Updated repository for minimum viable kilo install

* Updated Keystone wsgi and paste files from upstream.
* Updated all clients in the openstack_client.yml file.
* Kilo services are tracking the head of master.
* Removed pinned middleware because they're pinned else where.
* Added additional service references for neutron vpnaas, fwaas, and
  lbaas which have now been moved into their own repos and no longer
  exist within the core neutron repository.
* The neutron vpnaas, fwaas, and lbaas have been removed from the
  basic plugins being loaded and a comment has been added to describe
  how one might add them back in.
* Updated rootwrap filters for neutron dhcp and l3.
* Updated heat policy.json
* Added the `python-libguestfs` to the nova-compute installation
  packages.
* Updates all services to point to the latest kilo tag

Services updated due to deprecated configs:
* Keystone
* Glance
* Nova
* Neutron (is still using the deprecated nova auth plugin)
* Heat
* Tempest

Items for future work post initial release:
* roles/os_neutron/files/post-up-checksum-rules:25:
  TODO(cloudnull) remove this script once the bug is fixed.
* roles/rabbitmq_server/tasks/rabbitmq_cluster_join.yml:17:
  TODO(someone): implement a more robust way of checking

Implements: blueprint minimal-kilo

Closes-Bug: 1428421
Closes-Bug: 1428431
Closes-Bug: 1428437
Closes-Bug: 1428445
Closes-Bug: 1428451
Closes-Bug: 1428469
Closes-Bug: 1428639

Change-Id: I28a305d9e40a9cf70148ef7d7b00d467a65ca076

defaults/main.yml

@@ -38,10 +38,14 @@ neutron_db_plugin: /etc/neutron/plugins/ml2/ml2_conf.ini
 
 ## Plugins
 neutron_plugin_core: neutron.plugins.ml2.plugin.Ml2Plugin
+# Other plugins can be added to the system by simply extending the list `neutron_plugin_base`.
+# neutron_plugin_base:
+#   - neutron.services.l3_router.l3_router_plugin.L3RouterPlugin
+#   - neutron.services.metering.metering_plugin.MeteringPlugin
+#   - neutron.services.loadbalancer.plugin.LoadBalancerPlugin
+#   - neutron.services.vpn.plugin.VPNDriverPlugin
 neutron_plugin_base:
   - neutron.services.l3_router.l3_router_plugin.L3RouterPlugin
-  - neutron.services.loadbalancer.plugin.LoadBalancerPlugin
-  - neutron.services.vpn.plugin.VPNDriverPlugin
   - neutron.services.metering.metering_plugin.MeteringPlugin
 neutron_plugin_loaded_base: "{% for plugin in neutron_plugin_base %}{{ plugin }}{% if not loop.last %},{% endif %}{% endfor %}"
 

files/api-paste.ini

@@ -9,10 +9,10 @@ noauth = request_id catch_errors extensions neutronapiapp_v2_0
 keystone = request_id catch_errors authtoken keystonecontext extensions neutronapiapp_v2_0
 
 [filter:request_id]
-paste.filter_factory = neutron.openstack.common.middleware.request_id:RequestIdMiddleware.factory
+paste.filter_factory = oslo.middleware:RequestId.factory
 
 [filter:catch_errors]
-paste.filter_factory = neutron.openstack.common.middleware.catch_errors:CatchErrorsMiddleware.factory
+paste.filter_factory = oslo.middleware:CatchErrors.factory
 
 [filter:keystonecontext]
 paste.filter_factory = neutron.auth:NeutronKeystoneContext.factory

files/policy.json

@@ -1,11 +1,14 @@
 {
     "context_is_admin":  "role:admin",
     "admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s",
+    "context_is_advsvc":  "role:advsvc",
     "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
     "admin_only": "rule:context_is_admin",
     "regular_user": "",
     "shared": "field:networks:shared=True",
     "shared_firewalls": "field:firewalls:shared=True",
+    "shared_firewall_policies": "field:firewall_policies:shared=True",
+    "shared_subnetpools": "field:subnetpools:shared=True",
     "external": "field:networks:router:external=True",
     "default": "rule:admin_or_owner",
 
@@ -14,8 +17,14 @@
     "update_subnet": "rule:admin_or_network_owner",
     "delete_subnet": "rule:admin_or_network_owner",
 
+    "create_subnetpool": "",
+    "create_subnetpool:shared": "rule:admin_only",
+    "get_subnetpool": "rule:admin_or_owner or rule:shared_subnetpools",
+    "update_subnetpool": "rule:admin_or_owner",
+    "delete_subnetpool": "rule:admin_or_owner",
+
     "create_network": "",
-    "get_network": "rule:admin_or_owner or rule:shared or rule:external",
+    "get_network": "rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc",
     "get_network:router:external": "rule:regular_user",
     "get_network:segments": "rule:admin_only",
     "get_network:provider:network_type": "rule:admin_only",
@@ -38,25 +47,26 @@
     "delete_network": "rule:admin_or_owner",
 
     "create_port": "",
-    "create_port:mac_address": "rule:admin_or_network_owner",
-    "create_port:fixed_ips": "rule:admin_or_network_owner",
-    "create_port:port_security_enabled": "rule:admin_or_network_owner",
+    "create_port:mac_address": "rule:admin_or_network_owner or rule:context_is_advsvc",
+    "create_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc",
+    "create_port:port_security_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
     "create_port:binding:host_id": "rule:admin_only",
     "create_port:binding:profile": "rule:admin_only",
-    "create_port:mac_learning_enabled": "rule:admin_or_network_owner",
-    "get_port": "rule:admin_or_owner",
+    "create_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
+    "get_port": "rule:admin_or_owner or rule:context_is_advsvc",
     "get_port:queue_id": "rule:admin_only",
     "get_port:binding:vif_type": "rule:admin_only",
     "get_port:binding:vif_details": "rule:admin_only",
     "get_port:binding:host_id": "rule:admin_only",
     "get_port:binding:profile": "rule:admin_only",
-    "update_port": "rule:admin_or_owner",
-    "update_port:fixed_ips": "rule:admin_or_network_owner",
-    "update_port:port_security_enabled": "rule:admin_or_network_owner",
+    "update_port": "rule:admin_or_owner or rule:context_is_advsvc",
+    "update_port:mac_address": "rule:admin_only or rule:context_is_advsvc",
+    "update_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc",
+    "update_port:port_security_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
     "update_port:binding:host_id": "rule:admin_only",
     "update_port:binding:profile": "rule:admin_only",
-    "update_port:mac_learning_enabled": "rule:admin_or_network_owner",
-    "delete_port": "rule:admin_or_owner",
+    "update_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
+    "delete_port": "rule:admin_or_owner or rule:context_is_advsvc",
 
     "get_router:ha": "rule:admin_only",
     "create_router": "rule:regular_user",
@@ -73,6 +83,9 @@
     "add_router_interface": "rule:admin_or_owner",
     "remove_router_interface": "rule:admin_or_owner",
 
+    "create_router:external_gateway_info:external_fixed_ips": "rule:admin_only",
+    "update_router:external_gateway_info:external_fixed_ips": "rule:admin_only",
+
     "create_firewall": "",
     "get_firewall": "rule:admin_or_owner",
     "create_firewall:shared": "rule:admin_only",
@@ -82,7 +95,7 @@
     "delete_firewall": "rule:admin_or_owner",
 
     "create_firewall_policy": "",
-    "get_firewall_policy": "rule:admin_or_owner or rule:shared_firewalls",
+    "get_firewall_policy": "rule:admin_or_owner or rule:shared_firewall_policies",
     "create_firewall_policy:shared": "rule:admin_or_owner",
     "update_firewall_policy": "rule:admin_or_owner",
     "delete_firewall_policy": "rule:admin_or_owner",
@@ -109,8 +122,11 @@
     "get_l3-agents": "rule:admin_only",
     "get_loadbalancer-agent": "rule:admin_only",
     "get_loadbalancer-pools": "rule:admin_only",
+    "get_agent-loadbalancers": "rule:admin_only",
+    "get_loadbalancer-hosting-agent": "rule:admin_only",
 
     "create_floatingip": "rule:regular_user",
+    "create_floatingip:floating_ip_address": "rule:admin_only",
     "update_floatingip": "rule:admin_or_owner",
     "delete_floatingip": "rule:admin_or_owner",
     "get_floatingip": "rule:admin_or_owner",

files/rootwrap.d/dhcp.filters

@@ -9,7 +9,7 @@
 [Filters]
 
 # dhcp-agent
-dnsmasq: EnvFilter, dnsmasq, root, NEUTRON_NETWORK_ID=
+dnsmasq: CommandFilter, dnsmasq, root
 # dhcp-agent uses kill as well, that's handled by the generic KillFilter
 # it looks like these are the only signals needed, per
 # neutron/agent/linux/dhcp.py
@@ -23,16 +23,14 @@ dhcp_release: CommandFilter, dhcp_release, root
 
 # metadata proxy
 metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
-metadata_proxy_quantum: CommandFilter, quantum-ns-metadata-proxy, root
 # If installed from source (say, by devstack), the prefix will be
 # /usr/local instead of /usr/bin.
 metadata_proxy_local: CommandFilter, /usr/local/bin/neutron-ns-metadata-proxy, root
-metadata_proxy_local_quantum: CommandFilter, /usr/local/bin/quantum-ns-metadata-proxy, root
 # RHEL invocation of the metadata proxy will report /usr/bin/python
 kill_metadata: KillFilter, root, python, -9
 kill_metadata7: KillFilter, root, python2.7, -9
-kill_metadata6: KillFilter, root, python2.6, -9
 
 # ip_lib
 ip: IpFilter, ip, root
+find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
 ip_exec: IpNetnsExecFilter, ip, root

files/rootwrap.d/l3.filters

@@ -18,22 +18,23 @@ radvd: CommandFilter, radvd, root
 
 # metadata proxy
 metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
-metadata_proxy_quantum: CommandFilter, quantum-ns-metadata-proxy, root
 # If installed from source (say, by devstack), the prefix will be
 # /usr/local instead of /usr/bin.
 metadata_proxy_local: CommandFilter, /usr/local/bin/neutron-ns-metadata-proxy, root
-metadata_proxy_local_quantum: CommandFilter, /usr/local/bin/quantum-ns-metadata-proxy, root
 # RHEL invocation of the metadata proxy will report /usr/bin/python
 kill_metadata: KillFilter, root, python, -9
 kill_metadata7: KillFilter, root, python2.7, -9
-kill_metadata6: KillFilter, root, python2.6, -9
 kill_radvd_usr: KillFilter, root, /usr/sbin/radvd, -9, -HUP
 kill_radvd: KillFilter, root, /sbin/radvd, -9, -HUP
 
 # ip_lib
 ip: IpFilter, ip, root
+find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
 ip_exec: IpNetnsExecFilter, ip, root
 
+# For ip monitor
+kill_ip_monitor: KillFilter, root, ip, -9
+
 # ovs_lib (if OVSInterfaceDriver is used)
 ovs-vsctl: CommandFilter, ovs-vsctl, root
 
@@ -49,3 +50,6 @@ kill_keepalived: KillFilter, root, /usr/sbin/keepalived, -HUP, -15, -9
 
 # l3 agent to delete floatingip's conntrack state
 conntrack: CommandFilter, conntrack, root
+
+# keepalived state change monitor
+keepalived_state_change: CommandFilter, neutron-keepalived-state-change, root

templates/neutron.conf.j2

@@ -12,7 +12,6 @@ use_syslog = False
 
 log_file = /var/log/neutron/neutron.log
 auth_strategy = keystone
-lock_path = /var/lock/neutron
 network_device_mtu = {{ neutron_network_device_mtu }}
 allow_overlapping_ips = True
 
@@ -62,13 +61,6 @@ dhcp_delete_namespaces = True
 dhcp_lease_duration = 86400
 
 
-## RabbitMQ
-rabbit_port = {{ rabbitmq_port }}
-rabbit_userid = {{ rabbitmq_userid }}
-rabbit_password = {{ rabbitmq_password }}
-rabbit_hosts = {{ rabbitmq_servers }}
-
-
 ## Notifications
 notify_nova_on_port_status_changes = True
 notify_nova_on_port_data_changes = True
@@ -119,6 +111,17 @@ check_revocations_for_cached = False
 connection = mysql://{{ neutron_galera_user }}:{{ neutron_container_mysql_password }}@{{ galera_address }}/{{ neutron_galera_database }}?charset=utf8
 
 
+[oslo_messaging_rabbit]
+rabbit_port = {{ rabbitmq_port }}
+rabbit_userid = {{ rabbitmq_userid }}
+rabbit_password = {{ rabbitmq_password }}
+rabbit_hosts = {{ rabbitmq_servers }}
+
+
+[oslo_concurrency]
+lock_path = /var/lock/neutron
+
+
 [service_providers]
 service_provider = LOADBALANCER:Haproxy:neutron.services.loadbalancer.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default
 service_provider = VPN:openswan:neutron.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default