diff --git a/hooks/neutron_utils.py b/hooks/neutron_utils.py
index 91b72fe6..1a553573 100644
--- a/hooks/neutron_utils.py
+++ b/hooks/neutron_utils.py
@@ -111,6 +111,7 @@ NEUTRON_PLUGIN_CONF = {
 NEUTRON_DHCP_AA_PROFILE = 'usr.bin.neutron-dhcp-agent'
 NEUTRON_L3_AA_PROFILE = 'usr.bin.neutron-l3-agent'
 NEUTRON_LBAAS_AA_PROFILE = 'usr.bin.neutron-lbaas-agent'
+NEUTRON_LBAASV2_AA_PROFILE = 'usr.bin.neutron-lbaasv2-agent'
 NEUTRON_METADATA_AA_PROFILE = 'usr.bin.neutron-metadata-agent'
 NEUTRON_METERING_AA_PROFILE = 'usr.bin.neutron-metering-agent'
 NOVA_API_METADATA_AA_PROFILE = 'usr.bin.nova-api-metadata'
@@ -134,6 +135,8 @@ NEUTRON_L3_AA_PROFILE_PATH = ('/etc/apparmor.d/{}'
                               ''.format(NEUTRON_L3_AA_PROFILE))
 NEUTRON_LBAAS_AA_PROFILE_PATH = ('/etc/apparmor.d/{}'
                                  ''.format(NEUTRON_LBAAS_AA_PROFILE))
+NEUTRON_LBAASV2_AA_PROFILE_PATH = ('/etc/apparmor.d/{}'
+                                   ''.format(NEUTRON_LBAASV2_AA_PROFILE))
 NEUTRON_METADATA_AA_PROFILE_PATH = ('/etc/apparmor.d/{}'
                                     ''.format(NEUTRON_METADATA_AA_PROFILE))
 NEUTRON_METERING_AA_PROFILE_PATH = ('/etc/apparmor.d/{}'
@@ -383,6 +386,12 @@ NEUTRON_SHARED_CONFIG_FILES = {
             context.AppArmorContext(NEUTRON_LBAAS_AA_PROFILE)
         ],
     },
+    NEUTRON_LBAASV2_AA_PROFILE_PATH: {
+        'services': ['neutron-lbaasv2-agent'],
+        'hook_contexts': [
+            context.AppArmorContext(NEUTRON_LBAASV2_AA_PROFILE)
+        ],
+    },
     NEUTRON_METADATA_AA_PROFILE_PATH: {
         'services': ['neutron-metadata-agent'],
         'hook_contexts': [
@@ -623,6 +632,12 @@ def resolve_config_files(plugin, release):
         if lsb_release()['DISTRIB_CODENAME'] >= 'xenial':
             drop_config.extend([EXT_PORT_CONF, PHY_NIC_MTU_CONF])
+        # Rename to lbaasv2 in newton
+        if os_release('neutron-common') < 'newton':
+            drop_config.extend([NEUTRON_LBAASV2_AA_PROFILE_PATH])
+        else:
+            drop_config.extend([NEUTRON_LBAAS_AA_PROFILE_PATH])
+
         for _config in drop_config:
             if _config in config_files[plugin]:
                 config_files[plugin].pop(_config)
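Review bot: The new release switch in resolve_config_files, `if os_release('neutron-common') < 'newton':`, compares codenames as plain strings, which is correct only because OpenStack release names happen to be alphabetical; a comment stating that, e.g. `# codename string compare is safe: OpenStack releases are alphabetical`, would stop the next reader from mistaking it for a version compare. Each branch calls `drop_config.extend([...])` with a single element, where `drop_config.append(NEUTRON_LBAASV2_AA_PROFILE_PATH)` and `drop_config.append(NEUTRON_LBAAS_AA_PROFILE_PATH)` read more directly. On a unit upgraded from mitaka to newton the charm presumably stops rendering usr.bin.neutron-lbaas-agent while the previously written profile stays under /etc/apparmor.d; whether that stale profile is cleaned up elsewhere is not visible here and is worth confirming. resolve_config_files starts before this hunk.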
diff --git a/templates/usr.bin.neutron-dhcp-agent b/templates/usr.bin.neutron-dhcp-agent
index 6706575a..ff29a32b 100644
--- a/templates/usr.bin.neutron-dhcp-agent
+++ b/templates/usr.bin.neutron-dhcp-agent
@@ -15,6 +15,7 @@
   /{,usr/}bin/** rix,
   /etc/neutron/** r,
+  /etc/mime.types r,
   /var/lib/neutron/** rwk,
   /var/log/neutron/** rwk,
   /{,var/}run/neutron/** rwk,
@@ -39,6 +40,8 @@
   # Required for assessment of current state of networking
   /proc/sys/net/** r,
+  /proc/version r,
+
   {% if ubuntu_release <= '12.04' %}
   /proc/*/mounts r,
   /proc/*/status r,
diff --git a/templates/usr.bin.neutron-l3-agent b/templates/usr.bin.neutron-l3-agent
index 3e612de4..4067aed2 100644
--- a/templates/usr.bin.neutron-l3-agent
+++ b/templates/usr.bin.neutron-l3-agent
@@ -15,6 +15,7 @@
   /{,usr/}bin/** rix,
   /etc/neutron/** r,
+  /etc/mime.types r,
   /var/lib/neutron/** rwk,
   /var/log/neutron/** rwk,
   /{,var/}run/neutron/** rwk,
@@ -37,6 +38,8 @@
   # Required for assessment of current state of networking
   /proc/sys/net/** r,
+  /proc/version r,
+
   {% if ubuntu_release <= '12.04' %}
   /proc/*/mounts r,
   /proc/*/status r,
diff --git a/templates/usr.bin.neutron-lbaasv2-agent b/templates/usr.bin.neutron-lbaasv2-agent
new file mode 100644
index 00000000..8763ce3a
--- /dev/null
+++ b/templates/usr.bin.neutron-lbaasv2-agent
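Review bot: The added `/etc/mime.types r,` and `/proc/version r,` rules in usr.bin.neutron-dhcp-agent carry no explanatory comment, while the surrounding rules in this file state their reason (`# Required for assessment of current state of networking`); the same uncommented pair is added to usr.bin.neutron-l3-agent, usr.bin.neutron-metadata-agent, usr.bin.neutron-metering-agent and usr.bin.neutron-openvswitch-agent. A one-line reason above each grant, e.g. `# Required by the Python mimetypes module` if that is what produced the denial (the stdlib mimetypes module does read /etc/mime.types, but the actual trigger is not visible in the diff), lets a later reviewer decide whether the rule can be dropped again. Both grants are read-only on world-readable files, so the widening of the profiles is small.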
@@ -0,0 +1,48 @@
+# Last Modified: Fri Apr 1 16:26:34 2016
+# Mode: {{aa_profile_mode}}
+#include
+
+/usr/bin/neutron-lbaasv2-agent {
+  #include
+  #include
+  #include
+
+  /usr/bin/neutron-lbaas-agent r,
+
+  /sbin/ldconfig* rix,
+
+  /bin/ r,
+  /bin/** rix,
+  /usr/bin/ r,
+  /usr/bin/** rix,
+
+  /etc/neutron/** r,
+  /etc/mime.types r,
+  /var/lib/neutron/** rwk,
+  /var/log/neutron/** rwk,
+  /{,var/}run/neutron/** rwk,
+  /{,var/}run/lock/neutron/** rwk,
+
+  # Allow unconfined sudo to support oslo.rootwrap
+  # profile makes no attempt to restrict this as this
+  # is limited by the appropriate rootwrap configuration.
+  /usr/bin/sudo Ux,
+
+  # Allow ip to run unrestricted for unpriviledged commands
+  /{,s}bin/ip Ux,
+
+  /tmp/* rw,
+  /var/tmp/* a,
+
+  # Required for parsing of managed process cmdline arguments
+  /proc/*/cmdline r,
+
+  # Required for assessment of current state of networking
+  /proc/sys/net/** r,
+
+  /proc/version r,
+
+  owner @{PROC}/@{pid}/mounts r,
+  owner @{PROC}/@{pid}/status r,
+  owner @{PROC}/@{pid}/ns/net r,
+}
diff --git a/templates/usr.bin.neutron-metadata-agent b/templates/usr.bin.neutron-metadata-agent
index 34def84c..82ee2ec9 100644
--- a/templates/usr.bin.neutron-metadata-agent
+++ b/templates/usr.bin.neutron-metadata-agent
@@ -15,6 +15,7 @@
   /{,usr/}bin/** rix,
   /etc/neutron/** r,
+  /etc/mime.types r,
   /var/lib/neutron/** rwk,
   /var/log/neutron/** rwk,
   /{,var/}run/neutron/** rwk,
@@ -37,6 +38,8 @@
   # Required for assessment of current state of networking
   /proc/sys/net/** r,
+  /proc/version r,
+
   {% if ubuntu_release <= '12.04' %}
   /proc/*/mounts r,
   /proc/*/status r,
diff --git a/templates/usr.bin.neutron-metering-agent b/templates/usr.bin.neutron-metering-agent
index 3d23c865..9cc54911 100644
--- a/templates/usr.bin.neutron-metering-agent
+++ b/templates/usr.bin.neutron-metering-agent
@@ -15,6 +15,7 @@
   /{,usr/}bin/** rix,
   /etc/neutron/** r,
+  /etc/mime.types r,
   /var/lib/neutron/** rwk,
   /var/log/neutron/** rwk,
   /{,var/}run/neutron/** rwk,
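Review bot: The new usr.bin.neutron-lbaasv2-agent profile attaches to `/usr/bin/neutron-lbaasv2-agent` but its self-read rule grants `/usr/bin/neutron-lbaas-agent r,`, the v1 binary, which looks carried over from the lbaas profile; it should presumably be `/usr/bin/neutron-lbaasv2-agent r,`, and in either form it is already covered by `/usr/bin/** rix,`, so the line can be corrected or dropped. The `# Last Modified: Fri Apr 1 16:26:34 2016` header will be wrong after the first edit and is not something a template needs. The `#include` targets appear stripped in this rendering, so whether the abstractions match the sibling profiles cannot be checked from here. As the comments say, `/usr/bin/sudo Ux,` and `/{,s}bin/ip Ux,` run unconfined, so the effective boundary for privileged operations is the rootwrap filter set rather than this profile.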
@@ -37,6 +38,8 @@
   # Required for assessment of current state of networking
   /proc/sys/net/** r,
+  /proc/version r,
+
   {% if ubuntu_release <= '12.04' %}
   /proc/*/mounts r,
   /proc/*/status r,
diff --git a/templates/usr.bin.neutron-openvswitch-agent b/templates/usr.bin.neutron-openvswitch-agent
index 303b8f52..e8f222f5 100644
--- a/templates/usr.bin.neutron-openvswitch-agent
+++ b/templates/usr.bin.neutron-openvswitch-agent
@@ -15,12 +15,14 @@
   /{,usr/}bin/** rix,
   /etc/neutron/** r,
+  /etc/mime.types r,
   /etc/udev/udev.conf r,
   /var/lib/neutron/** rwk,
   /var/log/neutron/** rwk,
   /{,var/}run/neutron/** rwk,
   /{,var/}run/lock/neutron/** rwk,
   /run/udev/* r,
+  /run/uuidd/request rw,
   /sys/kernel/uevent_seqnum r,
   # Allow unconfined sudo to support oslo.rootwrap
@@ -41,6 +43,8 @@
   # Required for assessment of current state of networking
   /proc/sys/net/** r,
+  /proc/version r,
+
   {% if ubuntu_release <= '12.04' %}
   /proc/*/mounts r,
   /proc/*/status r,
diff --git a/tests/basic_deployment.py b/tests/basic_deployment.py
index 9ba2adf0..e13f2ad0 100644
--- a/tests/basic_deployment.py
+++ b/tests/basic_deployment.py
@@ -797,6 +797,8 @@ class NeutronGatewayBasicDeployment(OpenStackAmuletDeployment):
             expected['DEFAULT']['device_driver'] = \
                 ('neutron_lbaas.drivers.haproxy.namespace_driver.'
                  'HaproxyNSDriver')
+            expected['DEFAULT'].pop('periodic_interval')
+            expected['DEFAULT'].pop('ovs_use_veth')
         elif self._get_openstack_release() >= self.trusty_kilo:
             expected['DEFAULT']['device_driver'] = \
                 ('neutron_lbaas.services.loadbalancer.drivers.haproxy.'
@@ -1041,7 +1043,6 @@ class NeutronGatewayBasicDeployment(OpenStackAmuletDeployment):
         conf_file = '/etc/neutron/neutron.conf'
         services = {
             'neutron-dhcp-agent': conf_file,
-            'neutron-lbaas-agent': conf_file,
             'neutron-metadata-agent': conf_file,
             'neutron-metering-agent': conf_file,
             'neutron-openvswitch-agent': conf_file,
@@ -1049,6 +1050,10 @@ class NeutronGatewayBasicDeployment(OpenStackAmuletDeployment):
         if self._get_openstack_release() <= self.trusty_juno:
             services.update({'neutron-vpn-agent': conf_file})
+        if self._get_openstack_release() < self.xenial_newton:
+            services.update({'neutron-lbaas-agent': conf_file})
+        if self._get_openstack_release() >= self.xenial_newton:
+            services.update({'neutron-lbaasv2-agent': conf_file})
         # Make config change, check for svc restart, conf file mod time change
         u.log.debug('Making config change on {}...'.format(juju_service))
@@ -1101,6 +1106,11 @@ class NeutronGatewayBasicDeployment(OpenStackAmuletDeployment):
         if self._get_openstack_release() >= self.xenial_mitaka:
             services['neutron-l3-agent'] = (
                 '/etc/apparmor.d/usr.bin.neutron-l3-agent')
+        if self._get_openstack_release() >= self.xenial_newton:
+            services.pop('neutron-lbaas-agent')
+            services['neutron-lbaasv2-agent'] = ('/etc/apparmor.d/'
+                                                 'usr.bin.neutron-lbaasv2-'
+                                                 'agent')
         sentry = self.neutron_gateway_sentry
         juju_service = 'neutron-gateway'
diff --git a/unit_tests/test_neutron_utils.py b/unit_tests/test_neutron_utils.py
index a04fccf1..86652cb4 100644
--- a/unit_tests/test_neutron_utils.py
+++ b/unit_tests/test_neutron_utils.py
@@ -552,7 +552,7 @@ class TestNeutronUtils(CharmTestCase):
             neutron_utils.PHY_NIC_MTU_CONF: ['os-charm-phy-nic-mtu'],
             neutron_utils.NEUTRON_DHCP_AA_PROFILE_PATH: ['neutron-dhcp-agent'],
             neutron_utils.NEUTRON_L3_AA_PROFILE_PATH: ['neutron-vpn-agent'],
-            neutron_utils.NEUTRON_LBAAS_AA_PROFILE_PATH:
+            neutron_utils.NEUTRON_LBAASV2_AA_PROFILE_PATH:
                 ['neutron-lbaasv2-agent'],
             neutron_utils.NEUTRON_METADATA_AA_PROFILE_PATH:
                 ['neutron-metadata-agent'],
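Review bot: The two release checks added to the restart test are mutually exclusive, so `if self._get_openstack_release() < self.xenial_newton:` followed by a second `if ... >= self.xenial_newton:` reads better as if/else: keep the first `if`, then `else:` / `services.update({'neutron-lbaasv2-agent': conf_file})`. In the later hunk, `services.pop('neutron-lbaas-agent')` raises KeyError if that key was not added unconditionally earlier in the method; the code adding it is outside the hunk, so this only needs a glance. Both enclosing test methods start outside their hunks.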
@@ -637,12 +637,14 @@ class TestNeutronUtils(CharmTestCase):
     def test_resolve_config_files_ovs_liberty(self):
         self._set_distrib_codename('trusty')
+        self.os_release.return_value = 'liberty'
         self.is_relation_made = False
         actual_map = neutron_utils.resolve_config_files(neutron_utils.OVS,
                                                         'liberty')
         actual_configs = actual_map[neutron_utils.OVS].keys()
         INC_CONFIG = [neutron_utils.NEUTRON_ML2_PLUGIN_CONF]
-        EXC_CONFIG = [neutron_utils.NEUTRON_OVS_AGENT_CONF]
+        EXC_CONFIG = [neutron_utils.NEUTRON_OVS_AGENT_CONF,
+                      neutron_utils.NEUTRON_LBAASV2_AA_PROFILE_PATH]
         for config in INC_CONFIG:
             self.assertTrue(config in actual_configs)
         for config in EXC_CONFIG:
@@ -650,12 +652,14 @@ class TestNeutronUtils(CharmTestCase):
     def test_resolve_config_files_ovs_mitaka(self):
         self._set_distrib_codename('trusty')
+        self.os_release.return_value = 'mitaka'
         self.is_relation_made = False
         actual_map = neutron_utils.resolve_config_files(neutron_utils.OVS,
                                                         'mitaka')
         actual_configs = actual_map[neutron_utils.OVS].keys()
         INC_CONFIG = [neutron_utils.NEUTRON_OVS_AGENT_CONF]
-        EXC_CONFIG = [neutron_utils.NEUTRON_ML2_PLUGIN_CONF]
+        EXC_CONFIG = [neutron_utils.NEUTRON_ML2_PLUGIN_CONF,
+                      neutron_utils.NEUTRON_LBAASV2_AA_PROFILE_PATH]
         for config in INC_CONFIG:
             self.assertTrue(config in actual_configs)
         for config in EXC_CONFIG:
@@ -663,23 +667,40 @@ class TestNeutronUtils(CharmTestCase):
     def test_resolve_config_files_ovs_trusty(self):
         self._set_distrib_codename('trusty')
+        self.os_release.return_value = 'mitaka'
         self.is_relation_made = False
         actual_map = neutron_utils.resolve_config_files(neutron_utils.OVS,
                                                         'mitaka')
         actual_configs = actual_map[neutron_utils.OVS].keys()
         INC_CONFIG = [neutron_utils.EXT_PORT_CONF,
-                      neutron_utils.PHY_NIC_MTU_CONF]
+                      neutron_utils.PHY_NIC_MTU_CONF,
+                      neutron_utils.NEUTRON_LBAAS_AA_PROFILE_PATH]
         for config in INC_CONFIG:
             self.assertTrue(config in actual_configs)
     def test_resolve_config_files_ovs_xenial(self):
         self._set_distrib_codename('xenial')
+        self.os_release.return_value = 'mitaka'
         self.is_relation_made = False
         actual_map = neutron_utils.resolve_config_files(neutron_utils.OVS,
                                                         'mitaka')
         actual_configs = actual_map[neutron_utils.OVS].keys()
         EXC_CONFIG = [neutron_utils.EXT_PORT_CONF,
-                      neutron_utils.PHY_NIC_MTU_CONF]
+                      neutron_utils.PHY_NIC_MTU_CONF,
+                      neutron_utils.NEUTRON_LBAASV2_AA_PROFILE_PATH]
+        for config in EXC_CONFIG:
+            self.assertTrue(config not in actual_configs)
+
+    def test_resolve_config_files_ovs_newton(self):
+        self._set_distrib_codename('xenial')
+        self.os_release.return_value = 'newton'
+        self.is_relation_made = False
+        actual_map = neutron_utils.resolve_config_files(neutron_utils.OVS,
+                                                        'newton')
+        actual_configs = actual_map[neutron_utils.OVS].keys()
+        EXC_CONFIG = [neutron_utils.EXT_PORT_CONF,
+                      neutron_utils.PHY_NIC_MTU_CONF,
+                      neutron_utils.NEUTRON_LBAAS_AA_PROFILE_PATH]
         for config in EXC_CONFIG:
             self.assertTrue(config not in actual_configs)
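Review bot: test_resolve_config_files_ovs_newton only asserts what is excluded; nothing checks that NEUTRON_LBAASV2_AA_PROFILE_PATH is retained on newton, which is the positive half of the new branch in resolve_config_files. Adding `self.assertTrue(neutron_utils.NEUTRON_LBAASV2_AA_PROFILE_PATH in actual_configs)` to that test closes the gap; the trusty test already covers the v1 side by listing NEUTRON_LBAAS_AA_PROFILE_PATH in INC_CONFIG. The `assertTrue(config in ...)` form follows the file's existing style, but `self.assertIn(config, actual_configs)` / `self.assertNotIn(config, actual_configs)` would give a failure message that names the offending path.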