GitLab

Remove RC versions from Changelog and NEWS and add release date for
version 0.16.

paramiko throws 'SSHException' and not 'socket.error' when it cannot
connect to the remote server (Connection Refused). Catch the
SSHException and retry.

Since we are using a proper CA we do not need cert_override.txt
nor we should update-ca-certificates for skakeoil cert.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Apache and VNC will use the certificate previously issued by our CA.
For the Client we add this certificate to the system wide accepted
ones via update-ca-certificates and to the firefox database via
certutil.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

snf-vncauthproxy can now run on a separate node.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

The ca role will be a separate node able to create and sign
certificates. All components that need a certificate will get it
from this node. Since we are going to have one common certificate
for the synnefo.live CN including all DNS alternatives (astakos,
cyclades, vnc, etc.) this certificate will be created in advance and
everyone will get it during setup.

The cacert.pem will be added to the firefox db via certutil -A.

snf-vncauthproxy will use the corresponding cert.pem and key.pem.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

In short Synnefo will run as synnefo:www-data while Archipelago as
synnefo:synnefo. The exported directories in NFS should be
root:synnefo with g+ws.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Additionally change the NFS dirs to /srv/pithos/{blocks,maps,locks}.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

It was 20-snf-astakos-oa2-app-settings.py.
Make it 20-snf-astakos-app-oa2.conf.

This way the postinst script will find it and dpkg-statoverride
properly.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

..until a proper postinst script that uses dpkg-statoverride
to modify the owners and permissions of its own conf files
is included in the package.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

..shipped under /etc/gunicorn.d/synnefo.example.

Let gunicorn run as synnefo:synnefo
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Due to a bug in Archipelago [2] we chown /dev/shm/posixfd after
Archipelago restart.

This should be reverted after this PR is merged and a
new Archipelago version is released.

[2] https://github.com/grnet/archipelago/pull/44Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

In short make gunicorn and snf-dispatcher run as
synnefo:synnefo, and Archipelago as archipelago:synnefo.

This way the synnefo components that run as synnefo:synnefo
(Cyclades, Pithos, etc.) can access the backing storage only through
Archipelago (i.e. named pipes in /dev/shm/posixfd/) and not
directly.

Since we are using NFS we let archipelago user and synnefo group
with common uid and gid respectively across all nodes. The
Archipelago dir to be exported will be owned by archipelago:synnefo
and have group write permissions.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Both Image and Kamaki download the debian base image. In order
to download it just once we store it under /tmp and check
if it exists before downloading it again.

Use -4 option in wget in order not to use IPv6.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Up until now, snf-deploy used /etc/default/snf-image as a template with
default snf-image settings commented. These settings were never
updated and as a result they were different from the ones the package is
shipped with. This patch, after package installation, moves original
/etc/default/snf-image to snf-image.orig and then overwrites it with
the template that includes only the settings that deploy wants to
change.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

In order to communicate with Archipelago, Pithos backend needs to create
named pipes (under '/var/run/shm/posixfd') that can be read/written by the
group that Archipelago is running. This is achieved by using 'setgid' in the
specified directory combined with a proper 'umask'. For Gunicorn workers, the
umask is set by gunicorn-hooks. However, snf-manage commands did not set the
needed umask which resulted in wrong permissions.

This commits includes an ugly workaround to bypass this issue by setting
the needed umask in 'SynnefoManagementUtility' for subcommands that are
handling images, snapshots and files and for subcommands that define
the 'umask' class attribute.

Retry '_check_file_through_ssh' if ssh connection fails with
'ECONNREFUSED' (probably because the sshd service has not come up yet).

Since qemu doesn't truncate the pid file when it opens / creates it,
there's a chance that the pid file will contain more than one lines,
with truncated older PIDs. Read only the first line of the pid file, to
avoid an exception in the cpustats collectd plugin.

If '-k' flag is not given, try to retrieve it from kamaki's config file.

Update volume-type-list command to count only non-deleted servers,
volumes and flavors that are using each volume type. Also, remove
select and prefetch related statements as they are only making the
DB query slower.

Patch kamaki clients to use ca_certs path found in kamakirc file or to
completely skip SSL verification using the '--ignore-ssl' flag.

Bump kamaki version dependency to '>= 0.13rc5'.

Patch kamaki clients to use ca_certs path found in kamakirc file or to
completely skip SSL verification using the '--ignore-ssl' flag.

If import statement fails to find Gevent's select use
Python select instead.

Pithos and Cyclades components require ArchipSynnefo which makes
gunicorn run as root:archipelago.

Currently all snf-* packages install their conf files as
root:www-data. Note that the g+s mode in /etc/synnefo does is not
enough since debian uses mv and not copy to put the conf files in
the proper dir.

Thus we have to manually change the owner of conf files after
package installation.

Do this in GTools and Admin components too.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>