Install set of files and directory structure for manila

Change-Id: I691591ddfc04c605ccf72e279abc416d11ab7fc3

deployment_scripts/puppet/manifests/install.pp

@@ -21,4 +21,6 @@ package {'python-manila-ui':
   ensure => 'installed'
 }
 
+class{'::manila_auxiliary::fs': }
+
 Package['python-pip']->Package['pycrypto']->Package['python-manila']->Package['python-manilaclient']->Package['python-manila-ui']

deployment_scripts/puppet/modules/manila_auxiliary/files/api-paste.ini

@@ -0,0 +1,59 @@
+#############
+# OpenStack #
+#############
+
+[composite:osapi_share]
+use = call:manila.api:root_app_factory
+/: apiversions
+/v1: openstack_share_api
+/v2: openstack_share_api_v2
+
+[composite:openstack_share_api]
+use = call:manila.api.middleware.auth:pipeline_factory
+noauth = cors faultwrap ssl sizelimit noauth api
+keystone = cors faultwrap ssl sizelimit authtoken keystonecontext api
+keystone_nolimit = cors faultwrap ssl sizelimit authtoken keystonecontext api
+
+[composite:openstack_share_api_v2]
+use = call:manila.api.middleware.auth:pipeline_factory
+noauth = cors faultwrap ssl sizelimit noauth apiv2
+keystone = cors faultwrap ssl sizelimit authtoken keystonecontext apiv2
+keystone_nolimit = cors faultwrap ssl sizelimit authtoken keystonecontext apiv2
+
+[filter:faultwrap]
+paste.filter_factory = manila.api.middleware.fault:FaultWrapper.factory
+
+[filter:noauth]
+paste.filter_factory = manila.api.middleware.auth:NoAuthMiddleware.factory
+
+[filter:sizelimit]
+paste.filter_factory = oslo_middleware.sizelimit:RequestBodySizeLimiter.factory
+
+[filter:ssl]
+paste.filter_factory = oslo_middleware.ssl:SSLMiddleware.factory
+
+[app:api]
+paste.app_factory = manila.api.v1.router:APIRouter.factory
+
+[app:apiv2]
+paste.app_factory = manila.api.v2.router:APIRouter.factory
+
+[pipeline:apiversions]
+pipeline = cors faultwrap osshareversionapp
+
+[app:osshareversionapp]
+paste.app_factory = manila.api.versions:VersionsRouter.factory
+
+##########
+# Shared #
+##########
+
+[filter:keystonecontext]
+paste.filter_factory = manila.api.middleware.auth:ManilaKeystoneContext.factory
+
+[filter:authtoken]
+paste.filter_factory = keystonemiddleware.auth_token:filter_factory
+
+[filter:cors]
+paste.filter_factory = oslo_middleware.cors:filter_factory
+oslo_config_project = manila

deployment_scripts/puppet/modules/manila_auxiliary/files/logging_sample.conf

@@ -0,0 +1,73 @@
+[loggers]
+keys = root, manila
+
+[handlers]
+keys = stderr, stdout, watchedfile, syslog, null
+
+[formatters]
+keys = default
+
+[logger_root]
+level = WARNING
+handlers = null
+
+[logger_manila]
+level = INFO
+handlers = stderr
+qualname = manila
+
+[logger_amqplib]
+level = WARNING
+handlers = stderr
+qualname = amqplib
+
+[logger_sqlalchemy]
+level = WARNING
+handlers = stderr
+qualname = sqlalchemy
+# "level = INFO" logs SQL queries.
+# "level = DEBUG" logs SQL queries and results.
+# "level = WARNING" logs neither.  (Recommended for production systems.)
+
+[logger_boto]
+level = WARNING
+handlers = stderr
+qualname = boto
+
+[logger_suds]
+level = INFO
+handlers = stderr
+qualname = suds
+
+[logger_eventletwsgi]
+level = WARNING
+handlers = stderr
+qualname = eventlet.wsgi.server
+
+[handler_stderr]
+class = StreamHandler
+args = (sys.stderr,)
+formatter = default
+
+[handler_stdout]
+class = StreamHandler
+args = (sys.stdout,)
+formatter = default
+
+[handler_watchedfile]
+class = handlers.WatchedFileHandler
+args = ('manila.log',)
+formatter = default
+
+[handler_syslog]
+class = handlers.SysLogHandler
+args = ('/dev/log', handlers.SysLogHandler.LOG_USER)
+formatter = default
+
+[handler_null]
+class = manila.common.openstack.NullHandler
+formatter = default
+args = ()
+
+[formatter_default]
+format = %(message)s

deployment_scripts/puppet/modules/manila_auxiliary/files/policy.json

@@ -0,0 +1,130 @@
+{
+    "context_is_admin": "role:admin",
+    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
+    "default": "rule:admin_or_owner",
+
+    "admin_api": "is_admin:True",
+
+    "availability_zone:index": "rule:default",
+
+    "quota_set:update": "rule:admin_api",
+    "quota_set:show": "rule:default",
+    "quota_set:delete": "rule:admin_api",
+
+    "quota_class_set:show": "rule:default",
+    "quota_class_set:update": "rule:admin_api",
+
+    "service:index": "rule:admin_api",
+    "service:update": "rule:admin_api",
+
+    "share:create": "",
+    "share:delete": "rule:default",
+    "share:get": "rule:default",
+    "share:get_all": "rule:default",
+    "share:list_by_share_server_id": "rule:admin_api",
+    "share:update": "rule:default",
+    "share:access_get": "rule:default",
+    "share:access_get_all": "rule:default",
+    "share:allow_access": "rule:default",
+    "share:deny_access": "rule:default",
+    "share:extend": "rule:default",
+    "share:shrink": "rule:default",
+    "share:get_share_metadata": "rule:default",
+    "share:delete_share_metadata": "rule:default",
+    "share:update_share_metadata": "rule:default",
+    "share:migration_start": "rule:admin_api",
+    "share:migration_complete": "rule:admin_api",
+    "share:migration_cancel": "rule:admin_api",
+    "share:migration_get_progress": "rule:admin_api",
+    "share:reset_task_state": "rule:admin_api",
+    "share:manage": "rule:admin_api",
+    "share:unmanage": "rule:admin_api",
+    "share:force_delete": "rule:admin_api",
+    "share:reset_status": "rule:admin_api",
+    "share_export_location:index": "rule:default",
+    "share_export_location:show": "rule:default",
+
+    "share_instance:index": "rule:admin_api",
+    "share_instance:show": "rule:admin_api",
+    "share_instance:force_delete": "rule:admin_api",
+    "share_instance:reset_status": "rule:admin_api",
+    "share_instance_export_location:index": "rule:admin_api",
+    "share_instance_export_location:show": "rule:admin_api",
+
+    "share_snapshot:create_snapshot": "rule:default",
+    "share_snapshot:delete_snapshot": "rule:default",
+    "share_snapshot:get_snapshot": "rule:default",
+    "share_snapshot:get_all_snapshots": "rule:default",
+    "share_snapshot:snapshot_update": "rule:default",
+    "share_snapshot:manage_snapshot": "rule:admin_api",
+    "share_snapshot:unmanage_snapshot": "rule:admin_api",
+    "share_snapshot:force_delete": "rule:admin_api",
+    "share_snapshot:reset_status": "rule:admin_api",
+
+    "share_type:index": "rule:default",
+    "share_type:show": "rule:default",
+    "share_type:default": "rule:default",
+    "share_type:create": "rule:admin_api",
+    "share_type:delete": "rule:admin_api",
+    "share_type:add_project_access": "rule:admin_api",
+    "share_type:list_project_access": "rule:admin_api",
+    "share_type:remove_project_access": "rule:admin_api",
+
+    "share_types_extra_spec:create": "rule:admin_api",
+    "share_types_extra_spec:update": "rule:admin_api",
+    "share_types_extra_spec:show": "rule:admin_api",
+    "share_types_extra_spec:index": "rule:admin_api",
+    "share_types_extra_spec:delete": "rule:admin_api",
+
+    "security_service:create": "rule:default",
+    "security_service:delete": "rule:default",
+    "security_service:update": "rule:default",
+    "security_service:show": "rule:default",
+    "security_service:index": "rule:default",
+    "security_service:detail": "rule:default",
+    "security_service:get_all_security_services": "rule:admin_api",
+
+    "share_server:index": "rule:admin_api",
+    "share_server:show": "rule:admin_api",
+    "share_server:details": "rule:admin_api",
+    "share_server:delete": "rule:admin_api",
+
+    "share_network:create": "rule:default",
+    "share_network:delete": "rule:default",
+    "share_network:update": "rule:default",
+    "share_network:index": "rule:default",
+    "share_network:detail": "rule:default",
+    "share_network:show": "rule:default",
+    "share_network:add_security_service": "rule:default",
+    "share_network:remove_security_service": "rule:default",
+    "share_network:get_all_share_networks": "rule:admin_api",
+
+    "scheduler_stats:pools:index": "rule:admin_api",
+    "scheduler_stats:pools:detail": "rule:admin_api",
+
+    "consistency_group:create" : "rule:default",
+    "consistency_group:delete": "rule:default",
+    "consistency_group:update": "rule:default",
+    "consistency_group:get": "rule:default",
+    "consistency_group:get_all": "rule:default",
+    "consistency_group:force_delete": "rule:admin_api",
+    "consistency_group:reset_status": "rule:admin_api",
+
+    "cgsnapshot:force_delete": "rule:admin_api",
+    "cgsnapshot:reset_status": "rule:admin_api",
+    "cgsnapshot:create" : "rule:default",
+    "cgsnapshot:update" : "rule:default",
+    "cgsnapshot:delete": "rule:default",
+    "cgsnapshot:get_cgsnapshot": "rule:default",
+    "cgsnapshot:get_all": "rule:default",
+
+    "share_replica:get_all": "rule:default",
+    "share_replica:show": "rule:default",
+    "share_replica:create" : "rule:default",
+    "share_replica:delete": "rule:default",
+    "share_replica:promote": "rule:default",
+    "share_replica:resync": "rule:admin_api",
+    "share_replica:reset_status": "rule:admin_api",
+    "share_replica:force_delete": "rule:admin_api",
+    "share_replica:reset_replica_state": "rule:admin_api"
+}

deployment_scripts/puppet/modules/manila_auxiliary/files/rootwrap.conf

@@ -0,0 +1,27 @@
+# Configuration for manila-rootwrap
+# This file should be owned by (and only-writeable by) the root user
+
+[DEFAULT]
+# List of directories to load filter definitions from (separated by ',').
+# These directories MUST all be only writeable by root !
+filters_path=/etc/manila/rootwrap.d,/usr/share/manila/rootwrap
+
+# List of directories to search executables in, in case filters do not
+# explicitely specify a full path (separated by ',')
+# If not specified, defaults to system PATH environment variable.
+# These directories MUST all be only writeable by root !
+exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/sbin,/usr/local/bin,/usr/lpp/mmfs/bin
+
+# Enable logging to syslog
+# Default value is False
+use_syslog=False
+
+# Which syslog facility to use.
+# Valid values include auth, authpriv, syslog, user0, user1...
+# Default value is 'syslog'
+syslog_log_facility=syslog
+
+# Which messages to log.
+# INFO means log all usage
+# ERROR means only log unsuccessful attempts
+syslog_log_level=ERROR

deployment_scripts/puppet/modules/manila_auxiliary/files/share.filters

@@ -0,0 +1,153 @@
+# manila-rootwrap command filters for share nodes
+# This file should be owned by (and only-writeable by) the root user
+
+[Filters]
+# manila/utils.py : 'chown', '%s', '%s'
+chown: CommandFilter, chown, root
+# manila/utils.py : 'cat', '%s'
+cat: CommandFilter, cat, root
+
+# manila/share/drivers/lvm.py: 'mkfs.ext4', '/dev/mapper/%s'
+mkfs.ext4: CommandFilter, mkfs.ext4, root
+
+# manila/share/drivers/lvm.py: 'mkfs.ext3', '/dev/mapper/%s'
+mkfs.ext3: CommandFilter, mkfs.ext3, root
+
+# manila/share/drivers/lvm.py: 'smbd', '-s', '%s', '-D'
+smbd: CommandFilter, smbd, root
+smb: CommandFilter, smb, root
+
+# manila/share/drivers/lvm.py: 'rmdir', '%s'
+rmdir: CommandFilter, rmdir, root
+
+# manila/share/drivers/lvm.py: 'dd' 'count=0', 'if=%s' % srcstr, 'of=%s'
+dd: CommandFilter, dd, root
+
+# manila/share/drivers/lvm.py: 'fsck', '-pf', %s
+fsck: CommandFilter, fsck, root
+
+# manila/share/drivers/lvm.py: 'resize2fs', %s
+resize2fs: CommandFilter, resize2fs, root
+
+# manila/share/drivers/helpers.py: 'smbcontrol', 'all', 'close-share', '%s'
+smbcontrol: CommandFilter, smbcontrol, root
+
+# manila/share/drivers/helpers.py: 'net', 'conf', 'addshare', '%s', '%s', 'writeable=y', 'guest_ok=y
+# manila/share/drivers/helpers.py: 'net', 'conf', 'delshare', '%s'
+# manila/share/drivers/helpers.py: 'net', 'conf', 'setparm', '%s', '%s', '%s'
+# manila/share/drivers/helpers.py: 'net', 'conf', 'getparm', '%s', 'hosts allow'
+net: CommandFilter, net, root
+
+# manila/share/drivers/lvm.py: 'lvremove', '-f', "%s/%s
+lvremove: CommandFilter, lvremove, root
+
+# manila/share/drivers/lvm.py: 'lvextend', '-L', '%sG''-n', %s
+lvextend: CommandFilter, lvextend, root
+
+# manila/share/drivers/lvm.py: 'lvcreate', '-L', %s, '-n', %s
+lvcreate: CommandFilter, lvcreate, root
+
+# manila/share/drivers/lvm.py: 'vgs', '--noheadings', '-o', 'name'
+# manila/share/drivers/lvm.py: 'vgs', %s, '--rows', '--units', 'g'
+vgs: CommandFilter, vgs, root
+
+# manila/share/drivers/glusterfs.py: 'mkdir', '%s'
+# manila/share/drivers/ganesha/manager.py: 'mkdir', '-p', '%s'
+mkdir: CommandFilter, mkdir, root
+
+# manila/share/drivers/glusterfs.py: 'rm', '-rf', '%s'
+rm: CommandFilter, rm, root
+
+# manila/share/drivers/glusterfs.py: 'mount', '-t', 'glusterfs', '%s', '%s'
+# manila/share/drivers/glusterfs/glusterfs_native.py: 'mount', '-t', 'glusterfs', '%s', '%s'
+mount: CommandFilter, mount, root
+
+# manila/share/drivers/glusterfs.py: 'gluster', '--xml', 'volume', 'info', '%s'
+# manila/share/drivers/glusterfs.py: 'gluster', 'volume', 'set', '%s', 'nfs.export-dir', '%s'
+gluster: CommandFilter, gluster, root
+
+# manila/network/linux/ip_lib.py: 'ip', 'netns', 'exec', '%s', '%s'
+ip: CommandFilter, ip, root
+
+# manila/network/linux/interface.py: 'ovs-vsctl', 'add-port', '%s', '%s'
+ovs-vsctl: CommandFilter, ovs-vsctl, root
+
+# manila/share/drivers/glusterfs/glusterfs_native.py: 'find', '%s', '-mindepth', '1', '!', '-path', '%s', '!', '-path', '%s', '-delete'
+# manila/share/drivers/glusterfs/glusterfs_native.py: 'find', '%s', '-mindepth', '1', '-delete'
+find: CommandFilter, find, root
+
+# manila/share/drivers/glusterfs/glusterfs_native.py: 'umount', '%s'
+umount: CommandFilter, umount, root
+
+# GPFS commands
+# manila/share/drivers/ibm/gpfs.py: 'mmgetstate', '-Y'
+mmgetstate: CommandFilter, mmgetstate, root
+# manila/share/drivers/ibm/gpfs.py: 'mmlsattr', '%s'
+mmlsattr: CommandFilter, mmlsattr, root
+# manila/share/drivers/ibm/gpfs.py: 'mmcrfileset', '%s', '%s', '--inode-space', 'new'
+mmcrfileset: CommandFilter, mmcrfileset, root
+# manila/share/drivers/ibm/gpfs.py: 'mmlinkfileset', '%s', '%s', '-J', '%s'
+mmlinkfileset: CommandFilter, mmlinkfileset, root
+# manila/share/drivers/ibm/gpfs.py: 'mmsetquota', '-j', '%s', '-h', '%s', '%s'
+mmsetquota: CommandFilter, mmsetquota, root
+# manila/share/drivers/ibm/gpfs.py: 'mmunlinkfileset', '%s', '%s', '-f'
+mmunlinkfileset: CommandFilter, mmunlinkfileset, root
+# manila/share/drivers/ibm/gpfs.py: 'mmdelfileset', '%s', '%s', '-f'
+mmdelfileset: CommandFilter, mmdelfileset, root
+# manila/share/drivers/ibm/gpfs.py: 'mmcrsnapshot', '%s', '%s', '-j', '%s'
+mmcrsnapshot: CommandFilter, mmcrsnapshot, root
+# manila/share/drivers/ibm/gpfs.py: 'mmdelsnapshot', '%s', '%s', '-j', '%s'
+mmdelsnapshot: CommandFilter, mmdelsnapshot, root
+# manila/share/drivers/ibm/gpfs.py: 'rsync', '-rp', '%s', '%s'
+rsync: CommandFilter, rsync, root
+# manila/share/drivers/ibm/gpfs.py: 'exportfs'
+exportfs: CommandFilter, exportfs, root
+# manila/share/drivers/ibm/gpfs.py: 'stat', '--format=%F', '%s'
+stat: CommandFilter, stat, root
+# manila/share/drivers/ibm/gpfs.py: 'df', '-P', '-B', '1', '%s'
+df: CommandFilter, df, root
+
+# Ganesha commands
+# manila/share/drivers/ibm/ganesha_utils.py: 'mv', '%s', '%s'
+# manila/share/drivers/ganesha/manager.py: 'mv', '%s', '%s'
+mv: CommandFilter, mv, root
+# manila/share/drivers/ibm/ganesha_utils.py: 'cp', '%s', '%s'
+cp: CommandFilter, cp, root
+# manila/share/drivers/ibm/ganesha_utils.py: 'scp', '-i', '%s', '%s', '%s'
+scp: CommandFilter, scp, root
+# manila/share/drivers/ibm/ganesha_utils.py: 'ssh', '%s', '%s'
+ssh: CommandFilter, ssh, root
+# manila/share/drivers/ibm/ganesha_utils.py: 'chmod', '%s', '%s'
+chmod: CommandFilter, chmod, root
+# manila/share/drivers/ibm/ganesha_utils.py: 'service', '%s', 'restart'
+service: CommandFilter, service, root
+
+# manila/share/drivers/ganesha/manager.py: 'mktemp', '-p', '%s', '-t', '%s'
+mktemp: CommandFilter, mktemp, root
+
+# manila/share/drivers/ganesha/manager.py:
+shcat: RegExpFilter, sh, root, sh, -c, echo '((.|\n)*)' > /.*
+
+# manila/share/drivers/ganesha/manager.py:
+dbus-addexport: RegExpFilter, dbus-send, root, dbus-send, --print-reply, --system, --dest=org\.ganesha\.nfsd, /org/ganesha/nfsd/ExportMgr, org\.ganesha\.nfsd\.exportmgr\.(Add|Remove)Export, .*, .*
+
+# manila/share/drivers/ganesha/manager.py:
+dbus-removeexport: RegExpFilter, dbus-send, root, dbus-send, --print-reply, --system, --dest=org\.ganesha\.nfsd, /org/ganesha/nfsd/ExportMgr, org\.ganesha\.nfsd\.exportmgr\.(Add|Remove)Export, .*
+
+# manila/share/drivers/ganesha/manager.py:
+rmconf: RegExpFilter, sh, root, sh, -c, rm -f /.*/\*\.conf$
+
+# ZFS commands
+# manila/share/drivers/zfsonlinux/driver.py
+# manila/share/drivers/zfsonlinux/utils.py
+zpool: CommandFilter, zpool, root
+
+# manila/share/drivers/zfsonlinux/driver.py
+# manila/share/drivers/zfsonlinux/utils.py
+zfs: CommandFilter, zfs, root
+
+# manila/data/utils.py: 'ls', '-pA1', '--group-directories-first', '%s'
+ls: CommandFilter, ls, root
+
+# manila/data/utils.py: 'touch', '--reference=%s', '%s'
+touch: CommandFilter, touch, root

deployment_scripts/puppet/modules/manila_auxiliary/manifests/fs.pp

@@ -0,0 +1,26 @@
+class manila_auxiliary::fs () {
+  file {'/etc/manila':
+    ensure => 'directory',
+  }->
+  file {'/etc/manila/rootwrap.d':
+    ensure => 'directory',
+  }
+  file { '/var/log/manila':
+    ensure => 'directory',
+  }
+  file {'/etc/manila/api-paste.ini':
+    source => "puppet:///modules/manila_auxiliary/api-paste.ini",
+  }
+  file {'/etc/manila/logging_sample.conf':
+    source => "puppet:///modules/manila_auxiliary/logging_sample.conf",
+  }
+  file {'/etc/manila/policy.json':
+    source => "puppet:///modules/manila_auxiliary/policy.json",
+  }
+  file {'/etc/manila/rootwrap.conf':
+    source => "puppet:///modules/manila_auxiliary/rootwrap.conf",
+  }
+  file {'/etc/manila/rootwrap.d/share.filters':
+    source => "puppet:///modules/manila_auxiliary/share.filters"
+  }
+}