Update Master SHAs - 17 Jan 2016

This patch does the following: - updates the Master SHAs for new development work. - includes updates to policy, paste and rootwrap files as required - moves the Aodh repository to openstack_services as it now has implemented a stable branch - Updated the keystone-wsgi file as it was still running the code from liberty - add 2 package requirements to keystone which must be present for the new wsgi file. - updates tempest.conf.j2 to replace ssh_auth_method with auth_method, and change auth_method to 'keypair' (configured is no longer an a valid option) Change-Id: I933c24c03518865d9d40519dafb2ba46769a5453 Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2015-11-16 14:29:03 -06:00 · 2015-11-16 14:29:03 -06:00 · 53aa7ba4e3
commit 53aa7ba4e3
parent 27be6c31f8
7 changed files with 66 additions and 5 deletions
--- a/files/rootwrap.d/functional-testing.filters
+++ b/files/rootwrap.d/functional-testing.filters
@ -0,0 +1,35 @@
+# neutron-rootwrap command filters to support functional testing.  It
+# is NOT intended to be used outside of a test environment.
+#
+# This file should be owned by (and only-writeable by) the root user
+
+[Filters]
+# enable ping from namespace
+ping_filter: CommandFilter, ping, root
+ping6_filter: CommandFilter, ping6, root
+
+# enable curl from namespace
+curl_filter: RegExpFilter, /usr/bin/curl, root, curl, --max-time, \d+, -D-, http://[0-9a-z:./-]+
+nc_filter: CommandFilter, nc, root
+# netcat has different binaries depending on linux distribution
+nc_kill: KillFilter, root, nc, -9
+ncbsd_kill: KillFilter, root, nc.openbsd, -9
+ncat_kill: KillFilter, root, ncat, -9
+ss_filter: CommandFilter, ss, root
+
+# enable neutron-linuxbridge-cleanup from namespace
+lb_cleanup_filter: RegExpFilter, neutron-linuxbridge-cleanup, root, neutron-linuxbridge-cleanup, --config-file, .*
+
+# enable dhclient from namespace
+dhclient_filter: CommandFilter, dhclient, root
+dhclient_kill: KillFilter, root, dhclient, -9
+
+# Actually, dhclient is used for test dhcp-agent and runs
+# in dhcp-agent namespace. If in that namespace resolv.conf file not exist
+# dhclient will override system /etc/resolv.conf
+# Filters below are limit functions mkdir, rm and touch
+# only to create and delete file resolv.conf in the that namespace
+mkdir_filter: RegExpFilter, /bin/mkdir, root, mkdir, -p, /etc/netns/qdhcp-[0-9a-z./-]+
+rm_filter: RegExpFilter, /bin/rm, root, rm, -r, /etc/netns/qdhcp-[0-9a-z./-]+
+touch_filter: RegExpFilter, /bin/touch, root, touch, /etc/netns/qdhcp-[0-9a-z./-]+/resolv.conf
+touch_filter2: RegExpFilter, /usr/bin/touch, root, touch, /etc/netns/qdhcp-[0-9a-z./-]+/resolv.conf
--- a/files/rootwrap.d/iptables-firewall.filters
+++ b/files/rootwrap.d/iptables-firewall.filters
@ -19,3 +19,10 @@ ip6tables-restore: CommandFilter, ip6tables-restore, root
 #   "iptables", "-A", ...
 iptables: CommandFilter, iptables, root
 ip6tables: CommandFilter, ip6tables, root
+
+# neutron/agent/linux/iptables_manager.py
+#   "sysctl", "-w", ...
+sysctl: CommandFilter, sysctl, root
+
+# neutron/agent/linux/ip_conntrack.py
+conntrack: CommandFilter, conntrack, root
--- a/files/rootwrap.d/l3.filters
+++ b/files/rootwrap.d/l3.filters
@ -50,3 +50,8 @@ conntrack: CommandFilter, conntrack, root

 # keepalived state change monitor
 keepalived_state_change: CommandFilter, neutron-keepalived-state-change, root
+
+# For creating namespace local /etc
+rt_tables_mkdir: RegExpFilter, mkdir, root, mkdir, -p, /etc/netns/qrouter-[^/].*
+rt_tables_chown: RegExpFilter, chown, root, chown, [1-9][0-9].*, /etc/netns/qrouter-[^/].*
+rt_tables_rmdir: RegExpFilter, rm, root, rm, -r, -f, /etc/netns/qrouter-[^/].*
--- a/tasks/neutron_post_install.yml
+++ b/tasks/neutron_post_install.yml
@ -93,12 +93,13 @@
  with_items:
    - { src: "rootwrap.d/debug.filters", dest: "/etc/neutron/rootwrap.d/debug.filters" }
    - { src: "rootwrap.d/dibbler.filters", dest: "/etc/neutron/rootwrap.d/dibbler.filters" }
+    - { src: "rootwrap.d/ebtables.filters", dest: "/etc/neutron/rootwrap.d/ebtables.filters" }
+    - { src: "rootwrap.d/functional-testing.filters", dest: "/etc/neutron/rootwrap.d/functional-testing.filters" }
    - { src: "rootwrap.d/ipset-firewall.filters", dest: "/etc/neutron/rootwrap.d/ipset-firewall.filters" }
    - { src: "rootwrap.d/iptables-firewall.filters", dest: "/etc/neutron/rootwrap.d/iptables-firewall.filters" }
    - { src: "rootwrap.d/openvswitch-plugin.filters", dest: "/etc/neutron/rootwrap.d/openvswitch-plugin.filters" }
    - { src: "rootwrap.d/lbaas-haproxy.filters", dest: "/etc/neutron/rootwrap.d/lbaas-haproxy.filters" }
    - { src: "rootwrap.d/vpnaas.filters", dest: "/etc/neutron/rootwrap.d/vpnaas.filters" }
-    - { src: "rootwrap.d/ebtables.filters", dest: "/etc/neutron/rootwrap.d/ebtables.filters" }
  notify:
    - Restart neutron services
  tags:
--- a/templates/api-paste.ini.j2
+++ b/templates/api-paste.ini.j2
@ -5,8 +5,8 @@ use = egg:Paste#urlmap

 [composite:neutronapi_v2_0]
 use = call:neutron.auth:pipeline_factory
-noauth = request_id catch_errors extensions neutronapiapp_v2_0
-keystone = request_id catch_errors authtoken keystonecontext extensions neutronapiapp_v2_0
+noauth = cors request_id catch_errors extensions neutronapiapp_v2_0
+keystone = cors request_id catch_errors authtoken keystonecontext extensions neutronapiapp_v2_0

 [filter:request_id]
 paste.filter_factory = oslo_middleware:RequestId.factory
@ -14,6 +14,13 @@ paste.filter_factory = oslo_middleware:RequestId.factory
 [filter:catch_errors]
 paste.filter_factory = oslo_middleware:CatchErrors.factory

+[filter:cors]
+paste.filter_factory = oslo_middleware.cors:filter_factory
+oslo_config_project = neutron
+latent_allow_headers = X-Auth-Token, X-Identity-Status, X-Roles, X-Service-Catalog, X-User-Id, X-Tenant-Id, X-OpenStack-Request-ID
+latent_expose_headers = X-Auth-Token, X-Subject-Token, X-Service-Token, X-OpenStack-Request-ID
+latent_allow_methods = GET, PUT, POST, DELETE, PATCH
+
 [filter:keystonecontext]
 paste.filter_factory = neutron.auth:NeutronKeystoneContext.factory

--- a/templates/policy.json.j2
+++ b/templates/policy.json.j2
@ -22,8 +22,10 @@

    "create_subnetpool": "",
    "create_subnetpool:shared": "rule:admin_only",
+    "create_subnetpool:is_default": "rule:admin_only",
    "get_subnetpool": "rule:admin_or_owner or rule:shared_subnetpools",
    "update_subnetpool": "rule:admin_or_owner",
+    "update_subnetpool:is_default": "rule:admin_only",
    "delete_subnetpool": "rule:admin_or_owner",

    "create_address_scope": "",
@ -197,5 +199,9 @@
    "update_rbac_policy": "rule:admin_or_owner",
    "update_rbac_policy:target_tenant": "rule:restrict_wildcard and rule:admin_or_owner",
    "get_rbac_policy": "rule:admin_or_owner",
-    "delete_rbac_policy": "rule:admin_or_owner"
+    "delete_rbac_policy": "rule:admin_or_owner",
+
+    "create_flavor_service_profile": "rule:admin_only",
+    "delete_flavor_service_profile": "rule:admin_only",
+    "get_flavor_service_profile": "rule:regular_user"
 }
--- a/templates/rootwrap.conf.j2
+++ b/templates/rootwrap.conf.j2
@ -10,7 +10,7 @@ filters_path=/etc/neutron/rootwrap.d,/usr/share/neutron/rootwrap
 # explicitely specify a full path (separated by ',')
 # If not specified, defaults to system PATH environment variable.
 # These directories MUST all be only writeable by root !
-exec_dirs={{ neutron_bin }},/sbin,/usr/sbin,/bin,/usr/bin
+exec_dirs={{ neutron_bin }},/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin

 # Enable logging to syslog
 # Default value is False