openstack/openstack-helm
Code Issues Proposed changes

Neutron: Move all config to be directly values driven.

Browse Source 
This PS moves all the config files to be directly values driven,
both simplifying over-ride and allowing configs to be targeted
to pods in future work.

Change-Id: Ifcbc19b17aa1d145f12ed1aed8b15a69ca045bb7
This commit is contained in:
portdirect 2018-03-27 11:10:50 -04:00
parent 757378fb7f
commit ceca6ad96c
20 changed files with 433 additions and 678 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
neutron/templates/configmap-etc.yaml
View File

@ -184,29 +184,14 @@ data:
{{ include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.plugins.sriov_agent | indent 4 }} {{ include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.plugins.sriov_agent | indent 4 }}
dnsmasq.conf: "" dnsmasq.conf: ""
neutron_sudoers: | neutron_sudoers: |
{{- tuple $envAll.Values.conf.neutron_sudoers "etc/_neutron_sudoers.tpl" . | include "helm-toolkit.utils.configmap_templater" }} {{ $envAll.Values.conf.neutron_sudoers | indent 4 }}
rootwrap.conf: | rootwrap.conf: |
{{- tuple $envAll.Values.conf.rootwrap "etc/_rootwrap.conf.tpl" . | include "helm-toolkit.utils.configmap_templater" }} {{ $envAll.Values.conf.rootwrap | indent 4 }}
debug.filters: | {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
{{- tuple $envAll.Values.conf.rootwrap_filters.debug "etc/rootwrap.d/_debug.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }} {{- $filePrefix := replace "_" "-" $key }}
dibbler.filters: | {{ printf "%s.filters" $filePrefix }}: |
{{- tuple $envAll.Values.conf.rootwrap_filters.dibbler "etc/rootwrap.d/_dibbler.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }} {{ $value.content | indent 4 }}
ipset-firewall.filters: | {{- end }}
{{- tuple $envAll.Values.conf.rootwrap_filters.ipset_firewall "etc/rootwrap.d/_ipset-firewall.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
l3.filters: |
{{- tuple $envAll.Values.conf.rootwrap_filters.l3 "etc/rootwrap.d/_l3.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
netns-cleanup.filters: |
{{- tuple $envAll.Values.conf.rootwrap_filters.netns_cleanup "etc/rootwrap.d/_netns-cleanup.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
dhcp.filters: |
{{- tuple $envAll.Values.conf.rootwrap_filters.dhcp "etc/rootwrap.d/_dhcp.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
ebtables.filters: |
{{- tuple $envAll.Values.conf.rootwrap_filters.ebtables "etc/rootwrap.d/_ebtables.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
iptables-firewall.filters: |
{{- tuple $envAll.Values.conf.rootwrap_filters.iptables_firewall "etc/rootwrap.d/_iptables-firewall.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
linuxbridge-plugin.filters: |
{{- tuple $envAll.Values.conf.rootwrap_filters.linuxbridge_plugin "etc/rootwrap.d/_linuxbridge-plugin.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
openvswitch-plugin.filters: |
{{- tuple $envAll.Values.conf.rootwrap_filters.openvswitch_plugin "etc/rootwrap.d/_openvswitch-plugin.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
{{- end }} {{- end }}
{{- end }} {{- end }}

46
neutron/templates/daemonset-dhcp-agent.yaml
View File

@ -101,46 +101,16 @@ spec:
mountPath: /etc/neutron/rootwrap.conf mountPath: /etc/neutron/rootwrap.conf
subPath: rootwrap.conf subPath: rootwrap.conf
readOnly: true readOnly: true
{{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
{{- if ( has "dhcp_agent" $value.pods ) }}
{{- $filePrefix := replace "_" "-" $key }}
{{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }}
- name: neutron-etc - name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/debug.filters mountPath: {{ $rootwrapFile }}
subPath: debug.filters subPath: {{ base $rootwrapFile }}
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/dibbler.filters
subPath: dibbler.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/ipset-firewall.filters
subPath: ipset-firewall.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/l3.filters
subPath: l3.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/netns-cleanup.filters
subPath: netns-cleanup.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/dhcp.filters
subPath: dhcp.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/ebtables.filters
subPath: ebtables.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/iptables-firewall.filters
subPath: iptables-firewall.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/linuxbridge-plugin.filters
subPath: linuxbridge-plugin.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters
subPath: openvswitch-plugin.filters
readOnly: true readOnly: true
{{- end }}
{{- end }}
- name: socket - name: socket
mountPath: /var/lib/neutron/openstack-helm mountPath: /var/lib/neutron/openstack-helm
{{ if $mounts_neutron_dhcp_agent.volumeMounts }}{{ toYaml $mounts_neutron_dhcp_agent.volumeMounts | indent 12 }}{{ end }} {{ if $mounts_neutron_dhcp_agent.volumeMounts }}{{ toYaml $mounts_neutron_dhcp_agent.volumeMounts | indent 12 }}{{ end }}

46
neutron/templates/daemonset-l3-agent.yaml
View File

@ -97,46 +97,16 @@ spec:
mountPath: /etc/neutron/rootwrap.conf mountPath: /etc/neutron/rootwrap.conf
subPath: rootwrap.conf subPath: rootwrap.conf
readOnly: true readOnly: true
{{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
{{- if ( has "l3_agent" $value.pods ) }}
{{- $filePrefix := replace "_" "-" $key }}
{{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }}
- name: neutron-etc - name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/debug.filters mountPath: {{ $rootwrapFile }}
subPath: debug.filters subPath: {{ base $rootwrapFile }}
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/dibbler.filters
subPath: dibbler.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/ipset-firewall.filters
subPath: ipset-firewall.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/l3.filters
subPath: l3.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/netns-cleanup.filters
subPath: netns-cleanup.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/dhcp.filters
subPath: dhcp.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/ebtables.filters
subPath: ebtables.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/iptables-firewall.filters
subPath: iptables-firewall.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/linuxbridge-plugin.filters
subPath: linuxbridge-plugin.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters
subPath: openvswitch-plugin.filters
readOnly: true readOnly: true
{{- end }}
{{- end }}
- name: libmodules - name: libmodules
mountPath: /lib/modules mountPath: /lib/modules
readOnly: true readOnly: true

92
neutron/templates/daemonset-lb-agent.yaml
View File

@ -104,46 +104,16 @@ spec:
mountPath: /etc/neutron/rootwrap.conf mountPath: /etc/neutron/rootwrap.conf
subPath: rootwrap.conf subPath: rootwrap.conf
readOnly: true readOnly: true
{{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
{{- if ( has "lb_agent" $value.pods ) }}
{{- $filePrefix := replace "_" "-" $key }}
{{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }}
- name: neutron-etc - name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/debug.filters mountPath: {{ $rootwrapFile }}
subPath: debug.filters subPath: {{ base $rootwrapFile }}
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/dibbler.filters
subPath: dibbler.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/ipset-firewall.filters
subPath: ipset-firewall.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/l3.filters
subPath: l3.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/netns-cleanup.filters
subPath: netns-cleanup.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/dhcp.filters
subPath: dhcp.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/ebtables.filters
subPath: ebtables.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/iptables-firewall.filters
subPath: iptables-firewall.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/linuxbridge-plugin.filters
subPath: linuxbridge-plugin.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters
subPath: openvswitch-plugin.filters
readOnly: true readOnly: true
{{- end }}
{{- end }}
- name: run - name: run
mountPath: /run mountPath: /run
{{ if $mounts_neutron_lb_agent.volumeMounts }}{{ toYaml $mounts_neutron_lb_agent.volumeMounts | indent 12 }}{{ end }} {{ if $mounts_neutron_lb_agent.volumeMounts }}{{ toYaml $mounts_neutron_lb_agent.volumeMounts | indent 12 }}{{ end }}
@ -193,46 +163,16 @@ spec:
mountPath: /etc/neutron/rootwrap.conf mountPath: /etc/neutron/rootwrap.conf
subPath: rootwrap.conf subPath: rootwrap.conf
readOnly: true readOnly: true
{{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
{{- if ( has "lb_agent" $value.pods ) }}
{{- $filePrefix := replace "_" "-" $key }}
{{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }}
- name: neutron-etc - name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/debug.filters mountPath: {{ $rootwrapFile }}
subPath: debug.filters subPath: {{ base $rootwrapFile }}
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/dibbler.filters
subPath: dibbler.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/ipset-firewall.filters
subPath: ipset-firewall.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/l3.filters
subPath: l3.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/netns-cleanup.filters
subPath: netns-cleanup.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/dhcp.filters
subPath: dhcp.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/ebtables.filters
subPath: ebtables.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/iptables-firewall.filters
subPath: iptables-firewall.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/linuxbridge-plugin.filters
subPath: linuxbridge-plugin.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters
subPath: openvswitch-plugin.filters
readOnly: true readOnly: true
{{- end }}
{{- end }}
- name: run - name: run
mountPath: /run mountPath: /run
{{ if $mounts_neutron_lb_agent.volumeMounts }}{{ toYaml $mounts_neutron_lb_agent.volumeMounts | indent 12 }}{{ end }} {{ if $mounts_neutron_lb_agent.volumeMounts }}{{ toYaml $mounts_neutron_lb_agent.volumeMounts | indent 12 }}{{ end }}

46
neutron/templates/daemonset-metadata-agent.yaml
View File

@ -115,46 +115,16 @@ spec:
mountPath: /etc/neutron/rootwrap.conf mountPath: /etc/neutron/rootwrap.conf
subPath: rootwrap.conf subPath: rootwrap.conf
readOnly: true readOnly: true
{{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
{{- if ( has "metadata_agent" $value.pods ) }}
{{- $filePrefix := replace "_" "-" $key }}
{{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }}
- name: neutron-etc - name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/debug.filters mountPath: {{ $rootwrapFile }}
subPath: debug.filters subPath: {{ base $rootwrapFile }}
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/dibbler.filters
subPath: dibbler.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/ipset-firewall.filters
subPath: ipset-firewall.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/l3.filters
subPath: l3.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/netns-cleanup.filters
subPath: netns-cleanup.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/dhcp.filters
subPath: dhcp.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/ebtables.filters
subPath: ebtables.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/iptables-firewall.filters
subPath: iptables-firewall.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/linuxbridge-plugin.filters
subPath: linuxbridge-plugin.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters
subPath: openvswitch-plugin.filters
readOnly: true readOnly: true
{{- end }}
{{- end }}
- name: socket - name: socket
mountPath: /var/lib/neutron/openstack-helm mountPath: /var/lib/neutron/openstack-helm
{{ if $mounts_neutron_metadata_agent.volumeMounts }}{{ toYaml $mounts_neutron_metadata_agent.volumeMounts | indent 12 }}{{ end }} {{ if $mounts_neutron_metadata_agent.volumeMounts }}{{ toYaml $mounts_neutron_metadata_agent.volumeMounts | indent 12 }}{{ end }}

92
neutron/templates/daemonset-ovs-agent.yaml
View File

@ -104,46 +104,16 @@ spec:
mountPath: /etc/neutron/rootwrap.conf mountPath: /etc/neutron/rootwrap.conf
subPath: rootwrap.conf subPath: rootwrap.conf
readOnly: true readOnly: true
{{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
{{- if ( has "ovs_agent" $value.pods ) }}
{{- $filePrefix := replace "_" "-" $key }}
{{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }}
- name: neutron-etc - name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/debug.filters mountPath: {{ $rootwrapFile }}
subPath: debug.filters subPath: {{ base $rootwrapFile }}
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/dibbler.filters
subPath: dibbler.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/ipset-firewall.filters
subPath: ipset-firewall.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/l3.filters
subPath: l3.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/netns-cleanup.filters
subPath: netns-cleanup.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/dhcp.filters
subPath: dhcp.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/ebtables.filters
subPath: ebtables.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/iptables-firewall.filters
subPath: iptables-firewall.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/linuxbridge-plugin.filters
subPath: linuxbridge-plugin.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters
subPath: openvswitch-plugin.filters
readOnly: true readOnly: true
{{- end }}
{{- end }}
- name: run - name: run
mountPath: /run mountPath: /run
{{ if $mounts_neutron_ovs_agent.volumeMounts }}{{ toYaml $mounts_neutron_ovs_agent.volumeMounts | indent 12 }}{{ end }} {{ if $mounts_neutron_ovs_agent.volumeMounts }}{{ toYaml $mounts_neutron_ovs_agent.volumeMounts | indent 12 }}{{ end }}
@ -195,46 +165,16 @@ spec:
mountPath: /etc/neutron/rootwrap.conf mountPath: /etc/neutron/rootwrap.conf
subPath: rootwrap.conf subPath: rootwrap.conf
readOnly: true readOnly: true
{{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
{{- if ( has "ovs_agent" $value.pods ) }}
{{- $filePrefix := replace "_" "-" $key }}
{{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }}
- name: neutron-etc - name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/debug.filters mountPath: {{ $rootwrapFile }}
subPath: debug.filters subPath: {{ base $rootwrapFile }}
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/dibbler.filters
subPath: dibbler.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/ipset-firewall.filters
subPath: ipset-firewall.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/l3.filters
subPath: l3.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/netns-cleanup.filters
subPath: netns-cleanup.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/dhcp.filters
subPath: dhcp.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/ebtables.filters
subPath: ebtables.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/iptables-firewall.filters
subPath: iptables-firewall.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/linuxbridge-plugin.filters
subPath: linuxbridge-plugin.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters
subPath: openvswitch-plugin.filters
readOnly: true readOnly: true
{{- end }}
{{- end }}
- name: run - name: run
mountPath: /run mountPath: /run
{{ if $mounts_neutron_ovs_agent.volumeMounts }}{{ toYaml $mounts_neutron_ovs_agent.volumeMounts | indent 12 }}{{ end }} {{ if $mounts_neutron_ovs_agent.volumeMounts }}{{ toYaml $mounts_neutron_ovs_agent.volumeMounts | indent 12 }}{{ end }}

92
neutron/templates/daemonset-sriov-agent.yaml
View File

@ -86,46 +86,16 @@ spec:
mountPath: /etc/neutron/rootwrap.conf mountPath: /etc/neutron/rootwrap.conf
subPath: rootwrap.conf subPath: rootwrap.conf
readOnly: true readOnly: true
{{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
{{- if ( has "sriov_agent" $value.pods ) }}
{{- $filePrefix := replace "_" "-" $key }}
{{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }}
- name: neutron-etc - name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/debug.filters mountPath: {{ $rootwrapFile }}
subPath: debug.filters subPath: {{ base $rootwrapFile }}
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/dibbler.filters
subPath: dibbler.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/ipset-firewall.filters
subPath: ipset-firewall.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/l3.filters
subPath: l3.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/netns-cleanup.filters
subPath: netns-cleanup.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/dhcp.filters
subPath: dhcp.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/ebtables.filters
subPath: ebtables.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/iptables-firewall.filters
subPath: iptables-firewall.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/linuxbridge-plugin.filters
subPath: linuxbridge-plugin.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters
subPath: openvswitch-plugin.filters
readOnly: true readOnly: true
{{- end }}
{{- end }}
- name: run - name: run
mountPath: /run mountPath: /run
{{ if $mounts_neutron_sriov_agent.volumeMounts }}{{ toYaml $mounts_neutron_sriov_agent.volumeMounts | indent 12 }}{{ end }} {{ if $mounts_neutron_sriov_agent.volumeMounts }}{{ toYaml $mounts_neutron_sriov_agent.volumeMounts | indent 12 }}{{ end }}
@ -169,46 +139,16 @@ spec:
mountPath: /etc/neutron/rootwrap.conf mountPath: /etc/neutron/rootwrap.conf
subPath: rootwrap.conf subPath: rootwrap.conf
readOnly: true readOnly: true
{{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
{{- if ( has "sriov_agent" $value.pods ) }}
{{- $filePrefix := replace "_" "-" $key }}
{{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }}
- name: neutron-etc - name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/debug.filters mountPath: {{ $rootwrapFile }}
subPath: debug.filters subPath: {{ base $rootwrapFile }}
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/dibbler.filters
subPath: dibbler.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/ipset-firewall.filters
subPath: ipset-firewall.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/l3.filters
subPath: l3.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/netns-cleanup.filters
subPath: netns-cleanup.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/dhcp.filters
subPath: dhcp.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/ebtables.filters
subPath: ebtables.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/iptables-firewall.filters
subPath: iptables-firewall.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/linuxbridge-plugin.filters
subPath: linuxbridge-plugin.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters
subPath: openvswitch-plugin.filters
readOnly: true readOnly: true
{{- end }}
{{- end }}
- name: run - name: run
mountPath: /run mountPath: /run
{{ if $mounts_neutron_sriov_agent.volumeMounts }}{{ toYaml $mounts_neutron_sriov_agent.volumeMounts | indent 12 }}{{ end }} {{ if $mounts_neutron_sriov_agent.volumeMounts }}{{ toYaml $mounts_neutron_sriov_agent.volumeMounts | indent 12 }}{{ end }}

20
neutron/templates/etc/_neutron_sudoers.tpl
View File

@ -1,20 +0,0 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
# This sudoers file supports rootwrap for both Kolla and LOCI Images.
Defaults !requiretty
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/var/lib/openstack/bin:/var/lib/kolla/venv/bin"
neutron ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *, /var/lib/openstack/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *

34
neutron/templates/etc/_rootwrap.conf.tpl
View File

@ -1,34 +0,0 @@
# Configuration for neutron-rootwrap
# This file should be owned by (and only-writeable by) the root user
[DEFAULT]
# List of directories to load filter definitions from (separated by ',').
# These directories MUST all be only writeable by root !
filters_path=/etc/neutron/rootwrap.d,/usr/share/neutron/rootwrap
# List of directories to search executables in, in case filters do not
# explicitely specify a full path (separated by ',')
# If not specified, defaults to system PATH environment variable.
# These directories MUST all be only writeable by root !
exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/var/lib/openstack/bin,/var/lib/kolla/venv/bin
# Enable logging to syslog
# Default value is False
use_syslog=False
# Which syslog facility to use.
# Valid values include auth, authpriv, syslog, local0, local1...
# Default value is 'syslog'
syslog_log_facility=syslog
# Which messages to log.
# INFO means log all usage
# ERROR means only log unsuccessful attempts
syslog_log_level=ERROR
[xenapi]
# XenAPI configuration is only required by the L2 agent if it is to
# target a XenServer/XCP compute host's dom0.
xenapi_connection_url=<None>
xenapi_connection_username=root
xenapi_connection_password=<None>

18
neutron/templates/etc/rootwrap.d/_debug.filters.tpl
View File

@ -1,18 +0,0 @@
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# This is needed because we should ping
# from inside a namespace which requires root
# _alt variants allow to match -c and -w in any order
# (used by NeutronDebugAgent.ping_all)
ping: RegExpFilter, ping, root, ping, -w, \d+, -c, \d+, [0-9\.]+
ping_alt: RegExpFilter, ping, root, ping, -c, \d+, -w, \d+, [0-9\.]+
ping6: RegExpFilter, ping6, root, ping6, -w, \d+, -c, \d+, [0-9A-Fa-f:]+
ping6_alt: RegExpFilter, ping6, root, ping6, -c, \d+, -w, \d+, [0-9A-Fa-f:]+

34
neutron/templates/etc/rootwrap.d/_dhcp.filters.tpl
View File

@ -1,34 +0,0 @@
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# dhcp-agent
dnsmasq: CommandFilter, dnsmasq, root
# dhcp-agent uses kill as well, that's handled by the generic KillFilter
# it looks like these are the only signals needed, per
# neutron/agent/linux/dhcp.py
kill_dnsmasq: KillFilter, root, /sbin/dnsmasq, -9, -HUP, -15
kill_dnsmasq_usr: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP, -15
ovs-vsctl: CommandFilter, ovs-vsctl, root
ivs-ctl: CommandFilter, ivs-ctl, root
mm-ctl: CommandFilter, mm-ctl, root
dhcp_release: CommandFilter, dhcp_release, root
dhcp_release6: CommandFilter, dhcp_release6, root
# metadata proxy
metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
# RHEL invocation of the metadata proxy will report /usr/bin/python
kill_metadata: KillFilter, root, python, -9
kill_metadata7: KillFilter, root, python2.7, -9
# ip_lib
ip: IpFilter, ip, root
find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
ip_exec: IpNetnsExecFilter, ip, root

16
neutron/templates/etc/rootwrap.d/_dibbler.filters.tpl
View File

@ -1,16 +0,0 @@
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# Filters for the dibbler-based reference implementation of the pluggable
# Prefix Delegation driver. Other implementations using an alternative agent
# should include a similar filter in this folder.
# prefix_delegation_agent
dibbler-client: CommandFilter, dibbler-client, root

11
neutron/templates/etc/rootwrap.d/_ebtables.filters.tpl
View File

@ -1,11 +0,0 @@
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
ebtables: CommandFilter, ebtables, root

12
neutron/templates/etc/rootwrap.d/_ipset-firewall.filters.tpl
View File

@ -1,12 +0,0 @@
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# neutron/agent/linux/iptables_firewall.py
# "ipset", "-A", ...
ipset: CommandFilter, ipset, root

27
neutron/templates/etc/rootwrap.d/_iptables-firewall.filters.tpl
View File

@ -1,27 +0,0 @@
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# neutron/agent/linux/iptables_firewall.py
# "iptables-save", ...
iptables-save: CommandFilter, iptables-save, root
iptables-restore: CommandFilter, iptables-restore, root
ip6tables-save: CommandFilter, ip6tables-save, root
ip6tables-restore: CommandFilter, ip6tables-restore, root
# neutron/agent/linux/iptables_firewall.py
# "iptables", "-A", ...
iptables: CommandFilter, iptables, root
ip6tables: CommandFilter, ip6tables, root
# neutron/agent/linux/iptables_firewall.py
sysctl: CommandFilter, sysctl, root
# neutron/agent/linux/ip_conntrack.py
conntrack: CommandFilter, conntrack, root

52
neutron/templates/etc/rootwrap.d/_l3.filters.tpl
View File

@ -1,52 +0,0 @@
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# arping
arping: CommandFilter, arping, root
# l3_agent
sysctl: CommandFilter, sysctl, root
route: CommandFilter, route, root
radvd: CommandFilter, radvd, root
# metadata proxy
metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
# RHEL invocation of the metadata proxy will report /usr/bin/python
kill_metadata: KillFilter, root, python, -15, -9
kill_metadata7: KillFilter, root, python2.7, -15, -9
kill_radvd_usr: KillFilter, root, /usr/sbin/radvd, -15, -9, -HUP
kill_radvd: KillFilter, root, /sbin/radvd, -15, -9, -HUP
# ip_lib
ip: IpFilter, ip, root
find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
ip_exec: IpNetnsExecFilter, ip, root
# For ip monitor
kill_ip_monitor: KillFilter, root, ip, -9
# ovs_lib (if OVSInterfaceDriver is used)
ovs-vsctl: CommandFilter, ovs-vsctl, root
# iptables_manager
iptables-save: CommandFilter, iptables-save, root
iptables-restore: CommandFilter, iptables-restore, root
ip6tables-save: CommandFilter, ip6tables-save, root
ip6tables-restore: CommandFilter, ip6tables-restore, root
# Keepalived
keepalived: CommandFilter, keepalived, root
kill_keepalived: KillFilter, root, /usr/sbin/keepalived, -HUP, -15, -9
# l3 agent to delete floatingip's conntrack state
conntrack: CommandFilter, conntrack, root
# keepalived state change monitor
keepalived_state_change: CommandFilter, neutron-keepalived-state-change, root

28
neutron/templates/etc/rootwrap.d/_linuxbridge-plugin.filters.tpl
View File

@ -1,28 +0,0 @@
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# linuxbridge-agent
# unclear whether both variants are necessary, but I'm transliterating
# from the old mechanism
brctl: CommandFilter, brctl, root
bridge: CommandFilter, bridge, root
# ip_lib
ip: IpFilter, ip, root
find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
ip_exec: IpNetnsExecFilter, ip, root
# tc commands needed for QoS support
tc_replace_tbf: RegExpFilter, tc, root, tc, qdisc, replace, dev, .+, root, tbf, rate, .+, latency, .+, burst, .+
tc_add_ingress: RegExpFilter, tc, root, tc, qdisc, add, dev, .+, ingress, handle, .+
tc_delete: RegExpFilter, tc, root, tc, qdisc, del, dev, .+, .+
tc_show_qdisc: RegExpFilter, tc, root, tc, qdisc, show, dev, .+
tc_show_filters: RegExpFilter, tc, root, tc, filter, show, dev, .+, parent, .+
tc_add_filter: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, all, prio, .+, basic, police, rate, .+, burst, .+, mtu, .+, drop

12
neutron/templates/etc/rootwrap.d/_netns-cleanup.filters.tpl
View File

@ -1,12 +0,0 @@
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# netns-cleanup
netstat: CommandFilter, netstat, root

24
neutron/templates/etc/rootwrap.d/_openvswitch-plugin.filters.tpl
View File

@ -1,24 +0,0 @@
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# openvswitch-agent
# unclear whether both variants are necessary, but I'm transliterating
# from the old mechanism
ovs-vsctl: CommandFilter, ovs-vsctl, root
# NOTE(yamamoto): of_interface=native doesn't use ovs-ofctl
ovs-ofctl: CommandFilter, ovs-ofctl, root
kill_ovsdb_client: KillFilter, root, /usr/bin/ovsdb-client, -9
ovsdb-client: CommandFilter, ovsdb-client, root
xe: CommandFilter, xe, root
# ip_lib
ip: IpFilter, ip, root
find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
ip_exec: IpNetnsExecFilter, ip, root

380
neutron/values.yaml
View File

@ -974,43 +974,371 @@ conf:
get_subports: '' get_subports: ''
add_subports: rule:admin_or_owner add_subports: rule:admin_or_owner
remove_subports: rule:admin_or_owner remove_subports: rule:admin_or_owner
neutron_sudoers: neutron_sudoers: |
override: # This sudoers file supports rootwrap for both Kolla and LOCI Images.
append: Defaults !requiretty
rootwrap: Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/var/lib/openstack/bin:/var/lib/kolla/venv/bin"
override: neutron ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *, /var/lib/openstack/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *
append: rootwrap: |
# Configuration for neutron-rootwrap
# This file should be owned by (and only-writeable by) the root user
[DEFAULT]
# List of directories to load filter definitions from (separated by ',').
# These directories MUST all be only writeable by root !
filters_path=/etc/neutron/rootwrap.d,/usr/share/neutron/rootwrap
# List of directories to search executables in, in case filters do not
# explicitely specify a full path (separated by ',')
# If not specified, defaults to system PATH environment variable.
# These directories MUST all be only writeable by root !
exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/var/lib/openstack/bin,/var/lib/kolla/venv/bin
# Enable logging to syslog
# Default value is False
use_syslog=False
# Which syslog facility to use.
# Valid values include auth, authpriv, syslog, local0, local1...
# Default value is 'syslog'
syslog_log_facility=syslog
# Which messages to log.
# INFO means log all usage
# ERROR means only log unsuccessful attempts
syslog_log_level=ERROR
[xenapi]
# XenAPI configuration is only required by the L2 agent if it is to
# target a XenServer/XCP compute host's dom0.
xenapi_connection_url=<None>
xenapi_connection_username=root
xenapi_connection_password=<None>
rootwrap_filters: rootwrap_filters:
debug: debug:
override: pods:
append: - dhcp_agent
- l3_agent
- lb_agent
- metadata_agent
- ovs_agent
- sriov_agent
content: |
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# This is needed because we should ping
# from inside a namespace which requires root
# _alt variants allow to match -c and -w in any order
# (used by NeutronDebugAgent.ping_all)
ping: RegExpFilter, ping, root, ping, -w, \d+, -c, \d+, [0-9\.]+
ping_alt: RegExpFilter, ping, root, ping, -c, \d+, -w, \d+, [0-9\.]+
ping6: RegExpFilter, ping6, root, ping6, -w, \d+, -c, \d+, [0-9A-Fa-f:]+
ping6_alt: RegExpFilter, ping6, root, ping6, -c, \d+, -w, \d+, [0-9A-Fa-f:]+
dibbler: dibbler:
override: pods:
append: - dhcp_agent
- l3_agent
- lb_agent
- metadata_agent
- ovs_agent
- sriov_agent
content: |
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# Filters for the dibbler-based reference implementation of the pluggable
# Prefix Delegation driver. Other implementations using an alternative agent
# should include a similar filter in this folder.
# prefix_delegation_agent
dibbler-client: CommandFilter, dibbler-client, root
ipset_firewall: ipset_firewall:
override: pods:
append: - dhcp_agent
- l3_agent
- lb_agent
- metadata_agent
- ovs_agent
- sriov_agent
content: |
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# neutron/agent/linux/iptables_firewall.py
# "ipset", "-A", ...
ipset: CommandFilter, ipset, root
l3: l3:
override: pods:
append: - dhcp_agent
- l3_agent
- lb_agent
- metadata_agent
- ovs_agent
- sriov_agent
content: |
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# arping
arping: CommandFilter, arping, root
# l3_agent
sysctl: CommandFilter, sysctl, root
route: CommandFilter, route, root
radvd: CommandFilter, radvd, root
# metadata proxy
metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
# RHEL invocation of the metadata proxy will report /usr/bin/python
kill_metadata: KillFilter, root, python, -15, -9
kill_metadata7: KillFilter, root, python2.7, -15, -9
kill_radvd_usr: KillFilter, root, /usr/sbin/radvd, -15, -9, -HUP
kill_radvd: KillFilter, root, /sbin/radvd, -15, -9, -HUP
# ip_lib
ip: IpFilter, ip, root
find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
ip_exec: IpNetnsExecFilter, ip, root
# For ip monitor
kill_ip_monitor: KillFilter, root, ip, -9
# ovs_lib (if OVSInterfaceDriver is used)
ovs-vsctl: CommandFilter, ovs-vsctl, root
# iptables_manager
iptables-save: CommandFilter, iptables-save, root
iptables-restore: CommandFilter, iptables-restore, root
ip6tables-save: CommandFilter, ip6tables-save, root
ip6tables-restore: CommandFilter, ip6tables-restore, root
# Keepalived
keepalived: CommandFilter, keepalived, root
kill_keepalived: KillFilter, root, /usr/sbin/keepalived, -HUP, -15, -9
# l3 agent to delete floatingip's conntrack state
conntrack: CommandFilter, conntrack, root
# keepalived state change monitor
keepalived_state_change: CommandFilter, neutron-keepalived-state-change, root
netns_cleanup: netns_cleanup:
override: pods:
append: - dhcp_agent
- l3_agent
- lb_agent
- metadata_agent
- ovs_agent
- sriov_agent
content: |
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# netns-cleanup
netstat: CommandFilter, netstat, root
dhcp: dhcp:
override: pods:
append: - dhcp_agent
- l3_agent
- lb_agent
- metadata_agent
- ovs_agent
- sriov_agent
content: |
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# dhcp-agent
dnsmasq: CommandFilter, dnsmasq, root
# dhcp-agent uses kill as well, that's handled by the generic KillFilter
# it looks like these are the only signals needed, per
# neutron/agent/linux/dhcp.py
kill_dnsmasq: KillFilter, root, /sbin/dnsmasq, -9, -HUP, -15
kill_dnsmasq_usr: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP, -15
ovs-vsctl: CommandFilter, ovs-vsctl, root
ivs-ctl: CommandFilter, ivs-ctl, root
mm-ctl: CommandFilter, mm-ctl, root
dhcp_release: CommandFilter, dhcp_release, root
dhcp_release6: CommandFilter, dhcp_release6, root
# metadata proxy
metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
# RHEL invocation of the metadata proxy will report /usr/bin/python
kill_metadata: KillFilter, root, python, -9
kill_metadata7: KillFilter, root, python2.7, -9
# ip_lib
ip: IpFilter, ip, root
find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
ip_exec: IpNetnsExecFilter, ip, root
ebtables: ebtables:
override: pods:
append: - dhcp_agent
- l3_agent
- lb_agent
- metadata_agent
- ovs_agent
- sriov_agent
content: |
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
ebtables: CommandFilter, ebtables, root
iptables_firewall: iptables_firewall:
override: pods:
append: - dhcp_agent
- l3_agent
- lb_agent
- metadata_agent
- ovs_agent
- sriov_agent
content: |
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# neutron/agent/linux/iptables_firewall.py
# "iptables-save", ...
iptables-save: CommandFilter, iptables-save, root
iptables-restore: CommandFilter, iptables-restore, root
ip6tables-save: CommandFilter, ip6tables-save, root
ip6tables-restore: CommandFilter, ip6tables-restore, root
# neutron/agent/linux/iptables_firewall.py
# "iptables", "-A", ...
iptables: CommandFilter, iptables, root
ip6tables: CommandFilter, ip6tables, root
# neutron/agent/linux/iptables_firewall.py
sysctl: CommandFilter, sysctl, root
# neutron/agent/linux/ip_conntrack.py
conntrack: CommandFilter, conntrack, root
linuxbridge_plugin: linuxbridge_plugin:
override: pods:
append: - dhcp_agent
- l3_agent
- lb_agent
- metadata_agent
- ovs_agent
- sriov_agent
content: |
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# linuxbridge-agent
# unclear whether both variants are necessary, but I'm transliterating
# from the old mechanism
brctl: CommandFilter, brctl, root
bridge: CommandFilter, bridge, root
# ip_lib
ip: IpFilter, ip, root
find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
ip_exec: IpNetnsExecFilter, ip, root
# tc commands needed for QoS support
tc_replace_tbf: RegExpFilter, tc, root, tc, qdisc, replace, dev, .+, root, tbf, rate, .+, latency, .+, burst, .+
tc_add_ingress: RegExpFilter, tc, root, tc, qdisc, add, dev, .+, ingress, handle, .+
tc_delete: RegExpFilter, tc, root, tc, qdisc, del, dev, .+, .+
tc_show_qdisc: RegExpFilter, tc, root, tc, qdisc, show, dev, .+
tc_show_filters: RegExpFilter, tc, root, tc, filter, show, dev, .+, parent, .+
tc_add_filter: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, all, prio, .+, basic, police, rate, .+, burst, .+, mtu, .+, drop
openvswitch_plugin: openvswitch_plugin:
override: pods:
append: - dhcp_agent
- l3_agent
- lb_agent
- metadata_agent
- ovs_agent
- sriov_agent
content: |
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# openvswitch-agent
# unclear whether both variants are necessary, but I'm transliterating
# from the old mechanism
ovs-vsctl: CommandFilter, ovs-vsctl, root
# NOTE(yamamoto): of_interface=native doesn't use ovs-ofctl
ovs-ofctl: CommandFilter, ovs-ofctl, root
kill_ovsdb_client: KillFilter, root, /usr/bin/ovsdb-client, -9
ovsdb-client: CommandFilter, ovsdb-client, root
xe: CommandFilter, xe, root
# ip_lib
ip: IpFilter, ip, root
find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
ip_exec: IpNetnsExecFilter, ip, root
neutron: neutron:
DEFAULT: DEFAULT:
#NOTE(portdirect): the bind port should not be defined, and is manipulated #NOTE(portdirect): the bind port should not be defined, and is manipulated