Bug#988828: unblock: cloudkitty/13.0.0-6
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package cloudkitty
Cloudkitty is the "rating" module of OpenStack. With it, operators can
set prices on resources, and Cloudkitty aggregates what's spent.
In this context, the command:
cloudkitty summary get -t <ID-of-the-project>
This results of something like this:
+----------------------------------+---------------+-------------+---------------------+---------------------+
| Tenant ID | Resource Type | Rate | Begin Time | End Time |
+----------------------------------+---------------+-------------+---------------------+---------------------+
| b18351dc53464a7cadb0c002b8b2a0da | ALL | 80890.32918 | 2021-05-01T00:00:00 | 2021-06-01T00:00:00 |
+----------------------------------+---------------+-------------+---------------------+---------------------+
where "Rate" is what has been spent by the project
b18351dc53464a7cadb0c002b8b2a0da.
Unfortunately, the -t option doesn't work, unless the patch (included in
the attached debdiff). The result is that an admin of an OpenStack
deployment cannot know the rating for the administered users.
I had this patch (from upstream) ready for the last 2 months, but I was
not able to properly test it until last week. We tested it in a real
production environment, and it repaired the -t option of "summary get"
as expected.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
unblock cloudkitty/13.0.0-6
Cheers,
Thomas Goirand (zigo)
diff -Nru cloudkitty-13.0.0/debian/changelog cloudkitty-13.0.0/debian/changelog
--- cloudkitty-13.0.0/debian/changelog 2021-03-10 09:43:01.000000000 +0100
+++ cloudkitty-13.0.0/debian/changelog 2021-05-20 09:10:18.000000000 +0200
@@ -1,3 +1,10 @@
+cloudkitty (13.0.0-6) unstable; urgency=medium
+
+ * Tune cloudkitty-api-uwsgi.ini for performance.
+ * Add Fix-default-admin_or_owner-policy-expression.patch.
+
+ -- Thomas Goirand <zigo@debian.org> Thu, 20 May 2021 09:10:18 +0200
+
cloudkitty (13.0.0-5) unstable; urgency=medium
* Add rate-everyone.patch.
diff -Nru cloudkitty-13.0.0/debian/cloudkitty-api-uwsgi.ini cloudkitty-13.0.0/debian/cloudkitty-api-uwsgi.ini
--- cloudkitty-13.0.0/debian/cloudkitty-api-uwsgi.ini 2021-03-10 09:43:01.000000000 +0100
+++ cloudkitty-13.0.0/debian/cloudkitty-api-uwsgi.ini 2021-05-20 09:10:18.000000000 +0200
@@ -12,11 +12,6 @@
# This is running standalone
master = true
-# Threads and processes
-enable-threads = true
-
-processes = 8
-
# uwsgi recommends this to prevent thundering herd on accept.
thunder-lock = true
@@ -34,6 +29,23 @@
# exit instead of brutal reload on SIGTERM
die-on-term = true
+##########################
+### Performance tuning ###
+##########################
+# Threads and processes
+enable-threads = true
+
+# For max perf, set this to number of core*2
+processes = 8
+
+# This was benchmarked as a good value
+threads = 32
+
+# This is the number of sockets in the queue.
+# It improves a lot performances. This is comparable
+# to the Apache ServerLimit/MaxClients option.
+listen = 100
+
##################################
### OpenStack service specific ###
##################################
diff -Nru cloudkitty-13.0.0/debian/patches/Fix-default-admin_or_owner-policy-expression.patch cloudkitty-13.0.0/debian/patches/Fix-default-admin_or_owner-policy-expression.patch
--- cloudkitty-13.0.0/debian/patches/Fix-default-admin_or_owner-policy-expression.patch 1970-01-01 01:00:00.000000000 +0100
+++ cloudkitty-13.0.0/debian/patches/Fix-default-admin_or_owner-policy-expression.patch 2021-05-20 09:10:18.000000000 +0200
@@ -0,0 +1,47 @@
+Description: Fix default admin_or_owner policy expression
+ By default not even an admin can use the get_summary endpoint with
+ all_tenants=True or using a tenant_id parameter. This commit fixes that.
+ .
+ This rule is now the same as how cinder defines admin_or_owner.
+From: Jonathan Herlin <jonathan.herlin@elits.com>
+Date: Thu, 01 Apr 2021 18:17:08 +0200
+Change-Id: I3e34927e8ab88f25d2975b4dbac89b52a7d94c98
+Origin: upstream, https://review.opendev.org/c/openstack/cloudkitty/+/784444
+Last-Update: 2021-04-23
+
+diff --git a/cloudkitty/common/policies/base.py b/cloudkitty/common/policies/base.py
+index 99591ec..0fe4847 100644
+--- a/cloudkitty/common/policies/base.py
++++ b/cloudkitty/common/policies/base.py
+@@ -25,7 +25,9 @@
+ check_str='role:admin'),
+ policy.RuleDefault(
+ name='admin_or_owner',
+- check_str='is_admin:True or project_id:%(project_id)s'),
++ check_str='is_admin:True or '
++ '(role:admin and is_admin_project:True) or '
++ 'project_id:%(project_id)s'),
+ policy.RuleDefault(
+ name='default',
+ check_str=UNPROTECTED)
+diff --git a/doc/source/_static/cloudkitty.policy.yaml.sample b/doc/source/_static/cloudkitty.policy.yaml.sample
+index 26abee2..37d3e28 100644
+--- a/doc/source/_static/cloudkitty.policy.yaml.sample
++++ b/doc/source/_static/cloudkitty.policy.yaml.sample
+@@ -1,6 +1,6 @@
+ #"context_is_admin": "role:admin"
+
+-#"admin_or_owner": "is_admin:True or project_id:%(project_id)s"
++#"admin_or_owner": "is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s"
+
+ #"default": ""
+
+@@ -45,7 +45,7 @@
+ # GET /v1/info/config
+ #"info:get_config": ""
+
+-# Reture the list of loaded modules in Cloudkitty.
++# Return the list of loaded modules in Cloudkitty.
+ # LIST /v1/rating/modules
+ #"rating:list_modules": "role:admin"
+
diff -Nru cloudkitty-13.0.0/debian/patches/series cloudkitty-13.0.0/debian/patches/series
--- cloudkitty-13.0.0/debian/patches/series 2021-03-10 09:43:01.000000000 +0100
+++ cloudkitty-13.0.0/debian/patches/series 2021-05-20 09:10:18.000000000 +0200
@@ -4,3 +4,4 @@
log-how-many-tenants-fetched.patch
add-force-granularity-300-for-cpu.patch
rate-everyone.patch
+Fix-default-admin_or_owner-policy-expression.patch
Reply to: