Update Kilo SHAs - 21 Jan 2016

Updates all repo SHAs to open up work on 11.2.8

This patch includes a normalisation of file names and updates
of paste, policy and rootwrap configurations.

It also updates tempest.conf.j2 to replace ssh_auth_method with
auth_method, and changes its value to 'keypair' ('configured' is no
longer a valid option).

The locally held temporary pin for django-compressor has been
removed as https://review.openstack.org/265025 is included in the
updated OpenStack sources.

Some projects name their paste config files with an underscore
instead of a dash. This patch ensures that the source-branch-updater
includes those files too when checking for updates.

The OpenStack updates include the following CVE fixes:

- OSSA-2016-001: Nova host data leak through snapshot
  https://security.openstack.org/ossa/OSSA-2016-001.html

- OSSA-2016-002: Xen connection password leak in logs via StorageError
  https://security.openstack.org/ossa/OSSA-2016-002.html

- OSSA-2016-003: Heat denial of service through template-validate
  https://security.openstack.org/ossa/OSSA-2016-003.html

Change-Id: I2c878646dd54f41637bd4830122f11e97e9f70f6
Related-Bug: #1532048
Kevin Carter 2016-01-18 16:36:34 +00:00 committed by Jesse Pretorius (odyssey4me)
parent 9f9acac3e0
commit e6cc4d6bac
31 changed files with 451 additions and 47 deletions


@ -27,16 +27,16 @@
## Tempest service
tempest_git_repo: https://git.openstack.org/openstack/tempest
tempest_git_install_branch: aa166794fe24b1da6a70be51c51f4d7f77e2712f # HEAD of "master" as of 07.12.2015
tempest_git_install_branch: b7d85910d5857487b7c01453b63aa51aa1583bcf # HEAD of "master" as of 21.01.2016
tempest_git_install_fragments: "yaprtignorerequirements=true"
tempest_git_dest: "/opt/tempest_{{ tempest_git_install_branch | replace('/', '_') }}"
# NOVNC from source
novncproxy_git_repo: https://github.com/kanaka/novnc
novncproxy_git_install_branch: b2a813dc739c8b41dd647dc01c8f8f11d8996286 # HEAD of "master" as of 07.12.2015
novncproxy_git_install_branch: 670dbddb54264fd0082d0aca1b3acb0f1814b1d2 # HEAD of "master" as of 21.01.2016
novncproxy_git_dest: "/opt/novnc_{{ novncproxy_git_install_branch | replace('/', '_') }}"
# spice-html5 from source
spicehtml5_git_repo: https://github.com/SPICE/spice-html5
spicehtml5_git_install_branch: ab73d009487c8afd4def39b54a422499b4c13c40 # HEAD of "master" as of 07.12.2015
spicehtml5_git_install_branch: ab73d009487c8afd4def39b54a422499b4c13c40 # HEAD of "master" as of 21.01.2016
spicehtml5_git_dest: "/opt/spicehtml5_{{ spicehtml5_git_install_branch | replace('/', '_') }}"


@ -31,31 +31,31 @@
## Global Requirements
requirements_git_repo: https://git.openstack.org/openstack/requirements
requirements_git_install_branch: 817317e264ab89c646facabaa0c43f3c9de00ac4 # HEAD of "stable/kilo" as of 07.12.2015
requirements_git_install_branch: 0517298926fa413c3aa03d7e93d5a21bdb9d6ca9 # HEAD of "stable/kilo" as of 21.01.2016
requirements_git_dest: "/opt/requirements_{{ requirements_git_install_branch | replace('/', '_') }}"
## Ceilometer service
ceilometer_git_repo: https://git.openstack.org/openstack/ceilometer
ceilometer_git_install_branch: 0d79ea0edca9c175076742357c83aed07b48711b # HEAD of "stable/kilo" as of 07.12.2015
ceilometer_git_install_branch: e09a946ccfaf80a9bc4bbbbf327169c09974117c # HEAD of "stable/kilo" as of 21.01.2016
ceilometer_git_dest: "/opt/ceilometer_{{ceilometer_git_install_branch | replace('/', '_') }}"
## Cinder service
cinder_git_repo: https://git.openstack.org/openstack/cinder
cinder_git_install_branch: 7cce8719f23bd35c10144f8232c80e31ccef1019 # HEAD of "stable/kilo" as of 07.12.2015
cinder_git_install_branch: 7c05ae7d031827bbc069391e48dbdc6783481054 # HEAD of "stable/kilo" as of 21.01.2016
cinder_git_dest: "/opt/cinder_{{ cinder_git_install_branch | replace('/', '_') }}"
## Glance service
glance_git_repo: https://git.openstack.org/openstack/glance
glance_git_install_branch: 417c02ae8ae362713dc7c46740f1af7e2a9d55c2 # HEAD of "stable/kilo" as of 07.12.2015
glance_git_install_branch: 0bac2bf693f054894f2e1b8149de8ecc7772f065 # HEAD of "stable/kilo" as of 21.01.2016
glance_git_dest: "/opt/glance_{{ glance_git_install_branch | replace('/', '_') }}"
## Heat service
heat_git_repo: https://git.openstack.org/openstack/heat
heat_git_install_branch: 4aa687ed79437d96dc65a0805fe8a3257156afbb # HEAD of "stable/kilo" as of 07.12.2015
heat_git_install_branch: f32bddcd12cd0c9e56f1daeb4519f610f729d2f7 # HEAD of "stable/kilo" as of 21.01.2016
heat_git_dest: "/opt/heat_{{ heat_git_install_branch | replace('/', '_') }}"
heat_repo_plugins:
- { path: "contrib", package: "extraroute" }
@ -63,41 +63,41 @@ heat_repo_plugins:
## Horizon service
horizon_git_repo: https://git.openstack.org/openstack/horizon
horizon_git_install_branch: 1d10078edbca1a2f5ab15af1ad837c4d687a9d45 # HEAD of "stable/kilo" as of 07.12.2015
horizon_git_install_branch: e3848cf0aa7a0da53989736d5d058883cecab0b5 # HEAD of "stable/kilo" as of 21.01.2016
horizon_git_dest: "/opt/horizon_{{ horizon_git_install_branch | replace('/', '_') }}"
## Keystone service
keystone_git_repo: https://git.openstack.org/openstack/keystone
keystone_git_install_branch: 3182bf798ec680ab9070f00775a1f1c2499793fc # HEAD of "stable/kilo" as of 07.12.2015
keystone_git_install_branch: 9c9c1331e0c004897d5f4c5847f7143b56373f10 # HEAD of "stable/kilo" as of 21.01.2016
keystone_git_dest: "/opt/keystone_{{ keystone_git_install_branch | replace('/', '_') }}"
## Neutron service
neutron_git_repo: https://git.openstack.org/openstack/neutron
neutron_git_install_branch: 671cca2fd41cea1c6741452f4a9ef6162be94406 # HEAD of "stable/kilo" as of 07.12.2015
neutron_git_install_branch: 608b54137fb67512c07099089ea7e074176e12df # HEAD of "stable/kilo" as of 21.01.2016
neutron_git_dest: "/opt/neutron_{{ neutron_git_install_branch | replace('/', '_') }}"
neutron_lbaas_git_repo: https://git.openstack.org/openstack/neutron-lbaas
neutron_lbaas_git_install_branch: f3289f6f32a504557d7e3776dfd56ecb98259ad7 # HEAD of "stable/kilo" as of 07.12.2015
neutron_lbaas_git_install_branch: 19b26518fdd738b848edbbac483f53d1326555af # HEAD of "stable/kilo" as of 21.01.2016
neutron_lbaas_git_dest: "/opt/neutron_lbaas_{{ neutron_lbaas_git_install_branch | replace('/', '_') }}"
neutron_vpnaas_git_repo: https://git.openstack.org/openstack/neutron-vpnaas
neutron_vpnaas_git_install_branch: 27eaa2e9dccbefbfc04ac6a4a45acbc119e6e55c # HEAD of "stable/kilo" as of 07.12.2015
neutron_vpnaas_git_install_branch: 27eaa2e9dccbefbfc04ac6a4a45acbc119e6e55c # HEAD of "stable/kilo" as of 21.01.2016
neutron_vpnaas_git_dest: "/opt/neutron_vpnaas_{{ neutron_vpnaas_git_install_branch | replace('/', '_') }}"
neutron_fwaas_git_repo: https://git.openstack.org/openstack/neutron-fwaas
neutron_fwaas_git_install_branch: 70b567c08e4d3130d566c3614f91cc66411ce7b2 # HEAD of "stable/kilo" as of 07.12.2015
neutron_fwaas_git_install_branch: 70b567c08e4d3130d566c3614f91cc66411ce7b2 # HEAD of "stable/kilo" as of 21.01.2016
neutron_fwaas_git_dest: "/opt/neutron_fwaas_{{ neutron_fwaas_git_install_branch | replace('/', '_') }}"
## Nova service
nova_git_repo: https://git.openstack.org/openstack/nova
nova_git_install_branch: fc932f1fbcf6199839c31918125d7fe775c4b5f6 # HEAD of "stable/kilo" as of 07.12.2015
nova_git_install_branch: b974c6d1d5753f333d1d71f8190ddf3b4f8fbbf1 # HEAD of "stable/kilo" as of 21.01.2016
nova_git_dest: "/opt/nova_{{ nova_git_install_branch | replace('/', '_') }}"
## Swift service
swift_git_repo: https://git.openstack.org/openstack/swift
swift_git_install_branch: 2914514e2464c4a9227bbbf67f5a08eda7b7ad06 # HEAD of "stable/kilo" as of 07.12.2015
swift_git_install_branch: 036c2f348d24c01c7a4deba3e44889c45270b46d # HEAD of "stable/kilo" as of 21.01.2016
swift_git_dest: "/opt/swift_{{ swift_git_install_branch | replace('/', '_') }}"


@ -15,5 +15,5 @@
## Git Source for python2-lxc library
git_repo: https://github.com/lxc/python2-lxc
git_install_branch: 0553f05d23b56b59bf3015fa5e45bfbfab9021ef # HEAD of "master" as of 21.10.2015
git_install_branch: 0553f05d23b56b59bf3015fa5e45bfbfab9021ef # HEAD of "master" as of 21.01.2016
git_dest: "/opt/lxc_python2_{{ git_install_branch|replace('/', '_') }}"


@ -14,7 +14,7 @@
# limitations under the License.
## OpenStack Source Code Release
openstack_release: 11.2.7
openstack_release: 11.2.8
# Global minimum kernel requirement
openstack_host_required_kernel: 3.13.0-34-generic


@ -104,9 +104,12 @@ ceilometer_service_names:
## Tunable overrides
ceilometer_policy_overrides: {}
ceilometer_rootwrap_conf_overrides: {}
ceilometer_ceilometer_conf_overrides: {}
ceilometer_api_paste_ini_overrides: {}
ceilometer_event_definitions_yaml_overrides: {}
ceilometer_event_pipeline_yaml_overrides: {}
ceilometer_pipeline_yaml_overrides: {}
ceilometer_deprecated_pipeline_yaml_overrides: {}
ceilometer_gabbi_pipeline_yaml_overrides: {}


@ -0,0 +1,7 @@
# ceilometer-rootwrap command filters for IPMI capable nodes
# This file should be owned by (and only-writeable by) the root user
[Filters]
# ceilometer/ipmi/nodemanager/node_manager.py: 'ipmitool'
ipmitool: CommandFilter, ipmitool, root


@ -31,6 +31,10 @@
dest: "/etc/ceilometer/api_paste.ini"
config_overrides: "{{ ceilometer_api_paste_ini_overrides }}"
config_type: "ini"
- src: "rootwrap.conf.j2"
dest: "/etc/ceilometer/rootwrap.conf"
config_overrides: "{{ ceilometer_rootwrap_conf_overrides }}"
config_type: "ini"
- src: "event_pipeline.yaml.j2"
dest: "/etc/ceilometer/event_pipeline.yaml"
config_overrides: "{{ ceilometer_event_pipeline_yaml_overrides }}"
@ -43,6 +47,14 @@
dest: "/etc/ceilometer/pipeline.yaml"
config_overrides: "{{ ceilometer_pipeline_yaml_overrides }}"
config_type: "yaml"
- src: "deprecated_pipeline.yaml.j2"
dest: "/etc/ceilometer/deprecated_pipeline.yaml"
config_overrides: "{{ ceilometer_deprecated_pipeline_yaml_overrides }}"
config_type: "yaml"
- src: "gabbi_pipeline.yaml.j2"
dest: "/etc/ceilometer/gabbi_pipeline.yaml"
config_overrides: "{{ ceilometer_gabbi_pipeline_yaml_overrides }}"
config_type: "yaml"
- src: "policy.json.j2"
dest: "/etc/ceilometer/policy.json"
config_overrides: "{{ ceilometer_policy_overrides }}"
@ -52,3 +64,15 @@
- ceilometer-config
- ceilometer-post-install
- name: Drop rootwrap filters
copy:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: "{{ ceilometer_system_user_name }}"
group: "{{ ceilometer_system_group_name }}"
with_items:
- { src: "rootwrap.d/ipmi.filters", dest: "/etc/ceilometer/rootwrap.d/ipmi.filters" }
notify:
- Restart ceilometer services
tags:
- ceilometer-config


@ -55,6 +55,7 @@
mode: "{{ item.mode|default('0755') }}"
with_items:
- { path: "/etc/ceilometer" }
- { path: "/etc/ceilometer/rootwrap.d" }
- { path: "{{ ceilometer_system_user_home }}" }
- { path: "{{ ceilometer_system_user_home }}/.ssh", mode: "0700" }
- { path: "/var/cache/ceilometer", mode: "0700" }


@ -15,3 +15,4 @@ paste.filter_factory = keystonemiddleware.auth_token:filter_factory
[filter:request_id]
paste.filter_factory = oslo.middleware:RequestId.factory


@ -0,0 +1,73 @@
---
-
name: meter_pipeline
interval: 600
meters:
- "*"
resources:
transformers:
publishers:
- rpc://
-
name: cpu_pipeline
interval: 600
meters:
- "cpu"
transformers:
- name: "rate_of_change"
parameters:
target:
name: "cpu_util"
unit: "%"
type: "gauge"
scale: "100.0 / (10**9 * (resource_metadata.cpu_number or 1))"
publishers:
- rpc://
-
name: disk_pipeline
interval: 600
meters:
- "disk.read.bytes"
- "disk.read.requests"
- "disk.write.bytes"
- "disk.write.requests"
- "disk.device.read.bytes"
- "disk.device.read.requests"
- "disk.device.write.bytes"
- "disk.device.write.requests"
transformers:
- name: "rate_of_change"
parameters:
source:
map_from:
name: "(disk\\.device|disk)\\.(read|write)\\.(bytes|requests)"
unit: "(B|request)"
target:
map_to:
name: "\\1.\\2.\\3.rate"
unit: "\\1/s"
type: "gauge"
publishers:
- rpc://
-
name: network_pipeline
interval: 600
meters:
- "network.incoming.bytes"
- "network.incoming.packets"
- "network.outgoing.bytes"
- "network.outgoing.packets"
transformers:
- name: "rate_of_change"
parameters:
source:
map_from:
name: "network\\.(incoming|outgoing)\\.(bytes|packets)"
unit: "(B|packet)"
target:
map_to:
name: "network.\\1.\\2.rate"
unit: "\\1/s"
type: "gauge"
publishers:
- rpc://


@ -366,4 +366,3 @@
<<: *http_audit
reason_code:
fields: payload.reason.reasonCode


@ -0,0 +1,19 @@
# A limited pipeline for use with the Gabbi spike.
# direct writes to the the metering database without using an
# intermediary dispatcher.
#
# This is one of several things that will need some extensive
# tidying to be more right.
---
sources:
- name: meter_source
interval: 1
meters:
- "*"
sinks:
- meter_sink
sinks:
- name: meter_sink
transformers:
publishers:
- direct://
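Review bot: This file's header describes it as a limited pipeline for the Gabbi spike, yet the role now renders it to `/etc/ceilometer/gabbi_pipeline.yaml` next to the production pipelines. It collects every meter at `interval: 1` and publishes with `direct://`, so a service pointed at it by mistake would write straight to the metering database at a high rate. Whether anything loads this file is not visible on this page. If nothing does, I would leave it out of the deployed set, or at least add a header comment such as `# Upstream test fixture; not referenced by any service configuration`.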


@ -80,4 +80,3 @@ sinks:
type: "gauge"
publishers:
- notifier://


@ -0,0 +1,27 @@
# Configuration for ceilometer-rootwrap
# This file should be owned by (and only-writeable by) the root user
[DEFAULT]
# List of directories to load filter definitions from (separated by ',').
# These directories MUST all be only writeable by root !
filters_path=/etc/ceilometer/rootwrap.d,/usr/share/ceilometer/rootwrap
# List of directories to search executables in, in case filters do not
# explicitely specify a full path (separated by ',')
# If not specified, defaults to system PATH environment variable.
# These directories MUST all be only writeable by root !
exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin
# Enable logging to syslog
# Default value is False
use_syslog=False
# Which syslog facility to use.
# Valid values include auth, authpriv, syslog, user0, user1...
# Default value is 'syslog'
syslog_log_facility=syslog
# Which messages to log.
# INFO means log all usage
# ERROR means only log unsuccessful attempts
syslog_log_level=ERROR


@ -35,7 +35,7 @@
dest: "/etc/cinder/rootwrap.conf"
config_overrides: "{{ cinder_rootwrap_conf_overrides }}"
config_type: "ini"
- src: "policy.json"
- src: "policy.json.j2"
dest: "/etc/cinder/policy.json"
config_overrides: "{{ cinder_policy_overrides }}"
config_type: "json"


@ -35,7 +35,7 @@ enabled = yes
paste.filter_factory = cinder.api.middleware.auth:NoAuthMiddleware.factory
[filter:sizelimit]
paste.filter_factory = oslo_middleware:RequestBodySizeLimiter.factory
paste.filter_factory = cinder.api.middleware.sizelimit:RequestBodySizeLimiter.factory
[app:apiv1]
paste.app_factory = cinder.api.v1.router:APIRouter.factory


@ -12,7 +12,7 @@ pipeline = versionnegotiation osprofiler unauthenticated-context cache cachemana
# Use this pipeline for keystone auth
[pipeline:glance-api-keystone]
pipeline = versionnegotiation osprofiler authtoken context rootapp
pipeline = versionnegotiation osprofiler authtoken context rootapp
# Use this pipeline for keystone auth with image caching
[pipeline:glance-api-keystone+caching]


@ -0,0 +1,23 @@
# Use this pipeline for no auth - DEFAULT
[pipeline:glance-search]
pipeline = unauthenticated-context rootapp
[pipeline:glance-search-keystone]
pipeline = authtoken context rootapp
[composite:rootapp]
paste.composite_factory = glance.api:root_app_factory
/v0.1: apiv0_1app
[app:apiv0_1app]
paste.app_factory = glance.search.api.v0_1.router:API.factory
[filter:unauthenticated-context]
paste.filter_factory = glance.api.middleware.context:UnauthenticatedContextMiddleware.factory
[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
delay_auth_decision = true
[filter:context]
paste.filter_factory = glance.api.middleware.context:ContextMiddleware.factory


@ -1,7 +1,5 @@
{
"context_is_admin": "role:admin",
"tenant_is_owner": "tenant:%(owner)s",
"admin_or_owner": "role:admin OR rule:tenant_is_owner",
"default": "",
"add_image": "",
@ -9,7 +7,7 @@
"get_image": "",
"get_images": "",
"modify_image": "",
"publicize_image": "rule:admin_or_owner",
"publicize_image": "role:admin",
"copy_from": "",
"download_image": "",
@ -19,11 +17,11 @@
"get_image_location": "",
"set_image_location": "",
"add_member": "rule:admin_or_owner",
"delete_member": "rule:admin_or_owner",
"add_member": "",
"delete_member": "",
"get_member": "",
"get_members": "",
"modify_member": "rule:admin_or_owner",
"modify_member": "",
"manage_image_cache": "role:admin",

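Review bot: `add_member`, `delete_member` and `modify_member` appear to move from `rule:admin_or_owner` to the empty rule, and the `tenant_is_owner` and `admin_or_owner` definitions look to be dropped. The +/- markers are lost on this page, so the direction is inferred from print order and the hunk counts. An empty rule passes for any authenticated caller, so image-sharing operations would then depend entirely on whatever ownership checks Glance performs in code rather than on policy. If the tighter rules were a deliberate deployment default, I would keep them through the role's policy overrides (if it exposes them as the ceilometer and cinder roles do), or call the relaxation out in the commit message.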

@ -101,4 +101,4 @@ paste.filter_factory = oslo.middleware.request_id:RequestId.factory
[filter:osprofiler]
paste.filter_factory = osprofiler.web:WsgiMiddleware.factory
hmac_keys = {{ heat_profiler_hmac_key }}
enabled = {{ heat_profiler_enabled }}
enabled = yes
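Review bot: The `[filter:osprofiler]` section appears to replace `enabled = {{ heat_profiler_enabled }}` with a literal `enabled = yes`, which would leave the profiler middleware switched on regardless of the deployer's setting. The direction is inferred, since the +/- markers are lost on this page. The updater script hunk at the end of this commit only rewrites the `hmac_keys` line with sed, so the upstream `enabled` value seems to have been copied over the template variable. I would restore `enabled = {{ heat_profiler_enabled }}` here and have the updater re-template that line too, so that a sync cannot silently turn profiling on.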


@ -95,8 +95,8 @@ Resources:
MasterUserPassword: {Ref: MasterUserPassword}
WaitHandle: {Ref: WaitHandle}
- |
#!/usr/bin/env bash
set -v
#!/bin/bash -v
#
iptables -F
# Helper function


@ -0,0 +1,17 @@
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# cisco-apic filters
lldpctl: CommandFilter, lldpctl, root
# ip_lib filters
ip: IpFilter, ip, root
find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
ip_exec: IpNetnsExecFilter, ip, root


@ -99,6 +99,7 @@
- { src: "rootwrap.d/lbaas-haproxy.filters", dest: "/etc/neutron/rootwrap.d/lbaas-haproxy.filters" }
- { src: "rootwrap.d/vpnaas.filters", dest: "/etc/neutron/rootwrap.d/vpnaas.filters" }
- { src: "rootwrap.d/ebtables.filters", dest: "/etc/neutron/rootwrap.d/ebtables.filters" }
- { src: "rootwrap.d/cisco-apic.filters", dest: "/etc/neutron/rootwrap.d/cisco-apic.filters" }
notify:
- Restart neutron services
tags:
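Review bot: The new `cisco-apic.filters` entry joins a `with_items` list with no visible condition, so every host this task runs on gains the `lldpctl` root filter whether or not the Cisco APIC driver is in use. The task starts and ends outside this hunk, so a `when` elsewhere cannot be ruled out. Rootwrap filters are an allow-list for commands run as root, so it is safer to install only the ones a node needs. I would gate this item on the relevant plugin setting, or document in the role defaults why it is always installed.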


@ -27,4 +27,4 @@ paste.filter_factory = neutron.api.extensions:plugin_aware_extension_middleware_
paste.app_factory = neutron.api.versions:Versions.factory
[app:neutronapiapp_v2_0]
paste.app_factory = neutron.api.v2.router:APIRouter.factory
paste.app_factory = neutron.api.v2.router:APIRouter.factory


@ -31,6 +31,9 @@ qemu-nbd: CommandFilter, qemu-nbd, root
# nova/virt/disk/mount/loop.py: 'losetup', '--detach', device
losetup: CommandFilter, losetup, root
# nova/virt/disk/vfs/localfs.py: 'blkid', '-o', 'value', '-s', 'TYPE', device
blkid: CommandFilter, blkid, root
# nova/virt/libvirt/utils.py: 'blockdev', '--getsize64', path
# nova/virt/disk/mount/nbd.py: 'blockdev', '--flushbufs', device
blockdev: RegExpFilter, blockdev, root, blockdev, (--getsize64|--flushbufs), /dev/.*
@ -45,7 +48,6 @@ mkdir: CommandFilter, mkdir, root
# nova/virt/libvirt/connection.py: 'chown', os.getuid( console_log
# nova/virt/libvirt/connection.py: 'chown', os.getuid( console_log
# nova/virt/libvirt/connection.py: 'chown', 'root', basepath('disk')
# nova/utils.py: 'chown', owner_uid, path
chown: CommandFilter, chown, root
# nova/virt/disk/vfs/localfs.py: 'chmod'
@ -84,6 +86,9 @@ tunctl: CommandFilter, tunctl, root
# nova/network/linux_net.py: 'ovs-vsctl', ....
ovs-vsctl: CommandFilter, ovs-vsctl, root
# nova/virt/libvirt/vif.py: 'vrouter-port-control', ...
vrouter-port-control: CommandFilter, vrouter-port-control, root
# nova/network/linux_net.py: 'ovs-ofctl', ....
ovs-ofctl: CommandFilter, ovs-ofctl, root
@ -164,11 +169,9 @@ qemu-img: CommandFilter, qemu-img, root
# nova/virt/disk/vfs/localfs.py: 'readlink', '-e'
readlink: CommandFilter, readlink, root
# nova/virt/disk/api.py: 'touch', target
touch: CommandFilter, touch, root
# nova/virt/disk/api.py:
mkfs.ext3: CommandFilter, mkfs.ext3, root
mkfs.ext4: CommandFilter, mkfs.ext4, root
mkfs.ntfs: CommandFilter, mkfs.ntfs, root
# nova/virt/libvirt/connection.py:
@ -203,7 +206,7 @@ systool: CommandFilter, systool, root
# nova/virt/libvirt/volume.py:
sginfo: CommandFilter, sginfo, root
sg_scan: CommandFilter, sg_scan, root
ln: RegExpFilter, ln, root, ln, --symbolic, --force, /dev/mapper/ip-.*-iscsi-iqn.2010-10.org.openstack:volume-.*, /dev/disk/by-path/ip-.*-iscsi-iqn.2010-10.org.openstack:volume-.*
ln: RegExpFilter, ln, root, ln, --symbolic, --force, /dev/mapper/ip-.*-iscsi-iqn.*, /dev/disk/by-path/ip-.*-iscsi-iqn.*
# nova/volume/encryptors.py:
# nova/virt/libvirt/dmcrypt.py:
@ -226,3 +229,9 @@ cp: CommandFilter, cp, root
# nova/virt/xenapi/vm_utils.py:
sync: CommandFilter, sync, root
# nova/virt/libvirt/imagebackend.py:
ploop: CommandFilter, ploop, root
# nova/virt/libvirt/utils.py: 'xend', 'status'
xend: CommandFilter, xend, root
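Review bot: The `ln` RegExpFilter loses the `iqn.2010-10.org.openstack:volume-` prefix and now ends both path arguments in `iscsi-iqn.*`, so the root-run symlink is no longer limited to OpenStack-named volume targets. This assumes the second printed `ln` line is the new one. The hunk counts also show `blkid`, `vrouter-port-control`, `ploop` and `xend` being added as plain `CommandFilter` entries, which place no restriction on arguments. These filters track upstream Nova, so I am not suggesting a local fork. The commit message should list the widened `ln` match and the new root commands, so operators auditing rootwrap exposure can see what changed with this SHA bump.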


@ -182,5 +182,212 @@
"network:create_private_dns_domain": "",
"network:create_public_dns_domain": "",
"network:delete_dns_domain": "",
"network:attach_external_network": "rule:admin_api"
"network:attach_external_network": "rule:admin_api",
"os_compute_api:servers:start": "rule:admin_or_owner",
"os_compute_api:servers:stop": "rule:admin_or_owner",
"os_compute_api:os-access-ips:discoverable": "",
"os_compute_api:os-access-ips": "",
"os_compute_api:os-admin-actions": "rule:admin_api",
"os_compute_api:os-admin-actions:discoverable": "",
"os_compute_api:os-admin-actions:reset_network": "rule:admin_api",
"os_compute_api:os-admin-actions:inject_network_info": "rule:admin_api",
"os_compute_api:os-admin-actions:reset_state": "rule:admin_api",
"os_compute_api:os-admin-password": "",
"os_compute_api:os-admin-password:discoverable": "",
"os_compute_api:os-aggregates:discoverable": "",
"os_compute_api:os-aggregates:index": "rule:admin_api",
"os_compute_api:os-aggregates:create": "rule:admin_api",
"os_compute_api:os-aggregates:show": "rule:admin_api",
"os_compute_api:os-aggregates:update": "rule:admin_api",
"os_compute_api:os-aggregates:delete": "rule:admin_api",
"os_compute_api:os-aggregates:add_host": "rule:admin_api",
"os_compute_api:os-aggregates:remove_host": "rule:admin_api",
"os_compute_api:os-aggregates:set_metadata": "rule:admin_api",
"os_compute_api:os-agents": "rule:admin_api",
"os_compute_api:os-agents:discoverable": "",
"os_compute_api:os-attach-interfaces": "",
"os_compute_api:os-attach-interfaces:discoverable": "",
"os_compute_api:os-baremetal-nodes": "rule:admin_api",
"os_compute_api:os-baremetal-nodes:discoverable": "",
"os_compute_api:os-block-device-mapping-v1:discoverable": "",
"os_compute_api:os-cells": "rule:admin_api",
"os_compute_api:os-cells:create": "rule:admin_api",
"os_compute_api:os-cells:delete": "rule:admin_api",
"os_compute_api:os-cells:update": "rule:admin_api",
"os_compute_api:os-cells:sync_instances": "rule:admin_api",
"os_compute_api:os-cells:discoverable": "",
"os_compute_api:os-certificates:create": "",
"os_compute_api:os-certificates:show": "",
"os_compute_api:os-certificates:discoverable": "",
"os_compute_api:os-cloudpipe": "rule:admin_api",
"os_compute_api:os-cloudpipe:discoverable": "",
"os_compute_api:os-consoles:discoverable": "",
"os_compute_api:os-consoles:create": "",
"os_compute_api:os-consoles:delete": "",
"os_compute_api:os-consoles:index": "",
"os_compute_api:os-consoles:show": "",
"os_compute_api:os-console-output:discoverable": "",
"os_compute_api:os-console-output": "",
"os_compute_api:os-remote-consoles": "",
"os_compute_api:os-remote-consoles:discoverable": "",
"os_compute_api:os-create-backup:discoverable": "",
"os_compute_api:os-create-backup": "rule:admin_or_owner",
"os_compute_api:os-deferred-delete": "",
"os_compute_api:os-deferred-delete:discoverable": "",
"os_compute_api:os-disk-config": "",
"os_compute_api:os-disk-config:discoverable": "",
"os_compute_api:os-evacuate": "rule:admin_api",
"os_compute_api:os-evacuate:discoverable": "",
"os_compute_api:os-extended-server-attributes": "rule:admin_api",
"os_compute_api:os-extended-server-attributes:discoverable": "",
"os_compute_api:os-extended-status": "",
"os_compute_api:os-extended-status:discoverable": "",
"os_compute_api:os-extended-availability-zone": "",
"os_compute_api:os-extended-availability-zone:discoverable": "",
"os_compute_api:extension_info:discoverable": "",
"os_compute_api:os-extended-volumes": "",
"os_compute_api:os-extended-volumes:discoverable": "",
"os_compute_api:os-fixed-ips": "rule:admin_api",
"os_compute_api:os-fixed-ips:discoverable": "",
"os_compute_api:os-flavor-access": "",
"os_compute_api:os-flavor-access:discoverable": "",
"os_compute_api:os-flavor-access:remove_tenant_access": "rule:admin_api",
"os_compute_api:os-flavor-access:add_tenant_access": "rule:admin_api",
"os_compute_api:os-flavor-rxtx": "",
"os_compute_api:os-flavor-rxtx:discoverable": "",
"os_compute_api:flavors:discoverable": "",
"os_compute_api:os-flavor-extra-specs:discoverable": "",
"os_compute_api:os-flavor-extra-specs:index": "",
"os_compute_api:os-flavor-extra-specs:show": "",
"os_compute_api:os-flavor-extra-specs:create": "rule:admin_api",
"os_compute_api:os-flavor-extra-specs:update": "rule:admin_api",
"os_compute_api:os-flavor-extra-specs:delete": "rule:admin_api",
"os_compute_api:os-flavor-manage:discoverable": "",
"os_compute_api:os-flavor-manage": "rule:admin_api",
"os_compute_api:os-floating-ip-dns": "",
"os_compute_api:os-floating-ip-dns:discoverable": "",
"os_compute_api:os-floating-ip-pools": "",
"os_compute_api:os-floating-ip-pools:discoverable": "",
"os_compute_api:os-floating-ips": "",
"os_compute_api:os-floating-ips:discoverable": "",
"os_compute_api:os-floating-ips-bulk": "rule:admin_api",
"os_compute_api:os-floating-ips-bulk:discoverable": "",
"os_compute_api:os-fping": "",
"os_compute_api:os-fping:discoverable": "",
"os_compute_api:os-fping:all_tenants": "rule:admin_api",
"os_compute_api:os-hide-server-addresses": "is_admin:False",
"os_compute_api:os-hide-server-addresses:discoverable": "",
"os_compute_api:os-hosts": "rule:admin_api",
"os_compute_api:os-hosts:discoverable": "",
"os_compute_api:os-hypervisors": "rule:admin_api",
"os_compute_api:os-hypervisors:discoverable": "",
"os_compute_api:images:discoverable": "",
"os_compute_api:image-size": "",
"os_compute_api:image-size:discoverable": "",
"os_compute_api:os-instance-actions": "",
"os_compute_api:os-instance-actions:discoverable": "",
"os_compute_api:os-instance-actions:events": "rule:admin_api",
"os_compute_api:os-instance-usage-audit-log": "rule:admin_api",
"os_compute_api:os-instance-usage-audit-log:discoverable": "",
"os_compute_api:ips:discoverable": "",
"os_compute_api:ips:index": "rule:admin_or_owner",
"os_compute_api:ips:show": "rule:admin_or_owner",
"os_compute_api:os-keypairs:discoverable": "",
"os_compute_api:os-keypairs": "",
"os_compute_api:os-keypairs:index": "",
"os_compute_api:os-keypairs:show": "",
"os_compute_api:os-keypairs:create": "",
"os_compute_api:os-keypairs:delete": "",
"os_compute_api:limits:discoverable": "",
"os_compute_api:os-lock-server:discoverable": "",
"os_compute_api:os-lock-server:lock": "rule:admin_or_owner",
"os_compute_api:os-lock-server:unlock": "rule:admin_or_owner",
"os_compute_api:os-migrate-server:discoverable": "",
"os_compute_api:os-migrate-server:migrate": "rule:admin_api",
"os_compute_api:os-migrate-server:migrate_live": "rule:admin_api",
"os_compute_api:os-multinic": "",
"os_compute_api:os-multinic:discoverable": "",
"os_compute_api:os-networks": "rule:admin_api",
"os_compute_api:os-networks:view": "",
"os_compute_api:os-networks:discoverable": "",
"os_compute_api:os-networks-associate": "rule:admin_api",
"os_compute_api:os-networks-associate:discoverable": "",
"os_compute_api:os-pause-server:discoverable": "",
"os_compute_api:os-pause-server:pause": "rule:admin_or_owner",
"os_compute_api:os-pause-server:unpause": "rule:admin_or_owner",
"os_compute_api:os-pci:pci_servers": "",
"os_compute_api:os-pci:discoverable": "",
"os_compute_api:os-pci:index": "rule:admin_api",
"os_compute_api:os-pci:detail": "rule:admin_api",
"os_compute_api:os-pci:show": "rule:admin_api",
"os_compute_api:os-personality:discoverable": "",
"os_compute_api:os-preserve-ephemeral-rebuild:discoverable": "",
"os_compute_api:os-quota-sets:discoverable": "",
"os_compute_api:os-quota-sets:show": "",
"os_compute_api:os-quota-sets:update": "rule:admin_api",
"os_compute_api:os-quota-sets:delete": "rule:admin_api",
"os_compute_api:os-quota-sets:detail": "rule:admin_api",
"os_compute_api:os-quota-class-sets": "",
"os_compute_api:os-quota-class-sets:discoverable": "",
"os_compute_api:os-rescue": "",
"os_compute_api:os-rescue:discoverable": "",
"os_compute_api:os-scheduler-hints:discoverable": "",
"os_compute_api:os-security-group-default-rules:discoverable": "",
"os_compute_api:os-security-group-default-rules": "rule:admin_api",
"os_compute_api:os-security-groups": "",
"os_compute_api:os-security-groups:discoverable": "",
"os_compute_api:os-server-diagnostics": "rule:admin_api",
"os_compute_api:os-server-diagnostics:discoverable": "",
"os_compute_api:os-server-password": "",
"os_compute_api:os-server-password:discoverable": "",
"os_compute_api:os-server-usage": "",
"os_compute_api:os-server-usage:discoverable": "",
"os_compute_api:os-server-groups": "",
"os_compute_api:os-server-groups:discoverable": "",
"os_compute_api:os-services": "rule:admin_api",
"os_compute_api:os-services:discoverable": "",
"os_compute_api:server-metadata:discoverable": "",
"os_compute_api:server-metadata:index": "rule:admin_or_owner",
"os_compute_api:server-metadata:show": "rule:admin_or_owner",
"os_compute_api:server-metadata:delete": "rule:admin_or_owner",
"os_compute_api:server-metadata:create": "rule:admin_or_owner",
"os_compute_api:server-metadata:update": "rule:admin_or_owner",
"os_compute_api:server-metadata:update_all": "rule:admin_or_owner",
"os_compute_api:servers:discoverable": "",
"os_compute_api:os-shelve:shelve": "",
"os_compute_api:os-shelve:shelve:discoverable": "",
"os_compute_api:os-shelve:shelve_offload": "rule:admin_api",
"os_compute_api:os-simple-tenant-usage:discoverable": "",
"os_compute_api:os-simple-tenant-usage:show": "rule:admin_or_owner",
"os_compute_api:os-simple-tenant-usage:list": "rule:admin_api",
"os_compute_api:os-suspend-server:discoverable": "",
"os_compute_api:os-suspend-server:suspend": "rule:admin_or_owner",
"os_compute_api:os-suspend-server:resume": "rule:admin_or_owner",
"os_compute_api:os-tenant-networks": "rule:admin_or_owner",
"os_compute_api:os-tenant-networks:discoverable": "",
"os_compute_api:os-shelve:unshelve": "",
"os_compute_api:os-user-data:discoverable": "",
"os_compute_api:os-virtual-interfaces": "",
"os_compute_api:os-virtual-interfaces:discoverable": "",
"os_compute_api:os-volumes": "",
"os_compute_api:os-volumes:discoverable": "",
"os_compute_api:os-volumes-attachments:index": "",
"os_compute_api:os-volumes-attachments:show": "",
"os_compute_api:os-volumes-attachments:create": "",
"os_compute_api:os-volumes-attachments:update": "",
"os_compute_api:os-volumes-attachments:delete": "",
"os_compute_api:os-volumes-attachments:discoverable": "",
"os_compute_api:os-availability-zone:list": "",
"os_compute_api:os-availability-zone:discoverable": "",
"os_compute_api:os-availability-zone:detail": "rule:admin_api",
"os_compute_api:os-used-limits": "rule:admin_api",
"os_compute_api:os-used-limits:discoverable": "",
"os_compute_api:os-migrations:index": "rule:admin_api",
"os_compute_api:os-migrations:discoverable": "",
"os_compute_api:os-assisted-volume-snapshots:create": "rule:admin_api",
"os_compute_api:os-assisted-volume-snapshots:delete": "rule:admin_api",
"os_compute_api:os-assisted-volume-snapshots:discoverable": "",
"os_compute_api:os-console-auth-tokens": "rule:admin_api",
"os_compute_api:os-server-external-events:create": "rule:admin_api"
}


@ -17,7 +17,7 @@ exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin
use_syslog=False
# Which syslog facility to use.
# Valid values include auth, authpriv, syslog, user0, user1...
# Valid values include auth, authpriv, syslog, local0, local1...
# Default value is 'syslog'
syslog_log_facility=syslog


@ -41,7 +41,7 @@ flavor_ref_alt = 202
image_ssh_user = {{ tempest_compute_image_ssh_user }}
image_ssh_password = {{ tempest_compute_image_ssh_password }}
image_alt_ssh_user = {{ tempest_compute_image_alt_ssh_user }}
ssh_auth_method = configured
auth_method = keypair
fixed_network_name = private
endpoint_type = internalURL
floating_ip_range = 10.0.0.0/29


@ -5,7 +5,3 @@ pip>=6.0
PrettyTable>=0.7,<0.8 # scripts/inventory-manage.py
pycrypto>=2.6 # ansible
PyYAML>=3.1.0 # ansible
# Temporary pin of <2.0 for django-compressor:
# https://bugs.launchpad.net/horizon/+bug/1532048
# https://review.openstack.org/265025
django_compressor>=1.4,<2.0


@ -95,11 +95,11 @@ for repo in $(grep 'git_repo\:' ${SERVICE_FILE}); do
cp {} "playbooks/roles/os_${repo_name}/templates/policy.json.j2" \;
# Tweak the paste files
find ${repo_tmp_path}/etc -name "*-paste.ini" -exec \
find ${repo_tmp_path}/etc -name "*[_-]paste.ini" -exec \
sed -i.bak "s|hmac_keys = SECRET_KEY|hmac_keys = {{ ${repo_name}_profiler_hmac_key }}|" {} \;
# Update the paste files
find ${repo_tmp_path}/etc -name "*-paste.ini" -exec \
find ${repo_tmp_path}/etc -name "*[_-]paste.ini" -exec \
bash -c "name=\"{}\"; cp \${name} \"playbooks/roles/os_${repo_name}/templates/\$(basename \${name}).j2\"" \;
# Update the rootwrap conf files