I9fc2c5dce9511165ad2c1ab18db5eb439d357d9b Signed-off-by: Stephen Finucane Related-bug: #2126676 --- lib/keystone | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/lib/keystone b/lib/keystone index 241909cb9d..840103b9f4 100644 --- a/lib/keystone +++ b/lib/keystone @@ -195,6 +195,10 @@ function configure_keystone { iniset $KEYSTONE_CONF cache backend $CACHE_BACKEND iniset $KEYSTONE_CONF cache memcache_servers $MEMCACHE_SERVERS + # Enable errors if response validation fails. We want this enabled in CI + # and development contexts to highlights bugs in our response schemas. + iniset $KEYSTONE_CONF api response_validation error + iniset_rpc_backend keystone $KEYSTONE_CONF oslo_messaging_notifications local service_port=$KEYSTONE_SERVICE_PORT From 3566a15b8eeebb0dfc36e47f87129b108d2980e1 Mon Sep 17 00:00:00 2001 From: Stephen Finucane Date: Thu, 2 Oct 2025 17:46:42 +0100 Subject: [PATCH 52/74] Enable response validation in Nova Per inline description Change-Id: I85c959461e4e96b69d252e06fc697a1c61488411 Signed-off-by: Stephen Finucane --- lib/nova | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/lib/nova b/lib/nova index b289ec6d6d..460b4adc85 100644 --- a/lib/nova +++ b/lib/nova @@ -453,6 +453,10 @@ function create_nova_conf { iniset $NOVA_CONF DEFAULT metadata_listen "$NOVA_SERVICE_LISTEN_ADDRESS" iniset $NOVA_CONF DEFAULT shutdown_timeout $NOVA_SHUTDOWN_TIMEOUT + # Enable errors if response validation fails. We want this enabled in CI + # and development contexts to highlights bugs in our response schemas. + iniset $NOVA_CONF api response_validation error + iniset $NOVA_CONF key_manager backend nova.keymgr.conf_key_mgr.ConfKeyManager iniset $NOVA_CONF DEFAULT report_interval $NOVA_SERVICE_REPORT_INTERVAL From a041a7fc66453958ce1d34421330fd27393bbd65 Mon Sep 17 00:00:00 2001 From: Ghanshyam Maan Date: Thu, 6 Nov 2025 18:39:36 +0000 Subject: [PATCH 53/74] Re-add the ironic job in gate Ironic job ironic-tempest-bios-ipmi-direct-tinyipa has been renamed to ironic-tempest-bios-ipmi-direct - https://review.opendev.org/c/openstack/ironic/+/950192 Zuul did not give any error or warning when this jobs was ignored to run and it went unnotice until I manually checked the gate jobs. Change-Id: I9b6bb94456ccfd17c2e38cdaa772aef372d169d0 Signed-off-by: Ghanshyam Maan --- .zuul.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.zuul.yaml b/.zuul.yaml index 927945d8f0..a751c70a6a 100644 --- a/.zuul.yaml +++ b/.zuul.yaml @@ -998,7 +998,7 @@ - devstack-multinode - devstack-unit-tests - openstack-tox-bashate - - ironic-tempest-bios-ipmi-direct-tinyipa + - ironic-tempest-bios-ipmi-direct - swift-dsvm-functional - grenade: irrelevant-files: *common-irrelevant-files @@ -1031,7 +1031,7 @@ - openstack-tox-bashate - neutron-ovs-grenade-multinode: irrelevant-files: *common-irrelevant-files - - ironic-tempest-bios-ipmi-direct-tinyipa + - ironic-tempest-bios-ipmi-direct - swift-dsvm-functional - grenade: irrelevant-files: *common-irrelevant-files From f8ebb4939c46eed2f69bece7a7d9c8ff31b61353 Mon Sep 17 00:00:00 2001 From: "Dr. Jens Harbott" Date: Thu, 10 Jul 2025 21:15:21 +0200 Subject: [PATCH 54/74] Add support for trixie and platform job Dropping libapache2-mod-proxy-uwsgi package for debuntu, which is no longer needed for Jammy, Bookworm and beyond. libpcre3-dev is removed form the set of packages pre installed for debian systems. This change adds both single and two node nodesets for trixie. Signed-off-by: Dr. Jens Harbott Signed-off-by: Sean Mooney Change-Id: Ib056d2ad64b31657ea8ef9359fed78e589b01b88 --- .zuul.yaml | 51 +++++++++++++++++++++++++++++++++++++++++++++ files/debs/general | 2 -- lib/apache | 2 +- lib/databases/mysql | 14 +++++++++++-- stack.sh | 3 +-- 5 files changed, 65 insertions(+), 7 deletions(-) diff --git a/.zuul.yaml b/.zuul.yaml index 927945d8f0..357c085fe9 100644 --- a/.zuul.yaml +++ b/.zuul.yaml @@ -68,6 +68,16 @@ nodes: - controller +- nodeset: + name: devstack-single-node-debian-trixie + nodes: + - name: controller + label: debian-trixie-8GB + groups: + - name: tempest + nodes: + - controller + - nodeset: name: devstack-single-node-debian-bookworm nodes: @@ -383,6 +393,36 @@ nodes: - compute1 +- nodeset: + name: devstack-two-node-debian-trixie + nodes: + - name: controller + label: debian-trixie-8GB + - name: compute1 + label: debian-trixie-8GB + groups: + # Node where tests are executed and test results collected + - name: tempest + nodes: + - controller + # Nodes running the compute service + - name: compute + nodes: + - controller + - compute1 + # Nodes that are not the controller + - name: subnode + nodes: + - compute1 + # Switch node for multinode networking setup + - name: switch + nodes: + - controller + # Peer nodes for multinode networking setup + - name: peers + nodes: + - compute1 + - job: name: devstack-base parent: openstack-multinode-fips @@ -806,6 +846,15 @@ timeout: 9000 voting: false +- job: + name: devstack-platform-debian-trixie + parent: tempest-full-py3 + description: Debian Trixie platform test + nodeset: devstack-single-node-debian-trixie + timeout: 9000 + vars: + configure_swap_size: 4096 + - job: name: devstack-platform-debian-bookworm parent: tempest-full-py3 @@ -990,6 +1039,7 @@ - devstack-platform-centos-10-stream - devstack-platform-centos-9-stream - devstack-platform-debian-bookworm + - devstack-platform-debian-trixie - devstack-platform-rocky-blue-onyx - devstack-platform-rocky-red-quartz - devstack-platform-ubuntu-noble-ovn-source @@ -1021,6 +1071,7 @@ - devstack - devstack-ipv6 - devstack-platform-debian-bookworm + - devstack-platform-debian-trixie - devstack-platform-ubuntu-noble # NOTE(danms): Disabled due to instability, see comment in the job # definition above. diff --git a/files/debs/general b/files/debs/general index 364f3cc6e2..1e63e4f582 100644 --- a/files/debs/general +++ b/files/debs/general @@ -11,10 +11,8 @@ gettext # used for compiling message catalogs git graphviz # needed for docs iputils-ping -libapache2-mod-proxy-uwsgi libffi-dev # for pyOpenSSL libjpeg-dev # Pillow 3.0.0 -libpcre3-dev # for python-pcre libpq-dev # psycopg2 libssl-dev # for pyOpenSSL libsystemd-dev # for systemd-python diff --git a/lib/apache b/lib/apache index c49da711e1..b3379a7cde 100644 --- a/lib/apache +++ b/lib/apache @@ -82,7 +82,7 @@ function install_apache_uwsgi { fi if is_ubuntu; then - local pkg_list="uwsgi uwsgi-plugin-python3 libapache2-mod-proxy-uwsgi" + local pkg_list="uwsgi uwsgi-plugin-python3" install_package ${pkg_list} # NOTE(ianw) 2022-02-03 : Fedora 35 needs to skip this and fall # into the install-from-source because the upstream packages diff --git a/lib/databases/mysql b/lib/databases/mysql index 629014c1d8..a47580ca3d 100644 --- a/lib/databases/mysql +++ b/lib/databases/mysql @@ -20,7 +20,7 @@ if [[ -z "$MYSQL_SERVICE_NAME" ]]; then MYSQL_SERVICE_NAME=mysql if is_fedora && ! is_oraclelinux; then MYSQL_SERVICE_NAME=mariadb - elif [[ "$DISTRO" =~ bookworm|bullseye ]]; then + elif [[ "$DISTRO" =~ trixie|bookworm|bullseye ]]; then MYSQL_SERVICE_NAME=mariadb fi fi @@ -107,7 +107,7 @@ function configure_database_mysql { # for Ubuntu 22.04+ because the authorization model change in # version 10.4 of mariadb. See # https://mariadb.org/authentication-in-mariadb-10-4/ - if ! (is_ubuntu && [[ ! "$DISTRO" =~ bookworm|bullseye ]] && [ "$MYSQL_SERVICE_NAME" == "mariadb" ]); then + if ! (is_ubuntu && [[ ! "$DISTRO" =~ trixie|bookworm|bullseye ]] && [ "$MYSQL_SERVICE_NAME" == "mariadb" ]); then sudo mysqladmin -u root password $DATABASE_PASSWORD || true fi @@ -119,6 +119,16 @@ function configure_database_mysql { local cmd_args="-uroot -p$DATABASE_PASSWORD -h$SERVICE_LOCAL_HOST " fi + # Workaround for mariadb > 11.6.2, + # see https://bugs.launchpad.net/nova/+bug/2116186/comments/3 + min_db_ver="11.6.2" + db_version=$(sudo mysql ${cmd_args} -e "select version();" -sN | cut -d '-' -f 1) + max_db_ver=$(printf '%s\n' ${min_db_ver} ${db_version} | sort -V | tail -n 1) + if [[ "${min_db_ver}" != "${max_db_ver}" ]]; then + iniset -sudo $my_conf mysqld innodb_snapshot_isolation OFF + restart_service $MYSQL_SERVICE_NAME + fi + # In mariadb e.g. on Ubuntu socket plugin is used for authentication # as root so it works only as sudo. To restore old "mysql like" behaviour, # we need to change auth plugin for root user diff --git a/stack.sh b/stack.sh index a7f6a5e903..5ef98eb7b7 100755 --- a/stack.sh +++ b/stack.sh @@ -1,6 +1,5 @@ #!/usr/bin/env bash - # ``stack.sh`` is an opinionated OpenStack developer installation. It # installs and configures various combinations of **Cinder**, **Glance**, # **Horizon**, **Keystone**, **Nova**, **Neutron**, and **Swift** @@ -230,7 +229,7 @@ write_devstack_version # Warn users who aren't on an explicitly supported distro, but allow them to # override check and attempt installation with ``FORCE=yes ./stack`` -SUPPORTED_DISTROS="bookworm|jammy|noble|rhel9|rhel10" +SUPPORTED_DISTROS="trixie|bookworm|jammy|noble|rhel9|rhel10" if [[ ! ${DISTRO} =~ $SUPPORTED_DISTROS ]]; then echo "WARNING: this script has not been tested on $DISTRO" From 9a0db4f4999e2aa5923ed32452f1d2e41ae4ea55 Mon Sep 17 00:00:00 2001 From: Rodolfo Alonso Hernandez Date: Wed, 16 Jul 2025 11:38:12 +0000 Subject: [PATCH 55/74] [Neutron] Add TARGET_ENABLE_OVN_AGENT variable to enable OVN agent The new flag ``TARGET_ENABLE_OVN_AGENT`` will be disabled by default. If enabled: * The OVN agent will be enabled, regardless of not being configured. * The OVN Metadata agent will be disabled, regardless of being configured. This variable will be used, initially, in the grenade jobs. It will be used to test the migration from the OVN Metadata agent to the OVN agent. This variable will be removed in 2026.2, along with the OVN Metadata agent, that is set as deprecated and marked for removal. Related-Bug: #2112313 Signed-off-by: Rodolfo Alonso Hernandez Change-Id: I8f91e1cb8543da489f495b8cf5196e606a0f5eea --- lib/neutron_plugins/ovn_agent | 44 ++++++++++++++++++++++++++++------- 1 file changed, 35 insertions(+), 9 deletions(-) diff --git a/lib/neutron_plugins/ovn_agent b/lib/neutron_plugins/ovn_agent index b128fde2b6..0e87b473e9 100644 --- a/lib/neutron_plugins/ovn_agent +++ b/lib/neutron_plugins/ovn_agent @@ -99,6 +99,13 @@ OVN_META_DATA_HOST=${OVN_META_DATA_HOST:-$(ipv6_unquote $SERVICE_HOST)} # The OVN agent is configured, by default, with the "metadata" extension. OVN_AGENT_CONF=$NEUTRON_CONF_DIR/plugins/ml2/ovn_agent.ini OVN_AGENT_EXTENSIONS=${OVN_AGENT_EXTENSIONS:-metadata} +# The variable TARGET_ENABLE_OVN_AGENT, if True, overrides the OVN Metadata +# agent service (q-ovn-metadata-agent neutron-ovn-metadata-agent) and the OVN +# agent service (q-ovn-agent neutron-ovn-agent) configuration, always disabling +# the first one (OVN Metadata agent) and enabling the second (OVN agent). +# This variable will be removed in 2026.2, along with the OVN Metadata agent +# removal. +TARGET_ENABLE_OVN_AGENT=$(trueorfalse False TARGET_ENABLE_OVN_AGENT) # If True (default) the node will be considered a gateway node. ENABLE_CHASSIS_AS_GW=$(trueorfalse True ENABLE_CHASSIS_AS_GW) @@ -301,6 +308,21 @@ function create_public_bridge { _configure_public_network_connectivity } +function is_ovn_metadata_agent_enabled { + if is_service_enabled q-ovn-metadata-agent neutron-ovn-metadata-agent && [[ "$TARGET_ENABLE_OVN_AGENT" == "False" ]]; then + return 0 + fi + return 1 +} + +function is_ovn_agent_enabled { + if is_service_enabled q-ovn-agent neutron-ovn-agent || [[ "$TARGET_ENABLE_OVN_AGENT" == "True" ]]; then + enable_service q-ovn-agent + return 0 + fi + return 1 + +} # OVN compilation functions # ------------------------- @@ -498,9 +520,9 @@ function configure_ovn_plugin { inicomment /$Q_PLUGIN_CONF_FILE network_log local_output_log_base="$Q_LOG_DRIVER_LOG_BASE" fi - if is_service_enabled q-ovn-metadata-agent neutron-ovn-metadata-agent; then + if is_ovn_metadata_agent_enabled; then populate_ml2_config /$Q_PLUGIN_CONF_FILE ovn ovn_metadata_enabled=True - elif is_service_enabled q-ovn-agent neutron-ovn-agent && [[ "$OVN_AGENT_EXTENSIONS" =~ 'metadata' ]]; then + elif is_ovn_agent_enabled && [[ "$OVN_AGENT_EXTENSIONS" =~ 'metadata' ]]; then populate_ml2_config /$Q_PLUGIN_CONF_FILE ovn ovn_metadata_enabled=True else populate_ml2_config /$Q_PLUGIN_CONF_FILE ovn ovn_metadata_enabled=False @@ -521,9 +543,9 @@ function configure_ovn_plugin { fi if is_service_enabled n-api-meta ; then - if is_service_enabled q-ovn-metadata-agent neutron-ovn-metadata-agent; then + if is_ovn_metadata_agent_enabled; then iniset $NOVA_CONF neutron service_metadata_proxy True - elif is_service_enabled q-ovn-agent neutron-ovn-agent && [[ "$OVN_AGENT_EXTENSIONS" =~ 'metadata' ]]; then + elif is_ovn_agent_enabled && [[ "$OVN_AGENT_EXTENSIONS" =~ 'metadata' ]]; then iniset $NOVA_CONF neutron service_metadata_proxy True fi fi @@ -558,10 +580,10 @@ function configure_ovn { # Metadata local sample_file="" local config_file="" - if is_service_enabled q-ovn-agent neutron-ovn-agent && [[ "$OVN_AGENT_EXTENSIONS" =~ 'metadata' ]] && is_service_enabled ovn-controller; then + if is_ovn_agent_enabled && [[ "$OVN_AGENT_EXTENSIONS" =~ 'metadata' ]] && is_service_enabled ovn-controller; then sample_file=$NEUTRON_DIR/etc/neutron/plugins/ml2/ovn_agent.ini.sample config_file=$OVN_AGENT_CONF - elif is_service_enabled q-ovn-metadata-agent neutron-ovn-metadata-agent && is_service_enabled ovn-controller; then + elif is_ovn_metadata_agent_enabled && is_service_enabled ovn-controller; then sample_file=$NEUTRON_DIR/etc/neutron_ovn_metadata_agent.ini.sample config_file=$OVN_META_CONF fi @@ -758,13 +780,13 @@ function start_ovn { fi fi - if is_service_enabled q-ovn-metadata-agent neutron-ovn-metadata-agent; then + if is_ovn_metadata_agent_enabled; then run_process q-ovn-metadata-agent "$NEUTRON_OVN_BIN_DIR/$NEUTRON_OVN_METADATA_BINARY --config-file $OVN_META_CONF" # Format logging setup_logging $OVN_META_CONF fi - if is_service_enabled q-ovn-agent neutron-ovn-agent; then + if is_ovn_agent_enabled; then run_process q-ovn-agent "$NEUTRON_OVN_BIN_DIR/$NEUTRON_OVN_AGENT_BINARY --config-file $OVN_AGENT_CONF" # Format logging setup_logging $OVN_AGENT_CONF @@ -786,13 +808,17 @@ function _stop_process { } function stop_ovn { + # NOTE(ralonsoh): this check doesn't use "is_ovn_metadata_agent_enabled", + # instead it relies only in the configured services, disregarding the + # flag "TARGET_ENABLE_OVN_AGENT". It is needed to force the OVN Metadata + # agent stop in case the flag "TARGET_ENABLE_OVN_AGENT" is set. if is_service_enabled q-ovn-metadata-agent neutron-ovn-metadata-agent; then # pkill takes care not to kill itself, but it may kill its parent # sudo unless we use the "ps | grep [f]oo" trick sudo pkill -9 -f "[h]aproxy" || : _stop_process "devstack@q-ovn-metadata-agent.service" fi - if is_service_enabled q-ovn-agent neutron-ovn-agent; then + if is_ovn_agent_enabled; then # pkill takes care not to kill itself, but it may kill its parent # sudo unless we use the "ps | grep [f]oo" trick sudo pkill -9 -f "[h]aproxy" || : From e8a11f5070fef8b9d757155b51da16481bac9aed Mon Sep 17 00:00:00 2001 From: "Dr. Jens Harbott" Date: Fri, 21 Nov 2025 21:01:50 +0100 Subject: [PATCH 56/74] Drop lib/oslo from unstack.sh This was missed in [0]. [0] I6a66359c19d0385beafb4c5e57b6ec3cd6d9cc54 Signed-off-by: Dr. Jens Harbott Change-Id: Idaee45beb63b2badc72c4a70442c5b9aa7fb19fe --- unstack.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/unstack.sh b/unstack.sh index 29c80718f8..8e8996c63b 100755 --- a/unstack.sh +++ b/unstack.sh @@ -61,7 +61,6 @@ source $TOP_DIR/lib/tls # Source project function libraries source $TOP_DIR/lib/infra -source $TOP_DIR/lib/oslo source $TOP_DIR/lib/lvm source $TOP_DIR/lib/horizon source $TOP_DIR/lib/keystone From 5d602fef2a7f3ac153c907304a8f43b38c0c1a50 Mon Sep 17 00:00:00 2001 From: Ghanshyam Date: Fri, 21 Nov 2025 20:40:07 +0000 Subject: [PATCH 57/74] Revert "Cap stable/2025.2 network, swift, volume api_extensions for tempest" This reverts commit 093bc57518a72b63a59389df63491d476069fc5c. Reason for revert: This is done by mistake on master. It needs to be done on stable/2025.2 https://review.opendev.org/c/openstack/devstack/+/968073 Change-Id: I8bd7b732c181f3abb015a57b4445332614f8c6c9 Signed-off-by: Ghanshyam --- lib/tempest | 61 +++-------------------------------------------------- 1 file changed, 3 insertions(+), 58 deletions(-) diff --git a/lib/tempest b/lib/tempest index 892e7fd72a..1ebe9c5f1f 100644 --- a/lib/tempest +++ b/lib/tempest @@ -805,48 +805,7 @@ function configure_tempest { DISABLE_NETWORK_API_EXTENSIONS+=", l3_agent_scheduler" fi - DEFAULT_NET_EXT="address-scope,agent,allowed-address-pairs,auto-allocated-topology" - DEFAULT_NET_EXT+=",availability_zone,binding,default-subnetpools,dhcp_agent_scheduler" - DEFAULT_NET_EXT+=",dvr,ext-gw-mode,external-net,extra_dhcp_opt,extraroute,flavors" - DEFAULT_NET_EXT+=",l3-flavors,l3-ha,l3_agent_scheduler,multi-provider,net-mtu" - DEFAULT_NET_EXT+=",network-ip-availability,network_availability_zone,pagination" - DEFAULT_NET_EXT+=",port-security,project-id,provider,quotas,quota_details,rbac-policies" - DEFAULT_NET_EXT+=",revision-if-match,router,router_availability_zone,security-group,service-type,sorting" - DEFAULT_NET_EXT+=",standard-attr-description,standard-attr-revisions,standard-attr-tag,standard-attr-timestamp" - DEFAULT_NET_EXT+=",subnet-service-types,subnet_allocation,net-mtu-writable,ip-substring-filtering" - DEFAULT_NET_EXT+=",availability_zone_filter,filter-validation,empty-string-filtering,port-mac-address-regenerate" - DEFAULT_NET_EXT+=",port-security-groups-filtering,fip-port-details,binding-extended" - DEFAULT_NET_EXT+=",subnet_onboard,l3-port-ip-change-not-allowed,agent-resources-synced" - DEFAULT_NET_EXT+=",floatingip-pools,rbac-security-groups,subnetpool-prefix-ops,router-admin-state-down-before-update" - DEFAULT_NET_EXT+=",rbac-subnetpool,tag-ports-during-bulk-creation,stateful-security-group,address-group,extraroute-atomic" - DEFAULT_NET_EXT+=",port-numa-affinity-policy,rbac-address-scope,security-groups-remote-address-group,trunk,trunk-details" - DEFAULT_NET_EXT+=",rbac-address-group,port-device-profile" - DEFAULT_NET_EXT+=",multiple-external-gateways,qos-pps-minimum,l3-ext-ndp-proxy,rbac-bgpvpn" - DEFAULT_NET_EXT+=",qos-pps,ecmp_routes,bgp,floating-ip-port-forwarding-port-ranges" - # New in Yoga - DEFAULT_NET_EXT+=",security-groups-shared-filtering,security-groups-normalized-cidr,quota-check-limit" - DEFAULT_NET_EXT+=",port-resource-request-groups" - # New in Zed - DEFAULT_NET_EXT+=",port-mac-override,floating-ip-port-forwarding-detail,network-cascade-delete" - # New in 2023.1 - DEFAULT_NET_EXT+=",port-hints,floating-ip-distributed" - # New in 2023.2 - DEFAULT_NET_EXT+=",port-hint-ovs-tx-steering,enable-default-route-bfd" - DEFAULT_NET_EXT+=",enable-default-route-ecmp,standard-attr-fwaas-v2" - DEFAULT_NET_EXT+=",allowed-address-pairs-atomic,network_ha" - DEFAULT_NET_EXT+=",security-groups-rules-belongs-to-default-sg" - DEFAULT_NET_EXT+=",port-hardware-offload-type" - # New in 2024.1 - DEFAULT_NET_EXT+=",vpn-aes-ccm-gcm,tap-mirror,subnet-external-network" - DEFAULT_NET_EXT+=",port-numa-affinity-policy-socket" - # New in 2024.2 - DEFAULT_NET_EXT+=",tag-creation,quota-check-limit-default,port-trusted-vif" - DEFAULT_NET_EXT+=",uplink-status-propagation-updatable" - # New in 2025.1 - DEFAULT_NET_EXT+=",qing,vpn-aes-ctr" - # New in 2025.2: None - local network_api_extensions=${NETWORK_API_EXTENSIONS:-$DEFAULT_NET_EXT} - + local network_api_extensions=${NETWORK_API_EXTENSIONS:-"all"} if [[ ! -z "$DISABLE_NETWORK_API_EXTENSIONS" ]]; then # Enabled extensions are either the ones explicitly specified or those available on the API endpoint network_api_extensions=${NETWORK_API_EXTENSIONS:-$(iniget $tmp_cfg_file network-feature-enabled api_extensions | tr -d " ")} @@ -858,10 +817,7 @@ function configure_tempest { fi iniset $TEMPEST_CONFIG network-feature-enabled api_extensions $network_api_extensions # Swift API Extensions - DEFAULT_SWIFT_OPT="account_quotas,bulk_delete,bulk_upload,container_quotas" - DEFAULT_SWIFT_OPT+=",container_sync,crossdomain,formpost,ratelimit,slo" - DEFAULT_SWIFT_OPT+=",staticweb,tempauth,tempurl,versioned_writes" - local object_storage_api_extensions=${OBJECT_STORAGE_API_EXTENSIONS:-$DEFAULT_SWIFT_OPT} + local object_storage_api_extensions=${OBJECT_STORAGE_API_EXTENSIONS:-"all"} if [[ ! -z "$DISABLE_OBJECT_STORAGE_API_EXTENSIONS" ]]; then # Enabled extensions are either the ones explicitly specified or those available on the API endpoint object_storage_api_extensions=${OBJECT_STORAGE_API_EXTENSIONS:-$(iniget $tmp_cfg_file object-storage-feature-enabled discoverable_apis | tr -d " ")} @@ -870,18 +826,7 @@ function configure_tempest { fi iniset $TEMPEST_CONFIG object-storage-feature-enabled discoverable_apis $object_storage_api_extensions # Cinder API Extensions - DEFAULT_VOL_EXT="OS-SCH-HNT,backups,capabilities,cgsnapshots,consistencygroups" - DEFAULT_VOL_EXT+=",encryption,os-admin-actions,os-availability-zone" - DEFAULT_VOL_EXT+=",os-extended-services,os-extended-snapshot-attributes" - DEFAULT_VOL_EXT+=",os-hosts,os-quota-class-sets,os-quota-sets" - DEFAULT_VOL_EXT+=",os-services,os-snapshot-actions,os-snapshot-manage" - DEFAULT_VOL_EXT+=",os-snapshot-unmanage,os-types-extra-specs,os-types-manage" - DEFAULT_VOL_EXT+=",os-used-limits,os-vol-host-attr,os-vol-image-meta" - DEFAULT_VOL_EXT+=",os-vol-mig-status-attr,os-vol-tenant-attr,os-volume-actions" - DEFAULT_VOL_EXT+=",os-volume-encryption-metadata,os-volume-manage" - DEFAULT_VOL_EXT+=",os-volume-transfer,os-volume-type-access" - DEFAULT_VOL_EXT+=",os-volume-unmanage,qos-specs,scheduler-stats" - local volume_api_extensions=${VOLUME_API_EXTENSIONS:-$DEFAULT_VOL_EXT} + local volume_api_extensions=${VOLUME_API_EXTENSIONS:-"all"} if [[ ! -z "$DISABLE_VOLUME_API_EXTENSIONS" ]]; then # Enabled extensions are either the ones explicitly specified or those available on the API endpoint volume_api_extensions=${VOLUME_API_EXTENSIONS:-$(iniget $tmp_cfg_file volume-feature-enabled api_extensions | tr -d " ")} From c2a5090c2f6ab70cf8d3026e9af26af84cca3a3a Mon Sep 17 00:00:00 2001 From: Sean Mooney Date: Mon, 24 Nov 2025 18:25:57 +0000 Subject: [PATCH 58/74] allow get_extra_files to retry on common errors This change add 4 new varibles to devstack to allow controlling the behvaior fo downloadign files via get_extra_files EXTRA_FILES_RETRY=${EXTRA_FILES_RETRY:-3} EXTRA_FILES_RETRY_ERRORS=${EXTRA_FILES_RETRY_ERRORS:-"500,503"} EXTRA_FILES_DOWNLOAD_TIMEOUT=${EXTRA_FILES_DOWNLOAD_TIMEOUT:-2} EXTRA_FILES_RETRY_TIMEOUT=${EXTRA_FILES_RETRY_TIMEOUT:-10} get_extra_files checks if a file is precached and downlaods it if not present The new fucntionaltiy modifes the wget invocation to retry up to 3 times if there are dns name issues, connection refused or the server return a 500 or 503 This change will not retry on 403 or 429 error codes which are often used to indicate rate limits. The download timeout remains at 2 seconds but can now be set if required. A 10 second over all retry wait timeout is added matching wgets default. finally the use of sed to strip the file:// prefix if present is replace with usign bash parmater expansion echo "${file_url#file://}" Assisted-By: gemini pro 3 Change-Id: Iedbb8974dce34a3d1c89f2a2561df76e696afae6 Signed-off-by: Sean Mooney --- functions | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/functions b/functions index 829fc86c55..63c6318c2e 100644 --- a/functions +++ b/functions @@ -47,6 +47,10 @@ function short_source { # export it so child shells have access to the 'short_source' function also. export -f short_source +EXTRA_FILES_RETRY=${EXTRA_FILES_RETRY:-3} +EXTRA_FILES_RETRY_ERRORS=${EXTRA_FILES_RETRY_ERRORS:-"500,503"} +EXTRA_FILES_DOWNLOAD_TIMEOUT=${EXTRA_FILES_DOWNLOAD_TIMEOUT:-2} +EXTRA_FILES_RETRY_TIMEOUT=${EXTRA_FILES_RETRY_TIMEOUT:-10} # Download a file from a URL # # Will check cache (in $FILES) or download given URL. @@ -55,17 +59,20 @@ export -f short_source # # Will echo the local path to the file as the output. Will die on # failure to download. -# + # Files can be pre-cached for CI environments, see EXTRA_CACHE_URLS # and tools/image_list.sh function get_extra_file { local file_url=$1 - - file_name=$(basename "$file_url") + local retry_args="--retry-on-host-error --retry-on-http-error=${EXTRA_FILES_RETRY_ERRORS} " + retry_args+="-t ${EXTRA_FILES_DOWNLOAD_TIMEOUT} --waitretry=${EXTRA_FILES_RETRY_TIMEOUT} " + retry_args+="--tries=${EXTRA_FILES_RETRY} --retry-connrefused" + # Using Bash parameter expansion (##*/) instead of external 'basename' + local file_name="${file_url##*/}" if [[ $file_url != file* ]]; then # If the file isn't cache, download it if [[ ! -f $FILES/$file_name ]]; then - wget --progress=dot:giga -t 2 -c $file_url -O $FILES/$file_name + wget --progress=dot:giga ${retry_args} -c $file_url -O $FILES/$file_name if [[ $? -ne 0 ]]; then die "$file_url could not be downloaded" fi @@ -74,7 +81,7 @@ function get_extra_file { return else # just strip the file:// bit and that's the path to the file - echo $file_url | sed 's/$file:\/\///g' + echo "${file_url#file://}" fi } From fc31d8a37e59d6811b208b5dba6c312365abd2d8 Mon Sep 17 00:00:00 2001 From: Michal Nasiadka Date: Tue, 9 Dec 2025 17:49:41 +0100 Subject: [PATCH 59/74] almalinux: Switch to build OVS from source Since almalinux-10 label in OpenDev runs on both x86-64-v2 and v3, and CentOS NFV SIG OVS packages are only build for v3, these jobs have been only successful when spawned on v3 hardware. In order to make the job passable on v2 hardware - we should be building OVS from source. Rename the jobs to reflect the change Change-Id: I67b19c18b45af23cda7899f7c2edab21b8ed1ede Signed-off-by: Michal Nasiadka --- .zuul.yaml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/.zuul.yaml b/.zuul.yaml index 0aa2530d77..2227f185dd 100644 --- a/.zuul.yaml +++ b/.zuul.yaml @@ -818,7 +818,7 @@ # and these platforms don't have the round-the-clock support to avoid # becoming blockers in that situation. - job: - name: devstack-platform-almalinux-purple-lion + name: devstack-platform-almalinux-purple-lion-ovn-source parent: tempest-full-py3 description: AlmaLinux 10 platform test nodeset: devstack-single-node-almalinux-10 @@ -826,6 +826,11 @@ voting: false vars: configure_swap_size: 4096 + devstack_localrc: + OVN_BUILD_FROM_SOURCE: True + OVN_BRANCH: "branch-24.03" + OVS_BRANCH: "branch-3.3" + OVS_SYSCONFDIR: "/usr/local/etc/openvswitch" - job: name: devstack-platform-centos-10-stream @@ -1036,7 +1041,7 @@ - devstack - devstack-ipv6 - devstack-enforce-scope - - devstack-platform-almalinux-purple-lion + - devstack-platform-almalinux-purple-lion-ovn-source - devstack-platform-centos-10-stream - devstack-platform-centos-9-stream - devstack-platform-debian-bookworm @@ -1124,7 +1129,7 @@ - devstack-no-tls-proxy periodic-weekly: jobs: - - devstack-platform-almalinux-purple-lion + - devstack-platform-almalinux-purple-lion-ovn-source - devstack-platform-centos-10-stream - devstack-platform-centos-9-stream - devstack-platform-debian-bookworm From c11b16b44de613a15833e610ebf77d539e488856 Mon Sep 17 00:00:00 2001 From: Takashi Kajinami Date: Wed, 13 Aug 2025 01:02:34 +0900 Subject: [PATCH 60/74] Fix ownership of keyring file The file should be owned by the user(STACK_USER) to run the process. Note that STACK_USER may not match the current user in case stack.sh is run by root. Also we should not assume that the group name always matches the user name. Change-Id: Iec300311cab1b1a2fa124879aa3dc6a57a6a706b Signed-off-by: Takashi Kajinami --- lib/cinder_backups/ceph | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/cinder_backups/ceph b/lib/cinder_backups/ceph index e60efbb632..e4d6b96407 100644 --- a/lib/cinder_backups/ceph +++ b/lib/cinder_backups/ceph @@ -34,7 +34,7 @@ function configure_cinder_backup_ceph { sudo ceph -c ${CEPH_CONF_FILE} osd pool set ${CINDER_BAK_CEPH_POOL} crush_ruleset ${RULE_ID} fi sudo ceph -c ${CEPH_CONF_FILE} auth get-or-create client.${CINDER_BAK_CEPH_USER} mon "profile rbd" osd "profile rbd pool=${CINDER_BAK_CEPH_POOL}, profile rbd pool=${CINDER_CEPH_POOL}" | sudo tee ${CEPH_CONF_DIR}/ceph.client.${CINDER_BAK_CEPH_USER}.keyring - sudo chown $(whoami):$(whoami) ${CEPH_CONF_DIR}/ceph.client.${CINDER_BAK_CEPH_USER}.keyring + sudo chown $STACK_USER ${CEPH_CONF_DIR}/ceph.client.${CINDER_BAK_CEPH_USER}.keyring fi iniset $CINDER_CONF DEFAULT backup_driver "cinder.backup.drivers.ceph.CephBackupDriver" From 0b200dd617e4bec34d797e5ecb82382d8ffe21ea Mon Sep 17 00:00:00 2001 From: Rodolfo Alonso Hernandez Date: Fri, 2 Jan 2026 09:39:25 +0100 Subject: [PATCH 61/74] lib/neutron: read api-paste and rootwrap from $NEUTRON_DIR/etc/neutron Related patches: * https://review.opendev.org/c/openstack/devstack/+/961224 * https://review.opendev.org/c/openstack/neutron/+/961130 Signed-off-by: Rodolfo Alonso Hernandez Change-Id: I7cf4483d533f9536d2450088a97e95dfb4f22e3a --- lib/neutron | 16 ++-------------- 1 file changed, 2 insertions(+), 14 deletions(-) diff --git a/lib/neutron b/lib/neutron index dec15fb782..532945f6d5 100644 --- a/lib/neutron +++ b/lib/neutron @@ -996,13 +996,7 @@ function _configure_neutron_plugin_agent { # It is called when q-svc is enabled. function _configure_neutron_service { Q_API_PASTE_FILE=$NEUTRON_CONF_DIR/api-paste.ini - if test -r $NEUTRON_DIR/etc/neutron/api-paste.ini; then - cp $NEUTRON_DIR/etc/neutron/api-paste.ini $Q_API_PASTE_FILE - else - # TODO(stephenfin): Remove this branch once [1] merges - # [1] https://review.opendev.org/c/openstack/neutron/+/961130 - cp $NEUTRON_DIR/etc/api-paste.ini $Q_API_PASTE_FILE - fi + cp $NEUTRON_DIR/etc/neutron/api-paste.ini $Q_API_PASTE_FILE # Update either configuration file with plugin iniset $NEUTRON_CONF DEFAULT core_plugin $Q_PLUGIN_CLASS @@ -1079,13 +1073,7 @@ function _neutron_setup_rootwrap { # Set up ``rootwrap.conf``, pointing to ``$NEUTRON_CONF_DIR/rootwrap.d`` # location moved in newer versions, prefer new location - if test -r $NEUTRON_DIR/etc/neutron/rootwrap.conf; then - sudo install -o root -g root -m 644 $NEUTRON_DIR/etc/neutron/rootwrap.conf $Q_RR_CONF_FILE - else - # TODO(stephenfin): Remove this branch once [1] merges - # [1] https://review.opendev.org/c/openstack/neutron/+/961130 - sudo install -o root -g root -m 644 $NEUTRON_DIR/etc/rootwrap.conf $Q_RR_CONF_FILE - fi + sudo install -o root -g root -m 644 $NEUTRON_DIR/etc/neutron/rootwrap.conf $Q_RR_CONF_FILE sudo sed -e "s:^filters_path=.*$:filters_path=$Q_CONF_ROOTWRAP_D:" -i $Q_RR_CONF_FILE # Rely on $PATH set by devstack to determine what is safe to execute # by rootwrap rather than use explicit whitelist of paths in From 92a70ba9dda1669f7af00cacd6cc7f41b764f5da Mon Sep 17 00:00:00 2001 From: Gregory Thiemonge Date: Tue, 6 Jan 2026 08:52:41 +0100 Subject: [PATCH 62/74] Fix centos/rhel 9/10 dependencies An error was introduced in [0], it added an incorrect dependency on genisoimage for nova, and kept a valid dependency on xorriso in n-cpu. It breaks centos 10 deployments, the expected behavior is to use xorriso on modern rhel/centos. [0] https://review.opendev.org/c/openstack/devstack/+/963799 Change-Id: I0057f934c453ded198f8b5e58f4924260a3d2508 Signed-off-by: Gregory Thiemonge --- files/rpms/nova | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/files/rpms/nova b/files/rpms/nova index c323224279..d0f843bb60 100644 --- a/files/rpms/nova +++ b/files/rpms/nova @@ -1,7 +1,6 @@ conntrack-tools curl ebtables -genisoimage iptables iputils kernel-modules # not:openEuler-22.03 @@ -11,3 +10,4 @@ polkit rabbitmq-server # NOPRIME sqlite sudo +xorriso From 03db96dc9e8c17e284e201d2350627a2ebfd4a1a Mon Sep 17 00:00:00 2001 From: Brian Haley Date: Wed, 7 Jan 2026 17:43:59 -0500 Subject: [PATCH 63/74] Start using project_network_types for neutron ML2 Change neutron to configure project_network_types instead of tenant_network_types, which is being deprecated. Changed some other text as appropriate. Blueprint: https://blueprints.launchpad.net/neutron/+spec/keystone-v3` Depends-on: https://review.opendev.org/c/openstack/neutron/+/972591 Change-Id: I264dc7bbc3d3550120092297a775d04e43514d4a Signed-off-by: Brian Haley --- lib/neutron | 20 ++++++++++---------- lib/neutron_plugins/ml2 | 8 ++++---- lib/neutron_plugins/openvswitch | 6 +++--- lib/neutron_plugins/services/l3 | 6 +++--- tools/ping_neutron.sh | 4 ++-- 5 files changed, 22 insertions(+), 22 deletions(-) diff --git a/lib/neutron b/lib/neutron index dec15fb782..52002ac79f 100644 --- a/lib/neutron +++ b/lib/neutron @@ -201,35 +201,35 @@ fi # -------------------------------- # The following variables control the Neutron ML2 plugins' allocation -# of tenant networks and availability of provider networks. If these -# are not configured in ``localrc``, tenant networks will be local to +# of project networks and availability of provider networks. If these +# are not configured in ``localrc``, project networks will be local to # the host (with no remote connectivity), and no physical resources # will be available for the allocation of provider networks. -# To disable tunnels (GRE or VXLAN) for tenant networks, +# To disable tunnels (GRE or VXLAN) for project networks, # set to False in ``local.conf``. # GRE tunnels are only supported by the openvswitch. ENABLE_TENANT_TUNNELS=${ENABLE_TENANT_TUNNELS:-True} -# If using GRE, VXLAN or GENEVE tunnels for tenant networks, -# specify the range of IDs from which tenant networks are +# If using GRE, VXLAN or GENEVE tunnels for project networks, +# specify the range of IDs from which project networks are # allocated. Can be overridden in ``localrc`` if necessary. TENANT_TUNNEL_RANGES=${TENANT_TUNNEL_RANGES:-1:1000} -# To use VLANs for tenant networks, set to True in localrc. VLANs +# To use VLANs for project networks, set to True in localrc. VLANs # are supported by the ML2 plugins, requiring additional configuration # described below. ENABLE_TENANT_VLANS=${ENABLE_TENANT_VLANS:-False} -# If using VLANs for tenant networks, set in ``localrc`` to specify -# the range of VLAN VIDs from which tenant networks are +# If using VLANs for project networks, set in ``localrc`` to specify +# the range of VLAN VIDs from which project networks are # allocated. An external network switch must be configured to # trunk these VLANs between hosts for multi-host connectivity. # # Example: ``TENANT_VLAN_RANGE=1000:1999`` TENANT_VLAN_RANGE=${TENANT_VLAN_RANGE:-} -# If using VLANs for tenant networks, or if using flat or VLAN +# If using VLANs for project networks, or if using flat or VLAN # provider networks, set in ``localrc`` to the name of the physical # network, and also configure ``OVS_PHYSICAL_BRIDGE`` for the # openvswitch agent, as described below. @@ -237,7 +237,7 @@ TENANT_VLAN_RANGE=${TENANT_VLAN_RANGE:-} # Example: ``PHYSICAL_NETWORK=default`` PHYSICAL_NETWORK=${PHYSICAL_NETWORK:-public} -# With the openvswitch agent, if using VLANs for tenant networks, +# With the openvswitch agent, if using VLANs for project networks, # or if using flat or VLAN provider networks, set in ``localrc`` to # the name of the OVS bridge to use for the physical network. The # bridge will be created if it does not already exist, but a diff --git a/lib/neutron_plugins/ml2 b/lib/neutron_plugins/ml2 index 687167bf79..71bede842e 100644 --- a/lib/neutron_plugins/ml2 +++ b/lib/neutron_plugins/ml2 @@ -72,16 +72,16 @@ function neutron_plugin_configure_common { function neutron_plugin_configure_service { if [[ "$Q_ML2_TENANT_NETWORK_TYPE" != "local" ]]; then - Q_SRV_EXTRA_OPTS+=(tenant_network_types=$Q_ML2_TENANT_NETWORK_TYPE) + Q_SRV_EXTRA_OPTS+=(project_network_types=$Q_ML2_TENANT_NETWORK_TYPE) elif [[ "$ENABLE_TENANT_TUNNELS" == "True" ]]; then # This assumes you want a simple configuration, and will overwrite # Q_SRV_EXTRA_OPTS if set in addition to ENABLE_TENANT_TUNNELS. - Q_SRV_EXTRA_OPTS+=(tenant_network_types=gre) + Q_SRV_EXTRA_OPTS+=(project_network_types=gre) Q_ML2_PLUGIN_GRE_TYPE_OPTIONS=(tunnel_id_ranges=$TENANT_TUNNEL_RANGES) elif [[ "$ENABLE_TENANT_VLANS" == "True" ]]; then - Q_SRV_EXTRA_OPTS+=(tenant_network_types=vlan) + Q_SRV_EXTRA_OPTS+=(project_network_types=vlan) else - echo "WARNING - The ml2 plugin is using local tenant networks, with no connectivity between hosts." + echo "WARNING - The ml2 plugin is using local project networks, with no connectivity between hosts." fi # Allow for overrding VLAN configuration (for example, to configure provider diff --git a/lib/neutron_plugins/openvswitch b/lib/neutron_plugins/openvswitch index 130eaacab3..c661a1a600 100644 --- a/lib/neutron_plugins/openvswitch +++ b/lib/neutron_plugins/openvswitch @@ -20,12 +20,12 @@ function neutron_plugin_configure_common { function neutron_plugin_configure_service { if [[ "$ENABLE_TENANT_TUNNELS" == "True" ]]; then - iniset /$Q_PLUGIN_CONF_FILE ovs tenant_network_type gre + iniset /$Q_PLUGIN_CONF_FILE ovs project_network_type gre iniset /$Q_PLUGIN_CONF_FILE ovs tunnel_id_ranges $TENANT_TUNNEL_RANGES elif [[ "$ENABLE_TENANT_VLANS" == "True" ]]; then - iniset /$Q_PLUGIN_CONF_FILE ovs tenant_network_type vlan + iniset /$Q_PLUGIN_CONF_FILE ovs project_network_type vlan else - echo "WARNING - The openvswitch plugin is using local tenant networks, with no connectivity between hosts." + echo "WARNING - The openvswitch plugin is using local project networks, with no connectivity between hosts." fi # Override ``OVS_VLAN_RANGES`` and ``OVS_BRIDGE_MAPPINGS`` in ``localrc`` diff --git a/lib/neutron_plugins/services/l3 b/lib/neutron_plugins/services/l3 index bbedc57a44..238dd34b56 100644 --- a/lib/neutron_plugins/services/l3 +++ b/lib/neutron_plugins/services/l3 @@ -35,7 +35,7 @@ Q_PUBLIC_VETH_INT=${Q_PUBLIC_VETH_INT:-veth-pub-int} # The next variable is configured by plugin # e.g. _configure_neutron_l3_agent or lib/neutron_plugins/* # -# L3 routers exist per tenant +# L3 routers exist per project Q_L3_ROUTER_PER_TENANT=${Q_L3_ROUTER_PER_TENANT:-True} @@ -216,7 +216,7 @@ function create_neutron_initial_network { if is_networking_extension_supported "router" && is_networking_extension_supported "external-net"; then # Create a router, and add the private subnet as one of its interfaces if [[ "$Q_L3_ROUTER_PER_TENANT" == "True" ]]; then - # create a tenant-owned router. + # create a project-owned router. ROUTER_ID=$(openstack --os-cloud devstack --os-region "$REGION_NAME" router create $Q_ROUTER_NAME -f value -c id) die_if_not_set $LINENO ROUTER_ID "Failure creating router $Q_ROUTER_NAME" else @@ -387,7 +387,7 @@ function _neutron_configure_router_v6 { # Override global IPV6_ROUTER_GW_IP with the true value from neutron # NOTE(slaweq): when enforce scopes is enabled in Neutron, router's # gateway ports aren't visible in API because such ports don't belongs - # to any tenant. Because of that, at least temporary we need to find + # to any project. Because of that, at least temporary we need to find # IPv6 address of the router's gateway in a bit different way. # It can be reverted when bug # https://bugs.launchpad.net/neutron/+bug/1959332 will be fixed diff --git a/tools/ping_neutron.sh b/tools/ping_neutron.sh index ab8e8dfca8..2b65fd0fb3 100755 --- a/tools/ping_neutron.sh +++ b/tools/ping_neutron.sh @@ -21,7 +21,7 @@ set -o pipefail TOP_DIR=$(cd $(dirname "$0")/.. && pwd) -# This *must* be run as the admin tenant +# This *must* be run as the admin project source $TOP_DIR/openrc admin admin function usage { @@ -29,7 +29,7 @@ function usage { ping_neutron.sh [ping args] This provides a wrapper to ping neutron guests that are on isolated -tenant networks that the caller can't normally reach. It does so by +project networks that the caller can't normally reach. It does so by using either the DHCP or Metadata network namespace to support both ML2/OVS and OVN. From efb34cacc71d4c80a4a62655f271526981a61a48 Mon Sep 17 00:00:00 2001 From: Sean Mooney Date: Fri, 9 Jan 2026 19:02:39 +0000 Subject: [PATCH 64/74] Fix neutron service detection in unstack.sh Neutron services (neutron-api, neutron-rpc-server, and neutron-periodic-workers) were not being stopped during unstack because they were not detected as enabled in ENABLED_SERVICES. The root cause was that these services were dynamically enabled during stack.sh execution via inline enable_service calls in start_neutron_service_and_check(), but this logic was not replicated in unstack.sh. When unstack.sh called stop_process for these services, the is_service_enabled check failed because the services were not in ENABLED_SERVICES. This fix creates a shared enable_neutron_server_services() function that encapsulates the service enabling logic, reading neutron.conf to determine which services should be enabled (including conditional RPC worker enablement based on the rpc_workers configuration). This function is now called from both the stack.sh path (in start_neutron_service_and_check) and the unstack.sh path (after loading plugin settings). This ensures both stack and unstack use identical logic to determine enabled services, allowing stop_process to properly detect and stop all neutron server services. Generated-By: Cursor claude-sonnet-4.5 Change-Id: I6179f3a861401ff12178aaee8b82ba7bf71dd765 Signed-off-by: Sean Mooney --- lib/neutron | 60 ++++++++++++++++++++++++++++++++++------------------- unstack.sh | 6 ++++++ 2 files changed, 45 insertions(+), 21 deletions(-) diff --git a/lib/neutron b/lib/neutron index dec15fb782..dbdac5c7da 100644 --- a/lib/neutron +++ b/lib/neutron @@ -348,12 +348,6 @@ function _determine_config_l3 { echo "$opts" } -function _enable_ovn_maintenance { - if [[ $Q_AGENT == "ovn" ]]; then - enable_service neutron-ovn-maintenance-worker - fi -} - function _run_ovn_maintenance { if [[ $Q_AGENT == "ovn" ]]; then run_process neutron-ovn-maintenance-worker "$NEUTRON_BIN_DIR/neutron-ovn-maintenance-worker $cfg_file_options" @@ -606,6 +600,39 @@ function start_ovn_services { fi } +# Enable neutron server services based on configuration +# This function determines which neutron services should be enabled +# and adds them to ENABLED_SERVICES. It reads the neutron configuration +# to determine if RPC workers should be enabled. +# This must be called after configure_neutron has created the config files. +function enable_neutron_server_services { + local rpc_workers + + # The default value of "rpc_workers" is None (not defined). If + # "rpc_workers" is explicitly set to 0, the RPC workers process + # should not be executed. + if [[ -f $NEUTRON_CONF ]]; then + rpc_workers=$(iniget_multiline $NEUTRON_CONF DEFAULT rpc_workers) + else + # If config doesn't exist yet, assume default behavior (enable rpc workers) + rpc_workers="" + fi + + # Always enable these core services + enable_service neutron-api + enable_service neutron-periodic-workers + + # Conditionally enable RPC server based on configuration + if [[ "$rpc_workers" != "0" ]]; then + enable_service neutron-rpc-server + fi + + # Enable OVN maintenance worker if using OVN + if [[ $Q_AGENT == "ovn" ]]; then + enable_service neutron-ovn-maintenance-worker + fi +} + # Start running processes function start_neutron_service_and_check { local service_port=$Q_PORT @@ -620,24 +647,15 @@ function start_neutron_service_and_check { service_protocol="http" fi - # Start the Neutron service - # The default value of "rpc_workers" is None (not defined). If - # "rpc_workers" is explicitly set to 0, the RPC workers process - # should not be executed. - local rpc_workers - rpc_workers=$(iniget_multiline $NEUTRON_CONF DEFAULT rpc_workers) + # Enable neutron server services based on configuration + enable_neutron_server_services - enable_service neutron-api + # Start the Neutron service processes run_process neutron-api "$(which uwsgi) --procname-prefix neutron-api --ini $NEUTRON_UWSGI_CONF" neutron_url=$Q_PROTOCOL://$Q_HOST/ - if [ "$rpc_workers" != "0" ]; then - enable_service neutron-rpc-server - fi - enable_service neutron-periodic-workers - _enable_ovn_maintenance - if [ "$rpc_workers" != "0" ]; then - run_process neutron-rpc-server "$NEUTRON_BIN_DIR/neutron-rpc-server $cfg_file_options" - fi + + # Start RPC server if enabled (run_process checks is_service_enabled internally) + run_process neutron-rpc-server "$NEUTRON_BIN_DIR/neutron-rpc-server $cfg_file_options" run_process neutron-periodic-workers "$NEUTRON_BIN_DIR/neutron-periodic-workers $cfg_file_options" _run_ovn_maintenance if [ ! -z "$NEUTRON_ENDPOINT_SERVICE_NAME" ]; then diff --git a/unstack.sh b/unstack.sh index 8e8996c63b..48626419da 100755 --- a/unstack.sh +++ b/unstack.sh @@ -87,6 +87,12 @@ fi load_plugin_settings +# Enable neutron server services so they can be properly stopped +# This replicates the service enabling logic from stack.sh +if is_service_enabled neutron; then + enable_neutron_server_services +fi + set -o xtrace # Run extras From 2df8cce816641d1b3ab720f04e1e38382987e526 Mon Sep 17 00:00:00 2001 From: Sean Mooney Date: Fri, 9 Jan 2026 19:22:10 +0000 Subject: [PATCH 65/74] Fix missing service stops in unstack.sh Several services started by stack.sh were not properly stopped in unstack.sh, which could leave processes running and prevent clean restacking: - tcpdump: lib/tcpdump was not sourced, so stop_tcpdump was unavailable. Added source and stop call when tcpdump service is enabled. - s-container-sync: Swift's container-sync daemon was started via run_process but not explicitly stopped. Added stop_process call in stop_swift function. - ldap: The stop_ldap function existed but was never called. Added stop call in UNSTACK_ALL section, consistent with mysql/rabbit handling. These fixes ensure all services started by stack.sh are properly stopped by unstack.sh, allowing clean restacking. Generated-By: Cursor claude-opus-4.5 Change-Id: I8bcc6fe82264bb35a616dae39f4216ba6200b547 Signed-off-by: Sean Mooney --- lib/swift | 2 ++ unstack.sh | 10 ++++++++++ 2 files changed, 12 insertions(+) diff --git a/lib/swift b/lib/swift index 862927437d..d4ff8cc196 100644 --- a/lib/swift +++ b/lib/swift @@ -838,6 +838,8 @@ function stop_swift { for type in proxy object container account; do stop_process s-${type} done + # Stop the container-sync daemon if it was started + stop_process s-container-sync # Blast out any stragglers pkill -f swift- || true } diff --git a/unstack.sh b/unstack.sh index 48626419da..1919ef8ad7 100755 --- a/unstack.sh +++ b/unstack.sh @@ -73,6 +73,7 @@ source $TOP_DIR/lib/neutron source $TOP_DIR/lib/ldap source $TOP_DIR/lib/dstat source $TOP_DIR/lib/atop +source $TOP_DIR/lib/tcpdump source $TOP_DIR/lib/etcd3 # Extras Source @@ -162,6 +163,11 @@ if [[ -n "$UNSTACK_ALL" ]]; then if is_service_enabled rabbit; then stop_service rabbitmq-server fi + + # Stop LDAP server + if is_service_enabled ldap; then + stop_ldap + fi fi if is_service_enabled neutron; then @@ -178,6 +184,10 @@ if is_service_enabled openstack-cli-server; then stop_service devstack@openstack-cli-server fi +if is_service_enabled tcpdump; then + stop_tcpdump +fi + stop_dstat if is_service_enabled atop; then From 5e21304153df15db80287efd34f4cf73a04d4ced Mon Sep 17 00:00:00 2001 From: Sean Mooney Date: Fri, 9 Jan 2026 23:07:10 +0000 Subject: [PATCH 66/74] Refactor MySQL auth to support restacking This change refactors the MySQL/MariaDB configuration to: - Allow both unix_socket and mysql_native_password authentication using the MariaDB 'IDENTIFIED VIA ... OR ...' syntax. This enables restacking without needing to reset authentication in unstack.sh. - Add use_mariadb_socket_auth helper variable to simplify the complex conditional logic (addresses TODO comment). - Fix missing DATABASE_USER@'%' creation for modern Debian/Ubuntu with MariaDB socket auth. - Fix inconsistent distro checks that were missing trixie. - Remove dead Oracle Linux code since it's not in SUPPORTED_DISTROS. Oracle Linux is still handled as RHEL-like via is_fedora(). Generated-By: Cursor claude-opus-4.5 Change-Id: I4becbfe6325bcb29deef8e50e9a9f05678f47802 Signed-off-by: Sean Mooney --- functions-common | 11 ---------- lib/databases/mysql | 52 ++++++++++++++++++++++----------------------- 2 files changed, 25 insertions(+), 38 deletions(-) diff --git a/functions-common b/functions-common index c2042c4fef..39424e3352 100644 --- a/functions-common +++ b/functions-common @@ -517,17 +517,6 @@ function is_arch { [[ "$(uname -m)" == "$1" ]] } -# Determine if current distribution is an Oracle distribution -# is_oraclelinux -function is_oraclelinux { - if [[ -z "$os_VENDOR" ]]; then - GetOSVersion - fi - - [ "$os_VENDOR" = "OracleServer" ] -} - - # Determine if current distribution is a Fedora-based distribution # (Fedora, RHEL, CentOS, Rocky, etc). # is_fedora diff --git a/lib/databases/mysql b/lib/databases/mysql index a47580ca3d..4def1842a7 100644 --- a/lib/databases/mysql +++ b/lib/databases/mysql @@ -18,7 +18,7 @@ register_database mysql if [[ -z "$MYSQL_SERVICE_NAME" ]]; then MYSQL_SERVICE_NAME=mysql - if is_fedora && ! is_oraclelinux; then + if is_fedora; then MYSQL_SERVICE_NAME=mariadb elif [[ "$DISTRO" =~ trixie|bookworm|bullseye ]]; then MYSQL_SERVICE_NAME=mariadb @@ -44,15 +44,9 @@ function cleanup_database_mysql { apt_get purge -y mysql* mariadb* sudo rm -rf /var/lib/mysql sudo rm -rf /etc/mysql - return - elif is_oraclelinux; then - uninstall_package mysql-community-server - sudo rm -rf /var/lib/mysql elif is_fedora; then uninstall_package mariadb-server sudo rm -rf /var/lib/mysql - else - return fi } @@ -68,8 +62,6 @@ function configure_database_mysql { if is_ubuntu; then my_conf=/etc/mysql/my.cnf - elif is_oraclelinux; then - my_conf=/etc/my.cnf elif is_fedora; then my_conf=/etc/my.cnf local cracklib_conf=/etc/my.cnf.d/cracklib_password_check.cnf @@ -101,13 +93,20 @@ function configure_database_mysql { restart_service $MYSQL_SERVICE_NAME fi + # MariaDB 10.4+ on modern Debian/Ubuntu uses unix_socket auth by default + # See https://mariadb.org/authentication-in-mariadb-10-4/ + local use_mariadb_socket_auth=False + if is_ubuntu && [ "$MYSQL_SERVICE_NAME" == "mariadb" ]; then + if [[ ! "$DISTRO" =~ bookworm|bullseye ]]; then + use_mariadb_socket_auth=True + fi + fi + # Set the root password - only works the first time. For Ubuntu, we already # did that with debconf before installing the package, but we still try, # because the package might have been installed already. We don't do this - # for Ubuntu 22.04+ because the authorization model change in - # version 10.4 of mariadb. See - # https://mariadb.org/authentication-in-mariadb-10-4/ - if ! (is_ubuntu && [[ ! "$DISTRO" =~ trixie|bookworm|bullseye ]] && [ "$MYSQL_SERVICE_NAME" == "mariadb" ]); then + # for MariaDB with socket auth because the root password is managed differently. + if [[ "$use_mariadb_socket_auth" != "True" ]]; then sudo mysqladmin -u root password $DATABASE_PASSWORD || true fi @@ -129,19 +128,20 @@ function configure_database_mysql { restart_service $MYSQL_SERVICE_NAME fi - # In mariadb e.g. on Ubuntu socket plugin is used for authentication - # as root so it works only as sudo. To restore old "mysql like" behaviour, - # we need to change auth plugin for root user - # TODO(frickler): simplify this logic - if is_ubuntu && [[ ! "$DISTRO" =~ bookworm|bullseye ]] && [ "$MYSQL_SERVICE_NAME" == "mariadb" ]; then - # For Ubuntu 22.04+ we follow the model outlined in - # https://mariadb.org/authentication-in-mariadb-10-4/ - sudo mysql -e "ALTER USER $DATABASE_USER@localhost IDENTIFIED VIA mysql_native_password USING PASSWORD('$DATABASE_PASSWORD');" + # Configure database user authentication + if [[ "$use_mariadb_socket_auth" == "True" ]]; then + # Allow both unix_socket (for sudo mysql) and password auth + # Using OR allows restacking without needing to reset auth in unstack + sudo mysql -e "ALTER USER $DATABASE_USER@localhost IDENTIFIED VIA unix_socket OR mysql_native_password USING PASSWORD('$DATABASE_PASSWORD');" fi - if ! (is_ubuntu && [[ ! "$DISTRO" =~ bookworm|bullseye ]] && [ "$MYSQL_SERVICE_NAME" == "mariadb" ]); then - # Create DB user if it does not already exist + + # Create remote access user and grant privileges (needed for all distros) + if [[ "$use_mariadb_socket_auth" == "True" ]]; then + # Use sudo mysql since we have socket auth + sudo mysql -e "CREATE USER IF NOT EXISTS '$DATABASE_USER'@'%' identified by '$DATABASE_PASSWORD';" + sudo mysql -e "GRANT ALL PRIVILEGES ON *.* TO '$DATABASE_USER'@'%';" + else sudo mysql $cmd_args -e "CREATE USER IF NOT EXISTS '$DATABASE_USER'@'%' identified by '$DATABASE_PASSWORD';" - # Update the DB to give user '$DATABASE_USER'@'%' full control of the all databases: sudo mysql $cmd_args -e "GRANT ALL PRIVILEGES ON *.* TO '$DATABASE_USER'@'%';" fi @@ -226,9 +226,7 @@ EOF fi # Install mysql-server if [[ "$INSTALL_DATABASE_SERVER_PACKAGES" == "True" ]]; then - if is_oraclelinux; then - install_package mysql-community-server - elif is_fedora; then + if is_fedora; then install_package mariadb-server mariadb-devel mariadb sudo systemctl enable $MYSQL_SERVICE_NAME elif is_ubuntu; then From 20ed3c5f11295a02ff4d74f8cf95fab1414d9ba8 Mon Sep 17 00:00:00 2001 From: Sean Mooney Date: Fri, 9 Jan 2026 19:41:29 +0000 Subject: [PATCH 67/74] Improve OVS/OVN stop robustness for restacking The stop_ovn function stops services but leaves behind runtime files and stale configuration that can cause restacking failures. This change improves robustness by: - Making _stop_process check is-active in addition to is-enabled, so services are stopped even if they are running but not enabled. - Clearing OVS external-ids before stopping to prevent stale config (ovn-remote, ovn-bridge, etc.) from persisting across restacks. - Cleaning up runtime files (*.sock, *.pid, *.ctl) in both OVS_RUNDIR and OVN_RUNDIR after stopping services, as stale sockets can prevent ovsdb-server from binding on restart. - Removing database lock files (.*.db.~lock~) which can block database access if services crash or stop uncleanly. These changes allow stack.sh to run successfully after unstack.sh without requiring a full clean.sh. Generated-By: Cursor claude-opus-4.5 Change-Id: I8736f19a8892200948ee74854f99fd99eed5110b Signed-off-by: Sean Mooney --- lib/neutron_plugins/ovn_agent | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/lib/neutron_plugins/ovn_agent b/lib/neutron_plugins/ovn_agent index 48e92a1782..5404cfdd0d 100644 --- a/lib/neutron_plugins/ovn_agent +++ b/lib/neutron_plugins/ovn_agent @@ -798,8 +798,11 @@ function _stop_ovs_dp { function _stop_process { local service=$1 echo "Stopping process $service" - if $SYSTEMCTL is-enabled $service; then + # Stop if running, regardless of enabled state + if $SYSTEMCTL is-active $service; then $SYSTEMCTL stop $service + fi + if $SYSTEMCTL is-enabled $service; then $SYSTEMCTL disable $service fi } @@ -834,10 +837,22 @@ function stop_ovn { _stop_process "devstack@ovs-vtep.service" fi + # Clear OVS external-ids before stopping to prevent stale config on restack + if sudo ovs-vsctl show &>/dev/null; then + sudo ovs-vsctl --if-exists clear open_vswitch . external-ids + fi + _stop_process "$OVS_VSWITCHD_SERVICE" _stop_process "$OVSDB_SERVER_SERVICE" _stop_ovs_dp + + # Clean up runtime files that can prevent restart + sudo rm -f $OVS_RUNDIR/*.sock $OVS_RUNDIR/*.pid $OVS_RUNDIR/*.ctl + sudo rm -f $OVN_RUNDIR/*.sock $OVN_RUNDIR/*.pid $OVN_RUNDIR/*.ctl + # Clean up database lock files + sudo rm -f $OVS_DATADIR/.*.db.~lock~ + sudo rm -f $OVN_DATADIR/.*.db.~lock~ } function _cleanup { From 64dc60a11b2fba795a1f87a2a3a7e4d06c379074 Mon Sep 17 00:00:00 2001 From: Takashi Kajinami Date: Sat, 24 Jan 2026 21:35:42 +0900 Subject: [PATCH 68/74] Fix duplicated wget package Trivial-Fix Change-Id: I061c5dcdd88cb1514b9f4e449d8317e2e1f48b81 Signed-off-by: Takashi Kajinami --- files/debs/general | 1 - 1 file changed, 1 deletion(-) diff --git a/files/debs/general b/files/debs/general index 1e63e4f582..0cddcf05f4 100644 --- a/files/debs/general +++ b/files/debs/general @@ -33,5 +33,4 @@ tcpdump unzip uuid-runtime wget -wget zlib1g-dev From 01f574d501dbdcb6a00006c3fd43e62872af7882 Mon Sep 17 00:00:00 2001 From: Christian Schwede Date: Fri, 30 Jan 2026 09:09:55 +0100 Subject: [PATCH 69/74] Fix S3 API authentication failures This change is required as a follow up to [1] and [2]. Recent versions of Keystone require auth tokens when accessing the /v3/s3tokens Keystone endpoint. [1] https://review.opendev.org/c/openstack/keystone/+/966069 [2] https://review.opendev.org/c/openstack/swift/+/966062 Closes-Bug: #2139405 Signed-off-by: Christian Schwede Change-Id: I55f6e2c68ae7d76b94919ed47df0a2251287e67b --- lib/swift | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/lib/swift b/lib/swift index d4ff8cc196..32aa6d74e1 100644 --- a/lib/swift +++ b/lib/swift @@ -434,6 +434,13 @@ function configure_swift { swift_pipeline+=" s3token" iniset ${SWIFT_CONFIG_PROXY_SERVER} filter:s3token auth_uri ${KEYSTONE_SERVICE_URI_V3} iniset ${SWIFT_CONFIG_PROXY_SERVER} filter:s3token delay_auth_decision true + iniset ${SWIFT_CONFIG_PROXY_SERVER} filter:s3token secret_cache_duration 900 + iniset ${SWIFT_CONFIG_PROXY_SERVER} filter:s3token auth_url ${KEYSTONE_SERVICE_URI} + iniset ${SWIFT_CONFIG_PROXY_SERVER} filter:s3token project_name 'service' + iniset ${SWIFT_CONFIG_PROXY_SERVER} filter:s3token project_domain_name ${SERVICE_DOMAIN_NAME} + iniset ${SWIFT_CONFIG_PROXY_SERVER} filter:s3token username 'swift' + iniset ${SWIFT_CONFIG_PROXY_SERVER} filter:s3token user_domain_name ${SERVICE_DOMAIN_NAME} + iniset ${SWIFT_CONFIG_PROXY_SERVER} filter:s3token password ${SERVICE_PASSWORD} fi swift_pipeline+=" keystoneauth" fi From ea0fdd2c806cf93e48a698e68165306da45314a2 Mon Sep 17 00:00:00 2001 From: "Dr. Jens Harbott" Date: Mon, 16 Feb 2026 07:53:08 +0100 Subject: [PATCH 70/74] Drop platform job for Ubuntu Jammy The job stopped working recently, the reason is unclear, but since Jammy is no longer included as required platform, let's just stop testing it. Signed-off-by: Dr. Jens Harbott Change-Id: I796eddac96313584f4aa5225a9b9803bb2ad19b5 --- .zuul.yaml | 11 ----------- stack.sh | 2 +- 2 files changed, 1 insertion(+), 12 deletions(-) diff --git a/.zuul.yaml b/.zuul.yaml index 2227f185dd..e1dec5b3fd 100644 --- a/.zuul.yaml +++ b/.zuul.yaml @@ -897,15 +897,6 @@ vars: configure_swap_size: 4096 -- job: - name: devstack-platform-ubuntu-jammy - parent: tempest-full-py3 - description: Ubuntu 22.04 LTS (Jammy) platform test - nodeset: openstack-single-node-jammy - timeout: 9000 - vars: - configure_swap_size: 8192 - - job: name: devstack-platform-ubuntu-noble-ovn-source parent: devstack-platform-ubuntu-noble @@ -1050,7 +1041,6 @@ - devstack-platform-rocky-red-quartz - devstack-platform-ubuntu-noble-ovn-source - devstack-platform-ubuntu-noble-ovs - - devstack-platform-ubuntu-jammy - devstack-multinode - devstack-unit-tests - openstack-tox-bashate @@ -1137,4 +1127,3 @@ - devstack-platform-rocky-red-quartz - devstack-platform-ubuntu-noble-ovn-source - devstack-platform-ubuntu-noble-ovs - - devstack-platform-ubuntu-jammy diff --git a/stack.sh b/stack.sh index 965f58007d..c6d37611c9 100755 --- a/stack.sh +++ b/stack.sh @@ -229,7 +229,7 @@ write_devstack_version # Warn users who aren't on an explicitly supported distro, but allow them to # override check and attempt installation with ``FORCE=yes ./stack`` -SUPPORTED_DISTROS="trixie|bookworm|jammy|noble|rhel9|rhel10" +SUPPORTED_DISTROS="trixie|bookworm|noble|rhel9|rhel10" if [[ ! ${DISTRO} =~ $SUPPORTED_DISTROS ]]; then echo "WARNING: this script has not been tested on $DISTRO" From cc82266a57c97910ef26305f92ea51d358eb015c Mon Sep 17 00:00:00 2001 From: Abhishek Bongale Date: Thu, 5 Feb 2026 13:39:40 +0000 Subject: [PATCH 71/74] Add venv for plugin list generation Isolate dependencies for generate-devstack-plugins-list.sh by creating a dedicated Python virtual environment with required packages. This ensures the script uses the correct version of dependencies regardless of system Python configuration. Closes-Bug: #2138869 Change-Id: I8a7e49b0b908aec7c95b7fbfb6c9a16375f267a6 Signed-off-by: Abhishek Bongale --- tools/generate-devstack-plugins-list.sh | 13 ++++++++++++- tools/requirements.txt | 1 + 2 files changed, 13 insertions(+), 1 deletion(-) create mode 100644 tools/requirements.txt diff --git a/tools/generate-devstack-plugins-list.sh b/tools/generate-devstack-plugins-list.sh index 3307943df9..45a926392e 100755 --- a/tools/generate-devstack-plugins-list.sh +++ b/tools/generate-devstack-plugins-list.sh @@ -38,6 +38,17 @@ # current working directory, it will be prepended or appended to # the generated reStructuredText plugins table respectively. +# Setup virtual environment +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +VENV_DIR="${SCRIPT_DIR}/.venv" + +if [[ ! -d "${VENV_DIR}" ]]; then + python3 -m venv "${VENV_DIR}" +fi + +source "${VENV_DIR}/bin/activate" +pip install -q -r "${SCRIPT_DIR}/requirements.txt" + # Print the title underline for a RST table. Argument is the length # of the first column, second column is assumed to be "URL" function title_underline { @@ -54,7 +65,7 @@ if [[ -r data/devstack-plugins-registry.header ]]; then cat data/devstack-plugins-registry.header fi -sorted_plugins=$(python3 tools/generate-devstack-plugins-list.py) +sorted_plugins=$("${VENV_DIR}/bin/python3" tools/generate-devstack-plugins-list.py) # find the length of the name column & pad name_col_len=$(echo "${sorted_plugins}" | wc -L) diff --git a/tools/requirements.txt b/tools/requirements.txt new file mode 100644 index 0000000000..f2293605cf --- /dev/null +++ b/tools/requirements.txt @@ -0,0 +1 @@ +requests From e9cf8cf3ed9ef5fdaf57f7707880e45ce1fbe2c0 Mon Sep 17 00:00:00 2001 From: OpenStack Proposal Bot Date: Wed, 18 Feb 2026 03:03:08 +0000 Subject: [PATCH 72/74] Updated from generate-devstack-plugins-list Change-Id: I440ae4bfbb97202f3b6ddca99d58fb3ff4604352 Signed-off-by: OpenStack Proposal Bot Generated-By: openstack/project-config:playbooks/proposal/propose_update.sh --- doc/source/plugin-registry.rst | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/doc/source/plugin-registry.rst b/doc/source/plugin-registry.rst index 9185263443..560668f2a0 100644 --- a/doc/source/plugin-registry.rst +++ b/doc/source/plugin-registry.rst @@ -48,7 +48,6 @@ openstack/grian-ui `https://opendev.org/openstack/grian-ui openstack/heat `https://opendev.org/openstack/heat `__ openstack/heat-dashboard `https://opendev.org/openstack/heat-dashboard `__ openstack/ironic `https://opendev.org/openstack/ironic `__ -openstack/ironic-inspector `https://opendev.org/openstack/ironic-inspector `__ openstack/ironic-prometheus-exporter `https://opendev.org/openstack/ironic-prometheus-exporter `__ openstack/ironic-ui `https://opendev.org/openstack/ironic-ui `__ openstack/keystone `https://opendev.org/openstack/keystone `__ @@ -60,9 +59,6 @@ openstack/manila-tempest-plugin `https://opendev.org/openstack/manila-t openstack/manila-ui `https://opendev.org/openstack/manila-ui `__ openstack/masakari `https://opendev.org/openstack/masakari `__ openstack/mistral `https://opendev.org/openstack/mistral `__ -openstack/monasca-api `https://opendev.org/openstack/monasca-api `__ -openstack/monasca-events-api `https://opendev.org/openstack/monasca-events-api `__ -openstack/monasca-tempest-plugin `https://opendev.org/openstack/monasca-tempest-plugin `__ openstack/networking-bagpipe `https://opendev.org/openstack/networking-bagpipe `__ openstack/networking-baremetal `https://opendev.org/openstack/networking-baremetal `__ openstack/networking-bgpvpn `https://opendev.org/openstack/networking-bgpvpn `__ @@ -84,7 +80,6 @@ openstack/osprofiler `https://opendev.org/openstack/osprofil openstack/ovn-bgp-agent `https://opendev.org/openstack/ovn-bgp-agent `__ openstack/ovn-octavia-provider `https://opendev.org/openstack/ovn-octavia-provider `__ openstack/rally-openstack `https://opendev.org/openstack/rally-openstack `__ -openstack/shade `https://opendev.org/openstack/shade `__ openstack/skyline-apiserver `https://opendev.org/openstack/skyline-apiserver `__ openstack/storlets `https://opendev.org/openstack/storlets `__ openstack/tacker `https://opendev.org/openstack/tacker `__ @@ -114,6 +109,7 @@ starlingx/nfv `https://opendev.org/starlingx/nfv `__ vexxhost/openstack-operator `https://opendev.org/vexxhost/openstack-operator `__ x/almanach `https://opendev.org/x/almanach `__ +x/apmec `https://opendev.org/x/apmec `__ x/bilean `https://opendev.org/x/bilean `__ x/broadview-collector `https://opendev.org/x/broadview-collector `__ x/collectd-openstack-plugins `https://opendev.org/x/collectd-openstack-plugins `__ From 55c045539dd2e47ee34154cadd9f9e280f90d042 Mon Sep 17 00:00:00 2001 From: Takashi Kajinami Date: Wed, 25 Feb 2026 23:40:08 +0900 Subject: [PATCH 73/74] Drop installation of tox The comment indicates that tox is used to generate config files, but it's actually not. Change-Id: Iddd45e084641bb3711985484e988ed533965f4f4 Signed-off-by: Takashi Kajinami --- lib/neutron_plugins/ovn_agent | 3 --- 1 file changed, 3 deletions(-) diff --git a/lib/neutron_plugins/ovn_agent b/lib/neutron_plugins/ovn_agent index 5404cfdd0d..8e3ca4ab89 100644 --- a/lib/neutron_plugins/ovn_agent +++ b/lib/neutron_plugins/ovn_agent @@ -401,9 +401,6 @@ function install_ovn { # Check the OVN configuration ovn_sanity_check - # Install tox, used to generate the config (see devstack/override-defaults) - pip_install tox - sudo mkdir -p $OVS_RUNDIR sudo chown $(whoami) $OVS_RUNDIR From 98f61116068b0fa73a3eb5c05f0670723ecd887d Mon Sep 17 00:00:00 2001 From: Yatin Karel Date: Mon, 2 Mar 2026 14:20:18 +0530 Subject: [PATCH 74/74] Honor PYTHON3_VERSION while venv prepare Currently PYTHON3_VERSION was not honored while preparing venv, this patch fixes it. Change-Id: I3f9db8cfa38572cdc80d4973ed3b5908335ef6e8 Signed-off-by: Yatin Karel --- stackrc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stackrc b/stackrc index 93f8b1cd6d..a16080600b 100644 --- a/stackrc +++ b/stackrc @@ -133,7 +133,7 @@ export PYTHON3_VERSION=${PYTHON3_VERSION:-${_DEFAULT_PYTHON3_VERSION:-3}} # Create a virtualenv with this # Use the built-in venv to avoid more dependencies -export VIRTUALENV_CMD="python3 -m venv" +export VIRTUALENV_CMD="python$PYTHON3_VERSION -m venv" # Default for log coloring is based on interactive-or-not. # Baseline assumption is that non-interactive invocations are for CI,