Merge "Add acl to paths that are shared among related neutron processes"

docker/services/neutron-dhcp.yaml

@@ -268,3 +268,34 @@ outputs:
             - step|int == 2
             - release == 'ocata'
             - neutron_dhcp_agent_enabled|bool
+      post_upgrade_tasks:
+        - name: Check for neutron user
+          getent:
+            database: passwd
+            key: neutron
+          ignore_errors: True
+        - name: Set neutron_user_avail
+          set_fact:
+            neutron_user_avail: "{{ getent_passwd is defined }}"
+        - when:
+            - step|int == 2
+            - neutron_user_avail|bool
+          block:
+            - name: Ensure read/write access for files created after upgrade
+              become: true
+              shell: |
+                umask 0002
+                setfacl -d -R -m u:neutron:rwx /var/lib/neutron
+                setfacl -R -m u:neutron:rw /var/lib/neutron
+                find /var/lib/neutron -type d -exec setfacl -m u:neutron:rwx '{}' \;
+            - name: Provide access for domain sockets
+              ignore_errors: True
+              become: true
+              shell: |
+                umask 0002
+                setfacl -m u:neutron:rwx "{{ item }}"
+              with_items:
+                - /var/lib/neutron/metadata_proxy
+                - /var/lib/neutron
+              # These files are not necessarily present
+              ignore_errors: True

docker/services/neutron-l3.yaml

@@ -266,3 +266,34 @@ outputs:
             - step|int == 1
             - release == 'ocata'
             - neutron_l3_agent_enabled|bool
+      post_upgrade_tasks:
+        - name: Check for neutron user
+          getent:
+            database: passwd
+            key: neutron
+          ignore_errors: True
+        - name: Set neutron_user_avail
+          set_fact:
+            neutron_user_avail: "{{ getent_passwd is defined }}"
+        - when:
+            - step|int == 2
+            - neutron_user_avail|bool
+          block:
+            - name: Ensure r/w access for existing files after upgrade
+              become: true
+              shell: |
+                umask 0002
+                setfacl -d -R -m u:neutron:rwx /var/lib/neutron
+                setfacl -R -m u:neutron:rw /var/lib/neutron
+                find /var/lib/neutron -type d -exec setfacl -m u:neutron:rwx '{}' \;
+            - name: Provide access to domain sockets
+              become: true
+              shell: |
+                umask 0002
+                setfacl -m u:neutron:rwx "{{ item }}"
+              with_items:
+                - /var/lib/neutron/metadata_proxy
+                - /var/lib/neutron/keepalived-state-change
+                - /var/lib/neutron
+              # These files are not necessarily present
+              ignore_errors: True