From e6cc4d6bac24f9ee3f52fe81097473c96b6015e1 Mon Sep 17 00:00:00 2001 
From: Kevin Carter Date: Mon, 18 Jan 2016 16:36:34 +0000 Subject: [PATCH] Update Kilo SHAs - 21 Jan 2016 Updates all repo SHAs to open up work on 11.2.8 This patch includes a normalisation of file names and updates of paste, policy and rootwrap configurations. It also updates tempest.conf.j2 to replace ssh_auth_method with auth_method, and change auth_method to 'keypair' ('configured' is no longer a valid option). The locally held temporary pin for django-compressor has been removed as https://review.openstack.org/265025 is included in the updated OpenStack sources. Some projects name their paste config files with an underscore instead of a dash. This patch ensures that the source-branch-updater includes those files too when checking for updates. The OpenStack updates include the following CVE fixes: - OSSA-2016-001: Nova host data leak through snapshot https://security.openstack.org/ossa/OSSA-2016-001.html - OSSA-2016-002: Xen connection password leak in logs via StorageError https://security.openstack.org/ossa/OSSA-2016-002.html - OSSA-2016-003: Heat denial of service through template-validate https://security.openstack.org/ossa/OSSA-2016-003.html Change-Id: I2c878646dd54f41637bd4830122f11e97e9f70f6 Related-Bug: #1532048 --- .../repo_packages/openstack_other.yml | 6 +- .../repo_packages/openstack_services.yml | 26 +-- .../defaults/repo_packages/python2_lxc.yml | 2 +- playbooks/inventory/group_vars/all.yml | 2 +- .../roles/os_ceilometer/defaults/main.yml | 3 + .../files/rootwrap.d/ipmi.filters | 7 + .../tasks/ceilometer_post_install.yml | 24 ++ .../tasks/ceilometer_pre_install.yml | 1 + .../os_ceilometer/templates/api_paste.ini.j2 | 1 + .../templates/deprecated_pipeline.yaml.j2 | 73 ++++++ .../templates/event_definitions.yaml.j2 | 1 - .../templates/gabbi_pipeline.yaml.j2 | 19 ++ .../os_ceilometer/templates/pipeline.yaml.j2 | 1 - .../os_ceilometer/templates/rootwrap.conf.j2 | 27 +++ .../os_cinder/tasks/cinder_post_install.yml | 2 +- 
.../os_cinder/templates/api-paste.ini.j2 | 2 +- .../templates/{policy.json => policy.json.j2} | 0 .../templates/glance-api-paste.ini.j2 | 2 +- .../templates/glance-search-paste.ini.j2 | 23 ++ .../roles/os_glance/templates/policy.json.j2 | 10 +- .../roles/os_heat/templates/api-paste.ini.j2 | 2 +- .../templates/AWS_RDS_DBInstance.yaml.j2 | 4 +- .../files/rootwrap.d/cisco-apic.filters | 17 ++ .../os_neutron/tasks/neutron_post_install.yml | 1 + .../os_neutron/templates/api-paste.ini.j2 | 2 +- .../os_nova/files/rootwrap.d/compute.filters | 19 +- .../roles/os_nova/templates/policy.json.j2 | 209 +++++++++++++++++- .../roles/os_nova/templates/rootwrap.conf.j2 | 2 +- .../os_tempest/templates/tempest.conf.j2 | 2 +- requirements.txt | 4 - scripts/sources-branch-updater.sh | 4 +- 31 files changed, 451 insertions(+), 47 deletions(-) create mode 100644 playbooks/roles/os_ceilometer/files/rootwrap.d/ipmi.filters create mode 100644 playbooks/roles/os_ceilometer/templates/deprecated_pipeline.yaml.j2 create mode 100644 playbooks/roles/os_ceilometer/templates/gabbi_pipeline.yaml.j2 create mode 100644 playbooks/roles/os_ceilometer/templates/rootwrap.conf.j2 rename playbooks/roles/os_cinder/templates/{policy.json => policy.json.j2} (100%) create mode 100755 playbooks/roles/os_glance/templates/glance-search-paste.ini.j2 create mode 100644 playbooks/roles/os_neutron/files/rootwrap.d/cisco-apic.filters diff --git a/playbooks/defaults/repo_packages/openstack_other.yml b/playbooks/defaults/repo_packages/openstack_other.yml index 246a0b6125..d5557958f5 100644 --- a/playbooks/defaults/repo_packages/openstack_other.yml +++ b/playbooks/defaults/repo_packages/openstack_other.yml 
@@ -27,16 +27,16 @@ ## Tempest service tempest_git_repo: https://git.openstack.org/openstack/tempest -tempest_git_install_branch: aa166794fe24b1da6a70be51c51f4d7f77e2712f # HEAD of "master" as of 07.12.2015 +tempest_git_install_branch: b7d85910d5857487b7c01453b63aa51aa1583bcf # HEAD of "master" as of 21.01.2016 tempest_git_install_fragments: "yaprtignorerequirements=true" tempest_git_dest: "/opt/tempest_{{ tempest_git_install_branch | replace('/', '_') }}" # NOVNC from source novncproxy_git_repo: https://github.com/kanaka/novnc -novncproxy_git_install_branch: b2a813dc739c8b41dd647dc01c8f8f11d8996286 # HEAD of "master" as of 07.12.2015 +novncproxy_git_install_branch: 670dbddb54264fd0082d0aca1b3acb0f1814b1d2 # HEAD of "master" as of 21.01.2016 novncproxy_git_dest: "/opt/novnc_{{ novncproxy_git_install_branch | replace('/', '_') }}" # spice-html5 from source spicehtml5_git_repo: https://github.com/SPICE/spice-html5 -spicehtml5_git_install_branch: ab73d009487c8afd4def39b54a422499b4c13c40 # HEAD of "master" as of 07.12.2015 +spicehtml5_git_install_branch: ab73d009487c8afd4def39b54a422499b4c13c40 # HEAD of "master" as of 21.01.2016 spicehtml5_git_dest: "/opt/spicehtml5_{{ spicehtml5_git_install_branch | replace('/', '_') }}" diff --git a/playbooks/defaults/repo_packages/openstack_services.yml b/playbooks/defaults/repo_packages/openstack_services.yml index 333c4d432c..8dfa8f091d 100644 --- a/playbooks/defaults/repo_packages/openstack_services.yml +++ b/playbooks/defaults/repo_packages/openstack_services.yml 
@@ -31,31 +31,31 @@ ## Global Requirements requirements_git_repo: https://git.openstack.org/openstack/requirements -requirements_git_install_branch: 817317e264ab89c646facabaa0c43f3c9de00ac4 # HEAD of "stable/kilo" as of 07.12.2015 +requirements_git_install_branch: 0517298926fa413c3aa03d7e93d5a21bdb9d6ca9 # HEAD of "stable/kilo" as of 21.01.2016 requirements_git_dest: "/opt/requirements_{{ requirements_git_install_branch | replace('/', '_') }}" ## Ceilometer service ceilometer_git_repo: https://git.openstack.org/openstack/ceilometer -ceilometer_git_install_branch: 0d79ea0edca9c175076742357c83aed07b48711b # HEAD of "stable/kilo" as of 07.12.2015 +ceilometer_git_install_branch: e09a946ccfaf80a9bc4bbbbf327169c09974117c # HEAD of "stable/kilo" as of 21.01.2016 ceilometer_git_dest: "/opt/ceilometer_{{ceilometer_git_install_branch | replace('/', '_') }}" ## Cinder service cinder_git_repo: https://git.openstack.org/openstack/cinder -cinder_git_install_branch: 7cce8719f23bd35c10144f8232c80e31ccef1019 # HEAD of "stable/kilo" as of 07.12.2015 +cinder_git_install_branch: 7c05ae7d031827bbc069391e48dbdc6783481054 # HEAD of "stable/kilo" as of 21.01.2016 cinder_git_dest: "/opt/cinder_{{ cinder_git_install_branch | replace('/', '_') }}" ## Glance service glance_git_repo: https://git.openstack.org/openstack/glance -glance_git_install_branch: 417c02ae8ae362713dc7c46740f1af7e2a9d55c2 # HEAD of "stable/kilo" as of 07.12.2015 +glance_git_install_branch: 0bac2bf693f054894f2e1b8149de8ecc7772f065 # HEAD of "stable/kilo" as of 21.01.2016 glance_git_dest: "/opt/glance_{{ glance_git_install_branch | replace('/', '_') }}" ## Heat service heat_git_repo: https://git.openstack.org/openstack/heat -heat_git_install_branch: 4aa687ed79437d96dc65a0805fe8a3257156afbb # HEAD of "stable/kilo" as of 07.12.2015 +heat_git_install_branch: f32bddcd12cd0c9e56f1daeb4519f610f729d2f7 # HEAD of "stable/kilo" as of 21.01.2016 heat_git_dest: "/opt/heat_{{ heat_git_install_branch | replace('/', '_') }}" 
heat_repo_plugins: - { path: "contrib", package: "extraroute" } 
@@ -63,41 +63,41 @@ heat_repo_plugins: ## Horizon service horizon_git_repo: https://git.openstack.org/openstack/horizon -horizon_git_install_branch: 1d10078edbca1a2f5ab15af1ad837c4d687a9d45 # HEAD of "stable/kilo" as of 07.12.2015 +horizon_git_install_branch: e3848cf0aa7a0da53989736d5d058883cecab0b5 # HEAD of "stable/kilo" as of 21.01.2016 horizon_git_dest: "/opt/horizon_{{ horizon_git_install_branch | replace('/', '_') }}" ## Keystone service keystone_git_repo: https://git.openstack.org/openstack/keystone -keystone_git_install_branch: 3182bf798ec680ab9070f00775a1f1c2499793fc # HEAD of "stable/kilo" as of 07.12.2015 +keystone_git_install_branch: 9c9c1331e0c004897d5f4c5847f7143b56373f10 # HEAD of "stable/kilo" as of 21.01.2016 keystone_git_dest: "/opt/keystone_{{ keystone_git_install_branch | replace('/', '_') }}" ## Neutron service neutron_git_repo: https://git.openstack.org/openstack/neutron -neutron_git_install_branch: 671cca2fd41cea1c6741452f4a9ef6162be94406 # HEAD of "stable/kilo" as of 07.12.2015 +neutron_git_install_branch: 608b54137fb67512c07099089ea7e074176e12df # HEAD of "stable/kilo" as of 21.01.2016 neutron_git_dest: "/opt/neutron_{{ neutron_git_install_branch | replace('/', '_') }}" neutron_lbaas_git_repo: https://git.openstack.org/openstack/neutron-lbaas -neutron_lbaas_git_install_branch: f3289f6f32a504557d7e3776dfd56ecb98259ad7 # HEAD of "stable/kilo" as of 07.12.2015 +neutron_lbaas_git_install_branch: 19b26518fdd738b848edbbac483f53d1326555af # HEAD of "stable/kilo" as of 21.01.2016 neutron_lbaas_git_dest: "/opt/neutron_lbaas_{{ neutron_lbaas_git_install_branch | replace('/', '_') }}" neutron_vpnaas_git_repo: https://git.openstack.org/openstack/neutron-vpnaas -neutron_vpnaas_git_install_branch: 27eaa2e9dccbefbfc04ac6a4a45acbc119e6e55c # HEAD of "stable/kilo" as of 07.12.2015 +neutron_vpnaas_git_install_branch: 27eaa2e9dccbefbfc04ac6a4a45acbc119e6e55c # HEAD of "stable/kilo" as of 21.01.2016 neutron_vpnaas_git_dest: "/opt/neutron_vpnaas_{{ 
neutron_vpnaas_git_install_branch | replace('/', '_') }}" neutron_fwaas_git_repo: https://git.openstack.org/openstack/neutron-fwaas -neutron_fwaas_git_install_branch: 70b567c08e4d3130d566c3614f91cc66411ce7b2 # HEAD of "stable/kilo" as of 07.12.2015 +neutron_fwaas_git_install_branch: 70b567c08e4d3130d566c3614f91cc66411ce7b2 # HEAD of "stable/kilo" as of 21.01.2016 neutron_fwaas_git_dest: "/opt/neutron_fwaas_{{ neutron_fwaas_git_install_branch | replace('/', '_') }}" ## Nova service nova_git_repo: https://git.openstack.org/openstack/nova -nova_git_install_branch: fc932f1fbcf6199839c31918125d7fe775c4b5f6 # HEAD of "stable/kilo" as of 07.12.2015 +nova_git_install_branch: b974c6d1d5753f333d1d71f8190ddf3b4f8fbbf1 # HEAD of "stable/kilo" as of 21.01.2016 nova_git_dest: "/opt/nova_{{ nova_git_install_branch | replace('/', '_') }}" ## Swift service swift_git_repo: https://git.openstack.org/openstack/swift -swift_git_install_branch: 2914514e2464c4a9227bbbf67f5a08eda7b7ad06 # HEAD of "stable/kilo" as of 07.12.2015 +swift_git_install_branch: 036c2f348d24c01c7a4deba3e44889c45270b46d # HEAD of "stable/kilo" as of 21.01.2016 swift_git_dest: "/opt/swift_{{ swift_git_install_branch | replace('/', '_') }}" diff --git a/playbooks/defaults/repo_packages/python2_lxc.yml b/playbooks/defaults/repo_packages/python2_lxc.yml index 0654f6e946..bdeba4eab6 100644 --- a/playbooks/defaults/repo_packages/python2_lxc.yml +++ b/playbooks/defaults/repo_packages/python2_lxc.yml @@ -15,5 +15,5 @@ ## Git Source for python2-lxc library git_repo: https://github.com/lxc/python2-lxc -git_install_branch: 0553f05d23b56b59bf3015fa5e45bfbfab9021ef # HEAD of "master" as of 21.10.2015 +git_install_branch: 0553f05d23b56b59bf3015fa5e45bfbfab9021ef # HEAD of "master" as of 21.01.2016 git_dest: "/opt/lxc_python2_{{ git_install_branch|replace('/', '_') }}" diff --git a/playbooks/inventory/group_vars/all.yml b/playbooks/inventory/group_vars/all.yml index 748a50c2aa..c249e530ae 100644 
--- a/playbooks/inventory/group_vars/all.yml +++ b/playbooks/inventory/group_vars/all.yml @@ -14,7 +14,7 @@ # limitations under the License. ## OpenStack Source Code Release -openstack_release: 11.2.7 +openstack_release: 11.2.8 # Global minimum kernel requirement openstack_host_required_kernel: 3.13.0-34-generic diff --git a/playbooks/roles/os_ceilometer/defaults/main.yml b/playbooks/roles/os_ceilometer/defaults/main.yml index d53c765238..6708b4c902 100644 --- a/playbooks/roles/os_ceilometer/defaults/main.yml +++ b/playbooks/roles/os_ceilometer/defaults/main.yml @@ -104,9 +104,12 @@ ceilometer_service_names: ## Tunable overrides ceilometer_policy_overrides: {} +ceilometer_rootwrap_conf_overrides: {} ceilometer_ceilometer_conf_overrides: {} ceilometer_api_paste_ini_overrides: {} ceilometer_event_definitions_yaml_overrides: {} ceilometer_event_pipeline_yaml_overrides: {} ceilometer_pipeline_yaml_overrides: {} +ceilometer_deprecated_pipeline_yaml_overrides: {} +ceilometer_gabbi_pipeline_yaml_overrides: {} diff --git a/playbooks/roles/os_ceilometer/files/rootwrap.d/ipmi.filters b/playbooks/roles/os_ceilometer/files/rootwrap.d/ipmi.filters new file mode 100644 index 0000000000..2ef74b04ea --- /dev/null +++ b/playbooks/roles/os_ceilometer/files/rootwrap.d/ipmi.filters @@ -0,0 +1,7 @@ +# ceilometer-rootwrap command filters for IPMI capable nodes +# This file should be owned by (and only-writeable by) the root user + +[Filters] +# ceilometer/ipmi/nodemanager/node_manager.py: 'ipmitool' +ipmitool: CommandFilter, ipmitool, root + diff --git a/playbooks/roles/os_ceilometer/tasks/ceilometer_post_install.yml b/playbooks/roles/os_ceilometer/tasks/ceilometer_post_install.yml index abc7773a5a..998afe9ce5 100644 --- a/playbooks/roles/os_ceilometer/tasks/ceilometer_post_install.yml +++ b/playbooks/roles/os_ceilometer/tasks/ceilometer_post_install.yml 
@@ -31,6 +31,10 @@ dest: "/etc/ceilometer/api_paste.ini" config_overrides: "{{ ceilometer_api_paste_ini_overrides }}" config_type: "ini" + - src: "rootwrap.conf.j2" + dest: "/etc/ceilometer/rootwrap.conf" + config_overrides: "{{ ceilometer_rootwrap_conf_overrides }}" + config_type: "ini" - src: "event_pipeline.yaml.j2" dest: "/etc/ceilometer/event_pipeline.yaml" config_overrides: "{{ ceilometer_event_pipeline_yaml_overrides }}" @@ -43,6 +47,14 @@ dest: "/etc/ceilometer/pipeline.yaml" config_overrides: "{{ ceilometer_pipeline_yaml_overrides }}" config_type: "yaml" + - src: "deprecated_pipeline.yaml.j2" + dest: "/etc/ceilometer/deprecated_pipeline.yaml" + config_overrides: "{{ ceilometer_deprecated_pipeline_yaml_overrides }}" + config_type: "yaml" + - src: "gabbi_pipeline.yaml.j2" + dest: "/etc/ceilometer/gabbi_pipeline.yaml" + config_overrides: "{{ ceilometer_gabbi_pipeline_yaml_overrides }}" + config_type: "yaml" - src: "policy.json.j2" dest: "/etc/ceilometer/policy.json" config_overrides: "{{ ceilometer_policy_overrides }}" @@ -52,3 +64,15 @@ - ceilometer-config - ceilometer-post-install +- name: Drop rootwrap filters + copy: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + owner: "{{ ceilometer_system_user_name }}" + group: "{{ ceilometer_system_group_name }}" + with_items: + - { src: "rootwrap.d/ipmi.filters", dest: "/etc/ceilometer/rootwrap.d/ipmi.filters" } + notify: + - Restart ceilometer services + tags: + - ceilometer-config diff --git a/playbooks/roles/os_ceilometer/tasks/ceilometer_pre_install.yml b/playbooks/roles/os_ceilometer/tasks/ceilometer_pre_install.yml index cfde633c97..ee8e2461ed 100644 --- a/playbooks/roles/os_ceilometer/tasks/ceilometer_pre_install.yml +++ b/playbooks/roles/os_ceilometer/tasks/ceilometer_pre_install.yml 
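Review bot: The new `Drop rootwrap filters` task copies `rootwrap.d/ipmi.filters` with `owner: "{{ ceilometer_system_user_name }}"` and the matching group, while the file's own header says it should be owned by, and only writeable by, the root user. A filter file that the service account can rewrite lets that account widen what ceilometer-rootwrap will run as root, which defeats the purpose of the filter. I would set `owner: "root"`, `group: "root"` and `mode: "0644"` on this task. The same concern applies to `/etc/ceilometer/rootwrap.conf` from the first hunk and to the `/etc/ceilometer/rootwrap.d` directory added in ceilometer_pre_install.yml; their owner settings sit outside the visible hunks, so they need checking.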
@@ -55,6 +55,7 @@ mode: "{{ item.mode|default('0755') }}" with_items: - { path: "/etc/ceilometer" } + - { path: "/etc/ceilometer/rootwrap.d" } - { path: "{{ ceilometer_system_user_home }}" } - { path: "{{ ceilometer_system_user_home }}/.ssh", mode: "0700" } - { path: "/var/cache/ceilometer", mode: "0700" } diff --git a/playbooks/roles/os_ceilometer/templates/api_paste.ini.j2 b/playbooks/roles/os_ceilometer/templates/api_paste.ini.j2 index 38a6a59a6d..702ce2875f 100644 --- a/playbooks/roles/os_ceilometer/templates/api_paste.ini.j2 +++ b/playbooks/roles/os_ceilometer/templates/api_paste.ini.j2 @@ -15,3 +15,4 @@ paste.filter_factory = keystonemiddleware.auth_token:filter_factory [filter:request_id] paste.filter_factory = oslo.middleware:RequestId.factory + diff --git a/playbooks/roles/os_ceilometer/templates/deprecated_pipeline.yaml.j2 b/playbooks/roles/os_ceilometer/templates/deprecated_pipeline.yaml.j2 new file mode 100644 index 0000000000..6e4597fc29 --- /dev/null +++ b/playbooks/roles/os_ceilometer/templates/deprecated_pipeline.yaml.j2 
@@ -0,0 +1,73 @@ +--- +- + name: meter_pipeline + interval: 600 + meters: + - "*" + resources: + transformers: + publishers: + - rpc:// +- + name: cpu_pipeline + interval: 600 + meters: + - "cpu" + transformers: + - name: "rate_of_change" + parameters: + target: + name: "cpu_util" + unit: "%" + type: "gauge" + scale: "100.0 / (10**9 * (resource_metadata.cpu_number or 1))" + publishers: + - rpc:// +- + name: disk_pipeline + interval: 600 + meters: + - "disk.read.bytes" + - "disk.read.requests" + - "disk.write.bytes" + - "disk.write.requests" + - "disk.device.read.bytes" + - "disk.device.read.requests" + - "disk.device.write.bytes" + - "disk.device.write.requests" + transformers: + - name: "rate_of_change" + parameters: + source: + map_from: + name: "(disk\\.device|disk)\\.(read|write)\\.(bytes|requests)" + unit: "(B|request)" + target: + map_to: + name: "\\1.\\2.\\3.rate" + unit: "\\1/s" + type: "gauge" + publishers: + - rpc:// +- + name: network_pipeline + interval: 600 + meters: + - "network.incoming.bytes" + - "network.incoming.packets" + - "network.outgoing.bytes" + - "network.outgoing.packets" + transformers: + - name: "rate_of_change" + parameters: + source: + map_from: + name: "network\\.(incoming|outgoing)\\.(bytes|packets)" + unit: "(B|packet)" + target: + map_to: + name: "network.\\1.\\2.rate" + unit: "\\1/s" + type: "gauge" + publishers: + - rpc:// diff --git a/playbooks/roles/os_ceilometer/templates/event_definitions.yaml.j2 b/playbooks/roles/os_ceilometer/templates/event_definitions.yaml.j2 index a5ab2e2c9d..e872331af4 100644 --- a/playbooks/roles/os_ceilometer/templates/event_definitions.yaml.j2 +++ b/playbooks/roles/os_ceilometer/templates/event_definitions.yaml.j2 @@ -366,4 +366,3 @@ <<: *http_audit reason_code: fields: payload.reason.reasonCode - diff --git a/playbooks/roles/os_ceilometer/templates/gabbi_pipeline.yaml.j2 b/playbooks/roles/os_ceilometer/templates/gabbi_pipeline.yaml.j2 new file mode 100644 index 0000000000..e90516f0be --- /dev/null 
+++ b/playbooks/roles/os_ceilometer/templates/gabbi_pipeline.yaml.j2 @@ -0,0 +1,19 @@ +# A limited pipeline for use with the Gabbi spike. +# direct writes to the the metering database without using an +# intermediary dispatcher. +# +# This is one of several things that will need some extensive +# tidying to be more right. +--- +sources: + - name: meter_source + interval: 1 + meters: + - "*" + sinks: + - meter_sink +sinks: + - name: meter_sink + transformers: + publishers: + - direct:// diff --git a/playbooks/roles/os_ceilometer/templates/pipeline.yaml.j2 b/playbooks/roles/os_ceilometer/templates/pipeline.yaml.j2 index ca1086a725..12b45f2e08 100644 --- a/playbooks/roles/os_ceilometer/templates/pipeline.yaml.j2 +++ b/playbooks/roles/os_ceilometer/templates/pipeline.yaml.j2 @@ -80,4 +80,3 @@ sinks: type: "gauge" publishers: - notifier:// - diff --git a/playbooks/roles/os_ceilometer/templates/rootwrap.conf.j2 b/playbooks/roles/os_ceilometer/templates/rootwrap.conf.j2 new file mode 100644 index 0000000000..c79065c764 --- /dev/null +++ b/playbooks/roles/os_ceilometer/templates/rootwrap.conf.j2 
@@ -0,0 +1,27 @@ +# Configuration for ceilometer-rootwrap +# This file should be owned by (and only-writeable by) the root user + +[DEFAULT] +# List of directories to load filter definitions from (separated by ','). +# These directories MUST all be only writeable by root ! +filters_path=/etc/ceilometer/rootwrap.d,/usr/share/ceilometer/rootwrap + +# List of directories to search executables in, in case filters do not +# explicitely specify a full path (separated by ',') +# If not specified, defaults to system PATH environment variable. +# These directories MUST all be only writeable by root ! +exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin + +# Enable logging to syslog +# Default value is False +use_syslog=False + +# Which syslog facility to use. +# Valid values include auth, authpriv, syslog, user0, user1... +# Default value is 'syslog' +syslog_log_facility=syslog + +# Which messages to log. +# INFO means log all usage +# ERROR means only log unsuccessful attempts +syslog_log_level=ERROR diff --git a/playbooks/roles/os_cinder/tasks/cinder_post_install.yml b/playbooks/roles/os_cinder/tasks/cinder_post_install.yml index d364a72f5e..5f237094df 100644 --- a/playbooks/roles/os_cinder/tasks/cinder_post_install.yml +++ b/playbooks/roles/os_cinder/tasks/cinder_post_install.yml @@ -35,7 +35,7 @@ dest: "/etc/cinder/rootwrap.conf" config_overrides: "{{ cinder_rootwrap_conf_overrides }}" config_type: "ini" - - src: "policy.json" + - src: "policy.json.j2" dest: "/etc/cinder/policy.json" config_overrides: "{{ cinder_policy_overrides }}" config_type: "json" diff --git a/playbooks/roles/os_cinder/templates/api-paste.ini.j2 b/playbooks/roles/os_cinder/templates/api-paste.ini.j2 index 0d79c81395..20be8bd0a9 100644 --- a/playbooks/roles/os_cinder/templates/api-paste.ini.j2 +++ b/playbooks/roles/os_cinder/templates/api-paste.ini.j2 
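Review bot: `use_syslog=False` together with `syslog_log_level=ERROR` in the new rootwrap.conf.j2 means commands that ceilometer-rootwrap runs as root are not logged to syslog. For a privilege boundary I would default to `use_syslog=True` and `syslog_log_level=INFO`, which the file's own comments describe as logging all usage, or at least document that deployers can set both through `ceilometer_rootwrap_conf_overrides`. `filters_path` also lists `/usr/share/ceilometer/rootwrap`; per the comment in the file that directory must be writeable by root only, and nothing in the visible hunks creates or checks it.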
@@ -35,7 +35,7 @@ enabled = yes paste.filter_factory = cinder.api.middleware.auth:NoAuthMiddleware.factory [filter:sizelimit] -paste.filter_factory = oslo_middleware:RequestBodySizeLimiter.factory +paste.filter_factory = cinder.api.middleware.sizelimit:RequestBodySizeLimiter.factory [app:apiv1] paste.app_factory = cinder.api.v1.router:APIRouter.factory diff --git a/playbooks/roles/os_cinder/templates/policy.json b/playbooks/roles/os_cinder/templates/policy.json.j2 similarity index 100% rename from playbooks/roles/os_cinder/templates/policy.json rename to playbooks/roles/os_cinder/templates/policy.json.j2 diff --git a/playbooks/roles/os_glance/templates/glance-api-paste.ini.j2 b/playbooks/roles/os_glance/templates/glance-api-paste.ini.j2 index 029221ccf7..04909abc7b 100644 --- a/playbooks/roles/os_glance/templates/glance-api-paste.ini.j2 +++ b/playbooks/roles/os_glance/templates/glance-api-paste.ini.j2 @@ -12,7 +12,7 @@ pipeline = versionnegotiation osprofiler unauthenticated-context cache cachemana # Use this pipeline for keystone auth [pipeline:glance-api-keystone] -pipeline = versionnegotiation osprofiler authtoken context rootapp +pipeline = versionnegotiation osprofiler authtoken context rootapp # Use this pipeline for keystone auth with image caching [pipeline:glance-api-keystone+caching] diff --git a/playbooks/roles/os_glance/templates/glance-search-paste.ini.j2 b/playbooks/roles/os_glance/templates/glance-search-paste.ini.j2 new file mode 100755 index 0000000000..fb2eb71280 --- /dev/null +++ b/playbooks/roles/os_glance/templates/glance-search-paste.ini.j2 
@@ -0,0 +1,23 @@ +# Use this pipeline for no auth - DEFAULT +[pipeline:glance-search] +pipeline = unauthenticated-context rootapp + +[pipeline:glance-search-keystone] +pipeline = authtoken context rootapp + +[composite:rootapp] +paste.composite_factory = glance.api:root_app_factory +/v0.1: apiv0_1app + +[app:apiv0_1app] +paste.app_factory = glance.search.api.v0_1.router:API.factory + +[filter:unauthenticated-context] +paste.filter_factory = glance.api.middleware.context:UnauthenticatedContextMiddleware.factory + +[filter:authtoken] +paste.filter_factory = keystonemiddleware.auth_token:filter_factory +delay_auth_decision = true + +[filter:context] +paste.filter_factory = glance.api.middleware.context:ContextMiddleware.factory diff --git a/playbooks/roles/os_glance/templates/policy.json.j2 b/playbooks/roles/os_glance/templates/policy.json.j2 index 3a3042e0dd..4bbc8b46c6 100644 --- a/playbooks/roles/os_glance/templates/policy.json.j2 +++ b/playbooks/roles/os_glance/templates/policy.json.j2 @@ -1,7 +1,5 @@ { "context_is_admin": "role:admin", - "tenant_is_owner": "tenant:%(owner)s", - "admin_or_owner": "role:admin OR rule:tenant_is_owner", "default": "", "add_image": "", @@ -9,7 +7,7 @@ "get_image": "", "get_images": "", "modify_image": "", - "publicize_image": "rule:admin_or_owner", + "publicize_image": "role:admin", "copy_from": "", "download_image": "", @@ -19,11 +17,11 @@ "get_image_location": "", "set_image_location": "", - "add_member": "rule:admin_or_owner", - "delete_member": "rule:admin_or_owner", + "add_member": "", + "delete_member": "", "get_member": "", "get_members": "", - "modify_member": "rule:admin_or_owner", + "modify_member": "", "manage_image_cache": "role:admin", diff --git a/playbooks/roles/os_heat/templates/api-paste.ini.j2 b/playbooks/roles/os_heat/templates/api-paste.ini.j2 index 0e8185dfa0..79440f9127 100644 --- a/playbooks/roles/os_heat/templates/api-paste.ini.j2 +++ b/playbooks/roles/os_heat/templates/api-paste.ini.j2 
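Review bot: The new glance-search-paste.ini.j2 makes `[pipeline:glance-search]` (`unauthenticated-context rootapp`) the default flavor, so whatever renders this template has to select `glance-search-keystone` explicitly or the search API is served without token validation. The diffstat lists no os_glance task change, so it appears nothing deploys this file yet; a comment at the top of the template stating which flavor the role expects would prevent a later mistake. The file is also created with mode 100755, which a config template does not need; 100644 matches the other templates created in this patch.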
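Review bot: In the last policy.json.j2 hunk `add_member`, `delete_member` and `modify_member` go from `rule:admin_or_owner` to `""`, which at the policy layer admits any authenticated caller. That is only safe if the Glance code at the pinned SHA enforces image ownership itself for member operations, which cannot be confirmed from this diff; a sentence in the commit message on why the empty rule is acceptable would help. The first hunk also removes the `tenant_is_owner` and `admin_or_owner` definitions, so a deployer override that still references `rule:admin_or_owner` would point at a rule that no longer exists, which deserves a release note.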
@@ -101,4 +101,4 @@ paste.filter_factory = oslo.middleware.request_id:RequestId.factory [filter:osprofiler] paste.filter_factory = osprofiler.web:WsgiMiddleware.factory hmac_keys = {{ heat_profiler_hmac_key }} -enabled = {{ heat_profiler_enabled }} +enabled = yes diff --git a/playbooks/roles/os_heat/templates/templates/AWS_RDS_DBInstance.yaml.j2 b/playbooks/roles/os_heat/templates/templates/AWS_RDS_DBInstance.yaml.j2 index b7c53bdd69..30173442e6 100644 --- a/playbooks/roles/os_heat/templates/templates/AWS_RDS_DBInstance.yaml.j2 +++ b/playbooks/roles/os_heat/templates/templates/AWS_RDS_DBInstance.yaml.j2 @@ -95,8 +95,8 @@ Resources: MasterUserPassword: {Ref: MasterUserPassword} WaitHandle: {Ref: WaitHandle} - | - #!/usr/bin/env bash - set -v + #!/bin/bash -v + # iptables -F # Helper function diff --git a/playbooks/roles/os_neutron/files/rootwrap.d/cisco-apic.filters b/playbooks/roles/os_neutron/files/rootwrap.d/cisco-apic.filters new file mode 100644 index 0000000000..a74a3602d0 --- /dev/null +++ b/playbooks/roles/os_neutron/files/rootwrap.d/cisco-apic.filters @@ -0,0 +1,17 @@ +# neutron-rootwrap command filters for nodes on which neutron is +# expected to control network +# +# This file should be owned by (and only-writeable by) the root user + +# format seems to be +# cmd-name: filter-name, raw-command, user, args + +[Filters] + +# cisco-apic filters +lldpctl: CommandFilter, lldpctl, root + +# ip_lib filters +ip: IpFilter, ip, root +find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.* +ip_exec: IpNetnsExecFilter, ip, root diff --git a/playbooks/roles/os_neutron/tasks/neutron_post_install.yml b/playbooks/roles/os_neutron/tasks/neutron_post_install.yml index 381fa0b6aa..cfe03617ab 100644 --- a/playbooks/roles/os_neutron/tasks/neutron_post_install.yml +++ b/playbooks/roles/os_neutron/tasks/neutron_post_install.yml 
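Review bot: `enabled = yes` in `[filter:osprofiler]` hard-codes the profiler middleware on and leaves `heat_profiler_enabled` without effect in this template, so a deployer can no longer switch it off through the variable. With the filter always active, the only control this template shows over who can request traces is the value of `heat_profiler_hmac_key`. I would keep `enabled = {{ heat_profiler_enabled }}`, or, if the variable is being retired, remove it from the role defaults in the same patch so that it does not look effective.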
@@ -99,6 +99,7 @@ - { src: "rootwrap.d/lbaas-haproxy.filters", dest: "/etc/neutron/rootwrap.d/lbaas-haproxy.filters" } - { src: "rootwrap.d/vpnaas.filters", dest: "/etc/neutron/rootwrap.d/vpnaas.filters" } - { src: "rootwrap.d/ebtables.filters", dest: "/etc/neutron/rootwrap.d/ebtables.filters" } + - { src: "rootwrap.d/cisco-apic.filters", dest: "/etc/neutron/rootwrap.d/cisco-apic.filters" } notify: - Restart neutron services tags: diff --git a/playbooks/roles/os_neutron/templates/api-paste.ini.j2 b/playbooks/roles/os_neutron/templates/api-paste.ini.j2 index 780853da8f..29f01e20b2 100644 --- a/playbooks/roles/os_neutron/templates/api-paste.ini.j2 +++ b/playbooks/roles/os_neutron/templates/api-paste.ini.j2 @@ -27,4 +27,4 @@ paste.filter_factory = neutron.api.extensions:plugin_aware_extension_middleware_ paste.app_factory = neutron.api.versions:Versions.factory [app:neutronapiapp_v2_0] -paste.app_factory = neutron.api.v2.router:APIRouter.factory \ No newline at end of file +paste.app_factory = neutron.api.v2.router:APIRouter.factory diff --git a/playbooks/roles/os_nova/files/rootwrap.d/compute.filters b/playbooks/roles/os_nova/files/rootwrap.d/compute.filters index 3e9b7f547c..acb5b25e46 100644 --- a/playbooks/roles/os_nova/files/rootwrap.d/compute.filters +++ b/playbooks/roles/os_nova/files/rootwrap.d/compute.filters @@ -31,6 +31,9 @@ qemu-nbd: CommandFilter, qemu-nbd, root # nova/virt/disk/mount/loop.py: 'losetup', '--detach', device losetup: CommandFilter, losetup, root +# nova/virt/disk/vfs/localfs.py: 'blkid', '-o', 'value', '-s', 'TYPE', device +blkid: CommandFilter, blkid, root + # nova/virt/libvirt/utils.py: 'blockdev', '--getsize64', path # nova/virt/disk/mount/nbd.py: 'blockdev', '--flushbufs', device blockdev: RegExpFilter, blockdev, root, blockdev, (--getsize64|--flushbufs), /dev/.* 
@@ -45,7 +48,6 @@ mkdir: CommandFilter, mkdir, root # nova/virt/libvirt/connection.py: 'chown', os.getuid( console_log # nova/virt/libvirt/connection.py: 'chown', os.getuid( console_log # nova/virt/libvirt/connection.py: 'chown', 'root', basepath('disk') -# nova/utils.py: 'chown', owner_uid, path chown: CommandFilter, chown, root # nova/virt/disk/vfs/localfs.py: 'chmod' @@ -84,6 +86,9 @@ tunctl: CommandFilter, tunctl, root # nova/network/linux_net.py: 'ovs-vsctl', .... ovs-vsctl: CommandFilter, ovs-vsctl, root +# nova/virt/libvirt/vif.py: 'vrouter-port-control', ... +vrouter-port-control: CommandFilter, vrouter-port-control, root + # nova/network/linux_net.py: 'ovs-ofctl', .... ovs-ofctl: CommandFilter, ovs-ofctl, root @@ -164,11 +169,9 @@ qemu-img: CommandFilter, qemu-img, root # nova/virt/disk/vfs/localfs.py: 'readlink', '-e' readlink: CommandFilter, readlink, root -# nova/virt/disk/api.py: 'touch', target -touch: CommandFilter, touch, root - # nova/virt/disk/api.py: mkfs.ext3: CommandFilter, mkfs.ext3, root +mkfs.ext4: CommandFilter, mkfs.ext4, root mkfs.ntfs: CommandFilter, mkfs.ntfs, root # nova/virt/libvirt/connection.py: @@ -203,7 +206,7 @@ systool: CommandFilter, systool, root # nova/virt/libvirt/volume.py: sginfo: CommandFilter, sginfo, root sg_scan: CommandFilter, sg_scan, root -ln: RegExpFilter, ln, root, ln, --symbolic, --force, /dev/mapper/ip-.*-iscsi-iqn.2010-10.org.openstack:volume-.*, /dev/disk/by-path/ip-.*-iscsi-iqn.2010-10.org.openstack:volume-.* +ln: RegExpFilter, ln, root, ln, --symbolic, --force, /dev/mapper/ip-.*-iscsi-iqn.*, /dev/disk/by-path/ip-.*-iscsi-iqn.* # nova/volume/encryptors.py: # nova/virt/libvirt/dmcrypt.py: @@ -226,3 +229,9 @@ cp: CommandFilter, cp, root # nova/virt/xenapi/vm_utils.py: sync: CommandFilter, sync, root + +# nova/virt/libvirt/imagebackend.py: +ploop: CommandFilter, ploop, root + +# nova/virt/libvirt/utils.py: 'xend', 'status' +xend: CommandFilter, xend, root 
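Review bot: The `ln` RegExpFilter in the fourth hunk is widened from `iscsi-iqn.2010-10.org.openstack:volume-.*` to `iscsi-iqn.*` for both the link target and the link name, so the filter now accepts any IQN instead of only OpenStack volume targets. Because `.` also matches `/`, the trailing `.*` does not confine either argument to `/dev/mapper` or `/dev/disk/by-path`; if the wider IQN match is needed, `[^/]*` in place of each `.*` keeps both paths inside their directories, for example `/dev/mapper/ip-[^/]*-iscsi-iqn[^/]*`. The neighbouring hunks also add unrestricted `CommandFilter` entries for `blkid`, `mkfs.ext4`, `vrouter-port-control`, `ploop` and `xend`; entries for hypervisors or network plugins this deployment does not use could be left out.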
diff --git a/playbooks/roles/os_nova/templates/policy.json.j2 b/playbooks/roles/os_nova/templates/policy.json.j2
index c8464b1f34..c23839394d 100644
--- a/playbooks/roles/os_nova/templates/policy.json.j2
+++ b/playbooks/roles/os_nova/templates/policy.json.j2
@@ -182,5 +182,212 @@
 "network:create_private_dns_domain": "",
 "network:create_public_dns_domain": "",
 "network:delete_dns_domain": "",
- "network:attach_external_network": "rule:admin_api"
+ "network:attach_external_network": "rule:admin_api",
+
+ "os_compute_api:servers:start": "rule:admin_or_owner",
+ "os_compute_api:servers:stop": "rule:admin_or_owner",
+ "os_compute_api:os-access-ips:discoverable": "",
+ "os_compute_api:os-access-ips": "",
+ "os_compute_api:os-admin-actions": "rule:admin_api",
+ "os_compute_api:os-admin-actions:discoverable": "",
+ "os_compute_api:os-admin-actions:reset_network": "rule:admin_api",
+ "os_compute_api:os-admin-actions:inject_network_info": "rule:admin_api",
+ "os_compute_api:os-admin-actions:reset_state": "rule:admin_api",
+ "os_compute_api:os-admin-password": "",
+ "os_compute_api:os-admin-password:discoverable": "",
+ "os_compute_api:os-aggregates:discoverable": "",
+ "os_compute_api:os-aggregates:index": "rule:admin_api",
+ "os_compute_api:os-aggregates:create": "rule:admin_api",
+ "os_compute_api:os-aggregates:show": "rule:admin_api",
+ "os_compute_api:os-aggregates:update": "rule:admin_api",
+ "os_compute_api:os-aggregates:delete": "rule:admin_api",
+ "os_compute_api:os-aggregates:add_host": "rule:admin_api",
+ "os_compute_api:os-aggregates:remove_host": "rule:admin_api",
+ "os_compute_api:os-aggregates:set_metadata": "rule:admin_api",
+ "os_compute_api:os-agents": "rule:admin_api",
+ "os_compute_api:os-agents:discoverable": "",
+ "os_compute_api:os-attach-interfaces": "",
+ "os_compute_api:os-attach-interfaces:discoverable": "",
+ "os_compute_api:os-baremetal-nodes": "rule:admin_api",
+ "os_compute_api:os-baremetal-nodes:discoverable": "",
+ "os_compute_api:os-block-device-mapping-v1:discoverable": "",
+ "os_compute_api:os-cells": "rule:admin_api",
+ "os_compute_api:os-cells:create": "rule:admin_api",
+ "os_compute_api:os-cells:delete": "rule:admin_api",
+ "os_compute_api:os-cells:update": "rule:admin_api",
+ "os_compute_api:os-cells:sync_instances": "rule:admin_api",
+ "os_compute_api:os-cells:discoverable": "",
+ "os_compute_api:os-certificates:create": "",
+ "os_compute_api:os-certificates:show": "",
+ "os_compute_api:os-certificates:discoverable": "",
+ "os_compute_api:os-cloudpipe": "rule:admin_api",
+ "os_compute_api:os-cloudpipe:discoverable": "",
+ "os_compute_api:os-consoles:discoverable": "",
+ "os_compute_api:os-consoles:create": "",
+ "os_compute_api:os-consoles:delete": "",
+ "os_compute_api:os-consoles:index": "",
+ "os_compute_api:os-consoles:show": "",
+ "os_compute_api:os-console-output:discoverable": "",
+ "os_compute_api:os-console-output": "",
+ "os_compute_api:os-remote-consoles": "",
+ "os_compute_api:os-remote-consoles:discoverable": "",
+ "os_compute_api:os-create-backup:discoverable": "",
+ "os_compute_api:os-create-backup": "rule:admin_or_owner",
+ "os_compute_api:os-deferred-delete": "",
+ "os_compute_api:os-deferred-delete:discoverable": "",
+ "os_compute_api:os-disk-config": "",
+ "os_compute_api:os-disk-config:discoverable": "",
+ "os_compute_api:os-evacuate": "rule:admin_api",
+ "os_compute_api:os-evacuate:discoverable": "",
+ "os_compute_api:os-extended-server-attributes": "rule:admin_api",
+ "os_compute_api:os-extended-server-attributes:discoverable": "",
+ "os_compute_api:os-extended-status": "",
+ "os_compute_api:os-extended-status:discoverable": "",
+ "os_compute_api:os-extended-availability-zone": "",
+ "os_compute_api:os-extended-availability-zone:discoverable": "",
+ "os_compute_api:extension_info:discoverable": "",
+ "os_compute_api:os-extended-volumes": "",
+ "os_compute_api:os-extended-volumes:discoverable": "",
+ "os_compute_api:os-fixed-ips": "rule:admin_api",
+ "os_compute_api:os-fixed-ips:discoverable": "",
+ "os_compute_api:os-flavor-access": "",
+ "os_compute_api:os-flavor-access:discoverable": "",
+ "os_compute_api:os-flavor-access:remove_tenant_access": "rule:admin_api",
+ "os_compute_api:os-flavor-access:add_tenant_access": "rule:admin_api",
+ "os_compute_api:os-flavor-rxtx": "",
+ "os_compute_api:os-flavor-rxtx:discoverable": "",
+ "os_compute_api:flavors:discoverable": "",
+ "os_compute_api:os-flavor-extra-specs:discoverable": "",
+ "os_compute_api:os-flavor-extra-specs:index": "",
+ "os_compute_api:os-flavor-extra-specs:show": "",
+ "os_compute_api:os-flavor-extra-specs:create": "rule:admin_api",
+ "os_compute_api:os-flavor-extra-specs:update": "rule:admin_api",
+ "os_compute_api:os-flavor-extra-specs:delete": "rule:admin_api",
+ "os_compute_api:os-flavor-manage:discoverable": "",
+ "os_compute_api:os-flavor-manage": "rule:admin_api",
+ "os_compute_api:os-floating-ip-dns": "",
+ "os_compute_api:os-floating-ip-dns:discoverable": "",
+ "os_compute_api:os-floating-ip-pools": "",
+ "os_compute_api:os-floating-ip-pools:discoverable": "",
+ "os_compute_api:os-floating-ips": "",
+ "os_compute_api:os-floating-ips:discoverable": "",
+ "os_compute_api:os-floating-ips-bulk": "rule:admin_api",
+ "os_compute_api:os-floating-ips-bulk:discoverable": "",
+ "os_compute_api:os-fping": "",
+ "os_compute_api:os-fping:discoverable": "",
+ "os_compute_api:os-fping:all_tenants": "rule:admin_api",
+ "os_compute_api:os-hide-server-addresses": "is_admin:False",
+ "os_compute_api:os-hide-server-addresses:discoverable": "",
+ "os_compute_api:os-hosts": "rule:admin_api",
+ "os_compute_api:os-hosts:discoverable": "",
+ "os_compute_api:os-hypervisors": "rule:admin_api",
+ "os_compute_api:os-hypervisors:discoverable": "",
+ "os_compute_api:images:discoverable": "",
+ "os_compute_api:image-size": "",
+ "os_compute_api:image-size:discoverable": "",
+ "os_compute_api:os-instance-actions": "",
+ "os_compute_api:os-instance-actions:discoverable": "",
+ "os_compute_api:os-instance-actions:events": "rule:admin_api",
+ "os_compute_api:os-instance-usage-audit-log": "rule:admin_api",
+ "os_compute_api:os-instance-usage-audit-log:discoverable": "",
+ "os_compute_api:ips:discoverable": "",
+ "os_compute_api:ips:index": "rule:admin_or_owner",
+ "os_compute_api:ips:show": "rule:admin_or_owner",
+ "os_compute_api:os-keypairs:discoverable": "",
+ "os_compute_api:os-keypairs": "",
+ "os_compute_api:os-keypairs:index": "",
+ "os_compute_api:os-keypairs:show": "",
+ "os_compute_api:os-keypairs:create": "",
+ "os_compute_api:os-keypairs:delete": "",
+ "os_compute_api:limits:discoverable": "",
+ "os_compute_api:os-lock-server:discoverable": "",
+ "os_compute_api:os-lock-server:lock": "rule:admin_or_owner",
+ "os_compute_api:os-lock-server:unlock": "rule:admin_or_owner",
+ "os_compute_api:os-migrate-server:discoverable": "",
+ "os_compute_api:os-migrate-server:migrate": "rule:admin_api",
+ "os_compute_api:os-migrate-server:migrate_live": "rule:admin_api",
+ "os_compute_api:os-multinic": "",
+ "os_compute_api:os-multinic:discoverable": "",
+ "os_compute_api:os-networks": "rule:admin_api",
+ "os_compute_api:os-networks:view": "",
+ "os_compute_api:os-networks:discoverable": "",
+ "os_compute_api:os-networks-associate": "rule:admin_api",
+ "os_compute_api:os-networks-associate:discoverable": "",
+ "os_compute_api:os-pause-server:discoverable": "",
+ "os_compute_api:os-pause-server:pause": "rule:admin_or_owner",
+ "os_compute_api:os-pause-server:unpause": "rule:admin_or_owner",
+ "os_compute_api:os-pci:pci_servers": "",
+ "os_compute_api:os-pci:discoverable": "",
+ "os_compute_api:os-pci:index": "rule:admin_api",
+ "os_compute_api:os-pci:detail": "rule:admin_api",
+ "os_compute_api:os-pci:show": "rule:admin_api",
+ "os_compute_api:os-personality:discoverable": "",
+ "os_compute_api:os-preserve-ephemeral-rebuild:discoverable": "",
+ "os_compute_api:os-quota-sets:discoverable": "",
+ "os_compute_api:os-quota-sets:show": "",
+ "os_compute_api:os-quota-sets:update": "rule:admin_api",
+ "os_compute_api:os-quota-sets:delete": "rule:admin_api",
+ "os_compute_api:os-quota-sets:detail": "rule:admin_api",
+ "os_compute_api:os-quota-class-sets": "",
+ "os_compute_api:os-quota-class-sets:discoverable": "",
+ "os_compute_api:os-rescue": "",
+ "os_compute_api:os-rescue:discoverable": "",
+ "os_compute_api:os-scheduler-hints:discoverable": "",
+ "os_compute_api:os-security-group-default-rules:discoverable": "",
+ "os_compute_api:os-security-group-default-rules": "rule:admin_api",
+ "os_compute_api:os-security-groups": "",
+ "os_compute_api:os-security-groups:discoverable": "",
+ "os_compute_api:os-server-diagnostics": "rule:admin_api",
+ "os_compute_api:os-server-diagnostics:discoverable": "",
+ "os_compute_api:os-server-password": "",
+ "os_compute_api:os-server-password:discoverable": "",
+ "os_compute_api:os-server-usage": "",
+ "os_compute_api:os-server-usage:discoverable": "",
+ "os_compute_api:os-server-groups": "",
+ "os_compute_api:os-server-groups:discoverable": "",
+ "os_compute_api:os-services": "rule:admin_api",
+ "os_compute_api:os-services:discoverable": "",
+ "os_compute_api:server-metadata:discoverable": "",
+ "os_compute_api:server-metadata:index": "rule:admin_or_owner",
+ "os_compute_api:server-metadata:show": "rule:admin_or_owner",
+ "os_compute_api:server-metadata:delete": "rule:admin_or_owner",
+ "os_compute_api:server-metadata:create": "rule:admin_or_owner",
+ "os_compute_api:server-metadata:update": "rule:admin_or_owner",
+ "os_compute_api:server-metadata:update_all": "rule:admin_or_owner",
+ "os_compute_api:servers:discoverable": "",
+ "os_compute_api:os-shelve:shelve": "",
+ "os_compute_api:os-shelve:shelve:discoverable": "",
+ "os_compute_api:os-shelve:shelve_offload": "rule:admin_api",
+ "os_compute_api:os-simple-tenant-usage:discoverable": "",
+ "os_compute_api:os-simple-tenant-usage:show": "rule:admin_or_owner",
+ "os_compute_api:os-simple-tenant-usage:list": "rule:admin_api",
+ "os_compute_api:os-suspend-server:discoverable": "",
+ "os_compute_api:os-suspend-server:suspend": "rule:admin_or_owner",
+ "os_compute_api:os-suspend-server:resume": "rule:admin_or_owner",
+ "os_compute_api:os-tenant-networks": "rule:admin_or_owner",
+ "os_compute_api:os-tenant-networks:discoverable": "",
+ "os_compute_api:os-shelve:unshelve": "",
+ "os_compute_api:os-user-data:discoverable": "",
+ "os_compute_api:os-virtual-interfaces": "",
+ "os_compute_api:os-virtual-interfaces:discoverable": "",
+ "os_compute_api:os-volumes": "",
+ "os_compute_api:os-volumes:discoverable": "",
+ "os_compute_api:os-volumes-attachments:index": "",
+ "os_compute_api:os-volumes-attachments:show": "",
+ "os_compute_api:os-volumes-attachments:create": "",
+ "os_compute_api:os-volumes-attachments:update": "",
+ "os_compute_api:os-volumes-attachments:delete": "",
+ "os_compute_api:os-volumes-attachments:discoverable": "",
+ "os_compute_api:os-availability-zone:list": "",
+ "os_compute_api:os-availability-zone:discoverable": "",
+ "os_compute_api:os-availability-zone:detail": "rule:admin_api",
+ "os_compute_api:os-used-limits": "rule:admin_api",
+ "os_compute_api:os-used-limits:discoverable": "",
+ "os_compute_api:os-migrations:index": "rule:admin_api",
+ "os_compute_api:os-migrations:discoverable": "",
+ "os_compute_api:os-assisted-volume-snapshots:create": "rule:admin_api",
+ "os_compute_api:os-assisted-volume-snapshots:delete": "rule:admin_api",
+ "os_compute_api:os-assisted-volume-snapshots:discoverable": "",
+ "os_compute_api:os-console-auth-tokens": "rule:admin_api",
+ "os_compute_api:os-server-external-events:create": "rule:admin_api"
 }
diff --git a/playbooks/roles/os_nova/templates/rootwrap.conf.j2 b/playbooks/roles/os_nova/templates/rootwrap.conf.j2
index fb2997abdb..aa466c5d50 100644
--- a/playbooks/roles/os_nova/templates/rootwrap.conf.j2
+++ b/playbooks/roles/os_nova/templates/rootwrap.conf.j2
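Review bot: In policy.json.j2, several state-changing v2.1 rules are added with the empty rule `""`, for example `os_compute_api:os-admin-password`, `os_compute_api:os-rescue`, `os_compute_api:os-shelve:shelve` and the `os_compute_api:os-volumes-attachments:create`/`update`/`delete` entries, while comparable actions such as `os_compute_api:os-lock-server:lock` and `os_compute_api:servers:start` use `rule:admin_or_owner`. An empty rule always passes in oslo.policy, so at this layer those calls are open to any authenticated user and depend entirely on ownership checks made elsewhere in nova, which this diff does not show. If that is not intended, the owner check can be stated here as well, e.g. `"os_compute_api:os-admin-password": "rule:admin_or_owner",`. The updater script copies this file from the upstream tree, so such a change would have to be carried as a local override or proposed upstream.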
@@ -17,7 +17,7 @@ exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin use_syslog=False # Which syslog facility to use. -# Valid values include auth, authpriv, syslog, user0, user1... +# Valid values include auth, authpriv, syslog, local0, local1... # Default value is 'syslog' syslog_log_facility=syslog diff --git a/playbooks/roles/os_tempest/templates/tempest.conf.j2 b/playbooks/roles/os_tempest/templates/tempest.conf.j2 index 753cbb13e7..1f4f515a31 100644 --- a/playbooks/roles/os_tempest/templates/tempest.conf.j2 +++ b/playbooks/roles/os_tempest/templates/tempest.conf.j2 @@ -41,7 +41,7 @@ flavor_ref_alt = 202 image_ssh_user = {{ tempest_compute_image_ssh_user }} image_ssh_password = {{ tempest_compute_image_ssh_password }} image_alt_ssh_user = {{ tempest_compute_image_alt_ssh_user }} -ssh_auth_method = configured +auth_method = keypair fixed_network_name = private endpoint_type = internalURL floating_ip_range = 10.0.0.0/29 diff --git a/requirements.txt b/requirements.txt index e4b304e719..476663e9a8 100644 --- a/requirements.txt +++ b/requirements.txt @@ -5,7 +5,3 @@ pip>=6.0 PrettyTable>=0.7,<0.8 # scripts/inventory-manage.py pycrypto>=2.6 # ansible PyYAML>=3.1.0 # ansible -# Temporary pin of <2.0 for django-compressor: -# https://bugs.launchpad.net/horizon/+bug/1532048 -# https://review.openstack.org/265025 -django_compressor>=1.4,<2.0 diff --git a/scripts/sources-branch-updater.sh b/scripts/sources-branch-updater.sh index 6cfdb6438e..815bee3257 100755 --- a/scripts/sources-branch-updater.sh +++ b/scripts/sources-branch-updater.sh 
@@ -95,11 +95,11 @@ for repo in $(grep 'git_repo\:' ${SERVICE_FILE}); do cp {} "playbooks/roles/os_${repo_name}/templates/policy.json.j2" \; # Tweak the paste files - find ${repo_tmp_path}/etc -name "*-paste.ini" -exec \ + find ${repo_tmp_path}/etc -name "*[_-]paste.ini" -exec \ sed -i.bak "s|hmac_keys = SECRET_KEY|hmac_keys = {{ ${repo_name}_profiler_hmac_key }}|" {} \; # Update the paste files - find ${repo_tmp_path}/etc -name "*-paste.ini" -exec \ + find ${repo_tmp_path}/etc -name "*[_-]paste.ini" -exec \ bash -c "name=\"{}\"; cp \${name} \"playbooks/roles/os_${repo_name}/templates/\$(basename \${name}).j2\"" \; # Update the rootwrap conf files
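Review bot: Both changed `find` lines still expand `${repo_tmp_path}` unquoted, and the second one hands every match to `bash -c "name=\"{}\"; cp \${name} …"`, where the file name is pasted into shell source and then expanded unquoted. A checked-out file name containing spaces or shell metacharacters would be split or interpreted instead of copied, and the wider glob now feeds more names into that path. Passing the match as a positional argument avoids both problems: `find "${repo_tmp_path}/etc" -name "*[_-]paste.ini" -exec \` followed by `bash -c 'cp -- "$1" "$2/$(basename -- "$1").j2"' _ {} "playbooks/roles/os_${repo_name}/templates" \;`. The `find` that runs `sed -i.bak` needs the same quoting of `${repo_tmp_path}`. The enclosing `for repo in …` loop starts and ends outside the hunk.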