18686478 kstat warning every minute in nova-compute log on SPARC
authordavid.comay@oracle.com
Mon, 07 Jul 2014 20:35:11 -0700
changeset 1990 c1c6cc703d7a
parent 1989 ae222899e270
child 1991 dec41166c508
18686478 kstat warning every minute in nova-compute log on SPARC 19064962 power state mapping for incomplete zone is incorrect 19065445 Horizon doesn't deal well with shutdown zones 19130253 pausing/suspension "successful" in horizon, though nothing happens 19161623 problem in SERVICE/KEYSTONE 19166348 cinder & nova should default signing_dir explicitly for consistency 19166359 minor pkgfmt(1) issues with OpenStack manifests
components/openstack/cinder/files/api-paste.ini
components/openstack/common/openstack.p5m
components/openstack/horizon/files/overrides.py
components/openstack/keystone/patches/07-CVE-2014-3520.patch
components/openstack/nova/files/api-paste.ini
components/openstack/nova/files/solariszones/driver.py
components/openstack/swift/swift.p5m
--- a/components/openstack/cinder/files/api-paste.ini	Mon Jul 07 20:22:27 2014 -0700
+++ b/components/openstack/cinder/files/api-paste.ini	Mon Jul 07 20:35:11 2014 -0700
@@ -58,4 +58,4 @@
 # signing_dir is configurable, but the default behavior of the authtoken
 # middleware should be sufficient.  It will create a temporary directory
 # in the home directory for the user the cinder process is running as.
-#signing_dir = /var/lib/cinder/keystone-signing
+signing_dir = /var/lib/cinder/keystone-signing
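Review bot: The comment directly above the now-active `signing_dir` line still says the middleware default (a temporary directory under the service user's home) should be sufficient, which no longer describes this file. The nova api-paste.ini hunk has the same stale comment. Because this directory holds the certificate material the authtoken middleware uses to validate Keystone tokens, the comment should state what is required of it, for example `# signing_dir must be owned by the cinder user and closed to other users (mode 0700).` Whether the package manifests deliver /var/lib/cinder/keystone-signing and /var/lib/nova/keystone-signing with that owner and mode is not visible in this changeset and is worth confirming.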
--- a/components/openstack/common/openstack.p5m	Mon Jul 07 20:22:27 2014 -0700
+++ b/components/openstack/common/openstack.p5m	Mon Jul 07 20:35:11 2014 -0700
@@ -48,8 +48,8 @@
 depend type=group fmri=cloud/openstack/swift
 depend type=group fmri=library/python/ceilometerclient
 depend type=group fmri=library/python/cinderclient
+depend type=group fmri=library/python/glanceclient
 depend type=group fmri=library/python/heatclient
-depend type=group fmri=library/python/glanceclient
 depend type=group fmri=library/python/keystoneclient
 depend type=group fmri=library/python/neutronclient
 depend type=group fmri=library/python/novaclient
--- a/components/openstack/horizon/files/overrides.py	Mon Jul 07 20:22:27 2014 -0700
+++ b/components/openstack/horizon/files/overrides.py	Mon Jul 07 20:35:11 2014 -0700
@@ -38,6 +38,8 @@
     InstanceDetailTabs, LogTab, OverviewTab
 from openstack_dashboard.dashboards.project.instances.workflows import \
     create_instance
+from openstack_dashboard.dashboards.project.instances.workflows import \
+    update_instance
 from openstack_dashboard.dashboards.project.networks.ports.tables import \
     PortsTable as projectPortsTable
 from openstack_dashboard.dashboards.project.networks.subnets.tables import \
@@ -53,7 +55,7 @@
 from openstack_dashboard.dashboards.project.networks.workflows import \
     CreateNetworkInfoAction, CreateSubnetDetailAction, CreateSubnetInfoAction
 
-# remove VolumeOptions and PostCreationStep from LaunchInstance
+# Remove 'PostCreationStep' from Project/Instances/Launch Instance
 create_instance.LaunchInstance.default_steps = (
     create_instance.SelectProjectUser,
     create_instance.SetInstanceDetails,
@@ -61,59 +63,80 @@
     create_instance.SetNetwork
 )
 
-# Remove the Security Groups tab from Project/Access and Security
+# Remove 'UpdateInstanceSecurityGroups' from
+# Project/Instances/Actions/Edit Instance
+update_instance.UpdateInstance.default_steps = (
+    update_instance.UpdateInstanceInfo,
+)
+
+# Remove 'SecurityGroupsTab' tab from Project/Access & Security
 AccessAndSecurityTabs.tabs = (KeypairsTab, FloatingIPsTab, APIAccessTab)
 
-# remove the 'Console' tab from Instance Detail
+# Remove 'ConsoleTab' tab from Project/Instances/Instance Name
 InstanceDetailTabs.tabs = (OverviewTab, LogTab)
 
-# remove the 'Console' option in the Admin Instances pulldown by removing the
-# action for project_tables.ConsoleLink
+# Remove 'ConfirmResize', 'RevertResize', 'ConsoleLink', 'TogglePause',
+# 'ToggleSuspend', 'MigrateInstance' actions from Admin/Instances/Actions
 admin_tables.AdminInstancesTable._meta.row_actions = (
-    project_tables.ConfirmResize,
-    project_tables.RevertResize,
     admin_tables.AdminEditInstance,
     project_tables.LogLink,
     project_tables.CreateSnapshot,
-    project_tables.TogglePause,
-    project_tables.ToggleSuspend,
-    admin_tables.MigrateInstance,
     project_tables.SoftRebootInstance,
     project_tables.RebootInstance,
     project_tables.TerminateInstance
 )
 
-# Disable 'admin_state' and 'shared' checkboxes on Create Networks
+# Remove 'ConfirmResize', 'RevertResize', 'EditInstanceSecurityGroups',
+# 'ConsoleLink', 'TogglePause', 'ToggleSuspend', 'ResizeLink',
+# 'RebuildInstance' actions from Project/Instances/Actions
+project_tables.InstancesTable._meta.row_actions = (
+    project_tables.StartInstance,
+    project_tables.CreateSnapshot,
+    project_tables.SimpleAssociateIP,
+    project_tables.AssociateIP,
+    project_tables.SimpleDisassociateIP,
+    project_tables.EditInstance,
+    project_tables.LogLink,
+    project_tables.SoftRebootInstance,
+    project_tables.RebootInstance,
+    project_tables.StopInstance,
+    project_tables.TerminateInstance
+)
+
+# Disable 'admin_state' and 'shared' checkboxes in
+# Admin/Networks/Create Network
 CreateNetwork.base_fields['admin_state'].widget.attrs['disabled'] = True
 CreateNetwork.base_fields['shared'].widget.attrs['disabled'] = True
 
-# Disable 'admin_state' checkbox on Create Port
+# Disable 'admin_state' checkbox in
+# Admin/Networks/Network Name/Create Port
 CreatePort.base_fields['admin_state'].widget.attrs['disabled'] = True
 
-# Remove the ability to Update Ports
+# Remove 'UpdatePort' action from Admin/Networks/Network Name/Actions
 PortsTable._meta.row_actions = (DeletePort,)
 
-# Remove the ability to Update Subnets
+# Remove 'UpdateSubnet' action from Admin/Networks/Network Name/Actions
 SubnetsTable._meta.row_actions = (DeleteSubnet,)
 
-# Remove the ability to Edit Networks
+# Remove the 'EditNetwork' action from Admin/Networks/Actions
 NetworksTable._meta.row_actions = (DeleteNetwork,)
 
-# Remove the ability to Update project Ports
+# Remove the 'UpdatePort' action from Project/Networks/Name/Ports/Actions
 projectPortsTable._meta.row_actions = ()
 
-# Remove the ability to Update project Subnets
+# Remove the 'UpdateSubnet' action from
+# Project/Networks/Name/Subnets/Actions
 projectSubnetsTable._meta.row_actions = (projectDeleteSubnet,)
 
-# Remove the ability to Edit project Networks
+# Remove the 'EditNetwork' action from Project/Networks/Actions
 projectNetworksTable._meta.row_actions = (projectCreateSubnet,
                                           projectDeleteNetwork)
 
-# Disable 'admin_state' checkbox on Create project Networks
+# Disable 'admin_state' checkboxes in Project/Networks/Create Network/Network
 CreateNetworkInfoAction.base_fields['admin_state'].widget.attrs['disabled'] = \
     True
 
-# Disable 'no_gateway' checkbox on Create project Networks
+# Disable 'no_gateway' checkboxes in Project/Networks/Create Network/Subnet
 CreateSubnetInfoAction.base_fields['no_gateway'].widget.attrs['disabled'] = \
     True
 
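Review bot: Dropping `TogglePause`, `ToggleSuspend`, `ConsoleLink`, the resize actions and `EditInstanceSecurityGroups` from `row_actions`, and `UpdateInstanceSecurityGroups` from `default_steps`, only hides them in the dashboard. Nothing in this hunk stops the same operations being requested through the API or command-line clients. The title of 19130253 (pause/suspend reported as "successful" though nothing happens) suggests the backend accepts such requests, so the driver or policy should refuse unsupported operations explicitly; that code is outside this hunk. The `disabled` and `readonly` widget attributes set further down are likewise browser-side only. A comment at the top of the override block would record this: `# UI-only: unsupported operations must also be refused by the nova driver or policy.`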
@@ -121,7 +144,8 @@
 # Project/Images & Snapshots/Actions
 ImagesTable._meta.row_actions = (LaunchImage, EditImage, DeleteImage,)
 
-# change 'allocation_pools' and 'host_routes' to readonly
+# Change 'allocation_pools' and 'host_routes' fields to read-only in
+# Project/Networks/Create Network/Subnet Detail
 base_fields = CreateSubnetDetailAction.base_fields
 base_fields['allocation_pools'].widget.attrs['readonly'] = 'readonly'
 base_fields['host_routes'].widget.attrs['readonly'] = 'readonly'
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openstack/keystone/patches/07-CVE-2014-3520.patch	Mon Jul 07 20:35:11 2014 -0700
@@ -0,0 +1,91 @@
+This upstream patch addresses CVE-2014-3520 and is tracked under
+Launchpad bug 1331912. It is addressed in Icehouse 2014.1.2 and Havana
+2013.2.4.
+
+commit 96d9bcf230a74d6122a2b14e00ef10915c8f76e3
+Author: Jamie Lennox <[email protected]>
+Date:   Thu Jun 19 14:41:22 2014 +1000
+
+    Ensure that in v2 auth tenant_id matches trust
+    
+    Previously if a trustee requests a trust scoped token for a project that
+    is different to the one in the trust, however the trustor has the
+    appropriate roles then a token would be issued.
+    
+    Ensure that the trust that was given matches the project that was
+    specified in the scope.
+    
+    (cherry picked from commit 1556faec2f65dba60584f0a9657d5b717a6ede3a)
+    
+    Closes-Bug: #1331912
+    Change-Id: I00ad783bcb93cea9e5622965f81b91c80f4570cc
+
+diff --git a/keystone/tests/test_auth.py b/keystone/tests/test_auth.py
+index 6371caf..0d97f44 100644
+--- a/keystone/tests/test_auth.py
++++ b/keystone/tests/test_auth.py
[email protected]@ -624,13 +624,15 @@ class AuthWithTrust(AuthTest):
+         self.new_trust = self.trust_controller.create_trust(
+             context, trust=trust_data)['trust']
+ 
+-    def build_v2_token_request(self, username, password):
++    def build_v2_token_request(self, username, password, tenant_id=None):
++        if not tenant_id:
++            tenant_id = self.tenant_bar['id']
+         body_dict = _build_user_auth(username=username, password=password)
+         self.unscoped_token = self.controller.authenticate({}, body_dict)
+         unscoped_token_id = self.unscoped_token['access']['token']['id']
+         request_body = _build_user_auth(token={'id': unscoped_token_id},
+                                         trust_id=self.new_trust['id'],
+-                                        tenant_id=self.tenant_bar['id'])
++                                        tenant_id=tenant_id)
+         return request_body
+ 
+     def test_create_trust_bad_data_fails(self):
[email protected]@ -704,6 +706,15 @@ class AuthWithTrust(AuthTest):
+             exception.Forbidden,
+             self.controller.authenticate, {}, request_body)
+ 
++    def test_token_from_trust_wrong_project_fails(self):
++        for assigned_role in self.assigned_roles:
++            self.assignment_api.add_role_to_user_and_project(
++                self.trustor['id'], self.tenant_baz['id'], assigned_role)
++        request_body = self.build_v2_token_request('TWO', 'two2',
++                                                   self.tenant_baz['id'])
++        self.assertRaises(exception.Forbidden, self.controller.authenticate,
++                          {}, request_body)
++
+     def fetch_v2_token_from_trust(self):
+         request_body = self.build_v2_token_request('TWO', 'two2')
+         auth_response = self.controller.authenticate({}, request_body)
+diff --git a/keystone/token/controllers.py b/keystone/token/controllers.py
+index 72486a1..de7e473 100644
+--- a/keystone/token/controllers.py
++++ b/keystone/token/controllers.py
[email protected]@ -160,6 +160,8 @@ class Auth(controller.V2Controller):
+ 
+         user_ref = old_token_ref['user']
+         user_id = user_ref['id']
++        tenant_id = self._get_project_id_from_auth(auth)
++
+         if not CONF.trust.enabled and 'trust_id' in auth:
+             raise exception.Forbidden('Trusts are disabled.')
+         elif CONF.trust.enabled and 'trust_id' in auth:
[email protected]@ -168,6 +170,9 @@ class Auth(controller.V2Controller):
+                 raise exception.Forbidden()
+             if user_id != trust_ref['trustee_user_id']:
+                 raise exception.Forbidden()
++            if (trust_ref['project_id'] and
++                    tenant_id != trust_ref['project_id']):
++                raise exception.Forbidden()
+             if ('expires' in trust_ref) and (trust_ref['expires']):
+                 expiry = trust_ref['expires']
+                 if expiry < timeutils.parse_isotime(timeutils.isotime()):
[email protected]@ -190,7 +195,6 @@ class Auth(controller.V2Controller):
+             current_user_ref = self.identity_api.get_user(user_id)
+ 
+         metadata_ref = {}
+-        tenant_id = self._get_project_id_from_auth(auth)
+         tenant_ref, metadata_ref['roles'] = self._get_project_roles_and_ref(
+             user_id, tenant_id)
+ 
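Review bot: The check added in keystone/token/controllers.py compares `tenant_id` with `trust_ref['project_id']` only when the trust carries a project. A trust without one therefore still passes this branch with whatever tenant the request names, and the code that decides that case lies outside the hunk. The new test `test_token_from_trust_wrong_project_fails` covers only the mismatched-project case, so a companion test for a project-less trust would pin down the intended behaviour. A one-line comment above the check would help later readers, e.g. `# CVE-2014-3520: a trust-scoped token may only be issued for the trust's own project`. As this is an upstream commit carried as a local patch, such changes are better proposed upstream than made here.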
--- a/components/openstack/nova/files/api-paste.ini	Mon Jul 07 20:22:27 2014 -0700
+++ b/components/openstack/nova/files/api-paste.ini	Mon Jul 07 20:35:11 2014 -0700
@@ -122,6 +122,6 @@
 # signing_dir is configurable, but the default behavior of the authtoken
 # middleware should be sufficient.  It will create a temporary directory
 # in the home directory for the user the nova process is running as.
-#signing_dir = /var/lib/nova/keystone-signing
+signing_dir = /var/lib/nova/keystone-signing
 # Workaround for https://bugs.launchpad.net/nova/+bug/1154809
 auth_version = v2.0
--- a/components/openstack/nova/files/solariszones/driver.py	Mon Jul 07 20:22:27 2014 -0700
+++ b/components/openstack/nova/files/solariszones/driver.py	Mon Jul 07 20:35:11 2014 -0700
@@ -95,7 +95,7 @@
 # Mapping between zone state and Nova power_state.
 SOLARISZONES_POWER_STATE = {
     ZONE_STATE_CONFIGURED:      power_state.NOSTATE,
-    ZONE_STATE_INCOMPLETE:      power_state.BUILDING,
+    ZONE_STATE_INCOMPLETE:      power_state.NOSTATE,
     ZONE_STATE_UNAVAILABLE:     power_state.NOSTATE,
     ZONE_STATE_INSTALLED:       power_state.SHUTDOWN,
     ZONE_STATE_READY:           power_state.RUNNING,
@@ -498,9 +498,9 @@
             kstat_object = self._rad_instance.get_object(
                 kstat.Kstat(), rad.client.ADRGlobPattern(pattern))
         except Exception as reason:
-            LOG.warning(_("Unable to retrieve kstat object '%s:%s:%s' of "
-                          "class '%s' via kstat(3RAD): %s")
-                        % (module, instance, name, kstat_class, reason))
+            LOG.info(_("Unable to retrieve kstat object '%s:%s:%s' of class "
+                       "'%s' via kstat(3RAD): %s")
+                     % (module, instance, name, kstat_class, reason))
             return None
 
         kstat_data = {}
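Review bot: Downgrading this message to `LOG.info` affects every exception caught by `except Exception as reason`, not only the missing-kstat case on SPARC that the bug title describes. A genuine RAD failure (connection loss, permission problem) would now be logged at info level and is easy to miss. Catching the specific lookup error for the expected case and keeping `LOG.warning` for anything else would quieten the log without losing that signal. The enclosing method starts and ends outside the hunk.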
@@ -727,7 +727,8 @@
                 LOG.error(_("Cannot attach Fibre Channel volume '%s' because "
                           "no Fibre Channel HBA initiators were found")
                           % (target_wwn))
-                raise exception.InvalidVolume(reason="No host FC initiator")
+                raise exception.InvalidVolume(
+                    reason="No host Fibre Channel initiator found")
 
             target_lun = data['target_lun']
             # If the volume was exported just a few seconds previously then
@@ -1404,6 +1405,10 @@
         if zone is None:
             raise exception.InstanceNotFound(instance_id=name)
 
+        if self._get_state(zone) == power_state.SHUTDOWN:
+            self._power_on(instance)
+            return
+
         try:
             if reboot_type == 'SOFT':
                 zone.shutdown(['-r'])
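Review bot: The new early return calls `self._power_on(instance)` before the `try:` that wraps the reboot calls, so whatever logging or exception translation that block's `except` clause provides (not visible in this hunk) does not apply to the power-on path. It also ignores `reboot_type`, and acts on a state read a moment earlier that may since have changed. Moving the branch inside the `try:` would give both paths the same error handling. A comment would also explain the intent: `# A shut-down zone cannot be rebooted; boot it instead so a reboot request on a stopped instance succeeds.`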
--- a/components/openstack/swift/swift.p5m	Mon Jul 07 20:22:27 2014 -0700
+++ b/components/openstack/swift/swift.p5m	Mon Jul 07 20:35:11 2014 -0700
@@ -24,7 +24,6 @@
 #
 
 <transform file path=usr.*/man/.+ -> default mangler.man.stability uncommitted>
-
 set name=pkg.fmri \
     value=pkg:/cloud/openstack/[email protected]$(IPS_COMPONENT_VERSION),$(BUILD_VERSION)
 set name=pkg.summary value="OpenStack Swift"
@@ -71,7 +70,6 @@
 file path=etc/swift/swift-bench.conf
 file path=etc/swift/swift.conf
 <transform file path=lib/svc/.*/([^/]*) -> set action.hash files/%<1>>
-<transform file path=lib/svc/method/swift-proxy-server -> set action.hash files/swift-smf-method>
 file path=lib/svc/manifest/application/openstack/swift-account-auditor.xml
 file path=lib/svc/manifest/application/openstack/swift-account-reaper.xml
 file path=lib/svc/manifest/application/openstack/swift-account-replicator.xml
@@ -89,6 +87,7 @@
 file path=lib/svc/manifest/application/openstack/swift-proxy-server.xml
 file path=lib/svc/manifest/application/openstack/swift-replicator-rsync.xml
 <transform hardlink path=lib/svc/method -> default target swift-proxy-server>
+<transform file path=lib/svc/method/swift-proxy-server -> set action.hash files/swift-smf-method>
 hardlink path=lib/svc/method/swift-account-auditor
 hardlink path=lib/svc/method/swift-account-reaper
 hardlink path=lib/svc/method/swift-account-replicator