Tips & Tricks when developing on a DevStack

OpenStack DevStack development

Making changes to the deployed components

Enabling cinder-backup

To enable cinder-backup, add the following to your local.conf and redeploy:

# Cinder backup (will use Swift per default, otherwise $CINDER_BACKUP_DRIVER)
enable_service c-bak
# Swift, needed by Cinder backup
enable_service swift s-proxy s-object s-container s-account

Adding Barbican

Barbican is not deployed by default. Add it explicitly to local.conf as shown below, then redeploy:

...
# Barbican plugin
enable_plugin barbican https://opendev.org/openstack/barbican

Making changes to configuration or source code

Upstream guide: https://docs.openstack.org/devstack/latest/development.html

Making configuration changes

  • you can find the .conf files in the VM guest directly under the corresponding /etc/ trees
    • e.g. /etc/keystone/keystone.conf
  • there are systemd services for all OpenStack components
    • you can list them with systemctl list-units | grep devstack
    • note that many services have abbreviated names: c-* for Cinder, g-* for Glance, n-* for Neutron and so on

Enabling the new RBAC defaults (enforce_scope)

Related: https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html

To use this new option, adjustments are necessary both server-side (DevStack) and client-side (OSC, Tempest).

NOTE: The enforce_scope-related settings need to be in sync between both sides at all times. If you revert this configuration, make sure to revert both sides.

DevStack

keystone.conf

[oslo_policy]
enforce_new_defaults = true
enforce_scope = true

sudo systemctl restart devstack@keystone

OpenStackClient

unset OS_PROJECT_NAME
unset OS_TENANT_NAME
unset OS_USER_DOMAIN_ID
unset OS_PROJECT_DOMAIN_ID
export OS_SYSTEM_SCOPE=all

Tempest

tempest.conf

# IMPORTANT: comment out admin_project_name and admin_domain_name when you
# enable enforce_scope! Otherwise auth won't work.
[auth]
#admin_project_name = admin
#admin_domain_name = Default
admin_system = all

[identity-feature-enabled]
enforce_scope = true

[enforce_scope]
# Does the compute/identity/network/... service API policies enforce scope and
# new defaults? Should be enabled when
# nova.conf: oslo_policy.enforce_new_defaults and oslo_policy.enforce_scope are
# enabled.
keystone = true
...

[barbican_rbac_scope_verification]
enforce_scope = true
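
A consistency check for the NOTE above, as an added example that is not part of the original gist: it parses keystone.conf and tempest.conf text plus an environment mapping and reports where the server and client sides disagree. The function names, the constructed sample inputs and the treatment of the reverted state (all flags off, no system scope) are assumptions.

```python
import configparser

# Variables the gist unsets for OpenStackClient when scope is enforced.
PROJECT_VARS = ("OS_PROJECT_NAME", "OS_TENANT_NAME",
                "OS_USER_DOMAIN_ID", "OS_PROJECT_DOMAIN_ID")

# Constructed sample inputs mirroring the settings shown above.
KEYSTONE = "[oslo_policy]\nenforce_new_defaults = true\nenforce_scope = true\n"
TEMPEST = ("[auth]\n#admin_project_name = admin\nadmin_system = all\n"
           "[identity-feature-enabled]\nenforce_scope = true\n"
           "[enforce_scope]\nkeystone = true\n")
ENV = {"OS_SYSTEM_SCOPE": "all", "OS_USERNAME": "admin"}


def _parse(text):
    # interpolation=None keeps literal '%' in values; strict=False tolerates
    # duplicate options instead of raising.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def check_scope_sync(keystone_conf, tempest_conf, env):
    """Return a list of mismatches; an empty list means both sides agree."""
    ks, tp = _parse(keystone_conf), _parse(tempest_conf)
    server = ks.getboolean("oslo_policy", "enforce_scope", fallback=False)
    problems = []
    # Tempest must mirror the server-side flag in both sections.
    for section, option in (("identity-feature-enabled", "enforce_scope"),
                            ("enforce_scope", "keystone")):
        if tp.getboolean(section, option, fallback=False) != server:
            problems.append(f"tempest.conf [{section}] {option} is not {server}")
    # Commented-out options are absent after parsing, so has_option is False.
    system = tp.get("auth", "admin_system", fallback=None)
    leftovers = [o for o in ("admin_project_name", "admin_domain_name")
                 if tp.has_option("auth", o)]
    if server and system != "all":
        problems.append("tempest.conf [auth] admin_system is not 'all'")
    if server and leftovers:
        problems.append(f"tempest.conf [auth] still sets {leftovers}")
    if not server and system:
        problems.append("tempest.conf [auth] admin_system set, scope not enforced")
    # OpenStackClient environment: OS_SYSTEM_SCOPE must follow the server.
    if (env.get("OS_SYSTEM_SCOPE") == "all") != server:
        problems.append("OS_SYSTEM_SCOPE does not match server enforce_scope")
    stale = [v for v in PROJECT_VARS if v in env]
    if server and stale:
        problems.append(f"environment still sets {stale}")
    return problems
```

On a DevStack, pass the contents of /etc/keystone/keystone.conf, your tempest.conf and dict(os.environ); files containing a literal "..." placeholder line will not parse.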

Making source code changes

  • source code of the main components can be edited directly under /opt/stack/<component>/
    • changes will take effect once the corresponding service(s) is/are restarted
      • e.g. systemctl restart devstack@g-api
      • this is because the /opt/stack/<component>/ Python packages are installed via pip install -e which makes repeated pip install calls after source code changes unnecessary
  • to change library source code you have to edit it in the common VirtualEnv located at /opt/stack/data/venv/
    • e.g. /opt/stack/data/venv/lib/python3.10/site-packages/keystoneauth1/ for the keystoneauth library