PyPI - inmanta-module-openstack - Versions diffs - 5.0.2__tar.gz → 5.1.0__tar.gz - Mend

inmanta-module-openstack 5.0.2tar.gz → 5.1.0tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (57) hide show

{inmanta_module_openstack-5.0.2 → inmanta_module_openstack-5.1.0}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: inmanta-module-openstack
-Version: 5.0.2
+Version: 5.1.0
 License: Apache 2.0
 Requires-Dist: inmanta-module-ssh
 Requires-Dist: inmanta-module-std

{inmanta_module_openstack-5.0.2 → inmanta_module_openstack-5.1.0}/inmanta_module_openstack.egg-info/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: inmanta-module-openstack
-Version: 5.0.2
+Version: 5.1.0
 License: Apache 2.0
 Requires-Dist: inmanta-module-ssh
 Requires-Dist: inmanta-module-std

{inmanta_module_openstack-5.0.2 → inmanta_module_openstack-5.1.0}/inmanta_module_openstack.egg-info/SOURCES.txt RENAMED Viewed

@@ -15,6 +15,7 @@ inmanta_plugins/openstack/common/base.py
 inmanta_plugins/openstack/common/deps.py
 inmanta_plugins/openstack/compute/__init__.py
 inmanta_plugins/openstack/compute/flavor.py
+inmanta_plugins/openstack/compute/host_aggregate.py
 inmanta_plugins/openstack/compute/host_port.py
 inmanta_plugins/openstack/compute/virtual_machine.py
 inmanta_plugins/openstack/identity/__init__.py
@@ -45,6 +46,8 @@ tests/test_block_devices.py
 tests/test_dependency_handling.py
 tests/test_examples.py
 tests/test_flavor.py
+tests/test_host_aggregate.py
+tests/test_host_port_security_groups.py
 tests/test_image.py
 tests/test_keystone.py
 tests/test_neutron.py

{inmanta_module_openstack-5.0.2 → inmanta_module_openstack-5.1.0}/inmanta_plugins/openstack/common/deps.py RENAMED Viewed

@@ -17,11 +17,15 @@ Contact: code@inmanta.com
 """
 from collections import defaultdict
+from collections.abc import Mapping
 from inmanta.export import dependency_manager
 from inmanta_plugins.openstack.common.base import OpenstackResource
+# Per-provider view of the collected resources: resource type -> resource name -> resource.
+ResourceCollector = Mapping[str, Mapping[str, OpenstackResource]]
 MANAGED_DEPENDENCIES = {
     "openstack::Project",
     "openstack::Network",
@@ -34,9 +38,15 @@ MANAGED_DEPENDENCIES = {
 }
-def resource_collector(resource_model):
-    purged_resources = defaultdict(lambda: defaultdict(dict))
-    non_purged_resources = defaultdict(lambda: defaultdict(dict))
+def resource_collector(
+    resource_model: Mapping[object, OpenstackResource],
+) -> tuple[Mapping[object, ResourceCollector], Mapping[object, ResourceCollector]]:
+    purged_resources: dict[object, dict[str, dict[str, OpenstackResource]]] = (
+        defaultdict(lambda: defaultdict(dict))
+    )
+    non_purged_resources: dict[object, dict[str, dict[str, OpenstackResource]]] = (
+        defaultdict(lambda: defaultdict(dict))
+    )
     for current_resource in resource_model.values():
         rtype = current_resource.id.entity_type
@@ -51,14 +61,13 @@ def resource_collector(resource_model):
     return purged_resources, non_purged_resources
-def set_dependencies_on_purged_resources(
-    collector: dict[str, OpenstackResource],
-) -> None:
+def set_dependencies_on_purged_resources(collector: ResourceCollector) -> None:
     """
-    This method only sets the dependencies between a VM and its ports!
+    Set the dependencies between purged VMs/ports and the security groups they reference.
     """
     vms = collector.get("openstack::VirtualMachine", {})
     ports = collector.get("openstack::HostPort", {})
+    sgs = collector.get("openstack::SecurityGroup", {})
     # When the VM is purged, all its purged ports should be deployed first
     for vm in vms.values():
@@ -67,10 +76,15 @@ def set_dependencies_on_purged_resources(
                 port_id = ports[vm_port["name"]].id
                 vm.requires.add(port_id)
+    # When a security group is purged, every port referencing it must be removed (or have the
+    # reference dropped) before the group itself can be deleted.
+    for port in ports.values():
+        for sg_name in port.security_groups:
+            if sg_name in sgs:
+                sgs[sg_name].requires.add(port.id)
-def set_dependencies_on_non_purged_resources(
-    collector: dict[str, OpenstackResource],
-) -> None:
+def set_dependencies_on_non_purged_resources(collector: ResourceCollector) -> None:
     projects = collector.get("openstack::Project", {})
     networks = collector.get("openstack::Network", {})
     routers = collector.get("openstack::Router", {})
@@ -131,6 +145,10 @@ def set_dependencies_on_non_purged_resources(
         if port.host in vms:
             port.requires.add(vms[port.host].id)
+        for sg_name in port.security_groups:
+            if sg_name in sgs:
+                port.requires.add(sgs[sg_name].id)
     for fip in fips.values():
         if fip.external_network in networks:
             fip.requires.add(networks[fip.external_network].id)
@@ -146,7 +164,9 @@ def set_dependencies_on_non_purged_resources(
 @dependency_manager
-def openstack_dependencies(config_model, resource_model):
+def openstack_dependencies(
+    config_model: object, resource_model: Mapping[object, OpenstackResource]
+) -> None:
     purged_resources, non_purged_resources = resource_collector(resource_model)
     for project, collector in non_purged_resources.items():
         set_dependencies_on_non_purged_resources(collector)
@@ -155,10 +175,12 @@ def openstack_dependencies(config_model, resource_model):
 @dependency_manager
-def keystone_dependencies(config_model, resource_model):
-    projects = {}
-    users = {}
-    roles = []
+def keystone_dependencies(
+    config_model: object, resource_model: Mapping[object, OpenstackResource]
+) -> None:
+    projects: dict[str, OpenstackResource] = {}
+    users: dict[str, OpenstackResource] = {}
+    roles: list[OpenstackResource] = []
     for _, res in resource_model.items():
         if res.id.entity_type == "openstack::Project":
             if not res.purged:

{inmanta_module_openstack-5.0.2 → inmanta_module_openstack-5.1.0}/inmanta_plugins/openstack/compute/flavor.py RENAMED Viewed

@@ -79,6 +79,29 @@ class FlavorHandler(OpenStackHandler):
         )
         return self.require_single_item(flavors)
+    def _create_flavor(self, resource: Flavor):
+        """Create a flavor in OpenStack."""
+        flavor = self._connection.compute.create_flavor(
+            name=resource.name,
+            ram=resource.ram,
+            vcpus=resource.vcpus,
+            disk=resource.disk,
+            id=resource.flavor_id,
+            ephemeral=resource.ephemeral,
+            swap=resource.swap,
+            rxtx_factor=resource.rxtx_factor,
+            is_public=resource.is_public,
+        )
+        if resource.extra_specs:
+            self._connection.compute.create_flavor_extra_specs(
+                flavor, resource.extra_specs
+            )
+        return flavor
+    def _delete_flavor(self) -> None:
+        self._connection.compute.delete_flavor(self.flavor.id, ignore_missing=True)
     def read_resource(self, ctx: handler.HandlerContext, resource: Flavor) -> None:
         self.flavor = self._get_flavor(resource)
         if self.flavor is None:
@@ -101,27 +124,12 @@ class FlavorHandler(OpenStackHandler):
         self._set_facts(ctx)
     def create_resource(self, ctx: handler.HandlerContext, resource: Flavor) -> None:
-        self.flavor = self._connection.compute.create_flavor(
-            name=resource.name,
-            ram=resource.ram,
-            vcpus=resource.vcpus,
-            disk=resource.disk,
-            id=resource.flavor_id,
-            ephemeral=resource.ephemeral,
-            swap=resource.swap,
-            rxtx_factor=resource.rxtx_factor,
-            is_public=resource.is_public,
-        )
-        if resource.extra_specs:
-            self._connection.compute.create_flavor_extra_specs(
-                self.flavor, resource.extra_specs
-            )
+        self.flavor = self._create_flavor(resource)
         self._set_facts(ctx)
         ctx.set_created()
     def delete_resource(self, ctx: handler.HandlerContext, resource: Flavor) -> None:
-        self._connection.compute.delete_flavor(self.flavor.id, ignore_missing=True)
+        self._delete_flavor()
         ctx.set_purged()
     def update_resource(
@@ -130,31 +138,33 @@ class FlavorHandler(OpenStackHandler):
         changes: dict,
         resource: Flavor,
     ) -> None:
-        self.validate_allowed_fields(
-            changes,
-            {
-                "extra_specs",
-            },
-        )
-        if "extra_specs" in changes:
-            new_extra_specs = changes["extra_specs"]["desired"]
-            extra_specs_to_remove = [
-                key for key in self.flavor.extra_specs if key not in new_extra_specs
-            ]
-            for key in extra_specs_to_remove:
-                self._connection.compute.delete_flavor_extra_specs_property(
-                    self.flavor, key
-                )
-            self._connection.compute.create_flavor_extra_specs(
-                self.flavor, new_extra_specs
+        """Update flavor parameters.
+        OpenStack flavors must be immutable, so *every* change - including
+        extra_specs - is applied by deleting the existing flavor and
+        recreating it. This is only safe when OpenStack assigns the id: an
+        explicit flavor_id would collide with the soft-deleted flavor, so we
+        refuse such changes instead.
+        """
+        if self._resource_has_explicit_flavor_id(resource):
+            raise ValueError(
+                f"Cannot change {sorted(changes)} on a flavor with an explicit "
+                f"flavor_id: recreating it would reuse the soft-deleted id. "
+                f"Remove the flavor and create a new one instead."
             )
-            self.flavor = self._get_flavor(resource)
+        ctx.info(
+            "Recreating flavor; changed field(s): %(fields)s",
+            fields=sorted(changes),
+        )
+        self._delete_flavor()
+        self.flavor = self._create_flavor(resource)
+        self._set_facts(ctx)
         ctx.set_updated()
     def _set_facts(self, ctx):
-        ctx.set_fact("flavor_id", self.flavor.id, expires=False)
-        ctx.set_fact("is_disabled", str(self.flavor.is_disabled), expires=True)
+        ctx.set_fact("flavor_id", self.flavor.id)
+        ctx.set_fact("is_disabled", str(self.flavor.is_disabled))
     @cache(timeout=5)
     def facts(self, ctx, resource: Flavor) -> dict:

inmanta_module_openstack-5.1.0/inmanta_plugins/openstack/compute/host_aggregate.py ADDED Viewed

@@ -0,0 +1,117 @@
+"""
+Copyright 2026 Inmanta
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+    http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+Contact: code@inmanta.com
+"""
+from inmanta.agent import handler
+from inmanta.agent.handler import ResourcePurged, SkipResource, provider
+from inmanta.resources import resource
+from inmanta_plugins.openstack.common.base import (
+    OpenstackAdminResource,
+    OpenStackHandler,
+)
+@resource(
+    "openstack::HostAggregateMetadata",
+    agent="provider.name",
+    id_attribute="metadata_id",
+)
+class HostAggregateMetadata(OpenstackAdminResource):
+    """A single key/value metadata item on a Nova host aggregate."""
+    fields = ("aggregate", "key", "value")
+    aggregate: str
+    key: str
+    value: str
+    @staticmethod
+    def get_metadata_id(_, resource) -> str:
+        # Unique per (aggregate, key) within the provider's agent.
+        return f"{resource.aggregate}::{resource.key}"
+@provider("openstack::HostAggregateMetadata", name="openstack")
+class HostAggregateMetadataHandler(OpenStackHandler):
+    """Manage a single metadata key on a host aggregate.
+    create/update -> set the key to the desired value
+    delete        -> remove the key (Nova removes a key when its value is None),
+                     leaving any other keys on the aggregate untouched
+    """
+    def _get_aggregate(self, resource: HostAggregateMetadata, *, required: bool):
+        aggregate = self._connection.compute.find_aggregate(
+            resource.aggregate, ignore_missing=True
+        )
+        if aggregate is None and required:
+            raise SkipResource(
+                f"Host aggregate '{resource.aggregate}' does not exist; cannot manage "
+                f"metadata key '{resource.key}'. The aggregate must be created first."
+            )
+        return aggregate
+    def read_resource(
+        self, ctx: handler.HandlerContext, resource: HostAggregateMetadata
+    ) -> None:
+        aggregate = self._get_aggregate(resource, required=True)
+        metadata = aggregate.metadata or {}
+        if resource.key not in metadata:
+            raise ResourcePurged()
+        resource.purged = False
+        # Surface the current value so a changed value is detected as a diff.
+        resource.value = metadata[resource.key]
+    def create_resource(
+        self, ctx: handler.HandlerContext, resource: HostAggregateMetadata
+    ) -> None:
+        aggregate = self._get_aggregate(resource, required=True)
+        self._connection.compute.set_aggregate_metadata(
+            aggregate, metadata={resource.key: resource.value}
+        )
+        ctx.set_created()
+    def update_resource(
+        self,
+        ctx: handler.HandlerContext,
+        changes: dict,
+        resource: HostAggregateMetadata,
+    ) -> None:
+        # Only the value can change; aggregate and key are part of the resource id.
+        aggregate = self._get_aggregate(resource, required=True)
+        self._connection.compute.set_aggregate_metadata(
+            aggregate, metadata={resource.key: resource.value}
+        )
+        ctx.set_updated()
+    def delete_resource(
+        self, ctx: handler.HandlerContext, resource: HostAggregateMetadata
+    ) -> None:
+        aggregate = self._get_aggregate(resource, required=False)
+        if aggregate is None:
+            # Aggregate gone -> the key is gone with it; nothing to unset.
+            ctx.set_purged()
+            return
+        # Nova removes a metadata key when it is set to None, leaving any other keys
+        # on the aggregate untouched.
+        self._connection.compute.set_aggregate_metadata(
+            aggregate, metadata={resource.key: None}
+        )
+        ctx.set_purged()

{inmanta_module_openstack-5.0.2 → inmanta_module_openstack-5.1.0}/inmanta_plugins/openstack/compute/host_port.py RENAMED Viewed

@@ -47,6 +47,7 @@ class HostPort(Port):
         "wait",
         "allowed_address_pairs",
         "wait_for_vm",
+        "security_groups",
     )
     host: str
     portsecurity: bool
@@ -56,6 +57,7 @@ class HostPort(Port):
     wait: bool
     allowed_address_pairs: dict[str, Optional[str]]
     wait_for_vm: bool
+    security_groups: list[str]
     @staticmethod
     def get_host(_, port):
@@ -77,6 +79,10 @@ class HostPort(Port):
         """field used to determine if we expect the VM to be present at all"""
         return not (port.vm.purged)
+    @staticmethod
+    def get_security_groups(_, port):
+        return sorted([v.name for v in port.security_groups])
 @provider("openstack::HostPort", name="openstack")
 class HostPortHandler(OpenStackHandler):
@@ -182,6 +188,13 @@ class HostPortHandler(OpenStackHandler):
             pair["ip_address"]: pair.get("mac_address")
             for pair in self.port.allowed_address_pairs
         }
+        if resource.security_groups:
+            resource.security_groups = sorted(
+                self.get_security_group(project_id=self.project_id, group_id=sg_id).name
+                for sg_id in self.port.security_group_ids
+            )
         resource.name = self.port.name
         self._set_facts(ctx)
@@ -209,7 +222,13 @@ class HostPortHandler(OpenStackHandler):
             ]
         port_attrs["port_security_enabled"] = resource.portsecurity
-        port_attrs["security_groups"] = None
+        if resource.security_groups:
+            port_attrs["security_group_ids"] = [
+                self.get_security_group(project_id=self.project_id, name=sg).id
+                for sg in resource.security_groups
+            ]
+        else:
+            port_attrs["security_group_ids"] = None
         # Allowed address pairs
         if resource.allowed_address_pairs:
@@ -248,16 +267,27 @@ class HostPortHandler(OpenStackHandler):
         resource: HostPort,
     ) -> None:
         self.validate_allowed_fields(
-            changes, {"portsecurity", "name", "allowed_address_pairs"}
+            changes,
+            {"portsecurity", "name", "allowed_address_pairs", "security_groups"},
+        )
+        disabling_portsecurity = (
+            "portsecurity" in changes and not changes["portsecurity"]["desired"]
         )
         if self.port.is_port_security_enabled and "portsecurity" in changes:
             if not changes["portsecurity"]["desired"]:
                 self.port.is_port_security_enabled = False
-                self.port.security_groups = None
+                self.port.security_group_ids = []
             else:
                 raise SkipResource("Turning port security on again is not supported.")
+        if "security_groups" in changes and not disabling_portsecurity:
+            self.port.security_group_ids = [
+                self.get_security_group(project_id=self.project_id, name=sg).id
+                for sg in resource.security_groups
+            ]
         # Handle name change
         if "name" in changes:
             self.port.name = resource.name

{inmanta_module_openstack-5.0.2 → inmanta_module_openstack-5.1.0}/inmanta_plugins/openstack/compute/virtual_machine.py RENAMED Viewed

@@ -57,6 +57,7 @@ class VirtualMachine(OpenstackResource):
         "metadata",
         "personality",
         "block_devices",
+        "availability_zone",
     )
     name: str
     flavor: str
@@ -69,6 +70,7 @@ class VirtualMachine(OpenstackResource):
     config_drive: bool
     metadata: dict[str, str]
     personality: dict[str, str]
+    availability_zone: str | None
     block_devices: list[dict]
     @staticmethod
@@ -282,8 +284,17 @@ class VirtualMachineHandler(OpenStackHandler):
             )
         resource.purged = False
-        self._connection.compute.fetch_server_security_groups(self.server)
-        resource.security_groups = [sg["name"] for sg in self.server.security_groups]
+        if resource.security_groups:
+            # An empty relation leaves the server-level security groups unmanaged, so port
+            # security groups (managed through neutron) can be used for fine-grained control
+            # without the VM handler fighting over the nova server-level groups.
+            self._connection.compute.fetch_server_security_groups(self.server)
+            resource.security_groups = [
+                sg["name"] for sg in self.server.security_groups
+            ]
+        # AZ is create-only; reflect the live value only when pinned to avoid spurious drift.
+        if resource.availability_zone is not None:
+            resource.availability_zone = self.server.availability_zone
         # The port handler has to handle all network/port related changes
         self._set_facts(ctx)
@@ -316,6 +327,8 @@ class VirtualMachineHandler(OpenStackHandler):
             args["block_device_mapping_v2"] = list(resource.block_devices)
         else:
             args["image_id"] = resource.image
+        if resource.availability_zone is not None:
+            args["availability_zone"] = resource.availability_zone
         ctx.info(
             f"Creating server with name {resource.name} and options",
             options=args,

{inmanta_module_openstack-5.0.2 → inmanta_module_openstack-5.1.0}/inmanta_plugins/openstack/model/_init.cf RENAMED Viewed

@@ -365,7 +365,16 @@ entity HostPort extends Port:
     int wait=5
 end
+implementation noSecurityGroupsWhenPortSecurityDisabled for HostPort:
+    # Security groups can only be enforced on a port when port security is enabled.
+    std::assert(
+        std::count(self.security_groups) == 0,
+        "HostPort '{{name}}' cannot have security_groups assigned while portsecurity is disabled."
+    )
+end
 implement HostPort using providerRequire
+implement HostPort using noSecurityGroupsWhenPortSecurityDisabled when not self.portsecurity
 HostPort.subnet [1] -- Subnet.host_ports [0:]
 HostPort.vm [1] -- VirtualMachine.ports [0:]
@@ -618,6 +627,12 @@ end
 SecurityGroup.provider [1] -- Provider.security_groups [0:]
 SecurityGroup.project [1] -- Project.security_groups [0:]
 SecurityGroup.virtual_machines [0:] -- VirtualMachine.security_groups [0:]
+HostPort.security_groups [0:] -- SecurityGroup
+"""
+:rel security_groups: The security groups to enforce on this port. When left empty (the default), the
+    port's security groups are left unmanaged for backward compatibility: existing groups (including the
+    Neutron ``default`` group) are kept untouched and never cleared. Requires portsecurity to be enabled.
+"""
 typedef protocol as string matching self in ["tcp", "udp", "icmp", "sctp", "all"]
@@ -683,6 +698,7 @@ entity VMAttributes:
         :param metadata: A dict of metadata items
         :param personality: A dict of files (personality)
         :param config_drive: Attach a configuration drive to the vm
+        :param availability_zone: Nova availability zone to schedule the VM in. When null, Nova chooses.
     """
     string flavor
     string? image = null
@@ -690,6 +706,7 @@ entity VMAttributes:
     dict metadata={}
     dict personality={}
     bool config_drive=false
+    string? availability_zone = null
 end
 entity VirtualMachine extends OpenStackResource, VMAttributes:
@@ -770,6 +787,32 @@ end
 implement Flavor using providerRequire
+index HostAggregateMetadata(provider, aggregate, key)
+HostAggregateMetadata.provider [1] -- Provider.host_aggregate_metadata [0:]
+entity HostAggregateMetadata extends OpenStackResource:
+    """
+        A single metadata item (key/value) on a Nova host aggregate.
+        Each instance manages exactly one key on the named aggregate and leaves all
+        other keys untouched, so multiple instances - and multiple consumers - can
+        safely manage different keys on the same aggregate. Purging the resource removes
+        the key from the aggregate again.
+        A typical use case is the ``AggregateMultiTenancyIsolation`` scheduler filter,
+        where keys of the form ``filter_tenant_id_<suffix>`` pin projects to an aggregate.
+        :attr aggregate: Name of the host aggregate to manage the metadata on. The
+            aggregate must already exist; this resource does not create or delete it.
+        :attr key: The metadata key to manage.
+        :attr value: The value to set for ``key``.
+    """
+    string aggregate
+    string key
+    string value
+end
+implement HostAggregateMetadata using providerRequire
 index Image(provider, name)
 Image.provider [1] -- Provider.images [0:]

{inmanta_module_openstack-5.0.2 → inmanta_module_openstack-5.1.0}/inmanta_plugins/openstack/network/network_port.py RENAMED Viewed

@@ -70,7 +70,7 @@ class NetworkPortHandler(OpenStackHandler):
                 "Cannot read a port when the project id is not yet known."
             )
-        self.network = self.get_network(None, resource.network)
+        self.network = self.get_network(self.project_id, resource.network)
         if self.network is None:
             raise SkipResource(
                 "Network {} for port {} not found.".format(

{inmanta_module_openstack-5.0.2 → inmanta_module_openstack-5.1.0}/inmanta_plugins/openstack/setup.cfg RENAMED Viewed

@@ -22,7 +22,7 @@ target-version = 'py36', 'py37', 'py38'
 name = inmanta-module-openstack
 freeze_recursive = False
 freeze_operator = ~=
-version = 5.0.2
+version = 5.1.0
 license = Apache 2.0
 [egg_info]

{inmanta_module_openstack-5.0.2 → inmanta_module_openstack-5.1.0}/setup.cfg RENAMED Viewed

@@ -22,7 +22,7 @@ target-version = 'py36', 'py37', 'py38'
 name = inmanta-module-openstack
 freeze_recursive = False
 freeze_operator = ~=
-version = 5.0.2
+version = 5.1.0
 license = Apache 2.0
 [egg_info]

inmanta-module-openstack 5.0.2__tar.gz → 5.1.0__tar.gz

inmanta-module-openstack 5.0.2tar.gz → 5.1.0tar.gz