make internal interface name consistent

Change-Id: Id65c88fb1e59d252d447aa57f49b8da75c0d9722
2016-04-11 18:21:12 -07:00 · 2016-04-11 18:21:12 -07:00 · 16d52b3158
parent de7743ea55
commit 16d52b3158
14 changed files with 444 additions and 41 deletions
--- a/deployment_scripts/ivs_packages/ubuntu/ivs-dbg_3.6.0_amd64.deb
+++ b/deployment_scripts/ivs_packages/ubuntu/ivs-dbg_3.6.0_amd64.deb
--- a/deployment_scripts/ivs_packages/ubuntu/ivs_3.6.0_amd64.deb
+++ b/deployment_scripts/ivs_packages/ubuntu/ivs_3.6.0_amd64.deb
--- a/deployment_scripts/puppet/modules/bcf/files/p_v/bcf_rest_client.py
+++ b/deployment_scripts/puppet/modules/bcf/files/p_v/bcf_rest_client.py
@ -202,7 +202,7 @@ class RestLib(object):
    @debug_func(log_return=True)
    def program_segment_and_membership_rule(
        server, cookie, tenant, segment, internal_port, vlan,
-        port=BCF_CONTROLLER_PORT):
+        bcf_version, port=BCF_CONTROLLER_PORT):

        existing_segments = RestLib.get_os_mgmt_segments(
            server, cookie, tenant, port)
@ -247,10 +247,18 @@ class RestLib(object):

        pg_rule_url = (r'''applications/bcf/tenant[name="%(tenant)s"]/'''
                       '''segment[name="%(segment)s"]/'''
-                       '''interface-group-membership-rule''' %
+                       '''port-group-membership-rule''' %
                       {'tenant': tenant,
                        'segment': segment})
-        rule_data = {"interface-group": ANY, "vlan": vlan}
+        rule_data = {"port-group": ANY, "vlan": vlan}
+        if "3.6" in bcf_version:
+            pg_rule_url = (r'''applications/bcf/tenant[name="%(tenant)s"]/'''
+                           '''segment[name="%(segment)s"]/'''
+                           '''interface-group-membership-rule''' %
+                           {'tenant': tenant,
+                            'segment': segment})
+            rule_data = {"interface-group": ANY, "vlan": vlan}
+
        try:
            ret = RestLib.post(cookie, pg_rule_url, server, port,
                               json.dumps(rule_data))
@ -293,6 +301,8 @@ if __name__ == '__main__':
                        help="Openstack management tenant.")
    parser.add_argument("-f", "--fuel-cluster-id", required=True,
                        help="The custer id of the fuel environment")
+    parser.add_argument("-b", "--bcf-version", required=True,
+                        help="The BCF version")
    args = parser.parse_args()

    ctrls = args.controllers.split(',')
@ -308,7 +318,7 @@ if __name__ == '__main__':
            seg_vlan = int(vlan)
            RestLib.program_segment_and_membership_rule(
                active_server, cookie, args.management_tenant,
-                segment_name, internal_port, seg_vlan)
+                segment_name, internal_port, seg_vlan, args.bcf_version)

        sys.exit(0)
    except Exception as e:
--- a/deployment_scripts/puppet/modules/bcf/files/p_v/ivs-setup.sh
+++ b/deployment_scripts/puppet/modules/bcf/files/p_v/ivs-setup.sh
@ -1,7 +1,7 @@
 #!/bin/bash

-if [ "$#" -ne 6 ]; then
-  echo "Usage: $0 <management interface> <management ip> <uplinks> <all used interfaces> <bridges' ip>" >&2
+if [ "$#" -ne 7 ]; then
+  echo "Usage: $0 <management interface> <management ip> <uplinks> <all used interfaces> <bridges' ip> <fuel_deployment_id> <bcf_version>" >&2
  exit 1
 fi

@ -15,6 +15,7 @@ declare -a interfaces=($4)
 IFS='{}'
 read -ra array1 <<< $5
 deployment_id=$6
+bcf_version=$7

 cdr2mask ()
 {
@ -25,10 +26,10 @@ cdr2mask ()
 }

 # install ivs
-dpkg --force-all -i /etc/fuel/plugins/fuel-plugin-bigswitch-1.0/ivs_packages/ubuntu/ivs_3.5.0_amd64.deb
-dpkg --force-all -i /etc/fuel/plugins/fuel-plugin-bigswitch-1.0/ivs_packages/ubuntu/ivs-dbg_3.5.0_amd64.deb
 apt-get install -y libnl-genl-3-200
 apt-get -f install -y
+dpkg --force-all -i "/etc/fuel/plugins/fuel-plugin-bigswitch-1.0/ivs_packages/ubuntu/ivs_${bcf_version}_amd64.deb"
+dpkg --force-all -i "/etc/fuel/plugins/fuel-plugin-bigswitch-1.0/ivs_packages/ubuntu/ivs-dbg_${bcf_version}_amd64.deb"
 apt-get install -y apport

 # full installation
@ -49,17 +50,20 @@ for (( i=0; i<$len; i++ )); do
    IFS='=>'
    declare -a bridge_ip=(${entry})
    key=$(echo "${bridge_ip[0]}" | sed -e 's/"//' -e 's/"//')
-    itf_ip=$(echo "${bridge_ip[2]}" | sed -e 's/\[//'  -e 's/"//' -e 's/"//' -e 's/]//')
-    IFS='/'
-    declare -a ip_address=(${itf_ip})
-    netmask=$( cdr2mask ${ip_address[1]} )
+    netmask=""
+    if [[ "$key" =~ "br-storage" ]] || [[ "$key" =~ "br-mgmt" ]]; then
+        itf_ip=$(echo "${bridge_ip[2]}" | sed -e 's/\[//'  -e 's/"//' -e 's/"//' -e 's/]//')
+        IFS='/'
+        declare -a ip_address=(${itf_ip})
+        netmask=$( cdr2mask ${ip_address[1]} )
+    fi
    internal_interface=""
    if [[ "$key" =~ "br-storage" ]]; then
-        internal_interface="s${deployment_id}"
+        internal_interface="sto${deployment_id}"
    elif [[ "$key" =~ "br-mgmt" ]]; then
-        internal_interface="m${deployment_id}"
+        internal_interface="mgm${deployment_id}"
    elif [[ "$key" =~ "br-ex" ]]; then
-        internal_interface="e${deployment_id}"
+        internal_interface="ex${deployment_id}"
    fi

    if [[ "$internal_interface" =~ "$deployment_id" ]]; then
@ -71,7 +75,8 @@ for (( i=0; i<$len; i++ )); do

            ifconfig $internal_interface up
            ip link set $internal_interface up
-            ifconfig $internal_interface ${ip_address[0]} netmask ${netmask}
+            ifconfig $internal_interface ${ip_address[0]}
+            ifconfig $internal_interface netmask ${netmask}
        fi
        echo -e '\n' >> /etc/network/interfaces

@ -91,8 +96,6 @@ echo -e '  bridge_ports' ${mgmt_itf} >> /etc/network/interfaces
 echo -e '  address' ${mgmt_ip} >> /etc/network/interfaces
 echo -e '\n' >> /etc/network/interfaces

-exit 0
-
 #reset uplinks to move them out of bond
 len=${#uplinks[@]}
 for (( i=0; i<$len; i++ )); do
@ -132,7 +135,5 @@ easy_install pip
 puppet module install --force puppetlabs-inifile
 puppet module install --force puppetlabs-stdlib

-set -e
-
 exit 0

--- a/deployment_scripts/puppet/modules/bcf/files/rootwrap/api-metadata.filters
+++ b/deployment_scripts/puppet/modules/bcf/files/rootwrap/api-metadata.filters
@ -0,0 +1,13 @@
+# nova-rootwrap command filters for api-metadata nodes
+# This is needed on nova-api hosts running with "metadata" in enabled_apis
+# or when running nova-api-metadata
+# This file should be owned by (and only-writeable by) the root user
+
+[Filters]
+# nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ...
+iptables-save: CommandFilter, iptables-save, root
+ip6tables-save: CommandFilter, ip6tables-save, root
+
+# nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,)
+iptables-restore: CommandFilter, iptables-restore, root
+ip6tables-restore: CommandFilter, ip6tables-restore, root
--- a/deployment_scripts/puppet/modules/bcf/files/rootwrap/baremetal-compute-ipmi.filters
+++ b/deployment_scripts/puppet/modules/bcf/files/rootwrap/baremetal-compute-ipmi.filters
@ -0,0 +1,9 @@
+# nova-rootwrap command filters for compute nodes
+# This file should be owned by (and only-writeable by) the root user
+
+[Filters]
+# nova/virt/baremetal/ipmi.py: 'ipmitool', ..
+ipmitool: CommandFilter, ipmitool, root
+
+# nova/virt/baremetal/ipmi.py: 'kill', '-TERM', str(console_pid)
+kill_shellinaboxd: KillFilter, root, /usr/local/bin/shellinaboxd, -15, -TERM
--- a/deployment_scripts/puppet/modules/bcf/files/rootwrap/baremetal-deploy-helper.filters
+++ b/deployment_scripts/puppet/modules/bcf/files/rootwrap/baremetal-deploy-helper.filters
@ -0,0 +1,11 @@
+# nova-rootwrap command filters for nova-baremetal-deploy-helper
+# This file should be owned by (and only-writeable by) the root user
+
+[Filters]
+# nova-baremetal-deploy-helper
+iscsiadm: CommandFilter, iscsiadm, root
+sfdisk: CommandFilter, sfdisk, root
+dd: CommandFilter, dd, root
+mkswap: CommandFilter, mkswap, root
+blkid: CommandFilter, blkid, root
+mkfs: CommandFilter, mkfs, root
--- a/deployment_scripts/puppet/modules/bcf/files/rootwrap/compute.filters
+++ b/deployment_scripts/puppet/modules/bcf/files/rootwrap/compute.filters
@ -0,0 +1,228 @@
+# nova-rootwrap command filters for compute nodes
+# This file should be owned by (and only-writeable by) the root user
+
+[Filters]
+# nova/virt/disk/mount/api.py: 'kpartx', '-a', device
+# nova/virt/disk/mount/api.py: 'kpartx', '-d', device
+kpartx: CommandFilter, kpartx, root
+
+# nova/virt/xenapi/vm_utils.py: tune2fs, -O ^has_journal, part_path
+# nova/virt/xenapi/vm_utils.py: tune2fs, -j, partition_path
+tune2fs: CommandFilter, tune2fs, root
+
+# nova/virt/disk/mount/api.py: 'mount', mapped_device
+# nova/virt/disk/api.py: 'mount', '-o', 'bind', src, target
+# nova/virt/xenapi/vm_utils.py: 'mount', '-t', 'ext2,ext3,ext4,reiserfs'..
+# nova/virt/configdrive.py: 'mount', device, mountdir
+# nova/virt/libvirt/volume.py: 'mount', '-t', 'sofs' ...
+mount: CommandFilter, mount, root
+
+# nova/virt/disk/mount/api.py: 'umount', mapped_device
+# nova/virt/disk/api.py: 'umount' target
+# nova/virt/xenapi/vm_utils.py: 'umount', dev_path
+# nova/virt/configdrive.py: 'umount', mountdir
+umount: CommandFilter, umount, root
+
+# nova/virt/disk/mount/nbd.py: 'qemu-nbd', '-c', device, image
+# nova/virt/disk/mount/nbd.py: 'qemu-nbd', '-d', device
+qemu-nbd: CommandFilter, qemu-nbd, root
+
+# nova/virt/disk/mount/loop.py: 'losetup', '--find', '--show', image
+# nova/virt/disk/mount/loop.py: 'losetup', '--detach', device
+losetup: CommandFilter, losetup, root
+
+# nova/virt/libvirt/utils.py: 'blockdev', '--getsize64', path
+# nova/virt/disk/mount/nbd.py: 'blockdev', '--flushbufs', device
+blockdev: RegExpFilter, blockdev, root, blockdev, (--getsize64|--flushbufs), /dev/.*
+
+# nova/virt/disk/vfs/localfs.py: 'tee', canonpath
+tee: CommandFilter, tee, root
+
+# nova/virt/disk/vfs/localfs.py: 'mkdir', canonpath
+mkdir: CommandFilter, mkdir, root
+
+# nova/virt/disk/vfs/localfs.py: 'chown'
+# nova/virt/libvirt/connection.py: 'chown', os.getuid( console_log
+# nova/virt/libvirt/connection.py: 'chown', os.getuid( console_log
+# nova/virt/libvirt/connection.py: 'chown', 'root', basepath('disk')
+chown: CommandFilter, chown, root
+
+# nova/virt/disk/vfs/localfs.py: 'chmod'
+chmod: CommandFilter, chmod, root
+
+# nova/virt/libvirt/vif.py: 'ip', 'tuntap', 'add', dev, 'mode', 'tap'
+# nova/virt/libvirt/vif.py: 'ip', 'link', 'set', dev, 'up'
+# nova/virt/libvirt/vif.py: 'ip', 'link', 'delete', dev
+# nova/network/linux_net.py: 'ip', 'addr', 'add', str(floating_ip)+'/32'i..
+# nova/network/linux_net.py: 'ip', 'addr', 'del', str(floating_ip)+'/32'..
+# nova/network/linux_net.py: 'ip', 'addr', 'add', '169.254.169.254/32',..
+# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', dev, 'scope',..
+# nova/network/linux_net.py: 'ip', 'addr', 'del/add', ip_params, dev)
+# nova/network/linux_net.py: 'ip', 'addr', 'del', params, fields[-1]
+# nova/network/linux_net.py: 'ip', 'addr', 'add', params, bridge
+# nova/network/linux_net.py: 'ip', '-f', 'inet6', 'addr', 'change', ..
+# nova/network/linux_net.py: 'ip', 'link', 'set', 'dev', dev, 'promisc',..
+# nova/network/linux_net.py: 'ip', 'link', 'add', 'link', bridge_if ...
+# nova/network/linux_net.py: 'ip', 'link', 'set', interface, address,..
+# nova/network/linux_net.py: 'ip', 'link', 'set', interface, 'up'
+# nova/network/linux_net.py: 'ip', 'link', 'set', bridge, 'up'
+# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', interface, ..
+# nova/network/linux_net.py: 'ip', 'link', 'set', dev, address, ..
+# nova/network/linux_net.py: 'ip', 'link', 'set', dev, 'up'
+# nova/network/linux_net.py: 'ip', 'route', 'add', ..
+# nova/network/linux_net.py: 'ip', 'route', 'del', .
+# nova/network/linux_net.py: 'ip', 'route', 'show', 'dev', dev
+ip: CommandFilter, ip, root
+
+# nova/virt/libvirt/vif.py: 'tunctl', '-b', '-t', dev
+# nova/network/linux_net.py: 'tunctl', '-b', '-t', dev
+tunctl: CommandFilter, tunctl, root
+
+# nova/virt/libvirt/vif.py: 'ovs-vsctl', ...
+# nova/virt/libvirt/vif.py: 'ovs-vsctl', 'del-port', ...
+# nova/network/linux_net.py: 'ovs-vsctl', ....
+ovs-vsctl: CommandFilter, ovs-vsctl, root
+
+# nova/network/linux_net.py: 'ovs-ofctl', ....
+ovs-ofctl: CommandFilter, ovs-ofctl, root
+
+# nova/virt/libvirt/connection.py: 'dd', if=%s % virsh_output, ...
+dd: CommandFilter, dd, root
+
+# nova/virt/xenapi/volume_utils.py: 'iscsiadm', '-m', ...
+iscsiadm: CommandFilter, iscsiadm, root
+
+# nova/virt/libvirt/volume.py: 'aoe-revalidate', aoedev
+# nova/virt/libvirt/volume.py: 'aoe-discover'
+aoe-revalidate: CommandFilter, aoe-revalidate, root
+aoe-discover: CommandFilter, aoe-discover, root
+
+# nova/virt/xenapi/vm_utils.py: parted, --script, ...
+# nova/virt/xenapi/vm_utils.py: 'parted', '--script', dev_path, ..*.
+parted: CommandFilter, parted, root
+
+# nova/virt/xenapi/vm_utils.py: 'pygrub', '-qn', dev_path
+pygrub: CommandFilter, pygrub, root
+
+# nova/virt/xenapi/vm_utils.py: fdisk %(dev_path)s
+fdisk: CommandFilter, fdisk, root
+
+# nova/virt/xenapi/vm_utils.py: e2fsck, -f, -p, partition_path
+# nova/virt/disk/api.py: e2fsck, -f, -p, image
+e2fsck: CommandFilter, e2fsck, root
+
+# nova/virt/xenapi/vm_utils.py: resize2fs, partition_path
+# nova/virt/disk/api.py: resize2fs, image
+resize2fs: CommandFilter, resize2fs, root
+
+# nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ...
+iptables-save: CommandFilter, iptables-save, root
+ip6tables-save: CommandFilter, ip6tables-save, root
+
+# nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,)
+iptables-restore: CommandFilter, iptables-restore, root
+ip6tables-restore: CommandFilter, ip6tables-restore, root
+
+# nova/network/linux_net.py: 'arping', '-U', floating_ip, '-A', '-I', ...
+# nova/network/linux_net.py: 'arping', '-U', network_ref['dhcp_server'],..
+arping: CommandFilter, arping, root
+
+# nova/network/linux_net.py: 'dhcp_release', dev, address, mac_address
+dhcp_release: CommandFilter, dhcp_release, root
+
+# nova/network/linux_net.py: 'kill', '-9', pid
+# nova/network/linux_net.py: 'kill', '-HUP', pid
+kill_dnsmasq: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP
+
+# nova/network/linux_net.py: 'kill', pid
+kill_radvd: KillFilter, root, /usr/sbin/radvd
+
+# nova/network/linux_net.py: dnsmasq call
+dnsmasq: EnvFilter, env, root, CONFIG_FILE=, NETWORK_ID=, dnsmasq
+
+# nova/network/linux_net.py: 'radvd', '-C', '%s' % _ra_file(dev, 'conf'..
+radvd: CommandFilter, radvd, root
+
+# nova/network/linux_net.py: 'brctl', 'addbr', bridge
+# nova/network/linux_net.py: 'brctl', 'setfd', bridge, 0
+# nova/network/linux_net.py: 'brctl', 'stp', bridge, 'off'
+# nova/network/linux_net.py: 'brctl', 'addif', bridge, interface
+brctl: CommandFilter, brctl, root
+
+# nova/virt/libvirt/utils.py: 'mkswap'
+# nova/virt/xenapi/vm_utils.py: 'mkswap'
+mkswap: CommandFilter, mkswap, root
+
+# nova/virt/xenapi/vm_utils.py: 'mkfs'
+# nova/utils.py: 'mkfs', fs, path, label
+mkfs: CommandFilter, mkfs, root
+
+# nova/virt/libvirt/utils.py: 'qemu-img'
+qemu-img: CommandFilter, qemu-img, root
+
+# nova/virt/disk/vfs/localfs.py: 'readlink', '-e'
+readlink: CommandFilter, readlink, root
+
+# nova/virt/disk/api.py: 'touch', target
+touch: CommandFilter, touch, root
+
+# nova/virt/disk/api.py:
+mkfs.ext3: CommandFilter, mkfs.ext3, root
+mkfs.ntfs: CommandFilter, mkfs.ntfs, root
+
+# nova/virt/libvirt/connection.py:
+read_initiator: ReadFileFilter, /etc/iscsi/initiatorname.iscsi
+
+# nova/virt/libvirt/connection.py:
+lvremove: CommandFilter, lvremove, root
+
+# nova/virt/libvirt/utils.py:
+lvcreate: CommandFilter, lvcreate, root
+
+# nova/virt/libvirt/utils.py:
+lvs: CommandFilter, lvs, root
+
+# nova/virt/libvirt/utils.py:
+vgs: CommandFilter, vgs, root
+
+# nova/virt/baremetal/volume_driver.py: 'tgtadm', '--lld', 'iscsi', ...
+tgtadm: CommandFilter, tgtadm, root
+
+# nova/utils.py:read_file_as_root: 'cat', file_path
+# (called from nova/virt/disk/vfs/localfs.py:VFSLocalFS.read_file)
+read_passwd: RegExpFilter, cat, root, cat, (/var|/usr)?/tmp/openstack-vfs-localfs[^/]+/etc/passwd
+read_shadow: RegExpFilter, cat, root, cat, (/var|/usr)?/tmp/openstack-vfs-localfs[^/]+/etc/shadow
+
+# nova/virt/libvirt/volume.py: 'multipath' '-R'
+multipath: CommandFilter, multipath, root
+
+# nova/virt/libvirt/utils.py:
+systool: CommandFilter, systool, root
+
+# nova/virt/libvirt/volume.py:
+sginfo: CommandFilter, sginfo, root
+sg_scan: CommandFilter, sg_scan, root
+ln: RegExpFilter, ln, root, ln, --symbolic, --force, /dev/mapper/ip-.*-iscsi-iqn.*, /dev/disk/by-path/ip-.*-iscsi-iqn.*
+
+# nova/volume/encryptors.py:
+# nova/virt/libvirt/dmcrypt.py:
+cryptsetup: CommandFilter, cryptsetup, root
+
+# nova/virt/xenapi/vm_utils.py:
+xenstore-read: CommandFilter, xenstore-read, root
+
+# nova/virt/baremetal/tilera.py: 'rpc.mountd'
+rpc.mountd: CommandFilter, rpc.mountd, root
+
+# nova/virt/libvirt/utils.py:
+rbd: CommandFilter, rbd, root
+
+# nova/virt/libvirt/utils.py: 'shred', '-n3', '-s%d' % volume_size, path
+shred: CommandFilter, shred, root
+
+# nova/virt/libvirt/volume.py: 'cp', '/dev/stdin', delete_control..
+cp: CommandFilter, cp, root
+
+# nova/virt/xenapi/vm_utils.py:
+sync: CommandFilter, sync, root
+
--- a/deployment_scripts/puppet/modules/bcf/files/rootwrap/network.filters
+++ b/deployment_scripts/puppet/modules/bcf/files/rootwrap/network.filters
@ -0,0 +1,94 @@
+# nova-rootwrap command filters for network nodes
+# This file should be owned by (and only-writeable by) the root user
+
+[Filters]
+# nova/virt/libvirt/vif.py: 'ip', 'tuntap', 'add', dev, 'mode', 'tap'
+# nova/virt/libvirt/vif.py: 'ip', 'link', 'set', dev, 'up'
+# nova/virt/libvirt/vif.py: 'ip', 'link', 'delete', dev
+# nova/network/linux_net.py: 'ip', 'addr', 'add', str(floating_ip)+'/32'i..
+# nova/network/linux_net.py: 'ip', 'addr', 'del', str(floating_ip)+'/32'..
+# nova/network/linux_net.py: 'ip', 'addr', 'add', '169.254.169.254/32',..
+# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', dev, 'scope',..
+# nova/network/linux_net.py: 'ip', 'addr', 'del/add', ip_params, dev)
+# nova/network/linux_net.py: 'ip', 'addr', 'del', params, fields[-1]
+# nova/network/linux_net.py: 'ip', 'addr', 'add', params, bridge
+# nova/network/linux_net.py: 'ip', '-f', 'inet6', 'addr', 'change', ..
+# nova/network/linux_net.py: 'ip', 'link', 'set', 'dev', dev, 'promisc',..
+# nova/network/linux_net.py: 'ip', 'link', 'add', 'link', bridge_if ...
+# nova/network/linux_net.py: 'ip', 'link', 'set', interface, address,..
+# nova/network/linux_net.py: 'ip', 'link', 'set', interface, 'up'
+# nova/network/linux_net.py: 'ip', 'link', 'set', bridge, 'up'
+# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', interface, ..
+# nova/network/linux_net.py: 'ip', 'link', 'set', dev, address, ..
+# nova/network/linux_net.py: 'ip', 'link', 'set', dev, 'up'
+# nova/network/linux_net.py: 'ip', 'route', 'add', ..
+# nova/network/linux_net.py: 'ip', 'route', 'del', .
+# nova/network/linux_net.py: 'ip', 'route', 'show', 'dev', dev
+ip: CommandFilter, ip, root
+
+# nova/virt/libvirt/vif.py: 'ovs-vsctl', ...
+# nova/virt/libvirt/vif.py: 'ovs-vsctl', 'del-port', ...
+# nova/network/linux_net.py: 'ovs-vsctl', ....
+ovs-vsctl: CommandFilter, ovs-vsctl, root
+
+# nova/network/linux_net.py: 'ovs-ofctl', ....
+ovs-ofctl: CommandFilter, ovs-ofctl, root
+
+# nova/virt/libvirt/vif.py: 'ivs-ctl', ...
+# nova/virt/libvirt/vif.py: 'ivs-ctl', 'del-port', ...
+# nova/network/linux_net.py: 'ivs-ctl', ....
+ivs-ctl: CommandFilter, ivs-ctl, root
+
+# nova/virt/libvirt/vif.py: 'ifc_ctl', ...
+ifc_ctl: CommandFilter, /opt/pg/bin/ifc_ctl, root
+
+# nova/virt/libvirt/vif.py: 'ebrctl', ...
+ebrctl: CommandFilter, ebrctl, root
+
+# nova/virt/libvirt/vif.py: 'mm-ctl', ...
+mm-ctl: CommandFilter, mm-ctl, root
+
+# nova/network/linux_net.py: 'ebtables', '-D' ...
+# nova/network/linux_net.py: 'ebtables', '-I' ...
+ebtables: CommandFilter, ebtables, root
+ebtables_usr: CommandFilter, ebtables, root
+
+# nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ...
+iptables-save: CommandFilter, iptables-save, root
+ip6tables-save: CommandFilter, ip6tables-save, root
+
+# nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,)
+iptables-restore: CommandFilter, iptables-restore, root
+ip6tables-restore: CommandFilter, ip6tables-restore, root
+
+# nova/network/linux_net.py: 'arping', '-U', floating_ip, '-A', '-I', ...
+# nova/network/linux_net.py: 'arping', '-U', network_ref['dhcp_server'],..
+arping: CommandFilter, arping, root
+
+# nova/network/linux_net.py: 'dhcp_release', dev, address, mac_address
+dhcp_release: CommandFilter, dhcp_release, root
+
+# nova/network/linux_net.py: 'kill', '-9', pid
+# nova/network/linux_net.py: 'kill', '-HUP', pid
+kill_dnsmasq: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP
+
+# nova/network/linux_net.py: 'kill', pid
+kill_radvd: KillFilter, root, /usr/sbin/radvd
+
+# nova/network/linux_net.py: dnsmasq call
+dnsmasq: EnvFilter, env, root, CONFIG_FILE=, NETWORK_ID=, dnsmasq
+
+# nova/network/linux_net.py: 'radvd', '-C', '%s' % _ra_file(dev, 'conf'..
+radvd: CommandFilter, radvd, root
+
+# nova/network/linux_net.py: 'brctl', 'addbr', bridge
+# nova/network/linux_net.py: 'brctl', 'setfd', bridge, 0
+# nova/network/linux_net.py: 'brctl', 'stp', bridge, 'off'
+# nova/network/linux_net.py: 'brctl', 'addif', bridge, interface
+brctl: CommandFilter, brctl, root
+
+# nova/network/linux_net.py: 'sysctl', ....
+sysctl: CommandFilter, sysctl, root
+
+# nova/network/linux_net.py: 'conntrack'
+conntrack: CommandFilter, conntrack, root
--- a/deployment_scripts/puppet/modules/bcf/manifests/p_only/reconfigure_neutron.pp
+++ b/deployment_scripts/puppet/modules/bcf/manifests/p_only/reconfigure_neutron.pp
@ -179,11 +179,11 @@ class bcf::p_only::reconfigure_neutron {
      value             => '/etc/neutron/plugins/ml2',
      notify            => Service['neutron-server'],
    }
-    if $bcf::params::openstack::bcf_controller_2 == ':8000' {
-        $server = $bcf::params::openstack::bcf_controller_1
+    if $bcf::params::openstack::bcf_controller_2 == '' {
+        $server = "${bcf::params::openstack::bcf_controller_1}:8000"
    }
    else {
-        $server = "${bcf::params::openstack::bcf_controller_1},${bcf::params::openstack::bcf_controller_2}"
+        $server = "${bcf::params::openstack::bcf_controller_1}:8000,${bcf::params::openstack::bcf_controller_2}:8000"
    }

    ini_setting { 'ml2 restproxy servers':
--- a/deployment_scripts/puppet/modules/bcf/manifests/p_v/compute.pp
+++ b/deployment_scripts/puppet/modules/bcf/manifests/p_v/compute.pp
@ -29,7 +29,7 @@ class bcf::p_v::compute {
    $mgmt_ip = $bcf::existing_bridges['br-fw-admin']['IP']
    if has_key($bcf::existing_bridges, 'br-storage') {
        $bridge_ips['br-storage'] = $bcf::existing_bridges['br-storage']['IP']
-        $ivs_internal_ports['br-storage'] = "s${bcf::deployment_id}"
+        $ivs_internal_ports['br-storage'] = "sto${bcf::deployment_id}"
    }

    if has_key($bcf::existing_bridges, 'br-prv') {
@ -38,12 +38,12 @@ class bcf::p_v::compute {

    if has_key($bcf::existing_bridges, 'br-mgmt') {
        $bridge_ips['br-mgmt'] = $bcf::existing_bridges['br-mgmt']['IP']
-        $ivs_internal_ports['br-mgmt'] = "m${bcf::deployment_id}"
+        $ivs_internal_ports['br-mgmt'] = "mgm${bcf::deployment_id}"
    }

    if has_key($bcf::existing_bridges, 'br-ex') {
        $bridge_ips['br-ex'] = $bcf::existing_bridges['br-ex']['IP']
-        $ivs_internal_ports['br-ex'] = "e${bcf::deployment_id}"
+        $ivs_internal_ports['br-ex'] = "ex${bcf::deployment_id}"
    }

    $bridge_list = split(inline_template("<%= @bridge_ips.keys.join(',') %>", ','))
@ -54,8 +54,31 @@ class bcf::p_v::compute {
    notice("bigswitch bond_name ${bcf::bond_name}")
    notice("bigswitch interfaces ${interfaces}")

+    # Install rootwrap filter
+    file { '/etc/neutron/rootwrap.d/network.filters':
+      ensure  => 'file',
+      source  => 'puppet:///modules/bcf/rootwrap/network.filters',
+    }
+    file { '/etc/neutron/rootwrap.d/api-metadata.filters':
+      ensure  => 'file',
+      source  => 'puppet:///modules/bcf/rootwrap/api-metadata.filters',
+    }
+    file { '/etc/neutron/rootwrap.d/baremetal-deploy-helper.filters':
+      ensure  => 'file',
+      source  => 'puppet:///modules/bcf/rootwrap/baremetal-deploy-helper.filters',
+    }
+    file { '/etc/neutron/rootwrap.d/baremetal-compute-ipmi.filters':
+      ensure  => 'file',
+      source  => 'puppet:///modules/bcf/rootwrap/baremetal-compute-ipmi.filters',
+    }
+    file { '/etc/neutron/rootwrap.d/compute.filters':
+      ensure  => 'file',
+      source  => 'puppet:///modules/bcf/rootwrap/compute.filters',
+    }
+
    package { 'python-pip':
      ensure => 'installed',
+      require => File['/etc/neutron/rootwrap.d/network.filters']
    }
    exec { 'bsnstacklib':
      command => 'pip install "bsnstacklib<2015.2"',
@ -74,9 +97,10 @@ class bcf::p_v::compute {
      require => File['/etc/bigswitch']
    }
    exec { 'clean up ovs bridges':
-      command => "bash /etc/bigswitch/bridge-cleanup.sh ${bridge_list} ${bcf::bond_name}",
-      path    => '/usr/local/bin/:/usr/bin/:/bin',
-      require => File['/etc/bigswitch/bridge-cleanup.sh']
+      command   => "bash /etc/bigswitch/bridge-cleanup.sh ${bridge_list} ${bcf::bond_name}",
+      path      => '/sbin:/usr/local/bin/:/usr/bin/:/bin',
+      logoutput => true,
+      require   => File['/etc/bigswitch/bridge-cleanup.sh']
    }
    file { '/etc/bigswitch/ivs-setup.sh':
      ensure  => 'file',
@ -84,9 +108,10 @@ class bcf::p_v::compute {
      require => EXEC['clean up ovs bridges']
    }
    exec { 'set up ivs':
-      command => "bash /etc/bigswitch/ivs-setup.sh ${bcf::mgmt_itf} ${mgmt_ip} ${bcf::itfs} ${interfaces} \'${bridge_ips}\' ${bcf::deployment_id}",
-      path    => '/usr/local/bin/:/usr/bin/:/bin',
-      require => File['/etc/bigswitch/ivs-setup.sh']
+      command   => "bash /etc/bigswitch/ivs-setup.sh ${bcf::mgmt_itf} ${mgmt_ip} ${bcf::itfs} ${interfaces} \'${bridge_ips}\' ${bcf::deployment_id} ${bcf::params::openstack::bcf_version}",
+      path      => '/sbin:/usr/local/bin/:/usr/bin/:/bin',
+      logoutput => true,
+      require   => File['/etc/bigswitch/ivs-setup.sh']
    }
    file { '/etc/default/ivs':
      ensure  => file,
@ -219,7 +244,7 @@ start on runlevel [2345]
 stop on runlevel [!2345]
 respawn
 script
-    exec /usr/local/bin/neutron-bsn-agent --config-file=/etc/neutron/neutron.conf --config-dir /etc/neutron/conf.d/common --log-file=/var/log/neutron/neutron-bsn-agent.log
+    exec /usr/local/bin/neutron-bsn-agent --config-file=/etc/neutron/neutron.conf --config-file=/etc/neutron/plugin.ini --log-file=/var/log/neutron/neutron-bsn-agent.log
 end script
 ",
    }
--- a/deployment_scripts/puppet/modules/bcf/manifests/p_v/reconfigure_neutron.pp
+++ b/deployment_scripts/puppet/modules/bcf/manifests/p_v/reconfigure_neutron.pp
@ -282,7 +282,7 @@ class bcf::p_v::reconfigure_neutron {
      source  => 'puppet:///modules/bcf/p_v/bcf_rest_client.py',
    }
    exec { 'Openstack segment membership':
-      command => "python /etc/bigswitch/bcf_rest_client.py -u ${bcf::params::openstack::bcf_username} -p ${bcf::params::openstack::bcf_password} -c ${rest_server} -m ${bcf::params::openstack::bcf_os_mgmt_tenant} -f ${bcf::params::openstack::deployment_id}",
+      command => "python /etc/bigswitch/bcf_rest_client.py -u ${bcf::params::openstack::bcf_username} -p ${bcf::params::openstack::bcf_password} -c ${rest_server} -m ${bcf::params::openstack::bcf_os_mgmt_tenant} -f ${bcf::deployment_id} -b ${bcf::params::openstack::bcf_version}",
      path    => '/usr/local/bin/:/usr/bin/:/bin',
      require => FILE['/etc/bigswitch/bcf_rest_client.py']
    }
--- a/deployment_scripts/puppet/modules/bcf/manifests/params/openstack.pp
+++ b/deployment_scripts/puppet/modules/bcf/manifests/params/openstack.pp
@ -18,7 +18,6 @@ class bcf::params::openstack {
  $virtual_cluster_name  = 'OpenStackCluster'
  $ceph_virtual_cluster_name  = 'CephCluster'

-  $deployment_id         = hiera('deployment_id')
  $quantum_settings      = hiera('quantum_settings')
  $keystone_vip          = hiera('management_vip')
  $auth_user             = 'neutron'
@ -45,5 +44,6 @@ class bcf::params::openstack {
  $bcf_password          = $bcf_hash['bcf_controller_password']
  $bcf_instance_id       = $bcf_hash['openstack_instance_id']
  $bcf_os_mgmt_tenant    = $bcf_hash['openstack_mgmt_tenant']
+  $bcf_version           = $bcf_hash['bcf_version']
  $access_tenant         = 'services'
 }
--- a/environment_config.yaml
+++ b/environment_config.yaml
@ -20,7 +20,7 @@ attributes:
  bcf_controller_1:
    value: ""
    label: "BCF Controller1"
-    description: "BCF Controller' IP address"
+    description: "BCF Controller' IP address."
    weight: 10
    type: "text"
    regex:
@ -30,7 +30,7 @@ attributes:
  bcf_controller_2:
    value: ""
    label: "BCF Controller2"
-    description: "The second BCF Controller' IP address"
+    description: "The second BCF Controller' IP address."
    weight: 11
    type: "text"
    regex:
@ -40,27 +40,39 @@ attributes:
  bcf_controller_username:
    value: ""
    label: "BCF Controller Username"
-    description: "Username to access BCF controllers"
+    description: "Username to access BCF controllers."
    weight: 20
    type: "text"

  bcf_controller_password:
    value: ""
    label: "BCF Controller Password"
-    description: "Password to access BCF controllers"
+    description: "Password to access BCF controllers."
    weight: 21
    type: "password"

  openstack_instance_id:
    value: ""
    label: "Openstack Instance ID"
-    description: "The Openstack instance ID that is unique within the BCF fabric"
+    description: "The Openstack instance ID that is unique within the BCF fabric."
    weight: 30
    type: "text"

  openstack_mgmt_tenant:
    value: ""
    label: "Management Tenant"
-    description: "The BCF Management Tenant"
+    description: "The BCF Management Tenant. Not needed in P_Only mode."
    weight: 40
    type: "text"
+
+  bcf_version:
+    type: "select"
+    weight: 50
+    value: "3.5.0"
+    label: "BCF Fabric Version"
+    description: "The plugin supports BCF 3.5.0 or 3.6.0 release. Not needed in P_Only mode."
+    values:
+      - data: "3.5.0"
+        label: "3.5.0"
+      - data: "3.6.0"
+        label: "3.6.0"