From 9258649674b94fcdcf8239201bc37bfab0b479fb Mon Sep 17 00:00:00 2001
From: Pete Birley
Date: Thu, 17 May 2018 01:28:36 -0500
Subject: [PATCH] Neutron: provide config support for queens

This PS updates the neutron config to support up to the queens release of OpenStack.

Change-Id: I02ffbb1d85134605e665b6bef4379d45af134b58
Signed-off-by: Pete Birley
---
 neutron/values.yaml | 56 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)

diff --git a/neutron/values.yaml b/neutron/values.yaml
index c7b440bb5e..87b9565a8b 100644
--- a/neutron/values.yaml
+++ b/neutron/values.yaml
@@ -1151,6 +1151,10 @@ conf:
 route: CommandFilter, route, root
 radvd: CommandFilter, radvd, root
+ # haproxy
+ haproxy: RegExpFilter, haproxy, root, haproxy, -f, .*
+ kill_haproxy: KillFilter, root, haproxy, -15, -9, -HUP
+
 # metadata proxy
 metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
 # RHEL invocation of the metadata proxy will report /usr/bin/python
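Review bot: The new `haproxy` filter on the second added line accepts any `-f` argument through `.*`, so any caller permitted to invoke rootwrap with this filter file can start a root haproxy with an arbitrary configuration file; the one-word `# haproxy` comment neither says what the filter is for nor records that trust assumption. That the metadata proxy is the consumer is only inferred from the adjacent `metadata_proxy` filter, not stated in the hunk. Suggest `# haproxy (metadata proxy helper); -f is unconstrained, so every path writable by the rootwrap caller is effectively trusted as haproxy config`. The rootwrap filter map these keys belong to, under `conf:`, starts before the hunk.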
@@ -1165,6 +1169,15 @@ conf:
 find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
 ip_exec: IpNetnsExecFilter, ip, root
+ # l3_tc_lib
+ l3_tc_show_qdisc: RegExpFilter, tc, root, tc, qdisc, show, dev, .+
+ l3_tc_add_qdisc_ingress: RegExpFilter, tc, root, tc, qdisc, add, dev, .+, ingress
+ l3_tc_add_qdisc_egress: RegExpFilter, tc, root, tc, qdisc, add, dev, .+, root, handle, 1:, htb
+ l3_tc_show_filters: RegExpFilter, tc, root, tc, -p, -s, -d, filter, show, dev, .+, parent, .+, prio, 1
+ l3_tc_delete_filters: RegExpFilter, tc, root, tc, filter, del, dev, .+, parent, .+, prio, 1, handle, .+, u32
+ l3_tc_add_filter_ingress: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, ip, prio, 1, u32, match, ip, dst, .+, police, rate, .+, burst, .+, drop, flowid, :1
+ l3_tc_add_filter_egress: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, ip, prio, 1, u32, match, ip, src, .+, police, rate, .+, burst, .+, drop, flowid, :1
+
 # For ip monitor
 kill_ip_monitor: KillFilter, root, ip, -9
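Review bot: The `# l3_tc_lib` comment names a neutron module rather than the feature these seven `tc` filters enable, and it does not record that the `dev`, `parent`, `handle`, `rate` and `burst` positions are all matched by `.+`, which is where the latitude sits if an operator later wants to tighten the filters. The feature is presumably the L3 agent's QoS handling, but the hunk does not say so and I have not confirmed it against the Queens agent code. Suggest `# l3_tc_lib: tc qdisc/filter commands for the L3 agent (QoS, to be confirmed); device, parent, handle, rate and burst arguments are unconstrained (.+)`. The filter map these keys belong to starts before the hunk.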
@@ -1377,6 +1390,49 @@ conf:
 ip: IpFilter, ip, root
 find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
 ip_exec: IpNetnsExecFilter, ip, root
+
+ # needed for FDB extension
+ bridge: CommandFilter, bridge, root
+ privsep:
+ pods:
+ - dhcp_agent
+ - l3_agent
+ - lb_agent
+ - metadata_agent
+ - ovs_agent
+ - sriov_agent
+ content: |
+ # Command filters to allow privsep daemon to be started via rootwrap.
+ #
+ # This file should be owned by (and only-writeable by) the root user
+
+ [Filters]
+
+ # By installing the following, the local admin is asserting that:
+ #
+ # 1. The python module load path used by privsep-helper
+ # command as root (as started by sudo/rootwrap) is trusted.
+ # 2. Any oslo.config files matching the --config-file
+ # arguments below are trusted.
+ # 3. Users allowed to run sudo/rootwrap with this configuration(*) are
+ # also allowed to invoke python "entrypoint" functions from
+ # --privsep_context with the additional (possibly root) privileges
+ # configured for that context.
+ #
+ # (*) ie: the user is allowed by /etc/sudoers to run rootwrap as root
+ #
+ # In particular, the oslo.config and python module path must not
+ # be writeable by the unprivileged user.
+
+ # oslo.privsep default neutron context
+ privsep: PathFilter, privsep-helper, root,
+ --config-file, /etc,
+ --privsep_context, neutron.privileged.default,
+ --privsep_sock_path, /
+
+ # NOTE: A second `--config-file` arg can also be added above. Since
+ # many neutron components are installed like that (eg: by devstack).
+ # Adjust to suit local requirements.
 neutron:
 DEFAULT:
 #NOTE(portdirect): the bind port should not be defined, and is manipulated
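Review bot: The `privsep: PathFilter, privsep-helper, root, ...` line lets rootwrap start the privsep helper as root for the `neutron.privileged.default` context with any socket path under `/` and any config file under `/etc`, and the embedded upstream comment states the precondition that those config files and the python module path must not be writable by the unprivileged user; nothing in the hunk shows how the chart renders or mounts this `content` block or `/etc/neutron`, so that precondition cannot be checked here. Suggest a YAML comment above the new `privsep:` key, hedged as a TODO, along the lines of `# Rendered as a rootwrap filter file for the pods listed below; confirm the templates mount it and the neutron config root-owned and read-only for the neutron user, as the upstream header requires`. The `bridge: CommandFilter, bridge, root` line above it grants root `bridge` with unrestricted arguments, and its `# needed for FDB extension` comment could name the agent (presumably the OVS/LB L2 agents in the `pods` list) so the grant can be scoped per agent later. The `conf:` map containing all of this starts before the hunk.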