Update paste, policy and rootwrap configurations 2016-09-20

Also update the rootwrap filter config file copy task to handle
looking up rootwrap filter files using 'with_fileglob' to avoid
having to maintain the task with each addition or removal of these
files.

Change-Id: I57ea565bfdcd1d5c02e5fa1fec499e420e67a083

files/rootwrap.d/functional-testing.filters

@@ -1,35 +0,0 @@
-# neutron-rootwrap command filters to support functional testing.  It
-# is NOT intended to be used outside of a test environment.
-#
-# This file should be owned by (and only-writeable by) the root user
-
-[Filters]
-# enable ping from namespace
-ping_filter: CommandFilter, ping, root
-ping6_filter: CommandFilter, ping6, root
-
-# enable curl from namespace
-curl_filter: RegExpFilter, /usr/bin/curl, root, curl, --max-time, \d+, -D-, http://[0-9a-z:./-]+
-nc_filter: CommandFilter, nc, root
-# netcat has different binaries depending on linux distribution
-nc_kill: KillFilter, root, nc, -9
-ncbsd_kill: KillFilter, root, nc.openbsd, -9
-ncat_kill: KillFilter, root, ncat, -9
-ss_filter: CommandFilter, ss, root
-
-# enable neutron-linuxbridge-cleanup from namespace
-lb_cleanup_filter: RegExpFilter, neutron-linuxbridge-cleanup, root, neutron-linuxbridge-cleanup, --config-file, .*
-
-# enable dhclient from namespace
-dhclient_filter: CommandFilter, dhclient, root
-dhclient_kill: KillFilter, root, dhclient, -9
-
-# Actually, dhclient is used for test dhcp-agent and runs
-# in dhcp-agent namespace. If in that namespace resolv.conf file not exist
-# dhclient will override system /etc/resolv.conf
-# Filters below are limit functions mkdir, rm and touch
-# only to create and delete file resolv.conf in the that namespace
-mkdir_filter: RegExpFilter, /bin/mkdir, root, mkdir, -p, /etc/netns/qdhcp-[0-9a-z./-]+
-rm_filter: RegExpFilter, /bin/rm, root, rm, -r, /etc/netns/qdhcp-[0-9a-z./-]+
-touch_filter: RegExpFilter, /bin/touch, root, touch, /etc/netns/qdhcp-[0-9a-z./-]+/resolv.conf
-touch_filter2: RegExpFilter, /usr/bin/touch, root, touch, /etc/netns/qdhcp-[0-9a-z./-]+/resolv.conf

files/rootwrap.d/vpnaas.filters

@@ -8,9 +8,11 @@
 
 [Filters]
 
+cp: RegExpFilter, cp, root, cp, -a, .*, .*/strongswan.d
 ip: IpFilter, ip, root
 ip_exec: IpNetnsExecFilter, ip, root
 ipsec: CommandFilter, ipsec, root
+rm: RegExpFilter, rm, root, rm, -rf, (.*/strongswan.d|.*/ipsec/[0-9a-z-]+)
 strongswan: CommandFilter, strongswan, root
 neutron_netns_wrapper: CommandFilter, neutron-vpn-netns-wrapper, root
 neutron_netns_wrapper_local: CommandFilter, /usr/local/bin/neutron-vpn-netns-wrapper, root

tasks/neutron_post_install.yml

@@ -84,22 +84,14 @@
        - item.value.service_conf is defined
        - item.value.group in group_names
 
-- name: Drop neutron rootwrap filters
+- name: Copy neutron rootwrap filters
   copy:
-    src: "{{ item.src }}"
+    src: "{{ item }}"
-    dest: "{{ item.dest }}"
+    dest: "{{ neutron_conf_dir }}/rootwrap.d/"
     owner: "root"
     group: "root"
-  with_items:
+  with_fileglob:
-    - { src: "rootwrap.d/debug.filters", dest: "{{ neutron_conf_dir }}/rootwrap.d/debug.filters" }
+    - rootwrap.d/*
-    - { src: "rootwrap.d/dibbler.filters", dest: "{{ neutron_conf_dir }}/rootwrap.d/dibbler.filters" }
-    - { src: "rootwrap.d/ebtables.filters", dest: "{{ neutron_conf_dir }}/rootwrap.d/ebtables.filters" }
-    - { src: "rootwrap.d/functional-testing.filters", dest: "{{ neutron_conf_dir }}/rootwrap.d/functional-testing.filters" }
-    - { src: "rootwrap.d/ipset-firewall.filters", dest: "{{ neutron_conf_dir }}/rootwrap.d/ipset-firewall.filters" }
-    - { src: "rootwrap.d/iptables-firewall.filters", dest: "{{ neutron_conf_dir }}/rootwrap.d/iptables-firewall.filters" }
-    - { src: "rootwrap.d/openvswitch-plugin.filters", dest: "{{ neutron_conf_dir }}/rootwrap.d/openvswitch-plugin.filters" }
-    - { src: "rootwrap.d/lbaas-haproxy.filters", dest: "{{ neutron_conf_dir }}/rootwrap.d/lbaas-haproxy.filters" }
-    - { src: "rootwrap.d/vpnaas.filters", dest: "{{ neutron_conf_dir }}/rootwrap.d/vpnaas.filters" }
   notify:
     - Restart neutron services