Remove not needed rootwrap filters

This patch moves all remaining filters to a single file. Since [1],
the number of processes executed using rootwrap have been reduced to
a small set.

[1]https://storyboard.openstack.org/#!/story/2007686

Story: #2007686
Task: #41284

Change-Id: Ic7eb717b9ee18068d7a6d7acb11302dd1fde60c6

etc/neutron/rootwrap.d/debug.filters

@@ -1,12 +0,0 @@
-# neutron-rootwrap command filters for nodes on which neutron is
-# expected to control network
-#
-# This file should be owned by (and only-writeable by) the root user
-
-# format seems to be
-# cmd-name: filter-name, raw-command, user, args
-
-[Filters]
-
-# "sleep" command, only for testing
-sleep: RegExpFilter, sleep, root, sleep, \d+

etc/neutron/rootwrap.d/dhcp.filters

@@ -1,21 +0,0 @@
-# neutron-rootwrap command filters for nodes on which neutron is
-# expected to control network
-#
-# This file should be owned by (and only-writeable by) the root user
-
-# format seems to be
-# cmd-name: filter-name, raw-command, user, args
-
-[Filters]
-
-# dhcp-agent
-dnsmasq: CommandFilter, dnsmasq, root
-
-mm-ctl: CommandFilter, mm-ctl, root
-
-# haproxy
-haproxy: RegExpFilter, haproxy, root, haproxy, -f, .*
-
-# ip_lib
-ip: IpFilter, ip, root
-ip_exec: IpNetnsExecFilter, ip, root

etc/neutron/rootwrap.d/dibbler.filters

@@ -1,16 +0,0 @@
-# neutron-rootwrap command filters for nodes on which neutron is
-# expected to control network
-#
-# This file should be owned by (and only-writeable by) the root user
-
-# format seems to be
-# cmd-name: filter-name, raw-command, user, args
-
-[Filters]
-
-# Filters for the dibbler-based reference implementation of the pluggable
-# Prefix Delegation driver. Other implementations using an alternative agent
-# should include a similar filter in this folder.
-
-# prefix_delegation_agent
-dibbler-client: CommandFilter, dibbler-client, root

etc/neutron/rootwrap.d/ipset-firewall.filters

@@ -1,12 +0,0 @@
-# neutron-rootwrap command filters for nodes on which neutron is
-# expected to control network
-#
-# This file should be owned by (and only-writeable by) the root user
-
-# format seems to be
-# cmd-name: filter-name, raw-command, user, args
-
-[Filters]
-# neutron/agent/linux/iptables_firewall.py
-#   "ipset", "-A", ...
-ipset: CommandFilter, ipset, root

etc/neutron/rootwrap.d/l3.filters

@@ -1,32 +0,0 @@
-# neutron-rootwrap command filters for nodes on which neutron is
-# expected to control network
-#
-# This file should be owned by (and only-writeable by) the root user
-
-# format seems to be
-# cmd-name: filter-name, raw-command, user, args
-
-[Filters]
-
-# l3_agent
-route: CommandFilter, route, root
-radvd: CommandFilter, radvd, root
-
-# haproxy
-haproxy: RegExpFilter, haproxy, root, haproxy, -f, .*
-
-# ip_lib
-ip: IpFilter, ip, root
-ip_exec: IpNetnsExecFilter, ip, root
-
-# iptables_manager
-iptables-save: CommandFilter, iptables-save, root
-iptables-restore: CommandFilter, iptables-restore, root
-ip6tables-save: CommandFilter, ip6tables-save, root
-ip6tables-restore: CommandFilter, ip6tables-restore, root
-
-# Keepalived
-keepalived: CommandFilter, keepalived, root
-
-# keepalived state change monitor
-keepalived_state_change: CommandFilter, neutron-keepalived-state-change, root

etc/neutron/rootwrap.d/linuxbridge-plugin.filters

@@ -1,13 +0,0 @@
-# neutron-rootwrap command filters for nodes on which neutron is
-# expected to control network
-#
-# This file should be owned by (and only-writeable by) the root user
-
-# format seems to be
-# cmd-name: filter-name, raw-command, user, args
-
-[Filters]
-
-# ip_lib
-ip: IpFilter, ip, root
-ip_exec: IpNetnsExecFilter, ip, root

etc/neutron/rootwrap.d/openvswitch-plugin.filters

@@ -1,18 +0,0 @@
-# neutron-rootwrap command filters for nodes on which neutron is
-# expected to control network
-#
-# This file should be owned by (and only-writeable by) the root user
-
-# format seems to be
-# cmd-name: filter-name, raw-command, user, args
-
-[Filters]
-
-# openvswitch-agent
-# NOTE(yamamoto): of_interface=native doesn't use ovs-ofctl
-ovs-ofctl: CommandFilter, ovs-ofctl, root
-ovsdb-client: CommandFilter, ovsdb-client, root
-
-# ip_lib
-ip: IpFilter, ip, root
-ip_exec: IpNetnsExecFilter, ip, root

etc/neutron/rootwrap.d/rootwrap.filters

@@ -20,6 +20,7 @@
 # In particular, the oslo.config and python module path must not
 # be writeable by the unprivileged user.
 
+# PRIVSEP
 # oslo.privsep default neutron context
 privsep: PathFilter, privsep-helper, root,
  --config-file, /etc/(?!\.\.).*,
@@ -29,3 +30,28 @@ privsep: PathFilter, privsep-helper, root,
 # NOTE: A second `--config-file` arg can also be added above. Since
 # many neutron components are installed like that (eg: by devstack).
 # Adjust to suit local requirements.
+
+# DEBUG
+sleep: RegExpFilter, sleep, root, sleep, \d+
+
+# EXECUTE COMMANDS IN A NAMESPACE
+ip: IpFilter, ip, root
+ip_exec: IpNetnsExecFilter, ip, root
+
+# METADATA PROXY
+haproxy: RegExpFilter, haproxy, root, haproxy, -f, .*
+
+# DHCP
+dnsmasq: CommandFilter, dnsmasq, root
+
+# DIBBLER
+dibbler-client: CommandFilter, dibbler-client, root
+
+# L3
+radvd: CommandFilter, radvd, root
+keepalived: CommandFilter, keepalived, root
+keepalived_state_change: CommandFilter, neutron-keepalived-state-change, root
+
+# OPEN VSWITCH
+ovs-ofctl: CommandFilter, ovs-ofctl, root
+ovsdb-client: CommandFilter, ovsdb-client, root