Update Master SHAs - 17 Jan 2016

This patch does the following: - updates the Master SHAs for new development work. - includes updates to policy, paste and rootwrap files as required - moves the Aodh repository to openstack_services as it now has implemented a stable branch - Updated the keystone-wsgi file as it was still running the code from liberty - add 2 package requirements to keystone which must be present for the new wsgi file. - updates tempest.conf.j2 to replace ssh_auth_method with auth_method, and change auth_method to 'keypair' (configured is no longer an a valid option) Change-Id: I933c24c03518865d9d40519dafb2ba46769a5453 Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2015-11-16 14:29:03 -06:00 · 2015-11-16 14:29:03 -06:00 · c4f45f5f08
commit c4f45f5f08
parent 96abeb22b6
39 changed files with 671 additions and 148 deletions
--- a/playbooks/defaults/repo_packages/openstack_other.yml
+++ b/playbooks/defaults/repo_packages/openstack_other.yml
@ -27,23 +27,17 @@
 ## Tempest service
 tempest_git_repo: https://git.openstack.org/openstack/tempest
-tempest_git_install_branch: d289567c278edeac6ddaf0829e4159aef17c1552 # HEAD of "master" as of 24.10.2015
+tempest_git_install_branch: 5cc7ef78b4233444a4dcea1b1eb8f213c1548491 # HEAD of "master" as of 17.01.2016
 tempest_git_dest: "/opt/tempest_{{ tempest_git_install_branch | replace('/', '_') }}"
 ## aodh service
 aodh_git_repo: https://git.openstack.org/openstack/aodh
 aodh_git_install_branch: 8c9d2c8804cfb37f7e064e1c0df4b43590f1a3ee # HEAD of "master" as of 24.10.2015
 aodh_git_dest: "/opt/aodh_{{ aodh_git_install_branch | replace('/', '_') }}"
 ## NOVNC from source
 novncproxy_git_repo: https://github.com/kanaka/novnc
-novncproxy_git_install_branch: 6a90803feb124791960e3962e328aa3cfb729aeb # HEAD of "master" as of 24.10.2015
+novncproxy_git_install_branch: 670dbddb54264fd0082d0aca1b3acb0f1814b1d2 # HEAD of "master" as of 17.01.2016
 novncproxy_git_dest: "/opt/novnc_{{ novncproxy_git_install_branch | replace('/', '_') }}"
 ## spice-html5 from source
 spicehtml5_git_repo: https://github.com/SPICE/spice-html5
-spicehtml5_git_install_branch: c1e736b083ff47639ecb73ea9be4d14b5002f93f # HEAD of "master" as of 24.10.2015
+spicehtml5_git_install_branch: ab73d009487c8afd4def39b54a422499b4c13c40 # HEAD of "master" as of 17.01.2016
 spicehtml5_git_dest: "/opt/spicehtml5_{{ spicehtml5_git_install_branch | replace('/', '_') }}"
--- a/playbooks/defaults/repo_packages/openstack_services.yml
+++ b/playbooks/defaults/repo_packages/openstack_services.yml
@ -31,71 +31,77 @@
 ## Global Requirements
 requirements_git_repo: https://git.openstack.org/openstack/requirements
-requirements_git_install_branch: 2854532c8549e82b180e348fd11a43bc13f8af6a # HEAD of "master" as of 24.10.2015
+requirements_git_install_branch: 332278d456e06870150835564342570ec9d5f5a0 # HEAD of "master" as of 17.01.2016
 requirements_git_dest: "/opt/requirements_{{ requirements_git_install_branch | replace('/', '_') }}"
 ## Aodh service
 aodh_git_repo: https://git.openstack.org/openstack/aodh
 aodh_git_install_branch: 239e1f629b26557ceadb92de3d62edcd87489b9d # HEAD of "master" as of 17.01.2016
 aodh_git_dest: "/opt/aodh_{{ aodh_git_install_branch | replace('/', '_') }}"
 ## Ceilometer service
 ceilometer_git_repo: https://git.openstack.org/openstack/ceilometer
-ceilometer_git_install_branch: b34865f80818165187552e7feca4ead2e61a30d3 # HEAD of "master" as of 24.10.2015
+ceilometer_git_install_branch: 333024b69aa7810e78aef85e5171cfd6dbd6b740 # HEAD of "master" as of 17.01.2016
 ceilometer_git_dest: "/opt/ceilometer_{{ceilometer_git_install_branch | replace('/', '_') }}"
 ## Cinder service
 cinder_git_repo: https://git.openstack.org/openstack/cinder
-cinder_git_install_branch: 774c8a9dc4cfe559a1d2f3afd2380ea8f9cdd6ee # HEAD of "master" as of 24.10.2015
+cinder_git_install_branch: 94ae8598b96e2f86844fdf0f35a8b83a94c7b4c4 # HEAD of "master" as of 17.01.2016
 cinder_git_dest: "/opt/cinder_{{ cinder_git_install_branch | replace('/', '_') }}"
 ## Glance service
 glance_git_repo: https://git.openstack.org/openstack/glance
-glance_git_install_branch: b7703a4aab4f4c6315a5f0a12620336f96532108 # HEAD of "master" as of 24.10.2015
+glance_git_install_branch: 7d5c3710ce2739a8ac356208d4e104f2ce3ec9ab # HEAD of "master" as of 17.01.2016
 glance_git_dest: "/opt/glance_{{ glance_git_install_branch | replace('/', '_') }}"
 ## Heat service
 heat_git_repo: https://git.openstack.org/openstack/heat
-heat_git_install_branch: cd1a61e3d794bd37dd964ba7c37f1d0cb2bb2e81 # HEAD of "master" as of 24.10.2015
+heat_git_install_branch: 7e3e4087f476a0431d1d278730b1736e02e5fd06 # HEAD of "master" as of 17.01.2016
 heat_git_dest: "/opt/heat_{{ heat_git_install_branch | replace('/', '_') }}"
 ## Horizon service
 horizon_git_repo: https://git.openstack.org/openstack/horizon
-horizon_git_install_branch: aa068eca807885182886b2a2f28591d6ac9e689e # HEAD of "master" as of 24.10.2015
+horizon_git_install_branch: 18f1605bddd428a014d0e43ef52d1af6305e1e03 # HEAD of "master" as of 17.01.2016
 horizon_git_dest: "/opt/horizon_{{ horizon_git_install_branch | replace('/', '_') }}"
 ## Keystone service
 keystone_git_repo: https://git.openstack.org/openstack/keystone
-keystone_git_install_branch: ebe82fcd21116f4bdae9dc97407e04f5184dc9b0 # HEAD of "master" as of 24.10.2015
+keystone_git_install_branch: a55128044f763f5cfe2fdc57c738eaca97636448 # HEAD of "master" as of 17.01.2016
 keystone_git_dest: "/opt/keystone_{{ keystone_git_install_branch | replace('/', '_') }}"
 ## Neutron service
 neutron_git_repo: https://git.openstack.org/openstack/neutron
-neutron_git_install_branch: 554b5d96cdb8b0b8987f37b8ae0336e910c5675c # HEAD of "master" as of 24.10.2015
+neutron_git_install_branch: d6d43b32ca825b6c3c2c908f5ff7bc50c736546e # HEAD of "master" as of 17.01.2016
 neutron_git_dest: "/opt/neutron_{{ neutron_git_install_branch | replace('/', '_') }}"
 neutron_lbaas_git_repo: https://git.openstack.org/openstack/neutron-lbaas
-neutron_lbaas_git_install_branch: 8427934f76f1c213044a54da60c3b266930efef1 # HEAD of "master" as of 24.10.2015
+neutron_lbaas_git_install_branch: b5d4e5c0fe02a897ad2ab0bc548f695915998831 # HEAD of "master" as of 17.01.2016
 neutron_lbaas_git_dest: "/opt/neutron_lbaas_{{ neutron_lbaas_git_install_branch | replace('/', '_') }}"
 neutron_vpnaas_git_repo: https://git.openstack.org/openstack/neutron-vpnaas
-neutron_vpnaas_git_install_branch: d4e477d2c515d80a66cf7e5f60a452edc89219d9 # HEAD of "master" as of 24.10.2015
+neutron_vpnaas_git_install_branch: 832b875b79d801e17a5b997054f30c9d88b36914 # HEAD of "master" as of 17.01.2016
 neutron_vpnaas_git_dest: "/opt/neutron_vpnaas_{{ neutron_vpnaas_git_install_branch | replace('/', '_') }}"
 neutron_fwaas_git_repo: https://git.openstack.org/openstack/neutron-fwaas
-neutron_fwaas_git_install_branch: 64c0e6a56cec1021b8af5b76e5da0485e37d5efb # HEAD of "master" as of 24.10.2015
+neutron_fwaas_git_install_branch: cb0093d185a97cafc320bd64d9b45dc737cdfdb2 # HEAD of "master" as of 17.01.2016
 neutron_fwaas_git_dest: "/opt/neutron_fwaas_{{ neutron_fwaas_git_install_branch | replace('/', '_') }}"
 ## Nova service
 nova_git_repo: https://git.openstack.org/openstack/nova
-nova_git_install_branch: 71d2ed17950edbeb97b479bf04958dbee8f23fc5 # HEAD of "master" as of 24.10.2015
+nova_git_install_branch: deb1ee440923b0b292f3536a2f8bda672c03984a # HEAD of "master" as of 17.01.2016
 nova_git_dest: "/opt/nova_{{ nova_git_install_branch | replace('/', '_') }}"
 ## Swift service
 swift_git_repo: https://git.openstack.org/openstack/swift
-swift_git_install_branch: a094560f0cef9a51f03b9f72dd516d4df717bec6 # HEAD of "master" as of 24.10.2015
+swift_git_install_branch: 4db7e2e2e4d80757a717485e3b639b16e0a66f68 # HEAD of "master" as of 17.01.2016
 swift_git_dest: "/opt/swift_{{ swift_git_install_branch | replace('/', '_') }}"
--- a/playbooks/defaults/repo_packages/python2_lxc.yml
+++ b/playbooks/defaults/repo_packages/python2_lxc.yml
@ -15,5 +15,5 @@
 ## Git Source for python2-lxc library
 git_repo: https://github.com/lxc/python2-lxc
-git_install_branch: 0553f05d23b56b59bf3015fa5e45bfbfab9021ef # HEAD of "master" as of 14.10.2015
+git_install_branch: 0553f05d23b56b59bf3015fa5e45bfbfab9021ef # HEAD of "master" as of 17.01.2016
 git_dest: "/opt/lxc_python2_{{ git_install_branch|replace('/', '_') }}"
--- a/playbooks/roles/os_aodh/templates/policy.json.j2
+++ b/playbooks/roles/os_aodh/templates/policy.json.j2
@ -1,21 +1,20 @@
 {
    "context_is_admin": "role:admin",
    "context_is_project": "project_id:%(target.project_id)s",
    "context_is_owner": "user_id:%(target.user_id)s",
    "segregation": "rule:context_is_admin",
-    "service_role": "role:service",
+    "admin_or_owner": "rule:context_is_admin or project_id:%(project_id)s",
-    "iaas_role": "role:iaas",
+    "default": "rule:admin_or_owner",
-    "telemetry:get_alarm": "rule:context_is_admin",
+    "telemetry:get_alarm": "rule:admin_or_owner",
-    "telemetry:query_alarm": "rule:context_is_admin",
+    "telemetry:get_alarms": "rule:admin_or_owner",
-    "telemetry:get_alarm_state": "rule:context_is_admin",
+    "telemetry:query_alarm": "rule:admin_or_owner",
    "telemetry:get_alarms": "rule:context_is_admin",
    "telemetry:create_alarm": "rule:context_is_admin",
    "telemetry:set_alarm": "rule:context_is_admin",
    "telemetry:delete_alarm": "rule:context_is_admin",
-    "telemetry:alarm_history": "rule:context_is_admin",
+    "telemetry:create_alarm": "",
-    "telemetry:change_alarm_state": "rule:context_is_admin",
+    "telemetry:change_alarm": "rule:admin_or_owner",
-    "telemetry:query_alarm_history": "rule:context_is_admin"
+    "telemetry:delete_alarm": "rule:admin_or_owner",
    "telemetry:get_alarm_state": "rule:admin_or_owner",
    "telemetry:change_alarm_state": "rule:admin_or_owner",
    "telemetry:alarm_history": "rule:admin_or_owner",
    "telemetry:query_alarm_history": "rule:admin_or_owner"
 }
--- a/playbooks/roles/os_ceilometer/defaults/main.yml
+++ b/playbooks/roles/os_ceilometer/defaults/main.yml
@ -134,8 +134,11 @@ ceilometer_service_names:
 ## Tunable overrides
 ceilometer_policy_overrides: {}
 ceilometer_rootwrap_conf_overrides: {}
 ceilometer_ceilometer_conf_overrides: {}
 ceilometer_api_paste_ini_overrides: {}
 ceilometer_event_definitions_yaml_overrides: {}
 ceilometer_event_pipeline_yaml_overrides: {}
 ceilometer_pipeline_yaml_overrides: {}
 ceilometer_gnocci_resources_yaml_overrides: {}
 ceilometer_osprofiler_event_definitions_yaml_overrides: {}
--- a/playbooks/roles/os_ceilometer/files/rootwrap.d/ipmi.filters
+++ b/playbooks/roles/os_ceilometer/files/rootwrap.d/ipmi.filters
@ -0,0 +1,7 @@
 # ceilometer-rootwrap command filters for IPMI capable nodes
 # This file should be owned by (and only-writeable by) the root user
 [Filters]
 # ceilometer/ipmi/nodemanager/node_manager.py: 'ipmitool'
 ipmitool: CommandFilter, ipmitool, root
--- a/playbooks/roles/os_ceilometer/tasks/ceilometer_post_install.yml
+++ b/playbooks/roles/os_ceilometer/tasks/ceilometer_post_install.yml
@ -31,6 +31,10 @@
      dest: "/etc/ceilometer/api_paste.ini"
      config_overrides: "{{ ceilometer_api_paste_ini_overrides }}"
      config_type: "ini"
    - src: "rootwrap.conf.j2"
      dest: "/etc/ceilometer/rootwrap.conf"
      config_overrides: "{{ ceilometer_rootwrap_conf_overrides }}"
      config_type: "ini"
    - src: "event_pipeline.yaml.j2"
      dest: "/etc/ceilometer/event_pipeline.yaml"
      config_overrides: "{{ ceilometer_event_pipeline_yaml_overrides }}"
@ -43,6 +47,14 @@
      dest: "/etc/ceilometer/pipeline.yaml"
      config_overrides: "{{ ceilometer_pipeline_yaml_overrides }}"
      config_type: "yaml"
    - src: "gnocchi_resources.yaml.j2"
      dest: "/etc/ceilometer/gnocchi_resources.yaml"
      config_overrides: "{{ ceilometer_gnocci_resources_yaml_overrides }}"
      config_type: "yaml"
    - src: "osprofiler_event_definitions.yaml.j2"
      dest: "/etc/ceilometer/osprofiler_event_definitions.yaml"
      config_overrides: "{{ ceilometer_osprofiler_event_definitions_yaml_overrides }}"
      config_type: "yaml"
    - src: "policy.json.j2"
      dest: "/etc/ceilometer/policy.json"
      config_overrides: "{{ ceilometer_policy_overrides }}"
@ -52,6 +64,19 @@
    - ceilometer-config
    - ceilometer-post-install
 - name: Drop rootwrap filters
  copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    owner: "{{ ceilometer_system_user_name }}"
    group: "{{ ceilometer_system_group_name }}"
  with_items:
    - { src: "rootwrap.d/ipmi.filters", dest: "/etc/ceilometer/rootwrap.d/ipmi.filters" }
  notify:
    - Restart ceilometer services
  tags:
    - ceilometer-config
 - name: Get ceilometer command path
  command: which ceilometer
  register: ceilometer_command_path
--- a/playbooks/roles/os_ceilometer/tasks/ceilometer_pre_install.yml
+++ b/playbooks/roles/os_ceilometer/tasks/ceilometer_pre_install.yml
@ -56,6 +56,7 @@
  with_items:
    - { path: "/openstack", mode: "0755", owner: "root", group: "root" }
    - { path: "/etc/ceilometer" }
    - { path: "/etc/ceilometer/rootwrap.d" }
    - { path: "{{ ceilometer_system_user_home }}" }
    - { path: "{{ ceilometer_system_user_home }}/.ssh", mode: "0700" }
    - { path: "/var/cache/ceilometer", mode: "0700" }
--- a/playbooks/roles/os_ceilometer/templates/event_definitions.yaml.j2
+++ b/playbooks/roles/os_ceilometer/templates/event_definitions.yaml.j2
@ -8,15 +8,9 @@
    instance_id:
      fields: payload.instance_id
    host:
-      fields: publisher_id
+      fields: publisher_id.`split(., 1, 1)`
      plugin:
        name: split
        parameters:
          segment: 1
          max_split: 1
    service:
-      fields: publisher_id
+      fields: publisher_id.`split(., 0, -1)`
      plugin: split
    memory_mb:
      type: int
      fields: payload.memory_mb
@ -96,6 +90,12 @@
      fields: payload.snapshot_id
    volume_id:
      fields: payload.volume_id
 - event_type: ['image_volume_cache.*']
  traits:
    image_id:
      fields: payload.image_id
    host:
      fields: payload.host
 - event_type: ['image.update', 'image.upload', 'image.delete']
  traits: &glance_crud
    project_id:
@ -331,6 +331,10 @@
      fields: ['payload.ipsec_site_connection.id', 'payload.id']
 - event_type: '*http.*'
  traits: &http_audit
    project_id:
      fields: payload.initiator.project_id
    user_id:
      fields: payload.initiator.id
    typeURI:
      fields: payload.typeURI
    eventType:
@ -366,4 +370,152 @@
    <<: *http_audit
    reason_code:
      fields: payload.reason.reasonCode
-
+- event_type: ['dns.domain.create', 'dns.domain.update', 'dns.domain.delete']
  traits: &dns_domain_traits
    status:
      fields: payload.status
    retry:
      fields: payload.retry
    description:
      fields: payload.description
    expire:
      fields: payload.expire
    email:
      fields: payload.email
    ttl:
      fields: payload.ttl
    action:
      fields: payload.action
    name:
      fields: payload.name
    resource_id:
      fields: payload.id
    created_at:
      fields: payload.created_at
    updated_at:
      fields: payload.updated_at
    version:
      fields: payload.version
    parent_domain_id:
      fields: parent_domain_id
    serial:
      fields: payload.serial
 - event_type: dns.domain.exists
  traits:
    <<: *dns_domain_traits
    audit_period_beginning:
      type: datetime
      fields: payload.audit_period_beginning
    audit_period_ending:
      type: datetime
      fields: payload.audit_period_ending
 - event_type: trove.*
  traits: &trove_base_traits
    state:
      fields: payload.state_description
    instance_type:
      fields: payload.instance_type
    user_id:
      fields: payload.user_id
    resource_id:
      fields: payload.instance_id
    instance_type_id:
      fields: payload.instance_type_id
    launched_at:
      type: datetime
      fields: payload.launched_at
    instance_name:
      fields: payload.instance_name
    state:
      fields: payload.state
    nova_instance_id:
      fields: payload.nova_instance_id
    service_id:
      fields: payload.service_id
    created_at:
      type: datetime
      fields: payload.created_at
    region:
      fields: payload.region
 - event_type: ['trove.instance.create', 'trove.instance.modify_volume', 'trove.instance.modify_flavor', 'trove.instance.delete']
  traits: &trove_common_traits
    name:
      fields: payload.name
    availability_zone:
      fields: payload.availability_zone
    instance_size:
      type: int
      fields: payload.instance_size
    volume_size:
      type: int
      fields: payload.volume_size
    nova_volume_id:
      fields: payload.nova_volume_id
 - event_type: trove.instance.create
  traits:
    <<: [*trove_base_traits, *trove_common_traits]
 - event_type: trove.instance.modify_volume
  traits:
    <<: [*trove_base_traits, *trove_common_traits]
    old_volume_size:
      type: int
      fields: payload.old_volume_size
    modify_at:
      type: datetime
      fields: payload.modify_at
 - event_type: trove.instance.modify_flavor
  traits:
    <<: [*trove_base_traits, *trove_common_traits]
    old_instance_size:
      type: int
      fields: payload.old_instance_size
    modify_at:
      type: datetime
      fields: payload.modify_at
 - event_type: trove.instance.delete
  traits:
    <<: [*trove_base_traits, *trove_common_traits]
    deleted_at:
      type: datetime
      fields: payload.deleted_at
 - event_type: trove.instance.exists
  traits:
    <<: *trove_base_traits
    display_name:
      fields: payload.display_name
    audit_period_beginning:
      type: datetime
      fields: payload.audit_period_beginning
    audit_period_ending:
      type: datetime
      fields: payload.audit_period_ending
 - event_type: profiler.*
  traits:
    project:
      fields: payload.project
    service:
      fields: payload.service
    name:
      fields: payload.name
    base_id:
      fields: payload.base_id
    trace_id:
      fields: payload.trace_id
    parent_id:
      fields: payload.parent_id
    timestamp:
      fields: payload.timestamp
    host:
      fields: payload.info.host
    path:
      fields: payload.info.request.path
    query:
      fields: payload.info.request.query
    method:
      fields: payload.info.request.method
    scheme:
      fields: payload.info.request.scheme
    db.statement:
      fields: payload.info.db.statement
    db.params:
      fields: payload.info.db.params
--- a/playbooks/roles/os_ceilometer/templates/event_pipeline.yaml.j2
+++ b/playbooks/roles/os_ceilometer/templates/event_pipeline.yaml.j2
@ -10,4 +10,4 @@ sinks:
      transformers:
      triggers:
      publishers:
-          - direct://
+          - notifier://
--- a/playbooks/roles/os_ceilometer/templates/gnocchi_resources.yaml.j2
+++ b/playbooks/roles/os_ceilometer/templates/gnocchi_resources.yaml.j2
@ -0,0 +1,176 @@
 ---
 resources:
  - resource_type: identity
    archive_policy: low
    metrics:
      - 'identity.authenticate.success'
      - 'identity.authenticate.pending'
      - 'identity.authenticate.failure'
      - 'identity.user.created'
      - 'identity.user.deleted'
      - 'identity.user.updated'
      - 'identity.group.created'
      - 'identity.group.deleted'
      - 'identity.group.updated'
      - 'identity.role.created'
      - 'identity.role.deleted'
      - 'identity.role.updated'
      - 'identity.project.created'
      - 'identity.project.deleted'
      - 'identity.project.updated'
      - 'identity.trust.created'
      - 'identity.trust.deleted'
      - 'identity.role_assignment.created'
      - 'identity.role_assignment.deleted'
  - resource_type: ceph_account
    metrics:
      - 'radosgw.objects'
      - 'radosgw.objects.size'
      - 'radosgw.objects.containers'
      - 'radosgw.api.request'
      - 'radosgw.containers.objects'
      - 'radosgw.containers.objects.size'
  - resource_type: instance
    metrics:
      - 'instance'
      - 'memory'
      - 'memory.usage'
      - 'memory.resident'
      - 'vcpus'
      - 'cpu'
      - 'cpu.delta'
      - 'cpu_util'
      - 'disk.root.size'
      - 'disk.ephemeral.size'
      - 'disk.read.requests'
      - 'disk.read.requests.rate'
      - 'disk.write.requests'
      - 'disk.write.requests.rate'
      - 'disk.read.bytes'
      - 'disk.read.bytes.rate'
      - 'disk.write.bytes'
      - 'disk.write.bytes.rate'
      - 'disk.latency'
      - 'disk.iops'
      - 'disk.capacity'
      - 'disk.allocation'
      - 'disk.usage'
    attributes:
      host: resource_metadata.host
      image_ref: resource_metadata.image_ref
      display_name: resource_metadata.display_name
      flavor_id: resource_metadata.(instance_flavor_id|(flavor.id))
      server_group: resource_metadata.user_metadata.server_group
  - resource_type: instance_network_interface
    metrics:
      - 'network.outgoing.packets.rate'
      - 'network.incoming.packets.rate'
      - 'network.outgoing.packets'
      - 'network.incoming.packets'
      - 'network.outgoing.bytes.rate'
      - 'network.incoming.bytes.rate'
      - 'network.outgoing.bytes'
      - 'network.incoming.bytes'
    attributes:
      name: resource_metadata.vnic_name
      instance_id: resource_metadata.instance_id
  - resource_type: instance_disk
    metrics:
      - 'disk.device.read.requests'
      - 'disk.device.read.requests.rate'
      - 'disk.device.write.requests'
      - 'disk.device.write.requests.rate'
      - 'disk.device.read.bytes'
      - 'disk.device.read.bytes.rate'
      - 'disk.device.write.bytes'
      - 'disk.device.write.bytes.rate'
      - 'disk.device.latency'
      - 'disk.device.iops'
      - 'disk.device.capacity'
      - 'disk.device.allocation'
      - 'disk.device.usage'
    attributes:
      name: resource_metadata.disk_name
      instance_id: resource_metadata.instance_id
  - resource_type: image
    metrics:
      - 'image'
      - 'image.size'
      - 'image.download'
      - 'image.serve'
    attributes:
      name: resource_metadata.name
      container_format: resource_metadata.container_format
      disk_format: resource_metadata.disk_format
  - resource_type: ipmi
    metrics:
      - 'hardware.ipmi.node.power'
      - 'hardware.ipmi.node.temperature'
      - 'hardware.ipmi.node.inlet_temperature'
      - 'hardware.ipmi.node.outlet_temperature'
      - 'hardware.ipmi.node.fan'
      - 'hardware.ipmi.node.current'
      - 'hardware.ipmi.node.voltage'
      - 'hardware.ipmi.node.airflow'
      - 'hardware.ipmi.node.cups'
      - 'hardware.ipmi.node.cpu_util'
      - 'hardware.ipmi.node.mem_util'
      - 'hardware.ipmi.node.io_util'
  - resource_type: network
    metrics:
      - 'bandwidth'
      - 'network'
      - 'network.create'
      - 'network.update'
      - 'subnet'
      - 'subnet.create'
      - 'subnet.update'
      - 'port'
      - 'port.create'
      - 'port.update'
      - 'router'
      - 'router.create'
      - 'router.update'
      - 'ip.floating'
      - 'ip.floating.create'
      - 'ip.floating.update'
  - resource_type: stack
    metrics:
      - 'stack.create'
      - 'stack.update'
      - 'stack.delete'
      - 'stack.resume'
      - 'stack.suspend'
  - resource_type: swift_account
    metrics:
      - 'storage.objects.incoming.bytes'
      - 'storage.objects.outgoing.bytes'
      - 'storage.api.request'
      - 'storage.objects.size'
      - 'storage.objects'
      - 'storage.objects.containers'
      - 'storage.containers.objects'
      - 'storage.containers.objects.size'
  - resource_type: volume
    metrics:
      - 'volume'
      - 'volume.size'
      - 'volume.create'
      - 'volume.delete'
      - 'volume.update'
      - 'volume.resize'
      - 'volume.attach'
      - 'volume.detach'
    attributes:
      display_name: resource_metadata.display_name
--- a/playbooks/roles/os_ceilometer/templates/osprofiler_event_definitions.yaml.j2
+++ b/playbooks/roles/os_ceilometer/templates/osprofiler_event_definitions.yaml.j2
@ -0,0 +1,31 @@
 ---
 - event_type: profiler.*
  traits:
    project:
      fields: payload.project
    service:
      fields: payload.service
    name:
      fields: payload.name
    base_id:
      fields: payload.base_id
    trace_id:
      fields: payload.trace_id
    parent_id:
      fields: payload.parent_id
    timestamp:
      fields: payload.timestamp
    host:
      fields: payload.info.host
    path:
      fields: payload.info.request.path
    query:
      fields: payload.info.request.query
    method:
      fields: payload.info.request.method
    scheme:
      fields: payload.info.request.scheme
    db.statement:
      fields: payload.info.db.statement
    db.params:
      fields: payload.info.db.params
--- a/playbooks/roles/os_ceilometer/templates/pipeline.yaml.j2
+++ b/playbooks/roles/os_ceilometer/templates/pipeline.yaml.j2
@ -12,6 +12,7 @@ sources:
          - "cpu"
      sinks:
          - cpu_sink
          - cpu_delta_sink
    - name: disk_source
      interval: 600
      meters:
@ -50,6 +51,15 @@ sinks:
                    scale: "100.0 / (10**9 * (resource_metadata.cpu_number or 1))"
      publishers:
          - notifier://
    - name: cpu_delta_sink
      transformers:
          - name: "delta"
            parameters:
                target:
                    name: "cpu.delta"
                growth_only: True
      publishers:
          - notifier://
    - name: disk_sink
      transformers:
          - name: "rate_of_change"
@ -80,4 +90,3 @@ sinks:
                    type: "gauge"
      publishers:
          - notifier://
--- a/playbooks/roles/os_ceilometer/templates/rootwrap.conf.j2
+++ b/playbooks/roles/os_ceilometer/templates/rootwrap.conf.j2
@ -0,0 +1,27 @@
 # Configuration for ceilometer-rootwrap
 # This file should be owned by (and only-writeable by) the root user
 [DEFAULT]
 # List of directories to load filter definitions from (separated by ',').
 # These directories MUST all be only writeable by root !
 filters_path=/etc/ceilometer/rootwrap.d,/usr/share/ceilometer/rootwrap
 # List of directories to search executables in, in case filters do not
 # explicitely specify a full path (separated by ',')
 # If not specified, defaults to system PATH environment variable.
 # These directories MUST all be only writeable by root !
 exec_dirs={{ ceilometer_bin }},/sbin,/usr/sbin,/bin,/usr/bin
 # Enable logging to syslog
 # Default value is False
 use_syslog=False
 # Which syslog facility to use.
 # Valid values include auth, authpriv, syslog, user0, user1...
 # Default value is 'syslog'
 syslog_log_facility=syslog
 # Which messages to log.
 # INFO means log all usage
 # ERROR means only log unsuccessful attempts
 syslog_log_level=ERROR
--- a/playbooks/roles/os_cinder/files/rootwrap.d/volume.filters
+++ b/playbooks/roles/os_cinder/files/rootwrap.d/volume.filters
@ -27,23 +27,15 @@ lvdisplay_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvdisplay
 # os-brick.filters file instead and clean out stale brick values from
 # this file.
 scsi_id: CommandFilter, /lib/udev/scsi_id, root
-
+drbdadm: CommandFilter, drbdadm, root
 # cinder/volumes/drivers/srb.py: 'pvresize', '--setphysicalvolumesize', sizestr, pvname
 pvresize: CommandFilter, pvresize, root
 # cinder/brick/local_dev/lvm.py: 'vgcreate', vg_name, pv_list
 vgcreate: CommandFilter, vgcreate, root
-# cinder/volumes/drivers/srb.py: 'vgremove', '-f', vgname
+# cinder/brick/local_dev/lvm.py: 'lvcreate', '-L', sizestr, '-n', volume_name,..
-vgremove: CommandFilter, vgremove, root
+# cinder/brick/local_dev/lvm.py: 'lvcreate', '-L', ...
-
+lvcreate: EnvFilter, env, root, LC_ALL=C, lvcreate
-# cinder/volumes/drivers/srb.py: 'vgchange', '-an', vgname
+lvcreate_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvcreate
 # cinder/volumes/drivers/srb.py: 'vgchange', '-ay', vgname
 vgchange: CommandFilter, vgchange, root
 # cinder/volume/driver.py: 'lvcreate', '-L', sizestr, '-n', volume_name,..
 # cinder/volume/driver.py: 'lvcreate', '-L', ...
 lvcreate: CommandFilter, lvcreate, root
 # cinder/volume/driver.py: 'dd', 'if=%s' % srcstr, 'of=%s' % deststr,...
 dd: CommandFilter, dd, root
@ -54,13 +46,17 @@ lvremove: CommandFilter, lvremove, root
 # cinder/volume/driver.py: 'lvrename', '%(vg)s', '%(orig)s' '(new)s'...
 lvrename: CommandFilter, lvrename, root
-# cinder/volume/driver.py: 'lvextend', '-L' '%(new_size)s', '%(lv_name)s' ...
+# cinder/brick/local_dev/lvm.py: 'lvextend', '-L' '%(new_size)s', '%(lv_name)s' ...
-# cinder/volume/driver.py: 'lvextend', '-L' '%(new_size)s', '%(thin_pool)s' ...
+# cinder/brick/local_dev/lvm.py: 'lvextend', '-L' '%(new_size)s', '%(thin_pool)s' ...
-lvextend: CommandFilter, lvextend, root
+lvextend: EnvFilter, env, root, LC_ALL=C, lvextend
 lvextend_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvextend
 # cinder/brick/local_dev/lvm.py: 'lvchange -a y -K <lv>'
 lvchange: CommandFilter, lvchange, root
 # cinder/brick/local_dev/lvm.py: 'lvconvert', '--merge', snapshot_name
 lvconvert: CommandFilter, lvconvert, root
 # cinder/volume/driver.py: 'iscsiadm', '-m', 'discovery', '-t',...
 # cinder/volume/driver.py: 'iscsiadm', '-m', 'node', '-T', ...
 iscsiadm: CommandFilter, iscsiadm, root
--- a/playbooks/roles/os_cinder/templates/api-paste.ini.j2
+++ b/playbooks/roles/os_cinder/templates/api-paste.ini.j2
@ -10,32 +10,34 @@ use = call:cinder.api:root_app_factory
 [composite:openstack_volume_api_v1]
 use = call:cinder.api.middleware.auth:pipeline_factory
-noauth = request_id faultwrap sizelimit osprofiler noauth apiv1
+noauth = cors request_id faultwrap sizelimit osprofiler noauth apiv1
-keystone = request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv1
+keystone = cors request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv1
-keystone_nolimit = request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv1
+keystone_nolimit = cors request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv1
 [composite:openstack_volume_api_v2]
 use = call:cinder.api.middleware.auth:pipeline_factory
-noauth = request_id faultwrap sizelimit osprofiler noauth apiv2
+noauth = cors request_id faultwrap sizelimit osprofiler noauth apiv2
-keystone = request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2
+keystone = cors request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2
-keystone_nolimit = request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2
+keystone_nolimit = cors request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2
 [filter:request_id]
 paste.filter_factory = oslo_middleware.request_id:RequestId.factory
 [filter:cors]
 paste.filter_factory = oslo_middleware.cors:filter_factory
 oslo_config_project = cinder
 [filter:faultwrap]
 paste.filter_factory = cinder.api.middleware.fault:FaultWrapper.factory
 [filter:osprofiler]
 paste.filter_factory = osprofiler.web:WsgiMiddleware.factory
 hmac_keys = {{ cinder_profiler_hmac_key }}
 enabled = yes
 [filter:noauth]
 paste.filter_factory = cinder.api.middleware.auth:NoAuthMiddleware.factory
 [filter:sizelimit]
-paste.filter_factory = oslo_middleware:RequestBodySizeLimiter.factory
+paste.filter_factory = cinder.api.middleware.sizelimit:RequestBodySizeLimiter.factory
 [app:apiv1]
 paste.app_factory = cinder.api.v1.router:APIRouter.factory
@ -44,7 +46,7 @@ paste.app_factory = cinder.api.v1.router:APIRouter.factory
 paste.app_factory = cinder.api.v2.router:APIRouter.factory
 [pipeline:apiversions]
-pipeline = faultwrap osvolumeversionapp
+pipeline = cors faultwrap osvolumeversionapp
 [app:osvolumeversionapp]
 paste.app_factory = cinder.api.versions:Versions.factory
--- a/playbooks/roles/os_cinder/templates/policy.json.j2
+++ b/playbooks/roles/os_cinder/templates/policy.json.j2
@ -25,6 +25,7 @@
    "volume_extension:types_manage": "rule:admin_api",
    "volume_extension:types_extra_specs": "rule:admin_api",
    "volume_extension:access_types_extra_specs": "rule:admin_api",
    "volume_extension:volume_type_access": "rule:admin_or_owner",
    "volume_extension:volume_type_access:addProjectAccess": "rule:admin_api",
    "volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api",
@ -35,6 +36,7 @@
    "volume_extension:quotas:show": "",
    "volume_extension:quotas:update": "rule:admin_api",
    "volume_extension:quotas:delete": "rule:admin_api",
    "volume_extension:quota_classes": "rule:admin_api",
    "volume_extension:volume_admin_actions:reset_status": "rule:admin_api",
--- a/playbooks/roles/os_glance/templates/glance-api-paste.ini.j2
+++ b/playbooks/roles/os_glance/templates/glance-api-paste.ini.j2
@ -1,38 +1,38 @@
 # Use this pipeline for no auth or image caching - DEFAULT
 [pipeline:glance-api]
-pipeline = healthcheck versionnegotiation osprofiler unauthenticated-context rootapp
+pipeline = cors healthcheck versionnegotiation osprofiler unauthenticated-context rootapp
 # Use this pipeline for image caching and no auth
 [pipeline:glance-api-caching]
-pipeline = healthcheck versionnegotiation osprofiler unauthenticated-context cache rootapp
+pipeline = cors healthcheck versionnegotiation osprofiler unauthenticated-context cache rootapp
 # Use this pipeline for caching w/ management interface but no auth
 [pipeline:glance-api-cachemanagement]
-pipeline = healthcheck versionnegotiation osprofiler unauthenticated-context cache cachemanage rootapp
+pipeline = cors healthcheck versionnegotiation osprofiler unauthenticated-context cache cachemanage rootapp
 # Use this pipeline for keystone auth
 [pipeline:glance-api-keystone]
-pipeline = healthcheck versionnegotiation osprofiler authtoken context  rootapp
+pipeline = cors healthcheck versionnegotiation osprofiler authtoken context  rootapp
 # Use this pipeline for keystone auth with image caching
 [pipeline:glance-api-keystone+caching]
-pipeline = healthcheck versionnegotiation osprofiler authtoken context cache rootapp
+pipeline = cors healthcheck versionnegotiation osprofiler authtoken context cache rootapp
 # Use this pipeline for keystone auth with caching and cache management
 [pipeline:glance-api-keystone+cachemanagement]
-pipeline = healthcheck versionnegotiation osprofiler authtoken context cache cachemanage rootapp
+pipeline = cors healthcheck versionnegotiation osprofiler authtoken context cache cachemanage rootapp
 # Use this pipeline for authZ only. This means that the registry will treat a
 # user as authenticated without making requests to keystone to reauthenticate
 # the user.
 [pipeline:glance-api-trusted-auth]
-pipeline = healthcheck versionnegotiation osprofiler context rootapp
+pipeline = cors healthcheck versionnegotiation osprofiler context rootapp
 # Use this pipeline for authZ only. This means that the registry will treat a
 # user as authenticated without making requests to keystone to reauthenticate
 # the user and uses cache management
 [pipeline:glance-api-trusted-auth+cachemanagement]
-pipeline = healthcheck versionnegotiation osprofiler context cache cachemanage rootapp
+pipeline = cors healthcheck versionnegotiation osprofiler context cache cachemanage rootapp
 [composite:rootapp]
 paste.composite_factory = glance.api:root_app_factory
@ -82,5 +82,27 @@ paste.filter_factory = glance.api.middleware.gzip:GzipMiddleware.factory
 [filter:osprofiler]
 paste.filter_factory = osprofiler.web:WsgiMiddleware.factory
-hmac_keys = {{ glance_profiler_hmac_key }}
+hmac_keys = {{ glance_profiler_hmac_key }}  #DEPRECATED
-enabled = yes
+enabled = yes  #DEPRECATED
 [filter:cors]
 paste.filter_factory =  oslo_middleware.cors:filter_factory
 oslo_config_project = glance
 oslo_config_program = glance-api
 # Basic Headers (Automatic)
 # Accept = Origin, Accept, Accept-Language, Content-Type, Cache-Control, Content-Language, Expires, Last-Modified, Pragma
 # Expose = Origin, Accept, Accept-Language, Content-Type, Cache-Control, Content-Language, Expires, Last-Modified, Pragma
 # Glance Headers
 # Accept = Content-MD5, X-Image-Meta-Checksum, X-Storage-Token, Accept-Encoding
 # Expose = X-Image-Meta-Checksum
 # Keystone Headers
 # Accept = X-Auth-Token, X-Identity-Status, X-Roles, X-Service-Catalog, X-User-Id, X-Tenant-Id
 # Expose = X-Auth-Token, X-Subject-Token, X-Service-Token
 # Request ID Middleware Headers
 # Accept = X-OpenStack-Request-ID
 # Expose = X-OpenStack-Request-ID
 latent_allow_headers = Content-MD5, X-Image-Meta-Checksum, X-Storage-Token, Accept-Encoding, X-Auth-Token, X-Identity-Status, X-Roles, X-Service-Catalog, X-User-Id, X-Tenant-Id, X-OpenStack-Request-ID
 latent_expose_headers = X-Image-Meta-Checksum, X-Auth-Token, X-Subject-Token, X-Service-Token, X-OpenStack-Request-ID
--- a/playbooks/roles/os_glance/templates/glance-registry-paste.ini.j2
+++ b/playbooks/roles/os_glance/templates/glance-registry-paste.ini.j2
@ -31,5 +31,5 @@ paste.filter_factory = keystonemiddleware.auth_token:filter_factory
 [filter:osprofiler]
 paste.filter_factory = osprofiler.web:WsgiMiddleware.factory
-hmac_keys = {{ glance_profiler_hmac_key }}
+hmac_keys = {{ glance_profiler_hmac_key }}  #DEPRECATED
-enabled = yes
+enabled = yes  #DEPRECATED
--- a/playbooks/roles/os_glance/templates/policy.json.j2
+++ b/playbooks/roles/os_glance/templates/policy.json.j2
@ -1,7 +1,5 @@
 {
    "context_is_admin":  "role:admin",
    "tenant_is_owner": "tenant:%(owner)s",
    "admin_or_owner": "role:admin OR rule:tenant_is_owner",
    "default": "",
    "add_image": "",
@ -9,7 +7,7 @@
    "get_image": "",
    "get_images": "",
    "modify_image": "",
-    "publicize_image": "rule:admin_or_owner",
+    "publicize_image": "role:admin",
    "copy_from": "",
    "download_image": "",
@ -19,11 +17,11 @@
    "get_image_location": "",
    "set_image_location": "",
-    "add_member": "rule:admin_or_owner",
+    "add_member": "",
-    "delete_member": "rule:admin_or_owner",
+    "delete_member": "",
    "get_member": "",
    "get_members": "",
-    "modify_member": "rule:admin_or_owner",
+    "modify_member": "",
    "manage_image_cache": "role:admin",
--- a/playbooks/roles/os_heat/templates/api-paste.ini.j2
+++ b/playbooks/roles/os_heat/templates/api-paste.ini.j2
@ -1,7 +1,7 @@
 # heat-api pipeline
 [pipeline:heat-api]
-pipeline = request_id faultwrap ssl versionnegotiation osprofiler authurl authtoken context apiv1app
+pipeline = cors request_id faultwrap ssl versionnegotiation osprofiler authurl authtoken context apiv1app
 # heat-api pipeline for standalone heat
 # ie. uses alternative auth backend that authenticates users against keystone
@ -12,7 +12,7 @@ pipeline = request_id faultwrap ssl versionnegotiation osprofiler authurl authto
 #   flavor = standalone
 #
 [pipeline:heat-api-standalone]
-pipeline = request_id faultwrap ssl versionnegotiation authurl authpassword context apiv1app
+pipeline = cors request_id faultwrap ssl versionnegotiation authurl authpassword context apiv1app
 # heat-api pipeline for custom cloud backends
 # i.e. in heat.conf:
@ -20,25 +20,25 @@ pipeline = request_id faultwrap ssl versionnegotiation authurl authpassword cont
 #   flavor = custombackend
 #
 [pipeline:heat-api-custombackend]
-pipeline = request_id faultwrap versionnegotiation context custombackendauth apiv1app
+pipeline = cors request_id faultwrap versionnegotiation context custombackendauth apiv1app
 # heat-api-cfn pipeline
 [pipeline:heat-api-cfn]
-pipeline = cfnversionnegotiation osprofiler ec2authtoken authtoken context apicfnv1app
+pipeline = cors cfnversionnegotiation osprofiler ec2authtoken authtoken context apicfnv1app
 # heat-api-cfn pipeline for standalone heat
 # relies exclusively on authenticating with ec2 signed requests
 [pipeline:heat-api-cfn-standalone]
-pipeline = cfnversionnegotiation ec2authtoken context apicfnv1app
+pipeline = cors cfnversionnegotiation ec2authtoken context apicfnv1app
 # heat-api-cloudwatch pipeline
 [pipeline:heat-api-cloudwatch]
-pipeline = versionnegotiation osprofiler ec2authtoken authtoken context apicwapp
+pipeline = cors versionnegotiation osprofiler ec2authtoken authtoken context apicwapp
 # heat-api-cloudwatch pipeline for standalone heat
 # relies exclusively on authenticating with ec2 signed requests
 [pipeline:heat-api-cloudwatch-standalone]
-pipeline = versionnegotiation ec2authtoken context apicwapp
+pipeline = cors versionnegotiation ec2authtoken context apicwapp
 [app:apiv1app]
 paste.app_factory = heat.common.wsgi:app_factory
@ -56,6 +56,10 @@ heat.app_factory = heat.api.cloudwatch:API
 paste.filter_factory = heat.common.wsgi:filter_factory
 heat.filter_factory = heat.api.openstack:version_negotiation_filter
 [filter:cors]
 paste.filter_factory = oslo_middleware.cors:filter_factory
 oslo_config_project = heat
 [filter:faultwrap]
 paste.filter_factory = heat.common.wsgi:filter_factory
 heat.filter_factory = heat.api.openstack:faultwrap_filter
@ -100,5 +104,3 @@ paste.filter_factory = oslo_middleware.request_id:RequestId.factory
 [filter:osprofiler]
 paste.filter_factory = osprofiler.web:WsgiMiddleware.factory
 hmac_keys = {{ heat_profiler_hmac_key }}
 enabled = {{ heat_profiler_enabled }}
--- a/playbooks/roles/os_heat/templates/policy.json.j2
+++ b/playbooks/roles/os_heat/templates/policy.json.j2
@ -62,6 +62,8 @@
    "stacks:delete_snapshot": "rule:deny_stack_user",
    "stacks:list_snapshots": "rule:deny_stack_user",
    "stacks:restore_snapshot": "rule:deny_stack_user",
    "stacks:list_outputs": "rule:deny_stack_user",
    "stacks:show_output": "rule:deny_stack_user",
    "software_configs:global_index": "rule:deny_everybody",
    "software_configs:index": "rule:deny_stack_user",
--- a/playbooks/roles/os_heat/templates/templates/AWS_RDS_DBInstance.yaml.j2
+++ b/playbooks/roles/os_heat/templates/templates/AWS_RDS_DBInstance.yaml.j2
@ -95,8 +95,8 @@ Resources:
            MasterUserPassword: {Ref: MasterUserPassword}
            WaitHandle: {Ref: WaitHandle}
          - |
-            #!/usr/bin/env bash
+            #!/bin/bash -v
-            set -v
+            #
            iptables -F
            # Helper function
--- a/playbooks/roles/os_keystone/defaults/main.yml
+++ b/playbooks/roles/os_keystone/defaults/main.yml
@ -356,11 +356,13 @@ keystone_requires_pip_packages:
 # Common pip packages
 keystone_pip_packages:
  - argparse
  - keystone
  - keystonemiddleware
  - ldappool
  - lxml
  - PyMySQL
  - oslo.log
  - oslo.middleware
  - pbr
  - pycrypto
--- a/playbooks/roles/os_keystone/templates/keystone-paste.ini.j2
+++ b/playbooks/roles/os_keystone/templates/keystone-paste.ini.j2
@ -1,10 +1,10 @@
 # Keystone PasteDeploy configuration file.
 [filter:debug]
-use = egg:keystone#debug
+use = egg:oslo.middleware#debug
 [filter:request_id]
-use = egg:keystone#request_id
+use = egg:oslo.middleware#request_id
 [filter:build_auth_context]
 use = egg:keystone#build_auth_context
@ -30,29 +30,17 @@ use = egg:keystone#ec2_extension
 [filter:ec2_extension_v3]
 use = egg:keystone#ec2_extension_v3
 [filter:federation_extension]
 use = egg:keystone#federation_extension
 [filter:oauth1_extension]
 use = egg:keystone#oauth1_extension
 [filter:s3_extension]
 use = egg:keystone#s3_extension
 [filter:endpoint_filter_extension]
 use = egg:keystone#endpoint_filter_extension
 [filter:simple_cert_extension]
 use = egg:keystone#simple_cert_extension
 [filter:revoke_extension]
 use = egg:keystone#revoke_extension
 [filter:url_normalize]
 use = egg:keystone#url_normalize
 [filter:sizelimit]
-use = egg:keystone#sizelimit
+use = egg:oslo.middleware#sizelimit
 [app:public_service]
 use = egg:keystone#public_service
@ -76,7 +64,7 @@ pipeline = sizelimit url_normalize request_id build_auth_context token_auth admi
 [pipeline:api_v3]
 # The last item in this pipeline must be service_v3 or an equivalent
 # application. It cannot be a filter.
-pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension federation_extension oauth1_extension endpoint_filter_extension service_v3
+pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension service_v3
 [app:public_version_service]
 use = egg:keystone#public_version_service
--- a/playbooks/roles/os_keystone/templates/keystone-wsgi.py.j2
+++ b/playbooks/roles/os_keystone/templates/keystone-wsgi.py.j2
@ -19,12 +19,30 @@ activate_this = os.path.expanduser("{{ keystone_venv_bin }}/activate_this.py")
 execfile(activate_this, dict(__file__=activate_this))
 {% endif %}
 import os
 from oslo_log import log
 from oslo_log import versionutils
 from keystone.i18n import _LW
 from keystone.server import wsgi as wsgi_server
 name = os.path.basename(__file__)
 LOG = log.getLogger(__name__)
 def deprecation_warning():
    versionutils.report_deprecated_feature(
        LOG,
        _LW('httpd/keystone.py is deprecated as of Mitaka'
            ' in favor of keystone-wsgi-admin and keystone-wsgi-public'
            ' and may be removed in O.')
    )
 # NOTE(ldbragst): 'application' is required in this context by WSGI spec.
 # The following is a reference to Python Paste Deploy documentation
 # http://pythonpaste.org/deploy/
-application = wsgi_server.initialize_application(name)
+application = wsgi_server.initialize_application(
    name,
    post_log_configured_function=deprecation_warning)
--- a/playbooks/roles/os_keystone/templates/policy.json.j2
+++ b/playbooks/roles/os_keystone/templates/policy.json.j2
@ -82,6 +82,7 @@
    "identity:revoke_grant": "rule:admin_required",
    "identity:list_role_assignments": "rule:admin_required",
    "identity:list_role_assignments_for_tree": "rule:admin_required",
    "identity:get_policy": "rule:admin_required",
    "identity:list_policies": "rule:admin_required",
@ -180,5 +181,6 @@
    "identity:create_domain_config": "rule:admin_required",
    "identity:get_domain_config": "rule:admin_required",
    "identity:update_domain_config": "rule:admin_required",
-    "identity:delete_domain_config": "rule:admin_required"
+    "identity:delete_domain_config": "rule:admin_required",
    "identity:get_domain_config_default": "rule:admin_required"
 }
--- a/playbooks/roles/os_neutron/files/rootwrap.d/functional-testing.filters
+++ b/playbooks/roles/os_neutron/files/rootwrap.d/functional-testing.filters
@ -0,0 +1,35 @@
 # neutron-rootwrap command filters to support functional testing.  It
 # is NOT intended to be used outside of a test environment.
 #
 # This file should be owned by (and only-writeable by) the root user
 [Filters]
 # enable ping from namespace
 ping_filter: CommandFilter, ping, root
 ping6_filter: CommandFilter, ping6, root
 # enable curl from namespace
 curl_filter: RegExpFilter, /usr/bin/curl, root, curl, --max-time, \d+, -D-, http://[0-9a-z:./-]+
 nc_filter: CommandFilter, nc, root
 # netcat has different binaries depending on linux distribution
 nc_kill: KillFilter, root, nc, -9
 ncbsd_kill: KillFilter, root, nc.openbsd, -9
 ncat_kill: KillFilter, root, ncat, -9
 ss_filter: CommandFilter, ss, root
 # enable neutron-linuxbridge-cleanup from namespace
 lb_cleanup_filter: RegExpFilter, neutron-linuxbridge-cleanup, root, neutron-linuxbridge-cleanup, --config-file, .*
 # enable dhclient from namespace
 dhclient_filter: CommandFilter, dhclient, root
 dhclient_kill: KillFilter, root, dhclient, -9
 # Actually, dhclient is used for test dhcp-agent and runs
 # in dhcp-agent namespace. If in that namespace resolv.conf file not exist
 # dhclient will override system /etc/resolv.conf
 # Filters below are limit functions mkdir, rm and touch
 # only to create and delete file resolv.conf in the that namespace
 mkdir_filter: RegExpFilter, /bin/mkdir, root, mkdir, -p, /etc/netns/qdhcp-[0-9a-z./-]+
 rm_filter: RegExpFilter, /bin/rm, root, rm, -r, /etc/netns/qdhcp-[0-9a-z./-]+
 touch_filter: RegExpFilter, /bin/touch, root, touch, /etc/netns/qdhcp-[0-9a-z./-]+/resolv.conf
 touch_filter2: RegExpFilter, /usr/bin/touch, root, touch, /etc/netns/qdhcp-[0-9a-z./-]+/resolv.conf
--- a/playbooks/roles/os_neutron/files/rootwrap.d/iptables-firewall.filters
+++ b/playbooks/roles/os_neutron/files/rootwrap.d/iptables-firewall.filters
@ -19,3 +19,10 @@ ip6tables-restore: CommandFilter, ip6tables-restore, root
 #   "iptables", "-A", ...
 iptables: CommandFilter, iptables, root
 ip6tables: CommandFilter, ip6tables, root
 # neutron/agent/linux/iptables_manager.py
 #   "sysctl", "-w", ...
 sysctl: CommandFilter, sysctl, root
 # neutron/agent/linux/ip_conntrack.py
 conntrack: CommandFilter, conntrack, root
--- a/playbooks/roles/os_neutron/files/rootwrap.d/l3.filters
+++ b/playbooks/roles/os_neutron/files/rootwrap.d/l3.filters
@ -50,3 +50,8 @@ conntrack: CommandFilter, conntrack, root
 # keepalived state change monitor
 keepalived_state_change: CommandFilter, neutron-keepalived-state-change, root
 # For creating namespace local /etc
 rt_tables_mkdir: RegExpFilter, mkdir, root, mkdir, -p, /etc/netns/qrouter-[^/].*
 rt_tables_chown: RegExpFilter, chown, root, chown, [1-9][0-9].*, /etc/netns/qrouter-[^/].*
 rt_tables_rmdir: RegExpFilter, rm, root, rm, -r, -f, /etc/netns/qrouter-[^/].*
--- a/playbooks/roles/os_neutron/tasks/neutron_post_install.yml
+++ b/playbooks/roles/os_neutron/tasks/neutron_post_install.yml
@ -93,12 +93,13 @@
  with_items:
    - { src: "rootwrap.d/debug.filters", dest: "/etc/neutron/rootwrap.d/debug.filters" }
    - { src: "rootwrap.d/dibbler.filters", dest: "/etc/neutron/rootwrap.d/dibbler.filters" }
    - { src: "rootwrap.d/ebtables.filters", dest: "/etc/neutron/rootwrap.d/ebtables.filters" }
    - { src: "rootwrap.d/functional-testing.filters", dest: "/etc/neutron/rootwrap.d/functional-testing.filters" }
    - { src: "rootwrap.d/ipset-firewall.filters", dest: "/etc/neutron/rootwrap.d/ipset-firewall.filters" }
    - { src: "rootwrap.d/iptables-firewall.filters", dest: "/etc/neutron/rootwrap.d/iptables-firewall.filters" }
    - { src: "rootwrap.d/openvswitch-plugin.filters", dest: "/etc/neutron/rootwrap.d/openvswitch-plugin.filters" }
    - { src: "rootwrap.d/lbaas-haproxy.filters", dest: "/etc/neutron/rootwrap.d/lbaas-haproxy.filters" }
    - { src: "rootwrap.d/vpnaas.filters", dest: "/etc/neutron/rootwrap.d/vpnaas.filters" }
    - { src: "rootwrap.d/ebtables.filters", dest: "/etc/neutron/rootwrap.d/ebtables.filters" }
  notify:
    - Restart neutron services
  tags:
--- a/playbooks/roles/os_neutron/templates/api-paste.ini.j2
+++ b/playbooks/roles/os_neutron/templates/api-paste.ini.j2
@ -5,8 +5,8 @@ use = egg:Paste#urlmap
 [composite:neutronapi_v2_0]
 use = call:neutron.auth:pipeline_factory
-noauth = request_id catch_errors extensions neutronapiapp_v2_0
+noauth = cors request_id catch_errors extensions neutronapiapp_v2_0
-keystone = request_id catch_errors authtoken keystonecontext extensions neutronapiapp_v2_0
+keystone = cors request_id catch_errors authtoken keystonecontext extensions neutronapiapp_v2_0
 [filter:request_id]
 paste.filter_factory = oslo_middleware:RequestId.factory
@ -14,6 +14,13 @@ paste.filter_factory = oslo_middleware:RequestId.factory
 [filter:catch_errors]
 paste.filter_factory = oslo_middleware:CatchErrors.factory
 [filter:cors]
 paste.filter_factory = oslo_middleware.cors:filter_factory
 oslo_config_project = neutron
 latent_allow_headers = X-Auth-Token, X-Identity-Status, X-Roles, X-Service-Catalog, X-User-Id, X-Tenant-Id, X-OpenStack-Request-ID
 latent_expose_headers = X-Auth-Token, X-Subject-Token, X-Service-Token, X-OpenStack-Request-ID
 latent_allow_methods = GET, PUT, POST, DELETE, PATCH
 [filter:keystonecontext]
 paste.filter_factory = neutron.auth:NeutronKeystoneContext.factory
--- a/playbooks/roles/os_neutron/templates/policy.json.j2
+++ b/playbooks/roles/os_neutron/templates/policy.json.j2
@ -22,8 +22,10 @@
    "create_subnetpool": "",
    "create_subnetpool:shared": "rule:admin_only",
    "create_subnetpool:is_default": "rule:admin_only",
    "get_subnetpool": "rule:admin_or_owner or rule:shared_subnetpools",
    "update_subnetpool": "rule:admin_or_owner",
    "update_subnetpool:is_default": "rule:admin_only",
    "delete_subnetpool": "rule:admin_or_owner",
    "create_address_scope": "",
@ -197,5 +199,9 @@
    "update_rbac_policy": "rule:admin_or_owner",
    "update_rbac_policy:target_tenant": "rule:restrict_wildcard and rule:admin_or_owner",
    "get_rbac_policy": "rule:admin_or_owner",
-    "delete_rbac_policy": "rule:admin_or_owner"
+    "delete_rbac_policy": "rule:admin_or_owner",
    "create_flavor_service_profile": "rule:admin_only",
    "delete_flavor_service_profile": "rule:admin_only",
    "get_flavor_service_profile": "rule:regular_user"
 }
--- a/playbooks/roles/os_neutron/templates/rootwrap.conf.j2
+++ b/playbooks/roles/os_neutron/templates/rootwrap.conf.j2
@ -10,7 +10,7 @@ filters_path=/etc/neutron/rootwrap.d,/usr/share/neutron/rootwrap
 # explicitely specify a full path (separated by ',')
 # If not specified, defaults to system PATH environment variable.
 # These directories MUST all be only writeable by root !
-exec_dirs={{ neutron_bin }},/sbin,/usr/sbin,/bin,/usr/bin
+exec_dirs={{ neutron_bin }},/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin
 # Enable logging to syslog
 # Default value is False
--- a/playbooks/roles/os_nova/files/rootwrap.d/compute.filters
+++ b/playbooks/roles/os_nova/files/rootwrap.d/compute.filters
@ -203,7 +203,6 @@ multipath: CommandFilter, multipath, root
 # multipathd show status
 multipathd: CommandFilter, multipathd, root
 systool: CommandFilter, systool, root
 sginfo: CommandFilter, sginfo, root
 vgc-cluster: CommandFilter, vgc-cluster, root
 # os_brick/initiator/connector.py
 drv_cfg: CommandFilter, /opt/emc/scaleio/sdc/bin/drv_cfg, root, /opt/emc/scaleio/sdc/bin/drv_cfg, --query_guid
--- a/playbooks/roles/os_nova/templates/api-paste.ini.j2
+++ b/playbooks/roles/os_nova/templates/api-paste.ini.j2
@ -6,7 +6,7 @@ use = egg:Paste#urlmap
 /: meta
 [pipeline:meta]
-pipeline = metaapp
+pipeline = cors metaapp
 [app:metaapp]
 paste.app_factory = nova.api.metadata.handler:MetadataRequestHandler.factory
@ -23,7 +23,6 @@ use = call:nova.api.openstack.urlmap:urlmap_factory
 # this causes issues with your clients you can rollback to the
 # *frozen* v2 api by commenting out the above stanza and using the
 # following instead::
 # /v1.1: openstack_compute_api_legacy_v2
 # /v2: openstack_compute_api_legacy_v2
 # if rolling back to v2 fixes your issue please file a critical bug
 # at - https://bugs.launchpad.net/nova/+bugs
@ -33,26 +32,25 @@ use = call:nova.api.openstack.urlmap:urlmap_factory
 # API). It also provides new features via API microversions which are
 # opt into for clients. Unaware clients will receive the same frozen
 # v2 API feature set, but with some relaxed validation
 /v1.1: openstack_compute_api_v21_legacy_v2_compatible
 /v2: openstack_compute_api_v21_legacy_v2_compatible
 /v2.1: openstack_compute_api_v21
 # NOTE: this is deprecated in favor of openstack_compute_api_v21_legacy_v2_compatible
 [composite:openstack_compute_api_legacy_v2]
 use = call:nova.api.auth:pipeline_factory
-noauth2 = compute_req_id faultwrap sizelimit noauth2 legacy_ratelimit osapi_compute_app_legacy_v2
+noauth2 = cors compute_req_id faultwrap sizelimit noauth2 legacy_ratelimit osapi_compute_app_legacy_v2
-keystone = compute_req_id faultwrap sizelimit authtoken keystonecontext legacy_ratelimit osapi_compute_app_legacy_v2
+keystone = cors compute_req_id faultwrap sizelimit authtoken keystonecontext legacy_ratelimit osapi_compute_app_legacy_v2
-keystone_nolimit = compute_req_id faultwrap sizelimit authtoken keystonecontext osapi_compute_app_legacy_v2
+keystone_nolimit = cors compute_req_id faultwrap sizelimit authtoken keystonecontext osapi_compute_app_legacy_v2
 [composite:openstack_compute_api_v21]
 use = call:nova.api.auth:pipeline_factory_v21
-noauth2 = compute_req_id faultwrap sizelimit noauth2 osapi_compute_app_v21
+noauth2 = cors compute_req_id faultwrap sizelimit noauth2 osapi_compute_app_v21
-keystone = compute_req_id faultwrap sizelimit authtoken keystonecontext osapi_compute_app_v21
+keystone = cors compute_req_id faultwrap sizelimit authtoken keystonecontext osapi_compute_app_v21
 [composite:openstack_compute_api_v21_legacy_v2_compatible]
 use = call:nova.api.auth:pipeline_factory_v21
-noauth2 = compute_req_id faultwrap sizelimit noauth2 legacy_v2_compatible osapi_compute_app_v21
+noauth2 = cors compute_req_id faultwrap sizelimit noauth2 legacy_v2_compatible osapi_compute_app_v21
-keystone = compute_req_id faultwrap sizelimit authtoken keystonecontext legacy_v2_compatible osapi_compute_app_v21
+keystone = cors compute_req_id faultwrap sizelimit authtoken keystonecontext legacy_v2_compatible osapi_compute_app_v21
 [filter:request_id]
 paste.filter_factory = oslo_middleware:RequestId.factory
@ -91,6 +89,10 @@ paste.app_factory = nova.api.openstack.compute.versions:Versions.factory
 # Shared #
 ##########
 [filter:cors]
 paste.filter_factory = oslo_middleware.cors:filter_factory
 oslo_config_project = nova
 [filter:keystonecontext]
 paste.filter_factory = nova.api.auth:NovaKeystoneContext.factory
--- a/playbooks/roles/os_nova/templates/policy.json.j2
+++ b/playbooks/roles/os_nova/templates/policy.json.j2
@ -22,16 +22,14 @@
    "compute:update_instance_metadata": "",
    "compute:delete_instance_metadata": "",
    "compute:get_instance_faults": "",
    "compute:get_diagnostics": "",
    "compute:get_instance_diagnostics": "",
    "compute:start": "rule:admin_or_owner",
    "compute:stop": "rule:admin_or_owner",
-    "compute:get_lock": "",
+    "compute:lock": "rule:admin_or_owner",
-    "compute:lock": "",
+    "compute:unlock": "rule:admin_or_owner",
    "compute:unlock": "",
    "compute:unlock_override": "rule:admin_api",
    "compute:get_vnc_console": "",
@ -85,9 +83,6 @@
    "compute:security_groups:add_to_instance": "",
    "compute:security_groups:remove_from_instance": "",
    "compute:delete": "",
    "compute:soft_delete": "",
    "compute:force_delete": "",
    "compute:restore": "",
    "compute:volume_snapshot_create": "",
@ -334,6 +329,7 @@
    "os_compute_api:os-extended-availability-zone": "",
    "os_compute_api:os-extended-availability-zone:discoverable": "",
    "os_compute_api:extensions": "",
    "os_compute_api:extensions:discoverable": "",
    "os_compute_api:extension_info:discoverable": "",
    "os_compute_api:os-extended-volumes": "",
    "os_compute_api:os-extended-volumes:discoverable": "",
@ -345,6 +341,7 @@
    "os_compute_api:os-flavor-access:add_tenant_access": "rule:admin_api",
    "os_compute_api:os-flavor-rxtx": "",
    "os_compute_api:os-flavor-rxtx:discoverable": "",
    "os_compute_api:flavors": "",
    "os_compute_api:flavors:discoverable": "",
    "os_compute_api:os-flavor-extra-specs:discoverable": "",
    "os_compute_api:os-flavor-extra-specs:index": "",
--- a/playbooks/roles/os_nova/templates/rootwrap.conf.j2
+++ b/playbooks/roles/os_nova/templates/rootwrap.conf.j2
@ -7,10 +7,10 @@
 filters_path=/etc/nova/rootwrap.d,/usr/share/nova/rootwrap
 # List of directories to search executables in, in case filters do not
-# explicitely specify a full path (separated by ',')
+# explicitly specify a full path (separated by ',')
 # If not specified, defaults to system PATH environment variable.
 # These directories MUST all be only writeable by root !
-exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,{{ nova_bin }}
+exec_dirs={{ nova_bin }},/sbin,/usr/sbin,/bin,/usr/bin
 # Enable logging to syslog
 # Default value is False
--- a/playbooks/roles/os_tempest/templates/tempest.conf.j2
+++ b/playbooks/roles/os_tempest/templates/tempest.conf.j2
@ -42,7 +42,7 @@ image_ssh_user = {{ tempest_compute_image_ssh_user }}
 image_ssh_password = {{ tempest_compute_image_ssh_password }}
 image_alt_ssh_user = {{ tempest_compute_image_alt_ssh_user }}
 ssh_user = {{ tempest_compute_ssh_user }}
-ssh_auth_method = configured
+auth_method = keypair
 fixed_network_name = private
 endpoint_type = internalURL
 floating_ip_range = 10.0.0.0/29