openstack/charm-neutron-gateway
Code Issues Proposed changes

Newton apparmor fixes

Browse Source 
In newton neutron-lbaas-agent has been renamed neutron-lbaasv2-agent.
The apparmor profile and resource map requires updates to handle this.

Change-Id: Ia8ac50e5e7fa32139528b90d82dfdd1489a2173a
Depends-On: I69b4e3c38b7b24c4ef93010e5612faf377d7a67a
This commit is contained in:
David Ames 2016-10-12 15:11:55 -07:00
parent 3821e0a3d5
commit c9488cff61
9 changed files with 116 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
hooks/neutron_utils.py
View File

@ -111,6 +111,7 @@ NEUTRON_PLUGIN_CONF = {
NEUTRON_DHCP_AA_PROFILE = 'usr.bin.neutron-dhcp-agent'
NEUTRON_L3_AA_PROFILE = 'usr.bin.neutron-l3-agent'
NEUTRON_LBAAS_AA_PROFILE = 'usr.bin.neutron-lbaas-agent'
NEUTRON_LBAASV2_AA_PROFILE = 'usr.bin.neutron-lbaasv2-agent'
NEUTRON_METADATA_AA_PROFILE = 'usr.bin.neutron-metadata-agent'
NEUTRON_METERING_AA_PROFILE = 'usr.bin.neutron-metering-agent'
NOVA_API_METADATA_AA_PROFILE = 'usr.bin.nova-api-metadata'
@ -134,6 +135,8 @@ NEUTRON_L3_AA_PROFILE_PATH = ('/etc/apparmor.d/{}'
''.format(NEUTRON_L3_AA_PROFILE))
NEUTRON_LBAAS_AA_PROFILE_PATH = ('/etc/apparmor.d/{}'
''.format(NEUTRON_LBAAS_AA_PROFILE))
NEUTRON_LBAASV2_AA_PROFILE_PATH = ('/etc/apparmor.d/{}'
''.format(NEUTRON_LBAASV2_AA_PROFILE))
NEUTRON_METADATA_AA_PROFILE_PATH = ('/etc/apparmor.d/{}'
''.format(NEUTRON_METADATA_AA_PROFILE))
NEUTRON_METERING_AA_PROFILE_PATH = ('/etc/apparmor.d/{}'
@ -383,6 +386,12 @@ NEUTRON_SHARED_CONFIG_FILES = {
context.AppArmorContext(NEUTRON_LBAAS_AA_PROFILE)
],
},
NEUTRON_LBAASV2_AA_PROFILE_PATH: {
'services': ['neutron-lbaasv2-agent'],
'hook_contexts': [
context.AppArmorContext(NEUTRON_LBAASV2_AA_PROFILE)
],
},
NEUTRON_METADATA_AA_PROFILE_PATH: {
'services': ['neutron-metadata-agent'],
'hook_contexts': [
@ -623,6 +632,12 @@ def resolve_config_files(plugin, release):
if lsb_release()['DISTRIB_CODENAME'] >= 'xenial':
drop_config.extend([EXT_PORT_CONF, PHY_NIC_MTU_CONF])
# Rename to lbaasv2 in newton
if os_release('neutron-common') < 'newton':
drop_config.extend([NEUTRON_LBAASV2_AA_PROFILE_PATH])
else:
drop_config.extend([NEUTRON_LBAAS_AA_PROFILE_PATH])
for _config in drop_config:
if _config in config_files[plugin]:
config_files[plugin].pop(_config)

3
templates/usr.bin.neutron-dhcp-agent
View File

@ -15,6 +15,7 @@
/{,usr/}bin/** rix,
/etc/neutron/** r,
/etc/mime.types r,
/var/lib/neutron/** rwk,
/var/log/neutron/** rwk,
/{,var/}run/neutron/** rwk,
@ -39,6 +40,8 @@
# Required for assessment of current state of networking
/proc/sys/net/** r,
/proc/version r,
{% if ubuntu_release <= '12.04' %}
/proc/*/mounts r,
/proc/*/status r,

3
templates/usr.bin.neutron-l3-agent
View File

@ -15,6 +15,7 @@
/{,usr/}bin/** rix,
/etc/neutron/** r,
/etc/mime.types r,
/var/lib/neutron/** rwk,
/var/log/neutron/** rwk,
/{,var/}run/neutron/** rwk,
@ -37,6 +38,8 @@
# Required for assessment of current state of networking
/proc/sys/net/** r,
/proc/version r,
{% if ubuntu_release <= '12.04' %}
/proc/*/mounts r,
/proc/*/status r,

48
templates/usr.bin.neutron-lbaasv2-agent Normal file
View File

@ -0,0 +1,48 @@
# Last Modified: Fri Apr 1 16:26:34 2016
# Mode: {{aa_profile_mode}}
#include <tunables/global>
/usr/bin/neutron-lbaasv2-agent {
#include <abstractions/base>
#include <abstractions/python>
#include <abstractions/nameservice>
/usr/bin/neutron-lbaas-agent r,
/sbin/ldconfig* rix,
/bin/ r,
/bin/** rix,
/usr/bin/ r,
/usr/bin/** rix,
/etc/neutron/** r,
/etc/mime.types r,
/var/lib/neutron/** rwk,
/var/log/neutron/** rwk,
/{,var/}run/neutron/** rwk,
/{,var/}run/lock/neutron/** rwk,
# Allow unconfined sudo to support oslo.rootwrap
# profile makes no attempt to restrict this as this
# is limited by the appropriate rootwrap configuration.
/usr/bin/sudo Ux,
# Allow ip to run unrestricted for unpriviledged commands
/{,s}bin/ip Ux,
/tmp/* rw,
/var/tmp/* a,
# Required for parsing of managed process cmdline arguments
/proc/*/cmdline r,
# Required for assessment of current state of networking
/proc/sys/net/** r,
/proc/version r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/status r,
owner @{PROC}/@{pid}/ns/net r,
}

3
templates/usr.bin.neutron-metadata-agent
View File

@ -15,6 +15,7 @@
/{,usr/}bin/** rix,
/etc/neutron/** r,
/etc/mime.types r,
/var/lib/neutron/** rwk,
/var/log/neutron/** rwk,
/{,var/}run/neutron/** rwk,
@ -37,6 +38,8 @@
# Required for assessment of current state of networking
/proc/sys/net/** r,
/proc/version r,
{% if ubuntu_release <= '12.04' %}
/proc/*/mounts r,
/proc/*/status r,

3
templates/usr.bin.neutron-metering-agent
View File

@ -15,6 +15,7 @@
/{,usr/}bin/** rix,
/etc/neutron/** r,
/etc/mime.types r,
/var/lib/neutron/** rwk,
/var/log/neutron/** rwk,
/{,var/}run/neutron/** rwk,
@ -37,6 +38,8 @@
# Required for assessment of current state of networking
/proc/sys/net/** r,
/proc/version r,
{% if ubuntu_release <= '12.04' %}
/proc/*/mounts r,
/proc/*/status r,

4
templates/usr.bin.neutron-openvswitch-agent
View File

@ -15,12 +15,14 @@
/{,usr/}bin/** rix,
/etc/neutron/** r,
/etc/mime.types r,
/etc/udev/udev.conf r,
/var/lib/neutron/** rwk,
/var/log/neutron/** rwk,
/{,var/}run/neutron/** rwk,
/{,var/}run/lock/neutron/** rwk,
/run/udev/* r,
/run/uuidd/request rw,
/sys/kernel/uevent_seqnum r,
# Allow unconfined sudo to support oslo.rootwrap
@ -41,6 +43,8 @@
# Required for assessment of current state of networking
/proc/sys/net/** r,
/proc/version r,
{% if ubuntu_release <= '12.04' %}
/proc/*/mounts r,
/proc/*/status r,

12
tests/basic_deployment.py
View File

@ -797,6 +797,8 @@ class NeutronGatewayBasicDeployment(OpenStackAmuletDeployment):
expected['DEFAULT']['device_driver'] = \
('neutron_lbaas.drivers.haproxy.namespace_driver.'
'HaproxyNSDriver')
expected['DEFAULT'].pop('periodic_interval')
expected['DEFAULT'].pop('ovs_use_veth')
elif self._get_openstack_release() >= self.trusty_kilo:
expected['DEFAULT']['device_driver'] = \
('neutron_lbaas.services.loadbalancer.drivers.haproxy.'
@ -1041,7 +1043,6 @@ class NeutronGatewayBasicDeployment(OpenStackAmuletDeployment):
conf_file = '/etc/neutron/neutron.conf'
services = {
'neutron-dhcp-agent': conf_file,
'neutron-lbaas-agent': conf_file,
'neutron-metadata-agent': conf_file,
'neutron-metering-agent': conf_file,
'neutron-openvswitch-agent': conf_file,
@ -1049,6 +1050,10 @@ class NeutronGatewayBasicDeployment(OpenStackAmuletDeployment):
if self._get_openstack_release() <= self.trusty_juno:
services.update({'neutron-vpn-agent': conf_file})
if self._get_openstack_release() < self.xenial_newton:
services.update({'neutron-lbaas-agent': conf_file})
if self._get_openstack_release() >= self.xenial_newton:
services.update({'neutron-lbaasv2-agent': conf_file})
# Make config change, check for svc restart, conf file mod time change
u.log.debug('Making config change on {}...'.format(juju_service))
@ -1101,6 +1106,11 @@ class NeutronGatewayBasicDeployment(OpenStackAmuletDeployment):
if self._get_openstack_release() >= self.xenial_mitaka:
services['neutron-l3-agent'] = (
'/etc/apparmor.d/usr.bin.neutron-l3-agent')
if self._get_openstack_release() >= self.xenial_newton:
services.pop('neutron-lbaas-agent')
services['neutron-lbaasv2-agent'] = ('/etc/apparmor.d/'
'usr.bin.neutron-lbaasv2-'
'agent')
sentry = self.neutron_gateway_sentry
juju_service = 'neutron-gateway'

31
unit_tests/test_neutron_utils.py
View File

@ -552,7 +552,7 @@ class TestNeutronUtils(CharmTestCase):
neutron_utils.PHY_NIC_MTU_CONF: ['os-charm-phy-nic-mtu'],
neutron_utils.NEUTRON_DHCP_AA_PROFILE_PATH: ['neutron-dhcp-agent'],
neutron_utils.NEUTRON_L3_AA_PROFILE_PATH: ['neutron-vpn-agent'],
neutron_utils.NEUTRON_LBAAS_AA_PROFILE_PATH:
neutron_utils.NEUTRON_LBAASV2_AA_PROFILE_PATH:
['neutron-lbaasv2-agent'],
neutron_utils.NEUTRON_METADATA_AA_PROFILE_PATH:
['neutron-metadata-agent'],
@ -637,12 +637,14 @@ class TestNeutronUtils(CharmTestCase):
def test_resolve_config_files_ovs_liberty(self):
self._set_distrib_codename('trusty')
self.os_release.return_value = 'liberty'
self.is_relation_made = False
actual_map = neutron_utils.resolve_config_files(neutron_utils.OVS,
'liberty')
actual_configs = actual_map[neutron_utils.OVS].keys()
INC_CONFIG = [neutron_utils.NEUTRON_ML2_PLUGIN_CONF]
EXC_CONFIG = [neutron_utils.NEUTRON_OVS_AGENT_CONF]
EXC_CONFIG = [neutron_utils.NEUTRON_OVS_AGENT_CONF,
neutron_utils.NEUTRON_LBAASV2_AA_PROFILE_PATH]
for config in INC_CONFIG:
self.assertTrue(config in actual_configs)
for config in EXC_CONFIG:
@ -650,12 +652,14 @@ class TestNeutronUtils(CharmTestCase):
def test_resolve_config_files_ovs_mitaka(self):
self._set_distrib_codename('trusty')
self.os_release.return_value = 'mitaka'
self.is_relation_made = False
actual_map = neutron_utils.resolve_config_files(neutron_utils.OVS,
'mitaka')
actual_configs = actual_map[neutron_utils.OVS].keys()
INC_CONFIG = [neutron_utils.NEUTRON_OVS_AGENT_CONF]
EXC_CONFIG = [neutron_utils.NEUTRON_ML2_PLUGIN_CONF]
EXC_CONFIG = [neutron_utils.NEUTRON_ML2_PLUGIN_CONF,
neutron_utils.NEUTRON_LBAASV2_AA_PROFILE_PATH]
for config in INC_CONFIG:
self.assertTrue(config in actual_configs)
for config in EXC_CONFIG:
@ -663,23 +667,40 @@ class TestNeutronUtils(CharmTestCase):
def test_resolve_config_files_ovs_trusty(self):
self._set_distrib_codename('trusty')
self.os_release.return_value = 'mitaka'
self.is_relation_made = False
actual_map = neutron_utils.resolve_config_files(neutron_utils.OVS,
'mitaka')
actual_configs = actual_map[neutron_utils.OVS].keys()
INC_CONFIG = [neutron_utils.EXT_PORT_CONF,
neutron_utils.PHY_NIC_MTU_CONF]
neutron_utils.PHY_NIC_MTU_CONF,
neutron_utils.NEUTRON_LBAAS_AA_PROFILE_PATH]
for config in INC_CONFIG:
self.assertTrue(config in actual_configs)
def test_resolve_config_files_ovs_xenial(self):
self._set_distrib_codename('xenial')
self.os_release.return_value = 'mitaka'
self.is_relation_made = False
actual_map = neutron_utils.resolve_config_files(neutron_utils.OVS,
'mitaka')
actual_configs = actual_map[neutron_utils.OVS].keys()
EXC_CONFIG = [neutron_utils.EXT_PORT_CONF,
neutron_utils.PHY_NIC_MTU_CONF]
neutron_utils.PHY_NIC_MTU_CONF,
neutron_utils.NEUTRON_LBAASV2_AA_PROFILE_PATH]
for config in EXC_CONFIG:
self.assertTrue(config not in actual_configs)
def test_resolve_config_files_ovs_newton(self):
self._set_distrib_codename('xenial')
self.os_release.return_value = 'newton'
self.is_relation_made = False
actual_map = neutron_utils.resolve_config_files(neutron_utils.OVS,
'newton')
actual_configs = actual_map[neutron_utils.OVS].keys()
EXC_CONFIG = [neutron_utils.EXT_PORT_CONF,
neutron_utils.PHY_NIC_MTU_CONF,
neutron_utils.NEUTRON_LBAAS_AA_PROFILE_PATH]
for config in EXC_CONFIG:
self.assertTrue(config not in actual_configs)