From f6457c31bf5712ade1890ba96525a131bc82bb83 Mon Sep 17 00:00:00 2001
From: Jesse Pretorius
Date: Tue, 20 Sep 2016 14:54:23 +0100
Subject: [PATCH] Update paste, policy and rootwrap configurations 2016-09-20
Also update the rootwrap filter config file copy task to handle looking up rootwrap filter files using 'with_fileglob' to avoid having to maintain the task with each addition or removal of these files.
Change-Id: I57ea565bfdcd1d5c02e5fa1fec499e420e67a083
---
 files/rootwrap.d/functional-testing.filters | 35 ---------------------
 files/rootwrap.d/vpnaas.filters | 2 ++
 tasks/neutron_post_install.yml | 18 +++-------
 3 files changed, 7 insertions(+), 48 deletions(-)
 delete mode 100644 files/rootwrap.d/functional-testing.filters
diff --git a/files/rootwrap.d/functional-testing.filters b/files/rootwrap.d/functional-testing.filters
deleted file mode 100644
index 40a45047..00000000
--- a/files/rootwrap.d/functional-testing.filters
+++ /dev/null
@@ -1,35 +0,0 @@
-# neutron-rootwrap command filters to support functional testing. It
-# is NOT intended to be used outside of a test environment.
-#
-# This file should be owned by (and only-writeable by) the root user
-
-[Filters]
-# enable ping from namespace
-ping_filter: CommandFilter, ping, root
-ping6_filter: CommandFilter, ping6, root
-
-# enable curl from namespace
-curl_filter: RegExpFilter, /usr/bin/curl, root, curl, --max-time, \d+, -D-, http://[0-9a-z:./-]+
-nc_filter: CommandFilter, nc, root
-# netcat has different binaries depending on linux distribution
-nc_kill: KillFilter, root, nc, -9
-ncbsd_kill: KillFilter, root, nc.openbsd, -9
-ncat_kill: KillFilter, root, ncat, -9
-ss_filter: CommandFilter, ss, root
-
-# enable neutron-linuxbridge-cleanup from namespace
-lb_cleanup_filter: RegExpFilter, neutron-linuxbridge-cleanup, root, neutron-linuxbridge-cleanup, --config-file, .*
-
-# enable dhclient from namespace
-dhclient_filter: CommandFilter, dhclient, root
-dhclient_kill: KillFilter, root, dhclient, -9
-
-# Actually, dhclient is used for test dhcp-agent and runs
-# in dhcp-agent namespace. If in that namespace resolv.conf file not exist
-# dhclient will override system /etc/resolv.conf
-# Filters below are limit functions mkdir, rm and touch
-# only to create and delete file resolv.conf in the that namespace
-mkdir_filter: RegExpFilter, /bin/mkdir, root, mkdir, -p, /etc/netns/qdhcp-[0-9a-z./-]+
-rm_filter: RegExpFilter, /bin/rm, root, rm, -r, /etc/netns/qdhcp-[0-9a-z./-]+
-touch_filter: RegExpFilter, /bin/touch, root, touch, /etc/netns/qdhcp-[0-9a-z./-]+/resolv.conf
-touch_filter2: RegExpFilter, /usr/bin/touch, root, touch, /etc/netns/qdhcp-[0-9a-z./-]+/resolv.conf
diff --git a/files/rootwrap.d/vpnaas.filters b/files/rootwrap.d/vpnaas.filters
index d834404a..4d72d7df 100644
--- a/files/rootwrap.d/vpnaas.filters
+++ b/files/rootwrap.d/vpnaas.filters
@@ -8,9 +8,11 @@
 [Filters]
+cp: RegExpFilter, cp, root, cp, -a, .*, .*/strongswan.d
 ip: IpFilter, ip, root
 ip_exec: IpNetnsExecFilter, ip, root
 ipsec: CommandFilter, ipsec, root
+rm: RegExpFilter, rm, root, rm, -rf, (.*/strongswan.d|.*/ipsec/[0-9a-z-]+)
 strongswan: CommandFilter, strongswan, root
 neutron_netns_wrapper: CommandFilter, neutron-vpn-netns-wrapper, root
 neutron_netns_wrapper_local: CommandFilter, /usr/local/bin/neutron-vpn-netns-wrapper, root
diff --git a/tasks/neutron_post_install.yml b/tasks/neutron_post_install.yml
index e38e19cd..95915374 100644
--- a/tasks/neutron_post_install.yml
+++ b/tasks/neutron_post_install.yml
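Review bot: The new `cp` and `rm` filters let the neutron service user run a root `cp -a` from any source path (`.*`) into any path that merely ends in `/strongswan.d`, and a root `rm -rf` of any directory ending in `strongswan.d` or sitting under any directory named `ipsec`; nothing in the file records which driver operation needs that breadth. These two lines presumably mirror the upstream neutron-vpnaas filter set, so the patterns may be deliberate, but a comment above them such as `# strongswan driver: copies its config tree into the per-router strongswan.d and removes it on teardown` would let a reviewer judge whether the wildcards are still required. If the directory the strongswan driver writes under is fixed for this deployment, anchoring both patterns to that prefix instead of `.*` would narrow the root-executed `rm -rf` considerably. The file's header comments above `[Filters]` are outside the hunk.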
@@ -84,22 +84,14 @@ - item.value.service_conf is defined - item.value.group in group_names -- name: Drop neutron rootwrap filters +- name: Copy neutron rootwrap filters copy: - src: "{{ item.src }}" - dest: "{{ item.dest }}" + src: "{{ item }}" + dest: "{{ neutron_conf_dir }}/rootwrap.d/" owner: "root" group: "root" - with_items: - - { src: "rootwrap.d/debug.filters", dest: "{{ neutron_conf_dir }}/rootwrap.d/debug.filters" } - - { src: "rootwrap.d/dibbler.filters", dest: "{{ neutron_conf_dir }}/rootwrap.d/dibbler.filters" } - - { src: "rootwrap.d/ebtables.filters", dest: "{{ neutron_conf_dir }}/rootwrap.d/ebtables.filters" } - - { src: "rootwrap.d/functional-testing.filters", dest: "{{ neutron_conf_dir }}/rootwrap.d/functional-testing.filters" } - - { src: "rootwrap.d/ipset-firewall.filters", dest: "{{ neutron_conf_dir }}/rootwrap.d/ipset-firewall.filters" } - - { src: "rootwrap.d/iptables-firewall.filters", dest: "{{ neutron_conf_dir }}/rootwrap.d/iptables-firewall.filters" } - - { src: "rootwrap.d/openvswitch-plugin.filters", dest: "{{ neutron_conf_dir }}/rootwrap.d/openvswitch-plugin.filters" } - - { src: "rootwrap.d/lbaas-haproxy.filters", dest: "{{ neutron_conf_dir }}/rootwrap.d/lbaas-haproxy.filters" } - - { src: "rootwrap.d/vpnaas.filters", dest: "{{ neutron_conf_dir }}/rootwrap.d/vpnaas.filters" } + with_fileglob: + - rootwrap.d/* notify: - Restart neutron services
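Review bot: Deleting `files/rootwrap.d/functional-testing.filters` from the role does not remove it from hosts deployed before this change: the new `copy` task only adds files, so the test-only root filters (ping, curl, nc, dhclient and the mkdir/rm/touch patterns) remain in the live `rootwrap.d` on upgraded nodes until something deletes them, and a `file: state=absent` task for that path, notifying the same restart handler, closes that gap. Separately, `rootwrap.d/*` ships every file in the role directory, so a stray editor backup or scratch file dropped there would land in the live `rootwrap.d` and, as far as I recall, be read by rootwrap like any other filter file; `- rootwrap.d/*.filters` restricts the glob to what the task means to deploy. The `when:` list at the top of the hunk belongs to the preceding task, which starts outside the hunk.
```yaml
  with_fileglob:
    - rootwrap.d/*.filters
  # … unchanged: notify …

- name: Remove rootwrap filters retired from the role
  file:
    path: "{{ neutron_conf_dir }}/rootwrap.d/functional-testing.filters"
    state: absent
  notify:
    - Restart neutron services
```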