Update Kilo SHAs - 21 Jan 2016
Updates all repo SHAs to open up work on 11.2.8. This patch includes a normalisation of file names and updates of paste, policy and rootwrap configurations. It also updates tempest.conf.j2 to replace ssh_auth_method with auth_method, and change auth_method to 'keypair' (configured is no longer a valid option). The locally held temporary pin for django-compressor has been removed as https://review.openstack.org/265025 is included in the updated OpenStack sources. Some projects name their paste config files with an underscore instead of a dash. This patch ensures that the source-branch-updater includes those files too when checking for updates. The OpenStack updates include the following CVE fixes: - OSSA-2016-001: Nova host data leak through snapshot https://security.openstack.org/ossa/OSSA-2016-001.html - OSSA-2016-002: Xen connection password leak in logs via StorageError https://security.openstack.org/ossa/OSSA-2016-002.html - OSSA-2016-003: Heat denial of service through template-validate https://security.openstack.org/ossa/OSSA-2016-003.html Change-Id: I2c878646dd54f41637bd4830122f11e97e9f70f6 Related-Bug: #1532048
parent
9f9acac3e0
commit
e6cc4d6bac
|
@ -27,16 +27,16 @@
|
|||
|
||||
## Tempest service
|
||||
tempest_git_repo: https://git.openstack.org/openstack/tempest
|
||||
tempest_git_install_branch: aa166794fe24b1da6a70be51c51f4d7f77e2712f # HEAD of "master" as of 07.12.2015
|
||||
tempest_git_install_branch: b7d85910d5857487b7c01453b63aa51aa1583bcf # HEAD of "master" as of 21.01.2016
|
||||
tempest_git_install_fragments: "yaprtignorerequirements=true"
|
||||
tempest_git_dest: "/opt/tempest_{{ tempest_git_install_branch | replace('/', '_') }}"
|
||||
|
||||
# NOVNC from source
|
||||
novncproxy_git_repo: https://github.com/kanaka/novnc
|
||||
novncproxy_git_install_branch: b2a813dc739c8b41dd647dc01c8f8f11d8996286 # HEAD of "master" as of 07.12.2015
|
||||
novncproxy_git_install_branch: 670dbddb54264fd0082d0aca1b3acb0f1814b1d2 # HEAD of "master" as of 21.01.2016
|
||||
novncproxy_git_dest: "/opt/novnc_{{ novncproxy_git_install_branch | replace('/', '_') }}"
|
||||
|
||||
# spice-html5 from source
|
||||
spicehtml5_git_repo: https://github.com/SPICE/spice-html5
|
||||
spicehtml5_git_install_branch: ab73d009487c8afd4def39b54a422499b4c13c40 # HEAD of "master" as of 07.12.2015
|
||||
spicehtml5_git_install_branch: ab73d009487c8afd4def39b54a422499b4c13c40 # HEAD of "master" as of 21.01.2016
|
||||
spicehtml5_git_dest: "/opt/spicehtml5_{{ spicehtml5_git_install_branch | replace('/', '_') }}"
|
||||
|
|
|
@ -31,31 +31,31 @@
|
|||
|
||||
## Global Requirements
|
||||
requirements_git_repo: https://git.openstack.org/openstack/requirements
|
||||
requirements_git_install_branch: 817317e264ab89c646facabaa0c43f3c9de00ac4 # HEAD of "stable/kilo" as of 07.12.2015
|
||||
requirements_git_install_branch: 0517298926fa413c3aa03d7e93d5a21bdb9d6ca9 # HEAD of "stable/kilo" as of 21.01.2016
|
||||
requirements_git_dest: "/opt/requirements_{{ requirements_git_install_branch | replace('/', '_') }}"
|
||||
|
||||
|
||||
## Ceilometer service
|
||||
ceilometer_git_repo: https://git.openstack.org/openstack/ceilometer
|
||||
ceilometer_git_install_branch: 0d79ea0edca9c175076742357c83aed07b48711b # HEAD of "stable/kilo" as of 07.12.2015
|
||||
ceilometer_git_install_branch: e09a946ccfaf80a9bc4bbbbf327169c09974117c # HEAD of "stable/kilo" as of 21.01.2016
|
||||
ceilometer_git_dest: "/opt/ceilometer_{{ceilometer_git_install_branch | replace('/', '_') }}"
|
||||
|
||||
|
||||
## Cinder service
|
||||
cinder_git_repo: https://git.openstack.org/openstack/cinder
|
||||
cinder_git_install_branch: 7cce8719f23bd35c10144f8232c80e31ccef1019 # HEAD of "stable/kilo" as of 07.12.2015
|
||||
cinder_git_install_branch: 7c05ae7d031827bbc069391e48dbdc6783481054 # HEAD of "stable/kilo" as of 21.01.2016
|
||||
cinder_git_dest: "/opt/cinder_{{ cinder_git_install_branch | replace('/', '_') }}"
|
||||
|
||||
|
||||
## Glance service
|
||||
glance_git_repo: https://git.openstack.org/openstack/glance
|
||||
glance_git_install_branch: 417c02ae8ae362713dc7c46740f1af7e2a9d55c2 # HEAD of "stable/kilo" as of 07.12.2015
|
||||
glance_git_install_branch: 0bac2bf693f054894f2e1b8149de8ecc7772f065 # HEAD of "stable/kilo" as of 21.01.2016
|
||||
glance_git_dest: "/opt/glance_{{ glance_git_install_branch | replace('/', '_') }}"
|
||||
|
||||
|
||||
## Heat service
|
||||
heat_git_repo: https://git.openstack.org/openstack/heat
|
||||
heat_git_install_branch: 4aa687ed79437d96dc65a0805fe8a3257156afbb # HEAD of "stable/kilo" as of 07.12.2015
|
||||
heat_git_install_branch: f32bddcd12cd0c9e56f1daeb4519f610f729d2f7 # HEAD of "stable/kilo" as of 21.01.2016
|
||||
heat_git_dest: "/opt/heat_{{ heat_git_install_branch | replace('/', '_') }}"
|
||||
heat_repo_plugins:
|
||||
- { path: "contrib", package: "extraroute" }
|
||||
|
@ -63,41 +63,41 @@ heat_repo_plugins:
|
|||
|
||||
## Horizon service
|
||||
horizon_git_repo: https://git.openstack.org/openstack/horizon
|
||||
horizon_git_install_branch: 1d10078edbca1a2f5ab15af1ad837c4d687a9d45 # HEAD of "stable/kilo" as of 07.12.2015
|
||||
horizon_git_install_branch: e3848cf0aa7a0da53989736d5d058883cecab0b5 # HEAD of "stable/kilo" as of 21.01.2016
|
||||
horizon_git_dest: "/opt/horizon_{{ horizon_git_install_branch | replace('/', '_') }}"
|
||||
|
||||
|
||||
## Keystone service
|
||||
keystone_git_repo: https://git.openstack.org/openstack/keystone
|
||||
keystone_git_install_branch: 3182bf798ec680ab9070f00775a1f1c2499793fc # HEAD of "stable/kilo" as of 07.12.2015
|
||||
keystone_git_install_branch: 9c9c1331e0c004897d5f4c5847f7143b56373f10 # HEAD of "stable/kilo" as of 21.01.2016
|
||||
keystone_git_dest: "/opt/keystone_{{ keystone_git_install_branch | replace('/', '_') }}"
|
||||
|
||||
|
||||
## Neutron service
|
||||
neutron_git_repo: https://git.openstack.org/openstack/neutron
|
||||
neutron_git_install_branch: 671cca2fd41cea1c6741452f4a9ef6162be94406 # HEAD of "stable/kilo" as of 07.12.2015
|
||||
neutron_git_install_branch: 608b54137fb67512c07099089ea7e074176e12df # HEAD of "stable/kilo" as of 21.01.2016
|
||||
neutron_git_dest: "/opt/neutron_{{ neutron_git_install_branch | replace('/', '_') }}"
|
||||
|
||||
neutron_lbaas_git_repo: https://git.openstack.org/openstack/neutron-lbaas
|
||||
neutron_lbaas_git_install_branch: f3289f6f32a504557d7e3776dfd56ecb98259ad7 # HEAD of "stable/kilo" as of 07.12.2015
|
||||
neutron_lbaas_git_install_branch: 19b26518fdd738b848edbbac483f53d1326555af # HEAD of "stable/kilo" as of 21.01.2016
|
||||
neutron_lbaas_git_dest: "/opt/neutron_lbaas_{{ neutron_lbaas_git_install_branch | replace('/', '_') }}"
|
||||
|
||||
neutron_vpnaas_git_repo: https://git.openstack.org/openstack/neutron-vpnaas
|
||||
neutron_vpnaas_git_install_branch: 27eaa2e9dccbefbfc04ac6a4a45acbc119e6e55c # HEAD of "stable/kilo" as of 07.12.2015
|
||||
neutron_vpnaas_git_install_branch: 27eaa2e9dccbefbfc04ac6a4a45acbc119e6e55c # HEAD of "stable/kilo" as of 21.01.2016
|
||||
neutron_vpnaas_git_dest: "/opt/neutron_vpnaas_{{ neutron_vpnaas_git_install_branch | replace('/', '_') }}"
|
||||
|
||||
neutron_fwaas_git_repo: https://git.openstack.org/openstack/neutron-fwaas
|
||||
neutron_fwaas_git_install_branch: 70b567c08e4d3130d566c3614f91cc66411ce7b2 # HEAD of "stable/kilo" as of 07.12.2015
|
||||
neutron_fwaas_git_install_branch: 70b567c08e4d3130d566c3614f91cc66411ce7b2 # HEAD of "stable/kilo" as of 21.01.2016
|
||||
neutron_fwaas_git_dest: "/opt/neutron_fwaas_{{ neutron_fwaas_git_install_branch | replace('/', '_') }}"
|
||||
|
||||
|
||||
## Nova service
|
||||
nova_git_repo: https://git.openstack.org/openstack/nova
|
||||
nova_git_install_branch: fc932f1fbcf6199839c31918125d7fe775c4b5f6 # HEAD of "stable/kilo" as of 07.12.2015
|
||||
nova_git_install_branch: b974c6d1d5753f333d1d71f8190ddf3b4f8fbbf1 # HEAD of "stable/kilo" as of 21.01.2016
|
||||
nova_git_dest: "/opt/nova_{{ nova_git_install_branch | replace('/', '_') }}"
|
||||
|
||||
|
||||
## Swift service
|
||||
swift_git_repo: https://git.openstack.org/openstack/swift
|
||||
swift_git_install_branch: 2914514e2464c4a9227bbbf67f5a08eda7b7ad06 # HEAD of "stable/kilo" as of 07.12.2015
|
||||
swift_git_install_branch: 036c2f348d24c01c7a4deba3e44889c45270b46d # HEAD of "stable/kilo" as of 21.01.2016
|
||||
swift_git_dest: "/opt/swift_{{ swift_git_install_branch | replace('/', '_') }}"
|
||||
|
|
|
@ -15,5 +15,5 @@
|
|||
|
||||
## Git Source for python2-lxc library
|
||||
git_repo: https://github.com/lxc/python2-lxc
|
||||
git_install_branch: 0553f05d23b56b59bf3015fa5e45bfbfab9021ef # HEAD of "master" as of 21.10.2015
|
||||
git_install_branch: 0553f05d23b56b59bf3015fa5e45bfbfab9021ef # HEAD of "master" as of 21.01.2016
|
||||
git_dest: "/opt/lxc_python2_{{ git_install_branch|replace('/', '_') }}"
|
||||
|
|
|
@ -14,7 +14,7 @@
|
|||
# limitations under the License.
|
||||
|
||||
## OpenStack Source Code Release
|
||||
openstack_release: 11.2.7
|
||||
openstack_release: 11.2.8
|
||||
|
||||
# Global minimum kernel requirement
|
||||
openstack_host_required_kernel: 3.13.0-34-generic
|
||||
|
|
|
@ -104,9 +104,12 @@ ceilometer_service_names:
|
|||
|
||||
## Tunable overrides
|
||||
ceilometer_policy_overrides: {}
|
||||
ceilometer_rootwrap_conf_overrides: {}
|
||||
ceilometer_ceilometer_conf_overrides: {}
|
||||
ceilometer_api_paste_ini_overrides: {}
|
||||
ceilometer_event_definitions_yaml_overrides: {}
|
||||
ceilometer_event_pipeline_yaml_overrides: {}
|
||||
ceilometer_pipeline_yaml_overrides: {}
|
||||
ceilometer_deprecated_pipeline_yaml_overrides: {}
|
||||
ceilometer_gabbi_pipeline_yaml_overrides: {}
|
||||
|
||||
|
|
|
@ -0,0 +1,7 @@
|
|||
# ceilometer-rootwrap command filters for IPMI capable nodes
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
[Filters]
|
||||
# ceilometer/ipmi/nodemanager/node_manager.py: 'ipmitool'
|
||||
ipmitool: CommandFilter, ipmitool, root
|
||||
|
|
@ -31,6 +31,10 @@
|
|||
dest: "/etc/ceilometer/api_paste.ini"
|
||||
config_overrides: "{{ ceilometer_api_paste_ini_overrides }}"
|
||||
config_type: "ini"
|
||||
- src: "rootwrap.conf.j2"
|
||||
dest: "/etc/ceilometer/rootwrap.conf"
|
||||
config_overrides: "{{ ceilometer_rootwrap_conf_overrides }}"
|
||||
config_type: "ini"
|
||||
- src: "event_pipeline.yaml.j2"
|
||||
dest: "/etc/ceilometer/event_pipeline.yaml"
|
||||
config_overrides: "{{ ceilometer_event_pipeline_yaml_overrides }}"
|
||||
|
@ -43,6 +47,14 @@
|
|||
dest: "/etc/ceilometer/pipeline.yaml"
|
||||
config_overrides: "{{ ceilometer_pipeline_yaml_overrides }}"
|
||||
config_type: "yaml"
|
||||
- src: "deprecated_pipeline.yaml.j2"
|
||||
dest: "/etc/ceilometer/deprecated_pipeline.yaml"
|
||||
config_overrides: "{{ ceilometer_deprecated_pipeline_yaml_overrides }}"
|
||||
config_type: "yaml"
|
||||
- src: "gabbi_pipeline.yaml.j2"
|
||||
dest: "/etc/ceilometer/gabbi_pipeline.yaml"
|
||||
config_overrides: "{{ ceilometer_gabbi_pipeline_yaml_overrides }}"
|
||||
config_type: "yaml"
|
||||
- src: "policy.json.j2"
|
||||
dest: "/etc/ceilometer/policy.json"
|
||||
config_overrides: "{{ ceilometer_policy_overrides }}"
|
||||
|
@ -52,3 +64,15 @@
|
|||
- ceilometer-config
|
||||
- ceilometer-post-install
|
||||
|
||||
- name: Drop rootwrap filters
|
||||
copy:
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
owner: "{{ ceilometer_system_user_name }}"
|
||||
group: "{{ ceilometer_system_group_name }}"
|
||||
with_items:
|
||||
- { src: "rootwrap.d/ipmi.filters", dest: "/etc/ceilometer/rootwrap.d/ipmi.filters" }
|
||||
notify:
|
||||
- Restart ceilometer services
|
||||
tags:
|
||||
- ceilometer-config
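Review bot: The new "Drop rootwrap filters" task installs `rootwrap.d/ipmi.filters` with `owner: "{{ ceilometer_system_user_name }}"`, while the filter file added in this same commit states that it should be owned by, and only writeable by, the root user. A filter file the service account can rewrite no longer limits what that account may run as root, so I would set `owner: "root"` and `group: "root"` on this task and add an explicit `mode: "0644"`. The same check applies to the `rootwrap.conf.j2` entry added in the first hunk of this file and to the `- { path: "/etc/ceilometer/rootwrap.d" }` entry in the directory-creation hunk further down the page. Both take their owner and mode from task lines outside their hunks, so they need verifying against the full tasks.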
|
||||
|
|
|
@ -55,6 +55,7 @@
|
|||
mode: "{{ item.mode|default('0755') }}"
|
||||
with_items:
|
||||
- { path: "/etc/ceilometer" }
|
||||
- { path: "/etc/ceilometer/rootwrap.d" }
|
||||
- { path: "{{ ceilometer_system_user_home }}" }
|
||||
- { path: "{{ ceilometer_system_user_home }}/.ssh", mode: "0700" }
|
||||
- { path: "/var/cache/ceilometer", mode: "0700" }
|
||||
|
|
|
@ -15,3 +15,4 @@ paste.filter_factory = keystonemiddleware.auth_token:filter_factory
|
|||
|
||||
[filter:request_id]
|
||||
paste.filter_factory = oslo.middleware:RequestId.factory
|
||||
|
||||
|
|
|
@ -0,0 +1,73 @@
|
|||
---
|
||||
-
|
||||
name: meter_pipeline
|
||||
interval: 600
|
||||
meters:
|
||||
- "*"
|
||||
resources:
|
||||
transformers:
|
||||
publishers:
|
||||
- rpc://
|
||||
-
|
||||
name: cpu_pipeline
|
||||
interval: 600
|
||||
meters:
|
||||
- "cpu"
|
||||
transformers:
|
||||
- name: "rate_of_change"
|
||||
parameters:
|
||||
target:
|
||||
name: "cpu_util"
|
||||
unit: "%"
|
||||
type: "gauge"
|
||||
scale: "100.0 / (10**9 * (resource_metadata.cpu_number or 1))"
|
||||
publishers:
|
||||
- rpc://
|
||||
-
|
||||
name: disk_pipeline
|
||||
interval: 600
|
||||
meters:
|
||||
- "disk.read.bytes"
|
||||
- "disk.read.requests"
|
||||
- "disk.write.bytes"
|
||||
- "disk.write.requests"
|
||||
- "disk.device.read.bytes"
|
||||
- "disk.device.read.requests"
|
||||
- "disk.device.write.bytes"
|
||||
- "disk.device.write.requests"
|
||||
transformers:
|
||||
- name: "rate_of_change"
|
||||
parameters:
|
||||
source:
|
||||
map_from:
|
||||
name: "(disk\\.device|disk)\\.(read|write)\\.(bytes|requests)"
|
||||
unit: "(B|request)"
|
||||
target:
|
||||
map_to:
|
||||
name: "\\1.\\2.\\3.rate"
|
||||
unit: "\\1/s"
|
||||
type: "gauge"
|
||||
publishers:
|
||||
- rpc://
|
||||
-
|
||||
name: network_pipeline
|
||||
interval: 600
|
||||
meters:
|
||||
- "network.incoming.bytes"
|
||||
- "network.incoming.packets"
|
||||
- "network.outgoing.bytes"
|
||||
- "network.outgoing.packets"
|
||||
transformers:
|
||||
- name: "rate_of_change"
|
||||
parameters:
|
||||
source:
|
||||
map_from:
|
||||
name: "network\\.(incoming|outgoing)\\.(bytes|packets)"
|
||||
unit: "(B|packet)"
|
||||
target:
|
||||
map_to:
|
||||
name: "network.\\1.\\2.rate"
|
||||
unit: "\\1/s"
|
||||
type: "gauge"
|
||||
publishers:
|
||||
- rpc://
|
|
@ -366,4 +366,3 @@
|
|||
<<: *http_audit
|
||||
reason_code:
|
||||
fields: payload.reason.reasonCode
|
||||
|
||||
|
|
|
@ -0,0 +1,19 @@
|
|||
# A limited pipeline for use with the Gabbi spike.
|
||||
# direct writes to the the metering database without using an
|
||||
# intermediary dispatcher.
|
||||
#
|
||||
# This is one of several things that will need some extensive
|
||||
# tidying to be more right.
|
||||
---
|
||||
sources:
|
||||
- name: meter_source
|
||||
interval: 1
|
||||
meters:
|
||||
- "*"
|
||||
sinks:
|
||||
- meter_sink
|
||||
sinks:
|
||||
- name: meter_sink
|
||||
transformers:
|
||||
publishers:
|
||||
- direct://
|
|
@ -80,4 +80,3 @@ sinks:
|
|||
type: "gauge"
|
||||
publishers:
|
||||
- notifier://
|
||||
|
||||
|
|
|
@ -0,0 +1,27 @@
|
|||
# Configuration for ceilometer-rootwrap
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
[DEFAULT]
|
||||
# List of directories to load filter definitions from (separated by ',').
|
||||
# These directories MUST all be only writeable by root !
|
||||
filters_path=/etc/ceilometer/rootwrap.d,/usr/share/ceilometer/rootwrap
|
||||
|
||||
# List of directories to search executables in, in case filters do not
|
||||
# explicitely specify a full path (separated by ',')
|
||||
# If not specified, defaults to system PATH environment variable.
|
||||
# These directories MUST all be only writeable by root !
|
||||
exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin
|
||||
|
||||
# Enable logging to syslog
|
||||
# Default value is False
|
||||
use_syslog=False
|
||||
|
||||
# Which syslog facility to use.
|
||||
# Valid values include auth, authpriv, syslog, user0, user1...
|
||||
# Default value is 'syslog'
|
||||
syslog_log_facility=syslog
|
||||
|
||||
# Which messages to log.
|
||||
# INFO means log all usage
|
||||
# ERROR means only log unsuccessful attempts
|
||||
syslog_log_level=ERROR
|
|
@ -35,7 +35,7 @@
|
|||
dest: "/etc/cinder/rootwrap.conf"
|
||||
config_overrides: "{{ cinder_rootwrap_conf_overrides }}"
|
||||
config_type: "ini"
|
||||
- src: "policy.json"
|
||||
- src: "policy.json.j2"
|
||||
dest: "/etc/cinder/policy.json"
|
||||
config_overrides: "{{ cinder_policy_overrides }}"
|
||||
config_type: "json"
|
||||
|
|
|
@ -35,7 +35,7 @@ enabled = yes
|
|||
paste.filter_factory = cinder.api.middleware.auth:NoAuthMiddleware.factory
|
||||
|
||||
[filter:sizelimit]
|
||||
paste.filter_factory = oslo_middleware:RequestBodySizeLimiter.factory
|
||||
paste.filter_factory = cinder.api.middleware.sizelimit:RequestBodySizeLimiter.factory
|
||||
|
||||
[app:apiv1]
|
||||
paste.app_factory = cinder.api.v1.router:APIRouter.factory
|
||||
|
|
|
@ -0,0 +1,23 @@
|
|||
# Use this pipeline for no auth - DEFAULT
|
||||
[pipeline:glance-search]
|
||||
pipeline = unauthenticated-context rootapp
|
||||
|
||||
[pipeline:glance-search-keystone]
|
||||
pipeline = authtoken context rootapp
|
||||
|
||||
[composite:rootapp]
|
||||
paste.composite_factory = glance.api:root_app_factory
|
||||
/v0.1: apiv0_1app
|
||||
|
||||
[app:apiv0_1app]
|
||||
paste.app_factory = glance.search.api.v0_1.router:API.factory
|
||||
|
||||
[filter:unauthenticated-context]
|
||||
paste.filter_factory = glance.api.middleware.context:UnauthenticatedContextMiddleware.factory
|
||||
|
||||
[filter:authtoken]
|
||||
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
|
||||
delay_auth_decision = true
|
||||
|
||||
[filter:context]
|
||||
paste.filter_factory = glance.api.middleware.context:ContextMiddleware.factory
|
|
@ -1,7 +1,5 @@
|
|||
{
|
||||
"context_is_admin": "role:admin",
|
||||
"tenant_is_owner": "tenant:%(owner)s",
|
||||
"admin_or_owner": "role:admin OR rule:tenant_is_owner",
|
||||
"default": "",
|
||||
|
||||
"add_image": "",
|
||||
|
@ -9,7 +7,7 @@
|
|||
"get_image": "",
|
||||
"get_images": "",
|
||||
"modify_image": "",
|
||||
"publicize_image": "rule:admin_or_owner",
|
||||
"publicize_image": "role:admin",
|
||||
"copy_from": "",
|
||||
|
||||
"download_image": "",
|
||||
|
@ -19,11 +17,11 @@
|
|||
"get_image_location": "",
|
||||
"set_image_location": "",
|
||||
|
||||
"add_member": "rule:admin_or_owner",
|
||||
"delete_member": "rule:admin_or_owner",
|
||||
"add_member": "",
|
||||
"delete_member": "",
|
||||
"get_member": "",
|
||||
"get_members": "",
|
||||
"modify_member": "rule:admin_or_owner",
|
||||
"modify_member": "",
|
||||
|
||||
"manage_image_cache": "role:admin",
|
||||
|
||||
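Review bot: `add_member`, `delete_member` and `modify_member` appear to go from `rule:admin_or_owner` to `""`, and the `tenant_is_owner` / `admin_or_owner` rule definitions appear to be dropped in the first hunk, so at the policy layer any authenticated caller would pass these checks. That reading is inferred from the hunk counts and print order, because the page has lost its +/- markers. If the stricter values were a local hardening rather than an older upstream default, this sync has silently discarded them. They would be safer in a policy overrides variable of the kind the cinder and ceilometer roles on this page use (`cinder_policy_overrides`, `ceilometer_policy_overrides`) than in a template the updater script overwrites. Before relying on the empty rules, confirm that Glance's in-code ownership checks cover image membership at the pinned SHA.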
|
|
|
@ -101,4 +101,4 @@ paste.filter_factory = oslo.middleware.request_id:RequestId.factory
|
|||
[filter:osprofiler]
|
||||
paste.filter_factory = osprofiler.web:WsgiMiddleware.factory
|
||||
hmac_keys = {{ heat_profiler_hmac_key }}
|
||||
enabled = {{ heat_profiler_enabled }}
|
||||
enabled = yes
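Review bot: In `[filter:osprofiler]`, `enabled = {{ heat_profiler_enabled }}` appears to be replaced by a hard-coded `enabled = yes` (old and new sides inferred from print order), so the deployer variable no longer controls whether the profiler middleware is active. The updater script hunk at the end of this commit only re-templates `hmac_keys`, which would explain the overwrite and suggests later SHA bumps will repeat it. I would restore `enabled = {{ heat_profiler_enabled }}` here and have the updater preserve that line alongside the `hmac_keys` substitution.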
|
||||
|
|
|
@ -95,8 +95,8 @@ Resources:
|
|||
MasterUserPassword: {Ref: MasterUserPassword}
|
||||
WaitHandle: {Ref: WaitHandle}
|
||||
- |
|
||||
#!/usr/bin/env bash
|
||||
set -v
|
||||
#!/bin/bash -v
|
||||
#
|
||||
iptables -F
|
||||
|
||||
# Helper function
|
||||
|
|
|
@ -0,0 +1,17 @@
|
|||
# neutron-rootwrap command filters for nodes on which neutron is
|
||||
# expected to control network
|
||||
#
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
# format seems to be
|
||||
# cmd-name: filter-name, raw-command, user, args
|
||||
|
||||
[Filters]
|
||||
|
||||
# cisco-apic filters
|
||||
lldpctl: CommandFilter, lldpctl, root
|
||||
|
||||
# ip_lib filters
|
||||
ip: IpFilter, ip, root
|
||||
find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
|
||||
ip_exec: IpNetnsExecFilter, ip, root
|
|
@ -99,6 +99,7 @@
|
|||
- { src: "rootwrap.d/lbaas-haproxy.filters", dest: "/etc/neutron/rootwrap.d/lbaas-haproxy.filters" }
|
||||
- { src: "rootwrap.d/vpnaas.filters", dest: "/etc/neutron/rootwrap.d/vpnaas.filters" }
|
||||
- { src: "rootwrap.d/ebtables.filters", dest: "/etc/neutron/rootwrap.d/ebtables.filters" }
|
||||
- { src: "rootwrap.d/cisco-apic.filters", dest: "/etc/neutron/rootwrap.d/cisco-apic.filters" }
|
||||
notify:
|
||||
- Restart neutron services
|
||||
tags:
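Review bot: `rootwrap.d/cisco-apic.filters` is added to the list of filter files this task copies with no visible condition, so every host the task runs on gains the `lldpctl` root filter whether or not the Cisco APIC driver is deployed. Each file in `rootwrap.d` widens what the neutron service account may run as root, so I would gate this item on the driver being enabled, or add a comment above the list explaining why it is installed everywhere. The task's `copy:` arguments and any `when:` are outside the hunk, so the owner and mode this file receives still need checking against the root-only requirement stated in its header.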
|
||||
|
|
|
@ -31,6 +31,9 @@ qemu-nbd: CommandFilter, qemu-nbd, root
|
|||
# nova/virt/disk/mount/loop.py: 'losetup', '--detach', device
|
||||
losetup: CommandFilter, losetup, root
|
||||
|
||||
# nova/virt/disk/vfs/localfs.py: 'blkid', '-o', 'value', '-s', 'TYPE', device
|
||||
blkid: CommandFilter, blkid, root
|
||||
|
||||
# nova/virt/libvirt/utils.py: 'blockdev', '--getsize64', path
|
||||
# nova/virt/disk/mount/nbd.py: 'blockdev', '--flushbufs', device
|
||||
blockdev: RegExpFilter, blockdev, root, blockdev, (--getsize64|--flushbufs), /dev/.*
|
||||
|
@ -45,7 +48,6 @@ mkdir: CommandFilter, mkdir, root
|
|||
# nova/virt/libvirt/connection.py: 'chown', os.getuid( console_log
|
||||
# nova/virt/libvirt/connection.py: 'chown', os.getuid( console_log
|
||||
# nova/virt/libvirt/connection.py: 'chown', 'root', basepath('disk')
|
||||
# nova/utils.py: 'chown', owner_uid, path
|
||||
chown: CommandFilter, chown, root
|
||||
|
||||
# nova/virt/disk/vfs/localfs.py: 'chmod'
|
||||
|
@ -84,6 +86,9 @@ tunctl: CommandFilter, tunctl, root
|
|||
# nova/network/linux_net.py: 'ovs-vsctl', ....
|
||||
ovs-vsctl: CommandFilter, ovs-vsctl, root
|
||||
|
||||
# nova/virt/libvirt/vif.py: 'vrouter-port-control', ...
|
||||
vrouter-port-control: CommandFilter, vrouter-port-control, root
|
||||
|
||||
# nova/network/linux_net.py: 'ovs-ofctl', ....
|
||||
ovs-ofctl: CommandFilter, ovs-ofctl, root
|
||||
|
||||
|
@ -164,11 +169,9 @@ qemu-img: CommandFilter, qemu-img, root
|
|||
# nova/virt/disk/vfs/localfs.py: 'readlink', '-e'
|
||||
readlink: CommandFilter, readlink, root
|
||||
|
||||
# nova/virt/disk/api.py: 'touch', target
|
||||
touch: CommandFilter, touch, root
|
||||
|
||||
# nova/virt/disk/api.py:
|
||||
mkfs.ext3: CommandFilter, mkfs.ext3, root
|
||||
mkfs.ext4: CommandFilter, mkfs.ext4, root
|
||||
mkfs.ntfs: CommandFilter, mkfs.ntfs, root
|
||||
|
||||
# nova/virt/libvirt/connection.py:
|
||||
|
@ -203,7 +206,7 @@ systool: CommandFilter, systool, root
|
|||
# nova/virt/libvirt/volume.py:
|
||||
sginfo: CommandFilter, sginfo, root
|
||||
sg_scan: CommandFilter, sg_scan, root
|
||||
ln: RegExpFilter, ln, root, ln, --symbolic, --force, /dev/mapper/ip-.*-iscsi-iqn.2010-10.org.openstack:volume-.*, /dev/disk/by-path/ip-.*-iscsi-iqn.2010-10.org.openstack:volume-.*
|
||||
ln: RegExpFilter, ln, root, ln, --symbolic, --force, /dev/mapper/ip-.*-iscsi-iqn.*, /dev/disk/by-path/ip-.*-iscsi-iqn.*
|
||||
|
||||
# nova/volume/encryptors.py:
|
||||
# nova/virt/libvirt/dmcrypt.py:
|
||||
|
@ -226,3 +229,9 @@ cp: CommandFilter, cp, root
|
|||
|
||||
# nova/virt/xenapi/vm_utils.py:
|
||||
sync: CommandFilter, sync, root
|
||||
|
||||
# nova/virt/libvirt/imagebackend.py:
|
||||
ploop: CommandFilter, ploop, root
|
||||
|
||||
# nova/virt/libvirt/utils.py: 'xend', 'status'
|
||||
xend: CommandFilter, xend, root
|
||||
|
|
|
@ -182,5 +182,212 @@
|
|||
"network:create_private_dns_domain": "",
|
||||
"network:create_public_dns_domain": "",
|
||||
"network:delete_dns_domain": "",
|
||||
"network:attach_external_network": "rule:admin_api"
|
||||
"network:attach_external_network": "rule:admin_api",
|
||||
|
||||
"os_compute_api:servers:start": "rule:admin_or_owner",
|
||||
"os_compute_api:servers:stop": "rule:admin_or_owner",
|
||||
"os_compute_api:os-access-ips:discoverable": "",
|
||||
"os_compute_api:os-access-ips": "",
|
||||
"os_compute_api:os-admin-actions": "rule:admin_api",
|
||||
"os_compute_api:os-admin-actions:discoverable": "",
|
||||
"os_compute_api:os-admin-actions:reset_network": "rule:admin_api",
|
||||
"os_compute_api:os-admin-actions:inject_network_info": "rule:admin_api",
|
||||
"os_compute_api:os-admin-actions:reset_state": "rule:admin_api",
|
||||
"os_compute_api:os-admin-password": "",
|
||||
"os_compute_api:os-admin-password:discoverable": "",
|
||||
"os_compute_api:os-aggregates:discoverable": "",
|
||||
"os_compute_api:os-aggregates:index": "rule:admin_api",
|
||||
"os_compute_api:os-aggregates:create": "rule:admin_api",
|
||||
"os_compute_api:os-aggregates:show": "rule:admin_api",
|
||||
"os_compute_api:os-aggregates:update": "rule:admin_api",
|
||||
"os_compute_api:os-aggregates:delete": "rule:admin_api",
|
||||
"os_compute_api:os-aggregates:add_host": "rule:admin_api",
|
||||
"os_compute_api:os-aggregates:remove_host": "rule:admin_api",
|
||||
"os_compute_api:os-aggregates:set_metadata": "rule:admin_api",
|
||||
"os_compute_api:os-agents": "rule:admin_api",
|
||||
"os_compute_api:os-agents:discoverable": "",
|
||||
"os_compute_api:os-attach-interfaces": "",
|
||||
"os_compute_api:os-attach-interfaces:discoverable": "",
|
||||
"os_compute_api:os-baremetal-nodes": "rule:admin_api",
|
||||
"os_compute_api:os-baremetal-nodes:discoverable": "",
|
||||
"os_compute_api:os-block-device-mapping-v1:discoverable": "",
|
||||
"os_compute_api:os-cells": "rule:admin_api",
|
||||
"os_compute_api:os-cells:create": "rule:admin_api",
|
||||
"os_compute_api:os-cells:delete": "rule:admin_api",
|
||||
"os_compute_api:os-cells:update": "rule:admin_api",
|
||||
"os_compute_api:os-cells:sync_instances": "rule:admin_api",
|
||||
"os_compute_api:os-cells:discoverable": "",
|
||||
"os_compute_api:os-certificates:create": "",
|
||||
"os_compute_api:os-certificates:show": "",
|
||||
"os_compute_api:os-certificates:discoverable": "",
|
||||
"os_compute_api:os-cloudpipe": "rule:admin_api",
|
||||
"os_compute_api:os-cloudpipe:discoverable": "",
|
||||
"os_compute_api:os-consoles:discoverable": "",
|
||||
"os_compute_api:os-consoles:create": "",
|
||||
"os_compute_api:os-consoles:delete": "",
|
||||
"os_compute_api:os-consoles:index": "",
|
||||
"os_compute_api:os-consoles:show": "",
|
||||
"os_compute_api:os-console-output:discoverable": "",
|
||||
"os_compute_api:os-console-output": "",
|
||||
"os_compute_api:os-remote-consoles": "",
|
||||
"os_compute_api:os-remote-consoles:discoverable": "",
|
||||
"os_compute_api:os-create-backup:discoverable": "",
|
||||
"os_compute_api:os-create-backup": "rule:admin_or_owner",
|
||||
"os_compute_api:os-deferred-delete": "",
|
||||
"os_compute_api:os-deferred-delete:discoverable": "",
|
||||
"os_compute_api:os-disk-config": "",
|
||||
"os_compute_api:os-disk-config:discoverable": "",
|
||||
"os_compute_api:os-evacuate": "rule:admin_api",
|
||||
"os_compute_api:os-evacuate:discoverable": "",
|
||||
"os_compute_api:os-extended-server-attributes": "rule:admin_api",
|
||||
"os_compute_api:os-extended-server-attributes:discoverable": "",
|
||||
"os_compute_api:os-extended-status": "",
|
||||
"os_compute_api:os-extended-status:discoverable": "",
|
||||
"os_compute_api:os-extended-availability-zone": "",
|
||||
"os_compute_api:os-extended-availability-zone:discoverable": "",
|
||||
"os_compute_api:extension_info:discoverable": "",
|
||||
"os_compute_api:os-extended-volumes": "",
|
||||
"os_compute_api:os-extended-volumes:discoverable": "",
|
||||
"os_compute_api:os-fixed-ips": "rule:admin_api",
|
||||
"os_compute_api:os-fixed-ips:discoverable": "",
|
||||
"os_compute_api:os-flavor-access": "",
|
||||
"os_compute_api:os-flavor-access:discoverable": "",
|
||||
"os_compute_api:os-flavor-access:remove_tenant_access": "rule:admin_api",
|
||||
"os_compute_api:os-flavor-access:add_tenant_access": "rule:admin_api",
|
||||
"os_compute_api:os-flavor-rxtx": "",
|
||||
"os_compute_api:os-flavor-rxtx:discoverable": "",
|
||||
"os_compute_api:flavors:discoverable": "",
|
||||
"os_compute_api:os-flavor-extra-specs:discoverable": "",
|
||||
"os_compute_api:os-flavor-extra-specs:index": "",
|
||||
"os_compute_api:os-flavor-extra-specs:show": "",
|
||||
"os_compute_api:os-flavor-extra-specs:create": "rule:admin_api",
|
||||
"os_compute_api:os-flavor-extra-specs:update": "rule:admin_api",
|
||||
"os_compute_api:os-flavor-extra-specs:delete": "rule:admin_api",
|
||||
"os_compute_api:os-flavor-manage:discoverable": "",
|
||||
"os_compute_api:os-flavor-manage": "rule:admin_api",
|
||||
"os_compute_api:os-floating-ip-dns": "",
|
||||
"os_compute_api:os-floating-ip-dns:discoverable": "",
|
||||
"os_compute_api:os-floating-ip-pools": "",
|
||||
"os_compute_api:os-floating-ip-pools:discoverable": "",
|
||||
"os_compute_api:os-floating-ips": "",
|
||||
"os_compute_api:os-floating-ips:discoverable": "",
|
||||
"os_compute_api:os-floating-ips-bulk": "rule:admin_api",
|
||||
"os_compute_api:os-floating-ips-bulk:discoverable": "",
|
||||
"os_compute_api:os-fping": "",
|
||||
"os_compute_api:os-fping:discoverable": "",
|
||||
"os_compute_api:os-fping:all_tenants": "rule:admin_api",
|
||||
"os_compute_api:os-hide-server-addresses": "is_admin:False",
|
||||
"os_compute_api:os-hide-server-addresses:discoverable": "",
|
||||
"os_compute_api:os-hosts": "rule:admin_api",
|
||||
"os_compute_api:os-hosts:discoverable": "",
|
||||
"os_compute_api:os-hypervisors": "rule:admin_api",
|
||||
"os_compute_api:os-hypervisors:discoverable": "",
|
||||
"os_compute_api:images:discoverable": "",
|
||||
"os_compute_api:image-size": "",
|
||||
"os_compute_api:image-size:discoverable": "",
|
||||
"os_compute_api:os-instance-actions": "",
|
||||
"os_compute_api:os-instance-actions:discoverable": "",
|
||||
"os_compute_api:os-instance-actions:events": "rule:admin_api",
|
||||
"os_compute_api:os-instance-usage-audit-log": "rule:admin_api",
|
||||
"os_compute_api:os-instance-usage-audit-log:discoverable": "",
|
||||
"os_compute_api:ips:discoverable": "",
|
||||
"os_compute_api:ips:index": "rule:admin_or_owner",
|
||||
"os_compute_api:ips:show": "rule:admin_or_owner",
|
||||
"os_compute_api:os-keypairs:discoverable": "",
|
||||
"os_compute_api:os-keypairs": "",
|
||||
"os_compute_api:os-keypairs:index": "",
|
||||
"os_compute_api:os-keypairs:show": "",
|
||||
"os_compute_api:os-keypairs:create": "",
|
||||
"os_compute_api:os-keypairs:delete": "",
|
||||
"os_compute_api:limits:discoverable": "",
|
||||
"os_compute_api:os-lock-server:discoverable": "",
|
||||
"os_compute_api:os-lock-server:lock": "rule:admin_or_owner",
|
||||
"os_compute_api:os-lock-server:unlock": "rule:admin_or_owner",
|
||||
"os_compute_api:os-migrate-server:discoverable": "",
|
||||
"os_compute_api:os-migrate-server:migrate": "rule:admin_api",
|
||||
"os_compute_api:os-migrate-server:migrate_live": "rule:admin_api",
|
||||
"os_compute_api:os-multinic": "",
|
||||
"os_compute_api:os-multinic:discoverable": "",
|
||||
"os_compute_api:os-networks": "rule:admin_api",
|
||||
"os_compute_api:os-networks:view": "",
|
||||
"os_compute_api:os-networks:discoverable": "",
|
||||
"os_compute_api:os-networks-associate": "rule:admin_api",
|
||||
"os_compute_api:os-networks-associate:discoverable": "",
|
||||
"os_compute_api:os-pause-server:discoverable": "",
|
||||
"os_compute_api:os-pause-server:pause": "rule:admin_or_owner",
|
||||
"os_compute_api:os-pause-server:unpause": "rule:admin_or_owner",
|
||||
"os_compute_api:os-pci:pci_servers": "",
|
||||
"os_compute_api:os-pci:discoverable": "",
|
||||
"os_compute_api:os-pci:index": "rule:admin_api",
|
||||
"os_compute_api:os-pci:detail": "rule:admin_api",
|
||||
"os_compute_api:os-pci:show": "rule:admin_api",
|
||||
"os_compute_api:os-personality:discoverable": "",
|
||||
"os_compute_api:os-preserve-ephemeral-rebuild:discoverable": "",
|
||||
"os_compute_api:os-quota-sets:discoverable": "",
|
||||
"os_compute_api:os-quota-sets:show": "",
|
||||
"os_compute_api:os-quota-sets:update": "rule:admin_api",
|
||||
"os_compute_api:os-quota-sets:delete": "rule:admin_api",
|
||||
"os_compute_api:os-quota-sets:detail": "rule:admin_api",
|
||||
"os_compute_api:os-quota-class-sets": "",
|
||||
"os_compute_api:os-quota-class-sets:discoverable": "",
|
||||
"os_compute_api:os-rescue": "",
|
||||
"os_compute_api:os-rescue:discoverable": "",
|
||||
"os_compute_api:os-scheduler-hints:discoverable": "",
|
||||
"os_compute_api:os-security-group-default-rules:discoverable": "",
|
||||
"os_compute_api:os-security-group-default-rules": "rule:admin_api",
|
||||
"os_compute_api:os-security-groups": "",
|
||||
"os_compute_api:os-security-groups:discoverable": "",
|
||||
"os_compute_api:os-server-diagnostics": "rule:admin_api",
|
||||
"os_compute_api:os-server-diagnostics:discoverable": "",
|
||||
"os_compute_api:os-server-password": "",
|
||||
"os_compute_api:os-server-password:discoverable": "",
|
||||
"os_compute_api:os-server-usage": "",
|
||||
"os_compute_api:os-server-usage:discoverable": "",
|
||||
"os_compute_api:os-server-groups": "",
|
||||
"os_compute_api:os-server-groups:discoverable": "",
|
||||
"os_compute_api:os-services": "rule:admin_api",
|
||||
"os_compute_api:os-services:discoverable": "",
|
||||
"os_compute_api:server-metadata:discoverable": "",
|
||||
"os_compute_api:server-metadata:index": "rule:admin_or_owner",
|
||||
"os_compute_api:server-metadata:show": "rule:admin_or_owner",
|
||||
"os_compute_api:server-metadata:delete": "rule:admin_or_owner",
|
||||
"os_compute_api:server-metadata:create": "rule:admin_or_owner",
|
||||
"os_compute_api:server-metadata:update": "rule:admin_or_owner",
|
||||
"os_compute_api:server-metadata:update_all": "rule:admin_or_owner",
|
||||
"os_compute_api:servers:discoverable": "",
|
||||
"os_compute_api:os-shelve:shelve": "",
|
||||
"os_compute_api:os-shelve:shelve:discoverable": "",
|
||||
"os_compute_api:os-shelve:shelve_offload": "rule:admin_api",
|
||||
"os_compute_api:os-simple-tenant-usage:discoverable": "",
|
||||
"os_compute_api:os-simple-tenant-usage:show": "rule:admin_or_owner",
|
||||
"os_compute_api:os-simple-tenant-usage:list": "rule:admin_api",
|
||||
"os_compute_api:os-suspend-server:discoverable": "",
|
||||
"os_compute_api:os-suspend-server:suspend": "rule:admin_or_owner",
|
||||
"os_compute_api:os-suspend-server:resume": "rule:admin_or_owner",
|
||||
"os_compute_api:os-tenant-networks": "rule:admin_or_owner",
|
||||
"os_compute_api:os-tenant-networks:discoverable": "",
|
||||
"os_compute_api:os-shelve:unshelve": "",
|
||||
"os_compute_api:os-user-data:discoverable": "",
|
||||
"os_compute_api:os-virtual-interfaces": "",
|
||||
"os_compute_api:os-virtual-interfaces:discoverable": "",
|
||||
"os_compute_api:os-volumes": "",
|
||||
"os_compute_api:os-volumes:discoverable": "",
|
||||
"os_compute_api:os-volumes-attachments:index": "",
|
||||
"os_compute_api:os-volumes-attachments:show": "",
|
||||
"os_compute_api:os-volumes-attachments:create": "",
|
||||
"os_compute_api:os-volumes-attachments:update": "",
|
||||
"os_compute_api:os-volumes-attachments:delete": "",
|
||||
"os_compute_api:os-volumes-attachments:discoverable": "",
|
||||
"os_compute_api:os-availability-zone:list": "",
|
||||
"os_compute_api:os-availability-zone:discoverable": "",
|
||||
"os_compute_api:os-availability-zone:detail": "rule:admin_api",
|
||||
"os_compute_api:os-used-limits": "rule:admin_api",
|
||||
"os_compute_api:os-used-limits:discoverable": "",
|
||||
"os_compute_api:os-migrations:index": "rule:admin_api",
|
||||
"os_compute_api:os-migrations:discoverable": "",
|
||||
"os_compute_api:os-assisted-volume-snapshots:create": "rule:admin_api",
|
||||
"os_compute_api:os-assisted-volume-snapshots:delete": "rule:admin_api",
|
||||
"os_compute_api:os-assisted-volume-snapshots:discoverable": "",
|
||||
"os_compute_api:os-console-auth-tokens": "rule:admin_api",
|
||||
"os_compute_api:os-server-external-events:create": "rule:admin_api"
|
||||
}
|
||||
|
|
|
@ -17,7 +17,7 @@ exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin
|
|||
use_syslog=False
|
||||
|
||||
# Which syslog facility to use.
|
||||
# Valid values include auth, authpriv, syslog, user0, user1...
|
||||
# Valid values include auth, authpriv, syslog, local0, local1...
|
||||
# Default value is 'syslog'
|
||||
syslog_log_facility=syslog
|
||||
|
||||
|
|
|
@ -41,7 +41,7 @@ flavor_ref_alt = 202
|
|||
image_ssh_user = {{ tempest_compute_image_ssh_user }}
|
||||
image_ssh_password = {{ tempest_compute_image_ssh_password }}
|
||||
image_alt_ssh_user = {{ tempest_compute_image_alt_ssh_user }}
|
||||
ssh_auth_method = configured
|
||||
auth_method = keypair
|
||||
fixed_network_name = private
|
||||
endpoint_type = internalURL
|
||||
floating_ip_range = 10.0.0.0/29
|
||||
|
|
|
@ -5,7 +5,3 @@ pip>=6.0
|
|||
PrettyTable>=0.7,<0.8 # scripts/inventory-manage.py
|
||||
pycrypto>=2.6 # ansible
|
||||
PyYAML>=3.1.0 # ansible
|
||||
# Temporary pin of <2.0 for django-compressor:
|
||||
# https://bugs.launchpad.net/horizon/+bug/1532048
|
||||
# https://review.openstack.org/265025
|
||||
django_compressor>=1.4,<2.0
|
||||
|
|
|
@ -95,11 +95,11 @@ for repo in $(grep 'git_repo\:' ${SERVICE_FILE}); do
|
|||
cp {} "playbooks/roles/os_${repo_name}/templates/policy.json.j2" \;
|
||||
|
||||
# Tweak the paste files
|
||||
find ${repo_tmp_path}/etc -name "*-paste.ini" -exec \
|
||||
find ${repo_tmp_path}/etc -name "*[_-]paste.ini" -exec \
|
||||
sed -i.bak "s|hmac_keys = SECRET_KEY|hmac_keys = {{ ${repo_name}_profiler_hmac_key }}|" {} \;
|
||||
|
||||
# Update the paste files
|
||||
find ${repo_tmp_path}/etc -name "*-paste.ini" -exec \
|
||||
find ${repo_tmp_path}/etc -name "*[_-]paste.ini" -exec \
|
||||
bash -c "name=\"{}\"; cp \${name} \"playbooks/roles/os_${repo_name}/templates/\$(basename \${name}).j2\"" \;
|
||||
|
||||
# Update the rootwrap conf files
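Review bot: The second `find` changed here still hands its matches to `bash -c` with `{}` spliced into the command string, so a paste file name from a freshly cloned repository is parsed as shell code rather than passed as data. Widening the glob to `*[_-]paste.ini` enlarges the set of names that reach it. Pass the path as a positional argument instead: `bash -c 'cp -- "$1" "$2/$(basename -- "$1").j2"' _ {} "playbooks/roles/os_${repo_name}/templates" \;`, and quote `"${repo_tmp_path}/etc"` in both `find` calls. The enclosing `for repo in ...` loop starts and ends outside the hunk.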
|
||||
|
|