summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMatthew Thode <prometheanfire@gentoo.org>2015-10-19 00:25:48 -0500
committerMatthew Thode <prometheanfire@gentoo.org>2015-10-19 00:25:48 -0500
commite7acc7c2e5487da3e50a484eb6a561e3d33134bd (patch)
tree1d9981e51d87e3a39054d4c48b6a120a6b270523 /sys-cluster/nova
parentsys-cluster/cinder: fixing src_uri (diff)
downloadgentoo-e7acc7c2e5487da3e50a484eb6a561e3d33134bd.tar.gz
gentoo-e7acc7c2e5487da3e50a484eb6a561e3d33134bd.tar.bz2
gentoo-e7acc7c2e5487da3e50a484eb6a561e3d33134bd.zip
sys-cluster/nova: fixing etc install
Package-Manager: portage-2.2.20.1
Diffstat (limited to 'sys-cluster/nova')
-rw-r--r--sys-cluster/nova/Manifest1
-rw-r--r--sys-cluster/nova/files/etc.liberty/api-paste.ini140
-rw-r--r--sys-cluster/nova/files/etc.liberty/cells.json26
-rw-r--r--sys-cluster/nova/files/etc.liberty/logging_sample.conf84
-rw-r--r--sys-cluster/nova/files/etc.liberty/policy.json488
-rw-r--r--sys-cluster/nova/files/etc.liberty/rootwrap.conf27
-rw-r--r--sys-cluster/nova/files/etc.liberty/rootwrap.d/api-metadata.filters13
-rw-r--r--sys-cluster/nova/files/etc.liberty/rootwrap.d/compute.filters246
-rw-r--r--sys-cluster/nova/files/etc.liberty/rootwrap.d/network.filters91
-rw-r--r--sys-cluster/nova/nova-12.0.0.ebuild26
-rw-r--r--sys-cluster/nova/nova-2015.2.9999.ebuild24
11 files changed, 1137 insertions, 29 deletions
diff --git a/sys-cluster/nova/Manifest b/sys-cluster/nova/Manifest
index 601d009f3464..fb999f0a6975 100644
--- a/sys-cluster/nova/Manifest
+++ b/sys-cluster/nova/Manifest
@@ -1,3 +1,4 @@
+DIST liberty-nova.conf.sample 134201 SHA256 32752212c571c4a1473c3fa8bbd197a658ee54e233b4d46a157807be42997e42 SHA512 5325a31a0fccb9898bec0a022f5430dcc1729615c8eac88a4261c403f9ecd8ce2b07d73b52f3bc2c5cbe681234b30b923adb94385aac28e08d982a8f8bfef350 WHIRLPOOL 6d2894160a96742551777ce397b67f332c4f2793402f4634a2cfd0005ba99fb077cf0d0306a59e4b8c7f689914860e5d7f45d838c845d6a896a66c24f0f141c0
DIST nova-12.0.0.tar.gz 5233669 SHA256 28416df09a1f99b78d001d133e30f51acce389749d7e111c9e7dce18e7462ac4 SHA512 e3304684e090e8ec6cb45df5d77835d8b7d7c881c08e49c89cfa547a2581ec13bd66c430db01d7e82345650a1bc6fea77faa37092f00313c4fd58390ea3627d7 WHIRLPOOL 53f3afbae0cd3b8884c9074299f17b26d73074466bad491636ab0ef0fe1e636fa08267c6d26fff9d9b1850e8c9100d509fc47d1b76588d8f1564b23ebd707b17
DIST nova-2015.1.1.tar.gz 4544374 SHA256 d9b480827995727f2ccc06e4b5709e689e8a466006e07157ce92bc9d074e197e SHA512 7aad21fc59143cd4acab4a97980aafa9b1216789a0206c0d3098f5d96257e40baa77ef45696982648cc82a7f988f40525621da402871eeb398b21699932cea64 WHIRLPOOL 08b94f93be1e5821cfaaa835f33af2ddc23e75cea3dc6f1ca82be80317db95abd38dda336cca212cd68111fa65ca8c53c62f684e07acd2c1906e8d4cfc989905
DIST nova-2015.1.2.tar.gz 4564794 SHA256 8ea47c076367dec47d7bea89210f260da64171be5adf559ced8514d5fdb6c453 SHA512 c3ec70f90723dbbc6c04a1ab5e5fd43b43c4080ab6a7454bd48d47eb2f228fe22b59f999f881dfb28fbd502e084c0c8764f5cdf4b096f6af46a2f0c97f0e4f61 WHIRLPOOL d3e038905726574864cc5c4d04ead21c90c24a676bc6d5580e65a1b37830889b92b7df09165b5f97e345aa99ba94a3f42b3212119a4bae34b318aa5946052bf6
diff --git a/sys-cluster/nova/files/etc.liberty/api-paste.ini b/sys-cluster/nova/files/etc.liberty/api-paste.ini
new file mode 100644
index 000000000000..cb5ea6713ab0
--- /dev/null
+++ b/sys-cluster/nova/files/etc.liberty/api-paste.ini
@@ -0,0 +1,140 @@
+############
+# Metadata #
+############
+[composite:metadata]
+use = egg:Paste#urlmap
+/: meta
+
+[pipeline:meta]
+pipeline = ec2faultwrap logrequest metaapp
+
+[app:metaapp]
+paste.app_factory = nova.api.metadata.handler:MetadataRequestHandler.factory
+
+#######
+# EC2 #
+#######
+
+# NOTE: this is now deprecated in favor of https://github.com/stackforge/ec2-api
+[composite:ec2]
+use = egg:Paste#urlmap
+/: ec2cloud
+
+[composite:ec2cloud]
+use = call:nova.api.auth:pipeline_factory
+noauth2 = ec2faultwrap logrequest ec2noauth cloudrequest validator ec2executor
+keystone = ec2faultwrap logrequest ec2keystoneauth cloudrequest validator ec2executor
+
+[filter:ec2faultwrap]
+paste.filter_factory = nova.api.ec2:FaultWrapper.factory
+
+[filter:logrequest]
+paste.filter_factory = nova.api.ec2:RequestLogging.factory
+
+[filter:ec2lockout]
+paste.filter_factory = nova.api.ec2:Lockout.factory
+
+[filter:ec2keystoneauth]
+paste.filter_factory = nova.api.ec2:EC2KeystoneAuth.factory
+
+[filter:ec2noauth]
+paste.filter_factory = nova.api.ec2:NoAuth.factory
+
+[filter:cloudrequest]
+controller = nova.api.ec2.cloud.CloudController
+paste.filter_factory = nova.api.ec2:Requestify.factory
+
+[filter:authorizer]
+paste.filter_factory = nova.api.ec2:Authorizer.factory
+
+[filter:validator]
+paste.filter_factory = nova.api.ec2:Validator.factory
+
+[app:ec2executor]
+paste.app_factory = nova.api.ec2:Executor.factory
+
+#############
+# OpenStack #
+#############
+
+[composite:osapi_compute]
+use = call:nova.api.openstack.urlmap:urlmap_factory
+/: oscomputeversions
+# starting in Liberty the v21 implementation replaces the v2
+# implementation and is suggested that you use it as the default. If
+# this causes issues with your clients you can rollback to the
+# *frozen* v2 api by commenting out the above stanza and using the
+# following instead::
+# /v1.1: openstack_compute_api_legacy_v2
+# /v2: openstack_compute_api_legacy_v2
+# if rolling back to v2 fixes your issue please file a critical bug
+# at - https://bugs.launchpad.net/nova/+bugs
+#
+# v21 is an exactly feature match for v2, except it has more stringent
+# input validation on the wsgi surface (prevents fuzzing early on the
+# API). It also provides new features via API microversions which are
+# opt into for clients. Unaware clients will receive the same frozen
+# v2 API feature set, but with some relaxed validation
+/v1.1: openstack_compute_api_v21_legacy_v2_compatible
+/v2: openstack_compute_api_v21_legacy_v2_compatible
+/v2.1: openstack_compute_api_v21
+
+# NOTE: this is deprecated in favor of openstack_compute_api_v21_legacy_v2_compatible
+[composite:openstack_compute_api_legacy_v2]
+use = call:nova.api.auth:pipeline_factory
+noauth2 = compute_req_id faultwrap sizelimit noauth2 legacy_ratelimit osapi_compute_app_legacy_v2
+keystone = compute_req_id faultwrap sizelimit authtoken keystonecontext legacy_ratelimit osapi_compute_app_legacy_v2
+keystone_nolimit = compute_req_id faultwrap sizelimit authtoken keystonecontext osapi_compute_app_legacy_v2
+
+[composite:openstack_compute_api_v21]
+use = call:nova.api.auth:pipeline_factory_v21
+noauth2 = compute_req_id faultwrap sizelimit noauth2 osapi_compute_app_v21
+keystone = compute_req_id faultwrap sizelimit authtoken keystonecontext osapi_compute_app_v21
+
+[composite:openstack_compute_api_v21_legacy_v2_compatible]
+use = call:nova.api.auth:pipeline_factory_v21
+noauth2 = compute_req_id faultwrap sizelimit noauth2 legacy_v2_compatible osapi_compute_app_v21
+keystone = compute_req_id faultwrap sizelimit authtoken keystonecontext legacy_v2_compatible osapi_compute_app_v21
+
+[filter:request_id]
+paste.filter_factory = oslo_middleware:RequestId.factory
+
+[filter:compute_req_id]
+paste.filter_factory = nova.api.compute_req_id:ComputeReqIdMiddleware.factory
+
+[filter:faultwrap]
+paste.filter_factory = nova.api.openstack:FaultWrapper.factory
+
+[filter:noauth2]
+paste.filter_factory = nova.api.openstack.auth:NoAuthMiddleware.factory
+
+[filter:legacy_ratelimit]
+paste.filter_factory = nova.api.openstack.compute.limits:RateLimitingMiddleware.factory
+
+[filter:sizelimit]
+paste.filter_factory = oslo_middleware:RequestBodySizeLimiter.factory
+
+[filter:legacy_v2_compatible]
+paste.filter_factory = nova.api.openstack:LegacyV2CompatibleWrapper.factory
+
+[app:osapi_compute_app_legacy_v2]
+paste.app_factory = nova.api.openstack.compute:APIRouter.factory
+
+[app:osapi_compute_app_v21]
+paste.app_factory = nova.api.openstack.compute:APIRouterV21.factory
+
+[pipeline:oscomputeversions]
+pipeline = faultwrap oscomputeversionapp
+
+[app:oscomputeversionapp]
+paste.app_factory = nova.api.openstack.compute.versions:Versions.factory
+
+##########
+# Shared #
+##########
+
+[filter:keystonecontext]
+paste.filter_factory = nova.api.auth:NovaKeystoneContext.factory
+
+[filter:authtoken]
+paste.filter_factory = keystonemiddleware.auth_token:filter_factory
diff --git a/sys-cluster/nova/files/etc.liberty/cells.json b/sys-cluster/nova/files/etc.liberty/cells.json
new file mode 100644
index 000000000000..cc74930d4d7a
--- /dev/null
+++ b/sys-cluster/nova/files/etc.liberty/cells.json
@@ -0,0 +1,26 @@
+{
+ "parent": {
+ "name": "parent",
+ "api_url": "http://api.example.com:8774",
+ "transport_url": "rabbit://rabbit.example.com",
+ "weight_offset": 0.0,
+ "weight_scale": 1.0,
+ "is_parent": true
+ },
+ "cell1": {
+ "name": "cell1",
+ "api_url": "http://api.example.com:8774",
+ "transport_url": "rabbit://rabbit1.example.com",
+ "weight_offset": 0.0,
+ "weight_scale": 1.0,
+ "is_parent": false
+ },
+ "cell2": {
+ "name": "cell2",
+ "api_url": "http://api.example.com:8774",
+ "transport_url": "rabbit://rabbit2.example.com",
+ "weight_offset": 0.0,
+ "weight_scale": 1.0,
+ "is_parent": false
+ }
+}
diff --git a/sys-cluster/nova/files/etc.liberty/logging_sample.conf b/sys-cluster/nova/files/etc.liberty/logging_sample.conf
new file mode 100644
index 000000000000..03c6944fcbb6
--- /dev/null
+++ b/sys-cluster/nova/files/etc.liberty/logging_sample.conf
@@ -0,0 +1,84 @@
+[loggers]
+keys = root, nova
+
+[handlers]
+keys = stderr, stdout, watchedfile, syslog, null
+
+[formatters]
+keys = context, default
+
+[logger_root]
+level = WARNING
+handlers = null
+
+[logger_nova]
+level = INFO
+handlers = stderr
+qualname = nova
+
+[logger_amqp]
+level = WARNING
+handlers = stderr
+qualname = amqp
+
+[logger_amqplib]
+level = WARNING
+handlers = stderr
+qualname = amqplib
+
+[logger_sqlalchemy]
+level = WARNING
+handlers = stderr
+qualname = sqlalchemy
+# "level = INFO" logs SQL queries.
+# "level = DEBUG" logs SQL queries and results.
+# "level = WARNING" logs neither. (Recommended for production systems.)
+
+[logger_boto]
+level = WARNING
+handlers = stderr
+qualname = boto
+
+# NOTE(mikal): suds is used by the vmware driver, removing this will
+# cause many extraneous log lines for their tempest runs. Refer to
+# https://review.openstack.org/#/c/219225/ for details.
+[logger_suds]
+level = INFO
+handlers = stderr
+qualname = suds
+
+[logger_eventletwsgi]
+level = WARNING
+handlers = stderr
+qualname = eventlet.wsgi.server
+
+[handler_stderr]
+class = StreamHandler
+args = (sys.stderr,)
+formatter = context
+
+[handler_stdout]
+class = StreamHandler
+args = (sys.stdout,)
+formatter = context
+
+[handler_watchedfile]
+class = handlers.WatchedFileHandler
+args = ('nova.log',)
+formatter = context
+
+[handler_syslog]
+class = handlers.SysLogHandler
+args = ('/dev/log', handlers.SysLogHandler.LOG_USER)
+formatter = context
+
+[handler_null]
+class = logging.NullHandler
+formatter = default
+args = ()
+
+[formatter_context]
+class = nova.openstack.common.log.ContextFormatter
+
+[formatter_default]
+format = %(message)s
diff --git a/sys-cluster/nova/files/etc.liberty/policy.json b/sys-cluster/nova/files/etc.liberty/policy.json
new file mode 100644
index 000000000000..5f6023e5c388
--- /dev/null
+++ b/sys-cluster/nova/files/etc.liberty/policy.json
@@ -0,0 +1,488 @@
+{
+ "context_is_admin": "role:admin",
+ "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
+ "default": "rule:admin_or_owner",
+
+ "cells_scheduler_filter:TargetCellFilter": "is_admin:True",
+
+ "compute:create": "",
+ "compute:create:attach_network": "",
+ "compute:create:attach_volume": "",
+ "compute:create:forced_host": "is_admin:True",
+
+ "compute:get": "",
+ "compute:get_all": "",
+ "compute:get_all_tenants": "is_admin:True",
+
+ "compute:update": "",
+
+ "compute:get_instance_metadata": "",
+ "compute:get_all_instance_metadata": "",
+ "compute:get_all_instance_system_metadata": "",
+ "compute:update_instance_metadata": "",
+ "compute:delete_instance_metadata": "",
+
+ "compute:get_instance_faults": "",
+ "compute:get_diagnostics": "",
+ "compute:get_instance_diagnostics": "",
+
+ "compute:start": "rule:admin_or_owner",
+ "compute:stop": "rule:admin_or_owner",
+
+ "compute:get_lock": "",
+ "compute:lock": "",
+ "compute:unlock": "",
+ "compute:unlock_override": "rule:admin_api",
+
+ "compute:get_vnc_console": "",
+ "compute:get_spice_console": "",
+ "compute:get_rdp_console": "",
+ "compute:get_serial_console": "",
+ "compute:get_mks_console": "",
+ "compute:get_console_output": "",
+
+ "compute:reset_network": "",
+ "compute:inject_network_info": "",
+ "compute:add_fixed_ip": "",
+ "compute:remove_fixed_ip": "",
+
+ "compute:attach_volume": "",
+ "compute:detach_volume": "",
+ "compute:swap_volume": "",
+
+ "compute:attach_interface": "",
+ "compute:detach_interface": "",
+
+ "compute:set_admin_password": "",
+
+ "compute:rescue": "",
+ "compute:unrescue": "",
+
+ "compute:suspend": "",
+ "compute:resume": "",
+
+ "compute:pause": "",
+ "compute:unpause": "",
+
+ "compute:shelve": "",
+ "compute:shelve_offload": "",
+ "compute:unshelve": "",
+
+ "compute:snapshot": "",
+ "compute:snapshot_volume_backed": "",
+ "compute:backup": "",
+
+ "compute:resize": "",
+ "compute:confirm_resize": "",
+ "compute:revert_resize": "",
+
+ "compute:rebuild": "",
+ "compute:reboot": "",
+ "compute:delete": "rule:admin_or_owner",
+ "compute:soft_delete": "rule:admin_or_owner",
+ "compute:force_delete": "rule:admin_or_owner",
+
+ "compute:security_groups:add_to_instance": "",
+ "compute:security_groups:remove_from_instance": "",
+
+ "compute:delete": "",
+ "compute:soft_delete": "",
+ "compute:force_delete": "",
+ "compute:restore": "",
+
+ "compute:volume_snapshot_create": "",
+ "compute:volume_snapshot_delete": "",
+
+ "admin_api": "is_admin:True",
+ "compute_extension:accounts": "rule:admin_api",
+ "compute_extension:admin_actions": "rule:admin_api",
+ "compute_extension:admin_actions:pause": "rule:admin_or_owner",
+ "compute_extension:admin_actions:unpause": "rule:admin_or_owner",
+ "compute_extension:admin_actions:suspend": "rule:admin_or_owner",
+ "compute_extension:admin_actions:resume": "rule:admin_or_owner",
+ "compute_extension:admin_actions:lock": "rule:admin_or_owner",
+ "compute_extension:admin_actions:unlock": "rule:admin_or_owner",
+ "compute_extension:admin_actions:resetNetwork": "rule:admin_api",
+ "compute_extension:admin_actions:injectNetworkInfo": "rule:admin_api",
+ "compute_extension:admin_actions:createBackup": "rule:admin_or_owner",
+ "compute_extension:admin_actions:migrateLive": "rule:admin_api",
+ "compute_extension:admin_actions:resetState": "rule:admin_api",
+ "compute_extension:admin_actions:migrate": "rule:admin_api",
+ "compute_extension:aggregates": "rule:admin_api",
+ "compute_extension:agents": "rule:admin_api",
+ "compute_extension:attach_interfaces": "",
+ "compute_extension:baremetal_nodes": "rule:admin_api",
+ "compute_extension:cells": "rule:admin_api",
+ "compute_extension:cells:create": "rule:admin_api",
+ "compute_extension:cells:delete": "rule:admin_api",
+ "compute_extension:cells:update": "rule:admin_api",
+ "compute_extension:cells:sync_instances": "rule:admin_api",
+ "compute_extension:certificates": "",
+ "compute_extension:cloudpipe": "rule:admin_api",
+ "compute_extension:cloudpipe_update": "rule:admin_api",
+ "compute_extension:config_drive": "",
+ "compute_extension:console_output": "",
+ "compute_extension:consoles": "",
+ "compute_extension:createserverext": "",
+ "compute_extension:deferred_delete": "",
+ "compute_extension:disk_config": "",
+ "compute_extension:evacuate": "rule:admin_api",
+ "compute_extension:extended_server_attributes": "rule:admin_api",
+ "compute_extension:extended_status": "",
+ "compute_extension:extended_availability_zone": "",
+ "compute_extension:extended_ips": "",
+ "compute_extension:extended_ips_mac": "",
+ "compute_extension:extended_vif_net": "",
+ "compute_extension:extended_volumes": "",
+ "compute_extension:fixed_ips": "rule:admin_api",
+ "compute_extension:flavor_access": "",
+ "compute_extension:flavor_access:addTenantAccess": "rule:admin_api",
+ "compute_extension:flavor_access:removeTenantAccess": "rule:admin_api",
+ "compute_extension:flavor_disabled": "",
+ "compute_extension:flavor_rxtx": "",
+ "compute_extension:flavor_swap": "",
+ "compute_extension:flavorextradata": "",
+ "compute_extension:flavorextraspecs:index": "",
+ "compute_extension:flavorextraspecs:show": "",
+ "compute_extension:flavorextraspecs:create": "rule:admin_api",
+ "compute_extension:flavorextraspecs:update": "rule:admin_api",
+ "compute_extension:flavorextraspecs:delete": "rule:admin_api",
+ "compute_extension:flavormanage": "rule:admin_api",
+ "compute_extension:floating_ip_dns": "",
+ "compute_extension:floating_ip_pools": "",
+ "compute_extension:floating_ips": "",
+ "compute_extension:floating_ips_bulk": "rule:admin_api",
+ "compute_extension:fping": "",
+ "compute_extension:fping:all_tenants": "rule:admin_api",
+ "compute_extension:hide_server_addresses": "is_admin:False",
+ "compute_extension:hosts": "rule:admin_api",
+ "compute_extension:hypervisors": "rule:admin_api",
+ "compute_extension:image_size": "",
+ "compute_extension:instance_actions": "",
+ "compute_extension:instance_actions:events": "rule:admin_api",
+ "compute_extension:instance_usage_audit_log": "rule:admin_api",
+ "compute_extension:keypairs": "",
+ "compute_extension:keypairs:index": "",
+ "compute_extension:keypairs:show": "",
+ "compute_extension:keypairs:create": "",
+ "compute_extension:keypairs:delete": "",
+ "compute_extension:multinic": "",
+ "compute_extension:networks": "rule:admin_api",
+ "compute_extension:networks:view": "",
+ "compute_extension:networks_associate": "rule:admin_api",
+ "compute_extension:os-tenant-networks": "",
+ "compute_extension:quotas:show": "",
+ "compute_extension:quotas:update": "rule:admin_api",
+ "compute_extension:quotas:delete": "rule:admin_api",
+ "compute_extension:quota_classes": "",
+ "compute_extension:rescue": "",
+ "compute_extension:security_group_default_rules": "rule:admin_api",
+ "compute_extension:security_groups": "",
+ "compute_extension:server_diagnostics": "rule:admin_api",
+ "compute_extension:server_groups": "",
+ "compute_extension:server_password": "",
+ "compute_extension:server_usage": "",
+ "compute_extension:services": "rule:admin_api",
+ "compute_extension:shelve": "",
+ "compute_extension:shelveOffload": "rule:admin_api",
+ "compute_extension:simple_tenant_usage:show": "rule:admin_or_owner",
+ "compute_extension:simple_tenant_usage:list": "rule:admin_api",
+ "compute_extension:unshelve": "",
+ "compute_extension:users": "rule:admin_api",
+ "compute_extension:virtual_interfaces": "",
+ "compute_extension:virtual_storage_arrays": "",
+ "compute_extension:volumes": "",
+ "compute_extension:volume_attachments:index": "",
+ "compute_extension:volume_attachments:show": "",
+ "compute_extension:volume_attachments:create": "",
+ "compute_extension:volume_attachments:update": "",
+ "compute_extension:volume_attachments:delete": "",
+ "compute_extension:volumetypes": "",
+ "compute_extension:availability_zone:list": "",
+ "compute_extension:availability_zone:detail": "rule:admin_api",
+ "compute_extension:used_limits_for_admin": "rule:admin_api",
+ "compute_extension:migrations:index": "rule:admin_api",
+ "compute_extension:os-assisted-volume-snapshots:create": "rule:admin_api",
+ "compute_extension:os-assisted-volume-snapshots:delete": "rule:admin_api",
+ "compute_extension:console_auth_tokens": "rule:admin_api",
+ "compute_extension:os-server-external-events:create": "rule:admin_api",
+
+ "network:get_all": "",
+ "network:get": "",
+ "network:create": "",
+ "network:delete": "",
+ "network:associate": "",
+ "network:disassociate": "",
+ "network:get_vifs_by_instance": "",
+ "network:allocate_for_instance": "",
+ "network:deallocate_for_instance": "",
+ "network:validate_networks": "",
+ "network:get_instance_uuids_by_ip_filter": "",
+ "network:get_instance_id_by_floating_address": "",
+ "network:setup_networks_on_host": "",
+ "network:get_backdoor_port": "",
+
+ "network:get_floating_ip": "",
+ "network:get_floating_ip_pools": "",
+ "network:get_floating_ip_by_address": "",
+ "network:get_floating_ips_by_project": "",
+ "network:get_floating_ips_by_fixed_address": "",
+ "network:allocate_floating_ip": "",
+ "network:associate_floating_ip": "",
+ "network:disassociate_floating_ip": "",
+ "network:release_floating_ip": "",
+ "network:migrate_instance_start": "",
+ "network:migrate_instance_finish": "",
+
+ "network:get_fixed_ip": "",
+ "network:get_fixed_ip_by_address": "",
+ "network:add_fixed_ip_to_instance": "",
+ "network:remove_fixed_ip_from_instance": "",
+ "network:add_network_to_project": "",
+ "network:get_instance_nw_info": "",
+
+ "network:get_dns_domains": "",
+ "network:add_dns_entry": "",
+ "network:modify_dns_entry": "",
+ "network:delete_dns_entry": "",
+ "network:get_dns_entries_by_address": "",
+ "network:get_dns_entries_by_name": "",
+ "network:create_private_dns_domain": "",
+ "network:create_public_dns_domain": "",
+ "network:delete_dns_domain": "",
+ "network:attach_external_network": "rule:admin_api",
+ "network:get_vif_by_mac_address": "",
+
+ "os_compute_api:servers:detail:get_all_tenants": "is_admin:True",
+ "os_compute_api:servers:index:get_all_tenants": "is_admin:True",
+ "os_compute_api:servers:confirm_resize": "",
+ "os_compute_api:servers:create": "",
+ "os_compute_api:servers:create:attach_network": "",
+ "os_compute_api:servers:create:attach_volume": "",
+ "os_compute_api:servers:create:forced_host": "rule:admin_api",
+ "os_compute_api:servers:delete": "",
+ "os_compute_api:servers:update": "",
+ "os_compute_api:servers:detail": "",
+ "os_compute_api:servers:index": "",
+ "os_compute_api:servers:reboot": "",
+ "os_compute_api:servers:rebuild": "",
+ "os_compute_api:servers:resize": "",
+ "os_compute_api:servers:revert_resize": "",
+ "os_compute_api:servers:show": "",
+ "os_compute_api:servers:create_image": "",
+ "os_compute_api:servers:create_image:allow_volume_backed": "",
+ "os_compute_api:servers:start": "rule:admin_or_owner",
+ "os_compute_api:servers:stop": "rule:admin_or_owner",
+ "os_compute_api:os-access-ips:discoverable": "",
+ "os_compute_api:os-access-ips": "",
+ "os_compute_api:os-admin-actions": "rule:admin_api",
+ "os_compute_api:os-admin-actions:discoverable": "",
+ "os_compute_api:os-admin-actions:reset_network": "rule:admin_api",
+ "os_compute_api:os-admin-actions:inject_network_info": "rule:admin_api",
+ "os_compute_api:os-admin-actions:reset_state": "rule:admin_api",
+ "os_compute_api:os-admin-password": "",
+ "os_compute_api:os-admin-password:discoverable": "",
+ "os_compute_api:os-aggregates:discoverable": "",
+ "os_compute_api:os-aggregates:index": "rule:admin_api",
+ "os_compute_api:os-aggregates:create": "rule:admin_api",
+ "os_compute_api:os-aggregates:show": "rule:admin_api",
+ "os_compute_api:os-aggregates:update": "rule:admin_api",
+ "os_compute_api:os-aggregates:delete": "rule:admin_api",
+ "os_compute_api:os-aggregates:add_host": "rule:admin_api",
+ "os_compute_api:os-aggregates:remove_host": "rule:admin_api",
+ "os_compute_api:os-aggregates:set_metadata": "rule:admin_api",
+ "os_compute_api:os-agents": "rule:admin_api",
+ "os_compute_api:os-agents:discoverable": "",
+ "os_compute_api:os-attach-interfaces": "",
+ "os_compute_api:os-attach-interfaces:discoverable": "",
+ "os_compute_api:os-baremetal-nodes": "rule:admin_api",
+ "os_compute_api:os-baremetal-nodes:discoverable": "",
+ "os_compute_api:os-block-device-mapping-v1:discoverable": "",
+ "os_compute_api:os-cells": "rule:admin_api",
+ "os_compute_api:os-cells:create": "rule:admin_api",
+ "os_compute_api:os-cells:delete": "rule:admin_api",
+ "os_compute_api:os-cells:update": "rule:admin_api",
+ "os_compute_api:os-cells:sync_instances": "rule:admin_api",
+ "os_compute_api:os-cells:discoverable": "",
+ "os_compute_api:os-certificates:create": "",
+ "os_compute_api:os-certificates:show": "",
+ "os_compute_api:os-certificates:discoverable": "",
+ "os_compute_api:os-cloudpipe": "rule:admin_api",
+ "os_compute_api:os-cloudpipe:discoverable": "",
+ "os_compute_api:os-config-drive": "",
+ "os_compute_api:os-consoles:discoverable": "",
+ "os_compute_api:os-consoles:create": "",
+ "os_compute_api:os-consoles:delete": "",
+ "os_compute_api:os-consoles:index": "",
+ "os_compute_api:os-consoles:show": "",
+ "os_compute_api:os-console-output:discoverable": "",
+ "os_compute_api:os-console-output": "",
+ "os_compute_api:os-remote-consoles": "",
+ "os_compute_api:os-remote-consoles:discoverable": "",
+ "os_compute_api:os-create-backup:discoverable": "",
+ "os_compute_api:os-create-backup": "rule:admin_or_owner",
+ "os_compute_api:os-deferred-delete": "",
+ "os_compute_api:os-deferred-delete:discoverable": "",
+ "os_compute_api:os-disk-config": "",
+ "os_compute_api:os-disk-config:discoverable": "",
+ "os_compute_api:os-evacuate": "rule:admin_api",
+ "os_compute_api:os-evacuate:discoverable": "",
+ "os_compute_api:os-extended-server-attributes": "rule:admin_api",
+ "os_compute_api:os-extended-server-attributes:discoverable": "",
+ "os_compute_api:os-extended-status": "",
+ "os_compute_api:os-extended-status:discoverable": "",
+ "os_compute_api:os-extended-availability-zone": "",
+ "os_compute_api:os-extended-availability-zone:discoverable": "",
+ "os_compute_api:extensions": "",
+ "os_compute_api:extension_info:discoverable": "",
+ "os_compute_api:os-extended-volumes": "",
+ "os_compute_api:os-extended-volumes:discoverable": "",
+ "os_compute_api:os-fixed-ips": "rule:admin_api",
+ "os_compute_api:os-fixed-ips:discoverable": "",
+ "os_compute_api:os-flavor-access": "",
+ "os_compute_api:os-flavor-access:discoverable": "",
+ "os_compute_api:os-flavor-access:remove_tenant_access": "rule:admin_api",
+ "os_compute_api:os-flavor-access:add_tenant_access": "rule:admin_api",
+ "os_compute_api:os-flavor-rxtx": "",
+ "os_compute_api:os-flavor-rxtx:discoverable": "",
+ "os_compute_api:flavors:discoverable": "",
+ "os_compute_api:os-flavor-extra-specs:discoverable": "",
+ "os_compute_api:os-flavor-extra-specs:index": "",
+ "os_compute_api:os-flavor-extra-specs:show": "",
+ "os_compute_api:os-flavor-extra-specs:create": "rule:admin_api",
+ "os_compute_api:os-flavor-extra-specs:update": "rule:admin_api",
+ "os_compute_api:os-flavor-extra-specs:delete": "rule:admin_api",
+ "os_compute_api:os-flavor-manage:discoverable": "",
+ "os_compute_api:os-flavor-manage": "rule:admin_api",
+ "os_compute_api:os-floating-ip-dns": "",
+ "os_compute_api:os-floating-ip-dns:discoverable": "",
+ "os_compute_api:os-floating-ip-dns:domain:update": "rule:admin_api",
+ "os_compute_api:os-floating-ip-dns:domain:delete": "rule:admin_api",
+ "os_compute_api:os-floating-ip-pools": "",
+ "os_compute_api:os-floating-ip-pools:discoverable": "",
+ "os_compute_api:os-floating-ips": "",
+ "os_compute_api:os-floating-ips:discoverable": "",
+ "os_compute_api:os-floating-ips-bulk": "rule:admin_api",
+ "os_compute_api:os-floating-ips-bulk:discoverable": "",
+ "os_compute_api:os-fping": "",
+ "os_compute_api:os-fping:discoverable": "",
+ "os_compute_api:os-fping:all_tenants": "rule:admin_api",
+ "os_compute_api:os-hide-server-addresses": "is_admin:False",
+ "os_compute_api:os-hide-server-addresses:discoverable": "",
+ "os_compute_api:os-hosts": "rule:admin_api",
+ "os_compute_api:os-hosts:discoverable": "",
+ "os_compute_api:os-hypervisors": "rule:admin_api",
+ "os_compute_api:os-hypervisors:discoverable": "",
+ "os_compute_api:images:discoverable": "",
+ "os_compute_api:image-size": "",
+ "os_compute_api:image-size:discoverable": "",
+ "os_compute_api:os-instance-actions": "",
+ "os_compute_api:os-instance-actions:discoverable": "",
+ "os_compute_api:os-instance-actions:events": "rule:admin_api",
+ "os_compute_api:os-instance-usage-audit-log": "rule:admin_api",
+ "os_compute_api:os-instance-usage-audit-log:discoverable": "",
+ "os_compute_api:ips:discoverable": "",
+ "os_compute_api:ips:index": "rule:admin_or_owner",
+ "os_compute_api:ips:show": "rule:admin_or_owner",
+ "os_compute_api:os-keypairs:discoverable": "",
+ "os_compute_api:os-keypairs": "",
+ "os_compute_api:os-keypairs:index": "rule:admin_api or user_id:%(user_id)s",
+ "os_compute_api:os-keypairs:show": "rule:admin_api or user_id:%(user_id)s",
+ "os_compute_api:os-keypairs:create": "rule:admin_api or user_id:%(user_id)s",
+ "os_compute_api:os-keypairs:delete": "rule:admin_api or user_id:%(user_id)s",
+ "os_compute_api:limits:discoverable": "",
+ "os_compute_api:limits": "",
+ "os_compute_api:os-lock-server:discoverable": "",
+ "os_compute_api:os-lock-server:lock": "rule:admin_or_owner",
+ "os_compute_api:os-lock-server:unlock": "rule:admin_or_owner",
+ "os_compute_api:os-lock-server:unlock:unlock_override": "rule:admin_api",
+ "os_compute_api:os-migrate-server:discoverable": "",
+ "os_compute_api:os-migrate-server:migrate": "rule:admin_api",
+ "os_compute_api:os-migrate-server:migrate_live": "rule:admin_api",
+ "os_compute_api:os-multinic": "",
+ "os_compute_api:os-multinic:discoverable": "",
+ "os_compute_api:os-networks": "rule:admin_api",
+ "os_compute_api:os-networks:view": "",
+ "os_compute_api:os-networks:discoverable": "",
+ "os_compute_api:os-networks-associate": "rule:admin_api",
+ "os_compute_api:os-networks-associate:discoverable": "",
+ "os_compute_api:os-pause-server:discoverable": "",
+ "os_compute_api:os-pause-server:pause": "rule:admin_or_owner",
+ "os_compute_api:os-pause-server:unpause": "rule:admin_or_owner",
+ "os_compute_api:os-pci:pci_servers": "",
+ "os_compute_api:os-pci:discoverable": "",
+ "os_compute_api:os-pci:index": "rule:admin_api",
+ "os_compute_api:os-pci:detail": "rule:admin_api",
+ "os_compute_api:os-pci:show": "rule:admin_api",
+ "os_compute_api:os-personality:discoverable": "",
+ "os_compute_api:os-preserve-ephemeral-rebuild:discoverable": "",
+ "os_compute_api:os-quota-sets:discoverable": "",
+ "os_compute_api:os-quota-sets:show": "rule:admin_or_owner",
+ "os_compute_api:os-quota-sets:defaults": "",
+ "os_compute_api:os-quota-sets:update": "rule:admin_api",
+ "os_compute_api:os-quota-sets:delete": "rule:admin_api",
+ "os_compute_api:os-quota-sets:detail": "rule:admin_api",
+ "os_compute_api:os-quota-class-sets:update": "rule:admin_api",
+ "os_compute_api:os-quota-class-sets:show": "is_admin:True or quota_class:%(quota_class)s",
+ "os_compute_api:os-quota-class-sets:discoverable": "",
+ "os_compute_api:os-rescue": "",
+ "os_compute_api:os-rescue:discoverable": "",
+ "os_compute_api:os-scheduler-hints:discoverable": "",
+ "os_compute_api:os-security-group-default-rules:discoverable": "",
+ "os_compute_api:os-security-group-default-rules": "rule:admin_api",
+ "os_compute_api:os-security-groups": "",
+ "os_compute_api:os-security-groups:discoverable": "",
+ "os_compute_api:os-server-diagnostics": "rule:admin_api",
+ "os_compute_api:os-server-diagnostics:discoverable": "",
+ "os_compute_api:os-server-password": "",
+ "os_compute_api:os-server-password:discoverable": "",
+ "os_compute_api:os-server-usage": "",
+ "os_compute_api:os-server-usage:discoverable": "",
+ "os_compute_api:os-server-groups": "",
+ "os_compute_api:os-server-groups:discoverable": "",
+ "os_compute_api:os-services": "rule:admin_api",
+ "os_compute_api:os-services:discoverable": "",
+ "os_compute_api:server-metadata:discoverable": "",
+ "os_compute_api:server-metadata:index": "rule:admin_or_owner",
+ "os_compute_api:server-metadata:show": "rule:admin_or_owner",
+ "os_compute_api:server-metadata:delete": "rule:admin_or_owner",
+ "os_compute_api:server-metadata:create": "rule:admin_or_owner",
+ "os_compute_api:server-metadata:update": "rule:admin_or_owner",
+ "os_compute_api:server-metadata:update_all": "rule:admin_or_owner",
+ "os_compute_api:servers:discoverable": "",
+ "os_compute_api:os-shelve:shelve": "",
+ "os_compute_api:os-shelve:shelve:discoverable": "",
+ "os_compute_api:os-shelve:shelve_offload": "rule:admin_api",
+ "os_compute_api:os-simple-tenant-usage:discoverable": "",
+ "os_compute_api:os-simple-tenant-usage:show": "rule:admin_or_owner",
+ "os_compute_api:os-simple-tenant-usage:list": "rule:admin_api",
+ "os_compute_api:os-suspend-server:discoverable": "",
+ "os_compute_api:os-suspend-server:suspend": "rule:admin_or_owner",
+ "os_compute_api:os-suspend-server:resume": "rule:admin_or_owner",
+ "os_compute_api:os-tenant-networks": "rule:admin_or_owner",
+ "os_compute_api:os-tenant-networks:discoverable": "",
+ "os_compute_api:os-shelve:unshelve": "",
+ "os_compute_api:os-user-data:discoverable": "",
+ "os_compute_api:os-virtual-interfaces": "",
+ "os_compute_api:os-virtual-interfaces:discoverable": "",
+ "os_compute_api:os-volumes": "",
+ "os_compute_api:os-volumes:discoverable": "",
+ "os_compute_api:os-volumes-attachments:index": "",
+ "os_compute_api:os-volumes-attachments:show": "",
+ "os_compute_api:os-volumes-attachments:create": "",
+ "os_compute_api:os-volumes-attachments:update": "",
+ "os_compute_api:os-volumes-attachments:delete": "",
+ "os_compute_api:os-volumes-attachments:discoverable": "",
+ "os_compute_api:os-availability-zone:list": "",
+ "os_compute_api:os-availability-zone:discoverable": "",
+ "os_compute_api:os-availability-zone:detail": "rule:admin_api",
+ "os_compute_api:os-used-limits": "rule:admin_api",
+ "os_compute_api:os-used-limits:discoverable": "",
+ "os_compute_api:os-migrations:index": "rule:admin_api",
+ "os_compute_api:os-migrations:discoverable": "",
+ "os_compute_api:os-assisted-volume-snapshots:create": "rule:admin_api",
+ "os_compute_api:os-assisted-volume-snapshots:delete": "rule:admin_api",
+ "os_compute_api:os-assisted-volume-snapshots:discoverable": "",
+ "os_compute_api:os-console-auth-tokens": "rule:admin_api",
+ "os_compute_api:os-server-external-events:create": "rule:admin_api"
+}
diff --git a/sys-cluster/nova/files/etc.liberty/rootwrap.conf b/sys-cluster/nova/files/etc.liberty/rootwrap.conf
new file mode 100644
index 000000000000..aa466c5d5024
--- /dev/null
+++ b/sys-cluster/nova/files/etc.liberty/rootwrap.conf
@@ -0,0 +1,27 @@
+# Configuration for nova-rootwrap
+# This file should be owned by (and only-writeable by) the root user
+
+[DEFAULT]
+# List of directories to load filter definitions from (separated by ',').
+# These directories MUST all be only writeable by root !
+filters_path=/etc/nova/rootwrap.d,/usr/share/nova/rootwrap
+
+# List of directories to search executables in, in case filters do not
+# explicitely specify a full path (separated by ',')
+# If not specified, defaults to system PATH environment variable.
+# These directories MUST all be only writeable by root !
+exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin
+
+# Enable logging to syslog
+# Default value is False
+use_syslog=False
+
+# Which syslog facility to use.
+# Valid values include auth, authpriv, syslog, local0, local1...
+# Default value is 'syslog'
+syslog_log_facility=syslog
+
+# Which messages to log.
+# INFO means log all usage
+# ERROR means only log unsuccessful attempts
+syslog_log_level=ERROR
diff --git a/sys-cluster/nova/files/etc.liberty/rootwrap.d/api-metadata.filters b/sys-cluster/nova/files/etc.liberty/rootwrap.d/api-metadata.filters
new file mode 100644
index 000000000000..1aa6f83e68df
--- /dev/null
+++ b/sys-cluster/nova/files/etc.liberty/rootwrap.d/api-metadata.filters
@@ -0,0 +1,13 @@
+# nova-rootwrap command filters for api-metadata nodes
+# This is needed on nova-api hosts running with "metadata" in enabled_apis
+# or when running nova-api-metadata
+# This file should be owned by (and only-writeable by) the root user
+
+[Filters]
+# nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ...
+iptables-save: CommandFilter, iptables-save, root
+ip6tables-save: CommandFilter, ip6tables-save, root
+
+# nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,)
+iptables-restore: CommandFilter, iptables-restore, root
+ip6tables-restore: CommandFilter, ip6tables-restore, root
diff --git a/sys-cluster/nova/files/etc.liberty/rootwrap.d/compute.filters b/sys-cluster/nova/files/etc.liberty/rootwrap.d/compute.filters
new file mode 100644
index 000000000000..2a38cca54b43
--- /dev/null
+++ b/sys-cluster/nova/files/etc.liberty/rootwrap.d/compute.filters
@@ -0,0 +1,246 @@
+# nova-rootwrap command filters for compute nodes
+# This file should be owned by (and only-writeable by) the root user
+
+[Filters]
+# nova/virt/disk/mount/api.py: 'kpartx', '-a', device
+# nova/virt/disk/mount/api.py: 'kpartx', '-d', device
+kpartx: CommandFilter, kpartx, root
+
+# nova/virt/xenapi/vm_utils.py: tune2fs, -O ^has_journal, part_path
+# nova/virt/xenapi/vm_utils.py: tune2fs, -j, partition_path
+tune2fs: CommandFilter, tune2fs, root
+
+# nova/virt/disk/mount/api.py: 'mount', mapped_device
+# nova/virt/disk/api.py: 'mount', '-o', 'bind', src, target
+# nova/virt/xenapi/vm_utils.py: 'mount', '-t', 'ext2,ext3,ext4,reiserfs'..
+# nova/virt/configdrive.py: 'mount', device, mountdir
+# nova/virt/libvirt/volume.py: 'mount', '-t', 'sofs' ...
+mount: CommandFilter, mount, root
+
+# nova/virt/disk/mount/api.py: 'umount', mapped_device
+# nova/virt/disk/api.py: 'umount' target
+# nova/virt/xenapi/vm_utils.py: 'umount', dev_path
+# nova/virt/configdrive.py: 'umount', mountdir
+umount: CommandFilter, umount, root
+
+# nova/virt/disk/mount/nbd.py: 'qemu-nbd', '-c', device, image
+# nova/virt/disk/mount/nbd.py: 'qemu-nbd', '-d', device
+qemu-nbd: CommandFilter, qemu-nbd, root
+
+# nova/virt/disk/mount/loop.py: 'losetup', '--find', '--show', image
+# nova/virt/disk/mount/loop.py: 'losetup', '--detach', device
+losetup: CommandFilter, losetup, root
+
+# nova/virt/disk/vfs/localfs.py: 'blkid', '-o', 'value', '-s', 'TYPE', device
+blkid: CommandFilter, blkid, root
+
+# nova/virt/libvirt/utils.py: 'blockdev', '--getsize64', path
+# nova/virt/disk/mount/nbd.py: 'blockdev', '--flushbufs', device
+blockdev: RegExpFilter, blockdev, root, blockdev, (--getsize64|--flushbufs), /dev/.*
+
+# nova/virt/disk/vfs/localfs.py: 'tee', canonpath
+tee: CommandFilter, tee, root
+
+# nova/virt/disk/vfs/localfs.py: 'mkdir', canonpath
+mkdir: CommandFilter, mkdir, root
+
+# nova/virt/disk/vfs/localfs.py: 'chown'
+# nova/virt/libvirt/connection.py: 'chown', os.getuid( console_log
+# nova/virt/libvirt/connection.py: 'chown', os.getuid( console_log
+# nova/virt/libvirt/connection.py: 'chown', 'root', basepath('disk')
+chown: CommandFilter, chown, root
+
+# nova/virt/disk/vfs/localfs.py: 'chmod'
+chmod: CommandFilter, chmod, root
+
+# nova/virt/libvirt/vif.py: 'ip', 'tuntap', 'add', dev, 'mode', 'tap'
+# nova/virt/libvirt/vif.py: 'ip', 'link', 'set', dev, 'up'
+# nova/virt/libvirt/vif.py: 'ip', 'link', 'delete', dev
+# nova/network/linux_net.py: 'ip', 'addr', 'add', str(floating_ip)+'/32'i..
+# nova/network/linux_net.py: 'ip', 'addr', 'del', str(floating_ip)+'/32'..
+# nova/network/linux_net.py: 'ip', 'addr', 'add', '169.254.169.254/32',..
+# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', dev, 'scope',..
+# nova/network/linux_net.py: 'ip', 'addr', 'del/add', ip_params, dev)
+# nova/network/linux_net.py: 'ip', 'addr', 'del', params, fields[-1]
+# nova/network/linux_net.py: 'ip', 'addr', 'add', params, bridge
+# nova/network/linux_net.py: 'ip', '-f', 'inet6', 'addr', 'change', ..
+# nova/network/linux_net.py: 'ip', 'link', 'set', 'dev', dev, 'promisc',..
+# nova/network/linux_net.py: 'ip', 'link', 'add', 'link', bridge_if ...
+# nova/network/linux_net.py: 'ip', 'link', 'set', interface, address,..
+# nova/network/linux_net.py: 'ip', 'link', 'set', interface, 'up'
+# nova/network/linux_net.py: 'ip', 'link', 'set', bridge, 'up'
+# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', interface, ..
+# nova/network/linux_net.py: 'ip', 'link', 'set', dev, address, ..
+# nova/network/linux_net.py: 'ip', 'link', 'set', dev, 'up'
+# nova/network/linux_net.py: 'ip', 'route', 'add', ..
+# nova/network/linux_net.py: 'ip', 'route', 'del', .
+# nova/network/linux_net.py: 'ip', 'route', 'show', 'dev', dev
+ip: CommandFilter, ip, root
+
+# nova/virt/libvirt/vif.py: 'tunctl', '-b', '-t', dev
+# nova/network/linux_net.py: 'tunctl', '-b', '-t', dev
+tunctl: CommandFilter, tunctl, root
+
+# nova/virt/libvirt/vif.py: 'ovs-vsctl', ...
+# nova/virt/libvirt/vif.py: 'ovs-vsctl', 'del-port', ...
+# nova/network/linux_net.py: 'ovs-vsctl', ....
+ovs-vsctl: CommandFilter, ovs-vsctl, root
+
+# nova/virt/libvirt/vif.py: 'vrouter-port-control', ...
+vrouter-port-control: CommandFilter, vrouter-port-control, root
+
+# nova/virt/libvirt/vif.py: 'ebrctl', ...
+ebrctl: CommandFilter, ebrctl, root
+
+# nova/network/linux_net.py: 'ovs-ofctl', ....
+ovs-ofctl: CommandFilter, ovs-ofctl, root
+
+# nova/virt/libvirt/connection.py: 'dd', if=%s % virsh_output, ...
+dd: CommandFilter, dd, root
+
+# nova/virt/xenapi/volume_utils.py: 'iscsiadm', '-m', ...
+iscsiadm: CommandFilter, iscsiadm, root
+
+# nova/virt/libvirt/volume/aoe.py: 'aoe-revalidate', aoedev
+# nova/virt/libvirt/volume/aoe.py: 'aoe-discover'
+aoe-revalidate: CommandFilter, aoe-revalidate, root
+aoe-discover: CommandFilter, aoe-discover, root
+
+# nova/virt/xenapi/vm_utils.py: parted, --script, ...
+# nova/virt/xenapi/vm_utils.py: 'parted', '--script', dev_path, ..*.
+parted: CommandFilter, parted, root
+
+# nova/virt/xenapi/vm_utils.py: 'pygrub', '-qn', dev_path
+pygrub: CommandFilter, pygrub, root
+
+# nova/virt/xenapi/vm_utils.py: fdisk %(dev_path)s
+fdisk: CommandFilter, fdisk, root
+
+# nova/virt/xenapi/vm_utils.py: e2fsck, -f, -p, partition_path
+# nova/virt/disk/api.py: e2fsck, -f, -p, image
+e2fsck: CommandFilter, e2fsck, root
+
+# nova/virt/xenapi/vm_utils.py: resize2fs, partition_path
+# nova/virt/disk/api.py: resize2fs, image
+resize2fs: CommandFilter, resize2fs, root
+
+# nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ...
+iptables-save: CommandFilter, iptables-save, root
+ip6tables-save: CommandFilter, ip6tables-save, root
+
+# nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,)
+iptables-restore: CommandFilter, iptables-restore, root
+ip6tables-restore: CommandFilter, ip6tables-restore, root
+
+# nova/network/linux_net.py: 'arping', '-U', floating_ip, '-A', '-I', ...
+# nova/network/linux_net.py: 'arping', '-U', network_ref['dhcp_server'],..
+arping: CommandFilter, arping, root
+
+# nova/network/linux_net.py: 'dhcp_release', dev, address, mac_address
+dhcp_release: CommandFilter, dhcp_release, root
+
+# nova/network/linux_net.py: 'kill', '-9', pid
+# nova/network/linux_net.py: 'kill', '-HUP', pid
+kill_dnsmasq: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP
+
+# nova/network/linux_net.py: 'kill', pid
+kill_radvd: KillFilter, root, /usr/sbin/radvd
+
+# nova/network/linux_net.py: dnsmasq call
+dnsmasq: EnvFilter, env, root, CONFIG_FILE=, NETWORK_ID=, dnsmasq
+
+# nova/network/linux_net.py: 'radvd', '-C', '%s' % _ra_file(dev, 'conf'..
+radvd: CommandFilter, radvd, root
+
+# nova/network/linux_net.py: 'brctl', 'addbr', bridge
+# nova/network/linux_net.py: 'brctl', 'setfd', bridge, 0
+# nova/network/linux_net.py: 'brctl', 'stp', bridge, 'off'
+# nova/network/linux_net.py: 'brctl', 'addif', bridge, interface
+brctl: CommandFilter, brctl, root
+
+# nova/virt/libvirt/utils.py: 'mkswap'
+# nova/virt/xenapi/vm_utils.py: 'mkswap'
+mkswap: CommandFilter, mkswap, root
+
+# nova/virt/libvirt/utils.py: 'nova-idmapshift'
+nova-idmapshift: CommandFilter, nova-idmapshift, root
+
+# nova/virt/xenapi/vm_utils.py: 'mkfs'
+# nova/utils.py: 'mkfs', fs, path, label
+mkfs: CommandFilter, mkfs, root
+
+# nova/virt/libvirt/utils.py: 'qemu-img'
+qemu-img: CommandFilter, qemu-img, root
+
+# nova/virt/disk/vfs/localfs.py: 'readlink', '-e'
+readlink: CommandFilter, readlink, root
+
+# nova/virt/disk/api.py:
+mkfs.ext3: CommandFilter, mkfs.ext3, root
+mkfs.ext4: CommandFilter, mkfs.ext4, root
+mkfs.ntfs: CommandFilter, mkfs.ntfs, root
+
+# nova/virt/libvirt/connection.py:
+lvremove: CommandFilter, lvremove, root
+
+# nova/virt/libvirt/utils.py:
+lvcreate: CommandFilter, lvcreate, root
+
+# nova/virt/libvirt/utils.py:
+lvs: CommandFilter, lvs, root
+
+# nova/virt/libvirt/utils.py:
+vgs: CommandFilter, vgs, root
+
+# nova/utils.py:read_file_as_root: 'cat', file_path
+# (called from nova/virt/disk/vfs/localfs.py:VFSLocalFS.read_file)
+read_passwd: RegExpFilter, cat, root, cat, (/var|/usr)?/tmp/openstack-vfs-localfs[^/]+/etc/passwd
+read_shadow: RegExpFilter, cat, root, cat, (/var|/usr)?/tmp/openstack-vfs-localfs[^/]+/etc/shadow
+
+# os-brick needed commands
+read_initiator: ReadFileFilter, /etc/iscsi/initiatorname.iscsi
+multipath: CommandFilter, multipath, root
+# multipathd show status
+multipathd: CommandFilter, multipathd, root
+systool: CommandFilter, systool, root
+sginfo: CommandFilter, sginfo, root
+vgc-cluster: CommandFilter, vgc-cluster, root
+# os_brick/initiator/connector.py
+drv_cfg: CommandFilter, /opt/emc/scaleio/sdc/bin/drv_cfg, root, /opt/emc/scaleio/sdc/bin/drv_cfg, --query_guid
+
+# TODO(smcginnis) Temporary fix.
+# Need to pull in os-brick os-brick.filters file instead and clean
+# out stale brick values from this file.
+scsi_id: CommandFilter, /lib/udev/scsi_id, root
+
+# nova/storage/linuxscsi.py: sg_scan device
+sg_scan: CommandFilter, sg_scan, root
+
+# nova/volume/encryptors/cryptsetup.py:
+# nova/volume/encryptors/luks.py:
+ln: RegExpFilter, ln, root, ln, --symbolic, --force, /dev/mapper/.*, .*
+
+# nova/volume/encryptors.py:
+# nova/virt/libvirt/dmcrypt.py:
+cryptsetup: CommandFilter, cryptsetup, root
+
+# nova/virt/xenapi/vm_utils.py:
+xenstore-read: CommandFilter, xenstore-read, root
+
+# nova/virt/libvirt/utils.py:
+rbd: CommandFilter, rbd, root
+
+# nova/virt/libvirt/utils.py: 'shred', '-n3', '-s%d' % volume_size, path
+shred: CommandFilter, shred, root
+
+# nova/virt/libvirt/volume.py: 'cp', '/dev/stdin', delete_control..
+cp: CommandFilter, cp, root
+
+# nova/virt/xenapi/vm_utils.py:
+sync: CommandFilter, sync, root
+
+# nova/virt/libvirt/imagebackend.py:
+ploop: CommandFilter, ploop, root
+
+# nova/virt/libvirt/utils.py: 'xend', 'status'
+xend: CommandFilter, xend, root
diff --git a/sys-cluster/nova/files/etc.liberty/rootwrap.d/network.filters b/sys-cluster/nova/files/etc.liberty/rootwrap.d/network.filters
new file mode 100644
index 000000000000..527ab40c2799
--- /dev/null
+++ b/sys-cluster/nova/files/etc.liberty/rootwrap.d/network.filters
@@ -0,0 +1,91 @@
+# nova-rootwrap command filters for network nodes
+# This file should be owned by (and only-writeable by) the root user
+
+[Filters]
+# nova/virt/libvirt/vif.py: 'ip', 'tuntap', 'add', dev, 'mode', 'tap'
+# nova/virt/libvirt/vif.py: 'ip', 'link', 'set', dev, 'up'
+# nova/virt/libvirt/vif.py: 'ip', 'link', 'delete', dev
+# nova/network/linux_net.py: 'ip', 'addr', 'add', str(floating_ip)+'/32'i..
+# nova/network/linux_net.py: 'ip', 'addr', 'del', str(floating_ip)+'/32'..
+# nova/network/linux_net.py: 'ip', 'addr', 'add', '169.254.169.254/32',..
+# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', dev, 'scope',..
+# nova/network/linux_net.py: 'ip', 'addr', 'del/add', ip_params, dev)
+# nova/network/linux_net.py: 'ip', 'addr', 'del', params, fields[-1]
+# nova/network/linux_net.py: 'ip', 'addr', 'add', params, bridge
+# nova/network/linux_net.py: 'ip', '-f', 'inet6', 'addr', 'change', ..
+# nova/network/linux_net.py: 'ip', 'link', 'set', 'dev', dev, 'promisc',..
+# nova/network/linux_net.py: 'ip', 'link', 'add', 'link', bridge_if ...
+# nova/network/linux_net.py: 'ip', 'link', 'set', interface, address,..
+# nova/network/linux_net.py: 'ip', 'link', 'set', interface, 'up'
+# nova/network/linux_net.py: 'ip', 'link', 'set', bridge, 'up'
+# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', interface, ..
+# nova/network/linux_net.py: 'ip', 'link', 'set', dev, address, ..
+# nova/network/linux_net.py: 'ip', 'link', 'set', dev, 'up'
+# nova/network/linux_net.py: 'ip', 'route', 'add', ..
+# nova/network/linux_net.py: 'ip', 'route', 'del', .
+# nova/network/linux_net.py: 'ip', 'route', 'show', 'dev', dev
+ip: CommandFilter, ip, root
+
+# nova/virt/libvirt/vif.py: 'ovs-vsctl', ...
+# nova/virt/libvirt/vif.py: 'ovs-vsctl', 'del-port', ...
+# nova/network/linux_net.py: 'ovs-vsctl', ....
+ovs-vsctl: CommandFilter, ovs-vsctl, root
+
+# nova/network/linux_net.py: 'ovs-ofctl', ....
+ovs-ofctl: CommandFilter, ovs-ofctl, root
+
+# nova/virt/libvirt/vif.py: 'ivs-ctl', ...
+# nova/virt/libvirt/vif.py: 'ivs-ctl', 'del-port', ...
+# nova/network/linux_net.py: 'ivs-ctl', ....
+ivs-ctl: CommandFilter, ivs-ctl, root
+
+# nova/virt/libvirt/vif.py: 'ifc_ctl', ...
+ifc_ctl: CommandFilter, /opt/pg/bin/ifc_ctl, root
+
+# nova/virt/libvirt/vif.py: 'mm-ctl', ...
+mm-ctl: CommandFilter, mm-ctl, root
+
+# nova/network/linux_net.py: 'ebtables', '-D' ...
+# nova/network/linux_net.py: 'ebtables', '-I' ...
+ebtables: CommandFilter, ebtables, root
+ebtables_usr: CommandFilter, ebtables, root
+
+# nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ...
+iptables-save: CommandFilter, iptables-save, root
+ip6tables-save: CommandFilter, ip6tables-save, root
+
+# nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,)
+iptables-restore: CommandFilter, iptables-restore, root
+ip6tables-restore: CommandFilter, ip6tables-restore, root
+
+# nova/network/linux_net.py: 'arping', '-U', floating_ip, '-A', '-I', ...
+# nova/network/linux_net.py: 'arping', '-U', network_ref['dhcp_server'],..
+arping: CommandFilter, arping, root
+
+# nova/network/linux_net.py: 'dhcp_release', dev, address, mac_address
+dhcp_release: CommandFilter, dhcp_release, root
+
+# nova/network/linux_net.py: 'kill', '-9', pid
+# nova/network/linux_net.py: 'kill', '-HUP', pid
+kill_dnsmasq: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP
+
+# nova/network/linux_net.py: 'kill', pid
+kill_radvd: KillFilter, root, /usr/sbin/radvd
+
+# nova/network/linux_net.py: dnsmasq call
+dnsmasq: EnvFilter, env, root, CONFIG_FILE=, NETWORK_ID=, dnsmasq
+
+# nova/network/linux_net.py: 'radvd', '-C', '%s' % _ra_file(dev, 'conf'..
+radvd: CommandFilter, radvd, root
+
+# nova/network/linux_net.py: 'brctl', 'addbr', bridge
+# nova/network/linux_net.py: 'brctl', 'setfd', bridge, 0
+# nova/network/linux_net.py: 'brctl', 'stp', bridge, 'off'
+# nova/network/linux_net.py: 'brctl', 'addif', bridge, interface
+brctl: CommandFilter, brctl, root
+
+# nova/network/linux_net.py: 'sysctl', ....
+sysctl: CommandFilter, sysctl, root
+
+# nova/network/linux_net.py: 'conntrack'
+conntrack: CommandFilter, conntrack, root
diff --git a/sys-cluster/nova/nova-12.0.0.ebuild b/sys-cluster/nova/nova-12.0.0.ebuild
index 010092dd47c0..5aec32f7cd18 100644
--- a/sys-cluster/nova/nova-12.0.0.ebuild
+++ b/sys-cluster/nova/nova-12.0.0.ebuild
@@ -9,7 +9,8 @@ inherit distutils-r1 eutils linux-info multilib user
DESCRIPTION="A cloud computing fabric controller (main part of an IaaS system) written in Python"
HOMEPAGE="https://launchpad.net/nova"
-SRC_URI="https://launchpad.net/${PN}/liberty/${PV}/+download/${P}.tar.gz"
+SRC_URI="https://launchpad.net/${PN}/liberty/${PV}/+download/${P}.tar.gz
+ https://dev.gentoo.org/~prometheanfire/dist/nova/liberty/nova.conf.sample -> liberty-nova.conf.sample"
LICENSE="Apache-2.0"
SLOT="0"
@@ -225,15 +226,9 @@ pkg_setup() {
python_prepare_all() {
sed -i '/^hacking/d' test-requirements.txt || die
- sed -i 's/python/python2\.7/g' tools/config/generate_sample.sh || die
distutils-r1_python_prepare_all
}
-python_compile() {
- distutils-r1_python_compile
- ./tools/config/generate_sample.sh -b ./ -p nova -o etc/nova || die
-}
-
python_test() {
# turn multiprocessing off, testr will use it --parallel
local DISTUTILS_NO_PARALLEL_BUILD=1
@@ -258,16 +253,17 @@ python_install() {
insinto /etc/nova
insopts -m 0640 -o nova -g nova
- newins "etc/nova/nova.conf.sample" "nova.conf"
- doins "etc/nova/api-paste.ini"
- doins "etc/nova/logging_sample.conf"
- doins "etc/nova/policy.json"
- doins "etc/nova/rootwrap.conf"
+ newins "${FILESDIR}/etc.liberty/api-paste.ini" "api-paste.ini"
+ newins "${FILESDIR}/etc.liberty/cells.json" "cells.json"
+ newins "${FILESDIR}/etc.liberty/logging_sample.conf" "logging_sample.conf"
+ newins "${DISTDIR}/liberty-nova.conf.sample" "nova.conf.sample"
+ newins "${FILESDIR}/etc.liberty/policy.json" "policy.json"
+ newins "${FILESDIR}/etc.liberty/rootwrap.conf" "rootwrap.conf"
#rootwrap filters
insinto /etc/nova/rootwrap.d
- doins "etc/nova/rootwrap.d/api-metadata.filters"
- doins "etc/nova/rootwrap.d/compute.filters"
- doins "etc/nova/rootwrap.d/network.filters"
+ newins "${FILESDIR}/etc.liberty/rootwrap.d/api-metadata.filters" "api-metadata.filters"
+ newins "${FILESDIR}/etc.liberty/rootwrap.d/compute.filters" "compute.filters"
+ newins "${FILESDIR}/etc.liberty/rootwrap.d/network.filters" "network.filters"
#copy migration conf file (not coppied on install via setup.py script)
insopts -m 0644
insinto /usr/$(get_libdir)/python2.7/site-packages/nova/db/sqlalchemy/migrate_repo/
diff --git a/sys-cluster/nova/nova-2015.2.9999.ebuild b/sys-cluster/nova/nova-2015.2.9999.ebuild
index b59770861f0d..ae955f707418 100644
--- a/sys-cluster/nova/nova-2015.2.9999.ebuild
+++ b/sys-cluster/nova/nova-2015.2.9999.ebuild
@@ -9,6 +9,7 @@ inherit distutils-r1 eutils git-2 linux-info multilib user
DESCRIPTION="A cloud computing fabric controller (main part of an IaaS system) written in Python"
HOMEPAGE="https://launchpad.net/nova"
+SRC_URI="https://dev.gentoo.org/~prometheanfire/dist/nova/liberty/nova.conf.sample -> liberty-nova.conf.sample"
EGIT_REPO_URI="https://github.com/openstack/nova.git"
EGIT_BRANCH="stable/liberty"
@@ -226,15 +227,9 @@ pkg_setup() {
python_prepare_all() {
sed -i '/^hacking/d' test-requirements.txt || die
- sed -i 's/python/python2\.7/g' tools/config/generate_sample.sh || die
distutils-r1_python_prepare_all
}
-python_compile() {
- distutils-r1_python_compile
- ./tools/config/generate_sample.sh -b ./ -p nova -o etc/nova || die
-}
-
python_test() {
# turn multiprocessing off, testr will use it --parallel
local DISTUTILS_NO_PARALLEL_BUILD=1
@@ -259,16 +254,17 @@ python_install() {
insinto /etc/nova
insopts -m 0640 -o nova -g nova
- newins "etc/nova/nova.conf.sample" "nova.conf"
- doins "etc/nova/api-paste.ini"
- doins "etc/nova/logging_sample.conf"
- doins "etc/nova/policy.json"
- doins "etc/nova/rootwrap.conf"
+ newins "${FILESDIR}/etc.liberty/api-paste.ini" "api-paste.ini"
+ newins "${FILESDIR}/etc.liberty/cells.json" "cells.json"
+ newins "${FILESDIR}/etc.liberty/logging_sample.conf" "logging_sample.conf"
+ newins "${DISTDIR}/liberty-nova.conf.sample" "nova.conf.sample"
+ newins "${FILESDIR}/etc.liberty/policy.json" "policy.json"
+ newins "${FILESDIR}/etc.liberty/rootwrap.conf" "rootwrap.conf"
#rootwrap filters
insinto /etc/nova/rootwrap.d
- doins "etc/nova/rootwrap.d/api-metadata.filters"
- doins "etc/nova/rootwrap.d/compute.filters"
- doins "etc/nova/rootwrap.d/network.filters"
+ newins "${FILESDIR}/etc.liberty/rootwrap.d/api-metadata.filters" "api-metadata.filters"
+ newins "${FILESDIR}/etc.liberty/rootwrap.d/compute.filters" "compute.filters"
+ newins "${FILESDIR}/etc.liberty/rootwrap.d/network.filters" "network.filters"
#copy migration conf file (not coppied on install via setup.py script)
insopts -m 0644
insinto /usr/$(get_libdir)/python2.7/site-packages/nova/db/sqlalchemy/migrate_repo/