Newton apparmor fixes

In newton neutron-lbaas-agent has been renamed neutron-lbaasv2-agent.
The apparmor profile and resource map requires updates to handle this.

Change-Id: Ia8ac50e5e7fa32139528b90d82dfdd1489a2173a
Depends-On: I69b4e3c38b7b24c4ef93010e5612faf377d7a67a

hooks/neutron_utils.py

@@ -111,6 +111,7 @@ NEUTRON_PLUGIN_CONF = {
 NEUTRON_DHCP_AA_PROFILE = 'usr.bin.neutron-dhcp-agent'
 NEUTRON_L3_AA_PROFILE = 'usr.bin.neutron-l3-agent'
 NEUTRON_LBAAS_AA_PROFILE = 'usr.bin.neutron-lbaas-agent'
+NEUTRON_LBAASV2_AA_PROFILE = 'usr.bin.neutron-lbaasv2-agent'
 NEUTRON_METADATA_AA_PROFILE = 'usr.bin.neutron-metadata-agent'
 NEUTRON_METERING_AA_PROFILE = 'usr.bin.neutron-metering-agent'
 NOVA_API_METADATA_AA_PROFILE = 'usr.bin.nova-api-metadata'
@@ -134,6 +135,8 @@ NEUTRON_L3_AA_PROFILE_PATH = ('/etc/apparmor.d/{}'
                               ''.format(NEUTRON_L3_AA_PROFILE))
 NEUTRON_LBAAS_AA_PROFILE_PATH = ('/etc/apparmor.d/{}'
                                  ''.format(NEUTRON_LBAAS_AA_PROFILE))
+NEUTRON_LBAASV2_AA_PROFILE_PATH = ('/etc/apparmor.d/{}'
+                                   ''.format(NEUTRON_LBAASV2_AA_PROFILE))
 NEUTRON_METADATA_AA_PROFILE_PATH = ('/etc/apparmor.d/{}'
                                     ''.format(NEUTRON_METADATA_AA_PROFILE))
 NEUTRON_METERING_AA_PROFILE_PATH = ('/etc/apparmor.d/{}'
@@ -383,6 +386,12 @@ NEUTRON_SHARED_CONFIG_FILES = {
             context.AppArmorContext(NEUTRON_LBAAS_AA_PROFILE)
         ],
     },
+    NEUTRON_LBAASV2_AA_PROFILE_PATH: {
+        'services': ['neutron-lbaasv2-agent'],
+        'hook_contexts': [
+            context.AppArmorContext(NEUTRON_LBAASV2_AA_PROFILE)
+        ],
+    },
     NEUTRON_METADATA_AA_PROFILE_PATH: {
         'services': ['neutron-metadata-agent'],
         'hook_contexts': [
@@ -623,6 +632,12 @@ def resolve_config_files(plugin, release):
     if lsb_release()['DISTRIB_CODENAME'] >= 'xenial':
         drop_config.extend([EXT_PORT_CONF, PHY_NIC_MTU_CONF])
 
+    # Rename to lbaasv2 in newton
+    if os_release('neutron-common') < 'newton':
+        drop_config.extend([NEUTRON_LBAASV2_AA_PROFILE_PATH])
+    else:
+        drop_config.extend([NEUTRON_LBAAS_AA_PROFILE_PATH])
+
     for _config in drop_config:
         if _config in config_files[plugin]:
             config_files[plugin].pop(_config)

templates/usr.bin.neutron-dhcp-agent

@@ -15,6 +15,7 @@
   /{,usr/}bin/** rix,
 
   /etc/neutron/** r,
+  /etc/mime.types r,
   /var/lib/neutron/** rwk,
   /var/log/neutron/** rwk,
   /{,var/}run/neutron/** rwk,
@@ -39,6 +40,8 @@
   # Required for assessment of current state of networking
   /proc/sys/net/** r,
 
+  /proc/version r,
+
 {% if ubuntu_release <= '12.04' %}
   /proc/*/mounts r,
   /proc/*/status r,

templates/usr.bin.neutron-l3-agent

@@ -15,6 +15,7 @@
   /{,usr/}bin/** rix,
 
   /etc/neutron/** r,
+  /etc/mime.types r,
   /var/lib/neutron/** rwk,
   /var/log/neutron/** rwk,
   /{,var/}run/neutron/** rwk,
@@ -37,6 +38,8 @@
   # Required for assessment of current state of networking
   /proc/sys/net/** r,
 
+  /proc/version r,
+
 {% if ubuntu_release <= '12.04' %}
   /proc/*/mounts r,
   /proc/*/status r,

templates/usr.bin.neutron-lbaasv2-agent

@@ -0,0 +1,48 @@
+# Last Modified: Fri Apr  1 16:26:34 2016
+# Mode: {{aa_profile_mode}}
+#include <tunables/global>
+
+/usr/bin/neutron-lbaasv2-agent {
+  #include <abstractions/base>
+  #include <abstractions/python>
+  #include <abstractions/nameservice>
+
+  /usr/bin/neutron-lbaas-agent r,
+
+  /sbin/ldconfig* rix,
+
+  /bin/ r,
+  /bin/** rix,
+  /usr/bin/ r,
+  /usr/bin/** rix,
+
+  /etc/neutron/** r,
+  /etc/mime.types r,
+  /var/lib/neutron/** rwk,
+  /var/log/neutron/** rwk,
+  /{,var/}run/neutron/** rwk,
+  /{,var/}run/lock/neutron/** rwk,
+
+  # Allow unconfined sudo to support oslo.rootwrap
+  # profile makes no attempt to restrict this as this
+  # is limited by the appropriate rootwrap configuration.
+  /usr/bin/sudo Ux,
+
+  # Allow ip to run unrestricted for unpriviledged commands
+  /{,s}bin/ip Ux,
+
+  /tmp/* rw,
+  /var/tmp/* a,
+
+  # Required for parsing of managed process cmdline arguments
+  /proc/*/cmdline r,
+
+  # Required for assessment of current state of networking
+  /proc/sys/net/** r,
+
+  /proc/version r,
+
+  owner @{PROC}/@{pid}/mounts r,
+  owner @{PROC}/@{pid}/status r,
+  owner @{PROC}/@{pid}/ns/net r,
+}

templates/usr.bin.neutron-metadata-agent

@@ -15,6 +15,7 @@
   /{,usr/}bin/** rix,
 
   /etc/neutron/** r,
+  /etc/mime.types r,
   /var/lib/neutron/** rwk,
   /var/log/neutron/** rwk,
   /{,var/}run/neutron/** rwk,
@@ -37,6 +38,8 @@
   # Required for assessment of current state of networking
   /proc/sys/net/** r,
 
+  /proc/version r,
+
 {% if ubuntu_release <= '12.04' %}
   /proc/*/mounts r,
   /proc/*/status r,

templates/usr.bin.neutron-metering-agent

@@ -15,6 +15,7 @@
   /{,usr/}bin/** rix,
 
   /etc/neutron/** r,
+  /etc/mime.types r,
   /var/lib/neutron/** rwk,
   /var/log/neutron/** rwk,
   /{,var/}run/neutron/** rwk,
@@ -37,6 +38,8 @@
   # Required for assessment of current state of networking
   /proc/sys/net/** r,
 
+  /proc/version r,
+
 {% if ubuntu_release <= '12.04' %}
   /proc/*/mounts r,
   /proc/*/status r,

templates/usr.bin.neutron-openvswitch-agent

@@ -15,12 +15,14 @@
   /{,usr/}bin/** rix,
 
   /etc/neutron/** r,
+  /etc/mime.types r,
   /etc/udev/udev.conf r,
   /var/lib/neutron/** rwk,
   /var/log/neutron/** rwk,
   /{,var/}run/neutron/** rwk,
   /{,var/}run/lock/neutron/** rwk,
   /run/udev/* r,
+  /run/uuidd/request rw,
   /sys/kernel/uevent_seqnum r,
 
   # Allow unconfined sudo to support oslo.rootwrap
@@ -41,6 +43,8 @@
   # Required for assessment of current state of networking
   /proc/sys/net/** r,
 
+  /proc/version r,
+
 {% if ubuntu_release <= '12.04' %}
   /proc/*/mounts r,
   /proc/*/status r,

tests/basic_deployment.py

@@ -797,6 +797,8 @@ class NeutronGatewayBasicDeployment(OpenStackAmuletDeployment):
             expected['DEFAULT']['device_driver'] = \
                 ('neutron_lbaas.drivers.haproxy.namespace_driver.'
                  'HaproxyNSDriver')
+            expected['DEFAULT'].pop('periodic_interval')
+            expected['DEFAULT'].pop('ovs_use_veth')
         elif self._get_openstack_release() >= self.trusty_kilo:
             expected['DEFAULT']['device_driver'] = \
                 ('neutron_lbaas.services.loadbalancer.drivers.haproxy.'
@@ -1041,7 +1043,6 @@ class NeutronGatewayBasicDeployment(OpenStackAmuletDeployment):
         conf_file = '/etc/neutron/neutron.conf'
         services = {
             'neutron-dhcp-agent': conf_file,
-            'neutron-lbaas-agent': conf_file,
             'neutron-metadata-agent': conf_file,
             'neutron-metering-agent': conf_file,
             'neutron-openvswitch-agent': conf_file,
@@ -1049,6 +1050,10 @@ class NeutronGatewayBasicDeployment(OpenStackAmuletDeployment):
 
         if self._get_openstack_release() <= self.trusty_juno:
             services.update({'neutron-vpn-agent': conf_file})
+        if self._get_openstack_release() < self.xenial_newton:
+            services.update({'neutron-lbaas-agent': conf_file})
+        if self._get_openstack_release() >= self.xenial_newton:
+            services.update({'neutron-lbaasv2-agent': conf_file})
 
         # Make config change, check for svc restart, conf file mod time change
         u.log.debug('Making config change on {}...'.format(juju_service))
@@ -1101,6 +1106,11 @@ class NeutronGatewayBasicDeployment(OpenStackAmuletDeployment):
         if self._get_openstack_release() >= self.xenial_mitaka:
             services['neutron-l3-agent'] = (
                 '/etc/apparmor.d/usr.bin.neutron-l3-agent')
+        if self._get_openstack_release() >= self.xenial_newton:
+            services.pop('neutron-lbaas-agent')
+            services['neutron-lbaasv2-agent'] = ('/etc/apparmor.d/'
+                                                 'usr.bin.neutron-lbaasv2-'
+                                                 'agent')
 
         sentry = self.neutron_gateway_sentry
         juju_service = 'neutron-gateway'

unit_tests/test_neutron_utils.py

@@ -552,7 +552,7 @@ class TestNeutronUtils(CharmTestCase):
             neutron_utils.PHY_NIC_MTU_CONF: ['os-charm-phy-nic-mtu'],
             neutron_utils.NEUTRON_DHCP_AA_PROFILE_PATH: ['neutron-dhcp-agent'],
             neutron_utils.NEUTRON_L3_AA_PROFILE_PATH: ['neutron-vpn-agent'],
-            neutron_utils.NEUTRON_LBAAS_AA_PROFILE_PATH:
+            neutron_utils.NEUTRON_LBAASV2_AA_PROFILE_PATH:
             ['neutron-lbaasv2-agent'],
             neutron_utils.NEUTRON_METADATA_AA_PROFILE_PATH:
             ['neutron-metadata-agent'],
@@ -637,12 +637,14 @@ class TestNeutronUtils(CharmTestCase):
 
     def test_resolve_config_files_ovs_liberty(self):
         self._set_distrib_codename('trusty')
+        self.os_release.return_value = 'liberty'
         self.is_relation_made = False
         actual_map = neutron_utils.resolve_config_files(neutron_utils.OVS,
                                                         'liberty')
         actual_configs = actual_map[neutron_utils.OVS].keys()
         INC_CONFIG = [neutron_utils.NEUTRON_ML2_PLUGIN_CONF]
-        EXC_CONFIG = [neutron_utils.NEUTRON_OVS_AGENT_CONF]
+        EXC_CONFIG = [neutron_utils.NEUTRON_OVS_AGENT_CONF,
+                      neutron_utils.NEUTRON_LBAASV2_AA_PROFILE_PATH]
         for config in INC_CONFIG:
             self.assertTrue(config in actual_configs)
         for config in EXC_CONFIG:
@@ -650,12 +652,14 @@ class TestNeutronUtils(CharmTestCase):
 
     def test_resolve_config_files_ovs_mitaka(self):
         self._set_distrib_codename('trusty')
+        self.os_release.return_value = 'mitaka'
         self.is_relation_made = False
         actual_map = neutron_utils.resolve_config_files(neutron_utils.OVS,
                                                         'mitaka')
         actual_configs = actual_map[neutron_utils.OVS].keys()
         INC_CONFIG = [neutron_utils.NEUTRON_OVS_AGENT_CONF]
-        EXC_CONFIG = [neutron_utils.NEUTRON_ML2_PLUGIN_CONF]
+        EXC_CONFIG = [neutron_utils.NEUTRON_ML2_PLUGIN_CONF,
+                      neutron_utils.NEUTRON_LBAASV2_AA_PROFILE_PATH]
         for config in INC_CONFIG:
             self.assertTrue(config in actual_configs)
         for config in EXC_CONFIG:
@@ -663,23 +667,40 @@ class TestNeutronUtils(CharmTestCase):
 
     def test_resolve_config_files_ovs_trusty(self):
         self._set_distrib_codename('trusty')
+        self.os_release.return_value = 'mitaka'
         self.is_relation_made = False
         actual_map = neutron_utils.resolve_config_files(neutron_utils.OVS,
                                                         'mitaka')
         actual_configs = actual_map[neutron_utils.OVS].keys()
         INC_CONFIG = [neutron_utils.EXT_PORT_CONF,
-                      neutron_utils.PHY_NIC_MTU_CONF]
+                      neutron_utils.PHY_NIC_MTU_CONF,
+                      neutron_utils.NEUTRON_LBAAS_AA_PROFILE_PATH]
         for config in INC_CONFIG:
             self.assertTrue(config in actual_configs)
 
     def test_resolve_config_files_ovs_xenial(self):
         self._set_distrib_codename('xenial')
+        self.os_release.return_value = 'mitaka'
         self.is_relation_made = False
         actual_map = neutron_utils.resolve_config_files(neutron_utils.OVS,
                                                         'mitaka')
         actual_configs = actual_map[neutron_utils.OVS].keys()
         EXC_CONFIG = [neutron_utils.EXT_PORT_CONF,
-                      neutron_utils.PHY_NIC_MTU_CONF]
+                      neutron_utils.PHY_NIC_MTU_CONF,
+                      neutron_utils.NEUTRON_LBAASV2_AA_PROFILE_PATH]
+        for config in EXC_CONFIG:
+            self.assertTrue(config not in actual_configs)
+
+    def test_resolve_config_files_ovs_newton(self):
+        self._set_distrib_codename('xenial')
+        self.os_release.return_value = 'newton'
+        self.is_relation_made = False
+        actual_map = neutron_utils.resolve_config_files(neutron_utils.OVS,
+                                                        'newton')
+        actual_configs = actual_map[neutron_utils.OVS].keys()
+        EXC_CONFIG = [neutron_utils.EXT_PORT_CONF,
+                      neutron_utils.PHY_NIC_MTU_CONF,
+                      neutron_utils.NEUTRON_LBAAS_AA_PROFILE_PATH]
         for config in EXC_CONFIG:
             self.assertTrue(config not in actual_configs)