diff --git a/playbooks/defaults/repo_packages/openstack_other.yml b/playbooks/defaults/repo_packages/openstack_other.yml index 087ce718c7..9f14284955 100644 --- a/playbooks/defaults/repo_packages/openstack_other.yml +++ b/playbooks/defaults/repo_packages/openstack_other.yml @@ -27,23 +27,17 @@ ## Tempest service tempest_git_repo: https://git.openstack.org/openstack/tempest -tempest_git_install_branch: d289567c278edeac6ddaf0829e4159aef17c1552 # HEAD of "master" as of 24.10.2015 +tempest_git_install_branch: 5cc7ef78b4233444a4dcea1b1eb8f213c1548491 # HEAD of "master" as of 17.01.2016 tempest_git_dest: "/opt/tempest_{{ tempest_git_install_branch | replace('/', '_') }}" -## aodh service -aodh_git_repo: https://git.openstack.org/openstack/aodh -aodh_git_install_branch: 8c9d2c8804cfb37f7e064e1c0df4b43590f1a3ee # HEAD of "master" as of 24.10.2015 -aodh_git_dest: "/opt/aodh_{{ aodh_git_install_branch | replace('/', '_') }}" - - ## NOVNC from source novncproxy_git_repo: https://github.com/kanaka/novnc -novncproxy_git_install_branch: 6a90803feb124791960e3962e328aa3cfb729aeb # HEAD of "master" as of 24.10.2015 +novncproxy_git_install_branch: 670dbddb54264fd0082d0aca1b3acb0f1814b1d2 # HEAD of "master" as of 17.01.2016 novncproxy_git_dest: "/opt/novnc_{{ novncproxy_git_install_branch | replace('/', '_') }}" ## spice-html5 from source spicehtml5_git_repo: https://github.com/SPICE/spice-html5 -spicehtml5_git_install_branch: c1e736b083ff47639ecb73ea9be4d14b5002f93f # HEAD of "master" as of 24.10.2015 +spicehtml5_git_install_branch: ab73d009487c8afd4def39b54a422499b4c13c40 # HEAD of "master" as of 17.01.2016 spicehtml5_git_dest: "/opt/spicehtml5_{{ spicehtml5_git_install_branch | replace('/', '_') }}" diff --git a/playbooks/defaults/repo_packages/openstack_services.yml b/playbooks/defaults/repo_packages/openstack_services.yml index c993fc85fd..04102aafd9 100644 --- a/playbooks/defaults/repo_packages/openstack_services.yml +++ b/playbooks/defaults/repo_packages/openstack_services.yml 
@@ -31,71 +31,77 @@ ## Global Requirements requirements_git_repo: https://git.openstack.org/openstack/requirements -requirements_git_install_branch: 2854532c8549e82b180e348fd11a43bc13f8af6a # HEAD of "master" as of 24.10.2015 +requirements_git_install_branch: 332278d456e06870150835564342570ec9d5f5a0 # HEAD of "master" as of 17.01.2016 requirements_git_dest: "/opt/requirements_{{ requirements_git_install_branch | replace('/', '_') }}" +## Aodh service +aodh_git_repo: https://git.openstack.org/openstack/aodh +aodh_git_install_branch: 239e1f629b26557ceadb92de3d62edcd87489b9d # HEAD of "master" as of 17.01.2016 +aodh_git_dest: "/opt/aodh_{{ aodh_git_install_branch | replace('/', '_') }}" + + ## Ceilometer service ceilometer_git_repo: https://git.openstack.org/openstack/ceilometer -ceilometer_git_install_branch: b34865f80818165187552e7feca4ead2e61a30d3 # HEAD of "master" as of 24.10.2015 +ceilometer_git_install_branch: 333024b69aa7810e78aef85e5171cfd6dbd6b740 # HEAD of "master" as of 17.01.2016 ceilometer_git_dest: "/opt/ceilometer_{{ceilometer_git_install_branch | replace('/', '_') }}" ## Cinder service cinder_git_repo: https://git.openstack.org/openstack/cinder -cinder_git_install_branch: 774c8a9dc4cfe559a1d2f3afd2380ea8f9cdd6ee # HEAD of "master" as of 24.10.2015 +cinder_git_install_branch: 94ae8598b96e2f86844fdf0f35a8b83a94c7b4c4 # HEAD of "master" as of 17.01.2016 cinder_git_dest: "/opt/cinder_{{ cinder_git_install_branch | replace('/', '_') }}" ## Glance service glance_git_repo: https://git.openstack.org/openstack/glance -glance_git_install_branch: b7703a4aab4f4c6315a5f0a12620336f96532108 # HEAD of "master" as of 24.10.2015 +glance_git_install_branch: 7d5c3710ce2739a8ac356208d4e104f2ce3ec9ab # HEAD of "master" as of 17.01.2016 glance_git_dest: "/opt/glance_{{ glance_git_install_branch | replace('/', '_') }}" ## Heat service heat_git_repo: https://git.openstack.org/openstack/heat -heat_git_install_branch: cd1a61e3d794bd37dd964ba7c37f1d0cb2bb2e81 # HEAD of "master" 
as of 24.10.2015 +heat_git_install_branch: 7e3e4087f476a0431d1d278730b1736e02e5fd06 # HEAD of "master" as of 17.01.2016 heat_git_dest: "/opt/heat_{{ heat_git_install_branch | replace('/', '_') }}" ## Horizon service horizon_git_repo: https://git.openstack.org/openstack/horizon -horizon_git_install_branch: aa068eca807885182886b2a2f28591d6ac9e689e # HEAD of "master" as of 24.10.2015 +horizon_git_install_branch: 18f1605bddd428a014d0e43ef52d1af6305e1e03 # HEAD of "master" as of 17.01.2016 horizon_git_dest: "/opt/horizon_{{ horizon_git_install_branch | replace('/', '_') }}" ## Keystone service keystone_git_repo: https://git.openstack.org/openstack/keystone -keystone_git_install_branch: ebe82fcd21116f4bdae9dc97407e04f5184dc9b0 # HEAD of "master" as of 24.10.2015 +keystone_git_install_branch: a55128044f763f5cfe2fdc57c738eaca97636448 # HEAD of "master" as of 17.01.2016 keystone_git_dest: "/opt/keystone_{{ keystone_git_install_branch | replace('/', '_') }}" ## Neutron service neutron_git_repo: https://git.openstack.org/openstack/neutron -neutron_git_install_branch: 554b5d96cdb8b0b8987f37b8ae0336e910c5675c # HEAD of "master" as of 24.10.2015 +neutron_git_install_branch: d6d43b32ca825b6c3c2c908f5ff7bc50c736546e # HEAD of "master" as of 17.01.2016 neutron_git_dest: "/opt/neutron_{{ neutron_git_install_branch | replace('/', '_') }}" neutron_lbaas_git_repo: https://git.openstack.org/openstack/neutron-lbaas -neutron_lbaas_git_install_branch: 8427934f76f1c213044a54da60c3b266930efef1 # HEAD of "master" as of 24.10.2015 +neutron_lbaas_git_install_branch: b5d4e5c0fe02a897ad2ab0bc548f695915998831 # HEAD of "master" as of 17.01.2016 neutron_lbaas_git_dest: "/opt/neutron_lbaas_{{ neutron_lbaas_git_install_branch | replace('/', '_') }}" neutron_vpnaas_git_repo: https://git.openstack.org/openstack/neutron-vpnaas -neutron_vpnaas_git_install_branch: d4e477d2c515d80a66cf7e5f60a452edc89219d9 # HEAD of "master" as of 24.10.2015 +neutron_vpnaas_git_install_branch: 
832b875b79d801e17a5b997054f30c9d88b36914 # HEAD of "master" as of 17.01.2016 neutron_vpnaas_git_dest: "/opt/neutron_vpnaas_{{ neutron_vpnaas_git_install_branch | replace('/', '_') }}" neutron_fwaas_git_repo: https://git.openstack.org/openstack/neutron-fwaas -neutron_fwaas_git_install_branch: 64c0e6a56cec1021b8af5b76e5da0485e37d5efb # HEAD of "master" as of 24.10.2015 +neutron_fwaas_git_install_branch: cb0093d185a97cafc320bd64d9b45dc737cdfdb2 # HEAD of "master" as of 17.01.2016 neutron_fwaas_git_dest: "/opt/neutron_fwaas_{{ neutron_fwaas_git_install_branch | replace('/', '_') }}" ## Nova service nova_git_repo: https://git.openstack.org/openstack/nova -nova_git_install_branch: 71d2ed17950edbeb97b479bf04958dbee8f23fc5 # HEAD of "master" as of 24.10.2015 +nova_git_install_branch: deb1ee440923b0b292f3536a2f8bda672c03984a # HEAD of "master" as of 17.01.2016 nova_git_dest: "/opt/nova_{{ nova_git_install_branch | replace('/', '_') }}" ## Swift service swift_git_repo: https://git.openstack.org/openstack/swift -swift_git_install_branch: a094560f0cef9a51f03b9f72dd516d4df717bec6 # HEAD of "master" as of 24.10.2015 +swift_git_install_branch: 4db7e2e2e4d80757a717485e3b639b16e0a66f68 # HEAD of "master" as of 17.01.2016 swift_git_dest: "/opt/swift_{{ swift_git_install_branch | replace('/', '_') }}" diff --git a/playbooks/defaults/repo_packages/python2_lxc.yml b/playbooks/defaults/repo_packages/python2_lxc.yml index 9af029f92b..bda68abe52 100644 --- a/playbooks/defaults/repo_packages/python2_lxc.yml +++ b/playbooks/defaults/repo_packages/python2_lxc.yml @@ -15,5 +15,5 @@ ## Git Source for python2-lxc library git_repo: https://github.com/lxc/python2-lxc -git_install_branch: 0553f05d23b56b59bf3015fa5e45bfbfab9021ef # HEAD of "master" as of 14.10.2015 +git_install_branch: 0553f05d23b56b59bf3015fa5e45bfbfab9021ef # HEAD of "master" as of 17.01.2016 git_dest: "/opt/lxc_python2_{{ git_install_branch|replace('/', '_') }}" 
diff --git a/playbooks/roles/os_aodh/templates/policy.json.j2 b/playbooks/roles/os_aodh/templates/policy.json.j2 index 4950c516f5..4fd873e9f0 100644 --- a/playbooks/roles/os_aodh/templates/policy.json.j2 +++ b/playbooks/roles/os_aodh/templates/policy.json.j2 @@ -1,21 +1,20 @@ { "context_is_admin": "role:admin", - "context_is_project": "project_id:%(target.project_id)s", - "context_is_owner": "user_id:%(target.user_id)s", "segregation": "rule:context_is_admin", - "service_role": "role:service", - "iaas_role": "role:iaas", + "admin_or_owner": "rule:context_is_admin or project_id:%(project_id)s", + "default": "rule:admin_or_owner", - "telemetry:get_alarm": "rule:context_is_admin", - "telemetry:query_alarm": "rule:context_is_admin", - "telemetry:get_alarm_state": "rule:context_is_admin", - "telemetry:get_alarms": "rule:context_is_admin", - "telemetry:create_alarm": "rule:context_is_admin", - "telemetry:set_alarm": "rule:context_is_admin", - "telemetry:delete_alarm": "rule:context_is_admin", + "telemetry:get_alarm": "rule:admin_or_owner", + "telemetry:get_alarms": "rule:admin_or_owner", + "telemetry:query_alarm": "rule:admin_or_owner", - "telemetry:alarm_history": "rule:context_is_admin", - "telemetry:change_alarm_state": "rule:context_is_admin", - "telemetry:query_alarm_history": "rule:context_is_admin" + "telemetry:create_alarm": "", + "telemetry:change_alarm": "rule:admin_or_owner", + "telemetry:delete_alarm": "rule:admin_or_owner", + + "telemetry:get_alarm_state": "rule:admin_or_owner", + "telemetry:change_alarm_state": "rule:admin_or_owner", + + "telemetry:alarm_history": "rule:admin_or_owner", + "telemetry:query_alarm_history": "rule:admin_or_owner" } - diff --git a/playbooks/roles/os_ceilometer/defaults/main.yml b/playbooks/roles/os_ceilometer/defaults/main.yml index 05022b607c..1e74497473 100644 --- a/playbooks/roles/os_ceilometer/defaults/main.yml +++ b/playbooks/roles/os_ceilometer/defaults/main.yml 
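Review bot: `"telemetry:create_alarm": ""` on the new side lets every authenticated user create alarms, where the old side required `rule:context_is_admin`; because an alarm carries the action URLs the aodh notifier calls when it fires, this hands every project the ability to drive outbound requests from the alarm service, and that relaxation deserves a comment in the template or a deployer-visible knob rather than a silent default. The new `"default": "rule:admin_or_owner"` also changes the fallback: as far as I recall oslo.policy denies an unlisted rule when no `default` rule exists, whereas now an unlisted rule resolves to project members. `telemetry:set_alarm` is renamed to `telemetry:change_alarm` and the `context_is_project`, `context_is_owner`, `service_role` and `iaas_role` rules are dropped, so existing policy overrides that reference the old names will silently stop matching; a Jinja comment such as `{# aodh policy: rule names differ from the previous template, re-check any policy overrides #}` at the top would flag that for deployers.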
@@ -134,8 +134,11 @@ ceilometer_service_names: ## Tunable overrides ceilometer_policy_overrides: {} +ceilometer_rootwrap_conf_overrides: {} ceilometer_ceilometer_conf_overrides: {} ceilometer_api_paste_ini_overrides: {} ceilometer_event_definitions_yaml_overrides: {} ceilometer_event_pipeline_yaml_overrides: {} ceilometer_pipeline_yaml_overrides: {} +ceilometer_gnocci_resources_yaml_overrides: {} +ceilometer_osprofiler_event_definitions_yaml_overrides: {} diff --git a/playbooks/roles/os_ceilometer/files/rootwrap.d/ipmi.filters b/playbooks/roles/os_ceilometer/files/rootwrap.d/ipmi.filters new file mode 100644 index 0000000000..2ef74b04ea --- /dev/null +++ b/playbooks/roles/os_ceilometer/files/rootwrap.d/ipmi.filters @@ -0,0 +1,7 @@ +# ceilometer-rootwrap command filters for IPMI capable nodes +# This file should be owned by (and only-writeable by) the root user + +[Filters] +# ceilometer/ipmi/nodemanager/node_manager.py: 'ipmitool' +ipmitool: CommandFilter, ipmitool, root + diff --git a/playbooks/roles/os_ceilometer/tasks/ceilometer_post_install.yml b/playbooks/roles/os_ceilometer/tasks/ceilometer_post_install.yml index 73d8dc291c..099294ba29 100644 --- a/playbooks/roles/os_ceilometer/tasks/ceilometer_post_install.yml +++ b/playbooks/roles/os_ceilometer/tasks/ceilometer_post_install.yml @@ -31,6 +31,10 @@ dest: "/etc/ceilometer/api_paste.ini" config_overrides: "{{ ceilometer_api_paste_ini_overrides }}" config_type: "ini" + - src: "rootwrap.conf.j2" + dest: "/etc/ceilometer/rootwrap.conf" + config_overrides: "{{ ceilometer_rootwrap_conf_overrides }}" + config_type: "ini" - src: "event_pipeline.yaml.j2" dest: "/etc/ceilometer/event_pipeline.yaml" config_overrides: "{{ ceilometer_event_pipeline_yaml_overrides }}" 
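Review bot: `ceilometer_gnocci_resources_yaml_overrides` misspells gnocchi, and since this key is the public override name deployers set in their variables, the typo becomes an interface that is painful to rename once shipped. Suggest `ceilometer_gnocchi_resources_yaml_overrides: {}` here together with the matching `config_overrides` reference in the post-install task of this same change. A one-line comment above `ceilometer_rootwrap_conf_overrides` noting that it applies to `/etc/ceilometer/rootwrap.conf` only (the filter files are copied verbatim) would also save a deployer from trying to override filters through it.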
@@ -43,6 +47,14 @@ dest: "/etc/ceilometer/pipeline.yaml" config_overrides: "{{ ceilometer_pipeline_yaml_overrides }}" config_type: "yaml" + - src: "gnocchi_resources.yaml.j2" + dest: "/etc/ceilometer/gnocchi_resources.yaml" + config_overrides: "{{ ceilometer_gnocci_resources_yaml_overrides }}" + config_type: "yaml" + - src: "osprofiler_event_definitions.yaml.j2" + dest: "/etc/ceilometer/osprofiler_event_definitions.yaml" + config_overrides: "{{ ceilometer_osprofiler_event_definitions_yaml_overrides }}" + config_type: "yaml" - src: "policy.json.j2" dest: "/etc/ceilometer/policy.json" config_overrides: "{{ ceilometer_policy_overrides }}" @@ -52,6 +64,19 @@ - ceilometer-config - ceilometer-post-install +- name: Drop rootwrap filters + copy: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + owner: "{{ ceilometer_system_user_name }}" + group: "{{ ceilometer_system_group_name }}" + with_items: + - { src: "rootwrap.d/ipmi.filters", dest: "/etc/ceilometer/rootwrap.d/ipmi.filters" } + notify: + - Restart ceilometer services + tags: + - ceilometer-config + - name: Get ceilometer command path command: which ceilometer register: ceilometer_command_path diff --git a/playbooks/roles/os_ceilometer/tasks/ceilometer_pre_install.yml b/playbooks/roles/os_ceilometer/tasks/ceilometer_pre_install.yml index 5288dabf1f..bec4f3263f 100644 --- a/playbooks/roles/os_ceilometer/tasks/ceilometer_pre_install.yml +++ b/playbooks/roles/os_ceilometer/tasks/ceilometer_pre_install.yml @@ -56,6 +56,7 @@ with_items: - { path: "/openstack", mode: "0755", owner: "root", group: "root" } - { path: "/etc/ceilometer" } + - { path: "/etc/ceilometer/rootwrap.d" } - { path: "{{ ceilometer_system_user_home }}" } - { path: "{{ ceilometer_system_user_home }}/.ssh", mode: "0700" } - { path: "/var/cache/ceilometer", mode: "0700" } diff --git a/playbooks/roles/os_ceilometer/templates/event_definitions.yaml.j2 b/playbooks/roles/os_ceilometer/templates/event_definitions.yaml.j2 index a5ab2e2c9d..763ff49f46 100644 
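Review bot: The `Drop rootwrap filters` task installs `/etc/ceilometer/rootwrap.d/ipmi.filters` owned by `{{ ceilometer_system_user_name }}` with no `mode`, which contradicts the filter file's own header ("only-writeable by the root user") and the `filters_path` requirement stated in the accompanying rootwrap.conf template. If the ceilometer service account is ever compromised it can rewrite that filter to admit any command, and whatever sudoers entry grants it `ceilometer-rootwrap` (not part of this diff) turns that into root. Set `owner: "root"`, `group: "root"` and `mode: "0644"` on the copy, and give rootwrap.conf the same treatment if the config_template task leaves it service-owned. The task list this hunk sits in continues outside the hunk.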
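Review bot: `- { path: "/etc/ceilometer/rootwrap.d" }` inherits whatever owner and mode the loop's defaults supply (outside the hunk), unlike the `/openstack` entry beside it that pins root; if that default is the ceilometer user, rootwrap's filter directory is writable by the very service account it is meant to constrain, and a writable directory is enough to replace the filter file regardless of the file's own ownership. Make it explicit: `- { path: "/etc/ceilometer/rootwrap.d", mode: "0755", owner: "root", group: "root" }`.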
--- a/playbooks/roles/os_ceilometer/templates/event_definitions.yaml.j2 +++ b/playbooks/roles/os_ceilometer/templates/event_definitions.yaml.j2 @@ -8,15 +8,9 @@ instance_id: fields: payload.instance_id host: - fields: publisher_id - plugin: - name: split - parameters: - segment: 1 - max_split: 1 + fields: publisher_id.`split(., 1, 1)` service: - fields: publisher_id - plugin: split + fields: publisher_id.`split(., 0, -1)` memory_mb: type: int fields: payload.memory_mb @@ -96,6 +90,12 @@ fields: payload.snapshot_id volume_id: fields: payload.volume_id +- event_type: ['image_volume_cache.*'] + traits: + image_id: + fields: payload.image_id + host: + fields: payload.host - event_type: ['image.update', 'image.upload', 'image.delete'] traits: &glance_crud project_id: @@ -331,6 +331,10 @@ fields: ['payload.ipsec_site_connection.id', 'payload.id'] - event_type: '*http.*' traits: &http_audit + project_id: + fields: payload.initiator.project_id + user_id: + fields: payload.initiator.id typeURI: fields: payload.typeURI eventType: 
@@ -366,4 +370,152 @@ <<: *http_audit reason_code: fields: payload.reason.reasonCode - +- event_type: ['dns.domain.create', 'dns.domain.update', 'dns.domain.delete'] + traits: &dns_domain_traits + status: + fields: payload.status + retry: + fields: payload.retry + description: + fields: payload.description + expire: + fields: payload.expire + email: + fields: payload.email + ttl: + fields: payload.ttl + action: + fields: payload.action + name: + fields: payload.name + resource_id: + fields: payload.id + created_at: + fields: payload.created_at + updated_at: + fields: payload.updated_at + version: + fields: payload.version + parent_domain_id: + fields: parent_domain_id + serial: + fields: payload.serial +- event_type: dns.domain.exists + traits: + <<: *dns_domain_traits + audit_period_beginning: + type: datetime + fields: payload.audit_period_beginning + audit_period_ending: + type: datetime + fields: payload.audit_period_ending +- event_type: trove.* + traits: &trove_base_traits + state: + fields: payload.state_description + instance_type: + fields: payload.instance_type + user_id: + fields: payload.user_id + resource_id: + fields: payload.instance_id + instance_type_id: + fields: payload.instance_type_id + launched_at: + type: datetime + fields: payload.launched_at + instance_name: + fields: payload.instance_name + state: + fields: payload.state + nova_instance_id: + fields: payload.nova_instance_id + service_id: + fields: payload.service_id + created_at: + type: datetime + fields: payload.created_at + region: + fields: payload.region +- event_type: ['trove.instance.create', 'trove.instance.modify_volume', 'trove.instance.modify_flavor', 'trove.instance.delete'] + traits: &trove_common_traits + name: + fields: payload.name + availability_zone: + fields: payload.availability_zone + instance_size: + type: int + fields: payload.instance_size + volume_size: + type: int + fields: payload.volume_size + nova_volume_id: + fields: payload.nova_volume_id +- event_type: 
trove.instance.create + traits: + <<: [*trove_base_traits, *trove_common_traits] +- event_type: trove.instance.modify_volume + traits: + <<: [*trove_base_traits, *trove_common_traits] + old_volume_size: + type: int + fields: payload.old_volume_size + modify_at: + type: datetime + fields: payload.modify_at +- event_type: trove.instance.modify_flavor + traits: + <<: [*trove_base_traits, *trove_common_traits] + old_instance_size: + type: int + fields: payload.old_instance_size + modify_at: + type: datetime + fields: payload.modify_at +- event_type: trove.instance.delete + traits: + <<: [*trove_base_traits, *trove_common_traits] + deleted_at: + type: datetime + fields: payload.deleted_at +- event_type: trove.instance.exists + traits: + <<: *trove_base_traits + display_name: + fields: payload.display_name + audit_period_beginning: + type: datetime + fields: payload.audit_period_beginning + audit_period_ending: + type: datetime + fields: payload.audit_period_ending +- event_type: profiler.* + traits: + project: + fields: payload.project + service: + fields: payload.service + name: + fields: payload.name + base_id: + fields: payload.base_id + trace_id: + fields: payload.trace_id + parent_id: + fields: payload.parent_id + timestamp: + fields: payload.timestamp + host: + fields: payload.info.host + path: + fields: payload.info.request.path + query: + fields: payload.info.request.query + method: + fields: payload.info.request.method + scheme: + fields: payload.info.request.scheme + db.statement: + fields: payload.info.db.statement + db.params: + fields: payload.info.db.params diff --git a/playbooks/roles/os_ceilometer/templates/event_pipeline.yaml.j2 b/playbooks/roles/os_ceilometer/templates/event_pipeline.yaml.j2 index d6c5e25695..10275f7492 100644 --- a/playbooks/roles/os_ceilometer/templates/event_pipeline.yaml.j2 +++ b/playbooks/roles/os_ceilometer/templates/event_pipeline.yaml.j2 @@ -10,4 +10,4 @@ sinks: transformers: triggers: publishers: - - direct:// + - notifier:// 
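Review bot: `trove_base_traits` defines the `state` trait twice (`fields: payload.state_description` first, then `fields: payload.state`); YAML loaders keep one mapping value per key, typically the last, so the first definition is dead and the surviving one is loader-dependent — rename the first to `state_description:` or drop it. `parent_domain_id: fields: parent_domain_id` is the only trait in `dns_domain_traits` without the `payload.` prefix, which looks like a typo and is unlikely to resolve against the notification payload. The `profiler.*` entry also captures `db.statement` and `db.params` as traits, so raw SQL text and bound parameter values land in the event store whenever osprofiler is enabled; a comment above it such as `# NOTE: db.params may carry credentials or PII; only enable osprofiler outside production` would make that visible. This hunk starts on the previous line of the diff.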
diff --git a/playbooks/roles/os_ceilometer/templates/gnocchi_resources.yaml.j2 b/playbooks/roles/os_ceilometer/templates/gnocchi_resources.yaml.j2 new file mode 100644 index 0000000000..578756116c --- /dev/null +++ b/playbooks/roles/os_ceilometer/templates/gnocchi_resources.yaml.j2 
@@ -0,0 +1,176 @@ +--- + +resources: + - resource_type: identity + archive_policy: low + metrics: + - 'identity.authenticate.success' + - 'identity.authenticate.pending' + - 'identity.authenticate.failure' + - 'identity.user.created' + - 'identity.user.deleted' + - 'identity.user.updated' + - 'identity.group.created' + - 'identity.group.deleted' + - 'identity.group.updated' + - 'identity.role.created' + - 'identity.role.deleted' + - 'identity.role.updated' + - 'identity.project.created' + - 'identity.project.deleted' + - 'identity.project.updated' + - 'identity.trust.created' + - 'identity.trust.deleted' + - 'identity.role_assignment.created' + - 'identity.role_assignment.deleted' + + - resource_type: ceph_account + metrics: + - 'radosgw.objects' + - 'radosgw.objects.size' + - 'radosgw.objects.containers' + - 'radosgw.api.request' + - 'radosgw.containers.objects' + - 'radosgw.containers.objects.size' + + - resource_type: instance + metrics: + - 'instance' + - 'memory' + - 'memory.usage' + - 'memory.resident' + - 'vcpus' + - 'cpu' + - 'cpu.delta' + - 'cpu_util' + - 'disk.root.size' + - 'disk.ephemeral.size' + - 'disk.read.requests' + - 'disk.read.requests.rate' + - 'disk.write.requests' + - 'disk.write.requests.rate' + - 'disk.read.bytes' + - 'disk.read.bytes.rate' + - 'disk.write.bytes' + - 'disk.write.bytes.rate' + - 'disk.latency' + - 'disk.iops' + - 'disk.capacity' + - 'disk.allocation' + - 'disk.usage' + attributes: + host: resource_metadata.host + image_ref: resource_metadata.image_ref + display_name: resource_metadata.display_name + flavor_id: resource_metadata.(instance_flavor_id|(flavor.id)) + server_group: resource_metadata.user_metadata.server_group + + - resource_type: instance_network_interface + metrics: + - 'network.outgoing.packets.rate' + - 'network.incoming.packets.rate' + - 'network.outgoing.packets' + - 'network.incoming.packets' + - 'network.outgoing.bytes.rate' + - 'network.incoming.bytes.rate' + - 'network.outgoing.bytes' + - 
'network.incoming.bytes' + attributes: + name: resource_metadata.vnic_name + instance_id: resource_metadata.instance_id + + - resource_type: instance_disk + metrics: + - 'disk.device.read.requests' + - 'disk.device.read.requests.rate' + - 'disk.device.write.requests' + - 'disk.device.write.requests.rate' + - 'disk.device.read.bytes' + - 'disk.device.read.bytes.rate' + - 'disk.device.write.bytes' + - 'disk.device.write.bytes.rate' + - 'disk.device.latency' + - 'disk.device.iops' + - 'disk.device.capacity' + - 'disk.device.allocation' + - 'disk.device.usage' + attributes: + name: resource_metadata.disk_name + instance_id: resource_metadata.instance_id + + - resource_type: image + metrics: + - 'image' + - 'image.size' + - 'image.download' + - 'image.serve' + attributes: + name: resource_metadata.name + container_format: resource_metadata.container_format + disk_format: resource_metadata.disk_format + + - resource_type: ipmi + metrics: + - 'hardware.ipmi.node.power' + - 'hardware.ipmi.node.temperature' + - 'hardware.ipmi.node.inlet_temperature' + - 'hardware.ipmi.node.outlet_temperature' + - 'hardware.ipmi.node.fan' + - 'hardware.ipmi.node.current' + - 'hardware.ipmi.node.voltage' + - 'hardware.ipmi.node.airflow' + - 'hardware.ipmi.node.cups' + - 'hardware.ipmi.node.cpu_util' + - 'hardware.ipmi.node.mem_util' + - 'hardware.ipmi.node.io_util' + + - resource_type: network + metrics: + - 'bandwidth' + - 'network' + - 'network.create' + - 'network.update' + - 'subnet' + - 'subnet.create' + - 'subnet.update' + - 'port' + - 'port.create' + - 'port.update' + - 'router' + - 'router.create' + - 'router.update' + - 'ip.floating' + - 'ip.floating.create' + - 'ip.floating.update' + + - resource_type: stack + metrics: + - 'stack.create' + - 'stack.update' + - 'stack.delete' + - 'stack.resume' + - 'stack.suspend' + + - resource_type: swift_account + metrics: + - 'storage.objects.incoming.bytes' + - 'storage.objects.outgoing.bytes' + - 'storage.api.request' + - 'storage.objects.size' 
+ - 'storage.objects' + - 'storage.objects.containers' + - 'storage.containers.objects' + - 'storage.containers.objects.size' + + - resource_type: volume + metrics: + - 'volume' + - 'volume.size' + - 'volume.create' + - 'volume.delete' + - 'volume.update' + - 'volume.resize' + - 'volume.attach' + - 'volume.detach' + attributes: + display_name: resource_metadata.display_name diff --git a/playbooks/roles/os_ceilometer/templates/osprofiler_event_definitions.yaml.j2 b/playbooks/roles/os_ceilometer/templates/osprofiler_event_definitions.yaml.j2 new file mode 100644 index 0000000000..d2a8753962 --- /dev/null +++ b/playbooks/roles/os_ceilometer/templates/osprofiler_event_definitions.yaml.j2 @@ -0,0 +1,31 @@ +--- +- event_type: profiler.* + traits: + project: + fields: payload.project + service: + fields: payload.service + name: + fields: payload.name + base_id: + fields: payload.base_id + trace_id: + fields: payload.trace_id + parent_id: + fields: payload.parent_id + timestamp: + fields: payload.timestamp + host: + fields: payload.info.host + path: + fields: payload.info.request.path + query: + fields: payload.info.request.query + method: + fields: payload.info.request.method + scheme: + fields: payload.info.request.scheme + db.statement: + fields: payload.info.db.statement + db.params: + fields: payload.info.db.params diff --git a/playbooks/roles/os_ceilometer/templates/pipeline.yaml.j2 b/playbooks/roles/os_ceilometer/templates/pipeline.yaml.j2 index ca1086a725..a5bd5148e7 100644 --- a/playbooks/roles/os_ceilometer/templates/pipeline.yaml.j2 +++ b/playbooks/roles/os_ceilometer/templates/pipeline.yaml.j2 @@ -12,6 +12,7 @@ sources: - "cpu" sinks: - cpu_sink + - cpu_delta_sink - name: disk_source interval: 600 meters: 
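Review bot: This new osprofiler_event_definitions.yaml.j2 repeats the `profiler.*` definition that the same change appends to event_definitions.yaml.j2, so there are now two copies to keep in sync under two separate override variables. As far as I recall ceilometer reads a single definitions file (the one named in its `[event]` definitions option), so either one copy should go or a header comment such as `# Standalone osprofiler definitions; mirrors the profiler.* block in event_definitions.yaml` should say why both exist and which one the deployment actually loads. As in the other copy, `db.statement`/`db.params` record SQL text and bound values into events, which is worth a note for anyone enabling the profiler.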
@@ -50,6 +51,15 @@ sinks: scale: "100.0 / (10**9 * (resource_metadata.cpu_number or 1))" publishers: - notifier:// + - name: cpu_delta_sink + transformers: + - name: "delta" + parameters: + target: + name: "cpu.delta" + growth_only: True + publishers: + - notifier:// - name: disk_sink transformers: - name: "rate_of_change" @@ -80,4 +90,3 @@ sinks: type: "gauge" publishers: - notifier:// - diff --git a/playbooks/roles/os_ceilometer/templates/rootwrap.conf.j2 b/playbooks/roles/os_ceilometer/templates/rootwrap.conf.j2 new file mode 100644 index 0000000000..cee5c61ad7 --- /dev/null +++ b/playbooks/roles/os_ceilometer/templates/rootwrap.conf.j2 @@ -0,0 +1,27 @@ +# Configuration for ceilometer-rootwrap +# This file should be owned by (and only-writeable by) the root user + +[DEFAULT] +# List of directories to load filter definitions from (separated by ','). +# These directories MUST all be only writeable by root ! +filters_path=/etc/ceilometer/rootwrap.d,/usr/share/ceilometer/rootwrap + +# List of directories to search executables in, in case filters do not +# explicitely specify a full path (separated by ',') +# If not specified, defaults to system PATH environment variable. +# These directories MUST all be only writeable by root ! +exec_dirs={{ ceilometer_bin }},/sbin,/usr/sbin,/bin,/usr/bin + +# Enable logging to syslog +# Default value is False +use_syslog=False + +# Which syslog facility to use. +# Valid values include auth, authpriv, syslog, user0, user1... +# Default value is 'syslog' +syslog_log_facility=syslog + +# Which messages to log. +# INFO means log all usage +# ERROR means only log unsuccessful attempts +syslog_log_level=ERROR diff --git a/playbooks/roles/os_cinder/files/rootwrap.d/volume.filters b/playbooks/roles/os_cinder/files/rootwrap.d/volume.filters index 9e7ab384c4..ceee5c87ae 100644 --- a/playbooks/roles/os_cinder/files/rootwrap.d/volume.filters +++ b/playbooks/roles/os_cinder/files/rootwrap.d/volume.filters 
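Review bot: `exec_dirs={{ ceilometer_bin }},/sbin,/usr/sbin,/bin,/usr/bin` puts the venv bin directory first in the path rootwrap searches to resolve unqualified commands, directly under the comment saying those directories MUST be root-only writable. If `{{ ceilometer_bin }}` is the service user's venv (not visible in this diff), an `ipmitool` dropped there by that user is what `ipmi.filters` will execute as root. The only filter this role ships is for the system `ipmitool`, so `exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin` is sufficient; if the venv path must stay, list it last and make sure it is root-owned. Consider `use_syslog=True` with `syslog_log_level=INFO` as well, since every rootwrap invocation is exactly the kind of privileged action an incident responder wants in the audit trail.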
@@ -27,23 +27,15 @@ lvdisplay_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvdisplay # os-brick.filters file instead and clean out stale brick values from # this file. scsi_id: CommandFilter, /lib/udev/scsi_id, root - -# cinder/volumes/drivers/srb.py: 'pvresize', '--setphysicalvolumesize', sizestr, pvname -pvresize: CommandFilter, pvresize, root +drbdadm: CommandFilter, drbdadm, root # cinder/brick/local_dev/lvm.py: 'vgcreate', vg_name, pv_list vgcreate: CommandFilter, vgcreate, root -# cinder/volumes/drivers/srb.py: 'vgremove', '-f', vgname -vgremove: CommandFilter, vgremove, root - -# cinder/volumes/drivers/srb.py: 'vgchange', '-an', vgname -# cinder/volumes/drivers/srb.py: 'vgchange', '-ay', vgname -vgchange: CommandFilter, vgchange, root - -# cinder/volume/driver.py: 'lvcreate', '-L', sizestr, '-n', volume_name,.. -# cinder/volume/driver.py: 'lvcreate', '-L', ... -lvcreate: CommandFilter, lvcreate, root +# cinder/brick/local_dev/lvm.py: 'lvcreate', '-L', sizestr, '-n', volume_name,.. +# cinder/brick/local_dev/lvm.py: 'lvcreate', '-L', ... +lvcreate: EnvFilter, env, root, LC_ALL=C, lvcreate +lvcreate_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvcreate # cinder/volume/driver.py: 'dd', 'if=%s' % srcstr, 'of=%s' % deststr,... dd: CommandFilter, dd, root 
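Review bot: `drbdadm: CommandFilter, drbdadm, root` is added without the `# cinder/...: 'drbdadm', ...` provenance comment every other entry carries; those comments are how the set of root-capable commands gets audited against the driver code, and this entry also lands between the os-brick note and `vgcreate` rather than next to the driver that needs it. Add a comment naming the cinder driver that invokes it and move the line beside that driver's other filters. Note too that bare `lvcreate` is no longer admitted (only `env ... LC_ALL=C lvcreate` via the two EnvFilters), so any out-of-tree driver still calling `lvcreate` directly will be refused by rootwrap after this change.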
@@ -54,13 +46,17 @@ lvremove: CommandFilter, lvremove, root # cinder/volume/driver.py: 'lvrename', '%(vg)s', '%(orig)s' '(new)s'... lvrename: CommandFilter, lvrename, root -# cinder/volume/driver.py: 'lvextend', '-L' '%(new_size)s', '%(lv_name)s' ... -# cinder/volume/driver.py: 'lvextend', '-L' '%(new_size)s', '%(thin_pool)s' ... -lvextend: CommandFilter, lvextend, root +# cinder/brick/local_dev/lvm.py: 'lvextend', '-L' '%(new_size)s', '%(lv_name)s' ... +# cinder/brick/local_dev/lvm.py: 'lvextend', '-L' '%(new_size)s', '%(thin_pool)s' ... +lvextend: EnvFilter, env, root, LC_ALL=C, lvextend +lvextend_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvextend # cinder/brick/local_dev/lvm.py: 'lvchange -a y -K ' lvchange: CommandFilter, lvchange, root +# cinder/brick/local_dev/lvm.py: 'lvconvert', '--merge', snapshot_name +lvconvert: CommandFilter, lvconvert, root + # cinder/volume/driver.py: 'iscsiadm', '-m', 'discovery', '-t',... # cinder/volume/driver.py: 'iscsiadm', '-m', 'node', '-T', ... iscsiadm: CommandFilter, iscsiadm, root diff --git a/playbooks/roles/os_cinder/templates/api-paste.ini.j2 b/playbooks/roles/os_cinder/templates/api-paste.ini.j2 index 0d79c81395..b0f7b367b0 100644 --- a/playbooks/roles/os_cinder/templates/api-paste.ini.j2 +++ b/playbooks/roles/os_cinder/templates/api-paste.ini.j2 
@@ -10,32 +10,34 @@ use = call:cinder.api:root_app_factory [composite:openstack_volume_api_v1] use = call:cinder.api.middleware.auth:pipeline_factory -noauth = request_id faultwrap sizelimit osprofiler noauth apiv1 -keystone = request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv1 -keystone_nolimit = request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv1 +noauth = cors request_id faultwrap sizelimit osprofiler noauth apiv1 +keystone = cors request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv1 +keystone_nolimit = cors request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv1 [composite:openstack_volume_api_v2] use = call:cinder.api.middleware.auth:pipeline_factory -noauth = request_id faultwrap sizelimit osprofiler noauth apiv2 -keystone = request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2 -keystone_nolimit = request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2 +noauth = cors request_id faultwrap sizelimit osprofiler noauth apiv2 +keystone = cors request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2 +keystone_nolimit = cors request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2 [filter:request_id] paste.filter_factory = oslo_middleware.request_id:RequestId.factory +[filter:cors] +paste.filter_factory = oslo_middleware.cors:filter_factory +oslo_config_project = cinder + [filter:faultwrap] paste.filter_factory = cinder.api.middleware.fault:FaultWrapper.factory [filter:osprofiler] paste.filter_factory = osprofiler.web:WsgiMiddleware.factory -hmac_keys = {{ cinder_profiler_hmac_key }} -enabled = yes [filter:noauth] paste.filter_factory = cinder.api.middleware.auth:NoAuthMiddleware.factory [filter:sizelimit] -paste.filter_factory = oslo_middleware:RequestBodySizeLimiter.factory +paste.filter_factory = cinder.api.middleware.sizelimit:RequestBodySizeLimiter.factory [app:apiv1] paste.app_factory = 
cinder.api.v1.router:APIRouter.factory @@ -44,7 +46,7 @@ paste.app_factory = cinder.api.v1.router:APIRouter.factory paste.app_factory = cinder.api.v2.router:APIRouter.factory [pipeline:apiversions] -pipeline = faultwrap osvolumeversionapp +pipeline = cors faultwrap osvolumeversionapp [app:osvolumeversionapp] paste.app_factory = cinder.api.versions:Versions.factory diff --git a/playbooks/roles/os_cinder/templates/policy.json.j2 b/playbooks/roles/os_cinder/templates/policy.json.j2 index 4c8a8aa507..bcb53c48a2 100644 --- a/playbooks/roles/os_cinder/templates/policy.json.j2 +++ b/playbooks/roles/os_cinder/templates/policy.json.j2 @@ -25,6 +25,7 @@ "volume_extension:types_manage": "rule:admin_api", "volume_extension:types_extra_specs": "rule:admin_api", + "volume_extension:access_types_extra_specs": "rule:admin_api", "volume_extension:volume_type_access": "rule:admin_or_owner", "volume_extension:volume_type_access:addProjectAccess": "rule:admin_api", "volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api", @@ -35,6 +36,7 @@ "volume_extension:quotas:show": "", "volume_extension:quotas:update": "rule:admin_api", + "volume_extension:quotas:delete": "rule:admin_api", "volume_extension:quota_classes": "rule:admin_api", "volume_extension:volume_admin_actions:reset_status": "rule:admin_api", diff --git a/playbooks/roles/os_glance/templates/glance-api-paste.ini.j2 b/playbooks/roles/os_glance/templates/glance-api-paste.ini.j2 index d4f36a267f..e6f10e8287 100644 --- a/playbooks/roles/os_glance/templates/glance-api-paste.ini.j2 +++ b/playbooks/roles/os_glance/templates/glance-api-paste.ini.j2 
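Review bot: The `[filter:osprofiler]` section loses `hmac_keys = {{ cinder_profiler_hmac_key }}` and `enabled = yes`, so profiling is now governed by whatever `[profiler]` section cinder.conf carries; that template is not in this diff, so please confirm it was updated in step and that `cinder_profiler_hmac_key` is either wired there or removed from the role defaults, otherwise it becomes a dead variable that looks like it does something. The new `cors` filter does nothing until `[cors] allowed_origin` is set in cinder.conf; a comment on the filter such as `# CORS allow-list lives in [cors] of cinder.conf; leave it unset unless a browser client needs it` would discourage wildcarding it later. The pipeline composites continue outside the hunk.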
@@ -1,38 +1,38 @@ # Use this pipeline for no auth or image caching - DEFAULT [pipeline:glance-api] -pipeline = healthcheck versionnegotiation osprofiler unauthenticated-context rootapp +pipeline = cors healthcheck versionnegotiation osprofiler unauthenticated-context rootapp # Use this pipeline for image caching and no auth [pipeline:glance-api-caching] -pipeline = healthcheck versionnegotiation osprofiler unauthenticated-context cache rootapp +pipeline = cors healthcheck versionnegotiation osprofiler unauthenticated-context cache rootapp # Use this pipeline for caching w/ management interface but no auth [pipeline:glance-api-cachemanagement] -pipeline = healthcheck versionnegotiation osprofiler unauthenticated-context cache cachemanage rootapp +pipeline = cors healthcheck versionnegotiation osprofiler unauthenticated-context cache cachemanage rootapp # Use this pipeline for keystone auth [pipeline:glance-api-keystone] -pipeline = healthcheck versionnegotiation osprofiler authtoken context rootapp +pipeline = cors healthcheck versionnegotiation osprofiler authtoken context rootapp # Use this pipeline for keystone auth with image caching [pipeline:glance-api-keystone+caching] -pipeline = healthcheck versionnegotiation osprofiler authtoken context cache rootapp +pipeline = cors healthcheck versionnegotiation osprofiler authtoken context cache rootapp # Use this pipeline for keystone auth with caching and cache management [pipeline:glance-api-keystone+cachemanagement] -pipeline = healthcheck versionnegotiation osprofiler authtoken context cache cachemanage rootapp +pipeline = cors healthcheck versionnegotiation osprofiler authtoken context cache cachemanage rootapp # Use this pipeline for authZ only. This means that the registry will treat a # user as authenticated without making requests to keystone to reauthenticate # the user. 
[pipeline:glance-api-trusted-auth] -pipeline = healthcheck versionnegotiation osprofiler context rootapp +pipeline = cors healthcheck versionnegotiation osprofiler context rootapp # Use this pipeline for authZ only. This means that the registry will treat a # user as authenticated without making requests to keystone to reauthenticate # the user and uses cache management [pipeline:glance-api-trusted-auth+cachemanagement] -pipeline = healthcheck versionnegotiation osprofiler context cache cachemanage rootapp +pipeline = cors healthcheck versionnegotiation osprofiler context cache cachemanage rootapp [composite:rootapp] paste.composite_factory = glance.api:root_app_factory 
@@ -82,5 +82,27 @@ paste.filter_factory = glance.api.middleware.gzip:GzipMiddleware.factory [filter:osprofiler] paste.filter_factory = osprofiler.web:WsgiMiddleware.factory -hmac_keys = {{ glance_profiler_hmac_key }} -enabled = yes +hmac_keys = {{ glance_profiler_hmac_key }} #DEPRECATED +enabled = yes #DEPRECATED + +[filter:cors] +paste.filter_factory = oslo_middleware.cors:filter_factory +oslo_config_project = glance +oslo_config_program = glance-api +# Basic Headers (Automatic) +# Accept = Origin, Accept, Accept-Language, Content-Type, Cache-Control, Content-Language, Expires, Last-Modified, Pragma +# Expose = Origin, Accept, Accept-Language, Content-Type, Cache-Control, Content-Language, Expires, Last-Modified, Pragma + +# Glance Headers +# Accept = Content-MD5, X-Image-Meta-Checksum, X-Storage-Token, Accept-Encoding +# Expose = X-Image-Meta-Checksum + +# Keystone Headers +# Accept = X-Auth-Token, X-Identity-Status, X-Roles, X-Service-Catalog, X-User-Id, X-Tenant-Id +# Expose = X-Auth-Token, X-Subject-Token, X-Service-Token + +# Request ID Middleware Headers +# Accept = X-OpenStack-Request-ID +# Expose = X-OpenStack-Request-ID +latent_allow_headers = Content-MD5, X-Image-Meta-Checksum, X-Storage-Token, Accept-Encoding, X-Auth-Token, X-Identity-Status, X-Roles, X-Service-Catalog, X-User-Id, X-Tenant-Id, X-OpenStack-Request-ID +latent_expose_headers = X-Image-Meta-Checksum, X-Auth-Token, X-Subject-Token, X-Service-Token, X-OpenStack-Request-ID diff --git a/playbooks/roles/os_glance/templates/glance-registry-paste.ini.j2 b/playbooks/roles/os_glance/templates/glance-registry-paste.ini.j2 index ae6755298b..496529a3b1 100644 --- a/playbooks/roles/os_glance/templates/glance-registry-paste.ini.j2 +++ b/playbooks/roles/os_glance/templates/glance-registry-paste.ini.j2 
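Review bot: The trailing `#DEPRECATED` on `hmac_keys = {{ glance_profiler_hmac_key }} #DEPRECATED` and `enabled = yes #DEPRECATED` is not an inline comment for Paste Deploy's ConfigParser-based loader — only a `;` preceded by whitespace starts an inline comment there — so the marker becomes part of each value. That is harmless only if nothing parses these keys any more; if the deployed osprofiler still honours paste-level settings, the HMAC key list would contain the literal `#DEPRECATED` token. Put the marker on its own line above the keys, e.g. `# DEPRECATED: see the [profiler] section of the service config`, or drop the two keys as the cinder and heat templates in this change do. The same inline marker is added to glance-registry-paste.ini.j2 at L23.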
@@ -31,5 +31,5 @@ paste.filter_factory = keystonemiddleware.auth_token:filter_factory [filter:osprofiler] paste.filter_factory = osprofiler.web:WsgiMiddleware.factory -hmac_keys = {{ glance_profiler_hmac_key }} -enabled = yes +hmac_keys = {{ glance_profiler_hmac_key }} #DEPRECATED +enabled = yes #DEPRECATED diff --git a/playbooks/roles/os_glance/templates/policy.json.j2 b/playbooks/roles/os_glance/templates/policy.json.j2 index 3a3042e0dd..4bbc8b46c6 100644 --- a/playbooks/roles/os_glance/templates/policy.json.j2 +++ b/playbooks/roles/os_glance/templates/policy.json.j2 @@ -1,7 +1,5 @@ { "context_is_admin": "role:admin", - "tenant_is_owner": "tenant:%(owner)s", - "admin_or_owner": "role:admin OR rule:tenant_is_owner", "default": "", "add_image": "", @@ -9,7 +7,7 @@ "get_image": "", "get_images": "", "modify_image": "", - "publicize_image": "rule:admin_or_owner", + "publicize_image": "role:admin", "copy_from": "", "download_image": "", @@ -19,11 +17,11 @@ "get_image_location": "", "set_image_location": "", - "add_member": "rule:admin_or_owner", - "delete_member": "rule:admin_or_owner", + "add_member": "", + "delete_member": "", "get_member": "", "get_members": "", - "modify_member": "rule:admin_or_owner", + "modify_member": "", "manage_image_cache": "role:admin", diff --git a/playbooks/roles/os_heat/templates/api-paste.ini.j2 b/playbooks/roles/os_heat/templates/api-paste.ini.j2 index f0eedb8ed7..b0613156ab 100644 --- a/playbooks/roles/os_heat/templates/api-paste.ini.j2 +++ b/playbooks/roles/os_heat/templates/api-paste.ini.j2 @@ -1,7 +1,7 @@ # heat-api pipeline [pipeline:heat-api] -pipeline = request_id faultwrap ssl versionnegotiation osprofiler authurl authtoken context apiv1app +pipeline = cors request_id faultwrap ssl versionnegotiation osprofiler authurl authtoken context apiv1app # heat-api pipeline for standalone heat # ie. uses alternative auth backend that authenticates users against keystone 
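Review bot: `add_member`, `delete_member` and `modify_member` are relaxed from `rule:admin_or_owner` to `""`, so the policy layer now passes any authenticated request and image ownership is enforced only by whatever checks exist inside the image-members API code. If the intent is to track the upstream default, say so in the commit message; otherwise keep `"add_member": "rule:admin_or_owner"` (and its two siblings) and retain the `tenant_is_owner`/`admin_or_owner` rule definitions that the first hunk removes. Removing those two definitions also affects any rule outside these hunks that still references `rule:admin_or_owner`; oslo.policy evaluates an unresolved rule reference as a deny rather than an error, so it would surface as an unexplained 403 instead of a load-time failure.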
@@ -12,7 +12,7 @@ pipeline = request_id faultwrap ssl versionnegotiation osprofiler authurl authto # flavor = standalone # [pipeline:heat-api-standalone] -pipeline = request_id faultwrap ssl versionnegotiation authurl authpassword context apiv1app +pipeline = cors request_id faultwrap ssl versionnegotiation authurl authpassword context apiv1app # heat-api pipeline for custom cloud backends # i.e. in heat.conf: @@ -20,25 +20,25 @@ pipeline = request_id faultwrap ssl versionnegotiation authurl authpassword cont # flavor = custombackend # [pipeline:heat-api-custombackend] -pipeline = request_id faultwrap versionnegotiation context custombackendauth apiv1app +pipeline = cors request_id faultwrap versionnegotiation context custombackendauth apiv1app # heat-api-cfn pipeline [pipeline:heat-api-cfn] -pipeline = cfnversionnegotiation osprofiler ec2authtoken authtoken context apicfnv1app +pipeline = cors cfnversionnegotiation osprofiler ec2authtoken authtoken context apicfnv1app # heat-api-cfn pipeline for standalone heat # relies exclusively on authenticating with ec2 signed requests [pipeline:heat-api-cfn-standalone] -pipeline = cfnversionnegotiation ec2authtoken context apicfnv1app +pipeline = cors cfnversionnegotiation ec2authtoken context apicfnv1app # heat-api-cloudwatch pipeline [pipeline:heat-api-cloudwatch] -pipeline = versionnegotiation osprofiler ec2authtoken authtoken context apicwapp +pipeline = cors versionnegotiation osprofiler ec2authtoken authtoken context apicwapp # heat-api-cloudwatch pipeline for standalone heat # relies exclusively on authenticating with ec2 signed requests [pipeline:heat-api-cloudwatch-standalone] -pipeline = versionnegotiation ec2authtoken context apicwapp +pipeline = cors versionnegotiation ec2authtoken context apicwapp [app:apiv1app] paste.app_factory = heat.common.wsgi:app_factory 
@@ -56,6 +56,10 @@ heat.app_factory = heat.api.cloudwatch:API paste.filter_factory = heat.common.wsgi:filter_factory heat.filter_factory = heat.api.openstack:version_negotiation_filter +[filter:cors] +paste.filter_factory = oslo_middleware.cors:filter_factory +oslo_config_project = heat + [filter:faultwrap] paste.filter_factory = heat.common.wsgi:filter_factory heat.filter_factory = heat.api.openstack:faultwrap_filter @@ -100,5 +104,3 @@ paste.filter_factory = oslo_middleware.request_id:RequestId.factory [filter:osprofiler] paste.filter_factory = osprofiler.web:WsgiMiddleware.factory -hmac_keys = {{ heat_profiler_hmac_key }} -enabled = {{ heat_profiler_enabled }} diff --git a/playbooks/roles/os_heat/templates/policy.json.j2 b/playbooks/roles/os_heat/templates/policy.json.j2 index 1c8cd02719..1be98e8f76 100644 --- a/playbooks/roles/os_heat/templates/policy.json.j2 +++ b/playbooks/roles/os_heat/templates/policy.json.j2 @@ -62,6 +62,8 @@ "stacks:delete_snapshot": "rule:deny_stack_user", "stacks:list_snapshots": "rule:deny_stack_user", "stacks:restore_snapshot": "rule:deny_stack_user", + "stacks:list_outputs": "rule:deny_stack_user", + "stacks:show_output": "rule:deny_stack_user", "software_configs:global_index": "rule:deny_everybody", "software_configs:index": "rule:deny_stack_user", diff --git a/playbooks/roles/os_heat/templates/templates/AWS_RDS_DBInstance.yaml.j2 b/playbooks/roles/os_heat/templates/templates/AWS_RDS_DBInstance.yaml.j2 index b7c53bdd69..30173442e6 100644 --- a/playbooks/roles/os_heat/templates/templates/AWS_RDS_DBInstance.yaml.j2 +++ b/playbooks/roles/os_heat/templates/templates/AWS_RDS_DBInstance.yaml.j2 @@ -95,8 +95,8 @@ Resources: MasterUserPassword: {Ref: MasterUserPassword} WaitHandle: {Ref: WaitHandle} - | - #!/usr/bin/env bash - set -v + #!/bin/bash -v + # iptables -F # Helper function diff --git a/playbooks/roles/os_keystone/defaults/main.yml b/playbooks/roles/os_keystone/defaults/main.yml index 204b9ae90a..6737ab0720 100644 
--- a/playbooks/roles/os_keystone/defaults/main.yml +++ b/playbooks/roles/os_keystone/defaults/main.yml @@ -356,11 +356,13 @@ keystone_requires_pip_packages: # Common pip packages keystone_pip_packages: + - argparse - keystone - keystonemiddleware - ldappool - lxml - PyMySQL + - oslo.log - oslo.middleware - pbr - pycrypto diff --git a/playbooks/roles/os_keystone/templates/keystone-paste.ini.j2 b/playbooks/roles/os_keystone/templates/keystone-paste.ini.j2 index 70db3823dd..0d731d0a7f 100644 --- a/playbooks/roles/os_keystone/templates/keystone-paste.ini.j2 +++ b/playbooks/roles/os_keystone/templates/keystone-paste.ini.j2 @@ -1,10 +1,10 @@ # Keystone PasteDeploy configuration file. [filter:debug] -use = egg:keystone#debug +use = egg:oslo.middleware#debug [filter:request_id] -use = egg:keystone#request_id +use = egg:oslo.middleware#request_id [filter:build_auth_context] use = egg:keystone#build_auth_context @@ -30,29 +30,17 @@ use = egg:keystone#ec2_extension [filter:ec2_extension_v3] use = egg:keystone#ec2_extension_v3 -[filter:federation_extension] -use = egg:keystone#federation_extension - -[filter:oauth1_extension] -use = egg:keystone#oauth1_extension - [filter:s3_extension] use = egg:keystone#s3_extension -[filter:endpoint_filter_extension] -use = egg:keystone#endpoint_filter_extension - [filter:simple_cert_extension] use = egg:keystone#simple_cert_extension -[filter:revoke_extension] -use = egg:keystone#revoke_extension - [filter:url_normalize] use = egg:keystone#url_normalize [filter:sizelimit] -use = egg:keystone#sizelimit +use = egg:oslo.middleware#sizelimit [app:public_service] use = egg:keystone#public_service 
@@ -76,7 +64,7 @@ pipeline = sizelimit url_normalize request_id build_auth_context token_auth admi [pipeline:api_v3] # The last item in this pipeline must be service_v3 or an equivalent # application. It cannot be a filter. -pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension federation_extension oauth1_extension endpoint_filter_extension service_v3 +pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension service_v3 [app:public_version_service] use = egg:keystone#public_version_service diff --git a/playbooks/roles/os_keystone/templates/keystone-wsgi.py.j2 b/playbooks/roles/os_keystone/templates/keystone-wsgi.py.j2 index 7c39db6e38..400ee7f8b4 100644 --- a/playbooks/roles/os_keystone/templates/keystone-wsgi.py.j2 +++ b/playbooks/roles/os_keystone/templates/keystone-wsgi.py.j2 @@ -19,12 +19,30 @@ activate_this = os.path.expanduser("{{ keystone_venv_bin }}/activate_this.py") execfile(activate_this, dict(__file__=activate_this)) {% endif %} +import os + +from oslo_log import log +from oslo_log import versionutils + +from keystone.i18n import _LW from keystone.server import wsgi as wsgi_server name = os.path.basename(__file__) +LOG = log.getLogger(__name__) + + +def deprecation_warning(): + versionutils.report_deprecated_feature( + LOG, + _LW('httpd/keystone.py is deprecated as of Mitaka' + ' in favor of keystone-wsgi-admin and keystone-wsgi-public' + ' and may be removed in O.') + ) # NOTE(ldbragst): 'application' is required in this context by WSGI spec. # The following is a reference to Python Paste Deploy documentation # http://pythonpaste.org/deploy/ -application = wsgi_server.initialize_application(name) +application = wsgi_server.initialize_application( + name, + post_log_configured_function=deprecation_warning) 
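Review bot: The added `import os` is redundant: `os.path.expanduser(...)` is already used on the `activate_this` line immediately above the hunk, so `os` is necessarily in scope before this point. Drop that line and keep only the `oslo_log`, `versionutils` and `keystone.i18n` imports, which are presumably placed after the venv activation block so they resolve from the activated environment, as the existing `keystone.server` import already is. A short comment there would help the next reader, e.g. `# imports below this line must follow venv activation`.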
diff --git a/playbooks/roles/os_keystone/templates/policy.json.j2 b/playbooks/roles/os_keystone/templates/policy.json.j2 index ebb94b02d0..47aa9efd81 100644 --- a/playbooks/roles/os_keystone/templates/policy.json.j2 +++ b/playbooks/roles/os_keystone/templates/policy.json.j2 @@ -82,6 +82,7 @@ "identity:revoke_grant": "rule:admin_required", "identity:list_role_assignments": "rule:admin_required", + "identity:list_role_assignments_for_tree": "rule:admin_required", "identity:get_policy": "rule:admin_required", "identity:list_policies": "rule:admin_required", @@ -180,5 +181,6 @@ "identity:create_domain_config": "rule:admin_required", "identity:get_domain_config": "rule:admin_required", "identity:update_domain_config": "rule:admin_required", - "identity:delete_domain_config": "rule:admin_required" + "identity:delete_domain_config": "rule:admin_required", + "identity:get_domain_config_default": "rule:admin_required" } diff --git a/playbooks/roles/os_neutron/files/rootwrap.d/functional-testing.filters b/playbooks/roles/os_neutron/files/rootwrap.d/functional-testing.filters new file mode 100644 index 0000000000..40a4504795 --- /dev/null +++ b/playbooks/roles/os_neutron/files/rootwrap.d/functional-testing.filters 
@@ -0,0 +1,35 @@ +# neutron-rootwrap command filters to support functional testing. It +# is NOT intended to be used outside of a test environment. +# +# This file should be owned by (and only-writeable by) the root user + +[Filters] +# enable ping from namespace +ping_filter: CommandFilter, ping, root +ping6_filter: CommandFilter, ping6, root + +# enable curl from namespace +curl_filter: RegExpFilter, /usr/bin/curl, root, curl, --max-time, \d+, -D-, http://[0-9a-z:./-]+ +nc_filter: CommandFilter, nc, root +# netcat has different binaries depending on linux distribution +nc_kill: KillFilter, root, nc, -9 +ncbsd_kill: KillFilter, root, nc.openbsd, -9 +ncat_kill: KillFilter, root, ncat, -9 +ss_filter: CommandFilter, ss, root + +# enable neutron-linuxbridge-cleanup from namespace +lb_cleanup_filter: RegExpFilter, neutron-linuxbridge-cleanup, root, neutron-linuxbridge-cleanup, --config-file, .* + +# enable dhclient from namespace +dhclient_filter: CommandFilter, dhclient, root +dhclient_kill: KillFilter, root, dhclient, -9 + +# Actually, dhclient is used for test dhcp-agent and runs +# in dhcp-agent namespace. If in that namespace resolv.conf file not exist +# dhclient will override system /etc/resolv.conf +# Filters below are limit functions mkdir, rm and touch +# only to create and delete file resolv.conf in the that namespace +mkdir_filter: RegExpFilter, /bin/mkdir, root, mkdir, -p, /etc/netns/qdhcp-[0-9a-z./-]+ +rm_filter: RegExpFilter, /bin/rm, root, rm, -r, /etc/netns/qdhcp-[0-9a-z./-]+ +touch_filter: RegExpFilter, /bin/touch, root, touch, /etc/netns/qdhcp-[0-9a-z./-]+/resolv.conf +touch_filter2: RegExpFilter, /usr/bin/touch, root, touch, /etc/netns/qdhcp-[0-9a-z./-]+/resolv.conf diff --git a/playbooks/roles/os_neutron/files/rootwrap.d/iptables-firewall.filters b/playbooks/roles/os_neutron/files/rootwrap.d/iptables-firewall.filters index b8a6ab5b3b..29c78dae3f 100644 --- a/playbooks/roles/os_neutron/files/rootwrap.d/iptables-firewall.filters 
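Review bot: The file's own header says it is `NOT intended to be used outside of a test environment`, yet the copy task at L31 installs it into `/etc/neutron/rootwrap.d/` on every neutron host, which extends the root allow-list for the neutron service account with `ping`, `curl`, `nc`, `ss`, `dhclient` and `mkdir`/`rm`/`touch` under `/etc/netns`. Unless functional tests run on deployed nodes, drop the `functional-testing.filters` entry from the task's `with_items` list or guard it with a variable that defaults to off. Separately, the path patterns in `mkdir_filter`, `rm_filter` and the two `touch_filter`s use `[0-9a-z./-]+`, a class that includes `.` and `/`, so `..` segments after `qdhcp-` still match and `rm -r` is not actually confined to `/etc/netns`. If namespace names are `qdhcp-<uuid>` the suffix can be limited to `[0-9a-f-]+` (to confirm against the dhcp agent code).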
+++ b/playbooks/roles/os_neutron/files/rootwrap.d/iptables-firewall.filters @@ -19,3 +19,10 @@ ip6tables-restore: CommandFilter, ip6tables-restore, root # "iptables", "-A", ... iptables: CommandFilter, iptables, root ip6tables: CommandFilter, ip6tables, root + +# neutron/agent/linux/iptables_manager.py +# "sysctl", "-w", ... +sysctl: CommandFilter, sysctl, root + +# neutron/agent/linux/ip_conntrack.py +conntrack: CommandFilter, conntrack, root \ No newline at end of file diff --git a/playbooks/roles/os_neutron/files/rootwrap.d/l3.filters b/playbooks/roles/os_neutron/files/rootwrap.d/l3.filters index 0fdf60cd1e..f1abc26a93 100644 --- a/playbooks/roles/os_neutron/files/rootwrap.d/l3.filters +++ b/playbooks/roles/os_neutron/files/rootwrap.d/l3.filters @@ -50,3 +50,8 @@ conntrack: CommandFilter, conntrack, root # keepalived state change monitor keepalived_state_change: CommandFilter, neutron-keepalived-state-change, root + +# For creating namespace local /etc +rt_tables_mkdir: RegExpFilter, mkdir, root, mkdir, -p, /etc/netns/qrouter-[^/].* +rt_tables_chown: RegExpFilter, chown, root, chown, [1-9][0-9].*, /etc/netns/qrouter-[^/].* +rt_tables_rmdir: RegExpFilter, rm, root, rm, -r, -f, /etc/netns/qrouter-[^/].* diff --git a/playbooks/roles/os_neutron/tasks/neutron_post_install.yml b/playbooks/roles/os_neutron/tasks/neutron_post_install.yml index c8513e195c..ddbb4fa169 100644 --- a/playbooks/roles/os_neutron/tasks/neutron_post_install.yml +++ b/playbooks/roles/os_neutron/tasks/neutron_post_install.yml 
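Review bot: The three `rt_tables_*` filters added at the end of l3.filters use `/etc/netns/qrouter-[^/].*` as the path argument, and `.*` after the first character matches anything including `..` segments, so the root `rm -r -f`, `mkdir -p` and `chown` these filters admit are not confined to `/etc/netns`. If router namespaces are `qrouter-<uuid>`, tightening the path to `/etc/netns/qrouter-[0-9a-f-]+` keeps the intended allow-list; the `[0-9a-z./-]+` classes in functional-testing.filters at L29 have the same weakness. This hunk is only the tail of l3.filters, so earlier filters with the same shape are outside the view.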
@@ -93,12 +93,13 @@ with_items: - { src: "rootwrap.d/debug.filters", dest: "/etc/neutron/rootwrap.d/debug.filters" } - { src: "rootwrap.d/dibbler.filters", dest: "/etc/neutron/rootwrap.d/dibbler.filters" } + - { src: "rootwrap.d/ebtables.filters", dest: "/etc/neutron/rootwrap.d/ebtables.filters" } + - { src: "rootwrap.d/functional-testing.filters", dest: "/etc/neutron/rootwrap.d/functional-testing.filters" } - { src: "rootwrap.d/ipset-firewall.filters", dest: "/etc/neutron/rootwrap.d/ipset-firewall.filters" } - { src: "rootwrap.d/iptables-firewall.filters", dest: "/etc/neutron/rootwrap.d/iptables-firewall.filters" } - { src: "rootwrap.d/openvswitch-plugin.filters", dest: "/etc/neutron/rootwrap.d/openvswitch-plugin.filters" } - { src: "rootwrap.d/lbaas-haproxy.filters", dest: "/etc/neutron/rootwrap.d/lbaas-haproxy.filters" } - { src: "rootwrap.d/vpnaas.filters", dest: "/etc/neutron/rootwrap.d/vpnaas.filters" } - - { src: "rootwrap.d/ebtables.filters", dest: "/etc/neutron/rootwrap.d/ebtables.filters" } notify: - Restart neutron services tags: diff --git a/playbooks/roles/os_neutron/templates/api-paste.ini.j2 b/playbooks/roles/os_neutron/templates/api-paste.ini.j2 index 4fb3ddbae3..4884fe382c 100644 --- a/playbooks/roles/os_neutron/templates/api-paste.ini.j2 +++ b/playbooks/roles/os_neutron/templates/api-paste.ini.j2 @@ -5,8 +5,8 @@ use = egg:Paste#urlmap [composite:neutronapi_v2_0] use = call:neutron.auth:pipeline_factory -noauth = request_id catch_errors extensions neutronapiapp_v2_0 -keystone = request_id catch_errors authtoken keystonecontext extensions neutronapiapp_v2_0 +noauth = cors request_id catch_errors extensions neutronapiapp_v2_0 +keystone = cors request_id catch_errors authtoken keystonecontext extensions neutronapiapp_v2_0 [filter:request_id] paste.filter_factory = oslo_middleware:RequestId.factory 
@@ -14,6 +14,13 @@ paste.filter_factory = oslo_middleware:RequestId.factory [filter:catch_errors] paste.filter_factory = oslo_middleware:CatchErrors.factory +[filter:cors] +paste.filter_factory = oslo_middleware.cors:filter_factory +oslo_config_project = neutron +latent_allow_headers = X-Auth-Token, X-Identity-Status, X-Roles, X-Service-Catalog, X-User-Id, X-Tenant-Id, X-OpenStack-Request-ID +latent_expose_headers = X-Auth-Token, X-Subject-Token, X-Service-Token, X-OpenStack-Request-ID +latent_allow_methods = GET, PUT, POST, DELETE, PATCH + [filter:keystonecontext] paste.filter_factory = neutron.auth:NeutronKeystoneContext.factory diff --git a/playbooks/roles/os_neutron/templates/policy.json.j2 b/playbooks/roles/os_neutron/templates/policy.json.j2 index 4aab8d5190..c551eb8185 100644 --- a/playbooks/roles/os_neutron/templates/policy.json.j2 +++ b/playbooks/roles/os_neutron/templates/policy.json.j2 @@ -22,8 +22,10 @@ "create_subnetpool": "", "create_subnetpool:shared": "rule:admin_only", + "create_subnetpool:is_default": "rule:admin_only", "get_subnetpool": "rule:admin_or_owner or rule:shared_subnetpools", "update_subnetpool": "rule:admin_or_owner", + "update_subnetpool:is_default": "rule:admin_only", "delete_subnetpool": "rule:admin_or_owner", "create_address_scope": "", @@ -197,5 +199,9 @@ "update_rbac_policy": "rule:admin_or_owner", "update_rbac_policy:target_tenant": "rule:restrict_wildcard and rule:admin_or_owner", "get_rbac_policy": "rule:admin_or_owner", - "delete_rbac_policy": "rule:admin_or_owner" + "delete_rbac_policy": "rule:admin_or_owner", + + "create_flavor_service_profile": "rule:admin_only", + "delete_flavor_service_profile": "rule:admin_only", + "get_flavor_service_profile": "rule:regular_user" } diff --git a/playbooks/roles/os_neutron/templates/rootwrap.conf.j2 b/playbooks/roles/os_neutron/templates/rootwrap.conf.j2 index cca669a346..9ce7c6064e 100644 --- a/playbooks/roles/os_neutron/templates/rootwrap.conf.j2 
+++ b/playbooks/roles/os_neutron/templates/rootwrap.conf.j2 @@ -10,7 +10,7 @@ filters_path=/etc/neutron/rootwrap.d,/usr/share/neutron/rootwrap # explicitely specify a full path (separated by ',') # If not specified, defaults to system PATH environment variable. # These directories MUST all be only writeable by root ! -exec_dirs={{ neutron_bin }},/sbin,/usr/sbin,/bin,/usr/bin +exec_dirs={{ neutron_bin }},/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin # Enable logging to syslog # Default value is False diff --git a/playbooks/roles/os_nova/files/rootwrap.d/compute.filters b/playbooks/roles/os_nova/files/rootwrap.d/compute.filters index 2a38cca54b..6d65fb0f74 100644 --- a/playbooks/roles/os_nova/files/rootwrap.d/compute.filters +++ b/playbooks/roles/os_nova/files/rootwrap.d/compute.filters @@ -203,7 +203,6 @@ multipath: CommandFilter, multipath, root # multipathd show status multipathd: CommandFilter, multipathd, root systool: CommandFilter, systool, root -sginfo: CommandFilter, sginfo, root vgc-cluster: CommandFilter, vgc-cluster, root # os_brick/initiator/connector.py drv_cfg: CommandFilter, /opt/emc/scaleio/sdc/bin/drv_cfg, root, /opt/emc/scaleio/sdc/bin/drv_cfg, --query_guid diff --git a/playbooks/roles/os_nova/templates/api-paste.ini.j2 b/playbooks/roles/os_nova/templates/api-paste.ini.j2 index b53206c6ad..951ae72c5e 100644 --- a/playbooks/roles/os_nova/templates/api-paste.ini.j2 +++ b/playbooks/roles/os_nova/templates/api-paste.ini.j2 @@ -6,7 +6,7 @@ use = egg:Paste#urlmap /: meta [pipeline:meta] -pipeline = metaapp +pipeline = cors metaapp [app:metaapp] paste.app_factory = nova.api.metadata.handler:MetadataRequestHandler.factory 
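Review bot: Appending `/usr/local/bin,/usr/local/sbin` to `exec_dirs` conflicts with the invariant stated two lines above it, `These directories MUST all be only writeable by root`: on Debian-derived systems `/usr/local` subdirectories are conventionally `root:staff` with mode 2775, so a `staff` member could place a binary that rootwrap then runs as root for any filter that names its command without a full path. If the extra directories are needed for particular neutron binaries, have the role assert the directories' ownership and mode before templating this file, or reference those binaries by absolute path in the filters instead. The nova rootwrap.conf hunk at L37 reorders `exec_dirs` but does not add these directories, so the two roles now differ; a one-line comment explaining why would help.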
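Review bot: `pipeline = cors metaapp` puts the CORS filter in front of the metadata service, which answers guest instances rather than browsers, and `[filter:cors]` (defined in the hunk at L36 with `oslo_config_project = nova`) reads the same `[cors]` section of nova.conf as the compute API pipelines. Any `allowed_origin` an operator later configures for dashboard access to the compute API would therefore also be honoured on the metadata endpoint. If that is the accepted upstream layout, a comment on the pipeline line, e.g. `# cors shares nova.conf [cors] with the compute API pipelines`, would make the coupling visible; otherwise leave the meta pipeline without `cors`.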
@@ -23,7 +23,6 @@ use = call:nova.api.openstack.urlmap:urlmap_factory # this causes issues with your clients you can rollback to the # *frozen* v2 api by commenting out the above stanza and using the # following instead:: -# /v1.1: openstack_compute_api_legacy_v2 # /v2: openstack_compute_api_legacy_v2 # if rolling back to v2 fixes your issue please file a critical bug # at - https://bugs.launchpad.net/nova/+bugs 
@@ -33,26 +32,25 @@ use = call:nova.api.openstack.urlmap:urlmap_factory # API). It also provides new features via API microversions which are # opt into for clients. Unaware clients will receive the same frozen # v2 API feature set, but with some relaxed validation -/v1.1: openstack_compute_api_v21_legacy_v2_compatible /v2: openstack_compute_api_v21_legacy_v2_compatible /v2.1: openstack_compute_api_v21 # NOTE: this is deprecated in favor of openstack_compute_api_v21_legacy_v2_compatible [composite:openstack_compute_api_legacy_v2] use = call:nova.api.auth:pipeline_factory -noauth2 = compute_req_id faultwrap sizelimit noauth2 legacy_ratelimit osapi_compute_app_legacy_v2 -keystone = compute_req_id faultwrap sizelimit authtoken keystonecontext legacy_ratelimit osapi_compute_app_legacy_v2 -keystone_nolimit = compute_req_id faultwrap sizelimit authtoken keystonecontext osapi_compute_app_legacy_v2 +noauth2 = cors compute_req_id faultwrap sizelimit noauth2 legacy_ratelimit osapi_compute_app_legacy_v2 +keystone = cors compute_req_id faultwrap sizelimit authtoken keystonecontext legacy_ratelimit osapi_compute_app_legacy_v2 +keystone_nolimit = cors compute_req_id faultwrap sizelimit authtoken keystonecontext osapi_compute_app_legacy_v2 [composite:openstack_compute_api_v21] use = call:nova.api.auth:pipeline_factory_v21 -noauth2 = compute_req_id faultwrap sizelimit noauth2 osapi_compute_app_v21 -keystone = compute_req_id faultwrap sizelimit authtoken keystonecontext osapi_compute_app_v21 +noauth2 = cors compute_req_id faultwrap sizelimit noauth2 osapi_compute_app_v21 +keystone = cors compute_req_id faultwrap sizelimit authtoken keystonecontext osapi_compute_app_v21 [composite:openstack_compute_api_v21_legacy_v2_compatible] use = call:nova.api.auth:pipeline_factory_v21 -noauth2 = compute_req_id faultwrap sizelimit noauth2 legacy_v2_compatible osapi_compute_app_v21 -keystone = compute_req_id faultwrap sizelimit authtoken keystonecontext legacy_v2_compatible osapi_compute_app_v21 
+noauth2 = cors compute_req_id faultwrap sizelimit noauth2 legacy_v2_compatible osapi_compute_app_v21 +keystone = cors compute_req_id faultwrap sizelimit authtoken keystonecontext legacy_v2_compatible osapi_compute_app_v21 [filter:request_id] paste.filter_factory = oslo_middleware:RequestId.factory @@ -91,6 +89,10 @@ paste.app_factory = nova.api.openstack.compute.versions:Versions.factory # Shared # ########## +[filter:cors] +paste.filter_factory = oslo_middleware.cors:filter_factory +oslo_config_project = nova + [filter:keystonecontext] paste.filter_factory = nova.api.auth:NovaKeystoneContext.factory diff --git a/playbooks/roles/os_nova/templates/policy.json.j2 b/playbooks/roles/os_nova/templates/policy.json.j2 index 5f6023e5c3..071b0568e5 100644 --- a/playbooks/roles/os_nova/templates/policy.json.j2 +++ b/playbooks/roles/os_nova/templates/policy.json.j2 @@ -22,16 +22,14 @@ "compute:update_instance_metadata": "", "compute:delete_instance_metadata": "", - "compute:get_instance_faults": "", "compute:get_diagnostics": "", "compute:get_instance_diagnostics": "", "compute:start": "rule:admin_or_owner", "compute:stop": "rule:admin_or_owner", - "compute:get_lock": "", - "compute:lock": "", - "compute:unlock": "", + "compute:lock": "rule:admin_or_owner", + "compute:unlock": "rule:admin_or_owner", "compute:unlock_override": "rule:admin_api", "compute:get_vnc_console": "", @@ -85,9 +83,6 @@ "compute:security_groups:add_to_instance": "", "compute:security_groups:remove_from_instance": "", - "compute:delete": "", - "compute:soft_delete": "", - "compute:force_delete": "", "compute:restore": "", "compute:volume_snapshot_create": "", 
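Review bot: Deleting `compute:delete`, `compute:soft_delete`, `compute:force_delete`, `compute:get_lock` and `compute:get_instance_faults` rather than setting them means any code path that still enforces one of those targets falls back to the file's `default` rule, which is outside these hunks. If those checks were removed from nova in the targeted release this is fine, but it is worth confirming what `default` resolves to so the fallback is deliberate rather than accidental. The tightening of `compute:lock`/`compute:unlock` from `""` to `rule:admin_or_owner` reads correctly.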
@@ -334,6 +329,7 @@ "os_compute_api:os-extended-availability-zone": "", "os_compute_api:os-extended-availability-zone:discoverable": "", "os_compute_api:extensions": "", + "os_compute_api:extensions:discoverable": "", "os_compute_api:extension_info:discoverable": "", "os_compute_api:os-extended-volumes": "", "os_compute_api:os-extended-volumes:discoverable": "", @@ -345,6 +341,7 @@ "os_compute_api:os-flavor-access:add_tenant_access": "rule:admin_api", "os_compute_api:os-flavor-rxtx": "", "os_compute_api:os-flavor-rxtx:discoverable": "", + "os_compute_api:flavors": "", "os_compute_api:flavors:discoverable": "", "os_compute_api:os-flavor-extra-specs:discoverable": "", "os_compute_api:os-flavor-extra-specs:index": "", diff --git a/playbooks/roles/os_nova/templates/rootwrap.conf.j2 b/playbooks/roles/os_nova/templates/rootwrap.conf.j2 index 2cd5e53646..d1250009a9 100644 --- a/playbooks/roles/os_nova/templates/rootwrap.conf.j2 +++ b/playbooks/roles/os_nova/templates/rootwrap.conf.j2 @@ -7,10 +7,10 @@ filters_path=/etc/nova/rootwrap.d,/usr/share/nova/rootwrap # List of directories to search executables in, in case filters do not -# explicitely specify a full path (separated by ',') +# explicitly specify a full path (separated by ',') # If not specified, defaults to system PATH environment variable. # These directories MUST all be only writeable by root ! -exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,{{ nova_bin }} +exec_dirs={{ nova_bin }},/sbin,/usr/sbin,/bin,/usr/bin # Enable logging to syslog # Default value is False diff --git a/playbooks/roles/os_tempest/templates/tempest.conf.j2 b/playbooks/roles/os_tempest/templates/tempest.conf.j2 index 27840ed7b8..22f411614e 100644 --- a/playbooks/roles/os_tempest/templates/tempest.conf.j2 +++ b/playbooks/roles/os_tempest/templates/tempest.conf.j2 
@@ -42,7 +42,7 @@ image_ssh_user = {{ tempest_compute_image_ssh_user }} image_ssh_password = {{ tempest_compute_image_ssh_password }} image_alt_ssh_user = {{ tempest_compute_image_alt_ssh_user }} ssh_user = {{ tempest_compute_ssh_user }} -ssh_auth_method = configured +auth_method = keypair fixed_network_name = private endpoint_type = internalURL floating_ip_range = 10.0.0.0/29