Allow rootwrap configuration via attributes

Change-Id: I48174db291512cded9b371eaf5699e97af6a0ca0
Partial-Bug: #1347861
Mark Vanderwiel 2014-07-23 14:25:36 -05:00
parent 6eebbbabff
commit 3442ec6376
5 changed files with 82 additions and 13 deletions


@ -8,6 +8,7 @@ This file is used to list changes made in each version of cookbook-openstack-net
* Allow dhcp_delete_namespaces and router_dhcp_namespaces to be overridden.
* Add support for openvswitch agent MTU size of veth interfaces
* fix fauxhai version for suse and redhat
* Allow rootwrap.conf attributes
## 9.1.0
* python_packages database client attributes have been migrated to


@ -178,6 +178,12 @@ default['openstack']['network']['allow_overlapping_ips'] = 'False'
# use neutron root wrap
default['openstack']['network']['use_rootwrap'] = true
# rootwrap.conf
default['openstack']['network']['rootwrap']['filters_path'] = '/etc/neutron/rootwrap.d,/usr/share/neutron/rootwrap'
default['openstack']['network']['rootwrap']['exec_dirs'] = '/sbin,/usr/sbin,/bin,/usr/bin'
default['openstack']['network']['rootwrap']['use_syslog'] = false
default['openstack']['network']['rootwrap']['syslog_log_facility'] = 'syslog'
default['openstack']['network']['rootwrap']['syslog_log_level'] = 'ERROR'
# DHCP lease duration
default['openstack']['network']['dhcp_lease_duration'] = 86400
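Review bot: `filters_path` and `exec_dirs` become overridable node attributes here, but the `# rootwrap.conf` comment above them does not carry the constraint the template states for both: every listed directory must be writable only by root. rootwrap takes its filter definitions and its executable search path from these directories, so an override from a role or environment that names a directory another account can write to weakens the root boundary, and nothing visible in this commit checks the values before they are rendered. I would repeat the warning next to the attributes, e.g. `# Every directory in filters_path and exec_dirs must be owned by root and writable by root only`, and consider having the recipe verify ownership of each entry before the template is written. The same two values are rendered unchecked in the rootwrap.conf template section of this commit.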


@ -660,5 +660,37 @@ describe 'openstack-network::server' do
end
end
end
describe 'rootwrap.conf' do
let(:file) { chef_run.template('/etc/neutron/rootwrap.conf') }
it 'creates the /etc/neutron/rootwrap.conf file' do
expect(chef_run).to create_template(file.name).with(
user: 'neutron',
group: 'neutron',
mode: 0644
)
end
context 'template contents' do
it 'shows the custom banner' do
node.set['openstack']['network']['custom_template_banner'] = 'banner'
expect(chef_run).to render_file(file.name).with_content(/^banner$/)
end
it 'sets the default attributes' do
[
%r(^filters_path=/etc/neutron/rootwrap.d,/usr/share/neutron/rootwrap$),
%r(^exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin$),
/^use_syslog=false$/,
/^syslog_log_facility=syslog$/,
/^syslog_log_level=ERROR$/
].each do |line|
expect(chef_run).to render_file(file.name).with_content(line)
end
end
end
end
end
end
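Review bot: The new `creates the /etc/neutron/rootwrap.conf file` example pins `user: 'neutron', group: 'neutron'`, which contradicts the template's own header ("This file should be owned by (and only-writeable by) the root user"). If neutron is the account that invokes rootwrap through sudo, which is the usual arrangement but is not shown here, an owner-writable config lets that account point `filters_path` at a directory it controls; that matters more now that the file's contents are attribute-driven. The template resource itself is not among the files in this diff, so the expectation probably records existing behaviour. Rather than lock that ownership in with a test, I would change the resource and this expectation to `user: 'root', group: 'root', mode: 0644`. The outer `describe` this example sits in opens outside the hunk.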


@ -50,38 +50,38 @@ MOCK_NODE_NETWORK_DATA =
shared_context 'neutron-stubs' do
before do
Chef::Recipe.any_instance.stub(:rabbit_servers)
allow_any_instance_of(Chef::Recipe).to receive(:rabbit_servers)
.and_return('1.1.1.1:5672,2.2.2.2:5672')
Chef::Recipe.any_instance.stub(:config_by_role)
allow_any_instance_of(Chef::Recipe).to receive(:config_by_role)
.with('rabbitmq-server', 'queue').and_return(
host: 'rabbit-host',
port: 'rabbit-port'
)
Chef::Recipe.any_instance.stub(:config_by_role)
allow_any_instance_of(Chef::Recipe).to receive(:config_by_role)
.with('glance-api', 'glance').and_return []
Chef::Recipe.any_instance.stub(:secret)
allow_any_instance_of(Chef::Recipe).to receive(:secret)
.with('secrets', 'openstack_identity_bootstrap_token')
.and_return('bootstrap-token')
Chef::Recipe.any_instance.stub(:secret)
allow_any_instance_of(Chef::Recipe).to receive(:secret)
.with('secrets', 'neutron_metadata_secret')
.and_return('metadata-secret')
Chef::Recipe.any_instance.stub(:get_password)
allow_any_instance_of(Chef::Recipe).to receive(:get_password)
.with('db', anything)
.and_return('neutron')
Chef::Recipe.any_instance.stub(:get_password)
allow_any_instance_of(Chef::Recipe).to receive(:get_password)
.with('service', 'openstack-network')
.and_return('neutron-pass')
Chef::Recipe.any_instance.stub(:get_password)
allow_any_instance_of(Chef::Recipe).to receive(:get_password)
.with('user', 'guest')
.and_return('mq-pass')
Chef::Application.stub(:fatal!)
Chef::Recipe.any_instance.stub(:get_password)
allow(Chef::Application).to receive(:fatal!)
allow_any_instance_of(Chef::Recipe).to receive(:get_password)
.with('service', 'openstack-compute')
.and_return('nova-pass')
Chef::Resource::RubyBlock.any_instance.stub(:openstack_command_env)
allow_any_instance_of(Chef::Resource::RubyBlock).to receive(:openstack_command_env)
.with('admin', 'admin')
.and_return({})
Chef::Resource::RubyBlock.any_instance.stub(:identity_uuid)
allow_any_instance_of(Chef::Resource::RubyBlock).to receive(:identity_uuid)
.with('tenant', 'name', 'service', {})
.and_return('000-UUID-FROM-CLI')


@ -1,6 +1,36 @@
<%= node["openstack"]["network"]["custom_template_banner"] %>
# Configuration for neutron-rootwrap
# This file should be owned by (and only-writeable by) the root user
[DEFAULT]
# List of directories to load filter definitions from (separated by ',').
# These directories MUST all be only writeable by root !
filters_path=/etc/neutron/rootwrap.d,/usr/share/neutron/rootwrap
filters_path=<%= node['openstack']['network']['rootwrap']['filters_path'] %>
# List of directories to search executables in, in case filters do not
# explicitely specify a full path (separated by ',')
# If not specified, defaults to system PATH environment variable.
# These directories MUST all be only writeable by root !
exec_dirs=<%= node['openstack']['network']['rootwrap']['exec_dirs'] %>
# Enable logging to syslog
# Default value is False
use_syslog=<%= node['openstack']['network']['rootwrap']['use_syslog'] %>
# Which syslog facility to use.
# Valid values include auth, authpriv, syslog, local0, local1...
# Default value is 'syslog'
syslog_log_facility=<%= node['openstack']['network']['rootwrap']['syslog_log_facility'] %>
# Which messages to log.
# INFO means log all usage
# ERROR means only log unsuccessful attempts
syslog_log_level=<%= node['openstack']['network']['rootwrap']['syslog_log_level'] %>
[xenapi]
# XenAPI configuration is only required by the L2 agent if it is to
# target a XenServer/XCP compute host's dom0.
xenapi_connection_url=<None>
xenapi_connection_username=root
xenapi_connection_password=<None>
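Review bot: With the defaults this commit introduces, the file renders `use_syslog=false`, so rootwrap sends nothing to syslog and a rejected command leaves no record for anyone reviewing what the neutron account tried to run as root. The comments above `syslog_log_level` already explain that ERROR logs only unsuccessful attempts and INFO logs all usage, but nothing tells the operator that neither applies until `use_syslog` is turned on. I would add a line above `use_syslog` such as `# Set to true to record rejected (ERROR) or all (INFO) rootwrap calls in syslog`, and consider whether the cookbook default should be `true` with the level left at ERROR.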