From 51296591b49c92433026b1c20ba0cba3e13e4ca0 Mon Sep 17 00:00:00 2001
From: Dirk Mueller
Date: Fri, 22 Apr 2016 10:01:32 +0200
Subject: [PATCH 1/4] Use a random z/VM instance root password by default We change the default for zvm_config_drive_inject_password to true which causes the root password to be set to a randomly generated individual password rather than the hardcoded root-pass. In case this is undesired this parameter is made configurable so you can change it back to a globally hardcoded password (that is now also configurable) instead.
(cherry picked from commit 6b4111c5c35f219e47c031f7d4df4354d7807ce9)
(cherry picked from commit c410e40cbb04437684b4cbae1c82c389a62103eb)
---
 chef/cookbooks/nova/templates/default/nova.conf.erb | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/chef/cookbooks/nova/templates/default/nova.conf.erb b/chef/cookbooks/nova/templates/default/nova.conf.erb
index 0c908f75fa..f32c3c3b94 100644
--- a/chef/cookbooks/nova/templates/default/nova.conf.erb
+++ b/chef/cookbooks/nova/templates/default/nova.conf.erb
@@ -1584,6 +1584,7 @@ control_exchange = nova
 # Sets the admin password in the config drive (boolean value)
 #zvm_config_drive_inject_password = false
+<%= "zvm_config_drive_inject_password=#{node[:nova][:zvm][:zvm_config_drive_inject_password]}" if @libvirt_type.eql?('zvm') %>
 # Force can be: (ARCHITECTURE) attempt relocation even though hardware
 # architecture facilities or CP features are not available on destination
@@ -1642,6 +1643,7 @@ control_exchange = nova
 # Default os root password for a new created vm (string value)
 #zvm_image_default_password = rootpass
+<%= "zvm_image_default_password = #{node[:nova][:zvm][:zvm_image_default_password]}" if @libvirt_type.eql?('zvm') %>
 # The period(days) to clean up an image that not be used for deploy in one xCAT
 # MN within the defined time (integer value)
From 51a6244e341dc9e7a2380cb5ed1abaaca13ba3d0 Mon Sep 17 00:00:00 2001
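Review bot: The added line in the first hunk interpolates `node[:nova][:zvm][:zvm_config_drive_inject_password]` with no fallback, so a proposal that lacks the key renders `zvm_config_drive_inject_password=` with an empty value, because Ruby interpolates nil as an empty string. The diffstat shows this commit touches only the template, so the new default of true described in the message and any migration for existing proposals are not visible here and should be confirmed. A comment above the line such as `<%# attribute must be present: set by the nova proposal template and its migration %>` would record that dependency.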
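Review bot: The added line in the second hunk writes the guest root password into nova.conf in clear text, so the rendered file's owner and mode decide who can read it; the template resource that sets them is outside this patch and should be checked to exclude world read access. The value is interpolated verbatim, so a password containing a line break would continue onto a new config line; rejecting control characters in the proposal validation would prevent that. The same two points apply to the `zvm_user_default_password` line added in PATCH 2/4.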
From: Dirk Mueller
Date: Tue, 20 Sep 2016 11:11:49 +0200
Subject: [PATCH 2/4] Add more tuneables for zvm
(cherry picked from commit 591b062ac647e18bde1a42892e2eebb34076cb3f)
(cherry picked from commit 1993cd7694f33abec8f83f28d48979cfa4899323)
---
 .../nova/templates/default/nova.conf.erb | 3 ++
 .../crowbar/migrate/nova/044_add_zvm_extra.rb | 31 +++++++++++++++++++
 chef/data_bags/crowbar/template-nova.json | 5 ++-
 chef/data_bags/crowbar/template-nova.schema | 3 ++
 4 files changed, 41 insertions(+), 1 deletion(-)
 create mode 100644 chef/data_bags/crowbar/migrate/nova/044_add_zvm_extra.rb
diff --git a/chef/cookbooks/nova/templates/default/nova.conf.erb b/chef/cookbooks/nova/templates/default/nova.conf.erb
index f32c3c3b94..84c8305fe8 100644
--- a/chef/cookbooks/nova/templates/default/nova.conf.erb
+++ b/chef/cookbooks/nova/templates/default/nova.conf.erb
@@ -1608,6 +1608,7 @@ control_exchange = nova
 # Timeout(seconds) when start an instance. (integer value)
 #zvm_reachable_timeout = 300
+<%= "zvm_reachable_timeout=#{node[:nova][:zvm][:zvm_reachable_timeout]}" if @libvirt_type.eql?('zvm') %>
 # XCAT connection read timeout(seconds) (integer value)
 #zvm_xcat_connection_timeout = 3600
@@ -1621,9 +1622,11 @@ control_exchange = nova
 # Default password for a new created z/VM user (string value)
 #zvm_user_default_password = dfltpass
+<%= "zvm_user_default_password=#{node[:nova][:zvm][:zvm_user_default_password]}" if @libvirt_type.eql?('zvm') %>
 # Default privilege level for a new created z/VM user (string value)
 #zvm_user_default_privilege = g
+<%= "zvm_user_default_privilege=#{node[:nova][:zvm][:zvm_user_default_privilege]}" if @libvirt_type.eql?('zvm') %>
 # Virtual device number for ephemeral root disk (string value)
 #zvm_user_root_vdev = 0100
diff --git a/chef/data_bags/crowbar/migrate/nova/044_add_zvm_extra.rb b/chef/data_bags/crowbar/migrate/nova/044_add_zvm_extra.rb
new file mode 100644
index 0000000000..e2bccf8d48
--- /dev/null
+++ b/chef/data_bags/crowbar/migrate/nova/044_add_zvm_extra.rb
@@ -0,0 +1,31 @@
+def upgrade(ta, td, a, d)
+ z = a["zvm"]
+
+ unless z.key? "zvm_user_default_password"
+ z["zvm_user_default_password"] = ta["zvm"]["zvm_user_default_password"]
+ end
+ unless z.key? "zvm_user_default_privilege"
+ z["zvm_user_default_privilege"] = ta["zvm"]["zvm_user_default_privilege"]
+ end
+ unless z.key? "zvm_reachable_timeout"
+ z["zvm_reachable_timeout"] = ta["zvm"]["zvm_reachable_timeout"]
+ end
+
+ return a, d
+end
+
+def downgrade(ta, td, a, d)
+ z = a["zvm"]
+
+ unless ta["zvm"].key? "zvm_user_default_password"
+ z.delete("zvm_user_default_password")
+ end
+ unless ta["zvm"].key? "zvm_user_default_privilege"
+ z.delete("zvm_user_default_privilege")
+ end
+ unless ta["zvm"].key? "zvm_reachable_timeout"
+ z.delete("zvm_reachable_timeout")
+ end
+
+ return a, d
+end
diff --git a/chef/data_bags/crowbar/template-nova.json b/chef/data_bags/crowbar/template-nova.json
index 99735893e1..1274a92d89 100644
--- a/chef/data_bags/crowbar/template-nova.json
+++ b/chef/data_bags/crowbar/template-nova.json
@@ -65,6 +65,9 @@
 "zvm_xcat_master": "",
 "zvm_image_default_password": "rootpass",
 "zvm_config_drive_inject_password": true,
+ "zvm_reachable_timeout": 600,
+ "zvm_user_default_password": "dfltpass",
+ "zvm_user_default_privilege": "g",
 "zvm_xcat_ssh_key": ""
 },
 "ssl": {
@@ -93,7 +96,7 @@
 "nova": {
 "crowbar-revision": 0,
 "crowbar-applied": false,
- "schema-revision": 43,
+ "schema-revision": 44,
 "element_states": {
 "nova-controller": [ "readying", "ready", "applying" ],
 "nova-compute-docker": [ "readying", "ready", "applying" ],
diff --git a/chef/data_bags/crowbar/template-nova.schema b/chef/data_bags/crowbar/template-nova.schema
index bd746b40da..9d74709293 100644
--- a/chef/data_bags/crowbar/template-nova.schema
+++ b/chef/data_bags/crowbar/template-nova.schema
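Review bot: `upgrade` in 044_add_zvm_extra.rb copies the template value of `zvm_user_default_password` into every existing proposal, and the `template-nova.json` hunk of this patch sets that value to `"dfltpass"`, so the fixed, publicly documented default becomes explicit configuration on every upgraded deployment without the operator choosing it. It matches the commented default shown in nova.conf.erb, so behaviour is preserved, but nothing prompts the operator to replace it. Consider having the proposal validation warn when the value is still the shipped default and `nova-compute-zvm` nodes are assigned, or at least state it above the assignment: `# copies the shipped default; operators should replace it before deploying z/VM guests`. Both functions also assume `a["zvm"]` exists; if it is nil, the first `z.key?` in `upgrade` raises, and so does the first `z.delete` that `downgrade` reaches.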
@@ -93,6 +93,9 @@
 "zvm_user_profile": { "type": "str", "required": true },
 "zvm_xcat_master": { "type": "str", "required": true },
 "zvm_image_default_password": { "type": "str", "required": true },
+ "zvm_user_default_password": { "type": "str", "required": true },
+ "zvm_user_default_privilege": { "type": "str", "required": true },
+ "zvm_reachable_timeout": { "type": "int", "required": true },
 "zvm_config_drive_inject_password": { "type": "bool", "required": true },
 "zvm_xcat_ssh_key": { "type": "str", "required": true }
 }
From ba85c1aebe6cdce0d80bbb748d3e7c69cbe6eb20 Mon Sep 17 00:00:00 2001
From: Ralf Haferkamp
Date: Thu, 22 Sep 2016 10:08:12 +0200
Subject: [PATCH 3/4] nova: Allow to define a custom network for xCAT access (bsc#976778) xCAT needs to be able to ssh to the compute nodes. Allow to use something different then the admin network by setting the nova.zvm.zvm_xcat_network to the name of the network that is defined in the network barclamp. z/VM will then allocate an IP in that network and set "my_ip" in nova.conf accordingly. https://bugzilla.suse.com/show_bug.cgi?id=976778
(cherry picked from commit d2de18f778ca764d12bae5f921555d6dc1000f6b)
(cherry picked from commit f2f1127fe9b434c3fab820de746ca8f26a0e7887)
---
 chef/cookbooks/nova/recipes/config.rb | 11 +++++++++-
 .../migrate/nova/045_add_zvm_xcat_network.rb | 15 +++++++++++++
 chef/data_bags/crowbar/template-nova.json | 3 ++-
 chef/data_bags/crowbar/template-nova.schema | 1 +
 crowbar_framework/app/models/nova_service.rb | 21 +++++++++++++++++++
 crowbar_framework/config/locales/nova/en.yml | 1 +
 6 files changed, 50 insertions(+), 2 deletions(-)
 create mode 100644 chef/data_bags/crowbar/migrate/nova/045_add_zvm_xcat_network.rb
diff --git a/chef/cookbooks/nova/recipes/config.rb b/chef/cookbooks/nova/recipes/config.rb
index 298c7ee47a..99ad9d288a 100644
--- a/chef/cookbooks/nova/recipes/config.rb
+++ b/chef/cookbooks/nova/recipes/config.rb
@@ -19,7 +19,16 @@
 # limitations under the License.
 #
-node.set[:nova][:my_ip] = Chef::Recipe::Barclamp::Inventory.get_network_by_type(node, "admin").address
+my_ip_net = "admin"
+
+# z/VM compute nodes might need a different "my_ip" setting to be accessible
+# from the xCAT management node
+if node["roles"].include?("nova-compute-zvm")
+ my_ip_net = node["nova"]["zvm"]["zvm_xcat_network"]
+end
+
+node.set[:nova][:my_ip] =
+ Chef::Recipe::Barclamp::Inventory.get_network_by_type(node, my_ip_net).address
 package "nova-common" do
 if %w(rhel suse).include?(node[:platform_family])
diff --git a/chef/data_bags/crowbar/migrate/nova/045_add_zvm_xcat_network.rb b/chef/data_bags/crowbar/migrate/nova/045_add_zvm_xcat_network.rb
new file mode 100644
index 0000000000..af93aa1450
--- /dev/null
+++ b/chef/data_bags/crowbar/migrate/nova/045_add_zvm_xcat_network.rb
@@ -0,0 +1,15 @@
+def upgrade(ta, td, a, d)
+ unless a["zvm"].key? "zvm_xcat_network"
+ a["zvm"]["zvm_xcat_network"] = "admin"
+ end
+
+ return a, d
+end
+
+def downgrade(ta, td, a, d)
+ unless ta["zvm"].key? "zvm_xcat_network"
+ a["zvm"].delete("zvm_xcat_network")
+ end
+
+ return a, d
+end
diff --git a/chef/data_bags/crowbar/template-nova.json b/chef/data_bags/crowbar/template-nova.json
index 1274a92d89..6a03d3ccd5 100644
--- a/chef/data_bags/crowbar/template-nova.json
+++ b/chef/data_bags/crowbar/template-nova.json
@@ -57,6 +57,7 @@
 "zvm_xcat_server": "",
 "zvm_xcat_username": "",
 "zvm_xcat_password": "",
+ "zvm_xcat_network": "admin",
 "zvm_diskpool": "",
 "zvm_diskpool_type": "",
 "zvm_host": "",
@@ -96,7 +97,7 @@
 "nova": {
 "crowbar-revision": 0,
 "crowbar-applied": false,
- "schema-revision": 44,
+ "schema-revision": 45,
 "element_states": {
 "nova-controller": [ "readying", "ready", "applying" ],
 "nova-compute-docker": [ "readying", "ready", "applying" ],
diff --git a/chef/data_bags/crowbar/template-nova.schema b/chef/data_bags/crowbar/template-nova.schema
index 9d74709293..e4cd2f60fd 100644
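Review bot: The new `node.set[:nova][:my_ip]` assignment in config.rb calls `.address` directly on the result of `get_network_by_type(node, my_ip_net)`, and `my_ip_net` now comes from the proposal; if the lookup returns nil for a network the node has no allocation on (presumably, the helper is outside this hunk), the recipe stops with a NoMethodError that does not name the network. Splitting the call gives a usable message: `my_net = Chef::Recipe::Barclamp::Inventory.get_network_by_type(node, my_ip_net)` followed by `raise "No address on network '#{my_ip_net}' for nova my_ip" if my_net.nil?`. Since `my_ip` then moves off the admin network on z/VM compute nodes, anything in nova.conf derived from it will use the xCAT network as well, which deserves a sentence in the comment above the `if`.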
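Review bot: `upgrade` in 045_add_zvm_xcat_network.rb hard-codes `"admin"` while `downgrade` consults `ta`, and migration 044 in PATCH 2/4 takes its defaults from `ta`; reading the template keeps migration and template in step if the default ever changes: `a["zvm"]["zvm_xcat_network"] = ta["zvm"]["zvm_xcat_network"]`. Both functions also dereference `a["zvm"]` and `ta["zvm"]` without checking that they exist.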
--- a/chef/data_bags/crowbar/template-nova.schema
+++ b/chef/data_bags/crowbar/template-nova.schema
@@ -86,6 +86,7 @@
 "zvm_xcat_server": { "type": "str", "required": true },
 "zvm_xcat_username": { "type": "str", "required": true },
 "zvm_xcat_password": { "type": "str", "required": true },
+ "zvm_xcat_network": { "type": "str", "required": true },
 "zvm_diskpool": { "type": "str", "required": true },
 "zvm_diskpool_type": { "type": "str", "required": true },
 "zvm_host": { "type": "str", "required": true },
diff --git a/crowbar_framework/app/models/nova_service.rb b/crowbar_framework/app/models/nova_service.rb
index a49320d465..e91fb5957c 100644
--- a/crowbar_framework/app/models/nova_service.rb
+++ b/crowbar_framework/app/models/nova_service.rb
@@ -306,6 +306,18 @@ def apply_role_pre_chef_call(old_role, role, all_nodes)
 neutron["attributes"]["neutron"]["use_dvr"])
 end unless all_nodes.nil?
+ # Allocate IP for xcat_management network for z/VM nodes, if we're
+ # configured to use something else than the "admin" network for it.
+ zvm_compute_nodes = role.override_attributes["nova"]["elements"]["nova-compute-zvm"]
+ unless zvm_compute_nodes.nil? || zvm_compute_nodes.empty?
+ zvm_xcat_network = role.default_attributes["nova"]["zvm"]["zvm_xcat_network"]
+ unless zvm_xcat_network == "admin"
+ zvm_compute_nodes.each do |n|
+ net_svc.allocate_ip("default", zvm_xcat_network, "host", n)
+ end
+ end
+ end
+
 @logger.debug("Nova apply_role_pre_chef_call: leaving")
 end
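Review bot: The result of `net_svc.allocate_ip("default", zvm_xcat_network, "host", n)` is discarded in the added loop of apply_role_pre_chef_call, so a failed allocation would go unnoticed here and only surface later when the node's recipe looks up its address on that network. If allocate_ip reports failure through its return value (its definition is outside this hunk), check it and log the node and network through `@logger` before continuing. The block also compares `role.default_attributes["nova"]["zvm"]["zvm_xcat_network"]` only against `"admin"`, so a role where the key is missing would pass nil on as the network name. The method starts before this hunk and `net_svc` is set up outside it.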
@@ -331,6 +343,15 @@ def validate_proposal_after_save proposal
 validation_error I18n.t("barclamp.#{@bc_name}.validation.hyperv_support")
 end
+ unless elements["nova-compute-zvm"].nil? || elements["nova-compute-zvm"].empty?
+ unless network_present? proposal["attributes"][@bc_name]["zvm"]["zvm_xcat_network"]
+ validation_error I18n.t(
+ "barclamp.#{@bc_name}.validation.invalid_zvm_xcat_network",
+ network: proposal["attributes"][@bc_name]["zvm"]["zvm_xcat_network"]
+ )
+ end
+ end
+
 elements["nova-compute-docker"].each do |n|
 nodes[n] += 1
 end unless elements["nova-compute-docker"].nil?
diff --git a/crowbar_framework/config/locales/nova/en.yml b/crowbar_framework/config/locales/nova/en.yml
index e3920730c7..3b85926032 100644
--- a/crowbar_framework/config/locales/nova/en.yml
+++ b/crowbar_framework/config/locales/nova/en.yml
@@ -90,3 +90,4 @@ en:
 assigned_node: 'Node %{key} has been assigned to a nova-compute role more than once.'
 assigned_remotes: 'Remotes %{key} has been assigned to a nova-compute role more than once.'
 assigned_node_and_remote: 'Node %{node} has been assigned to a nova-compute role as individual node and as remote node of cluster %{cluster}.'
+ invalid_zvm_xcat_network: 'Network "%{network}" configured for zvm xcat access is not defined in the configuration of the network barclamp.'
From f6d46e9af2211f96d9e09e35bba86929945c3230 Mon Sep 17 00:00:00 2001
From: Vincent Untz
Date: Mon, 27 Feb 2017 11:16:16 +0100
Subject: [PATCH 4/4] nova: Avoid changing nova.conf when not using z/VM Some empty lines were added, causing restart of nova services.
---
 .../nova/templates/default/nova.conf.erb | 20 ++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/chef/cookbooks/nova/templates/default/nova.conf.erb b/chef/cookbooks/nova/templates/default/nova.conf.erb
index 84c8305fe8..e8c1e02003 100644
--- a/chef/cookbooks/nova/templates/default/nova.conf.erb
+++ b/chef/cookbooks/nova/templates/default/nova.conf.erb
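Review bot: The added block in validate_proposal_after_save evaluates `proposal["attributes"][@bc_name]["zvm"]["zvm_xcat_network"]` twice and nests two `unless` statements; a local such as `zvm_net = proposal["attributes"][@bc_name]["zvm"]["zvm_xcat_network"]` and a single guard would read more easily. The check relies on `network_present?`, which is defined outside this hunk, so whether an empty or missing value is rejected cannot be seen here; if it is, the message would show an empty network name, and a one-line comment stating the expected behaviour for that case would help. The method body extends beyond this hunk.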
@@ -1584,7 +1584,9 @@ control_exchange = nova
 # Sets the admin password in the config drive (boolean value)
 #zvm_config_drive_inject_password = false
-<%= "zvm_config_drive_inject_password=#{node[:nova][:zvm][:zvm_config_drive_inject_password]}" if @libvirt_type.eql?('zvm') %>
+<% if @libvirt_type.eql?('zvm') -%>
+zvm_config_drive_inject_password=<%= node[:nova][:zvm][:zvm_config_drive_inject_password] %>
+<% end -%>
 # Force can be: (ARCHITECTURE) attempt relocation even though hardware
 # architecture facilities or CP features are not available on destination
@@ -1608,7 +1610,9 @@ control_exchange = nova
 # Timeout(seconds) when start an instance. (integer value)
 #zvm_reachable_timeout = 300
-<%= "zvm_reachable_timeout=#{node[:nova][:zvm][:zvm_reachable_timeout]}" if @libvirt_type.eql?('zvm') %>
+<% if @libvirt_type.eql?('zvm') -%>
+zvm_reachable_timeout=<%= node[:nova][:zvm][:zvm_reachable_timeout] %>
+<% end -%>
 # XCAT connection read timeout(seconds) (integer value)
 #zvm_xcat_connection_timeout = 3600
@@ -1622,11 +1626,15 @@ control_exchange = nova
 # Default password for a new created z/VM user (string value)
 #zvm_user_default_password = dfltpass
-<%= "zvm_user_default_password=#{node[:nova][:zvm][:zvm_user_default_password]}" if @libvirt_type.eql?('zvm') %>
+<% if @libvirt_type.eql?('zvm') -%>
+zvm_user_default_password=<%= node[:nova][:zvm][:zvm_user_default_password] %>
+<% end -%>
 # Default privilege level for a new created z/VM user (string value)
 #zvm_user_default_privilege = g
-<%= "zvm_user_default_privilege=#{node[:nova][:zvm][:zvm_user_default_privilege]}" if @libvirt_type.eql?('zvm') %>
+<% if @libvirt_type.eql?('zvm') -%>
+zvm_user_default_privilege=<%= node[:nova][:zvm][:zvm_user_default_privilege] %>
+<% end -%>
 # Virtual device number for ephemeral root disk (string value)
 #zvm_user_root_vdev = 0100
@@ -1646,7 +1654,9 @@ control_exchange = nova
 # Default os root password for a new created vm (string value)
 #zvm_image_default_password = rootpass
-<%= "zvm_image_default_password = #{node[:nova][:zvm][:zvm_image_default_password]}" if @libvirt_type.eql?('zvm') %>
+<% if @libvirt_type.eql?('zvm') -%>
+zvm_image_default_password=<%= node[:nova][:zvm][:zvm_image_default_password] %>
+<% end -%>
 # The period(days) to clean up an image that not be used for deploy in one xCAT
 # MN within the defined time (integer value)
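Review bot: The replacement line drops the spaces around `=` (`zvm_image_default_password=<%= ... %>` where the removed line rendered `zvm_image_default_password = ...`), so on z/VM compute nodes the rendered nova.conf changes once more and, by the commit message's own reasoning, the nova services restart there after this patch. If the normalisation is intended, say so in the commit message; otherwise keep the old spacing so the output stays byte-identical on those nodes: `zvm_image_default_password = <%= node[:nova][:zvm][:zvm_image_default_password] %>`. The four other rewritten lines in this patch keep their previous `key=value` form.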