def test_configure_local_ephemeral_storage_encrypted(
        self, determine_block_device, uuid):
    """Encrypted storage: the raw device is handed to vaultlocker first.

    With ``encrypt`` set and a complete Vault context, the raw block device
    is passed to ``vaultlocker encrypt``; the mkfs, mount and fstab
    assertions all expect the ``/dev/mapper/crypt-test`` device instead.
    """
    raw_device = '/dev/sdb'
    mapped_device = '/dev/mapper/crypt-test'
    instances_dir = '/var/lib/nova/instances'

    # A fixed UUID keeps the '--uuid' argument and mapper path predictable.
    uuid.uuid4.return_value = 'test'
    determine_block_device.return_value = raw_device

    # Presumably "complete" means the Vault relation data is all present.
    vault_ctx = MagicMock()
    vault_ctx.return_value = 'test_context'
    vault_ctx.complete = True
    self.vaultlocker.VaultKVContext.return_value = vault_ctx

    self.test_config.set('encrypt', True)
    self.is_device_mounted.return_value = False
    self.is_block_device.return_value = True

    utils.configure_local_ephemeral_storage()

    # NOTE(review): assert_called_with inspects only the most recent call,
    # so this does not prove the raw device was never formatted or mounted
    # in the clear earlier in the run.
    self.mkfs_xfs.assert_called_with(mapped_device, force=True)
    # Encryption has to come before the ownership/permission fix-ups.
    # NOTE(review): the recursive 0755 pinned here leaves everything under
    # the instances directory world-readable once the volume is unlocked;
    # confirm that is intended.
    self.check_call.assert_has_calls([
        call(['vaultlocker', 'encrypt', '--uuid', 'test', raw_device]),
        call(['chown', '-R', 'nova:nova', instances_dir]),
        call(['chmod', '-R', '0755', instances_dir]),
    ])
    self.mount.assert_called_with(mapped_device, instances_dir,
                                  filesystem='xfs')
    # NOTE(review): the middle option fragment reads '[email protected]' on
    # this page, which looks like e-mail-obfuscation residue; confirm the
    # real fstab option against the repository.
    self.fstab_add.assert_called_with(
        mapped_device, instances_dir, 'xfs',
        options='defaults,nofail,'
                '[email protected],'
                'comment=vaultlocker')
    self.assertTrue(self.test_kv.get('storage-configured'))
    self.vaultlocker.write_vaultlocker_conf.assert_called_with(
        'test_context', priority=80)
def test_configure_local_ephemeral_storage(self, determine_block_device,
                                           uuid):
    """Unencrypted storage: the raw device is formatted and mounted as-is.

    With ``encrypt`` off and an incomplete Vault context, no vaultlocker
    configuration may be written and the fstab entry carries no options.
    """
    raw_device = '/dev/sdb'
    instances_dir = '/var/lib/nova/instances'

    uuid.uuid4.return_value = 'test'
    determine_block_device.return_value = raw_device

    # Incomplete context with an empty rendering: Vault is not usable.
    vault_ctx = MagicMock()
    vault_ctx.return_value = {}
    vault_ctx.complete = False
    self.vaultlocker.VaultKVContext.return_value = vault_ctx

    self.test_config.set('encrypt', False)
    self.is_device_mounted.return_value = False
    self.is_block_device.return_value = True

    utils.configure_local_ephemeral_storage()

    self.mkfs_xfs.assert_called_with(raw_device, force=True)
    # Only the ownership and permission fix-ups are expected here; the
    # list contains no 'vaultlocker encrypt' call.
    self.check_call.assert_has_calls([
        call(['chown', '-R', 'nova:nova', instances_dir]),
        call(['chmod', '-R', '0755', instances_dir]),
    ])
    self.mount.assert_called_with(raw_device, instances_dir,
                                  filesystem='xfs')
    self.fstab_add.assert_called_with(raw_device, instances_dir, 'xfs',
                                      options=None)
    self.assertTrue(self.test_kv.get('storage-configured'))
    # The security-relevant negative: no Vault config without encryption.
    self.vaultlocker.write_vaultlocker_conf.assert_not_called()
def secrets_storage_changed():
    """Install the CA published as ``vault_ca``, then configure storage.

    Reads ``vault_ca`` via ``relation_get``. When present, the value is
    JSON-decoded, base64-decoded and written to the system CA directory
    with mode 0o644, after which the trust store is rebuilt with
    ``update-ca-certificates --fresh``. Local ephemeral storage is then
    (re)configured.
    """
    encoded_ca = relation_get('vault_ca')
    if encoded_ca:
        ca_bytes = base64.decodebytes(json.loads(encoded_ca).encode())
        # NOTE(review): whatever is published as vault_ca becomes a root in
        # the system-wide trust store, not one scoped to the Vault client,
        # and the bytes are not checked to be a PEM certificate before
        # installation. Worth validating the content and auditing changes
        # to this file.
        write_file('/usr/local/share/ca-certificates/vault-ca.crt',
                   ca_bytes, perms=0o644)
        subprocess.check_call(['update-ca-certificates', '--fresh'])
    # NOTE(review): the page lost its indentation; this call is placed
    # outside the `if` so storage is configured on every run. Confirm
    # against the repository.
    configure_local_ephemeral_storage()
def test_configure_local_ephemeral_storage_encrypted(
        self, determine_block_device, uuid):
    """Check the encrypted path of ``configure_local_ephemeral_storage``.

    ``encrypt`` is on and the Vault context is complete, so the raw device
    must be passed to ``vaultlocker encrypt`` while the mkfs, mount and
    fstab assertions expect the ``/dev/mapper/crypt-test`` device.
    """
    block_dev = '/dev/sdb'
    crypt_dev = '/dev/mapper/crypt-test'
    mount_point = '/var/lib/nova/instances'

    determine_block_device.return_value = block_dev
    # The stubbed UUID shows up in both '--uuid' and the mapper path below.
    uuid.uuid4.return_value = 'test'

    kv_context = MagicMock()
    kv_context.complete = True
    kv_context.return_value = 'test_context'
    self.vaultlocker.VaultKVContext.return_value = kv_context
    self.test_config.set('encrypt', True)

    self.is_block_device.return_value = True
    self.is_device_mounted.return_value = False

    utils.configure_local_ephemeral_storage()

    # NOTE(review): assert_called_with checks only the last call; it does
    # not show that the raw device was never formatted unencrypted.
    self.mkfs_xfs.assert_called_with(crypt_dev, force=True)
    expected_commands = [
        call(['vaultlocker', 'encrypt', '--uuid', 'test', block_dev]),
        call(['chown', '-R', 'nova:nova', mount_point]),
        # NOTE(review): recursive 0755 leaves the contents world-readable
        # once the volume is unlocked; confirm that is intended.
        call(['chmod', '-R', '0755', mount_point]),
    ]
    self.check_call.assert_has_calls(expected_commands)
    self.mount.assert_called_with(crypt_dev, mount_point, filesystem='xfs')
    # NOTE(review): '[email protected]' looks like e-mail-obfuscation
    # residue from the page; confirm the real option in the repository.
    self.fstab_add.assert_called_with(
        crypt_dev, mount_point, 'xfs',
        options='defaults,nofail,'
                '[email protected],'
                'comment=vaultlocker')
    self.assertTrue(self.test_kv.get('storage-configured'))
    self.vaultlocker.write_vaultlocker_conf.assert_called_with(
        'test_context', priority=80)
def test_configure_local_ephemeral_storage_done(self):
    """Already-configured storage: rewrite the Vault conf, skip the disk.

    ``storage-configured`` is pre-set, so no block-device probing may
    happen, but the vaultlocker configuration must still be written.
    """
    self.test_kv.set('storage-configured', True)
    self.test_config.set('encrypt', True)

    vault_ctx = MagicMock()
    vault_ctx.return_value = 'test_context'
    vault_ctx.complete = True
    self.vaultlocker.VaultKVContext.return_value = vault_ctx

    utils.configure_local_ephemeral_storage()

    # NOTE: the vaultlocker conf is rewritten on every run so that changes
    # to secret_id over time are picked up.
    self.vaultlocker.write_vaultlocker_conf.assert_called_with(
        'test_context', priority=80)
    # The device itself must be left alone once storage is configured.
    self.is_block_device.assert_not_called()
def test_configure_local_ephemeral_storage_done(self):
    """Re-run with ``storage-configured`` already recorded.

    Expects the vaultlocker configuration to be refreshed and the block
    device checks to be skipped entirely.
    """
    kv_context = MagicMock()
    kv_context.complete = True
    kv_context.return_value = 'test_context'
    self.vaultlocker.VaultKVContext.return_value = kv_context

    self.test_config.set('encrypt', True)
    self.test_kv.set('storage-configured', True)

    utils.configure_local_ephemeral_storage()

    # NOTE: the conf is always rewritten so that a changed secret_id
    # reaches the unit.
    self.vaultlocker.write_vaultlocker_conf.assert_called_with(
        'test_context', priority=80)
    self.is_block_device.assert_not_called()
def test_configure_local_ephemeral_storage(self, determine_block_device,
                                           uuid):
    """Check the unencrypted path of ``configure_local_ephemeral_storage``.

    ``encrypt`` is off and the Vault context is incomplete: the raw device
    is formatted and mounted directly, and no vaultlocker configuration
    may be written.
    """
    block_dev = '/dev/sdb'
    mount_point = '/var/lib/nova/instances'

    determine_block_device.return_value = block_dev
    uuid.uuid4.return_value = 'test'

    kv_context = MagicMock()
    kv_context.complete = False
    kv_context.return_value = {}
    self.vaultlocker.VaultKVContext.return_value = kv_context
    self.test_config.set('encrypt', False)

    self.is_block_device.return_value = True
    self.is_device_mounted.return_value = False

    utils.configure_local_ephemeral_storage()

    self.mkfs_xfs.assert_called_with(block_dev, force=True)
    expected_commands = [
        call(['chown', '-R', 'nova:nova', mount_point]),
        call(['chmod', '-R', '0755', mount_point]),
    ]
    self.check_call.assert_has_calls(expected_commands)
    self.mount.assert_called_with(block_dev, mount_point, filesystem='xfs')
    self.fstab_add.assert_called_with(block_dev, mount_point, 'xfs',
                                      options=None)
    self.assertTrue(self.test_kv.get('storage-configured'))
    # No Vault configuration may be written when encryption is off.
    self.vaultlocker.write_vaultlocker_conf.assert_not_called()
def storage_changed():
    """Delegate to ``configure_local_ephemeral_storage``; no other work."""
    configure_local_ephemeral_storage()
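def config_changed():
    """Re-apply the charm configuration to this unit.

    Returns immediately when the unit is paused. Otherwise the steps below
    run in the order written; most of them have side effects on the host
    (sysctl file, SSH keys, login shell, AppArmor profiles, storage), so
    the order is kept exactly as it was.

    Raises:
        Exception: if migration is enabled and ``migration-auth-type`` is
            not in ``MIGRATION_AUTH_TYPES`` (the unit is set to blocked
            first).
    """
    if is_unit_paused_set():
        log("Do not run config_changed when paused", "WARNING")
        return

    if config('ephemeral-unmount'):
        umount(config('ephemeral-unmount'), persist=True)

    if config('prefer-ipv6'):
        status_set('maintenance', 'configuring ipv6')
        assert_charm_supports_ipv6()

    # Reject an unknown auth type before any host state is changed.
    if (migration_enabled() and
            config('migration-auth-type') not in MIGRATION_AUTH_TYPES):
        message = "Invalid migration-auth-type"
        status_set('blocked', message)
        raise Exception(message)
    global CONFIGS
    send_remote_restart = False
    if not config('action-managed-upgrade'):
        if openstack_upgrade_available('nova-common'):
            status_set('maintenance', 'Running openstack upgrade')
            do_openstack_upgrade(CONFIGS)
            send_remote_restart = True

    # NOTE(review): operator-supplied sysctl values go into a file under
    # /etc/sysctl.d; any validation would have to live in create_sysctl,
    # which is not visible here.
    sysctl_settings = config('sysctl')
    if sysctl_settings:
        create_sysctl(sysctl_settings, '/etc/sysctl.d/50-nova-compute.conf')

    remove_libvirt_network('default')

    if migration_enabled() and config('migration-auth-type') == 'ssh':
        # Check-in with nova-c-c and register new ssh key, if it has just been
        # generated.
        status_set('maintenance', 'SSH key exchange')
        initialize_ssh_keys()
        import_authorized_keys()

    # `is True` means only a real boolean True turns the shell on; every
    # other value takes the disable branch.
    # NOTE(review): the account name is masked as '******' on this page;
    # the literal is kept as published.
    if config('enable-resize') is True:
        enable_shell(user='******')
        status_set('maintenance', 'SSH key exchange')
        initialize_ssh_keys(user='******')
        import_authorized_keys(user='******', prefix='nova')
    else:
        disable_shell(user='******')

    if config('instances-path') is not None:
        fp = config('instances-path')
        fix_path_ownership(fp, user='******')

    # A plain loop: the calls are made for their side effects, so the list
    # of return values the original comprehension built was thrown away.
    for rid in relation_ids('cloud-compute'):
        compute_joined(rid)
    for rid in relation_ids('neutron-plugin'):
        neutron_plugin_joined(rid, remote_restart=send_remote_restart)
    for rid in relation_ids('nova-ceilometer'):
        nova_ceilometer_joined(rid, remote_restart=send_remote_restart)

    if is_relation_made("nrpe-external-master"):
        update_nrpe_config()

    if config('hugepages'):
        install_hugepages()

    # Disable smt for ppc64, required for nova/libvirt/kvm
    arch = platform.machine()
    log('CPU architecture: {}'.format(arch))
    if arch in ['ppc64el', 'ppc64le']:
        set_ppc64_cpu_smt_state('off')

    # NOTE(jamespage): trigger any configuration related changes
    #                  for cephx permissions restrictions and
    #                  keys on disk for ceph-access backends
    for rid in relation_ids('ceph'):
        for unit in related_units(rid):
            ceph_changed(rid=rid, unit=unit)
    for rid in relation_ids('ceph-access'):
        for unit in related_units(rid):
            ceph_access(rid=rid, unit=unit)

    CONFIGS.write_all()

    NovaComputeAppArmorContext().setup_aa_profile()
    # NOTE(review): .lower() assumes 'multi-host' is always a string; an
    # unset value would raise here before the storage steps below run.
    if (network_manager() in ['flatmanager', 'flatdhcpmanager'] and
            config('multi-host').lower() == 'yes'):
        NovaAPIAppArmorContext().setup_aa_profile()
        NovaNetworkAppArmorContext().setup_aa_profile()

    install_vaultlocker()
    install_multipath()

    configure_local_ephemeral_storage()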
def config_changed():
    """Re-apply the charm configuration to this unit.

    Returns immediately when the unit is paused. Otherwise the steps below
    run in the order written; most of them have side effects on the host
    (sysctl file, SSH keys, login shell, instances directory, storage), so
    the statement order matters.

    Raises:
        Exception: if migration is enabled and ``migration-auth-type`` is
            not in ``MIGRATION_AUTH_TYPES`` (the unit is set to blocked
            first).
    """
    if is_unit_paused_set():
        log("Do not run config_changed when paused", "WARNING")
        return

    if config('ephemeral-unmount'):
        umount(config('ephemeral-unmount'), persist=True)

    if config('prefer-ipv6'):
        status_set('maintenance', 'configuring ipv6')
        assert_charm_supports_ipv6()

    # Reject an unknown auth type before any host state is changed.
    if (migration_enabled() and
            config('migration-auth-type') not in MIGRATION_AUTH_TYPES):
        message = ("Invalid migration-auth-type")
        status_set('blocked', message)
        raise Exception(message)
    global CONFIGS
    send_remote_restart = False
    if not config('action-managed-upgrade'):
        if openstack_upgrade_available('nova-common'):
            status_set('maintenance', 'Running openstack upgrade')
            do_openstack_upgrade(CONFIGS)
            send_remote_restart = True

    # sysctl settings are skipped entirely when running in a container.
    sysctl_settings = config('sysctl')
    if sysctl_settings and not is_container():
        create_sysctl(
            sysctl_settings,
            '/etc/sysctl.d/50-nova-compute.conf',
            # Some keys in the config may not exist in /proc/sys/net/.
            # For example, the conntrack module may not be loaded when
            # using lxd drivers instead of kvm. In these cases, we
            # simply ignore the missing keys, rather than making time
            # consuming calls out to the filesystem to check for their
            # existence.
            # NOTE(review): ignoring missing keys also means a security
            # relevant sysctl can fail to apply without any error; worth
            # checking the effective values after deployment.
            ignore=True)

    remove_libvirt_network('default')

    if migration_enabled() and config('migration-auth-type') == 'ssh':
        # Check-in with nova-c-c and register new ssh key, if it has just been
        # generated.
        status_set('maintenance', 'SSH key exchange')
        initialize_ssh_keys()
        import_authorized_keys()

    # `is True` means only a real boolean True turns the shell on; every
    # other value takes the disable branch.
    # NOTE(review): the account name is masked as '******' on this page;
    # presumably it is the same account as the mkdir owner below. Confirm.
    if config('enable-resize') is True:
        enable_shell(user='******')
        status_set('maintenance', 'SSH key exchange')
        initialize_ssh_keys(user='******')
        import_authorized_keys(user='******', prefix='nova')
    else:
        disable_shell(user='******')

    if config('instances-path') is not None:
        fp = config('instances-path')
        # A missing directory is created group-writable and world-readable
        # (0o775) before its ownership is fixed.
        if not os.path.exists(fp):
            mkdir(path=fp, owner='nova', group='nova', perms=0o775)
        fix_path_ownership(fp, user='******')

    for rid in relation_ids('cloud-compute'):
        compute_joined(rid)
    for rid in relation_ids('neutron-plugin'):
        neutron_plugin_joined(rid, remote_restart=send_remote_restart)
    for rid in relation_ids('nova-ceilometer'):
        nova_ceilometer_joined(rid, remote_restart=send_remote_restart)
    for rid in relation_ids('nova-vgpu'):
        nova_vgpu_joined(rid, remote_restart=send_remote_restart)

    if is_relation_made("nrpe-external-master"):
        update_nrpe_config()

    if config('hugepages'):
        install_hugepages()

    # Disable smt for ppc64, required for nova/libvirt/kvm
    arch = platform.machine()
    log('CPU architecture: {}'.format(arch))
    if arch in ['ppc64el', 'ppc64le']:
        set_ppc64_cpu_smt_state('off')

    # NOTE(jamespage): trigger any configuration related changes
    #                  for cephx permissions restrictions and
    #                  keys on disk for ceph-access backends
    for rid in relation_ids('ceph'):
        for unit in related_units(rid):
            ceph_changed(rid=rid, unit=unit)
    for rid in relation_ids('ceph-access'):
        for unit in related_units(rid):
            ceph_access(rid=rid, unit=unit)

    update_all_configs()

    install_vaultlocker()
    install_multipath()

    configure_local_ephemeral_storage()

    check_and_start_iscsid()
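def config_changed():
    """Re-apply the charm configuration to this unit.

    Returns immediately when the unit is paused. Otherwise the steps below
    run in the order written; most of them have side effects on the host
    (sysctl file, SSH keys, login shell, AppArmor profiles, storage), so
    the order is kept exactly as it was.

    Raises:
        Exception: if migration is enabled and ``migration-auth-type`` is
            not in ``MIGRATION_AUTH_TYPES`` (the unit is set to blocked
            first).
    """
    if is_unit_paused_set():
        log("Do not run config_changed when paused", "WARNING")
        return

    if config('ephemeral-unmount'):
        umount(config('ephemeral-unmount'), persist=True)

    if config('prefer-ipv6'):
        status_set('maintenance', 'configuring ipv6')
        assert_charm_supports_ipv6()

    # Reject an unknown auth type before any host state is changed.
    if (migration_enabled() and
            config('migration-auth-type') not in MIGRATION_AUTH_TYPES):
        message = "Invalid migration-auth-type"
        status_set('blocked', message)
        raise Exception(message)
    global CONFIGS
    send_remote_restart = False
    if not config('action-managed-upgrade'):
        if openstack_upgrade_available('nova-common'):
            status_set('maintenance', 'Running openstack upgrade')
            do_openstack_upgrade(CONFIGS)
            send_remote_restart = True

    # sysctl settings are skipped entirely when running in a container.
    sysctl_settings = config('sysctl')
    if sysctl_settings and not is_container():
        create_sysctl(
            sysctl_settings,
            '/etc/sysctl.d/50-nova-compute.conf',
            # Some keys in the config may not exist in /proc/sys/net/.
            # For example, the conntrack module may not be loaded when
            # using lxd drivers instead of kvm. In these cases, we
            # simply ignore the missing keys, rather than making time
            # consuming calls out to the filesystem to check for their
            # existence.
            # NOTE(review): ignoring missing keys also means a security
            # relevant sysctl can fail to apply without any error; worth
            # checking the effective values after deployment.
            ignore=True)

    remove_libvirt_network('default')

    if migration_enabled() and config('migration-auth-type') == 'ssh':
        # Check-in with nova-c-c and register new ssh key, if it has just been
        # generated.
        status_set('maintenance', 'SSH key exchange')
        initialize_ssh_keys()
        import_authorized_keys()

    # `is True` means only a real boolean True turns the shell on; every
    # other value takes the disable branch.
    # NOTE(review): the account name is masked as '******' on this page;
    # the literal is kept as published.
    if config('enable-resize') is True:
        enable_shell(user='******')
        status_set('maintenance', 'SSH key exchange')
        initialize_ssh_keys(user='******')
        import_authorized_keys(user='******', prefix='nova')
    else:
        disable_shell(user='******')

    if config('instances-path') is not None:
        fp = config('instances-path')
        fix_path_ownership(fp, user='******')

    # A plain loop: the calls are made for their side effects, so the list
    # of return values the original comprehension built was thrown away.
    for rid in relation_ids('cloud-compute'):
        compute_joined(rid)
    for rid in relation_ids('neutron-plugin'):
        neutron_plugin_joined(rid, remote_restart=send_remote_restart)
    for rid in relation_ids('nova-ceilometer'):
        nova_ceilometer_joined(rid, remote_restart=send_remote_restart)

    if is_relation_made("nrpe-external-master"):
        update_nrpe_config()

    if config('hugepages'):
        install_hugepages()

    # Disable smt for ppc64, required for nova/libvirt/kvm
    arch = platform.machine()
    log('CPU architecture: {}'.format(arch))
    if arch in ['ppc64el', 'ppc64le']:
        set_ppc64_cpu_smt_state('off')

    # NOTE(jamespage): trigger any configuration related changes
    #                  for cephx permissions restrictions and
    #                  keys on disk for ceph-access backends
    for rid in relation_ids('ceph'):
        for unit in related_units(rid):
            ceph_changed(rid=rid, unit=unit)
    for rid in relation_ids('ceph-access'):
        for unit in related_units(rid):
            ceph_access(rid=rid, unit=unit)

    CONFIGS.write_all()

    NovaComputeAppArmorContext().setup_aa_profile()
    # NOTE(review): .lower() assumes 'multi-host' is always a string; an
    # unset value would raise here before the storage steps below run.
    if (network_manager() in ['flatmanager', 'flatdhcpmanager'] and
            config('multi-host').lower() == 'yes'):
        NovaAPIAppArmorContext().setup_aa_profile()
        NovaNetworkAppArmorContext().setup_aa_profile()

    install_vaultlocker()
    install_multipath()

    configure_local_ephemeral_storage()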