Include additional filters_path in rootwrap.conf

Neutron plugins (e.g. TaaS) that use their own rootwrap filters install
those filter files in the /var/lib/openstack/etc/neutron/rootwrap.d directory.
Therefore this path should be added to the neutron values.conf file so that
these plugins function correctly.

Change-Id: Ia76153b50e2e22cb606b8c0f811119b3f71217d2
Deepak Tiwari 2019-10-03 10:15:12 -05:00 committed by Tin Lam
parent 243f74f10d
commit adee9c4fe4
3 changed files with 1 additions and 34 deletions


@ -166,9 +166,6 @@ spec:
{{- end }}
{{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
{{- if ( has "ovs_agent" $value.pods ) }}
{{- if and ( eq "taas" $key ) (not $envAll.Values.conf.plugins.taas.taas.enabled) }}
## if taas is not enabled, do not include taas.filters
{{- else }}
{{- $filePrefix := replace "_" "-" $key }}
{{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }}
- name: neutron-etc
@ -177,7 +174,6 @@ spec:
readOnly: true
{{- end }}
{{- end }}
{{- end }}
- name: run
mountPath: /run
{{ if $mounts_neutron_ovs_agent.volumeMounts }}{{ toYaml $mounts_neutron_ovs_agent.volumeMounts | indent 12 }}{{ end }}
@ -247,9 +243,6 @@ spec:
readOnly: true
{{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
{{- if ( has "ovs_agent" $value.pods ) }}
{{- if and ( eq "taas" $key ) (not $envAll.Values.conf.plugins.taas.taas.enabled) }}
## if taas is not enabled, do not include taas.filters
{{- else }}
{{- $filePrefix := replace "_" "-" $key }}
{{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }}
- name: neutron-etc
@ -258,7 +251,6 @@ spec:
readOnly: true
{{- end }}
{{- end }}
{{- end }}
- name: run
mountPath: /run
{{ if $mounts_neutron_ovs_agent.volumeMounts }}{{ toYaml $mounts_neutron_ovs_agent.volumeMounts | indent 12 }}{{ end }}
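Review bot: With the `taas` guard gone, the range loop over `conf.rootwrap_filters` mounts every entry that lists `ovs_agent` under `/etc/neutron/rootwrap.d/`, so a deployment override that still defines `rootwrap_filters.taas` would now have that root-level filter loaded even when `plugins.taas.taas.enabled` is false. The same holds for all four hunks in this section and for the `sriov_agent` hunks in the next file section. Because the chart no longer ships the entry itself, I would add a release note and a comment above the loop such as `## every rootwrap_filters entry listing this pod is mounted unconditionally; drop stale keys (e.g. taas) from overrides`. The enclosing container spec starts and ends outside these hunks.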


@ -117,9 +117,6 @@ spec:
readOnly: true
{{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
{{- if ( has "sriov_agent" $value.pods ) }}
{{- if and ( eq "taas" $key ) (not $envAll.Values.conf.plugins.taas.taas.enabled) }}
## if taas is not enabled, do not include taas.filters
{{- else }}
{{- $filePrefix := replace "_" "-" $key }}
{{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }}
- name: neutron-etc
@ -128,7 +125,6 @@ spec:
readOnly: true
{{- end }}
{{- end }}
{{- end }}
- name: run
mountPath: /run
{{ if $mounts_neutron_sriov_agent.volumeMounts }}{{ toYaml $mounts_neutron_sriov_agent.volumeMounts | indent 12 }}{{ end }}
@ -196,9 +192,6 @@ spec:
readOnly: true
{{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
{{- if ( has "sriov_agent" $value.pods ) }}
{{- if and ( eq "taas" $key ) (not $envAll.Values.conf.plugins.taas.taas.enabled) }}
## if taas is not enabled, do not include taas.filters
{{- else }}
{{- $filePrefix := replace "_" "-" $key }}
{{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }}
- name: neutron-etc
@ -207,7 +200,6 @@ spec:
readOnly: true
{{- end }}
{{- end }}
{{- end }}
- name: run
mountPath: /run
{{ if $mounts_neutron_sriov_agent.volumeMounts }}{{ toYaml $mounts_neutron_sriov_agent.volumeMounts | indent 12 }}{{ end }}


@ -1261,7 +1261,7 @@ conf:
[DEFAULT]
# List of directories to load filter definitions from (separated by ',').
# These directories MUST all be only writeable by root !
filters_path=/etc/neutron/rootwrap.d,/usr/share/neutron/rootwrap
filters_path=/etc/neutron/rootwrap.d,/usr/share/neutron/rootwrap,/var/lib/openstack/etc/neutron/rootwrap.d
# List of directories to search executables in, in case filters do not
# explicitely specify a full path (separated by ',')
@ -1691,23 +1691,6 @@ conf:
# NOTE: A second `--config-file` arg can also be added above. Since
# many neutron components are installed like that (eg: by devstack).
# Adjust to suit local requirements.
taas:
pods:
- ovs_agent
- sriov_agent
content: |
# neutron-rootwrap command filters for nodes on which neutron
# tap-as-a-service(taas) is eanbled. Taas uses this command
# as part of its flow control.
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# This is needed to allow taas to insert/remove vlan id to the
# target vf under /sys/class/net/[device-name]/device/sriov/[vf-index]/[mirror]
i40e_sysfs_command: RegExpFilter, i40e_sysfs_command, root, i40e_sysfs_command, \w+, .+, .+
linux_vxlan:
pods:
- bagpipe_bgp
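Review bot: The directory appended to `filters_path` in the first hunk sits directly under the comment saying these directories must be writable only by root, yet nothing in this change shows that `/var/lib/openstack/etc/neutron/rootwrap.d` meets that requirement in the images. The filters under `/etc/neutron/rootwrap.d` appear to be mounted `readOnly: true` from the `neutron-etc` volume, whereas this directory is filled by whatever the image or a plugin install placed there, and any account able to write to it can define commands that rootwrap runs as root. The path is also added for every deployment, not only those that enable TaaS. I would document the assumption next to the setting, e.g. `# /var/lib/openstack/etc/neutron/rootwrap.d is populated by plugin packages in the image; it must be root-owned and not writable by the neutron user`, and check ownership and mode of that directory in the image build.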