From ceca6ad96cb0c6f7a7a5135443cf424005023bf9 Mon Sep 17 00:00:00 2001 
From: portdirect Date: Tue, 27 Mar 2018 11:10:50 -0400 Subject: [PATCH] Neutron: Move all config to be directly values driven. This PS moves all the config files to be directly values driven, both simplifying over-ride and allowing configs to be targeted to pods in future work. Change-Id: Ifcbc19b17aa1d145f12ed1aed8b15a69ca045bb7 --- neutron/templates/configmap-etc.yaml | 29 +- neutron/templates/daemonset-dhcp-agent.yaml | 46 +-- neutron/templates/daemonset-l3-agent.yaml | 46 +-- neutron/templates/daemonset-lb-agent.yaml | 92 +---- .../templates/daemonset-metadata-agent.yaml | 46 +-- neutron/templates/daemonset-ovs-agent.yaml | 92 +---- neutron/templates/daemonset-sriov-agent.yaml | 92 +---- neutron/templates/etc/_neutron_sudoers.tpl | 20 - neutron/templates/etc/_rootwrap.conf.tpl | 34 -- .../etc/rootwrap.d/_debug.filters.tpl | 18 - .../etc/rootwrap.d/_dhcp.filters.tpl | 34 -- .../etc/rootwrap.d/_dibbler.filters.tpl | 16 - .../etc/rootwrap.d/_ebtables.filters.tpl | 11 - .../rootwrap.d/_ipset-firewall.filters.tpl | 12 - .../rootwrap.d/_iptables-firewall.filters.tpl | 27 -- .../templates/etc/rootwrap.d/_l3.filters.tpl | 52 --- .../_linuxbridge-plugin.filters.tpl | 28 -- .../etc/rootwrap.d/_netns-cleanup.filters.tpl | 12 - .../_openvswitch-plugin.filters.tpl | 24 -- neutron/values.yaml | 380 ++++++++++++++++-- 20 files changed, 433 insertions(+), 678 deletions(-) delete mode 100644 neutron/templates/etc/_neutron_sudoers.tpl delete mode 100644 neutron/templates/etc/_rootwrap.conf.tpl delete mode 100644 neutron/templates/etc/rootwrap.d/_debug.filters.tpl delete mode 100644 neutron/templates/etc/rootwrap.d/_dhcp.filters.tpl delete mode 100644 neutron/templates/etc/rootwrap.d/_dibbler.filters.tpl delete mode 100644 neutron/templates/etc/rootwrap.d/_ebtables.filters.tpl delete mode 100644 neutron/templates/etc/rootwrap.d/_ipset-firewall.filters.tpl delete mode 100644 neutron/templates/etc/rootwrap.d/_iptables-firewall.filters.tpl delete mode 100644 
neutron/templates/etc/rootwrap.d/_l3.filters.tpl delete mode 100644 neutron/templates/etc/rootwrap.d/_linuxbridge-plugin.filters.tpl delete mode 100644 neutron/templates/etc/rootwrap.d/_netns-cleanup.filters.tpl delete mode 100644 neutron/templates/etc/rootwrap.d/_openvswitch-plugin.filters.tpl diff --git a/neutron/templates/configmap-etc.yaml b/neutron/templates/configmap-etc.yaml index a05e638d77..d409c6e3ef 100644 --- a/neutron/templates/configmap-etc.yaml +++ b/neutron/templates/configmap-etc.yaml 
@@ -184,29 +184,14 @@ data: {{ include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.plugins.sriov_agent | indent 4 }} dnsmasq.conf: "" neutron_sudoers: | -{{- tuple $envAll.Values.conf.neutron_sudoers "etc/_neutron_sudoers.tpl" . | include "helm-toolkit.utils.configmap_templater" }} +{{ $envAll.Values.conf.neutron_sudoers | indent 4 }} rootwrap.conf: | -{{- tuple $envAll.Values.conf.rootwrap "etc/_rootwrap.conf.tpl" . | include "helm-toolkit.utils.configmap_templater" }} - debug.filters: | -{{- tuple $envAll.Values.conf.rootwrap_filters.debug "etc/rootwrap.d/_debug.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }} - dibbler.filters: | -{{- tuple $envAll.Values.conf.rootwrap_filters.dibbler "etc/rootwrap.d/_dibbler.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }} - ipset-firewall.filters: | -{{- tuple $envAll.Values.conf.rootwrap_filters.ipset_firewall "etc/rootwrap.d/_ipset-firewall.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }} - l3.filters: | -{{- tuple $envAll.Values.conf.rootwrap_filters.l3 "etc/rootwrap.d/_l3.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }} - netns-cleanup.filters: | -{{- tuple $envAll.Values.conf.rootwrap_filters.netns_cleanup "etc/rootwrap.d/_netns-cleanup.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }} - dhcp.filters: | -{{- tuple $envAll.Values.conf.rootwrap_filters.dhcp "etc/rootwrap.d/_dhcp.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }} - ebtables.filters: | -{{- tuple $envAll.Values.conf.rootwrap_filters.ebtables "etc/rootwrap.d/_ebtables.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }} - iptables-firewall.filters: | -{{- tuple $envAll.Values.conf.rootwrap_filters.iptables_firewall "etc/rootwrap.d/_iptables-firewall.filters.tpl" . 
| include "helm-toolkit.utils.configmap_templater" }} - linuxbridge-plugin.filters: | -{{- tuple $envAll.Values.conf.rootwrap_filters.linuxbridge_plugin "etc/rootwrap.d/_linuxbridge-plugin.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }} - openvswitch-plugin.filters: | -{{- tuple $envAll.Values.conf.rootwrap_filters.openvswitch_plugin "etc/rootwrap.d/_openvswitch-plugin.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }} +{{ $envAll.Values.conf.rootwrap | indent 4 }} +{{- range $key, $value := $envAll.Values.conf.rootwrap_filters }} +{{- $filePrefix := replace "_" "-" $key }} + {{ printf "%s.filters" $filePrefix }}: | +{{ $value.content | indent 4 }} +{{- end }} {{- end }} {{- end }} diff --git a/neutron/templates/daemonset-dhcp-agent.yaml b/neutron/templates/daemonset-dhcp-agent.yaml index 923d3e3a58..ab98e341a8 100644 --- a/neutron/templates/daemonset-dhcp-agent.yaml +++ b/neutron/templates/daemonset-dhcp-agent.yaml 
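Review bot: The `neutron_sudoers`, `rootwrap.conf` and every `rootwrap_filters` entry are now emitted verbatim from values with nothing in configmap-etc.yaml marking them as the root command allow-list for the neutron user, whereas the deleted `_neutron_sudoers.tpl` and `rootwrap.d/*.filters.tpl` files carried that context in their header comments. I would add a template comment above the `neutron_sudoers:` key, `{{/* neutron_sudoers, rootwrap.conf and rootwrap.d/*.filters together define which commands the neutron user may run as root; an override of conf.neutron_sudoers or conf.rootwrap_filters widens that boundary and deserves the same review as a securityContext change. */}}`. The `replace "_" "-" $key` plus `printf "%s.filters"` mapping is duplicated in each daemonset mount loop, and if the two drift a `subPath` will no longer resolve against the ConfigMap key, so a shared named template (or at least a comment naming the coupling) would be safer. The ConfigMap carries every filter's `content` regardless of `pods`, which looks intentional since only the daemonset mounts are gated; the values.yaml side of this change is not in this chunk, so whether every entry sets `content` cannot be checked here (a missing `content` would presumably fail `indent` at render time rather than ship an empty filter file).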
@@ -101,46 +101,16 @@ spec: mountPath: /etc/neutron/rootwrap.conf subPath: rootwrap.conf readOnly: true + {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }} + {{- if ( has "dhcp_agent" $value.pods ) }} + {{- $filePrefix := replace "_" "-" $key }} + {{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }} - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/debug.filters - subPath: debug.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/dibbler.filters - subPath: dibbler.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/ipset-firewall.filters - subPath: ipset-firewall.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/l3.filters - subPath: l3.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/netns-cleanup.filters - subPath: netns-cleanup.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/dhcp.filters - subPath: dhcp.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/ebtables.filters - subPath: ebtables.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/iptables-firewall.filters - subPath: iptables-firewall.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/linuxbridge-plugin.filters - subPath: linuxbridge-plugin.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters - subPath: openvswitch-plugin.filters + mountPath: {{ $rootwrapFile }} + subPath: {{ base $rootwrapFile }} readOnly: true + {{- end }} + {{- end }} - name: socket mountPath: /var/lib/neutron/openstack-helm {{ if $mounts_neutron_dhcp_agent.volumeMounts }}{{ toYaml $mounts_neutron_dhcp_agent.volumeMounts | indent 12 }}{{ end }} 
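Review bot: The new mount loop silently skips a filter whose `pods` list does not contain the exact string `dhcp_agent`, and nothing in the template documents which identifiers are valid, so a typo in a values override (and presumably an entry with no `pods` key at all) produces a pod whose rootwrap rejects the agent's commands at runtime instead of a render-time error. The same loop is repeated verbatim, differing only in the pod name, in daemonset-l3-agent.yaml, daemonset-lb-agent.yaml (both containers), daemonset-metadata-agent.yaml, daemonset-ovs-agent.yaml (both containers) and daemonset-sriov-agent.yaml (both containers). I would add a comment on the loop, `{{/* mount only the rootwrap filter files whose conf.rootwrap_filters.<name>.pods list names this pod; names used across the chart are dhcp_agent, l3_agent, lb_agent, metadata_agent, ovs_agent and sriov_agent */}}`, and consider hoisting the loop into a named template that takes the pod name so the identifier set and the key-to-filename mapping live in one place. Keeping `readOnly: true` on the generated mount is right, since the filter directory is required to be writable only by root. The enclosing container spec starts and ends outside the hunk.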
diff --git a/neutron/templates/daemonset-l3-agent.yaml b/neutron/templates/daemonset-l3-agent.yaml index 422feea159..bacbe04cf5 100644 --- a/neutron/templates/daemonset-l3-agent.yaml +++ b/neutron/templates/daemonset-l3-agent.yaml @@ -97,46 +97,16 @@ spec: mountPath: /etc/neutron/rootwrap.conf subPath: rootwrap.conf readOnly: true + {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }} + {{- if ( has "l3_agent" $value.pods ) }} + {{- $filePrefix := replace "_" "-" $key }} + {{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }} - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/debug.filters - subPath: debug.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/dibbler.filters - subPath: dibbler.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/ipset-firewall.filters - subPath: ipset-firewall.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/l3.filters - subPath: l3.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/netns-cleanup.filters - subPath: netns-cleanup.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/dhcp.filters - subPath: dhcp.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/ebtables.filters - subPath: ebtables.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/iptables-firewall.filters - subPath: iptables-firewall.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/linuxbridge-plugin.filters - subPath: linuxbridge-plugin.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters - subPath: openvswitch-plugin.filters + mountPath: {{ $rootwrapFile }} + subPath: {{ base $rootwrapFile }} readOnly: true + {{- end }} + {{- end }} - name: libmodules mountPath: /lib/modules readOnly: true 
diff --git a/neutron/templates/daemonset-lb-agent.yaml b/neutron/templates/daemonset-lb-agent.yaml index f58940ba87..821f2bb7ce 100644 --- a/neutron/templates/daemonset-lb-agent.yaml +++ b/neutron/templates/daemonset-lb-agent.yaml 
@@ -104,46 +104,16 @@ spec: mountPath: /etc/neutron/rootwrap.conf subPath: rootwrap.conf readOnly: true + {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }} + {{- if ( has "lb_agent" $value.pods ) }} + {{- $filePrefix := replace "_" "-" $key }} + {{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }} - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/debug.filters - subPath: debug.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/dibbler.filters - subPath: dibbler.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/ipset-firewall.filters - subPath: ipset-firewall.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/l3.filters - subPath: l3.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/netns-cleanup.filters - subPath: netns-cleanup.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/dhcp.filters - subPath: dhcp.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/ebtables.filters - subPath: ebtables.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/iptables-firewall.filters - subPath: iptables-firewall.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/linuxbridge-plugin.filters - subPath: linuxbridge-plugin.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters - subPath: openvswitch-plugin.filters + mountPath: {{ $rootwrapFile }} + subPath: {{ base $rootwrapFile }} readOnly: true + {{- end }} + {{- end }} - name: run mountPath: /run {{ if $mounts_neutron_lb_agent.volumeMounts }}{{ toYaml $mounts_neutron_lb_agent.volumeMounts | indent 12 }}{{ end }} 
@@ -193,46 +163,16 @@ spec: mountPath: /etc/neutron/rootwrap.conf subPath: rootwrap.conf readOnly: true + {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }} + {{- if ( has "lb_agent" $value.pods ) }} + {{- $filePrefix := replace "_" "-" $key }} + {{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }} - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/debug.filters - subPath: debug.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/dibbler.filters - subPath: dibbler.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/ipset-firewall.filters - subPath: ipset-firewall.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/l3.filters - subPath: l3.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/netns-cleanup.filters - subPath: netns-cleanup.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/dhcp.filters - subPath: dhcp.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/ebtables.filters - subPath: ebtables.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/iptables-firewall.filters - subPath: iptables-firewall.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/linuxbridge-plugin.filters - subPath: linuxbridge-plugin.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters - subPath: openvswitch-plugin.filters + mountPath: {{ $rootwrapFile }} + subPath: {{ base $rootwrapFile }} readOnly: true + {{- end }} + {{- end }} - name: run mountPath: /run {{ if $mounts_neutron_lb_agent.volumeMounts }}{{ toYaml $mounts_neutron_lb_agent.volumeMounts | indent 12 }}{{ end }} diff --git a/neutron/templates/daemonset-metadata-agent.yaml b/neutron/templates/daemonset-metadata-agent.yaml index e5b8332430..32dc87ac2b 100644 
--- a/neutron/templates/daemonset-metadata-agent.yaml +++ b/neutron/templates/daemonset-metadata-agent.yaml @@ -115,46 +115,16 @@ spec: mountPath: /etc/neutron/rootwrap.conf subPath: rootwrap.conf readOnly: true + {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }} + {{- if ( has "metadata_agent" $value.pods ) }} + {{- $filePrefix := replace "_" "-" $key }} + {{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }} - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/debug.filters - subPath: debug.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/dibbler.filters - subPath: dibbler.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/ipset-firewall.filters - subPath: ipset-firewall.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/l3.filters - subPath: l3.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/netns-cleanup.filters - subPath: netns-cleanup.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/dhcp.filters - subPath: dhcp.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/ebtables.filters - subPath: ebtables.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/iptables-firewall.filters - subPath: iptables-firewall.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/linuxbridge-plugin.filters - subPath: linuxbridge-plugin.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters - subPath: openvswitch-plugin.filters + mountPath: {{ $rootwrapFile }} + subPath: {{ base $rootwrapFile }} readOnly: true + {{- end }} + {{- end }} - name: socket mountPath: /var/lib/neutron/openstack-helm {{ if $mounts_neutron_metadata_agent.volumeMounts }}{{ toYaml $mounts_neutron_metadata_agent.volumeMounts | indent 12 }}{{ end }} 
diff --git a/neutron/templates/daemonset-ovs-agent.yaml b/neutron/templates/daemonset-ovs-agent.yaml index 3076232ae3..bde5b26f5f 100644 --- a/neutron/templates/daemonset-ovs-agent.yaml +++ b/neutron/templates/daemonset-ovs-agent.yaml 
@@ -104,46 +104,16 @@ spec: mountPath: /etc/neutron/rootwrap.conf subPath: rootwrap.conf readOnly: true + {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }} + {{- if ( has "ovs_agent" $value.pods ) }} + {{- $filePrefix := replace "_" "-" $key }} + {{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }} - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/debug.filters - subPath: debug.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/dibbler.filters - subPath: dibbler.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/ipset-firewall.filters - subPath: ipset-firewall.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/l3.filters - subPath: l3.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/netns-cleanup.filters - subPath: netns-cleanup.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/dhcp.filters - subPath: dhcp.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/ebtables.filters - subPath: ebtables.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/iptables-firewall.filters - subPath: iptables-firewall.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/linuxbridge-plugin.filters - subPath: linuxbridge-plugin.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters - subPath: openvswitch-plugin.filters + mountPath: {{ $rootwrapFile }} + subPath: {{ base $rootwrapFile }} readOnly: true + {{- end }} + {{- end }} - name: run mountPath: /run {{ if $mounts_neutron_ovs_agent.volumeMounts }}{{ toYaml $mounts_neutron_ovs_agent.volumeMounts | indent 12 }}{{ end }} 
@@ -195,46 +165,16 @@ spec: mountPath: /etc/neutron/rootwrap.conf subPath: rootwrap.conf readOnly: true + {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }} + {{- if ( has "ovs_agent" $value.pods ) }} + {{- $filePrefix := replace "_" "-" $key }} + {{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }} - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/debug.filters - subPath: debug.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/dibbler.filters - subPath: dibbler.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/ipset-firewall.filters - subPath: ipset-firewall.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/l3.filters - subPath: l3.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/netns-cleanup.filters - subPath: netns-cleanup.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/dhcp.filters - subPath: dhcp.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/ebtables.filters - subPath: ebtables.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/iptables-firewall.filters - subPath: iptables-firewall.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/linuxbridge-plugin.filters - subPath: linuxbridge-plugin.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters - subPath: openvswitch-plugin.filters + mountPath: {{ $rootwrapFile }} + subPath: {{ base $rootwrapFile }} readOnly: true + {{- end }} + {{- end }} - name: run mountPath: /run {{ if $mounts_neutron_ovs_agent.volumeMounts }}{{ toYaml $mounts_neutron_ovs_agent.volumeMounts | indent 12 }}{{ end }} diff --git a/neutron/templates/daemonset-sriov-agent.yaml b/neutron/templates/daemonset-sriov-agent.yaml index c0e5d474ac..97459a882c 100644 
--- a/neutron/templates/daemonset-sriov-agent.yaml +++ b/neutron/templates/daemonset-sriov-agent.yaml @@ -86,46 +86,16 @@ spec: mountPath: /etc/neutron/rootwrap.conf subPath: rootwrap.conf readOnly: true + {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }} + {{- if ( has "sriov_agent" $value.pods ) }} + {{- $filePrefix := replace "_" "-" $key }} + {{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }} - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/debug.filters - subPath: debug.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/dibbler.filters - subPath: dibbler.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/ipset-firewall.filters - subPath: ipset-firewall.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/l3.filters - subPath: l3.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/netns-cleanup.filters - subPath: netns-cleanup.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/dhcp.filters - subPath: dhcp.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/ebtables.filters - subPath: ebtables.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/iptables-firewall.filters - subPath: iptables-firewall.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/linuxbridge-plugin.filters - subPath: linuxbridge-plugin.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters - subPath: openvswitch-plugin.filters + mountPath: {{ $rootwrapFile }} + subPath: {{ base $rootwrapFile }} readOnly: true + {{- end }} + {{- end }} - name: run mountPath: /run {{ if $mounts_neutron_sriov_agent.volumeMounts }}{{ toYaml $mounts_neutron_sriov_agent.volumeMounts | indent 12 }}{{ end }} 
@@ -169,46 +139,16 @@ spec: mountPath: /etc/neutron/rootwrap.conf subPath: rootwrap.conf readOnly: true + {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }} + {{- if ( has "sriov_agent" $value.pods ) }} + {{- $filePrefix := replace "_" "-" $key }} + {{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }} - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/debug.filters - subPath: debug.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/dibbler.filters - subPath: dibbler.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/ipset-firewall.filters - subPath: ipset-firewall.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/l3.filters - subPath: l3.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/netns-cleanup.filters - subPath: netns-cleanup.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/dhcp.filters - subPath: dhcp.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/ebtables.filters - subPath: ebtables.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/iptables-firewall.filters - subPath: iptables-firewall.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/linuxbridge-plugin.filters - subPath: linuxbridge-plugin.filters - readOnly: true - - name: neutron-etc - mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters - subPath: openvswitch-plugin.filters + mountPath: {{ $rootwrapFile }} + subPath: {{ base $rootwrapFile }} readOnly: true + {{- end }} + {{- end }} - name: run mountPath: /run {{ if $mounts_neutron_sriov_agent.volumeMounts }}{{ toYaml $mounts_neutron_sriov_agent.volumeMounts | indent 12 }}{{ end }} 
diff --git a/neutron/templates/etc/_neutron_sudoers.tpl b/neutron/templates/etc/_neutron_sudoers.tpl deleted file mode 100644 index cf1f12aca6..0000000000 --- a/neutron/templates/etc/_neutron_sudoers.tpl +++ /dev/null @@ -1,20 +0,0 @@ -{{/* -Copyright 2017 The Openstack-Helm Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -# This sudoers file supports rootwrap for both Kolla and LOCI Images. -Defaults !requiretty -Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/var/lib/openstack/bin:/var/lib/kolla/venv/bin" -neutron ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *, /var/lib/openstack/bin/neutron-rootwrap /etc/neutron/rootwrap.conf * diff --git a/neutron/templates/etc/_rootwrap.conf.tpl b/neutron/templates/etc/_rootwrap.conf.tpl deleted file mode 100644 index 0e7c3c5789..0000000000 --- a/neutron/templates/etc/_rootwrap.conf.tpl +++ /dev/null 
@@ -1,34 +0,0 @@ -# Configuration for neutron-rootwrap -# This file should be owned by (and only-writeable by) the root user - -[DEFAULT] -# List of directories to load filter definitions from (separated by ','). -# These directories MUST all be only writeable by root ! -filters_path=/etc/neutron/rootwrap.d,/usr/share/neutron/rootwrap - -# List of directories to search executables in, in case filters do not -# explicitely specify a full path (separated by ',') -# If not specified, defaults to system PATH environment variable. -# These directories MUST all be only writeable by root ! -exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/var/lib/openstack/bin,/var/lib/kolla/venv/bin - -# Enable logging to syslog -# Default value is False -use_syslog=False - -# Which syslog facility to use. -# Valid values include auth, authpriv, syslog, local0, local1... -# Default value is 'syslog' -syslog_log_facility=syslog - -# Which messages to log. -# INFO means log all usage -# ERROR means only log unsuccessful attempts -syslog_log_level=ERROR - -[xenapi] -# XenAPI configuration is only required by the L2 agent if it is to -# target a XenServer/XCP compute host's dom0. -xenapi_connection_url= -xenapi_connection_username=root -xenapi_connection_password= diff --git a/neutron/templates/etc/rootwrap.d/_debug.filters.tpl b/neutron/templates/etc/rootwrap.d/_debug.filters.tpl deleted file mode 100644 index 89cb042a3a..0000000000 --- a/neutron/templates/etc/rootwrap.d/_debug.filters.tpl +++ /dev/null 
@@ -1,18 +0,0 @@ -# neutron-rootwrap command filters for nodes on which neutron is -# expected to control network -# -# This file should be owned by (and only-writeable by) the root user - -# format seems to be -# cmd-name: filter-name, raw-command, user, args - -[Filters] - -# This is needed because we should ping -# from inside a namespace which requires root -# _alt variants allow to match -c and -w in any order -# (used by NeutronDebugAgent.ping_all) -ping: RegExpFilter, ping, root, ping, -w, \d+, -c, \d+, [0-9\.]+ -ping_alt: RegExpFilter, ping, root, ping, -c, \d+, -w, \d+, [0-9\.]+ -ping6: RegExpFilter, ping6, root, ping6, -w, \d+, -c, \d+, [0-9A-Fa-f:]+ -ping6_alt: RegExpFilter, ping6, root, ping6, -c, \d+, -w, \d+, [0-9A-Fa-f:]+ diff --git a/neutron/templates/etc/rootwrap.d/_dhcp.filters.tpl b/neutron/templates/etc/rootwrap.d/_dhcp.filters.tpl deleted file mode 100644 index 3f06b4ae26..0000000000 --- a/neutron/templates/etc/rootwrap.d/_dhcp.filters.tpl +++ /dev/null 
@@ -1,34 +0,0 @@ -# neutron-rootwrap command filters for nodes on which neutron is -# expected to control network -# -# This file should be owned by (and only-writeable by) the root user - -# format seems to be -# cmd-name: filter-name, raw-command, user, args - -[Filters] - -# dhcp-agent -dnsmasq: CommandFilter, dnsmasq, root -# dhcp-agent uses kill as well, that's handled by the generic KillFilter -# it looks like these are the only signals needed, per -# neutron/agent/linux/dhcp.py -kill_dnsmasq: KillFilter, root, /sbin/dnsmasq, -9, -HUP, -15 -kill_dnsmasq_usr: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP, -15 - -ovs-vsctl: CommandFilter, ovs-vsctl, root -ivs-ctl: CommandFilter, ivs-ctl, root -mm-ctl: CommandFilter, mm-ctl, root -dhcp_release: CommandFilter, dhcp_release, root -dhcp_release6: CommandFilter, dhcp_release6, root - -# metadata proxy -metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root -# RHEL invocation of the metadata proxy will report /usr/bin/python -kill_metadata: KillFilter, root, python, -9 -kill_metadata7: KillFilter, root, python2.7, -9 - -# ip_lib -ip: IpFilter, ip, root -find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.* -ip_exec: IpNetnsExecFilter, ip, root diff --git a/neutron/templates/etc/rootwrap.d/_dibbler.filters.tpl b/neutron/templates/etc/rootwrap.d/_dibbler.filters.tpl deleted file mode 100644 index eea55252f3..0000000000 --- a/neutron/templates/etc/rootwrap.d/_dibbler.filters.tpl +++ /dev/null 
@@ -1,16 +0,0 @@ -# neutron-rootwrap command filters for nodes on which neutron is -# expected to control network -# -# This file should be owned by (and only-writeable by) the root user - -# format seems to be -# cmd-name: filter-name, raw-command, user, args - -[Filters] - -# Filters for the dibbler-based reference implementation of the pluggable -# Prefix Delegation driver. Other implementations using an alternative agent -# should include a similar filter in this folder. - -# prefix_delegation_agent -dibbler-client: CommandFilter, dibbler-client, root diff --git a/neutron/templates/etc/rootwrap.d/_ebtables.filters.tpl b/neutron/templates/etc/rootwrap.d/_ebtables.filters.tpl deleted file mode 100644 index 8e810e7b55..0000000000 --- a/neutron/templates/etc/rootwrap.d/_ebtables.filters.tpl +++ /dev/null @@ -1,11 +0,0 @@ -# neutron-rootwrap command filters for nodes on which neutron is -# expected to control network -# -# This file should be owned by (and only-writeable by) the root user - -# format seems to be -# cmd-name: filter-name, raw-command, user, args - -[Filters] - -ebtables: CommandFilter, ebtables, root diff --git a/neutron/templates/etc/rootwrap.d/_ipset-firewall.filters.tpl b/neutron/templates/etc/rootwrap.d/_ipset-firewall.filters.tpl deleted file mode 100644 index 52c66373b2..0000000000 --- a/neutron/templates/etc/rootwrap.d/_ipset-firewall.filters.tpl +++ /dev/null @@ -1,12 +0,0 @@ -# neutron-rootwrap command filters for nodes on which neutron is -# expected to control network -# -# This file should be owned by (and only-writeable by) the root user - -# format seems to be -# cmd-name: filter-name, raw-command, user, args - -[Filters] -# neutron/agent/linux/iptables_firewall.py -# "ipset", "-A", ... -ipset: CommandFilter, ipset, root diff --git a/neutron/templates/etc/rootwrap.d/_iptables-firewall.filters.tpl b/neutron/templates/etc/rootwrap.d/_iptables-firewall.filters.tpl deleted file mode 100644 index 0a81f9ddb4..0000000000 
--- a/neutron/templates/etc/rootwrap.d/_iptables-firewall.filters.tpl +++ /dev/null @@ -1,27 +0,0 @@ -# neutron-rootwrap command filters for nodes on which neutron is -# expected to control network -# -# This file should be owned by (and only-writeable by) the root user - -# format seems to be -# cmd-name: filter-name, raw-command, user, args - -[Filters] - -# neutron/agent/linux/iptables_firewall.py -# "iptables-save", ... -iptables-save: CommandFilter, iptables-save, root -iptables-restore: CommandFilter, iptables-restore, root -ip6tables-save: CommandFilter, ip6tables-save, root -ip6tables-restore: CommandFilter, ip6tables-restore, root - -# neutron/agent/linux/iptables_firewall.py -# "iptables", "-A", ... -iptables: CommandFilter, iptables, root -ip6tables: CommandFilter, ip6tables, root - -# neutron/agent/linux/iptables_firewall.py -sysctl: CommandFilter, sysctl, root - -# neutron/agent/linux/ip_conntrack.py -conntrack: CommandFilter, conntrack, root diff --git a/neutron/templates/etc/rootwrap.d/_l3.filters.tpl b/neutron/templates/etc/rootwrap.d/_l3.filters.tpl deleted file mode 100644 index 789a16f80e..0000000000 --- a/neutron/templates/etc/rootwrap.d/_l3.filters.tpl +++ /dev/null 
@@ -1,52 +0,0 @@
-# neutron-rootwrap command filters for nodes on which neutron is
-# expected to control network
-#
-# This file should be owned by (and only-writeable by) the root user
-
-# format seems to be
-# cmd-name: filter-name, raw-command, user, args
-
-[Filters]
-
-# arping
-arping: CommandFilter, arping, root
-
-# l3_agent
-sysctl: CommandFilter, sysctl, root
-route: CommandFilter, route, root
-radvd: CommandFilter, radvd, root
-
-# metadata proxy
-metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
-# RHEL invocation of the metadata proxy will report /usr/bin/python
-kill_metadata: KillFilter, root, python, -15, -9
-kill_metadata7: KillFilter, root, python2.7, -15, -9
-kill_radvd_usr: KillFilter, root, /usr/sbin/radvd, -15, -9, -HUP
-kill_radvd: KillFilter, root, /sbin/radvd, -15, -9, -HUP
-
-# ip_lib
-ip: IpFilter, ip, root
-find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
-ip_exec: IpNetnsExecFilter, ip, root
-
-# For ip monitor
-kill_ip_monitor: KillFilter, root, ip, -9
-
-# ovs_lib (if OVSInterfaceDriver is used)
-ovs-vsctl: CommandFilter, ovs-vsctl, root
-
-# iptables_manager
-iptables-save: CommandFilter, iptables-save, root
-iptables-restore: CommandFilter, iptables-restore, root
-ip6tables-save: CommandFilter, ip6tables-save, root
-ip6tables-restore: CommandFilter, ip6tables-restore, root
-
-# Keepalived
-keepalived: CommandFilter, keepalived, root
-kill_keepalived: KillFilter, root, /usr/sbin/keepalived, -HUP, -15, -9
-
-# l3 agent to delete floatingip's conntrack state
-conntrack: CommandFilter, conntrack, root
-
-# keepalived state change monitor
-keepalived_state_change: CommandFilter, neutron-keepalived-state-change, root
diff --git a/neutron/templates/etc/rootwrap.d/_linuxbridge-plugin.filters.tpl b/neutron/templates/etc/rootwrap.d/_linuxbridge-plugin.filters.tpl
deleted file mode 100644
index f0934357ba..0000000000
--- a/neutron/templates/etc/rootwrap.d/_linuxbridge-plugin.filters.tpl
+++ /dev/null
@@ -1,28 +0,0 @@
-# neutron-rootwrap command filters for nodes on which neutron is
-# expected to control network
-#
-# This file should be owned by (and only-writeable by) the root user
-
-# format seems to be
-# cmd-name: filter-name, raw-command, user, args
-
-[Filters]
-
-# linuxbridge-agent
-# unclear whether both variants are necessary, but I'm transliterating
-# from the old mechanism
-brctl: CommandFilter, brctl, root
-bridge: CommandFilter, bridge, root
-
-# ip_lib
-ip: IpFilter, ip, root
-find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
-ip_exec: IpNetnsExecFilter, ip, root
-
-# tc commands needed for QoS support
-tc_replace_tbf: RegExpFilter, tc, root, tc, qdisc, replace, dev, .+, root, tbf, rate, .+, latency, .+, burst, .+
-tc_add_ingress: RegExpFilter, tc, root, tc, qdisc, add, dev, .+, ingress, handle, .+
-tc_delete: RegExpFilter, tc, root, tc, qdisc, del, dev, .+, .+
-tc_show_qdisc: RegExpFilter, tc, root, tc, qdisc, show, dev, .+
-tc_show_filters: RegExpFilter, tc, root, tc, filter, show, dev, .+, parent, .+
-tc_add_filter: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, all, prio, .+, basic, police, rate, .+, burst, .+, mtu, .+, drop
diff --git a/neutron/templates/etc/rootwrap.d/_netns-cleanup.filters.tpl b/neutron/templates/etc/rootwrap.d/_netns-cleanup.filters.tpl
deleted file mode 100644
index 1ee142e54c..0000000000
--- a/neutron/templates/etc/rootwrap.d/_netns-cleanup.filters.tpl
+++ /dev/null
@@ -1,12 +0,0 @@
-# neutron-rootwrap command filters for nodes on which neutron is
-# expected to control network
-#
-# This file should be owned by (and only-writeable by) the root user
-
-# format seems to be
-# cmd-name: filter-name, raw-command, user, args
-
-[Filters]
-
-# netns-cleanup
-netstat: CommandFilter, netstat, root
diff --git a/neutron/templates/etc/rootwrap.d/_openvswitch-plugin.filters.tpl b/neutron/templates/etc/rootwrap.d/_openvswitch-plugin.filters.tpl
deleted file mode 100644
index c738733bb4..0000000000
--- a/neutron/templates/etc/rootwrap.d/_openvswitch-plugin.filters.tpl
+++ /dev/null
@@ -1,24 +0,0 @@
-# neutron-rootwrap command filters for nodes on which neutron is
-# expected to control network
-#
-# This file should be owned by (and only-writeable by) the root user
-
-# format seems to be
-# cmd-name: filter-name, raw-command, user, args
-
-[Filters]
-
-# openvswitch-agent
-# unclear whether both variants are necessary, but I'm transliterating
-# from the old mechanism
-ovs-vsctl: CommandFilter, ovs-vsctl, root
-# NOTE(yamamoto): of_interface=native doesn't use ovs-ofctl
-ovs-ofctl: CommandFilter, ovs-ofctl, root
-kill_ovsdb_client: KillFilter, root, /usr/bin/ovsdb-client, -9
-ovsdb-client: CommandFilter, ovsdb-client, root
-xe: CommandFilter, xe, root
-
-# ip_lib
-ip: IpFilter, ip, root
-find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
-ip_exec: IpNetnsExecFilter, ip, root
diff --git a/neutron/values.yaml b/neutron/values.yaml
index e44577395c..0db4d0f1fc 100644
--- a/neutron/values.yaml
+++ b/neutron/values.yaml
@@ -974,43 +974,371 @@ conf:
 get_subports: ''
 add_subports: rule:admin_or_owner
 remove_subports: rule:admin_or_owner
- neutron_sudoers:
- override:
- append:
- rootwrap:
- override:
- append:
+ neutron_sudoers: |
+ # This sudoers file supports rootwrap for both Kolla and LOCI Images.
+ Defaults !requiretty
+ Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/var/lib/openstack/bin:/var/lib/kolla/venv/bin"
+ neutron ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *, /var/lib/openstack/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *
+ rootwrap: |
+ # Configuration for neutron-rootwrap
+ # This file should be owned by (and only-writeable by) the root user
+
+ [DEFAULT]
+ # List of directories to load filter definitions from (separated by ',').
+ # These directories MUST all be only writeable by root !
+ filters_path=/etc/neutron/rootwrap.d,/usr/share/neutron/rootwrap
+
+ # List of directories to search executables in, in case filters do not
+ # explicitely specify a full path (separated by ',')
+ # If not specified, defaults to system PATH environment variable.
+ # These directories MUST all be only writeable by root !
+ exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/var/lib/openstack/bin,/var/lib/kolla/venv/bin
+
+ # Enable logging to syslog
+ # Default value is False
+ use_syslog=False
+
+ # Which syslog facility to use.
+ # Valid values include auth, authpriv, syslog, local0, local1...
+ # Default value is 'syslog'
+ syslog_log_facility=syslog
+
+ # Which messages to log.
+ # INFO means log all usage
+ # ERROR means only log unsuccessful attempts
+ syslog_log_level=ERROR
+
+ [xenapi]
+ # XenAPI configuration is only required by the L2 agent if it is to
+ # target a XenServer/XCP compute host's dom0.
+ xenapi_connection_url=
+ xenapi_connection_username=root
+ xenapi_connection_password=
 rootwrap_filters:
 debug:
- override:
- append:
+ pods:
+ - dhcp_agent
+ - l3_agent
+ - lb_agent
+ - metadata_agent
+ - ovs_agent
+ - sriov_agent
+ content: |
+ # neutron-rootwrap command filters for nodes on which neutron is
+ # expected to control network
+ #
+ # This file should be owned by (and only-writeable by) the root user
+
+ # format seems to be
+ # cmd-name: filter-name, raw-command, user, args
+
+ [Filters]
+
+ # This is needed because we should ping
+ # from inside a namespace which requires root
+ # _alt variants allow to match -c and -w in any order
+ # (used by NeutronDebugAgent.ping_all)
+ ping: RegExpFilter, ping, root, ping, -w, \d+, -c, \d+, [0-9\.]+
+ ping_alt: RegExpFilter, ping, root, ping, -c, \d+, -w, \d+, [0-9\.]+
+ ping6: RegExpFilter, ping6, root, ping6, -w, \d+, -c, \d+, [0-9A-Fa-f:]+
+ ping6_alt: RegExpFilter, ping6, root, ping6, -c, \d+, -w, \d+, [0-9A-Fa-f:]+
 dibbler:
- override:
- append:
+ pods:
+ - dhcp_agent
+ - l3_agent
+ - lb_agent
+ - metadata_agent
+ - ovs_agent
+ - sriov_agent
+ content: |
+ # neutron-rootwrap command filters for nodes on which neutron is
+ # expected to control network
+ #
+ # This file should be owned by (and only-writeable by) the root user
+
+ # format seems to be
+ # cmd-name: filter-name, raw-command, user, args
+
+ [Filters]
+
+ # Filters for the dibbler-based reference implementation of the pluggable
+ # Prefix Delegation driver. Other implementations using an alternative agent
+ # should include a similar filter in this folder.
+
+ # prefix_delegation_agent
+ dibbler-client: CommandFilter, dibbler-client, root
 ipset_firewall:
- override:
- append:
+ pods:
+ - dhcp_agent
+ - l3_agent
+ - lb_agent
+ - metadata_agent
+ - ovs_agent
+ - sriov_agent
+ content: |
+ # neutron-rootwrap command filters for nodes on which neutron is
+ # expected to control network
+ #
+ # This file should be owned by (and only-writeable by) the root user
+
+ # format seems to be
+ # cmd-name: filter-name, raw-command, user, args
+
+ [Filters]
+ # neutron/agent/linux/iptables_firewall.py
+ # "ipset", "-A", ...
+ ipset: CommandFilter, ipset, root
 l3:
- override:
- append:
+ pods:
+ - dhcp_agent
+ - l3_agent
+ - lb_agent
+ - metadata_agent
+ - ovs_agent
+ - sriov_agent
+ content: |
+ # neutron-rootwrap command filters for nodes on which neutron is
+ # expected to control network
+ #
+ # This file should be owned by (and only-writeable by) the root user
+
+ # format seems to be
+ # cmd-name: filter-name, raw-command, user, args
+
+ [Filters]
+
+ # arping
+ arping: CommandFilter, arping, root
+
+ # l3_agent
+ sysctl: CommandFilter, sysctl, root
+ route: CommandFilter, route, root
+ radvd: CommandFilter, radvd, root
+
+ # metadata proxy
+ metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
+ # RHEL invocation of the metadata proxy will report /usr/bin/python
+ kill_metadata: KillFilter, root, python, -15, -9
+ kill_metadata7: KillFilter, root, python2.7, -15, -9
+ kill_radvd_usr: KillFilter, root, /usr/sbin/radvd, -15, -9, -HUP
+ kill_radvd: KillFilter, root, /sbin/radvd, -15, -9, -HUP
+
+ # ip_lib
+ ip: IpFilter, ip, root
+ find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
+ ip_exec: IpNetnsExecFilter, ip, root
+
+ # For ip monitor
+ kill_ip_monitor: KillFilter, root, ip, -9
+
+ # ovs_lib (if OVSInterfaceDriver is used)
+ ovs-vsctl: CommandFilter, ovs-vsctl, root
+
+ # iptables_manager
+ iptables-save: CommandFilter, iptables-save, root
+ iptables-restore: CommandFilter, iptables-restore, root
+ ip6tables-save: CommandFilter, ip6tables-save, root
+ ip6tables-restore: CommandFilter, ip6tables-restore, root
+
+ # Keepalived
+ keepalived: CommandFilter, keepalived, root
+ kill_keepalived: KillFilter, root, /usr/sbin/keepalived, -HUP, -15, -9
+
+ # l3 agent to delete floatingip's conntrack state
+ conntrack: CommandFilter, conntrack, root
+
+ # keepalived state change monitor
+ keepalived_state_change: CommandFilter, neutron-keepalived-state-change, root
 netns_cleanup:
- override:
- append:
+ pods:
+ - dhcp_agent
+ - l3_agent
+ - lb_agent
+ - metadata_agent
+ - ovs_agent
+ - sriov_agent
+ content: |
+ # neutron-rootwrap command filters for nodes on which neutron is
+ # expected to control network
+ #
+ # This file should be owned by (and only-writeable by) the root user
+
+ # format seems to be
+ # cmd-name: filter-name, raw-command, user, args
+
+ [Filters]
+
+ # netns-cleanup
+ netstat: CommandFilter, netstat, root
 dhcp:
- override:
- append:
+ pods:
+ - dhcp_agent
+ - l3_agent
+ - lb_agent
+ - metadata_agent
+ - ovs_agent
+ - sriov_agent
+ content: |
+ # neutron-rootwrap command filters for nodes on which neutron is
+ # expected to control network
+ #
+ # This file should be owned by (and only-writeable by) the root user
+
+ # format seems to be
+ # cmd-name: filter-name, raw-command, user, args
+
+ [Filters]
+
+ # dhcp-agent
+ dnsmasq: CommandFilter, dnsmasq, root
+ # dhcp-agent uses kill as well, that's handled by the generic KillFilter
+ # it looks like these are the only signals needed, per
+ # neutron/agent/linux/dhcp.py
+ kill_dnsmasq: KillFilter, root, /sbin/dnsmasq, -9, -HUP, -15
+ kill_dnsmasq_usr: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP, -15
+
+ ovs-vsctl: CommandFilter, ovs-vsctl, root
+ ivs-ctl: CommandFilter, ivs-ctl, root
+ mm-ctl: CommandFilter, mm-ctl, root
+ dhcp_release: CommandFilter, dhcp_release, root
+ dhcp_release6: CommandFilter, dhcp_release6, root
+
+ # metadata proxy
+ metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
+ # RHEL invocation of the metadata proxy will report /usr/bin/python
+ kill_metadata: KillFilter, root, python, -9
+ kill_metadata7: KillFilter, root, python2.7, -9
+
+ # ip_lib
+ ip: IpFilter, ip, root
+ find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
+ ip_exec: IpNetnsExecFilter, ip, root
 ebtables:
- override:
- append:
+ pods:
+ - dhcp_agent
+ - l3_agent
+ - lb_agent
+ - metadata_agent
+ - ovs_agent
+ - sriov_agent
+ content: |
+ # neutron-rootwrap command filters for nodes on which neutron is
+ # expected to control network
+ #
+ # This file should be owned by (and only-writeable by) the root user
+
+ # format seems to be
+ # cmd-name: filter-name, raw-command, user, args
+
+ [Filters]
+
+ ebtables: CommandFilter, ebtables, root
 iptables_firewall:
- override:
- append:
+ pods:
+ - dhcp_agent
+ - l3_agent
+ - lb_agent
+ - metadata_agent
+ - ovs_agent
+ - sriov_agent
+ content: |
+ # neutron-rootwrap command filters for nodes on which neutron is
+ # expected to control network
+ #
+ # This file should be owned by (and only-writeable by) the root user
+
+ # format seems to be
+ # cmd-name: filter-name, raw-command, user, args
+
+ [Filters]
+
+ # neutron/agent/linux/iptables_firewall.py
+ # "iptables-save", ...
+ iptables-save: CommandFilter, iptables-save, root
+ iptables-restore: CommandFilter, iptables-restore, root
+ ip6tables-save: CommandFilter, ip6tables-save, root
+ ip6tables-restore: CommandFilter, ip6tables-restore, root
+
+ # neutron/agent/linux/iptables_firewall.py
+ # "iptables", "-A", ...
+ iptables: CommandFilter, iptables, root
+ ip6tables: CommandFilter, ip6tables, root
+
+ # neutron/agent/linux/iptables_firewall.py
+ sysctl: CommandFilter, sysctl, root
+
+ # neutron/agent/linux/ip_conntrack.py
+ conntrack: CommandFilter, conntrack, root
 linuxbridge_plugin:
- override:
- append:
+ pods:
+ - dhcp_agent
+ - l3_agent
+ - lb_agent
+ - metadata_agent
+ - ovs_agent
+ - sriov_agent
+ content: |
+ # neutron-rootwrap command filters for nodes on which neutron is
+ # expected to control network
+ #
+ # This file should be owned by (and only-writeable by) the root user
+
+ # format seems to be
+ # cmd-name: filter-name, raw-command, user, args
+
+ [Filters]
+
+ # linuxbridge-agent
+ # unclear whether both variants are necessary, but I'm transliterating
+ # from the old mechanism
+ brctl: CommandFilter, brctl, root
+ bridge: CommandFilter, bridge, root
+
+ # ip_lib
+ ip: IpFilter, ip, root
+ find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
+ ip_exec: IpNetnsExecFilter, ip, root
+
+ # tc commands needed for QoS support
+ tc_replace_tbf: RegExpFilter, tc, root, tc, qdisc, replace, dev, .+, root, tbf, rate, .+, latency, .+, burst, .+
+ tc_add_ingress: RegExpFilter, tc, root, tc, qdisc, add, dev, .+, ingress, handle, .+
+ tc_delete: RegExpFilter, tc, root, tc, qdisc, del, dev, .+, .+
+ tc_show_qdisc: RegExpFilter, tc, root, tc, qdisc, show, dev, .+
+ tc_show_filters: RegExpFilter, tc, root, tc, filter, show, dev, .+, parent, .+
+ tc_add_filter: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, all, prio, .+, basic, police, rate, .+, burst, .+, mtu, .+, drop
 openvswitch_plugin:
- override:
- append:
+ pods:
+ - dhcp_agent
+ - l3_agent
+ - lb_agent
+ - metadata_agent
+ - ovs_agent
+ - sriov_agent
+ content: |
+ # neutron-rootwrap command filters for nodes on which neutron is
+ # expected to control network
+ #
+ # This file should be owned by (and only-writeable by) the root user
+
+ # format seems to be
+ # cmd-name: filter-name, raw-command, user, args
+
+ [Filters]
+
+ # openvswitch-agent
+ # unclear whether both variants are necessary, but I'm transliterating
+ # from the old mechanism
+ ovs-vsctl: CommandFilter, ovs-vsctl, root
+ # NOTE(yamamoto): of_interface=native doesn't use ovs-ofctl
+ ovs-ofctl: CommandFilter, ovs-ofctl, root
+ kill_ovsdb_client: KillFilter, root, /usr/bin/ovsdb-client, -9
+ ovsdb-client: CommandFilter, ovsdb-client, root
+ xe: CommandFilter, xe, root
+
+ # ip_lib
+ ip: IpFilter, ip, root
+ find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
+ ip_exec: IpNetnsExecFilter, ip, root
 neutron:
 DEFAULT:
 #NOTE(portdirect): the bind port should not be defined, and is manipulated
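Review bot: Every `rootwrap_filters.*.pods` list in this hunk names all six agents, so each agent pod's rootwrap.d would carry the union of all ten filter files (the metadata and SR-IOV agents, for example, receive the l3, dhcp and linuxbridge filters, i.e. root-level command grants they have no apparent use for), and the new `pods` key is not documented anywhere in the hunk. A comment above `rootwrap_filters:` such as `# pods: agent pods whose /etc/neutron/rootwrap.d receives this filter file; keep each list to the agents that actually run the listed commands` would state the intent and the least-privilege expectation; whether configmap-etc.yaml already honours `pods` or it is reserved for the "future work" in the commit message is not visible in this chunk. Separately, `xenapi_connection_password=` now lives in values.yaml, where any operator-supplied value would presumably be rendered into the etc configmap rather than a Secret; a comment pointing that out, or sourcing the [xenapi] credentials from a secret-backed value, is worth considering.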