devstack/.zuul.yaml
Slawek Kaplonski 24b65adc9c Deploy Neutron with enforced new RBAC rules
This patch adds new config option NEUTRON_ENFORCE_NEW_DEFAULTS which
if set to True will deploy Neutron with enforce new rbac defaults and
scopes.
It will also use SYSTEM_ADMIN user to interact with Neutron where it is
needed.

Depends-On: https://review.opendev.org/c/openstack/neutron/+/798821

Change-Id: I14d934f0deced34d74003b92824cad3c44ec4f5e
2021-12-20 14:42:35 +01:00

919 lines
27 KiB
YAML

- pragma:
# NOTE(gtema): this is required for the changes in SDK feature/r1 branch to
# be using devstack
# TODO(gtema): delete this once r1 branch is merged into master
implied-branches:
- master
- feature/r1
- nodeset:
name: openstack-single-node
nodes:
- name: controller
label: ubuntu-xenial
groups:
- name: tempest
nodes:
- controller
- nodeset:
name: openstack-single-node-focal
nodes:
- name: controller
label: ubuntu-focal
groups:
- name: tempest
nodes:
- controller
- nodeset:
name: openstack-single-node-bionic
nodes:
- name: controller
label: ubuntu-bionic
groups:
- name: tempest
nodes:
- controller
- nodeset:
name: openstack-single-node-xenial
nodes:
- name: controller
label: ubuntu-xenial
groups:
- name: tempest
nodes:
- controller
- nodeset:
name: devstack-single-node-centos-7
nodes:
- name: controller
label: centos-7
groups:
- name: tempest
nodes:
- controller
- nodeset:
name: devstack-single-node-centos-8-stream
nodes:
- name: controller
label: centos-8-stream
groups:
- name: tempest
nodes:
- controller
- nodeset:
name: devstack-single-node-centos-9-stream
nodes:
- name: controller
label: centos-9-stream
groups:
- name: tempest
nodes:
- controller
- nodeset:
name: devstack-single-node-opensuse-15
nodes:
- name: controller
label: opensuse-15
groups:
- name: tempest
nodes:
- controller
- nodeset:
name: devstack-single-node-fedora-latest
nodes:
- name: controller
label: fedora-34
groups:
- name: tempest
nodes:
- controller
- nodeset:
name: devstack-single-node-debian-bullseye
nodes:
- name: controller
label: debian-bullseye
groups:
- name: tempest
nodes:
- controller
- nodeset:
name: openstack-two-node
nodes:
- name: controller
label: ubuntu-xenial
- name: compute1
label: ubuntu-xenial
groups:
# Node where tests are executed and test results collected
- name: tempest
nodes:
- controller
# Nodes running the compute service
- name: compute
nodes:
- controller
- compute1
# Nodes that are not the controller
- name: subnode
nodes:
- compute1
# Switch node for multinode networking setup
- name: switch
nodes:
- controller
# Peer nodes for multinode networking setup
- name: peers
nodes:
- compute1
- nodeset:
name: openstack-two-node-focal
nodes:
- name: controller
label: ubuntu-focal
- name: compute1
label: ubuntu-focal
groups:
# Node where tests are executed and test results collected
- name: tempest
nodes:
- controller
# Nodes running the compute service
- name: compute
nodes:
- controller
- compute1
# Nodes that are not the controller
- name: subnode
nodes:
- compute1
# Switch node for multinode networking setup
- name: switch
nodes:
- controller
# Peer nodes for multinode networking setup
- name: peers
nodes:
- compute1
- nodeset:
name: openstack-two-node-bionic
nodes:
- name: controller
label: ubuntu-bionic
- name: compute1
label: ubuntu-bionic
groups:
# Node where tests are executed and test results collected
- name: tempest
nodes:
- controller
# Nodes running the compute service
- name: compute
nodes:
- controller
- compute1
# Nodes that are not the controller
- name: subnode
nodes:
- compute1
# Switch node for multinode networking setup
- name: switch
nodes:
- controller
# Peer nodes for multinode networking setup
- name: peers
nodes:
- compute1
- nodeset:
name: openstack-two-node-xenial
nodes:
- name: controller
label: ubuntu-xenial
- name: compute1
label: ubuntu-xenial
groups:
# Node where tests are executed and test results collected
- name: tempest
nodes:
- controller
# Nodes running the compute service
- name: compute
nodes:
- controller
- compute1
# Nodes that are not the controller
- name: subnode
nodes:
- compute1
# Switch node for multinode networking setup
- name: switch
nodes:
- controller
# Peer nodes for multinode networking setup
- name: peers
nodes:
- compute1
- nodeset:
name: openstack-three-node-focal
nodes:
- name: controller
label: ubuntu-focal
- name: compute1
label: ubuntu-focal
- name: compute2
label: ubuntu-focal
groups:
# Node where tests are executed and test results collected
- name: tempest
nodes:
- controller
# Nodes running the compute service
- name: compute
nodes:
- controller
- compute1
- compute2
# Nodes that are not the controller
- name: subnode
nodes:
- compute1
- compute2
# Switch node for multinode networking setup
- name: switch
nodes:
- controller
# Peer nodes for multinode networking setup
- name: peers
nodes:
- compute1
- compute2
- nodeset:
name: openstack-three-node-bionic
nodes:
- name: controller
label: ubuntu-bionic
- name: compute1
label: ubuntu-bionic
- name: compute2
label: ubuntu-bionic
groups:
# Node where tests are executed and test results collected
- name: tempest
nodes:
- controller
# Nodes running the compute service
- name: compute
nodes:
- controller
- compute1
- compute2
# Nodes that are not the controller
- name: subnode
nodes:
- compute1
- compute2
# Switch node for multinode networking setup
- name: switch
nodes:
- controller
# Peer nodes for multinode networking setup
- name: peers
nodes:
- compute1
- compute2
- job:
name: devstack-base
parent: multinode
abstract: true
description: |
Base abstract Devstack job.
Defines plays and base variables, but it does not include any project
and it does not run any service by default. This is a common base for
all single Devstack jobs, single or multinode.
Variables are defined in job.vars, which is what is then used by single
node jobs and by multi node jobs for the controller, as well as in
job.group-vars.peers, which is what is used by multi node jobs for subnode
nodes (everything but the controller).
required-projects:
- opendev.org/openstack/devstack
roles:
- zuul: opendev.org/openstack/devstack-gate
- zuul: opendev.org/openstack/openstack-zuul-jobs
vars:
devstack_localrc:
DATABASE_PASSWORD: secretdatabase
RABBIT_PASSWORD: secretrabbit
ADMIN_PASSWORD: secretadmin
SERVICE_PASSWORD: secretservice
NETWORK_GATEWAY: 10.1.0.1
FIXED_RANGE: 10.1.0.0/20
IPV4_ADDRS_SAFE_TO_USE: 10.1.0.0/20
FLOATING_RANGE: 172.24.5.0/24
PUBLIC_NETWORK_GATEWAY: 172.24.5.1
LOGFILE: /opt/stack/logs/devstacklog.txt
LOG_COLOR: false
VERBOSE: true
VERBOSE_NO_TIMESTAMP: true
NOVNC_FROM_PACKAGE: true
ERROR_ON_CLONE: true
# Gate jobs can't deal with nested virt. Disable it by default.
LIBVIRT_TYPE: '{{ devstack_libvirt_type | default("qemu") }}'
devstack_services:
# Ignore any default set by devstack. Emit a "disable_all_services".
base: false
zuul_copy_output:
'{{ devstack_conf_dir }}/local.conf': logs
'{{ devstack_conf_dir }}/localrc': logs
'{{ devstack_conf_dir }}/.localrc.auto': logs
'{{ devstack_conf_dir }}/.stackenv': logs
'{{ devstack_log_dir }}/dstat-csv.log': logs
'{{ devstack_log_dir }}/devstacklog.txt': logs
'{{ devstack_log_dir }}/devstacklog.txt.summary': logs
'{{ devstack_log_dir }}/tcpdump.pcap': logs
'{{ devstack_log_dir }}/worlddump-latest.txt': logs
'{{ devstack_full_log}}': logs
'{{ stage_dir }}/verify_tempest_conf.log': logs
'{{ stage_dir }}/apache': logs
'{{ stage_dir }}/apache_config': logs
'{{ stage_dir }}/etc': logs
/var/log/rabbitmq: logs
/var/log/postgresql: logs
/var/log/mysql: logs
/var/log/libvirt: logs
/etc/libvirt: logs
/etc/sudoers: logs
/etc/sudoers.d: logs
'{{ stage_dir }}/iptables.txt': logs
'{{ stage_dir }}/df.txt': logs
'{{ stage_dir }}/pip2-freeze.txt': logs
'{{ stage_dir }}/pip3-freeze.txt': logs
'{{ stage_dir }}/dpkg-l.txt': logs
'{{ stage_dir }}/rpm-qa.txt': logs
'{{ stage_dir }}/core': logs
'{{ stage_dir }}/listen53.txt': logs
'{{ stage_dir }}/deprecations.log': logs
'{{ stage_dir }}/audit.log': logs
/etc/ceph: logs
/var/log/ceph: logs
/var/log/openvswitch: logs
/var/log/glusterfs: logs
/etc/glusterfs/glusterd.vol: logs
/etc/resolv.conf: logs
/var/log/unbound.log: logs
extensions_to_txt:
conf: true
log: true
localrc: true
stackenv: true
auto: true
group-vars:
subnode:
devstack_localrc:
DATABASE_PASSWORD: secretdatabase
RABBIT_PASSWORD: secretrabbit
ADMIN_PASSWORD: secretadmin
SERVICE_PASSWORD: secretservice
NETWORK_GATEWAY: 10.1.0.1
FIXED_RANGE: 10.1.0.0/20
IPV4_ADDRS_SAFE_TO_USE: 10.1.0.0/20
FLOATING_RANGE: 172.24.5.0/24
PUBLIC_NETWORK_GATEWAY: 172.24.5.1
LOGFILE: /opt/stack/logs/devstacklog.txt
LOG_COLOR: false
VERBOSE: true
VERBOSE_NO_TIMESTAMP: true
NOVNC_FROM_PACKAGE: true
ERROR_ON_CLONE: true
LIBVIRT_TYPE: qemu
devstack_services:
base: false
pre-run: playbooks/pre.yaml
run: playbooks/devstack.yaml
post-run: playbooks/post.yaml
irrelevant-files:
# Documentation related
- ^.*\.rst$
- ^api-ref/.*$
- ^doc/.*$
- ^releasenotes/.*$
# Translations
- ^.*/locale/.*po$
- job:
name: devstack-minimal
parent: devstack-base
description: |
Minimal devstack base job, intended for use by jobs that need
less than the normal minimum set of required-projects.
nodeset: openstack-single-node-focal
required-projects:
- opendev.org/openstack/requirements
vars:
devstack_localrc:
# Multinode specific settings
SERVICE_HOST: "{{ hostvars['controller']['nodepool']['private_ipv4'] }}"
HOST_IP: "{{ hostvars['controller']['nodepool']['private_ipv4'] }}"
PUBLIC_BRIDGE_MTU: '{{ external_bridge_mtu }}'
devstack_services:
# Shared services
dstat: true
etcd3: true
memory_tracker: true
mysql: true
rabbit: true
group-vars:
subnode:
devstack_services:
# Shared services
dstat: true
memory_tracker: true
devstack_localrc:
# Multinode specific settings
HOST_IP: "{{ hostvars[inventory_hostname]['nodepool']['private_ipv4'] }}"
SERVICE_HOST: "{{ hostvars['controller']['nodepool']['private_ipv4'] }}"
PUBLIC_BRIDGE_MTU: '{{ external_bridge_mtu }}'
# Subnode specific settings
DATABASE_TYPE: mysql
RABBIT_HOST: "{{ hostvars['controller']['nodepool']['private_ipv4'] }}"
DATABASE_HOST: "{{ hostvars['controller']['nodepool']['private_ipv4'] }}"
- job:
name: devstack
parent: devstack-minimal
description: |
Base devstack job for integration gate.
This base job can be used for single node and multinode devstack jobs.
With a single node nodeset, this job sets up an "all-in-one" (aio)
devstack with the seven OpenStack services included in the devstack tree:
keystone, glance, cinder, neutron, nova, placement, and swift.
With a two node nodeset, this job sets up an aio + compute node.
The controller can be customised using host-vars.controller, the
sub-nodes can be customised using group-vars.subnode.
Descendent jobs can enable / disable services, add devstack configuration
options, enable devstack plugins, configure log files or directories to be
transferred to the log server.
The job assumes that there is only one controller node. The number of
subnodes can be scaled up seamlessly by setting a custom nodeset in
job.nodeset.
The run playbook consists of a single role, so it can be easily rewritten
and extended.
required-projects:
- opendev.org/openstack/cinder
- opendev.org/openstack/glance
- opendev.org/openstack/keystone
- opendev.org/openstack/neutron
- opendev.org/openstack/nova
- opendev.org/openstack/placement
- opendev.org/openstack/swift
timeout: 7200
vars:
devstack_localrc:
# Common OpenStack services settings
SWIFT_REPLICAS: 1
SWIFT_START_ALL_SERVICES: false
SWIFT_HASH: 1234123412341234
DEBUG_LIBVIRT_COREDUMPS: true
NOVA_VNC_ENABLED: true
OVN_DBS_LOG_LEVEL: dbg
devstack_local_conf:
post-config:
$NEUTRON_CONF:
DEFAULT:
global_physnet_mtu: '{{ external_bridge_mtu }}'
devstack_services:
# Core services enabled for this branch.
# This list replaces the test-matrix.
# Shared services
dstat: true
etcd3: true
memory_tracker: true
mysql: true
rabbit: true
tls-proxy: true
# Keystone services
key: true
# Glance services
g-api: true
# Nova services
n-api: true
n-api-meta: true
n-cond: true
n-cpu: true
n-novnc: true
n-sch: true
# Placement service
placement-api: true
# OVN services
ovn-controller: true
ovn-northd: true
ovs-vswitchd: true
ovsdb-server: true
# Neutron services
q-svc: true
q-ovn-metadata-agent: true
# Swift services
s-account: true
s-container: true
s-object: true
s-proxy: true
# Cinder services
c-api: true
c-bak: true
c-sch: true
c-vol: true
# Services we don't need.
# This section is not really needed, it's for readability.
horizon: false
tempest: false
# Test matrix emits ceilometer but ceilomenter is not installed in the
# integrated gate, so specifying the services has not effect.
# ceilometer-*: false
group-vars:
subnode:
devstack_services:
# Core services enabled for this branch.
# This list replaces the test-matrix.
# Shared services
dstat: true
memory_tracker: true
tls-proxy: true
# Nova services
n-cpu: true
# Placement services
placement-client: true
# OVN services
ovn-controller: true
ovs-vswitchd: true
ovsdb-server: true
# Neutron services
q-ovn-metadata-agent: true
# Cinder services
c-bak: true
c-vol: true
# Services we don't run at all on subnode.
# This section is not really needed, it's for readability.
# keystone: false
# s-*: false
horizon: false
tempest: false
# Test matrix emits ceilometer but ceilometer is not installed in the
# integrated gate, so specifying the services has not effect.
# ceilometer-*: false
devstack_localrc:
# Subnode specific settings
GLANCE_HOSTPORT: "{{ hostvars['controller']['nodepool']['private_ipv4'] }}:9292"
Q_HOST: "{{ hostvars['controller']['nodepool']['private_ipv4'] }}"
NOVA_VNC_ENABLED: true
ENABLE_CHASSIS_AS_GW: false
- job:
name: devstack-ipv6
parent: devstack
description: |
Devstack single node job for integration gate with IPv6.
vars:
devstack_localrc:
SERVICE_IP_VERSION: 6
SERVICE_HOST: ""
- job:
name: devstack-enforce-scope
parent: devstack
description: |
This job runs the devstack with scope checks enabled.
vars:
devstack_localrc:
# Keep enabeling the services here to run with system scope
CINDER_ENFORCE_SCOPE: true
GLANCE_ENFORCE_SCOPE: true
NEUTRON_ENFORCE_SCOPE: true
- job:
name: devstack-multinode
parent: devstack
nodeset: openstack-two-node-focal
description: |
Simple multinode test to verify multinode functionality on devstack side.
This is not meant to be used as a parent job.
# NOTE(ianw) Platform tests have traditionally been non-voting because
# we often have to rush things through devstack to stabilise the gate,
# and these platforms don't have the round-the-clock support to avoid
# becoming blockers in that situation.
- job:
name: devstack-platform-centos-8-stream
parent: tempest-full-py3
description: CentOS 8 Stream platform test
nodeset: devstack-single-node-centos-8-stream
voting: false
timeout: 9000
vars:
configure_swap_size: 4096
- job:
name: devstack-platform-centos-9-stream
parent: tempest-full-py3
description: CentOS 9 Stream platform test
nodeset: devstack-single-node-centos-9-stream
voting: false
timeout: 9000
vars:
configure_swap_size: 4096
- job:
name: devstack-platform-debian-bullseye
parent: tempest-full-py3
description: Debian Bullseye platform test
nodeset: devstack-single-node-debian-bullseye
voting: false
timeout: 9000
vars:
configure_swap_size: 4096
# NOTE(yoctozepto): Debian Bullseye does not yet offer OVN. Switch to OVS
# for the time being.
devstack_localrc:
Q_AGENT: openvswitch
Q_ML2_PLUGIN_MECHANISM_DRIVERS: openvswitch
Q_ML2_TENANT_NETWORK_TYPE: vxlan
devstack_services:
# Disable OVN services
ovn-northd: false
ovn-controller: false
ovs-vswitchd: false
ovsdb-server: false
# Disable Neutron ML2/OVN services
q-ovn-metadata-agent: false
# Enable Neutron ML2/OVS services
q-agt: true
q-dhcp: true
q-l3: true
q-meta: true
q-metering: true
group-vars:
subnode:
devstack_services:
# Disable OVN services
ovn-controller: false
ovs-vswitchd: false
ovsdb-server: false
# Disable Neutron ML2/OVN services
q-ovn-metadata-agent: false
# Enable Neutron ML2/OVS services
q-agt: true
- job:
name: devstack-no-tls-proxy
parent: tempest-full-py3
description: |
Tempest job with tls-proxy off.
Some gates run devstack like this and it follows different code paths.
vars:
devstack_services:
tls-proxy: false
- job:
name: devstack-platform-fedora-latest
parent: tempest-full-py3
description: Fedora latest platform test
nodeset: devstack-single-node-fedora-latest
voting: false
- job:
name: devstack-platform-fedora-latest-virt-preview
parent: tempest-full-py3
description: Fedora latest platform test using the virt-preview repo.
nodeset: devstack-single-node-fedora-latest
voting: false
vars:
devstack_localrc:
ENABLE_FEDORA_VIRT_PREVIEW_REPO: true
- job:
name: devstack-tox-base
parent: devstack
description: |
Base job for devstack-based functional tests that use tox.
This job is not intended to be run directly. It's just here
for organizational purposes for devstack-tox-functional and
devstack-tox-functional-consumer.
post-run: playbooks/tox/post.yaml
vars:
tox_envlist: functional
tox_install_siblings: false
- job:
name: devstack-tox-functional
parent: devstack-tox-base
description: |
Base job for devstack-based functional tests that use tox.
Runs devstack, then runs the tox ``functional`` environment,
then collects tox/testr build output like normal tox jobs.
Turns off tox sibling installation. Projects may be involved
in the devstack deployment and so may be in the required-projects
list, but may not want to test against master of the other
projects in their tox env. Child jobs can set tox_install_siblings
to True to re-enable sibling processing.
run: playbooks/tox/run-both.yaml
- job:
name: devstack-tox-functional-consumer
parent: devstack
description: |
Base job for devstack-based functional tests for projects that
consume the devstack cloud.
This base job should only be used by projects that are not involved
in the devstack deployment step, but are instead projects that are using
devstack to get a cloud against which they can test things.
Runs devstack in pre-run, then runs the tox ``functional`` environment,
then collects tox/testr build output like normal tox jobs.
Turns off tox sibling installation. Projects may be involved
in the devstack deployment and so may be in the required-projects
list, but may not want to test against master of the other
projects in their tox env. Child jobs can set tox_install_siblings
to True to re-enable sibling processing.
pre-run:
- playbooks/devstack.yaml
- playbooks/tox/pre.yaml
run: playbooks/tox/run.yaml
- job:
name: devstack-unit-tests
nodeset: ubuntu-focal
description: |
Runs unit tests on devstack project.
It runs ``run_tests.sh``.
pre-run: playbooks/unit-tests/pre.yaml
run: playbooks/unit-tests/run.yaml
- project:
templates:
- integrated-gate-py3
- publish-openstack-docs-pti
check:
jobs:
- devstack
- devstack-ipv6
- devstack-enforce-scope
- devstack-platform-fedora-latest
- devstack-platform-centos-8-stream
- devstack-platform-centos-9-stream
- devstack-platform-debian-bullseye
- devstack-multinode
- devstack-unit-tests
- openstack-tox-bashate
- ironic-tempest-bios-ipmi-direct-tinyipa
- swift-dsvm-functional
- grenade:
irrelevant-files:
- ^.*\.rst$
- ^doc/.*$
- neutron-ovs-grenade-multinode:
irrelevant-files:
- ^.*\.rst$
- ^doc/.*$
- neutron-linuxbridge-tempest:
irrelevant-files:
- ^.*\.rst$
- ^doc/.*$
- neutron-ovn-tempest-ovs-release:
voting: false
irrelevant-files:
- ^.*\.rst$
- ^doc/.*$
- tempest-multinode-full-py3:
voting: false
irrelevant-files:
- ^.*\.rst$
- ^doc/.*$
- openstacksdk-functional-devstack:
irrelevant-files:
- ^.*\.rst$
- ^doc/.*$
- tempest-ipv6-only:
irrelevant-files:
- ^.*\.rst$
- ^doc/.*$
- nova-ceph-multistore:
irrelevant-files:
- ^.*\.rst$
- ^doc/.*$
gate:
jobs:
- devstack
- devstack-ipv6
- devstack-enforce-scope
- devstack-multinode
- devstack-unit-tests
- openstack-tox-bashate
- neutron-ovs-grenade-multinode:
irrelevant-files:
- ^.*\.rst$
- ^doc/.*$
- neutron-linuxbridge-tempest:
irrelevant-files:
- ^.*\.rst$
- ^doc/.*$
- ironic-tempest-bios-ipmi-direct-tinyipa
- swift-dsvm-functional
- grenade:
irrelevant-files:
- ^.*\.rst$
- ^doc/.*$
- openstacksdk-functional-devstack:
irrelevant-files:
- ^.*\.rst$
- ^doc/.*$
- tempest-ipv6-only:
irrelevant-files:
- ^.*\.rst$
- ^doc/.*$
- nova-ceph-multistore:
irrelevant-files:
- ^.*\.rst$
- ^doc/.*$
# Please add a note on each job and conditions for the job not
# being experimental any more, so we can keep this list somewhat
# pruned.
#
# * nova-next: maintained by nova for unreleased/undefaulted
# things
# * neutron-fullstack-with-uwsgi: maintained by neutron for fullstack test
# when neutron-api is served by uwsgi, it's in exprimental for testing.
# the next cycle we can remove this job if things turn out to be
# stable enough.
# * neutron-functional-with-uwsgi: maintained by neutron for functional
# test. Next cycle we can remove this one if things turn out to be
# stable engouh with uwsgi.
# * neutron-tempest-with-uwsgi: maintained by neutron for tempest test.
# Next cycle we can remove this if everything run out stable enough.
# * nova-multi-cell: maintained by nova and currently non-voting in the
# check queue for nova changes but relies on devstack configuration
# * devstack-platform-fedora-latest-virt-preview: Maintained by lyarwood
# for Nova to allow early testing of the latest versions of Libvirt and
# QEMU. Should only graduate out of experimental if it ever moves into
# the check queue for Nova.
experimental:
jobs:
- nova-multi-cell
- nova-next
- neutron-fullstack-with-uwsgi
- neutron-functional-with-uwsgi
- neutron-tempest-with-uwsgi
- devstack-plugin-ceph-tempest-py3:
irrelevant-files:
- ^.*\.rst$
- ^doc/.*$
- neutron-ovs-tempest-dvr:
irrelevant-files:
- ^.*\.rst$
- ^doc/.*$
- neutron-ovs-tempest-dvr-ha-multinode-full:
irrelevant-files:
- ^.*\.rst$
- ^doc/.*$
- cinder-tempest-lvm-multibackend:
irrelevant-files:
- ^.*\.rst$
- ^doc/.*$
- tempest-pg-full:
irrelevant-files:
- ^.*\.rst$
- ^doc/.*$
- devstack-platform-fedora-latest-virt-preview
- devstack-no-tls-proxy
periodic:
jobs:
- devstack-no-tls-proxy