From 08098865718e75b67fada55eeba31ab3e77db322 Mon Sep 17 00:00:00 2001 
From: Tim Miller Date: Mon, 1 Apr 2013 14:52:48 -0700 Subject: [PATCH] Add a nova-baremetal element. Future work is intended to allow this to serve as a nova-virt element as well, by allowing the config and which services are run (such as bm-deploy-helper) based upon metadata config settings. Change-Id: I59718a0b329e6adc59097492638cf02c76162c0a --- elements/nova/README.md | 2 + elements/nova/element-deps | 3 + elements/nova/install.d/74-nova | 55 ++++++ .../os-config-applier/etc/nova/api-paste.ini | 107 ++++++++++ .../os-config-applier/etc/nova/logging.conf | 76 +++++++ .../nova/os-config-applier/etc/nova/nova.conf | 88 +++++++++ .../os-config-applier/etc/nova/rootwrap.conf | 6 + .../etc/nova/rootwrap.d/api-metadata.filters | 13 ++ .../rootwrap.d/baremetal-compute-ipmi.filters | 9 + .../baremetal-deploy-helper.filters | 10 + .../etc/nova/rootwrap.d/compute.filters | 187 ++++++++++++++++++ .../etc/nova/rootwrap.d/network.filters | 78 ++++++++ .../post-configure.d/74-nova | 21 ++ 13 files changed, 655 insertions(+) create mode 100644 elements/nova/README.md create mode 100644 elements/nova/element-deps create mode 100755 elements/nova/install.d/74-nova create mode 100644 elements/nova/os-config-applier/etc/nova/api-paste.ini create mode 100644 elements/nova/os-config-applier/etc/nova/logging.conf create mode 100644 elements/nova/os-config-applier/etc/nova/nova.conf create mode 100644 elements/nova/os-config-applier/etc/nova/rootwrap.conf create mode 100644 elements/nova/os-config-applier/etc/nova/rootwrap.d/api-metadata.filters create mode 100644 elements/nova/os-config-applier/etc/nova/rootwrap.d/baremetal-compute-ipmi.filters create mode 100644 elements/nova/os-config-applier/etc/nova/rootwrap.d/baremetal-deploy-helper.filters create mode 100644 elements/nova/os-config-applier/etc/nova/rootwrap.d/compute.filters create mode 100644 elements/nova/os-config-applier/etc/nova/rootwrap.d/network.filters create mode 100755 
elements/nova/os-refresh-config/post-configure.d/74-nova
diff --git a/elements/nova/README.md b/elements/nova/README.md
new file mode 100644
index 00000000..fb25a4f5
--- /dev/null
+++ b/elements/nova/README.md
@@ -0,0 +1,2 @@
+Installs nova-baremetal service from git.
+
diff --git a/elements/nova/element-deps b/elements/nova/element-deps
new file mode 100644
index 00000000..dca16890
--- /dev/null
+++ b/elements/nova/element-deps
@@ -0,0 +1,3 @@
+os-svc-install
+os-config-applier
+os-refresh-config
diff --git a/elements/nova/install.d/74-nova b/elements/nova/install.d/74-nova
new file mode 100755
index 00000000..88d2943a
--- /dev/null
+++ b/elements/nova/install.d/74-nova
@@ -0,0 +1,55 @@
+#!/bin/bash
+set -eux
+
+function install_dnsmasq_upstart {
+ cat > /etc/init/nova-bm-dnsmasq.conf << eof
+start on runlevel [2345]
+stop on runlevel [016]
+pre-start script
+ mkdir -p /tftpboot
+ chown -R nova:nova /tftpboot
+ killall -9 dnsmasq || echo 'no dnsmasq running'
+end script
+task
+
+script
+ exec dnsmasq --conf-file= \\
+ --port=0 \\
+ --enable-tftp \\
+ --tftp-root=/tftpboot \\
+ --dhcp-boot=pxelinux.0 \\
+ --bind-interfaces \\
+ --pid-file=/var/run/dnsmasq.pid \\
+ --interface=eth0 \\
+ --dhcp-range=10.8.53.201,10.8.53.206,29
+end script
+eof
+}
+
+install-packages dnsmasq novnc dnsmasq-utils ebtables
+
+os-svc-install -n nova -u nova -r https://github.com/openstack/nova.git
+
+# for libvirt clouds only
+install-packages libvirt-bin python-libvirt kvm pm-utils syslinux
+usermod -a -G libvirtd nova
+
+mkdir -p /var/run/nova/keys && chown -R nova:nova /var/run/nova/keys
+os-svc-daemon nova-api nova nova-api "--config-dir /etc/nova"
+os-svc-daemon nova-rpc-zmq-receiver nova nova-rpc-zmq-receiver "--config-dir /etc/nova"
+os-svc-daemon nova-cert nova nova-cert "--config-dir /etc/nova"
+os-svc-daemon nova-scheduler nova nova-scheduler "--config-dir /etc/nova --debug"
+os-svc-daemon nova-consoleauth nova nova-consoleauth "--config-dir /etc/nova"
+os-svc-daemon nova-conductor nova nova-conductor "--config-dir /etc/nova"
+os-svc-daemon nova-compute nova nova-compute "--config-dir /etc/nova"
+os-svc-daemon nova-baremetal-deploy-helper \
+ nova nova-baremetal-deploy-helper "--config-dir /etc/nova"
+install_dnsmasq_upstart
+
+mkdir -p /tftpboot/pxelinux.cfg/
+cp /usr/lib/syslinux/pxelinux.0 /tftpboot/
+chown -R nova:nova /var/lib/misc/
+
+echo "nova ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/nova
+chmod 0440 /etc/sudoers.d/nova
+visudo -c
diff --git a/elements/nova/os-config-applier/etc/nova/api-paste.ini b/elements/nova/os-config-applier/etc/nova/api-paste.ini
new file mode 100644
index 00000000..615fe29c
--- /dev/null
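Review bot: The sudoers line near the end of the hunk, `echo "nova ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/nova`, gives the nova service account unrestricted passwordless root, which makes every rootwrap filter file added in this same patch meaningless: a compromise of nova-api or nova-compute (both registered here to run as nova) is root on the host. Restrict it to the rootwrap entry point nova actually needs, e.g. `nova ALL=(root) NOPASSWD: /usr/local/bin/nova-rootwrap /etc/nova/rootwrap.conf *`, adjusting the path to wherever os-svc-install places the nova console scripts. Two smaller points in the same hunk: the upstart job runs dnsmasq as root and its pre-start does `killall -9 dnsmasq`, which also kills any unrelated dnsmasq on the host, and `chown -R nova:nova /tftpboot` after `cp /usr/lib/syslinux/pxelinux.0 /tftpboot/` leaves the boot loader served to every deploying node writable by the nova user when only pxelinux.cfg/ (and whatever the PXE driver writes per node) needs to be. The interface and DHCP range (`--interface=eth0`, `--dhcp-range=10.8.53.201,10.8.53.206,29`) are hard-coded here while every other site value in the element comes from metadata templates, so they should be templated the same way.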
+++ b/elements/nova/os-config-applier/etc/nova/api-paste.ini 
@@ -0,0 +1,107 @@
+############
+# Metadata #
+############
+[composite:metadata]
+use = egg:Paste#urlmap
+/: meta
+
+[pipeline:meta]
+pipeline = ec2faultwrap logrequest metaapp
+
+[app:metaapp]
+paste.app_factory = nova.api.metadata.handler:MetadataRequestHandler.factory
+
+#######
+# EC2 #
+#######
+
+[composite:ec2]
+use = egg:Paste#urlmap
+/services/Cloud: ec2cloud
+
+[composite:ec2cloud]
+use = call:nova.api.auth:pipeline_factory
+noauth = ec2faultwrap logrequest ec2noauth cloudrequest validator ec2executor
+keystone = ec2faultwrap logrequest ec2keystoneauth cloudrequest validator ec2executor
+
+[filter:ec2faultwrap]
+paste.filter_factory = nova.api.ec2:FaultWrapper.factory
+
+[filter:logrequest]
+paste.filter_factory = nova.api.ec2:RequestLogging.factory
+
+[filter:ec2lockout]
+paste.filter_factory = nova.api.ec2:Lockout.factory
+
+[filter:ec2keystoneauth]
+paste.filter_factory = nova.api.ec2:EC2KeystoneAuth.factory
+
+[filter:ec2noauth]
+paste.filter_factory = nova.api.ec2:NoAuth.factory
+
+[filter:cloudrequest]
+controller = nova.api.ec2.cloud.CloudController
+paste.filter_factory = nova.api.ec2:Requestify.factory
+
+[filter:authorizer]
+paste.filter_factory = nova.api.ec2:Authorizer.factory
+
+[filter:validator]
+paste.filter_factory = nova.api.ec2:Validator.factory
+
+[app:ec2executor]
+paste.app_factory = nova.api.ec2:Executor.factory
+
+#############
+# Openstack #
+#############
+
+[composite:osapi_compute]
+use = call:nova.api.openstack.urlmap:urlmap_factory
+/: oscomputeversions
+/v1.1: openstack_compute_api_v2
+/v2: openstack_compute_api_v2
+
+[composite:openstack_compute_api_v2]
+use = call:nova.api.auth:pipeline_factory
+noauth = faultwrap sizelimit noauth ratelimit osapi_compute_app_v2
+keystone = faultwrap sizelimit authtoken keystonecontext ratelimit osapi_compute_app_v2
+keystone_nolimit = faultwrap sizelimit authtoken keystonecontext osapi_compute_app_v2
+
+[filter:faultwrap]
+paste.filter_factory = nova.api.openstack:FaultWrapper.factory
+
+[filter:noauth]
+paste.filter_factory = nova.api.openstack.auth:NoAuthMiddleware.factory
+
+[filter:ratelimit]
+paste.filter_factory = nova.api.openstack.compute.limits:RateLimitingMiddleware.factory
+
+[filter:sizelimit]
+paste.filter_factory = nova.api.sizelimit:RequestBodySizeLimiter.factory
+
+[app:osapi_compute_app_v2]
+paste.app_factory = nova.api.openstack.compute:APIRouter.factory
+
+[pipeline:oscomputeversions]
+pipeline = faultwrap oscomputeversionapp
+
+[app:oscomputeversionapp]
+paste.app_factory = nova.api.openstack.compute.versions:Versions.factory
+
+##########
+# Shared #
+##########
+
+[filter:keystonecontext]
+paste.filter_factory = nova.api.auth:NovaKeystoneContext.factory
+
+[filter:authtoken]
+paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
+auth_host = {{keystone.host}}
+auth_port = 35357
+admin_password = {{service-password}}
+auth_protocol = http
+admin_tenant_name = service
+admin_user = nova
+signing_dir = /tmp/keystone-signing-nova
diff --git a/elements/nova/os-config-applier/etc/nova/logging.conf b/elements/nova/os-config-applier/etc/nova/logging.conf
new file mode 100644
index 00000000..47459efe
--- /dev/null
+++ b/elements/nova/os-config-applier/etc/nova/logging.conf
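Review bot: `signing_dir = /tmp/keystone-signing-nova` in the `[filter:authtoken]` section puts the directory where auth_token caches Keystone's signing certificate and CA into a world-writable location; a local user who pre-creates that path before nova-api first starts can plant their own CA there and, if the cached copy is trusted, have forged PKI tokens accepted by every API in this file. Use a nova-owned directory outside /tmp, e.g. `signing_dir = /var/cache/nova/keystone-signing`, and create it in install.d with mode 0700 for the nova user (later keystoneclient releases check the permissions of this directory themselves, so confirm the behaviour of the version os-svc-install pulls). `auth_protocol = http` also sends `admin_password` to Keystone's admin port in clear text; that is only acceptable on an isolated management network, so a comment stating that assumption, e.g. `# plain http: assumes keystone.host is reachable only over the management network`, would save the next deployer from guessing.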
@@ -0,0 +1,76 @@
+[loggers]
+keys = root, nova
+
+[handlers]
+keys = stderr, stdout, watchedfile, syslog, null
+
+[formatters]
+keys = legacynova, default
+
+[logger_root]
+level = WARNING
+handlers = null
+
+[logger_nova]
+level = INFO
+handlers = stderr
+qualname = nova
+
+[logger_amqplib]
+level = WARNING
+handlers = stderr
+qualname = amqplib
+
+[logger_sqlalchemy]
+level = WARNING
+handlers = stderr
+qualname = sqlalchemy
+# "level = INFO" logs SQL queries.
+# "level = DEBUG" logs SQL queries and results.
+# "level = WARNING" logs neither. (Recommended for production systems.)
+
+[logger_boto]
+level = WARNING
+handlers = stderr
+qualname = boto
+
+[logger_suds]
+level = INFO
+handlers = stderr
+qualname = suds
+
+[logger_eventletwsgi]
+level = WARNING
+handlers = stderr
+qualname = eventlet.wsgi.server
+
+[handler_stderr]
+class = StreamHandler
+args = (sys.stderr,)
+formatter = legacynova
+
+[handler_stdout]
+class = StreamHandler
+args = (sys.stdout,)
+formatter = legacynova
+
+[handler_watchedfile]
+class = handlers.WatchedFileHandler
+args = ('/var/log/nova/nova.log',)
+formatter = legacynova
+
+[handler_syslog]
+class = handlers.SysLogHandler
+args = ('/dev/log', handlers.SysLogHandler.LOG_USER)
+formatter = legacynova
+
+[handler_null]
+class = nova.openstack.common.log.NullHandler
+formatter = default
+args = ()
+
+[formatter_legacynova]
+class = nova.openstack.common.log.LegacyFormatter
+
+[formatter_default]
+format = %(message)s
diff --git a/elements/nova/os-config-applier/etc/nova/nova.conf b/elements/nova/os-config-applier/etc/nova/nova.conf
new file mode 100644
index 00000000..58c4a5a9
--- /dev/null
+++ b/elements/nova/os-config-applier/etc/nova/nova.conf
@@ -0,0 +1,88 @@
+[DEFAULT]
+debug = True
+
+s3_host={{keystone.host}}
+ec2_host={{keystone.host}}
+ec2_dmz_host={{keystone.host}}
+ec2_url=http://{{nova.host}}:8773/services/Cloud
+rabbit_host={{rabbit.host}}
+cc_host={{keystone.host}}
+nova_url=http://{{nova.host}}:8774/v1.1/
+
+log_config=/etc/nova/logging.conf
+
+sql_connection={{nova.db}}
+
+logdir=/var/log/nova
+state_path=/var/lib/nova
+lock_path=/var/lib/nova
+api_paste_config=/etc/nova/api-paste.ini
+verbose=True
+
+# Auth
+use_deprecated_auth=false
+auth_strategy=keystone
+keystone_ec2_url=http://{{keystone.host}}:5000/v2.0/ec2tokens
+# Imaging service
+glance_api_servers={{glance.host}}:9292
+image_service=nova.image.glance.GlanceImageService
+
+# Vnc configuration
+novnc_enabled=true
+novncproxy_base_url=http://{{nova.host}}:6080/vnc_auto.html
+novncproxy_port=6080
+vncserver_proxyclient_address=127.0.0.1
+vncserver_listen=0.0.0.0
+
+# Networking #
+network_api_class=nova.network.quantumv2.api.API
+quantum_url=http://{{quantum.host}}:9696
+quantum_auth_strategy=keystone
+quantum_admin_tenant_name=service
+quantum_admin_username=quantum
+quantum_admin_password={{service-password}}
+quantum_admin_auth_url=http://{{keystone.host}}:35357/v2.0
+libvirt_vif_driver=nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver
+linuxnet_interface_driver=nova.network.linux_net.LinuxOVSInterfaceDriver
+firewall_driver = nova.virt.firewall.NoopFirewallDriver
+fixed_range = 192.0.2.32/29
+
+dhcpbridge_flagfile=/etc/nova/nova.conf
+dhcpbridge=/usr/bin/nova-dhcpbridge
+
+rootwrap_config=/etc/nova/rootwrap.conf
+
+# Cinder #
+volume_api_class=nova.volume.cinder.API
+osapi_volume_listen_port=5900
+
+rabbit_host={{rabbit.host}}
+rabbit_password={{rabbit.password}}
+
+
+state_path=/var/lib/nova
+lock_path=/var/lib/nova
+keys_path=/var/lib/nova/keys
+
+enabled_apis = ec2,osapi_compute,metadata,openstack_compute_api_v2
+
+dhcpbridge_flagfile = /etc/nova/nova.conf
+dhcpbridge=/usr/local/bin/nova-dhcpbridge
+
+scheduler_default_filters
= AllHostsFilter
+
+# TODO: driver must be configurable.
+scheduler_host_manager = nova.scheduler.baremetal_host_manager.BaremetalHostManager
+compute_driver = baremetal.driver.BareMetalDriver
+
+[baremetal]
+sql_connection = {{nova.bm_db}}
+net_config_template = /opt/stack/nova/nova/virt/baremetal/net-static.ubuntu.template
+tftp_root = /tftpboot
+instance_type_extra_specs = cpu_arch:i386
+
+power_manager = nova.virt.baremetal.virtual_power_driver.VirtualPowerManager
+driver = nova.virt.baremetal.pxe.PXE
+virtual_power_host_user={{nova.virtual_power_user}}
+virtual_power_host_pass={{nova.virtual_power_pass}}
+virtual_power_ssh_host={{nova.virtual_power_ssh_host}}
diff --git a/elements/nova/os-config-applier/etc/nova/rootwrap.conf b/elements/nova/os-config-applier/etc/nova/rootwrap.conf
new file mode 100644
index 00000000..6a24bb7d
--- /dev/null
+++ b/elements/nova/os-config-applier/etc/nova/rootwrap.conf
@@ -0,0 +1,6 @@
+[DEFAULT]
+filters_path=/etc/nova/rootwrap.d,/usr/share/nova/rootwrap
+exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin
+use_syslog=False
+syslog_log_facility=syslog
+syslog_log_level=ERROR
diff --git a/elements/nova/os-config-applier/etc/nova/rootwrap.d/api-metadata.filters b/elements/nova/os-config-applier/etc/nova/rootwrap.d/api-metadata.filters
new file mode 100644
index 00000000..1aa6f83e
--- /dev/null
+++ b/elements/nova/os-config-applier/etc/nova/rootwrap.d/api-metadata.filters
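Review bot: `debug = True` and `verbose=True` are set unconditionally at the top of `[DEFAULT]` (and install.d passes `--debug` to the scheduler on top), so every deployment built from this element runs with debug logging that can expose request payloads, connection strings and similar data in /var/log/nova, with no metadata knob to switch it off. Make them template-driven, e.g. `debug = {{nova.debug}}` with a false default, the way the hosts and passwords in this file already are. Separately, `vncserver_listen=0.0.0.0` next to `vncserver_proxyclient_address=127.0.0.1` means the proxy connects locally while the unauthenticated VNC consoles are bound on every interface, and `firewall_driver = nova.virt.firewall.NoopFirewallDriver` means nova adds no host rules to compensate; `vncserver_listen=127.0.0.1` matches the proxyclient address and is the safer default for the libvirt case this element says it wants to support. This file also carries `rabbit_password`, `quantum_admin_password` and `virtual_power_host_pass` in clear text, so whatever renders it must keep it readable only by root and nova; the patch does not show the mode os-config-applier writes it with, so that is worth checking.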
@@ -0,0 +1,13 @@
+# nova-rootwrap command filters for api-metadata nodes
+# This is needed on nova-api hosts running with "metadata" in enabled_apis
+# or when running nova-api-metadata
+# This file should be owned by (and only-writeable by) the root user
+
+[Filters]
+# nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ...
+iptables-save: CommandFilter, iptables-save, root
+ip6tables-save: CommandFilter, ip6tables-save, root
+
+# nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,)
+iptables-restore: CommandFilter, iptables-restore, root
+ip6tables-restore: CommandFilter, ip6tables-restore, root
diff --git a/elements/nova/os-config-applier/etc/nova/rootwrap.d/baremetal-compute-ipmi.filters b/elements/nova/os-config-applier/etc/nova/rootwrap.d/baremetal-compute-ipmi.filters
new file mode 100644
index 00000000..a2858cd1
--- /dev/null
+++ b/elements/nova/os-config-applier/etc/nova/rootwrap.d/baremetal-compute-ipmi.filters
@@ -0,0 +1,9 @@
+# nova-rootwrap command filters for compute nodes
+# This file should be owned by (and only-writeable by) the root user
+
+[Filters]
+# nova/virt/baremetal/ipmi.py: 'ipmitool', ..
+ipmitool: CommandFilter, /usr/bin/ipmitool, root
+
+# nova/virt/baremetal/ipmi.py: 'kill', '-TERM', str(console_pid)
+kill_shellinaboxd: KillFilter, root, /usr/local/bin/shellinaboxd, -15, -TERM
diff --git a/elements/nova/os-config-applier/etc/nova/rootwrap.d/baremetal-deploy-helper.filters b/elements/nova/os-config-applier/etc/nova/rootwrap.d/baremetal-deploy-helper.filters
new file mode 100644
index 00000000..65416bbf
--- /dev/null
+++ b/elements/nova/os-config-applier/etc/nova/rootwrap.d/baremetal-deploy-helper.filters
@@ -0,0 +1,10 @@
+# nova-rootwrap command filters for nova-baremetal-deploy-helper
+# This file should be owned by (and only-writeable by) the root user
+
+[Filters]
+# nova-baremetal-deploy-helper
+iscsiadm: CommandFilter, /sbin/iscsiadm, root
+fdisk: CommandFilter, /sbin/fdisk, root
+dd: CommandFilter, /bin/dd, root
+mkswap: CommandFilter, /sbin/mkswap, root
+blkid: CommandFilter, /sbin/blkid, root
diff --git a/elements/nova/os-config-applier/etc/nova/rootwrap.d/compute.filters b/elements/nova/os-config-applier/etc/nova/rootwrap.d/compute.filters
new file mode 100644
index 00000000..6396315b
--- /dev/null
+++ b/elements/nova/os-config-applier/etc/nova/rootwrap.d/compute.filters
@@ -0,0 +1,187 @@
+# nova-rootwrap command filters for compute nodes
+# This file should be owned by (and only-writeable by) the root user
+
+[Filters]
+# nova/virt/disk/mount/api.py: 'kpartx', '-a', device
+# nova/virt/disk/mount/api.py: 'kpartx', '-d', device
+kpartx: CommandFilter, /sbin/kpartx, root
+
+# nova/virt/xenapi/vm_utils.py: tune2fs, -O ^has_journal, part_path
+# nova/virt/xenapi/vm_utils.py: tune2fs, -j, partition_path
+tune2fs: CommandFilter, /sbin/tune2fs, root
+
+# nova/virt/disk/mount/api.py: 'mount', mapped_device
+# nova/virt/disk/api.py: 'mount', '-o', 'bind', src, target
+# nova/virt/xenapi/vm_utils.py: 'mount', '-t', 'ext2,ext3,ext4,reiserfs'..
+# nova/virt/configdrive.py: 'mount', device, mountdir
+mount: CommandFilter, /bin/mount, root
+
+# nova/virt/disk/mount/api.py: 'umount', mapped_device
+# nova/virt/disk/api.py: 'umount' target
+# nova/virt/xenapi/vm_utils.py: 'umount', dev_path
+# nova/virt/configdrive.py: 'umount', mountdir
+umount: CommandFilter, /bin/umount, root
+
+# nova/virt/disk/mount/nbd.py: 'qemu-nbd', '-c', device, image
+# nova/virt/disk/mount/nbd.py: 'qemu-nbd', '-d', device
+qemu-nbd: CommandFilter, /usr/bin/qemu-nbd, root
+
+# nova/virt/disk/mount/loop.py: 'losetup', '--find', '--show', image
+# nova/virt/disk/mount/loop.py: 'losetup', '--detach', device
+losetup: CommandFilter, /sbin/losetup, root
+
+# nova/virt/disk/vfs/localfs.py: 'tee', canonpath
+tee: CommandFilter, /usr/bin/tee, root
+
+# nova/virt/disk/vfs/localfs.py: 'mkdir', canonpath
+mkdir: CommandFilter, /bin/mkdir, root
+
+# nova/virt/disk/vfs/localfs.py: 'chown'
+# nova/virt/libvirt/connection.py: 'chown', os.getuid( console_log
+# nova/virt/libvirt/connection.py: 'chown', os.getuid( console_log
+# nova/virt/libvirt/connection.py: 'chown', 'root', basepath('disk')
+# nova/utils.py: 'chown', owner_uid, path
+chown: CommandFilter, /bin/chown, root
+
+# nova/virt/disk/vfs/localfs.py: 'chmod'
+chmod: CommandFilter, /bin/chmod, root
+
+#
nova/virt/libvirt/vif.py: 'ip', 'tuntap', 'add', dev, 'mode', 'tap'
+# nova/virt/libvirt/vif.py: 'ip', 'link', 'set', dev, 'up'
+# nova/virt/libvirt/vif.py: 'ip', 'link', 'delete', dev
+# nova/network/linux_net.py: 'ip', 'addr', 'add', str(floating_ip)+'/32'i..
+# nova/network/linux_net.py: 'ip', 'addr', 'del', str(floating_ip)+'/32'..
+# nova/network/linux_net.py: 'ip', 'addr', 'add', '169.254.169.254/32',..
+# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', dev, 'scope',..
+# nova/network/linux_net.py: 'ip', 'addr', 'del/add', ip_params, dev)
+# nova/network/linux_net.py: 'ip', 'addr', 'del', params, fields[-1]
+# nova/network/linux_net.py: 'ip', 'addr', 'add', params, bridge
+# nova/network/linux_net.py: 'ip', '-f', 'inet6', 'addr', 'change', ..
+# nova/network/linux_net.py: 'ip', 'link', 'set', 'dev', dev, 'promisc',..
+# nova/network/linux_net.py: 'ip', 'link', 'add', 'link', bridge_if ...
+# nova/network/linux_net.py: 'ip', 'link', 'set', interface, address,..
+# nova/network/linux_net.py: 'ip', 'link', 'set', interface, 'up'
+# nova/network/linux_net.py: 'ip', 'link', 'set', bridge, 'up'
+# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', interface, ..
+# nova/network/linux_net.py: 'ip', 'link', 'set', dev, address, ..
+# nova/network/linux_net.py: 'ip', 'link', 'set', dev, 'up'
+# nova/network/linux_net.py: 'ip', 'route', 'add', ..
+# nova/network/linux_net.py: 'ip', 'route', 'del', .
+# nova/network/linux_net.py: 'ip', 'route', 'show', 'dev', dev
+ip: CommandFilter, /sbin/ip, root
+
+# nova/virt/libvirt/vif.py: 'tunctl', '-b', '-t', dev
+# nova/network/linux_net.py: 'tunctl', '-b', '-t', dev
+tunctl: CommandFilter, tunctl, root
+
+# nova/virt/libvirt/vif.py: 'ovs-vsctl', ...
+# nova/virt/libvirt/vif.py: 'ovs-vsctl', 'del-port', ...
+# nova/network/linux_net.py: 'ovs-vsctl', ....
+ovs-vsctl: CommandFilter, /usr/bin/ovs-vsctl, root
+
+# nova/network/linux_net.py: 'ovs-ofctl', ....
+ovs-ofctl: CommandFilter, /usr/bin/ovs-ofctl, root
+
+# nova/virt/libvirt/connection.py: 'dd', if=%s % virsh_output, ...
+dd: CommandFilter, /bin/dd, root
+
+# nova/virt/xenapi/volume_utils.py: 'iscsiadm', '-m', ...
+iscsiadm: CommandFilter, iscsiadm, root
+
+# nova/virt/libvirt/volume.py: 'aoe-revalidate', aoedev
+# nova/virt/libvirt/volume.py: 'aoe-discover'
+aoe-revalidate: CommandFilter, /usr/sbin/aoe-revalidate, root
+aoe-discover: CommandFilter, /usr/sbin/aoe-discover, root
+
+# nova/virt/xenapi/vm_utils.py: parted, --script, ...
+# nova/virt/xenapi/vm_utils.py: 'parted', '--script', dev_path, ..*.
+parted: CommandFilter, parted, root
+
+# nova/virt/xenapi/vm_utils.py: 'pygrub', '-qn', dev_path
+pygrub: CommandFilter, /usr/bin/pygrub, root
+
+# nova/virt/xenapi/vm_utils.py: fdisk %(dev_path)s
+fdisk: CommandFilter, /sbin/fdisk, root
+
+# nova/virt/xenapi/vm_utils.py: e2fsck, -f, -p, partition_path
+# nova/virt/disk/api.py: e2fsck, -f, -p, image
+e2fsck: CommandFilter, /sbin/e2fsck, root
+
+# nova/virt/xenapi/vm_utils.py: resize2fs, partition_path
+# nova/virt/disk/api.py: resize2fs, image
+resize2fs: CommandFilter, /sbin/resize2fs, root
+
+# nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ...
+iptables-save: CommandFilter, iptables-save, root
+ip6tables-save: CommandFilter, ip6tables-save, root
+
+# nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,)
+iptables-restore: CommandFilter, iptables-restore, root
+ip6tables-restore: CommandFilter, ip6tables-restore, root
+
+# nova/network/linux_net.py: 'arping', '-U', floating_ip, '-A', '-I', ...
+# nova/network/linux_net.py: 'arping', '-U', network_ref['dhcp_server'],..
+arping: CommandFilter, arping, root
+
+# nova/network/linux_net.py: 'dhcp_release', dev, address, mac_address
+dhcp_release: CommandFilter, /usr/bin/dhcp_release, root
+
+# nova/network/linux_net.py: 'kill', '-9', pid
+# nova/network/linux_net.py: 'kill', '-HUP', pid
+kill_dnsmasq: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP
+
+# nova/network/linux_net.py: 'kill', pid
+kill_radvd: KillFilter, root, /usr/sbin/radvd
+
+# nova/network/linux_net.py: dnsmasq call
+dnsmasq: DnsmasqFilter, /usr/sbin/dnsmasq, root
+dnsmasq_deprecated: DeprecatedDnsmasqFilter, /usr/sbin/dnsmasq, root
+
+# nova/network/linux_net.py: 'radvd', '-C', '%s' % _ra_file(dev, 'conf'..
+radvd: CommandFilter, /usr/sbin/radvd, root
+
+# nova/network/linux_net.py: 'brctl', 'addbr', bridge
+# nova/network/linux_net.py: 'brctl', 'setfd', bridge, 0
+# nova/network/linux_net.py: 'brctl', 'stp', bridge, 'off'
+# nova/network/linux_net.py: 'brctl', 'addif', bridge, interface
+brctl: CommandFilter, brctl, root
+
+# nova/virt/libvirt/utils.py: 'mkswap'
+# nova/virt/xenapi/vm_utils.py: 'mkswap'
+mkswap: CommandFilter, /sbin/mkswap, root
+
+# nova/virt/xenapi/vm_utils.py: 'mkfs'
+mkfs: CommandFilter, /sbin/mkfs, root
+
+# nova/virt/libvirt/utils.py: 'qemu-img'
+qemu-img: CommandFilter, /usr/bin/qemu-img, root
+
+# nova/virt/disk/vfs/localfs.py: 'readlink', '-e'
+readlink: CommandFilter, readlink, root
+
+# nova/virt/disk/api.py: 'touch', target
+touch: CommandFilter, /usr/bin/touch, root
+
+# nova/virt/libvirt/connection.py:
+read_initiator: ReadFileFilter, /etc/iscsi/initiatorname.iscsi
+
+# nova/virt/libvirt/connection.py:
+lvremove: CommandFilter, /sbin/lvremove, root
+
+# nova/virt/libvirt/utils.py:
+lvcreate: CommandFilter, /sbin/lvcreate, root
+
+# nova/virt/libvirt/utils.py:
+lvs: CommandFilter, /sbin/lvs, root
+
+# nova/virt/libvirt/utils.py:
+vgs: CommandFilter, /sbin/vgs, root
+
+# nova/virt/baremetal/volume_driver.py: 'tgtadm', '--lld', 'iscsi', ...
+tgtadm: CommandFilter, /usr/sbin/tgtadm, root
+
+# nova/utils.py:read_file_as_root: 'cat', file_path
+# (called from nova/virt/disk/vfs/localfs.py:VFSLocalFS.read_file)
+read_passwd: RegExpFilter, cat, root, cat, (/var|/usr)?/tmp/openstack-vfs-localfs[^/]+/etc/passwd
+read_shadow: RegExpFilter, cat, root, cat, (/var|/usr)?/tmp/openstack-vfs-localfs[^/]+/etc/shadow
+
diff --git a/elements/nova/os-config-applier/etc/nova/rootwrap.d/network.filters b/elements/nova/os-config-applier/etc/nova/rootwrap.d/network.filters
new file mode 100644
index 00000000..c58bc77e
--- /dev/null
+++ b/elements/nova/os-config-applier/etc/nova/rootwrap.d/network.filters
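Review bot: compute.filters lets the nova user run `tee`, `chown`, `chmod`, `mount`, `dd` and `qemu-nbd` as root with no argument restrictions, which is root in all but name, while the element configures `compute_driver = baremetal.driver.BareMetalDriver` in nova.conf and ships dedicated `baremetal-*.filters` for what that driver and the deploy helper actually call. Unless the "libvirt clouds only" path in install.d is really enabled on the image, this file should not be installed at all, or the libvirt/xenapi-only entries (qemu-nbd, losetup, pygrub, the lv*/vgs tools, read_passwd/read_shadow) should be dropped so the rootwrap surface matches the driver in use; the `tgtadm` entry near the end is the only one here attributed to nova/virt/baremetal. Whatever stays must be root-owned and not writable by nova, as the file header says, and neither install.d nor post-configure.d sets that, so confirm what ownership os-config-applier gives /etc/nova/rootwrap.d when it renders these files. The content looks like an unmodified copy of nova's own etc/nova/rootwrap.d files, so this is about scope, not the entries themselves.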
@@ -0,0 +1,78 @@
+# nova-rootwrap command filters for network nodes
+# This file should be owned by (and only-writeable by) the root user
+
+[Filters]
+# nova/virt/libvirt/vif.py: 'ip', 'tuntap', 'add', dev, 'mode', 'tap'
+# nova/virt/libvirt/vif.py: 'ip', 'link', 'set', dev, 'up'
+# nova/virt/libvirt/vif.py: 'ip', 'link', 'delete', dev
+# nova/network/linux_net.py: 'ip', 'addr', 'add', str(floating_ip)+'/32'i..
+# nova/network/linux_net.py: 'ip', 'addr', 'del', str(floating_ip)+'/32'..
+# nova/network/linux_net.py: 'ip', 'addr', 'add', '169.254.169.254/32',..
+# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', dev, 'scope',..
+# nova/network/linux_net.py: 'ip', 'addr', 'del/add', ip_params, dev)
+# nova/network/linux_net.py: 'ip', 'addr', 'del', params, fields[-1]
+# nova/network/linux_net.py: 'ip', 'addr', 'add', params, bridge
+# nova/network/linux_net.py: 'ip', '-f', 'inet6', 'addr', 'change', ..
+# nova/network/linux_net.py: 'ip', 'link', 'set', 'dev', dev, 'promisc',..
+# nova/network/linux_net.py: 'ip', 'link', 'add', 'link', bridge_if ...
+# nova/network/linux_net.py: 'ip', 'link', 'set', interface, address,..
+# nova/network/linux_net.py: 'ip', 'link', 'set', interface, 'up'
+# nova/network/linux_net.py: 'ip', 'link', 'set', bridge, 'up'
+# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', interface, ..
+# nova/network/linux_net.py: 'ip', 'link', 'set', dev, address, ..
+# nova/network/linux_net.py: 'ip', 'link', 'set', dev, 'up'
+# nova/network/linux_net.py: 'ip', 'route', 'add', ..
+# nova/network/linux_net.py: 'ip', 'route', 'del', .
+# nova/network/linux_net.py: 'ip', 'route', 'show', 'dev', dev
+ip: CommandFilter, /sbin/ip, root
+
+# nova/virt/libvirt/vif.py: 'ovs-vsctl', ...
+# nova/virt/libvirt/vif.py: 'ovs-vsctl', 'del-port', ...
+# nova/network/linux_net.py: 'ovs-vsctl', ....
+ovs-vsctl: CommandFilter, /usr/bin/ovs-vsctl, root
+
+# nova/network/linux_net.py: 'ovs-ofctl', ....
+ovs-ofctl: CommandFilter, /usr/bin/ovs-ofctl, root
+
+# nova/network/linux_net.py: 'ebtables', '-D' ...
+# nova/network/linux_net.py: 'ebtables', '-I' ...
+ebtables: CommandFilter, /sbin/ebtables, root
+ebtables_usr: CommandFilter, /usr/sbin/ebtables, root
+
+# nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ...
+iptables-save: CommandFilter, iptables-save, root
+ip6tables-save: CommandFilter, ip6tables-save, root
+
+# nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,)
+iptables-restore: CommandFilter, iptables-restore, root
+ip6tables-restore: CommandFilter, ip6tables-restore, root
+
+# nova/network/linux_net.py: 'arping', '-U', floating_ip, '-A', '-I', ...
+# nova/network/linux_net.py: 'arping', '-U', network_ref['dhcp_server'],..
+arping: CommandFilter, arping, root
+
+# nova/network/linux_net.py: 'dhcp_release', dev, address, mac_address
+dhcp_release: CommandFilter, /usr/bin/dhcp_release, root
+
+# nova/network/linux_net.py: 'kill', '-9', pid
+# nova/network/linux_net.py: 'kill', '-HUP', pid
+kill_dnsmasq: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP
+
+# nova/network/linux_net.py: 'kill', pid
+kill_radvd: KillFilter, root, /usr/sbin/radvd
+
+# nova/network/linux_net.py: dnsmasq call
+dnsmasq: DnsmasqFilter, /usr/sbin/dnsmasq, root
+dnsmasq_deprecated: DeprecatedDnsmasqFilter, /usr/sbin/dnsmasq, root
+
+# nova/network/linux_net.py: 'radvd', '-C', '%s' % _ra_file(dev, 'conf'..
+radvd: CommandFilter, /usr/sbin/radvd, root
+
+# nova/network/linux_net.py: 'brctl', 'addbr', bridge
+# nova/network/linux_net.py: 'brctl', 'setfd', bridge, 0
+# nova/network/linux_net.py: 'brctl', 'stp', bridge, 'off'
+# nova/network/linux_net.py: 'brctl', 'addif', bridge, interface
+brctl: CommandFilter, brctl, root
+
+# nova/network/linux_net.py: 'sysctl', ....
+sysctl: CommandFilter, /sbin/sysctl, root
diff --git a/elements/nova/os-refresh-config/post-configure.d/74-nova b/elements/nova/os-refresh-config/post-configure.d/74-nova
new file mode 100755
index 00000000..4d71162b
--- /dev/null
+++ b/elements/nova/os-refresh-config/post-configure.d/74-nova
@@ -0,0 +1,21 @@
+#!/bin/bash
+set -eux
+
+modprobe nbd || true
+
+chown -R nova:nova /var/log/nova
+
+# TODO: for compute nodes only
+mkdir -p /var/run/nova/instances
+chown -R nova:nova /var/run/nova
+mkdir -p /tftpboot
+chown -R nova:nova /tftpboot
+service nova-conductor restart
+service nova-api restart
+service nova-cert restart
+service nova-rpc-zmq-receiver restart
+service nova-compute restart
+service nova-scheduler restart
+service nova-consoleauth restart
+service nova-baremetal-deploy-helper restart
+service nova-bm-dnsmasq restart
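Review bot: `chown -R nova:nova /tftpboot` on every configuration run hands the nova service account write access to pxelinux.0 (copied there by install.d) and to everything the root-run dnsmasq serves over TFTP, so a compromise of any nova daemon can replace the boot loader delivered to every bare-metal node this host deploys. Limit nova's writable area to what the PXE driver needs, e.g. `chown root:root /tftpboot /tftpboot/pxelinux.0` followed by `chown -R nova:nova /tftpboot/pxelinux.cfg`; the driver also writes per-instance kernel/ramdisk paths under tftp_root, so check which subdirectories it creates before tightening further. The same `chown -R nova:nova /tftpboot` already runs in the upstart job's pre-start in install.d, so whichever scope is chosen should be applied in one place with a comment such as `# nova only needs to write PXE configs; pxelinux.0 stays root-owned`. It is also worth noting that this script re-chowns and restarts everything unconditionally, so the earlier `# TODO: for compute nodes only` should name which lines it covers.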