Neutron: Move all config to be directly values driven.
This PS moves all the config files to be directly values driven, which both simplifies overrides and allows configs to be targeted to specific pods in future work. Change-Id: Ifcbc19b17aa1d145f12ed1aed8b15a69ca045bb7
parent
757378fb7f
commit
ceca6ad96c
@ -184,29 +184,14 @@ data:
|
||||
{{ include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.plugins.sriov_agent | indent 4 }}
|
||||
dnsmasq.conf: ""
|
||||
neutron_sudoers: |
|
||||
{{- tuple $envAll.Values.conf.neutron_sudoers "etc/_neutron_sudoers.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||
{{ $envAll.Values.conf.neutron_sudoers | indent 4 }}
|
||||
rootwrap.conf: |
|
||||
{{- tuple $envAll.Values.conf.rootwrap "etc/_rootwrap.conf.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||
debug.filters: |
|
||||
{{- tuple $envAll.Values.conf.rootwrap_filters.debug "etc/rootwrap.d/_debug.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||
dibbler.filters: |
|
||||
{{- tuple $envAll.Values.conf.rootwrap_filters.dibbler "etc/rootwrap.d/_dibbler.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||
ipset-firewall.filters: |
|
||||
{{- tuple $envAll.Values.conf.rootwrap_filters.ipset_firewall "etc/rootwrap.d/_ipset-firewall.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||
l3.filters: |
|
||||
{{- tuple $envAll.Values.conf.rootwrap_filters.l3 "etc/rootwrap.d/_l3.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||
netns-cleanup.filters: |
|
||||
{{- tuple $envAll.Values.conf.rootwrap_filters.netns_cleanup "etc/rootwrap.d/_netns-cleanup.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||
dhcp.filters: |
|
||||
{{- tuple $envAll.Values.conf.rootwrap_filters.dhcp "etc/rootwrap.d/_dhcp.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||
ebtables.filters: |
|
||||
{{- tuple $envAll.Values.conf.rootwrap_filters.ebtables "etc/rootwrap.d/_ebtables.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||
iptables-firewall.filters: |
|
||||
{{- tuple $envAll.Values.conf.rootwrap_filters.iptables_firewall "etc/rootwrap.d/_iptables-firewall.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||
linuxbridge-plugin.filters: |
|
||||
{{- tuple $envAll.Values.conf.rootwrap_filters.linuxbridge_plugin "etc/rootwrap.d/_linuxbridge-plugin.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||
openvswitch-plugin.filters: |
|
||||
{{- tuple $envAll.Values.conf.rootwrap_filters.openvswitch_plugin "etc/rootwrap.d/_openvswitch-plugin.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||
{{ $envAll.Values.conf.rootwrap | indent 4 }}
|
||||
{{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
|
||||
{{- $filePrefix := replace "_" "-" $key }}
|
||||
{{ printf "%s.filters" $filePrefix }}: |
|
||||
{{ $value.content | indent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
|
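Review bot: The loop at `{{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}` emits a `<key>.filters` configmap entry for every key without checking that `$value.content` is set, so an override that only touches `pods` for a filter (or adds a key with no `content`) reaches `{{ $value.content | indent 4 }}` with a nil value — which, depending on the Helm version, is either a render error or an empty filter file that rootwrap will happily load from the rootwrap.d directory. Since these entries, together with `neutron_sudoers` and `rootwrap`, are the privilege boundary between the neutron user and root and now arrive verbatim from values, the template should fail loudly rather than ship an empty or malformed file: `{{ required (printf "conf.rootwrap_filters.%s.content must be set" $key) $value.content | indent 4 }}`, or wrap the entry in `{{- if $value.content }}` … `{{- end }}` if omitting it is intended. The new `conf.rootwrap_filters.<name>.pods` / `.content` layout also needs a comment in values.yaml (outside this diff) stating that `pods` only controls which daemonsets mount the file, not whether it is rendered into the configmap.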
@ -101,46 +101,16 @@ spec:
|
||||
mountPath: /etc/neutron/rootwrap.conf
|
||||
subPath: rootwrap.conf
|
||||
readOnly: true
|
||||
{{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
|
||||
{{- if ( has "dhcp_agent" $value.pods ) }}
|
||||
{{- $filePrefix := replace "_" "-" $key }}
|
||||
{{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }}
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/debug.filters
|
||||
subPath: debug.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/dibbler.filters
|
||||
subPath: dibbler.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/ipset-firewall.filters
|
||||
subPath: ipset-firewall.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/l3.filters
|
||||
subPath: l3.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/netns-cleanup.filters
|
||||
subPath: netns-cleanup.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/dhcp.filters
|
||||
subPath: dhcp.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/ebtables.filters
|
||||
subPath: ebtables.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/iptables-firewall.filters
|
||||
subPath: iptables-firewall.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/linuxbridge-plugin.filters
|
||||
subPath: linuxbridge-plugin.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters
|
||||
subPath: openvswitch-plugin.filters
|
||||
mountPath: {{ $rootwrapFile }}
|
||||
subPath: {{ base $rootwrapFile }}
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
- name: socket
|
||||
mountPath: /var/lib/neutron/openstack-helm
|
||||
{{ if $mounts_neutron_dhcp_agent.volumeMounts }}{{ toYaml $mounts_neutron_dhcp_agent.volumeMounts | indent 12 }}{{ end }}
|
||||
|
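Review bot: The pod selector at `{{- if ( has "dhcp_agent" $value.pods ) }}` is a free-form string literal with no shared definition, and the same applies to `"l3_agent"`, `"lb_agent"`, `"metadata_agent"`, `"ovs_agent"` and `"sriov_agent"` in the corresponding hunks of the other daemonset templates; a misspelled entry in `conf.rootwrap_filters.<name>.pods` silently mounts nothing and only surfaces at runtime as a rootwrap denial in that agent. Each of those hunks also re-derives the file name with `{{- $filePrefix := replace "_" "-" $key }}` and `{{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }}`, duplicating the key-to-filename rule the configmap template uses for `{{ printf "%s.filters" $filePrefix }}`; if the two ever diverge the `subPath` names a key the configmap does not carry and the container should fail to start. Consider a single named template (for example `{{- define "neutron.rootwrap_filter_mounts" -}}` taking the pod name) that both the configmap and every daemonset call, so the filename rule and the set of valid pod names live in one place. The enclosing `volumeMounts` list and its container definition start outside the hunk.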
@ -97,46 +97,16 @@ spec:
|
||||
mountPath: /etc/neutron/rootwrap.conf
|
||||
subPath: rootwrap.conf
|
||||
readOnly: true
|
||||
{{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
|
||||
{{- if ( has "l3_agent" $value.pods ) }}
|
||||
{{- $filePrefix := replace "_" "-" $key }}
|
||||
{{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }}
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/debug.filters
|
||||
subPath: debug.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/dibbler.filters
|
||||
subPath: dibbler.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/ipset-firewall.filters
|
||||
subPath: ipset-firewall.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/l3.filters
|
||||
subPath: l3.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/netns-cleanup.filters
|
||||
subPath: netns-cleanup.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/dhcp.filters
|
||||
subPath: dhcp.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/ebtables.filters
|
||||
subPath: ebtables.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/iptables-firewall.filters
|
||||
subPath: iptables-firewall.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/linuxbridge-plugin.filters
|
||||
subPath: linuxbridge-plugin.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters
|
||||
subPath: openvswitch-plugin.filters
|
||||
mountPath: {{ $rootwrapFile }}
|
||||
subPath: {{ base $rootwrapFile }}
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
- name: libmodules
|
||||
mountPath: /lib/modules
|
||||
readOnly: true
|
||||
|
@ -104,46 +104,16 @@ spec:
|
||||
mountPath: /etc/neutron/rootwrap.conf
|
||||
subPath: rootwrap.conf
|
||||
readOnly: true
|
||||
{{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
|
||||
{{- if ( has "lb_agent" $value.pods ) }}
|
||||
{{- $filePrefix := replace "_" "-" $key }}
|
||||
{{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }}
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/debug.filters
|
||||
subPath: debug.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/dibbler.filters
|
||||
subPath: dibbler.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/ipset-firewall.filters
|
||||
subPath: ipset-firewall.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/l3.filters
|
||||
subPath: l3.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/netns-cleanup.filters
|
||||
subPath: netns-cleanup.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/dhcp.filters
|
||||
subPath: dhcp.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/ebtables.filters
|
||||
subPath: ebtables.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/iptables-firewall.filters
|
||||
subPath: iptables-firewall.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/linuxbridge-plugin.filters
|
||||
subPath: linuxbridge-plugin.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters
|
||||
subPath: openvswitch-plugin.filters
|
||||
mountPath: {{ $rootwrapFile }}
|
||||
subPath: {{ base $rootwrapFile }}
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
- name: run
|
||||
mountPath: /run
|
||||
{{ if $mounts_neutron_lb_agent.volumeMounts }}{{ toYaml $mounts_neutron_lb_agent.volumeMounts | indent 12 }}{{ end }}
|
||||
@ -193,46 +163,16 @@ spec:
|
||||
mountPath: /etc/neutron/rootwrap.conf
|
||||
subPath: rootwrap.conf
|
||||
readOnly: true
|
||||
{{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
|
||||
{{- if ( has "lb_agent" $value.pods ) }}
|
||||
{{- $filePrefix := replace "_" "-" $key }}
|
||||
{{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }}
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/debug.filters
|
||||
subPath: debug.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/dibbler.filters
|
||||
subPath: dibbler.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/ipset-firewall.filters
|
||||
subPath: ipset-firewall.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/l3.filters
|
||||
subPath: l3.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/netns-cleanup.filters
|
||||
subPath: netns-cleanup.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/dhcp.filters
|
||||
subPath: dhcp.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/ebtables.filters
|
||||
subPath: ebtables.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/iptables-firewall.filters
|
||||
subPath: iptables-firewall.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/linuxbridge-plugin.filters
|
||||
subPath: linuxbridge-plugin.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters
|
||||
subPath: openvswitch-plugin.filters
|
||||
mountPath: {{ $rootwrapFile }}
|
||||
subPath: {{ base $rootwrapFile }}
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
- name: run
|
||||
mountPath: /run
|
||||
{{ if $mounts_neutron_lb_agent.volumeMounts }}{{ toYaml $mounts_neutron_lb_agent.volumeMounts | indent 12 }}{{ end }}
|
||||
|
@ -115,46 +115,16 @@ spec:
|
||||
mountPath: /etc/neutron/rootwrap.conf
|
||||
subPath: rootwrap.conf
|
||||
readOnly: true
|
||||
{{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
|
||||
{{- if ( has "metadata_agent" $value.pods ) }}
|
||||
{{- $filePrefix := replace "_" "-" $key }}
|
||||
{{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }}
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/debug.filters
|
||||
subPath: debug.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/dibbler.filters
|
||||
subPath: dibbler.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/ipset-firewall.filters
|
||||
subPath: ipset-firewall.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/l3.filters
|
||||
subPath: l3.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/netns-cleanup.filters
|
||||
subPath: netns-cleanup.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/dhcp.filters
|
||||
subPath: dhcp.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/ebtables.filters
|
||||
subPath: ebtables.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/iptables-firewall.filters
|
||||
subPath: iptables-firewall.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/linuxbridge-plugin.filters
|
||||
subPath: linuxbridge-plugin.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters
|
||||
subPath: openvswitch-plugin.filters
|
||||
mountPath: {{ $rootwrapFile }}
|
||||
subPath: {{ base $rootwrapFile }}
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
- name: socket
|
||||
mountPath: /var/lib/neutron/openstack-helm
|
||||
{{ if $mounts_neutron_metadata_agent.volumeMounts }}{{ toYaml $mounts_neutron_metadata_agent.volumeMounts | indent 12 }}{{ end }}
|
||||
|
@ -104,46 +104,16 @@ spec:
|
||||
mountPath: /etc/neutron/rootwrap.conf
|
||||
subPath: rootwrap.conf
|
||||
readOnly: true
|
||||
{{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
|
||||
{{- if ( has "ovs_agent" $value.pods ) }}
|
||||
{{- $filePrefix := replace "_" "-" $key }}
|
||||
{{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }}
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/debug.filters
|
||||
subPath: debug.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/dibbler.filters
|
||||
subPath: dibbler.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/ipset-firewall.filters
|
||||
subPath: ipset-firewall.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/l3.filters
|
||||
subPath: l3.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/netns-cleanup.filters
|
||||
subPath: netns-cleanup.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/dhcp.filters
|
||||
subPath: dhcp.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/ebtables.filters
|
||||
subPath: ebtables.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/iptables-firewall.filters
|
||||
subPath: iptables-firewall.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/linuxbridge-plugin.filters
|
||||
subPath: linuxbridge-plugin.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters
|
||||
subPath: openvswitch-plugin.filters
|
||||
mountPath: {{ $rootwrapFile }}
|
||||
subPath: {{ base $rootwrapFile }}
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
- name: run
|
||||
mountPath: /run
|
||||
{{ if $mounts_neutron_ovs_agent.volumeMounts }}{{ toYaml $mounts_neutron_ovs_agent.volumeMounts | indent 12 }}{{ end }}
|
||||
@ -195,46 +165,16 @@ spec:
|
||||
mountPath: /etc/neutron/rootwrap.conf
|
||||
subPath: rootwrap.conf
|
||||
readOnly: true
|
||||
{{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
|
||||
{{- if ( has "ovs_agent" $value.pods ) }}
|
||||
{{- $filePrefix := replace "_" "-" $key }}
|
||||
{{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }}
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/debug.filters
|
||||
subPath: debug.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/dibbler.filters
|
||||
subPath: dibbler.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/ipset-firewall.filters
|
||||
subPath: ipset-firewall.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/l3.filters
|
||||
subPath: l3.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/netns-cleanup.filters
|
||||
subPath: netns-cleanup.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/dhcp.filters
|
||||
subPath: dhcp.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/ebtables.filters
|
||||
subPath: ebtables.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/iptables-firewall.filters
|
||||
subPath: iptables-firewall.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/linuxbridge-plugin.filters
|
||||
subPath: linuxbridge-plugin.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters
|
||||
subPath: openvswitch-plugin.filters
|
||||
mountPath: {{ $rootwrapFile }}
|
||||
subPath: {{ base $rootwrapFile }}
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
- name: run
|
||||
mountPath: /run
|
||||
{{ if $mounts_neutron_ovs_agent.volumeMounts }}{{ toYaml $mounts_neutron_ovs_agent.volumeMounts | indent 12 }}{{ end }}
|
||||
|
@ -86,46 +86,16 @@ spec:
|
||||
mountPath: /etc/neutron/rootwrap.conf
|
||||
subPath: rootwrap.conf
|
||||
readOnly: true
|
||||
{{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
|
||||
{{- if ( has "sriov_agent" $value.pods ) }}
|
||||
{{- $filePrefix := replace "_" "-" $key }}
|
||||
{{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }}
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/debug.filters
|
||||
subPath: debug.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/dibbler.filters
|
||||
subPath: dibbler.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/ipset-firewall.filters
|
||||
subPath: ipset-firewall.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/l3.filters
|
||||
subPath: l3.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/netns-cleanup.filters
|
||||
subPath: netns-cleanup.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/dhcp.filters
|
||||
subPath: dhcp.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/ebtables.filters
|
||||
subPath: ebtables.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/iptables-firewall.filters
|
||||
subPath: iptables-firewall.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/linuxbridge-plugin.filters
|
||||
subPath: linuxbridge-plugin.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters
|
||||
subPath: openvswitch-plugin.filters
|
||||
mountPath: {{ $rootwrapFile }}
|
||||
subPath: {{ base $rootwrapFile }}
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
- name: run
|
||||
mountPath: /run
|
||||
{{ if $mounts_neutron_sriov_agent.volumeMounts }}{{ toYaml $mounts_neutron_sriov_agent.volumeMounts | indent 12 }}{{ end }}
|
||||
@ -169,46 +139,16 @@ spec:
|
||||
mountPath: /etc/neutron/rootwrap.conf
|
||||
subPath: rootwrap.conf
|
||||
readOnly: true
|
||||
{{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
|
||||
{{- if ( has "sriov_agent" $value.pods ) }}
|
||||
{{- $filePrefix := replace "_" "-" $key }}
|
||||
{{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }}
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/debug.filters
|
||||
subPath: debug.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/dibbler.filters
|
||||
subPath: dibbler.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/ipset-firewall.filters
|
||||
subPath: ipset-firewall.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/l3.filters
|
||||
subPath: l3.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/netns-cleanup.filters
|
||||
subPath: netns-cleanup.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/dhcp.filters
|
||||
subPath: dhcp.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/ebtables.filters
|
||||
subPath: ebtables.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/iptables-firewall.filters
|
||||
subPath: iptables-firewall.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/linuxbridge-plugin.filters
|
||||
subPath: linuxbridge-plugin.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters
|
||||
subPath: openvswitch-plugin.filters
|
||||
mountPath: {{ $rootwrapFile }}
|
||||
subPath: {{ base $rootwrapFile }}
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
- name: run
|
||||
mountPath: /run
|
||||
{{ if $mounts_neutron_sriov_agent.volumeMounts }}{{ toYaml $mounts_neutron_sriov_agent.volumeMounts | indent 12 }}{{ end }}
|
||||
|
@ -1,20 +0,0 @@
|
||||
{{/*
|
||||
Copyright 2017 The Openstack-Helm Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
# This sudoers file supports rootwrap for both Kolla and LOCI Images.
|
||||
Defaults !requiretty
|
||||
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/var/lib/openstack/bin:/var/lib/kolla/venv/bin"
|
||||
neutron ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *, /var/lib/openstack/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *
|
@ -1,34 +0,0 @@
|
||||
# Configuration for neutron-rootwrap
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
[DEFAULT]
|
||||
# List of directories to load filter definitions from (separated by ',').
|
||||
# These directories MUST all be only writeable by root !
|
||||
filters_path=/etc/neutron/rootwrap.d,/usr/share/neutron/rootwrap
|
||||
|
||||
# List of directories to search executables in, in case filters do not
|
||||
# explicitely specify a full path (separated by ',')
|
||||
# If not specified, defaults to system PATH environment variable.
|
||||
# These directories MUST all be only writeable by root !
|
||||
exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/var/lib/openstack/bin,/var/lib/kolla/venv/bin
|
||||
|
||||
# Enable logging to syslog
|
||||
# Default value is False
|
||||
use_syslog=False
|
||||
|
||||
# Which syslog facility to use.
|
||||
# Valid values include auth, authpriv, syslog, local0, local1...
|
||||
# Default value is 'syslog'
|
||||
syslog_log_facility=syslog
|
||||
|
||||
# Which messages to log.
|
||||
# INFO means log all usage
|
||||
# ERROR means only log unsuccessful attempts
|
||||
syslog_log_level=ERROR
|
||||
|
||||
[xenapi]
|
||||
# XenAPI configuration is only required by the L2 agent if it is to
|
||||
# target a XenServer/XCP compute host's dom0.
|
||||
xenapi_connection_url=<None>
|
||||
xenapi_connection_username=root
|
||||
xenapi_connection_password=<None>
|
@ -1,18 +0,0 @@
|
||||
# neutron-rootwrap command filters for nodes on which neutron is
|
||||
# expected to control network
|
||||
#
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
# format seems to be
|
||||
# cmd-name: filter-name, raw-command, user, args
|
||||
|
||||
[Filters]
|
||||
|
||||
# This is needed because we should ping
|
||||
# from inside a namespace which requires root
|
||||
# _alt variants allow to match -c and -w in any order
|
||||
# (used by NeutronDebugAgent.ping_all)
|
||||
ping: RegExpFilter, ping, root, ping, -w, \d+, -c, \d+, [0-9\.]+
|
||||
ping_alt: RegExpFilter, ping, root, ping, -c, \d+, -w, \d+, [0-9\.]+
|
||||
ping6: RegExpFilter, ping6, root, ping6, -w, \d+, -c, \d+, [0-9A-Fa-f:]+
|
||||
ping6_alt: RegExpFilter, ping6, root, ping6, -c, \d+, -w, \d+, [0-9A-Fa-f:]+
|
@ -1,34 +0,0 @@
|
||||
# neutron-rootwrap command filters for nodes on which neutron is
|
||||
# expected to control network
|
||||
#
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
# format seems to be
|
||||
# cmd-name: filter-name, raw-command, user, args
|
||||
|
||||
[Filters]
|
||||
|
||||
# dhcp-agent
|
||||
dnsmasq: CommandFilter, dnsmasq, root
|
||||
# dhcp-agent uses kill as well, that's handled by the generic KillFilter
|
||||
# it looks like these are the only signals needed, per
|
||||
# neutron/agent/linux/dhcp.py
|
||||
kill_dnsmasq: KillFilter, root, /sbin/dnsmasq, -9, -HUP, -15
|
||||
kill_dnsmasq_usr: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP, -15
|
||||
|
||||
ovs-vsctl: CommandFilter, ovs-vsctl, root
|
||||
ivs-ctl: CommandFilter, ivs-ctl, root
|
||||
mm-ctl: CommandFilter, mm-ctl, root
|
||||
dhcp_release: CommandFilter, dhcp_release, root
|
||||
dhcp_release6: CommandFilter, dhcp_release6, root
|
||||
|
||||
# metadata proxy
|
||||
metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
|
||||
# RHEL invocation of the metadata proxy will report /usr/bin/python
|
||||
kill_metadata: KillFilter, root, python, -9
|
||||
kill_metadata7: KillFilter, root, python2.7, -9
|
||||
|
||||
# ip_lib
|
||||
ip: IpFilter, ip, root
|
||||
find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
|
||||
ip_exec: IpNetnsExecFilter, ip, root
|
@ -1,16 +0,0 @@
|
||||
# neutron-rootwrap command filters for nodes on which neutron is
|
||||
# expected to control network
|
||||
#
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
# format seems to be
|
||||
# cmd-name: filter-name, raw-command, user, args
|
||||
|
||||
[Filters]
|
||||
|
||||
# Filters for the dibbler-based reference implementation of the pluggable
|
||||
# Prefix Delegation driver. Other implementations using an alternative agent
|
||||
# should include a similar filter in this folder.
|
||||
|
||||
# prefix_delegation_agent
|
||||
dibbler-client: CommandFilter, dibbler-client, root
|
@ -1,11 +0,0 @@
|
||||
# neutron-rootwrap command filters for nodes on which neutron is
|
||||
# expected to control network
|
||||
#
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
# format seems to be
|
||||
# cmd-name: filter-name, raw-command, user, args
|
||||
|
||||
[Filters]
|
||||
|
||||
ebtables: CommandFilter, ebtables, root
|
@ -1,12 +0,0 @@
|
||||
# neutron-rootwrap command filters for nodes on which neutron is
|
||||
# expected to control network
|
||||
#
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
# format seems to be
|
||||
# cmd-name: filter-name, raw-command, user, args
|
||||
|
||||
[Filters]
|
||||
# neutron/agent/linux/iptables_firewall.py
|
||||
# "ipset", "-A", ...
|
||||
ipset: CommandFilter, ipset, root
|
@ -1,27 +0,0 @@
|
||||
# neutron-rootwrap command filters for nodes on which neutron is
|
||||
# expected to control network
|
||||
#
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
# format seems to be
|
||||
# cmd-name: filter-name, raw-command, user, args
|
||||
|
||||
[Filters]
|
||||
|
||||
# neutron/agent/linux/iptables_firewall.py
|
||||
# "iptables-save", ...
|
||||
iptables-save: CommandFilter, iptables-save, root
|
||||
iptables-restore: CommandFilter, iptables-restore, root
|
||||
ip6tables-save: CommandFilter, ip6tables-save, root
|
||||
ip6tables-restore: CommandFilter, ip6tables-restore, root
|
||||
|
||||
# neutron/agent/linux/iptables_firewall.py
|
||||
# "iptables", "-A", ...
|
||||
iptables: CommandFilter, iptables, root
|
||||
ip6tables: CommandFilter, ip6tables, root
|
||||
|
||||
# neutron/agent/linux/iptables_firewall.py
|
||||
sysctl: CommandFilter, sysctl, root
|
||||
|
||||
# neutron/agent/linux/ip_conntrack.py
|
||||
conntrack: CommandFilter, conntrack, root
|
@ -1,52 +0,0 @@
|
||||
# neutron-rootwrap command filters for nodes on which neutron is
|
||||
# expected to control network
|
||||
#
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
# format seems to be
|
||||
# cmd-name: filter-name, raw-command, user, args
|
||||
|
||||
[Filters]
|
||||
|
||||
# arping
|
||||
arping: CommandFilter, arping, root
|
||||
|
||||
# l3_agent
|
||||
sysctl: CommandFilter, sysctl, root
|
||||
route: CommandFilter, route, root
|
||||
radvd: CommandFilter, radvd, root
|
||||
|
||||
# metadata proxy
|
||||
metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
|
||||
# RHEL invocation of the metadata proxy will report /usr/bin/python
|
||||
kill_metadata: KillFilter, root, python, -15, -9
|
||||
kill_metadata7: KillFilter, root, python2.7, -15, -9
|
||||
kill_radvd_usr: KillFilter, root, /usr/sbin/radvd, -15, -9, -HUP
|
||||
kill_radvd: KillFilter, root, /sbin/radvd, -15, -9, -HUP
|
||||
|
||||
# ip_lib
|
||||
ip: IpFilter, ip, root
|
||||
find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
|
||||
ip_exec: IpNetnsExecFilter, ip, root
|
||||
|
||||
# For ip monitor
|
||||
kill_ip_monitor: KillFilter, root, ip, -9
|
||||
|
||||
# ovs_lib (if OVSInterfaceDriver is used)
|
||||
ovs-vsctl: CommandFilter, ovs-vsctl, root
|
||||
|
||||
# iptables_manager
|
||||
iptables-save: CommandFilter, iptables-save, root
|
||||
iptables-restore: CommandFilter, iptables-restore, root
|
||||
ip6tables-save: CommandFilter, ip6tables-save, root
|
||||
ip6tables-restore: CommandFilter, ip6tables-restore, root
|
||||
|
||||
# Keepalived
|
||||
keepalived: CommandFilter, keepalived, root
|
||||
kill_keepalived: KillFilter, root, /usr/sbin/keepalived, -HUP, -15, -9
|
||||
|
||||
# l3 agent to delete floatingip's conntrack state
|
||||
conntrack: CommandFilter, conntrack, root
|
||||
|
||||
# keepalived state change monitor
|
||||
keepalived_state_change: CommandFilter, neutron-keepalived-state-change, root
|
@ -1,28 +0,0 @@
|
||||
# neutron-rootwrap command filters for nodes on which neutron is
|
||||
# expected to control network
|
||||
#
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
# format seems to be
|
||||
# cmd-name: filter-name, raw-command, user, args
|
||||
|
||||
[Filters]
|
||||
|
||||
# linuxbridge-agent
|
||||
# unclear whether both variants are necessary, but I'm transliterating
|
||||
# from the old mechanism
|
||||
brctl: CommandFilter, brctl, root
|
||||
bridge: CommandFilter, bridge, root
|
||||
|
||||
# ip_lib
|
||||
ip: IpFilter, ip, root
|
||||
find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
|
||||
ip_exec: IpNetnsExecFilter, ip, root
|
||||
|
||||
# tc commands needed for QoS support
|
||||
tc_replace_tbf: RegExpFilter, tc, root, tc, qdisc, replace, dev, .+, root, tbf, rate, .+, latency, .+, burst, .+
|
||||
tc_add_ingress: RegExpFilter, tc, root, tc, qdisc, add, dev, .+, ingress, handle, .+
|
||||
tc_delete: RegExpFilter, tc, root, tc, qdisc, del, dev, .+, .+
|
||||
tc_show_qdisc: RegExpFilter, tc, root, tc, qdisc, show, dev, .+
|
||||
tc_show_filters: RegExpFilter, tc, root, tc, filter, show, dev, .+, parent, .+
|
||||
tc_add_filter: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, all, prio, .+, basic, police, rate, .+, burst, .+, mtu, .+, drop
|
@ -1,12 +0,0 @@
|
||||
# neutron-rootwrap command filters for nodes on which neutron is
|
||||
# expected to control network
|
||||
#
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
# format seems to be
|
||||
# cmd-name: filter-name, raw-command, user, args
|
||||
|
||||
[Filters]
|
||||
|
||||
# netns-cleanup
|
||||
netstat: CommandFilter, netstat, root
|
@ -1,24 +0,0 @@
|
||||
# neutron-rootwrap command filters for nodes on which neutron is
|
||||
# expected to control network
|
||||
#
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
# format seems to be
|
||||
# cmd-name: filter-name, raw-command, user, args
|
||||
|
||||
[Filters]
|
||||
|
||||
# openvswitch-agent
|
||||
# unclear whether both variants are necessary, but I'm transliterating
|
||||
# from the old mechanism
|
||||
ovs-vsctl: CommandFilter, ovs-vsctl, root
|
||||
# NOTE(yamamoto): of_interface=native doesn't use ovs-ofctl
|
||||
ovs-ofctl: CommandFilter, ovs-ofctl, root
|
||||
kill_ovsdb_client: KillFilter, root, /usr/bin/ovsdb-client, -9
|
||||
ovsdb-client: CommandFilter, ovsdb-client, root
|
||||
xe: CommandFilter, xe, root
|
||||
|
||||
# ip_lib
|
||||
ip: IpFilter, ip, root
|
||||
find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
|
||||
ip_exec: IpNetnsExecFilter, ip, root
|
@ -974,43 +974,371 @@ conf:
|
||||
get_subports: ''
|
||||
add_subports: rule:admin_or_owner
|
||||
remove_subports: rule:admin_or_owner
|
||||
neutron_sudoers:
|
||||
override:
|
||||
append:
|
||||
rootwrap:
|
||||
override:
|
||||
append:
|
||||
neutron_sudoers: |
|
||||
# This sudoers file supports rootwrap for both Kolla and LOCI Images.
|
||||
Defaults !requiretty
|
||||
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/var/lib/openstack/bin:/var/lib/kolla/venv/bin"
|
||||
neutron ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *, /var/lib/openstack/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *
|
||||
rootwrap: |
|
||||
# Configuration for neutron-rootwrap
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
[DEFAULT]
|
||||
# List of directories to load filter definitions from (separated by ',').
|
||||
# These directories MUST all be only writeable by root !
|
||||
filters_path=/etc/neutron/rootwrap.d,/usr/share/neutron/rootwrap
|
||||
|
||||
# List of directories to search executables in, in case filters do not
|
||||
# explicitely specify a full path (separated by ',')
|
||||
# If not specified, defaults to system PATH environment variable.
|
||||
# These directories MUST all be only writeable by root !
|
||||
exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/var/lib/openstack/bin,/var/lib/kolla/venv/bin
|
||||
|
||||
# Enable logging to syslog
|
||||
# Default value is False
|
||||
use_syslog=False
|
||||
|
||||
# Which syslog facility to use.
|
||||
# Valid values include auth, authpriv, syslog, local0, local1...
|
||||
# Default value is 'syslog'
|
||||
syslog_log_facility=syslog
|
||||
|
||||
# Which messages to log.
|
||||
# INFO means log all usage
|
||||
# ERROR means only log unsuccessful attempts
|
||||
syslog_log_level=ERROR
|
||||
|
||||
[xenapi]
|
||||
# XenAPI configuration is only required by the L2 agent if it is to
|
||||
# target a XenServer/XCP compute host's dom0.
|
||||
xenapi_connection_url=<None>
|
||||
xenapi_connection_username=root
|
||||
xenapi_connection_password=<None>
|
||||
rootwrap_filters:
|
||||
debug:
|
||||
override:
|
||||
append:
|
||||
pods:
|
||||
- dhcp_agent
|
||||
- l3_agent
|
||||
- lb_agent
|
||||
- metadata_agent
|
||||
- ovs_agent
|
||||
- sriov_agent
|
||||
content: |
|
||||
# neutron-rootwrap command filters for nodes on which neutron is
|
||||
# expected to control network
|
||||
#
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
# format seems to be
|
||||
# cmd-name: filter-name, raw-command, user, args
|
||||
|
||||
[Filters]
|
||||
|
||||
# This is needed because we should ping
|
||||
# from inside a namespace which requires root
|
||||
# _alt variants allow to match -c and -w in any order
|
||||
# (used by NeutronDebugAgent.ping_all)
|
||||
ping: RegExpFilter, ping, root, ping, -w, \d+, -c, \d+, [0-9\.]+
|
||||
ping_alt: RegExpFilter, ping, root, ping, -c, \d+, -w, \d+, [0-9\.]+
|
||||
ping6: RegExpFilter, ping6, root, ping6, -w, \d+, -c, \d+, [0-9A-Fa-f:]+
|
||||
ping6_alt: RegExpFilter, ping6, root, ping6, -c, \d+, -w, \d+, [0-9A-Fa-f:]+
|
||||
dibbler:
|
||||
override:
|
||||
append:
|
||||
pods:
|
||||
- dhcp_agent
|
||||
- l3_agent
|
||||
- lb_agent
|
||||
- metadata_agent
|
||||
- ovs_agent
|
||||
- sriov_agent
|
||||
content: |
|
||||
# neutron-rootwrap command filters for nodes on which neutron is
|
||||
# expected to control network
|
||||
#
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
# format seems to be
|
||||
# cmd-name: filter-name, raw-command, user, args
|
||||
|
||||
[Filters]
|
||||
|
||||
# Filters for the dibbler-based reference implementation of the pluggable
|
||||
# Prefix Delegation driver. Other implementations using an alternative agent
|
||||
# should include a similar filter in this folder.
|
||||
|
||||
# prefix_delegation_agent
|
||||
dibbler-client: CommandFilter, dibbler-client, root
|
||||
ipset_firewall:
|
||||
override:
|
||||
append:
|
||||
pods:
|
||||
- dhcp_agent
|
||||
- l3_agent
|
||||
- lb_agent
|
||||
- metadata_agent
|
||||
- ovs_agent
|
||||
- sriov_agent
|
||||
content: |
|
||||
# neutron-rootwrap command filters for nodes on which neutron is
|
||||
# expected to control network
|
||||
#
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
# format seems to be
|
||||
# cmd-name: filter-name, raw-command, user, args
|
||||
|
||||
[Filters]
|
||||
# neutron/agent/linux/iptables_firewall.py
|
||||
# "ipset", "-A", ...
|
||||
ipset: CommandFilter, ipset, root
|
||||
l3:
|
||||
override:
|
||||
append:
|
||||
pods:
|
||||
- dhcp_agent
|
||||
- l3_agent
|
||||
- lb_agent
|
||||
- metadata_agent
|
||||
- ovs_agent
|
||||
- sriov_agent
|
||||
content: |
|
||||
# neutron-rootwrap command filters for nodes on which neutron is
|
||||
# expected to control network
|
||||
#
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
# format seems to be
|
||||
# cmd-name: filter-name, raw-command, user, args
|
||||
|
||||
[Filters]
|
||||
|
||||
# arping
|
||||
arping: CommandFilter, arping, root
|
||||
|
||||
# l3_agent
|
||||
sysctl: CommandFilter, sysctl, root
|
||||
route: CommandFilter, route, root
|
||||
radvd: CommandFilter, radvd, root
|
||||
|
||||
# metadata proxy
|
||||
metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
|
||||
# RHEL invocation of the metadata proxy will report /usr/bin/python
|
||||
kill_metadata: KillFilter, root, python, -15, -9
|
||||
kill_metadata7: KillFilter, root, python2.7, -15, -9
|
||||
kill_radvd_usr: KillFilter, root, /usr/sbin/radvd, -15, -9, -HUP
|
||||
kill_radvd: KillFilter, root, /sbin/radvd, -15, -9, -HUP
|
||||
|
||||
# ip_lib
|
||||
ip: IpFilter, ip, root
|
||||
find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
|
||||
ip_exec: IpNetnsExecFilter, ip, root
|
||||
|
||||
# For ip monitor
|
||||
kill_ip_monitor: KillFilter, root, ip, -9
|
||||
|
||||
# ovs_lib (if OVSInterfaceDriver is used)
|
||||
ovs-vsctl: CommandFilter, ovs-vsctl, root
|
||||
|
||||
# iptables_manager
|
||||
iptables-save: CommandFilter, iptables-save, root
|
||||
iptables-restore: CommandFilter, iptables-restore, root
|
||||
ip6tables-save: CommandFilter, ip6tables-save, root
|
||||
ip6tables-restore: CommandFilter, ip6tables-restore, root
|
||||
|
||||
# Keepalived
|
||||
keepalived: CommandFilter, keepalived, root
|
||||
kill_keepalived: KillFilter, root, /usr/sbin/keepalived, -HUP, -15, -9
|
||||
|
||||
# l3 agent to delete floatingip's conntrack state
|
||||
conntrack: CommandFilter, conntrack, root
|
||||
|
||||
# keepalived state change monitor
|
||||
keepalived_state_change: CommandFilter, neutron-keepalived-state-change, root
|
||||
netns_cleanup:
|
||||
override:
|
||||
append:
|
||||
pods:
|
||||
- dhcp_agent
|
||||
- l3_agent
|
||||
- lb_agent
|
||||
- metadata_agent
|
||||
- ovs_agent
|
||||
- sriov_agent
|
||||
content: |
|
||||
# neutron-rootwrap command filters for nodes on which neutron is
|
||||
# expected to control network
|
||||
#
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
# format seems to be
|
||||
# cmd-name: filter-name, raw-command, user, args
|
||||
|
||||
[Filters]
|
||||
|
||||
# netns-cleanup
|
||||
netstat: CommandFilter, netstat, root
|
||||
dhcp:
|
||||
override:
|
||||
append:
|
||||
pods:
|
||||
- dhcp_agent
|
||||
- l3_agent
|
||||
- lb_agent
|
||||
- metadata_agent
|
||||
- ovs_agent
|
||||
- sriov_agent
|
||||
content: |
|
||||
# neutron-rootwrap command filters for nodes on which neutron is
|
||||
# expected to control network
|
||||
#
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
# format seems to be
|
||||
# cmd-name: filter-name, raw-command, user, args
|
||||
|
||||
[Filters]
|
||||
|
||||
# dhcp-agent
|
||||
dnsmasq: CommandFilter, dnsmasq, root
|
||||
# dhcp-agent uses kill as well, that's handled by the generic KillFilter
|
||||
# it looks like these are the only signals needed, per
|
||||
# neutron/agent/linux/dhcp.py
|
||||
kill_dnsmasq: KillFilter, root, /sbin/dnsmasq, -9, -HUP, -15
|
||||
kill_dnsmasq_usr: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP, -15
|
||||
|
||||
ovs-vsctl: CommandFilter, ovs-vsctl, root
|
||||
ivs-ctl: CommandFilter, ivs-ctl, root
|
||||
mm-ctl: CommandFilter, mm-ctl, root
|
||||
dhcp_release: CommandFilter, dhcp_release, root
|
||||
dhcp_release6: CommandFilter, dhcp_release6, root
|
||||
|
||||
# metadata proxy
|
||||
metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
|
||||
# RHEL invocation of the metadata proxy will report /usr/bin/python
|
||||
kill_metadata: KillFilter, root, python, -9
|
||||
kill_metadata7: KillFilter, root, python2.7, -9
|
||||
|
||||
# ip_lib
|
||||
ip: IpFilter, ip, root
|
||||
find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
|
||||
ip_exec: IpNetnsExecFilter, ip, root
|
||||
ebtables:
|
||||
override:
|
||||
append:
|
||||
pods:
|
||||
- dhcp_agent
|
||||
- l3_agent
|
||||
- lb_agent
|
||||
- metadata_agent
|
||||
- ovs_agent
|
||||
- sriov_agent
|
||||
content: |
|
||||
# neutron-rootwrap command filters for nodes on which neutron is
|
||||
# expected to control network
|
||||
#
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
# format seems to be
|
||||
# cmd-name: filter-name, raw-command, user, args
|
||||
|
||||
[Filters]
|
||||
|
||||
ebtables: CommandFilter, ebtables, root
|
||||
iptables_firewall:
|
||||
override:
|
||||
append:
|
||||
pods:
|
||||
- dhcp_agent
|
||||
- l3_agent
|
||||
- lb_agent
|
||||
- metadata_agent
|
||||
- ovs_agent
|
||||
- sriov_agent
|
||||
content: |
|
||||
# neutron-rootwrap command filters for nodes on which neutron is
|
||||
# expected to control network
|
||||
#
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
# format seems to be
|
||||
# cmd-name: filter-name, raw-command, user, args
|
||||
|
||||
[Filters]
|
||||
|
||||
# neutron/agent/linux/iptables_firewall.py
|
||||
# "iptables-save", ...
|
||||
iptables-save: CommandFilter, iptables-save, root
|
||||
iptables-restore: CommandFilter, iptables-restore, root
|
||||
ip6tables-save: CommandFilter, ip6tables-save, root
|
||||
ip6tables-restore: CommandFilter, ip6tables-restore, root
|
||||
|
||||
# neutron/agent/linux/iptables_firewall.py
|
||||
# "iptables", "-A", ...
|
||||
iptables: CommandFilter, iptables, root
|
||||
ip6tables: CommandFilter, ip6tables, root
|
||||
|
||||
# neutron/agent/linux/iptables_firewall.py
|
||||
sysctl: CommandFilter, sysctl, root
|
||||
|
||||
# neutron/agent/linux/ip_conntrack.py
|
||||
conntrack: CommandFilter, conntrack, root
|
||||
linuxbridge_plugin:
|
||||
override:
|
||||
append:
|
||||
pods:
|
||||
- dhcp_agent
|
||||
- l3_agent
|
||||
- lb_agent
|
||||
- metadata_agent
|
||||
- ovs_agent
|
||||
- sriov_agent
|
||||
content: |
|
||||
# neutron-rootwrap command filters for nodes on which neutron is
|
||||
# expected to control network
|
||||
#
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
# format seems to be
|
||||
# cmd-name: filter-name, raw-command, user, args
|
||||
|
||||
[Filters]
|
||||
|
||||
# linuxbridge-agent
|
||||
# unclear whether both variants are necessary, but I'm transliterating
|
||||
# from the old mechanism
|
||||
brctl: CommandFilter, brctl, root
|
||||
bridge: CommandFilter, bridge, root
|
||||
|
||||
# ip_lib
|
||||
ip: IpFilter, ip, root
|
||||
find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
|
||||
ip_exec: IpNetnsExecFilter, ip, root
|
||||
|
||||
# tc commands needed for QoS support
|
||||
tc_replace_tbf: RegExpFilter, tc, root, tc, qdisc, replace, dev, .+, root, tbf, rate, .+, latency, .+, burst, .+
|
||||
tc_add_ingress: RegExpFilter, tc, root, tc, qdisc, add, dev, .+, ingress, handle, .+
|
||||
tc_delete: RegExpFilter, tc, root, tc, qdisc, del, dev, .+, .+
|
||||
tc_show_qdisc: RegExpFilter, tc, root, tc, qdisc, show, dev, .+
|
||||
tc_show_filters: RegExpFilter, tc, root, tc, filter, show, dev, .+, parent, .+
|
||||
tc_add_filter: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, all, prio, .+, basic, police, rate, .+, burst, .+, mtu, .+, drop
|
||||
openvswitch_plugin:
|
||||
override:
|
||||
append:
|
||||
pods:
|
||||
- dhcp_agent
|
||||
- l3_agent
|
||||
- lb_agent
|
||||
- metadata_agent
|
||||
- ovs_agent
|
||||
- sriov_agent
|
||||
content: |
|
||||
# neutron-rootwrap command filters for nodes on which neutron is
|
||||
# expected to control network
|
||||
#
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
# format seems to be
|
||||
# cmd-name: filter-name, raw-command, user, args
|
||||
|
||||
[Filters]
|
||||
|
||||
# openvswitch-agent
|
||||
# unclear whether both variants are necessary, but I'm transliterating
|
||||
# from the old mechanism
|
||||
ovs-vsctl: CommandFilter, ovs-vsctl, root
|
||||
# NOTE(yamamoto): of_interface=native doesn't use ovs-ofctl
|
||||
ovs-ofctl: CommandFilter, ovs-ofctl, root
|
||||
kill_ovsdb_client: KillFilter, root, /usr/bin/ovsdb-client, -9
|
||||
ovsdb-client: CommandFilter, ovsdb-client, root
|
||||
xe: CommandFilter, xe, root
|
||||
|
||||
# ip_lib
|
||||
ip: IpFilter, ip, root
|
||||
find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
|
||||
ip_exec: IpNetnsExecFilter, ip, root
|
||||
neutron:
|
||||
DEFAULT:
|
||||
#NOTE(portdirect): the bind port should not be defined, and is manipulated
|
||||
|
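Review bot: Every `pods:` list under the new `rootwrap_filters:` entries names all six agents, so the `l3`, `dhcp`, `linuxbridge_plugin` and `openvswitch_plugin` filter sets — which permit `sysctl`, `route`, `iptables-restore`, `dnsmasq`, `brctl` and `ovs-vsctl` to run as root — are marked for every agent pod, including `sriov_agent` and `lb_agent`, which have no use for most of them. Narrowing each list to the agent that actually needs the filter keeps the per-pod rootwrap allow-list minimal, e.g. under `dhcp:` `pods:` `- dhcp_agent` and under `l3:` `pods:` `- l3_agent`; whether the templates consume `pods:` yet is not visible in this hunk and the commit message calls pod targeting future work, so this may belong in that follow-up. A smaller point in the inlined `rootwrap:` block: it keeps `use_syslog=False` and `syslog_log_level=ERROR`, so successful privileged invocations leave no audit trail unless an operator overrides the whole literal. The `conf:` map continues beyond the end of the hunk.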