From 53aa7ba4e3c698fd51dfe5c361efa6d40ebdcad6 Mon Sep 17 00:00:00 2001
From: Kevin Carter
Date: Mon, 16 Nov 2015 14:29:03 -0600
Subject: [PATCH] Update Master SHAs - 17 Jan 2016

This patch does the following:
- updates the Master SHAs for new development work.
- includes updates to policy, paste and rootwrap files as required
- moves the Aodh repository to openstack_services as it now has implemented a stable branch
- Updated the keystone-wsgi file as it was still running the code from liberty
- add 2 package requirements to keystone which must be present for the new wsgi file.
- updates tempest.conf.j2 to replace ssh_auth_method with auth_method, and change auth_method to 'keypair' (configured is no longer an a valid option)

Change-Id: I933c24c03518865d9d40519dafb2ba46769a5453
Signed-off-by: Kevin Carter
---
 files/rootwrap.d/functional-testing.filters | 35 +++++++++++++++++++++
 files/rootwrap.d/iptables-firewall.filters | 7 +++++
 files/rootwrap.d/l3.filters | 5 +++
 tasks/neutron_post_install.yml | 3 +-
 templates/api-paste.ini.j2 | 11 +++++--
 templates/policy.json.j2 | 8 ++++-
 templates/rootwrap.conf.j2 | 2 +-
 7 files changed, 66 insertions(+), 5 deletions(-)
 create mode 100644 files/rootwrap.d/functional-testing.filters

diff --git a/files/rootwrap.d/functional-testing.filters b/files/rootwrap.d/functional-testing.filters
new file mode 100644
index 00000000..40a45047
--- /dev/null
+++ b/files/rootwrap.d/functional-testing.filters
@@ -0,0 +1,35 @@
+# neutron-rootwrap command filters to support functional testing. It
+# is NOT intended to be used outside of a test environment.
+#
+# This file should be owned by (and only-writeable by) the root user
+
+[Filters]
+# enable ping from namespace
+ping_filter: CommandFilter, ping, root
+ping6_filter: CommandFilter, ping6, root
+
+# enable curl from namespace
+curl_filter: RegExpFilter, /usr/bin/curl, root, curl, --max-time, \d+, -D-, http://[0-9a-z:./-]+
+nc_filter: CommandFilter, nc, root
+# netcat has different binaries depending on linux distribution
+nc_kill: KillFilter, root, nc, -9
+ncbsd_kill: KillFilter, root, nc.openbsd, -9
+ncat_kill: KillFilter, root, ncat, -9
+ss_filter: CommandFilter, ss, root
+
+# enable neutron-linuxbridge-cleanup from namespace
+lb_cleanup_filter: RegExpFilter, neutron-linuxbridge-cleanup, root, neutron-linuxbridge-cleanup, --config-file, .*
+
+# enable dhclient from namespace
+dhclient_filter: CommandFilter, dhclient, root
+dhclient_kill: KillFilter, root, dhclient, -9
+
+# Actually, dhclient is used for test dhcp-agent and runs
+# in dhcp-agent namespace. If in that namespace resolv.conf file not exist
+# dhclient will override system /etc/resolv.conf
+# Filters below are limit functions mkdir, rm and touch
+# only to create and delete file resolv.conf in the that namespace
+mkdir_filter: RegExpFilter, /bin/mkdir, root, mkdir, -p, /etc/netns/qdhcp-[0-9a-z./-]+
+rm_filter: RegExpFilter, /bin/rm, root, rm, -r, /etc/netns/qdhcp-[0-9a-z./-]+
+touch_filter: RegExpFilter, /bin/touch, root, touch, /etc/netns/qdhcp-[0-9a-z./-]+/resolv.conf
+touch_filter2: RegExpFilter, /usr/bin/touch, root, touch, /etc/netns/qdhcp-[0-9a-z./-]+/resolv.conf
diff --git a/files/rootwrap.d/iptables-firewall.filters b/files/rootwrap.d/iptables-firewall.filters
index b8a6ab5b..29c78dae 100644
--- a/files/rootwrap.d/iptables-firewall.filters
+++ b/files/rootwrap.d/iptables-firewall.filters
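Review bot: `nc_filter: CommandFilter, nc, root` (together with the `ss`, `ping` and `dhclient` entries) lets the neutron service account run netcat with arbitrary arguments as root, and a CommandFilter never inspects arguments, so netcat variants that accept `-e`/`-c` turn any compromise of that account into a root shell. The file's own header says it is only for a test environment, yet the task change in this same patch installs it into /etc/neutron/rootwrap.d on every host. `rm_filter` additionally uses the class `[0-9a-z./-]+`, which admits `.` and `/`, so once `mkdir_filter` has created `qdhcp-a`, an argument such as `/etc/netns/qdhcp-a/../../ssl` matches and `rm -r` runs against it as root. I would keep this file out of the production deploy (or gate it behind an explicit opt-in variable) and, if it is kept, drop `.` and `/` from that class, e.g. `rm_filter: RegExpFilter, /bin/rm, root, rm, -r, /etc/netns/qdhcp-[0-9a-f-]+` (dhcp namespaces are `qdhcp-` plus a network UUID, so hex and dashes should suffice — confirm against the test helper).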
@@ -19,3 +19,10 @@ ip6tables-restore: CommandFilter, ip6tables-restore, root
 # "iptables", "-A", ...
 iptables: CommandFilter, iptables, root
 ip6tables: CommandFilter, ip6tables, root
+
+# neutron/agent/linux/iptables_manager.py
+# "sysctl", "-w", ...
+sysctl: CommandFilter, sysctl, root
+
+# neutron/agent/linux/ip_conntrack.py
+conntrack: CommandFilter, conntrack, root
\ No newline at end of file
diff --git a/files/rootwrap.d/l3.filters b/files/rootwrap.d/l3.filters
index 0fdf60cd..f1abc26a 100644
--- a/files/rootwrap.d/l3.filters
+++ b/files/rootwrap.d/l3.filters
@@ -50,3 +50,8 @@ conntrack: CommandFilter, conntrack, root
 
 # keepalived state change monitor
 keepalived_state_change: CommandFilter, neutron-keepalived-state-change, root
+
+# For creating namespace local /etc
+rt_tables_mkdir: RegExpFilter, mkdir, root, mkdir, -p, /etc/netns/qrouter-[^/].*
+rt_tables_chown: RegExpFilter, chown, root, chown, [1-9][0-9].*, /etc/netns/qrouter-[^/].*
+rt_tables_rmdir: RegExpFilter, rm, root, rm, -r, -f, /etc/netns/qrouter-[^/].*
diff --git a/tasks/neutron_post_install.yml b/tasks/neutron_post_install.yml
index c8513e19..ddbb4fa1 100644
--- a/tasks/neutron_post_install.yml
+++ b/tasks/neutron_post_install.yml
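Review bot: `sysctl: CommandFilter, sysctl, root` permits any sysctl invocation as root, not just the `sysctl -w` on network keys that the comment attributes to iptables_manager.py; a CommandFilter never looks at arguments, so the neutron account could set `kernel.modprobe` or `kernel.core_pattern` through it and reach root that way. If the agent only ever writes `net.*` keys (worth confirming against the cited module), a RegExpFilter pins it: `sysctl: RegExpFilter, sysctl, root, sysctl, -w, net\..*`. The file now also ends without a trailing newline (`\ No newline at end of file`), so the next append will show up as a spurious change to the `conntrack` line.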
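Review bot: The path pattern `/etc/netns/qrouter-[^/].*` only constrains the first character after the prefix; `.*` still matches `.` and `/`, so once `rt_tables_mkdir` has created `qrouter-x`, an argument like `/etc/netns/qrouter-x/../../sudoers` satisfies `rt_tables_rmdir` and rootwrap runs `rm -r -f` on it as root. Router namespaces in neutron are `qrouter-` plus a UUID, so a class without `.` and `/` closes this, e.g. `rt_tables_rmdir: RegExpFilter, rm, root, rm, -r, -f, /etc/netns/qrouter-[0-9a-f-]+`, with the same class in the mkdir and chown entries (if the agent creates subdirectories below the namespace directory, list them explicitly rather than with `.*`). The owner pattern `[1-9][0-9].*` likewise accepts anything starting with two digits; `[1-9][0-9]*(:[0-9]+)?` is tighter if the caller passes a numeric uid or uid:gid — confirm against the agent code that issues the chown.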
@@ -93,12 +93,13 @@
 with_items:
 - { src: "rootwrap.d/debug.filters", dest: "/etc/neutron/rootwrap.d/debug.filters" }
 - { src: "rootwrap.d/dibbler.filters", dest: "/etc/neutron/rootwrap.d/dibbler.filters" }
+ - { src: "rootwrap.d/ebtables.filters", dest: "/etc/neutron/rootwrap.d/ebtables.filters" }
+ - { src: "rootwrap.d/functional-testing.filters", dest: "/etc/neutron/rootwrap.d/functional-testing.filters" }
 - { src: "rootwrap.d/ipset-firewall.filters", dest: "/etc/neutron/rootwrap.d/ipset-firewall.filters" }
 - { src: "rootwrap.d/iptables-firewall.filters", dest: "/etc/neutron/rootwrap.d/iptables-firewall.filters" }
 - { src: "rootwrap.d/openvswitch-plugin.filters", dest: "/etc/neutron/rootwrap.d/openvswitch-plugin.filters" }
 - { src: "rootwrap.d/lbaas-haproxy.filters", dest: "/etc/neutron/rootwrap.d/lbaas-haproxy.filters" }
 - { src: "rootwrap.d/vpnaas.filters", dest: "/etc/neutron/rootwrap.d/vpnaas.filters" }
- - { src: "rootwrap.d/ebtables.filters", dest: "/etc/neutron/rootwrap.d/ebtables.filters" }
 notify:
 - Restart neutron services
 tags:
diff --git a/templates/api-paste.ini.j2 b/templates/api-paste.ini.j2
index 4fb3ddba..4884fe38 100644
--- a/templates/api-paste.ini.j2
+++ b/templates/api-paste.ini.j2
@@ -5,8 +5,8 @@ use = egg:Paste#urlmap
 
 [composite:neutronapi_v2_0]
 use = call:neutron.auth:pipeline_factory
-noauth = request_id catch_errors extensions neutronapiapp_v2_0
-keystone = request_id catch_errors authtoken keystonecontext extensions neutronapiapp_v2_0
+noauth = cors request_id catch_errors extensions neutronapiapp_v2_0
+keystone = cors request_id catch_errors authtoken keystonecontext extensions neutronapiapp_v2_0
 
 [filter:request_id]
 paste.filter_factory = oslo_middleware:RequestId.factory
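Review bot: The new `functional-testing.filters` entry deploys a filter set whose own header marks it as test-only into the production rootwrap directory on every host, unconditionally; the `ebtables.filters` entry is merely moved. I would put that one item in a separate copy task guarded by an opt-in, e.g. `when: neutron_install_functional_test_filters | default(false)` (variable name is a suggestion), or leave it out of this role. The enclosing task and its `owner`/`mode` parameters start before this hunk; the filter files themselves state they must be owned and only writeable by root, so confirm the task renders them as `root:root` with mode `0644`.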
@@ -14,6 +14,13 @@ paste.filter_factory = oslo_middleware:RequestId.factory
 [filter:catch_errors]
 paste.filter_factory = oslo_middleware:CatchErrors.factory
 
+[filter:cors]
+paste.filter_factory = oslo_middleware.cors:filter_factory
+oslo_config_project = neutron
+latent_allow_headers = X-Auth-Token, X-Identity-Status, X-Roles, X-Service-Catalog, X-User-Id, X-Tenant-Id, X-OpenStack-Request-ID
+latent_expose_headers = X-Auth-Token, X-Subject-Token, X-Service-Token, X-OpenStack-Request-ID
+latent_allow_methods = GET, PUT, POST, DELETE, PATCH
+
 [filter:keystonecontext]
 paste.filter_factory = neutron.auth:NeutronKeystoneContext.factory
 
diff --git a/templates/policy.json.j2 b/templates/policy.json.j2
index 4aab8d51..c551eb81 100644
--- a/templates/policy.json.j2
+++ b/templates/policy.json.j2
@@ -22,8 +22,10 @@
 
 "create_subnetpool": "",
 "create_subnetpool:shared": "rule:admin_only",
+ "create_subnetpool:is_default": "rule:admin_only",
 "get_subnetpool": "rule:admin_or_owner or rule:shared_subnetpools",
 "update_subnetpool": "rule:admin_or_owner",
+ "update_subnetpool:is_default": "rule:admin_only",
 "delete_subnetpool": "rule:admin_or_owner",
 
 "create_address_scope": "",
@@ -197,5 +199,9 @@
 "update_rbac_policy": "rule:admin_or_owner",
 "update_rbac_policy:target_tenant": "rule:restrict_wildcard and rule:admin_or_owner",
 "get_rbac_policy": "rule:admin_or_owner",
- "delete_rbac_policy": "rule:admin_or_owner"
+ "delete_rbac_policy": "rule:admin_or_owner",
+
+ "create_flavor_service_profile": "rule:admin_only",
+ "delete_flavor_service_profile": "rule:admin_only",
+ "get_flavor_service_profile": "rule:regular_user"
 }
diff --git a/templates/rootwrap.conf.j2 b/templates/rootwrap.conf.j2
index cca669a3..9ce7c606 100644
--- a/templates/rootwrap.conf.j2
+++ b/templates/rootwrap.conf.j2
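Review bot: `latent_expose_headers` lists `X-Auth-Token`, `X-Subject-Token` and `X-Service-Token`, which are keystone response headers that the neutron API does not emit; exposing them to browser origins buys nothing and advertises token header names, so trimming the line to `latent_expose_headers = X-OpenStack-Request-ID` keeps the useful part. `oslo_config_project = neutron` means the origins this filter honours come from the `[cors]` section of neutron.conf, which this patch does not show; as far as I recall the middleware, with no `allowed_origin` configured it adds no cross-origin headers at all, which is the safe default but worth a one-line comment above `[filter:cors]` such as `# Origins are taken from [cors] allowed_origin in neutron.conf; none are allowed until that is set.` so operators know where to enable it.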
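Review bot: `"get_flavor_service_profile": "rule:regular_user"` references a rule that must be defined earlier in this template, outside the hunk; oslo.policy fails closed on a reference to an undefined rule (as far as I recall), which would silently deny every non-admin read of service profiles rather than error out. Confirm `"regular_user"` is present among the base rules at the top of the file, and if it is not, add `"regular_user": "",` alongside them. The `is_default` entries in the first hunk look right: the flag controls a cloud-wide default and is correctly restricted to `rule:admin_only` on both create and update.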
@@ -10,7 +10,7 @@ filters_path=/etc/neutron/rootwrap.d,/usr/share/neutron/rootwrap
 # explicitely specify a full path (separated by ',')
 # If not specified, defaults to system PATH environment variable.
 # These directories MUST all be only writeable by root !
-exec_dirs={{ neutron_bin }},/sbin,/usr/sbin,/bin,/usr/bin
+exec_dirs={{ neutron_bin }},/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin
 
 # Enable logging to syslog
 # Default value is False
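Review bot: Appending `/usr/local/bin,/usr/local/sbin` to `exec_dirs` conflicts with the comment two lines above (`MUST all be only writeable by root`) on hosts where those directories are group-writable — Debian and Ubuntu ship `/usr/local/*` as `root:staff` mode 2775 — because rootwrap searches `exec_dirs` in order and executes the first matching binary as root, so any `staff` member could plant a binary named after a filter that is absent from the system directories. The commit message does not say which filter needs a /usr/local path; if one really does, I would either add a task that asserts `/usr/local/bin` and `/usr/local/sbin` are root-owned and not group/world writable before this template is rendered, or make the two extra entries an opt-in variable rather than the default. Otherwise keep `exec_dirs={{ neutron_bin }},/sbin,/usr/sbin,/bin,/usr/bin`.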