Add a nova-baremetal element.

Future work is intended to allow this to serve
as a nova-virt element as well, by allowing the config
and which services are run (such as bm-deploy-helper)
based upon metadata config settings.

Change-Id: I59718a0b329e6adc59097492638cf02c76162c0a

elements/nova/README.md

@@ -0,0 +1,2 @@
+Installs nova-baremetal service from git.
+

elements/nova/element-deps

@@ -0,0 +1,3 @@
+os-svc-install
+os-config-applier
+os-refresh-config

elements/nova/install.d/74-nova

@@ -0,0 +1,55 @@
+#!/bin/bash
+set -eux
+
+function install_dnsmasq_upstart {
+  cat > /etc/init/nova-bm-dnsmasq.conf << eof
+start on runlevel [2345]
+stop on runlevel [016]
+pre-start script
+  mkdir -p /tftpboot
+  chown -R nova:nova /tftpboot
+  killall -9 dnsmasq || echo 'no dnsmasq running'
+end script
+task
+
+script
+  exec dnsmasq --conf-file= \\
+               --port=0 \\
+               --enable-tftp \\
+               --tftp-root=/tftpboot \\
+               --dhcp-boot=pxelinux.0 \\
+               --bind-interfaces \\
+               --pid-file=/var/run/dnsmasq.pid \\
+               --interface=eth0 \\
+               --dhcp-range=10.8.53.201,10.8.53.206,29
+end script
+eof
+}
+
+install-packages dnsmasq novnc dnsmasq-utils ebtables
+
+os-svc-install -n nova -u nova -r https://github.com/openstack/nova.git
+
+# for libvirt clouds only
+install-packages libvirt-bin python-libvirt kvm pm-utils syslinux
+usermod -a -G libvirtd nova
+
+mkdir -p /var/run/nova/keys && chown -R nova:nova /var/run/nova/keys
+os-svc-daemon nova-api              nova nova-api              "--config-dir /etc/nova"
+os-svc-daemon nova-rpc-zmq-receiver nova nova-rpc-zmq-receiver "--config-dir /etc/nova"
+os-svc-daemon nova-cert             nova nova-cert             "--config-dir /etc/nova"
+os-svc-daemon nova-scheduler        nova nova-scheduler        "--config-dir /etc/nova --debug"
+os-svc-daemon nova-consoleauth      nova nova-consoleauth      "--config-dir /etc/nova"
+os-svc-daemon nova-conductor        nova nova-conductor        "--config-dir /etc/nova"
+os-svc-daemon nova-compute          nova nova-compute          "--config-dir /etc/nova"
+os-svc-daemon nova-baremetal-deploy-helper \
+                                     nova nova-baremetal-deploy-helper "--config-dir /etc/nova"
+install_dnsmasq_upstart
+
+mkdir -p /tftpboot/pxelinux.cfg/
+cp /usr/lib/syslinux/pxelinux.0 /tftpboot/
+chown -R nova:nova /var/lib/misc/
+
+echo "nova ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/nova
+chmod 0440 /etc/sudoers.d/nova
+visudo -c

elements/nova/os-config-applier/etc/nova/api-paste.ini

@@ -0,0 +1,107 @@
+############
+# Metadata #
+############
+[composite:metadata]
+use = egg:Paste#urlmap
+/: meta
+
+[pipeline:meta]
+pipeline = ec2faultwrap logrequest metaapp
+
+[app:metaapp]
+paste.app_factory = nova.api.metadata.handler:MetadataRequestHandler.factory
+
+#######
+# EC2 #
+#######
+
+[composite:ec2]
+use = egg:Paste#urlmap
+/services/Cloud: ec2cloud
+
+[composite:ec2cloud]
+use = call:nova.api.auth:pipeline_factory
+noauth = ec2faultwrap logrequest ec2noauth cloudrequest validator ec2executor
+keystone = ec2faultwrap logrequest ec2keystoneauth cloudrequest validator ec2executor
+
+[filter:ec2faultwrap]
+paste.filter_factory = nova.api.ec2:FaultWrapper.factory
+
+[filter:logrequest]
+paste.filter_factory = nova.api.ec2:RequestLogging.factory
+
+[filter:ec2lockout]
+paste.filter_factory = nova.api.ec2:Lockout.factory
+
+[filter:ec2keystoneauth]
+paste.filter_factory = nova.api.ec2:EC2KeystoneAuth.factory
+
+[filter:ec2noauth]
+paste.filter_factory = nova.api.ec2:NoAuth.factory
+
+[filter:cloudrequest]
+controller = nova.api.ec2.cloud.CloudController
+paste.filter_factory = nova.api.ec2:Requestify.factory
+
+[filter:authorizer]
+paste.filter_factory = nova.api.ec2:Authorizer.factory
+
+[filter:validator]
+paste.filter_factory = nova.api.ec2:Validator.factory
+
+[app:ec2executor]
+paste.app_factory = nova.api.ec2:Executor.factory
+
+#############
+# Openstack #
+#############
+
+[composite:osapi_compute]
+use = call:nova.api.openstack.urlmap:urlmap_factory
+/: oscomputeversions
+/v1.1: openstack_compute_api_v2
+/v2: openstack_compute_api_v2
+
+[composite:openstack_compute_api_v2]
+use = call:nova.api.auth:pipeline_factory
+noauth = faultwrap sizelimit noauth ratelimit osapi_compute_app_v2
+keystone = faultwrap sizelimit authtoken keystonecontext ratelimit osapi_compute_app_v2
+keystone_nolimit = faultwrap sizelimit authtoken keystonecontext osapi_compute_app_v2
+
+[filter:faultwrap]
+paste.filter_factory = nova.api.openstack:FaultWrapper.factory
+
+[filter:noauth]
+paste.filter_factory = nova.api.openstack.auth:NoAuthMiddleware.factory
+
+[filter:ratelimit]
+paste.filter_factory = nova.api.openstack.compute.limits:RateLimitingMiddleware.factory
+
+[filter:sizelimit]
+paste.filter_factory = nova.api.sizelimit:RequestBodySizeLimiter.factory
+
+[app:osapi_compute_app_v2]
+paste.app_factory = nova.api.openstack.compute:APIRouter.factory
+
+[pipeline:oscomputeversions]
+pipeline = faultwrap oscomputeversionapp
+
+[app:oscomputeversionapp]
+paste.app_factory = nova.api.openstack.compute.versions:Versions.factory
+
+##########
+# Shared #
+##########
+
+[filter:keystonecontext]
+paste.filter_factory = nova.api.auth:NovaKeystoneContext.factory
+
+[filter:authtoken]
+paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
+auth_host = {{keystone.host}}
+auth_port = 35357
+admin_password = {{service-password}}
+auth_protocol = http
+admin_tenant_name = service
+admin_user = nova
+signing_dir = /tmp/keystone-signing-nova

elements/nova/os-config-applier/etc/nova/logging.conf

@@ -0,0 +1,76 @@
+[loggers]
+keys = root, nova
+
+[handlers]
+keys = stderr, stdout, watchedfile, syslog, null
+
+[formatters]
+keys = legacynova, default
+
+[logger_root]
+level = WARNING
+handlers = null
+
+[logger_nova]
+level = INFO
+handlers = stderr
+qualname = nova
+
+[logger_amqplib]
+level = WARNING
+handlers = stderr
+qualname = amqplib
+
+[logger_sqlalchemy]
+level = WARNING
+handlers = stderr
+qualname = sqlalchemy
+# "level = INFO" logs SQL queries.
+# "level = DEBUG" logs SQL queries and results.
+# "level = WARNING" logs neither.  (Recommended for production systems.)
+
+[logger_boto]
+level = WARNING
+handlers = stderr
+qualname = boto
+
+[logger_suds]
+level = INFO
+handlers = stderr
+qualname = suds
+
+[logger_eventletwsgi]
+level = WARNING
+handlers = stderr
+qualname = eventlet.wsgi.server
+
+[handler_stderr]
+class = StreamHandler
+args = (sys.stderr,)
+formatter = legacynova
+
+[handler_stdout]
+class = StreamHandler
+args = (sys.stdout,)
+formatter = legacynova
+
+[handler_watchedfile]
+class = handlers.WatchedFileHandler
+args = ('/var/log/nova/nova.log',)
+formatter = legacynova
+
+[handler_syslog]
+class = handlers.SysLogHandler
+args = ('/dev/log', handlers.SysLogHandler.LOG_USER)
+formatter = legacynova
+
+[handler_null]
+class = nova.openstack.common.log.NullHandler
+formatter = default
+args = ()
+
+[formatter_legacynova]
+class = nova.openstack.common.log.LegacyFormatter
+
+[formatter_default]
+format = %(message)s

elements/nova/os-config-applier/etc/nova/nova.conf

@@ -0,0 +1,88 @@
+[DEFAULT]
+debug = True
+
+s3_host={{keystone.host}}
+ec2_host={{keystone.host}}
+ec2_dmz_host={{keystone.host}}
+ec2_url=http://{{nova.host}}:8773/services/Cloud
+rabbit_host={{rabbit.host}}
+cc_host={{keystone.host}}
+nova_url=http://{{nova.host}}:8774/v1.1/
+
+log_config=/etc/nova/logging.conf
+
+sql_connection={{nova.db}}
+
+logdir=/var/log/nova
+state_path=/var/lib/nova
+lock_path=/var/lib/nova
+api_paste_config=/etc/nova/api-paste.ini
+verbose=True
+
+# Auth
+use_deprecated_auth=false
+auth_strategy=keystone
+keystone_ec2_url=http://{{keystone.host}}:5000/v2.0/ec2tokens
+# Imaging service
+glance_api_servers={{glance.host}}:9292
+image_service=nova.image.glance.GlanceImageService
+
+# Vnc configuration
+novnc_enabled=true
+novncproxy_base_url=http://{{nova.host}}:6080/vnc_auto.html
+novncproxy_port=6080
+vncserver_proxyclient_address=127.0.0.1
+vncserver_listen=0.0.0.0
+
+# Networking #
+network_api_class=nova.network.quantumv2.api.API
+quantum_url=http://{{quantum.host}}:9696
+quantum_auth_strategy=keystone
+quantum_admin_tenant_name=service
+quantum_admin_username=quantum
+quantum_admin_password={{service-password}}
+quantum_admin_auth_url=http://{{keystone.host}}:35357/v2.0
+libvirt_vif_driver=nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver
+linuxnet_interface_driver=nova.network.linux_net.LinuxOVSInterfaceDriver
+firewall_driver = nova.virt.firewall.NoopFirewallDriver
+fixed_range = 192.0.2.32/29
+
+dhcpbridge_flagfile=/etc/nova/nova.conf
+dhcpbridge=/usr/bin/nova-dhcpbridge
+
+rootwrap_config=/etc/nova/rootwrap.conf
+
+# Cinder #
+volume_api_class=nova.volume.cinder.API
+osapi_volume_listen_port=5900
+
+rabbit_host={{rabbit.host}}
+rabbit_password={{rabbit.password}}
+
+
+state_path=/var/lib/nova
+lock_path=/var/lib/nova
+keys_path=/var/lib/nova/keys
+
+enabled_apis = ec2,osapi_compute,metadata,openstack_compute_api_v2
+
+dhcpbridge_flagfile = /etc/nova/nova.conf
+dhcpbridge=/usr/local/bin/nova-dhcpbridge
+
+scheduler_default_filters = AllHostsFilter
+
+# TODO: driver must be configurable.
+scheduler_host_manager = nova.scheduler.baremetal_host_manager.BaremetalHostManager
+compute_driver = baremetal.driver.BareMetalDriver
+
+[baremetal]
+sql_connection = {{nova.bm_db}}
+net_config_template = /opt/stack/nova/nova/virt/baremetal/net-static.ubuntu.template
+tftp_root = /tftpboot
+instance_type_extra_specs = cpu_arch:i386
+
+power_manager = nova.virt.baremetal.virtual_power_driver.VirtualPowerManager
+driver = nova.virt.baremetal.pxe.PXE
+virtual_power_host_user={{nova.virtual_power_user}}
+virtual_power_host_pass={{nova.virtual_power_pass}}
+virtual_power_ssh_host={{nova.virtual_power_ssh_host}}

elements/nova/os-config-applier/etc/nova/rootwrap.conf

@@ -0,0 +1,6 @@
+[DEFAULT]
+filters_path=/etc/nova/rootwrap.d,/usr/share/nova/rootwrap
+exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin
+use_syslog=False
+syslog_log_facility=syslog
+syslog_log_level=ERROR

elements/nova/os-config-applier/etc/nova/rootwrap.d/api-metadata.filters

@@ -0,0 +1,13 @@
+# nova-rootwrap command filters for api-metadata nodes
+# This is needed on nova-api hosts running with "metadata" in enabled_apis
+# or when running nova-api-metadata
+# This file should be owned by (and only-writeable by) the root user
+
+[Filters]
+# nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ...
+iptables-save: CommandFilter, iptables-save, root
+ip6tables-save: CommandFilter, ip6tables-save, root
+
+# nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,)
+iptables-restore: CommandFilter, iptables-restore, root
+ip6tables-restore: CommandFilter, ip6tables-restore, root

elements/nova/os-config-applier/etc/nova/rootwrap.d/baremetal-compute-ipmi.filters

@@ -0,0 +1,9 @@
+# nova-rootwrap command filters for compute nodes
+# This file should be owned by (and only-writeable by) the root user
+
+[Filters]
+# nova/virt/baremetal/ipmi.py: 'ipmitool', ..
+ipmitool: CommandFilter, /usr/bin/ipmitool, root
+
+# nova/virt/baremetal/ipmi.py: 'kill', '-TERM', str(console_pid)
+kill_shellinaboxd: KillFilter, root, /usr/local/bin/shellinaboxd, -15, -TERM

elements/nova/os-config-applier/etc/nova/rootwrap.d/baremetal-deploy-helper.filters

@@ -0,0 +1,10 @@
+# nova-rootwrap command filters for nova-baremetal-deploy-helper
+# This file should be owned by (and only-writeable by) the root user
+
+[Filters]
+# nova-baremetal-deploy-helper
+iscsiadm: CommandFilter, /sbin/iscsiadm, root
+fdisk: CommandFilter, /sbin/fdisk, root
+dd: CommandFilter, /bin/dd, root
+mkswap: CommandFilter, /sbin/mkswap, root
+blkid: CommandFilter, /sbin/blkid, root

elements/nova/os-config-applier/etc/nova/rootwrap.d/compute.filters

@@ -0,0 +1,187 @@
+# nova-rootwrap command filters for compute nodes
+# This file should be owned by (and only-writeable by) the root user
+
+[Filters]
+# nova/virt/disk/mount/api.py: 'kpartx', '-a', device
+# nova/virt/disk/mount/api.py: 'kpartx', '-d', device
+kpartx: CommandFilter, /sbin/kpartx, root
+
+# nova/virt/xenapi/vm_utils.py: tune2fs, -O ^has_journal, part_path
+# nova/virt/xenapi/vm_utils.py: tune2fs, -j, partition_path
+tune2fs: CommandFilter, /sbin/tune2fs, root
+
+# nova/virt/disk/mount/api.py: 'mount', mapped_device
+# nova/virt/disk/api.py: 'mount', '-o', 'bind', src, target
+# nova/virt/xenapi/vm_utils.py: 'mount', '-t', 'ext2,ext3,ext4,reiserfs'..
+# nova/virt/configdrive.py: 'mount', device, mountdir
+mount: CommandFilter, /bin/mount, root
+
+# nova/virt/disk/mount/api.py: 'umount', mapped_device
+# nova/virt/disk/api.py: 'umount' target
+# nova/virt/xenapi/vm_utils.py: 'umount', dev_path
+# nova/virt/configdrive.py: 'umount', mountdir
+umount: CommandFilter, /bin/umount, root
+
+# nova/virt/disk/mount/nbd.py: 'qemu-nbd', '-c', device, image
+# nova/virt/disk/mount/nbd.py: 'qemu-nbd', '-d', device
+qemu-nbd: CommandFilter, /usr/bin/qemu-nbd, root
+
+# nova/virt/disk/mount/loop.py: 'losetup', '--find', '--show', image
+# nova/virt/disk/mount/loop.py: 'losetup', '--detach', device
+losetup: CommandFilter, /sbin/losetup, root
+
+# nova/virt/disk/vfs/localfs.py: 'tee', canonpath
+tee: CommandFilter, /usr/bin/tee, root
+
+# nova/virt/disk/vfs/localfs.py: 'mkdir', canonpath
+mkdir: CommandFilter, /bin/mkdir, root
+
+# nova/virt/disk/vfs/localfs.py: 'chown'
+# nova/virt/libvirt/connection.py: 'chown', os.getuid( console_log
+# nova/virt/libvirt/connection.py: 'chown', os.getuid( console_log
+# nova/virt/libvirt/connection.py: 'chown', 'root', basepath('disk')
+# nova/utils.py: 'chown', owner_uid, path
+chown: CommandFilter, /bin/chown, root
+
+# nova/virt/disk/vfs/localfs.py: 'chmod'
+chmod: CommandFilter, /bin/chmod, root
+
+# nova/virt/libvirt/vif.py: 'ip', 'tuntap', 'add', dev, 'mode', 'tap'
+# nova/virt/libvirt/vif.py: 'ip', 'link', 'set', dev, 'up'
+# nova/virt/libvirt/vif.py: 'ip', 'link', 'delete', dev
+# nova/network/linux_net.py: 'ip', 'addr', 'add', str(floating_ip)+'/32'i..
+# nova/network/linux_net.py: 'ip', 'addr', 'del', str(floating_ip)+'/32'..
+# nova/network/linux_net.py: 'ip', 'addr', 'add', '169.254.169.254/32',..
+# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', dev, 'scope',..
+# nova/network/linux_net.py: 'ip', 'addr', 'del/add', ip_params, dev)
+# nova/network/linux_net.py: 'ip', 'addr', 'del', params, fields[-1]
+# nova/network/linux_net.py: 'ip', 'addr', 'add', params, bridge
+# nova/network/linux_net.py: 'ip', '-f', 'inet6', 'addr', 'change', ..
+# nova/network/linux_net.py: 'ip', 'link', 'set', 'dev', dev, 'promisc',..
+# nova/network/linux_net.py: 'ip', 'link', 'add', 'link', bridge_if ...
+# nova/network/linux_net.py: 'ip', 'link', 'set', interface, address,..
+# nova/network/linux_net.py: 'ip', 'link', 'set', interface, 'up'
+# nova/network/linux_net.py: 'ip', 'link', 'set', bridge, 'up'
+# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', interface, ..
+# nova/network/linux_net.py: 'ip', 'link', 'set', dev, address, ..
+# nova/network/linux_net.py: 'ip', 'link', 'set', dev, 'up'
+# nova/network/linux_net.py: 'ip', 'route', 'add', ..
+# nova/network/linux_net.py: 'ip', 'route', 'del', .
+# nova/network/linux_net.py: 'ip', 'route', 'show', 'dev', dev
+ip: CommandFilter, /sbin/ip, root
+
+# nova/virt/libvirt/vif.py: 'tunctl', '-b', '-t', dev
+# nova/network/linux_net.py: 'tunctl', '-b', '-t', dev
+tunctl: CommandFilter, tunctl, root
+
+# nova/virt/libvirt/vif.py: 'ovs-vsctl', ...
+# nova/virt/libvirt/vif.py: 'ovs-vsctl', 'del-port', ...
+# nova/network/linux_net.py: 'ovs-vsctl', ....
+ovs-vsctl: CommandFilter, /usr/bin/ovs-vsctl, root
+
+# nova/network/linux_net.py: 'ovs-ofctl', ....
+ovs-ofctl: CommandFilter, /usr/bin/ovs-ofctl, root
+
+# nova/virt/libvirt/connection.py: 'dd', if=%s % virsh_output, ...
+dd: CommandFilter, /bin/dd, root
+
+# nova/virt/xenapi/volume_utils.py: 'iscsiadm', '-m', ...
+iscsiadm: CommandFilter, iscsiadm, root
+
+# nova/virt/libvirt/volume.py: 'aoe-revalidate', aoedev
+# nova/virt/libvirt/volume.py: 'aoe-discover'
+aoe-revalidate: CommandFilter, /usr/sbin/aoe-revalidate, root
+aoe-discover: CommandFilter, /usr/sbin/aoe-discover, root
+
+# nova/virt/xenapi/vm_utils.py: parted, --script, ...
+# nova/virt/xenapi/vm_utils.py: 'parted', '--script', dev_path, ..*.
+parted: CommandFilter, parted, root
+
+# nova/virt/xenapi/vm_utils.py: 'pygrub', '-qn', dev_path
+pygrub: CommandFilter, /usr/bin/pygrub, root
+
+# nova/virt/xenapi/vm_utils.py: fdisk %(dev_path)s
+fdisk: CommandFilter, /sbin/fdisk, root
+
+# nova/virt/xenapi/vm_utils.py: e2fsck, -f, -p, partition_path
+# nova/virt/disk/api.py: e2fsck, -f, -p, image
+e2fsck: CommandFilter, /sbin/e2fsck, root
+
+# nova/virt/xenapi/vm_utils.py: resize2fs, partition_path
+# nova/virt/disk/api.py: resize2fs, image
+resize2fs: CommandFilter, /sbin/resize2fs, root
+
+# nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ...
+iptables-save: CommandFilter, iptables-save, root
+ip6tables-save: CommandFilter, ip6tables-save, root
+
+# nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,)
+iptables-restore: CommandFilter, iptables-restore, root
+ip6tables-restore: CommandFilter, ip6tables-restore, root
+
+# nova/network/linux_net.py: 'arping', '-U', floating_ip, '-A', '-I', ...
+# nova/network/linux_net.py: 'arping', '-U', network_ref['dhcp_server'],..
+arping: CommandFilter, arping, root
+
+# nova/network/linux_net.py: 'dhcp_release', dev, address, mac_address
+dhcp_release: CommandFilter, /usr/bin/dhcp_release, root
+
+# nova/network/linux_net.py: 'kill', '-9', pid
+# nova/network/linux_net.py: 'kill', '-HUP', pid
+kill_dnsmasq: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP
+
+# nova/network/linux_net.py: 'kill', pid
+kill_radvd: KillFilter, root, /usr/sbin/radvd
+
+# nova/network/linux_net.py: dnsmasq call
+dnsmasq: DnsmasqFilter, /usr/sbin/dnsmasq, root
+dnsmasq_deprecated: DeprecatedDnsmasqFilter, /usr/sbin/dnsmasq, root
+
+# nova/network/linux_net.py: 'radvd', '-C', '%s' % _ra_file(dev, 'conf'..
+radvd: CommandFilter, /usr/sbin/radvd, root
+
+# nova/network/linux_net.py: 'brctl', 'addbr', bridge
+# nova/network/linux_net.py: 'brctl', 'setfd', bridge, 0
+# nova/network/linux_net.py: 'brctl', 'stp', bridge, 'off'
+# nova/network/linux_net.py: 'brctl', 'addif', bridge, interface
+brctl: CommandFilter, brctl, root
+
+# nova/virt/libvirt/utils.py: 'mkswap'
+# nova/virt/xenapi/vm_utils.py: 'mkswap'
+mkswap: CommandFilter, /sbin/mkswap, root
+
+# nova/virt/xenapi/vm_utils.py: 'mkfs'
+mkfs: CommandFilter, /sbin/mkfs, root
+
+# nova/virt/libvirt/utils.py: 'qemu-img'
+qemu-img: CommandFilter, /usr/bin/qemu-img, root
+
+# nova/virt/disk/vfs/localfs.py: 'readlink', '-e'
+readlink: CommandFilter, readlink, root
+
+# nova/virt/disk/api.py: 'touch', target
+touch: CommandFilter, /usr/bin/touch, root
+
+# nova/virt/libvirt/connection.py:
+read_initiator: ReadFileFilter, /etc/iscsi/initiatorname.iscsi
+
+# nova/virt/libvirt/connection.py:
+lvremove: CommandFilter, /sbin/lvremove, root
+
+# nova/virt/libvirt/utils.py:
+lvcreate: CommandFilter, /sbin/lvcreate, root
+
+# nova/virt/libvirt/utils.py:
+lvs: CommandFilter, /sbin/lvs, root
+
+# nova/virt/libvirt/utils.py:
+vgs: CommandFilter, /sbin/vgs, root
+
+# nova/virt/baremetal/volume_driver.py: 'tgtadm', '--lld', 'iscsi', ...
+tgtadm: CommandFilter, /usr/sbin/tgtadm, root
+
+# nova/utils.py:read_file_as_root: 'cat', file_path
+# (called from nova/virt/disk/vfs/localfs.py:VFSLocalFS.read_file)
+read_passwd: RegExpFilter, cat, root, cat, (/var|/usr)?/tmp/openstack-vfs-localfs[^/]+/etc/passwd
+read_shadow: RegExpFilter, cat, root, cat, (/var|/usr)?/tmp/openstack-vfs-localfs[^/]+/etc/shadow
+

elements/nova/os-config-applier/etc/nova/rootwrap.d/network.filters

@@ -0,0 +1,78 @@
+# nova-rootwrap command filters for network nodes
+# This file should be owned by (and only-writeable by) the root user
+
+[Filters]
+# nova/virt/libvirt/vif.py: 'ip', 'tuntap', 'add', dev, 'mode', 'tap'
+# nova/virt/libvirt/vif.py: 'ip', 'link', 'set', dev, 'up'
+# nova/virt/libvirt/vif.py: 'ip', 'link', 'delete', dev
+# nova/network/linux_net.py: 'ip', 'addr', 'add', str(floating_ip)+'/32'i..
+# nova/network/linux_net.py: 'ip', 'addr', 'del', str(floating_ip)+'/32'..
+# nova/network/linux_net.py: 'ip', 'addr', 'add', '169.254.169.254/32',..
+# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', dev, 'scope',..
+# nova/network/linux_net.py: 'ip', 'addr', 'del/add', ip_params, dev)
+# nova/network/linux_net.py: 'ip', 'addr', 'del', params, fields[-1]
+# nova/network/linux_net.py: 'ip', 'addr', 'add', params, bridge
+# nova/network/linux_net.py: 'ip', '-f', 'inet6', 'addr', 'change', ..
+# nova/network/linux_net.py: 'ip', 'link', 'set', 'dev', dev, 'promisc',..
+# nova/network/linux_net.py: 'ip', 'link', 'add', 'link', bridge_if ...
+# nova/network/linux_net.py: 'ip', 'link', 'set', interface, address,..
+# nova/network/linux_net.py: 'ip', 'link', 'set', interface, 'up'
+# nova/network/linux_net.py: 'ip', 'link', 'set', bridge, 'up'
+# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', interface, ..
+# nova/network/linux_net.py: 'ip', 'link', 'set', dev, address, ..
+# nova/network/linux_net.py: 'ip', 'link', 'set', dev, 'up'
+# nova/network/linux_net.py: 'ip', 'route', 'add', ..
+# nova/network/linux_net.py: 'ip', 'route', 'del', .
+# nova/network/linux_net.py: 'ip', 'route', 'show', 'dev', dev
+ip: CommandFilter, /sbin/ip, root
+
+# nova/virt/libvirt/vif.py: 'ovs-vsctl', ...
+# nova/virt/libvirt/vif.py: 'ovs-vsctl', 'del-port', ...
+# nova/network/linux_net.py: 'ovs-vsctl', ....
+ovs-vsctl: CommandFilter, /usr/bin/ovs-vsctl, root
+
+# nova/network/linux_net.py: 'ovs-ofctl', ....
+ovs-ofctl: CommandFilter, /usr/bin/ovs-ofctl, root
+
+# nova/network/linux_net.py: 'ebtables', '-D' ...
+# nova/network/linux_net.py: 'ebtables', '-I' ...
+ebtables: CommandFilter, /sbin/ebtables, root
+ebtables_usr: CommandFilter, /usr/sbin/ebtables, root
+
+# nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ...
+iptables-save: CommandFilter, iptables-save, root
+ip6tables-save: CommandFilter, ip6tables-save, root
+
+# nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,)
+iptables-restore: CommandFilter, iptables-restore, root
+ip6tables-restore: CommandFilter, ip6tables-restore, root
+
+# nova/network/linux_net.py: 'arping', '-U', floating_ip, '-A', '-I', ...
+# nova/network/linux_net.py: 'arping', '-U', network_ref['dhcp_server'],..
+arping: CommandFilter, arping, root
+
+# nova/network/linux_net.py: 'dhcp_release', dev, address, mac_address
+dhcp_release: CommandFilter, /usr/bin/dhcp_release, root
+
+# nova/network/linux_net.py: 'kill', '-9', pid
+# nova/network/linux_net.py: 'kill', '-HUP', pid
+kill_dnsmasq: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP
+
+# nova/network/linux_net.py: 'kill', pid
+kill_radvd: KillFilter, root, /usr/sbin/radvd
+
+# nova/network/linux_net.py: dnsmasq call
+dnsmasq: DnsmasqFilter, /usr/sbin/dnsmasq, root
+dnsmasq_deprecated: DeprecatedDnsmasqFilter, /usr/sbin/dnsmasq, root
+
+# nova/network/linux_net.py: 'radvd', '-C', '%s' % _ra_file(dev, 'conf'..
+radvd: CommandFilter, /usr/sbin/radvd, root
+
+# nova/network/linux_net.py: 'brctl', 'addbr', bridge
+# nova/network/linux_net.py: 'brctl', 'setfd', bridge, 0
+# nova/network/linux_net.py: 'brctl', 'stp', bridge, 'off'
+# nova/network/linux_net.py: 'brctl', 'addif', bridge, interface
+brctl: CommandFilter, brctl, root
+
+# nova/network/linux_net.py: 'sysctl', ....
+sysctl: CommandFilter, /sbin/sysctl, root

elements/nova/os-refresh-config/post-configure.d/74-nova

@@ -0,0 +1,21 @@
+#!/bin/bash
+set -eux
+
+modprobe nbd || true
+
+chown -R nova:nova /var/log/nova
+
+# TODO: for compute nodes only
+mkdir -p /var/run/nova/instances
+chown -R nova:nova /var/run/nova
+mkdir -p /tftpboot
+chown -R nova:nova /tftpboot
+service nova-conductor restart
+service nova-api restart
+service nova-cert restart
+service nova-rpc-zmq-receiver restart
+service nova-compute restart
+service nova-scheduler restart
+service nova-consoleauth restart
+service nova-baremetal-deploy-helper restart
+service nova-bm-dnsmasq restart