diff --git a/CVE-2024-53916-Fix-the-tagging-policy-engine.patch b/CVE-2024-53916-Fix-the-tagging-policy-engine.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e519c56383d07b7846d759ed1bfca27b4d5a7985
--- /dev/null
+++ b/CVE-2024-53916-Fix-the-tagging-policy-engine.patch
@@ -0,0 +1,268 @@ +diff --git a/neutron/extensions/tagging.py b/neutron/extensions/tagging.py +index 30b5b06..63e35ba 100644 +--- a/neutron/extensions/tagging.py ++++ b/neutron/extensions/tagging.py +@@ -12,7 +12,10 @@ + # under the License. + + import abc ++import collections + import copy ++import functools ++import itertools + + from neutron_lib.api.definitions import port + from neutron_lib.api import extensions as api_extensions +@@ -29,6 +32,16 @@ from neutron._i18n import _ + from neutron.api import extensions + from neutron.api.v2 import resource as api_resource + ++from neutron.objects import network as network_obj ++from neutron.objects import network_segment_range as network_segment_range_obj ++from neutron.objects import ports as ports_obj ++from neutron.objects.qos import policy as policy_obj ++from neutron.objects import router as router_obj ++from neutron.objects import securitygroup as securitygroup_obj ++from neutron.objects import subnet as subnet_obj ++from neutron.objects import subnetpool as subnetpool_obj ++from neutron.objects import trunk as trunk_obj ++from neutron import policy + + TAG = 'tag' + TAGS = TAG + 's' +@@ -56,6 +69,34 @@ TAG_ATTRIBUTE_MAP_PORTS[TAGS] = { + 'default': [], 'is_visible': True, 'is_filter': True + } + ++PARENTS = { ++ 'floatingips': router_obj.FloatingIP, ++ 'network_segment_ranges': network_segment_range_obj.NetworkSegmentRange, ++ 'networks': network_obj.Network, ++ 'policies': policy_obj.QosPolicy, ++ 'ports': ports_obj.Port, ++ 'routers': router_obj.Router, ++ 'security_groups': securitygroup_obj.SecurityGroup, ++ 'subnets': ('networks', subnet_obj.Subnet), ++ 'subnetpools': subnetpool_obj.SubnetPool, ++ 'trunks': trunk_obj.Trunk, ++} ++ResourceInfo = collections.namedtuple( ++ 'ResourceInfo', ['project_id', ++ 'parent_type', ++ 'parent_id', ++ 'upper_parent_type', ++ 'upper_parent_id', ++ ]) ++EMPTY_RESOURCE_INFO = ResourceInfo(None, None, None, None, None) ++ ++def _policy_init(f): ++ @functools.wraps(f) ++ 
def func(self, *args, **kwargs): ++ policy.init() ++ return f(self, *args, **kwargs) ++ return func ++ + + class TagResourceNotFound(exceptions.NotFound): + message = _("Resource %(resource)s %(resource_id)s could not be found.") +@@ -95,6 +136,59 @@ class TaggingController(object): + self.plugin = directory.get_plugin(TAG_PLUGIN_TYPE) + self.supported_resources = TAG_SUPPORTED_RESOURCES + ++ def _get_target(self, res_info): ++ target = {'id': res_info.parent_id, ++ 'tenant_id': res_info.project_id, ++ 'project_id': res_info.project_id} ++ if res_info.upper_parent_type: ++ res_id = (self.supported_resources[res_info.upper_parent_type] + ++ '_id') ++ target[res_id] = res_info.upper_parent_id ++ return target ++ ++ def _get_resource_info(self, context, kwargs): ++ """Return the tag parent resource information ++ ++ Some parent resources, like the subnets, depend on other upper parent ++ resources (networks). In that case, it is needed to provide the upper ++ parent resource information. ++ ++ :param kwargs: dictionary with the parent resource ID, along with other ++ information not needed. It is formated as ++ {"resource_id": "id", ...} ++ :return: ``ResourceInfo`` named tuple with the parent and upper parent ++ information and the project ID (of the parent or upper ++ parent). 
++ """ ++ for key, parent_type in itertools.product( ++ kwargs.keys(), self.supported_resources.keys()): ++ if key != self.supported_resources[parent_type] + '_id': ++ continue ++ ++ parent_id = kwargs[key] ++ parent_obj = PARENTS[parent_type] ++ if isinstance(parent_obj, tuple): ++ upper_parent_type = parent_obj[0] ++ parent_obj = parent_obj[1] ++ res_id = (self.supported_resources[upper_parent_type] + ++ '_id') ++ upper_parent_id = parent_obj.get_values( ++ context.elevated(), res_id, id=parent_id)[0] ++ else: ++ upper_parent_type = upper_parent_id = None ++ ++ try: ++ project_id = parent_obj.get_values( ++ context.elevated(), 'project_id', id=parent_id)[0] ++ except IndexError: ++ return EMPTY_RESOURCE_INFO ++ ++ return ResourceInfo(project_id, parent_type, parent_id, ++ upper_parent_type, upper_parent_id) ++ ++ # This should never be returned. ++ return EMPTY_RESOURCE_INFO ++ + def _get_parent_resource_and_id(self, kwargs): + for key in kwargs: + for resource in self.supported_resources: +@@ -102,68 +196,103 @@ class TaggingController(object): + return resource, kwargs[key] + return None, None + ++ @_policy_init + def index(self, request, **kwargs): +- # GET /v2.0/networks/{network_id}/tags +- parent, parent_id = self._get_parent_resource_and_id(kwargs) +- return self.plugin.get_tags(request.context, parent, parent_id) +- ++ # GET /v2.0/{parent_resource}/{parent_resource_id}/tags ++ ctx = request.context ++ rinfo = self._get_resource_info(ctx, kwargs) ++ target = self._get_target(rinfo) ++ policy.enforce(ctx, 'get_{}_{}'.format(rinfo.parent_type, TAGS), ++ target) ++ return self.plugin.get_tags(ctx, rinfo.parent_type, rinfo.parent_id) ++ ++ @_policy_init + def show(self, request, id, **kwargs): +- # GET /v2.0/networks/{network_id}/tags/{tag} ++ # GET /v2.0/{parent_resource}/{parent_resource_id}/tags/{tag} + # id == tag + validate_tag(id) +- parent, parent_id = self._get_parent_resource_and_id(kwargs) +- return self.plugin.get_tag(request.context, parent, 
parent_id, id) +- ++ ctx = request.context ++ rinfo = self._get_resource_info(ctx, kwargs) ++ target = self._get_target(rinfo) ++ policy.enforce(ctx, 'get_{}_{}'.format(rinfo.parent_type, TAGS), ++ target) ++ return self.plugin.get_tag(ctx, rinfo.parent_type, rinfo.parent_id, id) ++ ++ @_policy_init + def create(self, request, **kwargs): + # not supported + # POST /v2.0/networks/{network_id}/tags + raise webob.exc.HTTPNotFound("not supported") + ++ @_policy_init + def update(self, request, id, **kwargs): +- # PUT /v2.0/networks/{network_id}/tags/{tag} ++ # PUT /v2.0/{parent_resource}/{parent_resource_id}/tags/{tag} + # id == tag + validate_tag(id) +- parent, parent_id = self._get_parent_resource_and_id(kwargs) +- notify_tag_action(request.context, 'create.start', +- parent, parent_id, [id]) +- result = self.plugin.update_tag(request.context, parent, parent_id, id) +- notify_tag_action(request.context, 'create.end', +- parent, parent_id, [id]) ++ ctx = request.context ++ rinfo = self._get_resource_info(ctx, kwargs) ++ target = self._get_target(rinfo) ++ policy.enforce(ctx, 'update_{}_{}'.format(rinfo.parent_type, TAGS), ++ target) ++ notify_tag_action(ctx, 'create.start', rinfo.parent_type, ++ rinfo.parent_id, [id]) ++ result = self.plugin.update_tag(ctx, rinfo.parent_type, ++ rinfo.parent_id, id) ++ notify_tag_action(ctx, 'create.end', rinfo.parent_type, ++ rinfo.parent_id, [id]) + return result + ++ ++ @_policy_init + def update_all(self, request, body, **kwargs): +- # PUT /v2.0/networks/{network_id}/tags ++ # PUT /v2.0/{parent_resource}/{parent_resource_id}/tags + # body: {"tags": ["aaa", "bbb"]} + validate_tags(body) +- parent, parent_id = self._get_parent_resource_and_id(kwargs) +- notify_tag_action(request.context, 'update.start', +- parent, parent_id, body['tags']) +- result = self.plugin.update_tags(request.context, parent, +- parent_id, body) +- notify_tag_action(request.context, 'update.end', +- parent, parent_id, body['tags']) ++ ctx = request.context ++ 
rinfo = self._get_resource_info(ctx, kwargs) ++ target = self._get_target(rinfo) ++ policy.enforce(ctx, 'update_{}_{}'.format(rinfo.parent_type, TAGS), ++ target) ++ notify_tag_action(ctx, 'update.start', rinfo.parent_type, ++ rinfo.parent_id, body['tags']) ++ result = self.plugin.update_tags(ctx, rinfo.parent_type, ++ rinfo.parent_id, body) ++ notify_tag_action(ctx, 'update.end', rinfo.parent_type, ++ rinfo.parent_id, body['tags']) + return result + ++ @_policy_init + def delete(self, request, id, **kwargs): +- # DELETE /v2.0/networks/{network_id}/tags/{tag} ++ # DELETE /v2.0/{parent_resource}/{parent_resource_id}/tags/{tag} + # id == tag + validate_tag(id) +- parent, parent_id = self._get_parent_resource_and_id(kwargs) +- notify_tag_action(request.context, 'delete.start', +- parent, parent_id, [id]) +- result = self.plugin.delete_tag(request.context, parent, parent_id, id) +- notify_tag_action(request.context, 'delete.end', +- parent, parent_id, [id]) ++ ctx = request.context ++ rinfo = self._get_resource_info(ctx, kwargs) ++ target = self._get_target(rinfo) ++ policy.enforce(ctx, 'delete_{}_{}'.format(rinfo.parent_type, TAGS), ++ target) ++ notify_tag_action(ctx, 'delete.start', rinfo.parent_type, ++ rinfo.parent_id, [id]) ++ result = self.plugin.delete_tag(ctx, rinfo.parent_type, ++ rinfo.parent_id, id) ++ notify_tag_action(ctx, 'delete.end', rinfo.parent_type, ++ rinfo.parent_id, [id]) + return result + ++ @_policy_init + def delete_all(self, request, **kwargs): +- # DELETE /v2.0/networks/{network_id}/tags +- parent, parent_id = self._get_parent_resource_and_id(kwargs) +- notify_tag_action(request.context, 'delete_all.start', +- parent, parent_id) +- result = self.plugin.delete_tags(request.context, parent, parent_id) +- notify_tag_action(request.context, 'delete_all.end', +- parent, parent_id) ++ # DELETE /v2.0/{parent_resource}/{parent_resource_id}/tags ++ ctx = request.context ++ rinfo = self._get_resource_info(ctx, kwargs) ++ target = 
self._get_target(rinfo) ++ policy.enforce(ctx, 'delete_{}_{}'.format(rinfo.parent_type, TAGS), ++ target) ++ notify_tag_action(ctx, 'delete_all.start', rinfo.parent_type, ++ rinfo.parent_id) ++ result = self.plugin.delete_tags(ctx, rinfo.parent_type, ++ rinfo.parent_id) ++ notify_tag_action(ctx, 'delete_all.end', rinfo.parent_type, ++ rinfo.parent_id) + return result + + diff --git a/README.en.md b/README.en.md index faaa6031b263a8e52cacb3ec81f1e35ef0560f0d..f52e8df100d72b123e6711cb506f7186130b15ee 100644 --- a/README.en.md +++ b/README.en.md @@ -1,3 +1,36 @@ # openstack-neutron -OpenStack services are exclusively released in the openEuler LTS version. Please refer to other Multi-Version branches for the Spec source code. \ No newline at end of file +#### Description +Neutron is an OpenStack project to provide "network connectivity as a service" between interface devices (e.g., vNICs) managed by other OpenStack services + +#### Software Architecture +Software architecture description + +#### Installation + +1. xxxx +2. xxxx +3. xxxx + +#### Instructions + +1. xxxx +2. xxxx +3. xxxx + +#### Contribution + +1. Fork the repository +2. Create Feat_xxx branch +3. Commit your code +4. Create Pull Request + + +#### Gitee Feature + +1. You can use Readme\_XXX.md to support different languages, such as Readme\_en.md, Readme\_zh.md +2. Gitee blog [blog.gitee.com](https://blog.gitee.com) +3. Explore open source project [https://gitee.com/explore](https://gitee.com/explore) +4. The most valuable open source project [GVP](https://gitee.com/gvp) +5. The manual of Gitee [https://gitee.com/help](https://gitee.com/help) +6. The most popular members [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/) diff --git a/README.md b/README.md index 76d3293e48fb86f48f1b267dac0846e49663378a..c007c5513d951680717225c82730be5f95274388 100644 --- a/README.md +++ b/README.md 
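Review bot: In `_get_resource_info` of the embedded neutron/extensions/tagging.py patch, the upper-parent lookup `upper_parent_id = parent_obj.get_values(context.elevated(), res_id, id=parent_id)[0]` sits outside the `try/except IndexError` that guards the `project_id` lookup, so a tag request for a subnet ID that does not exist raises an uncaught IndexError instead of returning `EMPTY_RESOURCE_INFO`. Starting the `try:` before the `isinstance(parent_obj, tuple)` branch would cover both lookups. When `EMPTY_RESOURCE_INFO` is returned, every handler still formats the rule name from `rinfo.parent_type`, giving `get_None_tags` (and the update/delete equivalents) with a target whose ids are all None; how `policy.enforce` treats an unregistered rule is not visible here, so an explicit guard such as `if rinfo.parent_type is None: raise webob.exc.HTTPNotFound()` before enforcing would make the not-found path deliberate. `PARENTS[parent_type]` will also raise KeyError for any entry of `TAG_SUPPORTED_RESOURCES` (defined outside the hunk) that has no counterpart in `PARENTS`, so the two tables should be checked against each other.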
@@ -1,3 +1,37 @@ # openstack-neutron -openstack服务只在openEuler LTS版本发布,Spec源码请参考其他Multi-Version分支。 \ No newline at end of file +#### 介绍 +Neutron is an OpenStack project to provide "network connectivity as a service" between interface devices (e.g., vNICs) managed by other OpenStack services + +#### 软件架构 +软件架构说明 + + +#### 安装教程 + +1. xxxx +2. xxxx +3. xxxx + +#### 使用说明 + +1. xxxx +2. xxxx +3. xxxx + +#### 参与贡献 + +1. Fork 本仓库 +2. 新建 Feat_xxx 分支 +3. 提交代码 +4. 新建 Pull Request + + +#### 特技 + +1. 使用 Readme\_XXX.md 来支持不同的语言,例如 Readme\_en.md, Readme\_zh.md +2. Gitee 官方博客 [blog.gitee.com](https://blog.gitee.com) +3. 你可以 [https://gitee.com/explore](https://gitee.com/explore) 这个地址来了解 Gitee 上的优秀开源项目 +4. [GVP](https://gitee.com/gvp) 全称是 Gitee 最有价值开源项目,是综合评定出的优秀开源项目 +5. Gitee 官方提供的使用手册 [https://gitee.com/help](https://gitee.com/help) +6. Gitee 封面人物是一档用来展示 Gitee 会员风采的栏目 [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/) diff --git a/conf.README b/conf.README new file mode 100644 index 0000000000000000000000000000000000000000..ee8799767cdf17ba1842f5ef2be15a026ba1cd63 --- /dev/null +++ b/conf.README @@ -0,0 +1,9 @@ +This directory can be used to configure Neutron services with custom +user-defined configuration files. To use the facility, just drop a file (or a +symlink) that has .conf file name extension into an appropriate directory to +make a service read it during initialization. 'common' directory is read by all +Neutron services. + +Note that user-defined configuration files override any configuration values +defined in other files read by services. Service specific configuration +directories beat common one. diff --git a/neutron-22.1.0.tar.gz b/neutron-22.1.0.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..9d348cae9e834d4a7179146e7c912233ac5cdfc7 Binary files /dev/null and b/neutron-22.1.0.tar.gz differ 
diff --git a/neutron-destroy-patch-ports.service b/neutron-destroy-patch-ports.service
new file mode 100644
index 0000000000000000000000000000000000000000..130601e17252d348b4b72800bf584afe94e55468
--- /dev/null
+++ b/neutron-destroy-patch-ports.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=OpenStack Neutron Destroy Patch Ports
+After=syslog.target network.target openvswitch.service
+Before=neutron-openvswitch-agent.service
+
+[Service]
+Type=oneshot
+User=neutron
+ExecStart=/usr/bin/python -m neutron.cmd.destroy_patch_ports --config-file /usr/share/neutron/neutron-dist.conf --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/openvswitch_agent.ini --config-dir /etc/neutron/conf.d/common --config-dir /etc/neutron/conf.d/neutron-openvswitch-agent
+PrivateTmp=false
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/neutron-dhcp-agent.service b/neutron-dhcp-agent.service
new file mode 100644
index 0000000000000000000000000000000000000000..a407f5686c62ee723533e0ace14505081582a757
--- /dev/null
+++ b/neutron-dhcp-agent.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=OpenStack Neutron DHCP Agent
+After=syslog.target network.target
+
+[Service]
+Type=simple
+User=neutron
+ExecStart=/usr/bin/neutron-dhcp-agent --config-file /usr/share/neutron/neutron-dist.conf --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/dhcp_agent.ini --config-dir /etc/neutron/conf.d/common --config-dir /etc/neutron/conf.d/neutron-dhcp-agent --log-file /var/log/neutron/dhcp-agent.log
+PrivateTmp=false
+KillMode=process
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
diff --git a/neutron-dist.conf b/neutron-dist.conf
new file mode 100644
index 0000000000000000000000000000000000000000..0637f10918f1290993573f0357322b4b657c4795
--- /dev/null
+++ b/neutron-dist.conf
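Review bot: `ExecStart=/usr/bin/python -m neutron.cmd.destroy_patch_ports` in neutron-destroy-patch-ports.service depends on an unversioned interpreter, while the spec in this same commit builds against python3-devel; if `/usr/bin/python` is absent or resolves to a different interpreter, the oneshot will fail to start. `ExecStart=/usr/bin/python3 -m neutron.cmd.destroy_patch_ports …` would pin it. Unlike the other units in this commit, this one passes no `--log-file`, so its output is not written under /var/log/neutron; a one-line comment in the unit would confirm that is intended.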
@@ -0,0 +1,10 @@
+[DEFAULT]
+verbose = True
+lock_path = $state_path/lock
+allow_overlapping_ips = True
+use_stderr = False
+api_paste_config = /usr/share/neutron/api-paste.ini
+
+[agent]
+root_helper = sudo neutron-rootwrap /etc/neutron/rootwrap.conf
+root_helper_daemon = sudo neutron-rootwrap-daemon /etc/neutron/rootwrap.conf
diff --git a/neutron-enable-bridge-firewall.sh b/neutron-enable-bridge-firewall.sh
new file mode 100755
index 0000000000000000000000000000000000000000..ae7a141cd3ab85c4bb388a1df843db9924f3a102
--- /dev/null
+++ b/neutron-enable-bridge-firewall.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# This script is triggered on every ovs/linuxbridge agent start. Its intent is
+# to make sure the firewall for bridged traffic is enabled before we start an
+# agent that may atttempt to set firewall rules on a bridge (a common thing for
+# linuxbridge and ovs/hybrid backend setup).
+
+# before enabling the firewall, load the relevant module
+/usr/sbin/modprobe bridge
+
+# on newer kernels (3.18+), sysctl knobs are split into a separate module;
+# attempt to load it, but don't fail if it's missing (f.e. when running against
+# an older kernel version)
+/usr/sbin/modprobe br_netfilter 2>> /dev/null || :
+
+# now enable the firewall in case it's disabled (f.e. rhel 7.2 and earlier)
+for proto in ip ip6; do
+ /usr/sbin/sysctl -w net.bridge.bridge-nf-call-${proto}tables=1
+done
diff --git a/neutron-l2-agent-sysctl.conf b/neutron-l2-agent-sysctl.conf
new file mode 100644
index 0000000000000000000000000000000000000000..6692625100a0a3bef426ba8d65e72ee67130e1c9
--- /dev/null
+++ b/neutron-l2-agent-sysctl.conf
@@ -0,0 +1,2 @@
+net.bridge.bridge-nf-call-ip6tables = 1
+net.bridge.bridge-nf-call-iptables = 1
diff --git a/neutron-l2-agent.modules b/neutron-l2-agent.modules
new file mode 100755
index 0000000000000000000000000000000000000000..3e64115a6cbefe561a16828fbe3705a5198e5fc7
--- /dev/null
+++ b/neutron-l2-agent.modules
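Review bot: The final loop in neutron-enable-bridge-firewall.sh does not check `sysctl -w`, and the script's exit status is that of the last iteration only, so a failure to set `net.bridge.bridge-nf-call-iptables` is masked whenever the ip6tables write succeeds. The agent units in this commit run the script as `ExecStartPre`, and its own header says it exists to make sure bridged traffic is filtered before the agent starts, so a failed write should stop the start rather than pass silently: `/usr/sbin/sysctl -w net.bridge.bridge-nf-call-${proto}tables=1 || exit 1`. `/usr/sbin/modprobe bridge` is likewise unchecked, in contrast to the deliberately tolerant `br_netfilter` line below it, and deserves either a check or a comment saying the failure is acceptable.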
@@ -0,0 +1,4 @@
+#!/bin/sh
+/sbin/modprobe -b bridge >/dev/null 2>&1
+/sbin/modprobe -b br_netfilter >/dev/null 2>&1
+exit 0
diff --git a/neutron-l3-agent.service b/neutron-l3-agent.service
new file mode 100644
index 0000000000000000000000000000000000000000..469d3ce17c48c7da36cc1ba6b299c4fe082958a6
--- /dev/null
+++ b/neutron-l3-agent.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=OpenStack Neutron Layer 3 Agent
+After=syslog.target network.target
+
+[Service]
+Type=simple
+User=neutron
+ExecStart=/usr/bin/neutron-l3-agent --config-file /usr/share/neutron/neutron-dist.conf --config-dir /usr/share/neutron/l3_agent --config-file /etc/neutron/neutron.conf --config-dir /etc/neutron/conf.d/common --config-dir /etc/neutron/conf.d/neutron-l3-agent --log-file /var/log/neutron/l3-agent.log
+PrivateTmp=false
+KillMode=process
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
diff --git a/neutron-linuxbridge-agent.service b/neutron-linuxbridge-agent.service
new file mode 100644
index 0000000000000000000000000000000000000000..bbd73f3dd241d0cd76494055e0e68b37ee9d0ef2
--- /dev/null
+++ b/neutron-linuxbridge-agent.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=OpenStack Neutron Linux Bridge Agent
+After=syslog.target network.target
+
+[Service]
+Type=simple
+User=neutron
+PermissionsStartOnly=true
+ExecStartPre=/usr/bin/neutron-enable-bridge-firewall.sh
+ExecStart=/usr/bin/neutron-linuxbridge-agent --config-file /usr/share/neutron/neutron-dist.conf --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/linuxbridge_agent.ini --config-dir /etc/neutron/conf.d/common --config-dir /etc/neutron/conf.d/neutron-linuxbridge-agent --log-file /var/log/neutron/linuxbridge-agent.log
+PrivateTmp=true
+KillMode=process
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
diff --git a/neutron-linuxbridge-cleanup.service b/neutron-linuxbridge-cleanup.service
new file mode 100644
index 0000000000000000000000000000000000000000..579d901e7f0d02b8853385e7a008e06600b83956
--- /dev/null
+++ b/neutron-linuxbridge-cleanup.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=OpenStack Neutron Linux Bridge Cleanup Utility
+After=syslog.target network.target
+Before=neutron-linuxbridge-agent.service neutron-dhcp-agent.service neutron-l3-agent.service openstack-nova-compute.service
+
+[Service]
+Type=oneshot
+User=neutron
+ExecStart=/usr/bin/neutron-linuxbridge-cleanup --config-file /usr/share/neutron/neutron-dist.conf --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/linuxbridge_agent.ini --config-dir /etc/neutron/conf.d/common --config-dir /etc/neutron/conf.d/neutron-linuxbridge-cleanup --log-file /var/log/neutron/linuxbridge-cleanup.log
+ExecStop=/usr/bin/neutron-linuxbridge-cleanup --config-file /usr/share/neutron/neutron-dist.conf --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/linuxbridge_agent.ini --config-dir /etc/neutron/conf.d/common --config-dir /etc/neutron/conf.d/neutron-linuxbridge-cleanup --log-file /var/log/neutron/linuxbridge-cleanup.log
+PrivateTmp=true
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/neutron-macvtap-agent.service b/neutron-macvtap-agent.service
new file mode 100644
index 0000000000000000000000000000000000000000..ba7e4010b41ea853c182d9a29e4416dc04e15787
--- /dev/null
+++ b/neutron-macvtap-agent.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=OpenStack Neutron macvtap L2 agent
+After=syslog.target
+
+[Service]
+Type=simple
+User=neutron
+ExecStart=/usr/bin/neutron-macvtap-agent --config-file /usr/share/neutron/neutron-dist.conf --config-file /etc/neutron/neutron.conf --config-dir /etc/neutron/conf.d/common --config-dir /etc/neutron/conf.d/neutron-macvtap-agent --log-file /var/log/neutron/macvtap-agent.log
+PrivateTmp=true
+KillMode=process
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
diff --git a/neutron-metadata-agent.service b/neutron-metadata-agent.service
new file mode 100644
index 0000000000000000000000000000000000000000..62a3106ce71631c21d3b05cf4cc6d8f8ccd0063d
--- /dev/null
+++ b/neutron-metadata-agent.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=OpenStack Neutron Metadata Agent
+After=syslog.target network.target
+
+[Service]
+Type=simple
+User=neutron
+ExecStart=/usr/bin/neutron-metadata-agent --config-file /usr/share/neutron/neutron-dist.conf --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/metadata_agent.ini --config-dir /etc/neutron/conf.d/common --config-dir /etc/neutron/conf.d/neutron-metadata-agent --log-file /var/log/neutron/metadata-agent.log
+PrivateTmp=false
+KillMode=process
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
diff --git a/neutron-metering-agent.service b/neutron-metering-agent.service
new file mode 100644
index 0000000000000000000000000000000000000000..618b341c2af615b7ae2bcefd9c5aff628fbad0e1
--- /dev/null
+++ b/neutron-metering-agent.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=OpenStack Neutron Metering Agent
+After=syslog.target network.target
+
+[Service]
+Type=simple
+User=neutron
+ExecStart=/usr/bin/neutron-metering-agent --config-file /usr/share/neutron/neutron-dist.conf --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/metering_agent.ini --config-dir /etc/neutron/conf.d/common --config-dir /etc/neutron/conf.d/neutron-metering-agent --log-file /var/log/neutron/metering-agent.log
+PrivateTmp=false
+KillMode=process
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
diff --git a/neutron-netns-cleanup.service b/neutron-netns-cleanup.service
new file mode 100644
index 0000000000000000000000000000000000000000..7a730e4b741cd25f5dc8e05efa2eadbd69c309f4
--- /dev/null
+++ b/neutron-netns-cleanup.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=OpenStack Neutron Netns Cleanup Utility
+After=syslog.target network.target openvswitch.service
+Before=neutron-openvswitch-agent.service neutron-dhcp-agent.service neutron-l3-agent.service openstack-nova-compute.service
+
+[Service]
+Type=oneshot
+User=neutron
+ExecStart=/usr/bin/neutron-netns-cleanup --config-file /usr/share/neutron/neutron-dist.conf --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/dhcp_agent.ini --config-dir /etc/neutron/conf.d/common --config-dir /etc/neutron/conf.d/neutron-netns-cleanup --log-file /var/log/neutron/netns-cleanup.log
+ExecStop=/usr/bin/neutron-netns-cleanup --config-file /usr/share/neutron/neutron-dist.conf --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/dhcp_agent.ini --config-dir /etc/neutron/conf.d/common --config-dir /etc/neutron/conf.d/neutron-netns-cleanup --log-file /var/log/neutron/netns-cleanup.log --force
+PrivateTmp=false
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/neutron-openvswitch-agent.service b/neutron-openvswitch-agent.service
new file mode 100644
index 0000000000000000000000000000000000000000..25b10c2477c37660b4364772f6930807716a9696
--- /dev/null
+++ b/neutron-openvswitch-agent.service
@@ -0,0 +1,18 @@
+[Unit]
+Description=OpenStack Neutron Open vSwitch Agent
+After=syslog.target network.target network.service openvswitch.service
+PartOf=network.service
+Requires=openvswitch.service
+
+[Service]
+Type=simple
+User=neutron
+PermissionsStartOnly=true
+ExecStartPre=/usr/bin/neutron-enable-bridge-firewall.sh
+ExecStart=/usr/bin/neutron-openvswitch-agent --config-file /usr/share/neutron/neutron-dist.conf --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/openvswitch_agent.ini --config-dir /etc/neutron/conf.d/common --config-dir /etc/neutron/conf.d/neutron-openvswitch-agent --log-file /var/log/neutron/openvswitch-agent.log
+PrivateTmp=true
+KillMode=process
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
diff --git a/neutron-ovn-metadata-agent.service b/neutron-ovn-metadata-agent.service
new file mode 100644
index 0000000000000000000000000000000000000000..51907558a0e3ec6b5b9e44074c804515a3b2915e
--- /dev/null
+++ b/neutron-ovn-metadata-agent.service
@@ -0,0 +1,18 @@
+[Unit]
+Description=OpenStack Neutron OVN Metadata Agent
+After=syslog.target network.target openvswitch.service
+Requires=openvswitch.service
+
+[Service]
+Type=simple
+User=neutron
+PermissionsStartOnly=true
+ExecStart=/usr/bin/neutron-ovn-metadata-agent --config-file /etc/neutron/neutron_ovn_metadata_agent.ini --config-dir /etc/neutron/conf.d/neutron-ovn-metadata-agent --log-file /var/log/neutron/neutron-ovn-metadata-agent.log
+PrivateTmp=false
+KillMode=process
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
+# (TODO) - Backwards compatibility in systemd service
+Alias=networking-ovn-metadata-agent
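Review bot: `Alias=networking-ovn-metadata-agent` in neutron-ovn-metadata-agent.service has no unit suffix; systemd requires alias names to carry the same suffix as the unit they belong to, so enabling the unit will not create the compatibility name the TODO comment is after. It should read `Alias=networking-ovn-metadata-agent.service`. `PermissionsStartOnly=true` has no effect in this unit, because there is no `ExecStartPre`, `ExecStartPost` or `ExecStop` line for it to exempt from `User=neutron`, and can be dropped.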
diff --git a/neutron-ovs-cleanup.service b/neutron-ovs-cleanup.service
new file mode 100644
index 0000000000000000000000000000000000000000..82bfa1a2d3340bfcd34c4f8af16db0f542bb3fed
--- /dev/null
+++ b/neutron-ovs-cleanup.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=OpenStack Neutron Open vSwitch Cleanup Utility
+After=syslog.target network.target openvswitch.service
+Before=neutron-openvswitch-agent.service neutron-dhcp-agent.service neutron-l3-agent.service openstack-nova-compute.service
+
+[Service]
+Type=oneshot
+User=neutron
+ExecStart=/usr/bin/neutron-ovs-cleanup --config-file /usr/share/neutron/neutron-dist.conf --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/openvswitch_agent.ini --config-dir /etc/neutron/conf.d/common --config-dir /etc/neutron/conf.d/neutron-ovs-cleanup --log-file /var/log/neutron/ovs-cleanup.log
+ExecStop=/usr/bin/neutron-ovs-cleanup --config-file /usr/share/neutron/neutron-dist.conf --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/openvswitch_agent.ini --config-dir /etc/neutron/conf.d/common --config-dir /etc/neutron/conf.d/neutron-ovs-cleanup --log-file /var/log/neutron/ovs-cleanup.log
+PrivateTmp=true
+RemainAfterExit=yes
+TimeoutSec=0
+
+[Install]
+WantedBy=multi-user.target
diff --git a/neutron-rpc-server.service b/neutron-rpc-server.service
new file mode 100644
index 0000000000000000000000000000000000000000..6aca43298f51d94d92cd59a36d63556ae689c06d
--- /dev/null
+++ b/neutron-rpc-server.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=OpenStack Neutron (RPC only) Server
+After=syslog.target network.target
+
+[Service]
+Type=notify
+User=neutron
+ExecStart=/usr/bin/neutron-rpc-server --config-file /usr/share/neutron/neutron-dist.conf --config-dir /usr/share/neutron/server --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugin.ini --config-dir /etc/neutron/conf.d/common --config-dir /etc/neutron/conf.d/neutron-rpc-server --log-file /var/log/neutron/rpc-server.log
+PrivateTmp=true
+NotifyAccess=all
+KillMode=process
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
diff --git a/neutron-server.service b/neutron-server.service
new file mode 100644
index 0000000000000000000000000000000000000000..e68024cb9dc06e474b1ac9473bff93c3d892b4d6
--- /dev/null
+++ b/neutron-server.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=OpenStack Neutron Server
+After=syslog.target network.target
+
+[Service]
+Type=notify
+User=neutron
+ExecStart=/usr/bin/neutron-server --config-file /usr/share/neutron/neutron-dist.conf --config-dir /usr/share/neutron/server --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugin.ini --config-dir /etc/neutron/conf.d/common --config-dir /etc/neutron/conf.d/neutron-server --log-file /var/log/neutron/server.log
+PrivateTmp=true
+NotifyAccess=all
+KillMode=process
+Restart=on-failure
+TimeoutStartSec=0
+
+[Install]
+WantedBy=multi-user.target
diff --git a/neutron-sriov-nic-agent.service b/neutron-sriov-nic-agent.service
new file mode 100644
index 0000000000000000000000000000000000000000..8233cbfa0985937c7b76bf66470c5861a461b74f
--- /dev/null
+++ b/neutron-sriov-nic-agent.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=OpenStack Neutron SR-IOV NIC Agent
+After=syslog.target network.target
+
+[Service]
+Type=simple
+User=neutron
+ExecStart=/usr/bin/neutron-sriov-nic-agent --config-file /usr/share/neutron/neutron-dist.conf --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/sriov_agent.ini --config-dir /etc/neutron/conf.d/common --config-dir /etc/neutron/conf.d/neutron-sriov-nic-agent --log-file /var/log/neutron/sriov-nic-agent.log
+PrivateTmp=false
+KillMode=process
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
diff --git a/neutron-sudoers b/neutron-sudoers
new file mode 100644
index 0000000000000000000000000000000000000000..9273f587bf395ea71557eb93f845d571b976259d
--- /dev/null
+++ b/neutron-sudoers
@@ -0,0 +1,4 @@
+Defaults:neutron !requiretty
+
+neutron ALL = (root) NOPASSWD: /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *
+neutron ALL = (root) NOPASSWD: /usr/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf
diff --git a/neutron.logrotate b/neutron.logrotate
new file mode 100644
index 0000000000000000000000000000000000000000..fc1c70b2488bad56a85407e0c709753ca4ea5629
--- /dev/null
+++ b/neutron.logrotate
@@ -0,0 +1,7 @@
+/var/log/neutron/*.log {
+ rotate 14
+ size 10M
+ missingok
+ compress
+ copytruncate
+}
diff --git a/openstack-neutron.spec b/openstack-neutron.spec
new file mode 100644
index 0000000000000000000000000000000000000000..a1d8e62a2c10f792f8b933879e0acb6fb8bc939a
--- /dev/null
+++ b/openstack-neutron.spec
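Review bot: The first rule in neutron-sudoers ends in `*`, so the neutron account can run `neutron-rootwrap /etc/neutron/rootwrap.conf` as root with any arguments, and what that amounts to is decided entirely by rootwrap.conf and the filter directories it names. Nothing in the visible part of this commit shows how those files are installed; they need to be root-owned and not writable by the neutron user or group, and this file itself should be installed mode 0440 and validated with `visudo -cf` at build time. A comment above the rule stating that dependency would help, e.g. `# Safe only while /etc/neutron/rootwrap.conf and its filters_path are root-owned and read-only to neutron`.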
@@ -0,0 +1,866 @@ +%{!?upstream_version: %global upstream_version %{version}%{?milestone}} +%global service neutron + +%define cleanup_orphan_rootwrap_daemons() \ +for pid in $(ps -f --ppid 1 | awk '/.*neutron-rootwrap-daemon/ { print $2 }'); do \ + kill $(ps --ppid $pid -o pid=) \ +done \ +%nil + +%global common_desc \ +Neutron is a virtual network service for Openstack. Just like \ +OpenStack Nova provides an API to dynamically request and configure \ +virtual servers, Neutron provides an API to dynamically request and \ +configure virtual networks. These networks connect "interfaces" from \ +other OpenStack services (e.g., virtual NICs from Nova VMs). The \ +Neutron API supports extensions to provide advanced network \ +capabilities (e.g., QoS, ACLs, network monitoring, etc.) + +Name: openstack-%{service} +Version: 22.1.0 +Release: 2 +Summary: OpenStack Networking Service + +License: ASL 2.0 +URL: http://launchpad.net/%{service}/ + +Source0: https://tarballs.openstack.org/%{service}/%{service}-%{upstream_version}.tar.gz + +Source1: %{service}.logrotate +Source2: %{service}-sudoers +Source10: neutron-server.service +Source11: neutron-linuxbridge-agent.service +Source12: neutron-openvswitch-agent.service +Source15: neutron-dhcp-agent.service +Source16: neutron-l3-agent.service +Source17: neutron-metadata-agent.service +Source18: neutron-ovs-cleanup.service +Source19: neutron-macvtap-agent.service +Source20: neutron-metering-agent.service +Source21: neutron-sriov-nic-agent.service +Source22: neutron-netns-cleanup.service +Source29: neutron-rpc-server.service + +Source30: %{service}-dist.conf +Source31: conf.README +Source32: neutron-linuxbridge-cleanup.service +Source33: neutron-enable-bridge-firewall.sh +Source34: neutron-l2-agent-sysctl.conf +# We use the legacy service to load modules because it allows to gracefully +# ignore a missing kernel module (f.e. br_netfilter on earlier kernels). It's +# essentially because .modules files are shell scripts. 
+Source35: neutron-l2-agent.modules +Source36: neutron-destroy-patch-ports.service +Source37: neutron-ovn-metadata-agent.service +Patch1: CVE-2024-53916-Fix-the-tagging-policy-engine.patch +# Required for tarball sources verification + +BuildArch: noarch + +BuildRequires: git-core +BuildRequires: openstack-macros +BuildRequires: python3-devel +BuildRequires: python3-babel +BuildRequires: python3-keystoneauth1 >= 3.14.0 +BuildRequires: python3-keystonemiddleware +BuildRequires: python3-neutron-lib +BuildRequires: python3-novaclient +BuildRequires: python3-oslo-cache +BuildRequires: python3-oslo-concurrency +BuildRequires: python3-oslo-config +BuildRequires: python3-oslo-db +BuildRequires: python3-oslo-log +BuildRequires: python3-oslo-messaging +BuildRequires: python3-oslo-policy +BuildRequires: python3-oslo-privsep +BuildRequires: python3-oslo-rootwrap +BuildRequires: python3-oslo-service +BuildRequires: python3-oslo-upgradecheck +BuildRequires: python3-oslo-versionedobjects +BuildRequires: python3-osprofiler >= 1.3.0 +BuildRequires: python3-ovsdbapp +BuildRequires: python3-pbr >= 4.0.0 +BuildRequires: python3-psutil >= 3.2.2 +BuildRequires: python3-pyroute2 >= 0.5.13 +BuildRequires: python3-pecan >= 1.3.2 +BuildRequires: python3-tenacity >= 4.4.0 +BuildRequires: python3-os-vif +BuildRequires: systemd + + +Requires: openstack-%{service}-common = %{version}-%{release} + +# dnsmasq is not a hard requirement, but is currently the only option +# when neutron-dhcp-agent is deployed. +Requires: dnsmasq >= 2.76 +Requires: dnsmasq-utils >= 2.76 + +# radvd is not a hard requirement, but is currently the only option +# for IPv6 deployments. +Requires: radvd + +# dibbler is not a hard requirement, but is currently the default option +# for IPv6 prefix delegation. 
+Requires: dibbler-client + +# conntrack is not a hard requirement, but is currently used by L3 agent +# to immediately drop connections after a floating IP is disassociated +Requires: conntrack-tools + +# keepalived is not a hard requirement, but is currently used by DVR L3 +# agent +Requires: keepalived + +# haproxy implements metadata proxy process +Requires: haproxy >= 1.5.0 + +# Those are not hard requirements, ipset is used by ipset-cleanup in the subpackage, +# iptables is used by the l3-agent which currently is not in a separate package, +# iputils provides tools like arping which are used by l3-agent and iproute-tc +# (or iproute in case of CentOS 7 and RHEL 7), provides tc binary which is +# used by e.g. l3-agent and openvswitch-agent when QoS extension is enabled +# in agent's config. +Requires: ipset +Requires: iptables +Requires: iputils +Requires: iproute-tc + + +%{?systemd_ordering} + + + +%description +%{common_desc} + + +%package -n python3-%{service} +Summary: Neutron Python libraries +%{?python_provide:%python_provide python3-%{service}} +Requires: python3-alembic >= 0.9.6 +Requires: python3-debtcollector >= 1.19.0 +Requires: python3-designateclient >= 2.7.0 +Requires: python3-eventlet >= 0.22.1 +Requires: python3-greenlet >= 0.4.10 +Requires: python3-futurist >= 1.2.0 +Requires: python3-jinja2 >= 2.10 +Requires: python3-keystoneauth1 >= 3.14.0 +Requires: python3-keystonemiddleware >= 5.1.0 +Requires: python3-netaddr >= 0.7.18 +Requires: python3-neutronclient >= 6.7.0 +Requires: python3-neutron-lib >= 2.9.0 +Requires: python3-novaclient >= 9.1.0 +Requires: python3-os-vif >= 1.15.1 +Requires: python3-oslo-cache >= 1.26.0 +Requires: python3-oslo-concurrency >= 3.26.0 +Requires: python3-oslo-config >= 8.0.0 +Requires: python3-oslo-context >= 2.22.0 +Requires: python3-oslo-db >= 4.44.0 +Requires: python3-oslo-i18n >= 3.20.0 +Requires: python3-oslo-log >= 4.3.0 +Requires: python3-oslo-messaging >= 7.0.0 +Requires: python3-oslo-middleware >= 3.31.0 
+Requires: python3-oslo-policy >= 3.6.2 +Requires: python3-oslo-privsep >= 2.3.0 +Requires: python3-oslo-reports >= 1.18.0 +Requires: python3-oslo-rootwrap >= 5.8.0 +Requires: python3-oslo-serialization >= 2.25.0 +Requires: python3-oslo-service >= 1.31.0 +Requires: python3-oslo-upgradecheck >= 1.3.0 +Requires: python3-oslo-utils >= 4.5.0 +Requires: python3-oslo-versionedobjects >= 1.35.1 +Requires: python3-osprofiler >= 2.3.0 +Requires: python3-ovsdbapp >= 1.7.0 +Requires: python3-pecan >= 1.3.2 +Requires: python3-pbr >= 4.0.0 +Requires: python3-psutil >= 5.3.0 +Requires: python3-pyroute2 >= 0.5.13 +Requires: python3-requests >= 2.18.0 +Requires: python3-tenacity >= 6.0.0 +Requires: python3-routes >= 2.3.1 +Requires: python3-os-ken >= 0.3.0 +Requires: python3-sqlalchemy >= 1.2.0 +Requires: python3-stevedore >= 1.20.0 +Requires: python3-tooz >= 1.58.0 +Requires: python3-webob >= 1.8.2 +Requires: python3-openstacksdk >= 0.31.2 +Requires: python3-pyOpenSSL >= 17.1.0 +Requires: python3-packaging >= 20.4 + +Requires: python3-httplib2 >= 0.9.1 +Requires: python3-netifaces >= 0.10.4 +Requires: python3-paste >= 2.0.2 +Requires: python3-paste-deploy >= 1.5.0 +Requires: python3-decorator >= 3.4.0 + +Provides: python3-networking-ovn = %{version}-%{release} + + +%description -n python3-%{service} +%{common_desc} + +This package contains the Neutron Python library. 
+ + +%package -n python3-%{service}-tests +Summary: Neutron tests +%{?python_provide:%python_provide python3-%{service}-tests} +Requires: python3-%{service} = %{version}-%{release} +Requires: python3-ddt >= 1.0.1 +Requires: python3-fixtures >= 3.0.0 +Requires: python3-mock >= 2.0 +Requires: python3-subunit >= 0.0.18 +Requires: python3-testrepository >= 0.0.18 +Requires: python3-testtools >= 1.4.0 +Requires: python3-testresources >= 0.2.4 +Requires: python3-testscenarios >= 0.4 +Requires: python3-oslotest >= 1.10.0 +Requires: python3-os-testr >= 0.7.0 +Requires: python3-PyMySQL >= 0.6.2 +Requires: python3-tempest >= 12.1.0 + +Requires: python3-webtest >= 2.0 + + +# pstree is used during functional testing to ensure our internal +# libraries managing processes work correctly. +Requires: psmisc +# nfs-utils is needed because it creates user with uid 65534 which +# is required by neutron functional tests. +Requires: nfs-utils + + +%description -n python3-%{service}-tests +%{common_desc} + +This package contains Neutron test files. + + +%package common +Summary: Neutron common files +Requires(pre): shadow-utils +Requires: python3-%{service} = %{version}-%{release} +Requires: sudo + + +%description common +%{common_desc} + +This package contains Neutron common files. + + +%package linuxbridge +Summary: Neutron Linuxbridge agent +Requires: ebtables +Requires: ipset +Requires: iproute +Requires: iptables +Requires: conntrack-tools +# kmod is needed to get access to /usr/sbin/modprobe needed by +# neutron-enable-bridge-firewall.sh triggered by the service unit file +Requires: kmod +Requires: openstack-%{service}-common = %{version}-%{release} + + +%description linuxbridge +%{common_desc} + +This package contains the Neutron agent that implements virtual +networks using VLAN or VXLAN using Linuxbridge technology. 
+ + +%package macvtap-agent +Summary: Neutron macvtap agent +Requires: openstack-%{service}-common = %{version}-%{release} + + +%description macvtap-agent +%{common_desc} + +This package contains the Neutron agent that implements +macvtap attachments for libvirt qemu/kvm instances. + + +%package ml2 +Summary: Neutron ML2 plugin +Requires: openstack-%{service}-common = %{version}-%{release} +# needed for brocade and cisco drivers +#(TODO) ncclient is not in reuirement projects so it should be requirement in neutron +# plugin packages, not in main neutron. Remove this lines completely if everythin keeps +# working. +#Requires: python3-ncclient + + +%description ml2 +%{common_desc} + +This package contains a Neutron plugin that allows the use of drivers +to support separately extensible sets of network types and the mechanisms +for accessing those types. + + +%package openvswitch +Summary: Neutron openvswitch plugin +Requires: openstack-%{service}-common = %{version}-%{release} +# We require openvswitch when using vsctl to access ovsdb; +# but if we use native access, then we just need python bindings. +# since we don't know what users actually use, we depend on both. +Requires: ipset +Requires: iptables +Requires: openvswitch +Requires: python3-openvswitch >= 2.10.0 +# kmod is needed to get access to /usr/sbin/modprobe needed by +# neutron-enable-bridge-firewall.sh triggered by the service unit file +Requires: kmod + + +%description openvswitch +%{common_desc} + +This package contains the Neutron plugin that implements virtual +networks using Open vSwitch. + + +%package metering-agent +Summary: Neutron bandwidth metering agent +Requires: iptables +Requires: openstack-%{service}-common = %{version}-%{release} + + +%description metering-agent +%{common_desc} + +This package contains the Neutron agent responsible for generating bandwidth +utilization notifications. 
+ + +%package rpc-server +Summary: Neutron (RPC only) Server +Requires: openstack-%{service}-common = %{version}-%{release} + + +%description rpc-server +%{common_desc} + +This package contains an alternative Neutron server that handles AMQP RPC +workload only. + + +%package sriov-nic-agent +Summary: Neutron SR-IOV NIC agent +Requires: openstack-%{service}-common = %{version}-%{release} + + +%description sriov-nic-agent +%{common_desc} + +This package contains the Neutron agent to support advanced features of +SR-IOV network cards. + + +%package ovn-metadata-agent +Summary: OVN metadata agent +BuildRequires: systemd +Requires: python3-%{service} = %{version}-%{release} +Requires: openvswitch >= 2.10.0 +Provides: python3-networking-ovn-metadata-agent = %{version}-%{release} +%{?systemd_requires} + +%description ovn-metadata-agent +OVN provides virtual networking for Open vSwitch and is a component of the +Open vSwitch project. + +This package contains the agent that implements the metadata proxy so that VM's +can retrieve metadata from OpenStack Nova. + +%package ovn-migration-tool +Summary: networking-ovn ML2/OVS to OVN migration tool +Requires: python3-%{service} = %{version}-%{release} +Provides: python3-networking-ovn-migration-tool = %{version}-%{release} + +%description ovn-migration-tool + +This package provides the necessary tools to update an existing ML2/OVS +OpenStack to OVN based backend. 
+ + +%prep +%autosetup -n %{service}-%{upstream_version} -S git +sed -i 's/\/usr\/bin\/python/\/usr\/bin\/python3/' %{SOURCE36} + +find %{service} -name \*.py -exec sed -i '/\/usr\/bin\/env python/{d;q}' {} + + +# Let's handle dependencies ourseleves +%py_req_cleanup + +# Kill egg-info in order to generate new SOURCES.txt +rm -rf neutron.egg-info + + +%build +export SKIP_PIP_INSTALL=1 +%{py3_build} +# Generate i18n files +# (amoralej) we can remove '-D neutron' once https://review.openstack.org/#/c/485070/ is merged +%{__python3} setup.py compile_catalog -d build/lib/%{service}/locale -D neutron + +# Generate configuration files +PYTHONPATH=. +for file in `ls etc/oslo-config-generator/*`; do + oslo-config-generator --config-file=$file +done + +find etc -name *.sample | while read filename +do + filedir=$(dirname $filename) + file=$(basename $filename .sample) + mv ${filename} ${filedir}/${file} +done + +# Loop through values in neutron-dist.conf and make sure that the values +# are substituted into the neutron.conf as comments. Some of these values +# will have been uncommented as a way of upstream setting defaults outside +# of the code. For notification_driver, there are commented examples +# above uncommented settings, so this specifically skips those comments +# and instead comments out the actual settings and substitutes the +# correct default values. +while read name eq value; do + test "$name" && test "$value" || continue + if [ "$name" = "notification_driver" ]; then + sed -ri "0,/^$name *=/{s!^$name *=.*!# $name = $value!}" etc/%{service}.conf + else + sed -ri "0,/^(#)? *$name *=/{s!^(#)? 
*$name *=.*!# $name = $value!}" etc/%{service}.conf + fi +done < %{SOURCE30} + +%install +%{py3_install} + +# Remove unused files +rm -rf %{buildroot}%{python3_sitelib}/bin +rm -rf %{buildroot}%{python3_sitelib}/doc +rm -rf %{buildroot}%{python3_sitelib}/tools + +# Move rootwrap files to proper location +install -d -m 755 %{buildroot}%{_datarootdir}/%{service}/rootwrap +mv %{buildroot}/usr/etc/%{service}/rootwrap.d/*.filters %{buildroot}%{_datarootdir}/%{service}/rootwrap + +# Move config files to proper location +install -d -m 755 %{buildroot}%{_sysconfdir}/%{service} +mv %{buildroot}/usr/etc/%{service}/* %{buildroot}%{_sysconfdir}/%{service} +mv %{buildroot}%{_sysconfdir}/%{service}/api-paste.ini %{buildroot}%{_datadir}/%{service}/api-paste.ini + +# The generated config files are not moved automatically by setup.py +install -d -m 755 %{buildroot}%{_sysconfdir}/%{service}/plugins/ml2 + +mv etc/%{service}.conf %{buildroot}%{_sysconfdir}/%{service}/%{service}.conf +mv etc/neutron/ovn.ini %{buildroot}%{_sysconfdir}/%{service}/ovn.ini +for agent in dhcp l3 metadata metering neutron_ovn_metadata +do + mv etc/${agent}_agent.ini %{buildroot}%{_sysconfdir}/%{service}/${agent}_agent.ini +done +for file in linuxbridge_agent ml2_conf openvswitch_agent sriov_agent +do + mv etc/%{service}/plugins/ml2/${file}.ini %{buildroot}%{_sysconfdir}/%{service}/plugins/ml2/${file}.ini +done + +# (TODO) Backwards compatibility for networking-ovn-metadata-agent.ini + +install -d -m 755 %{buildroot}%{_sysconfdir}/neutron/plugins/networking-ovn +ln -s /etc/neutron/neutron_ovn_metadata_agent.ini %{buildroot}%{_sysconfdir}/%{service}/plugins/networking-ovn/networking-ovn-metadata-agent.ini + +# (TODO) Backwards compatibility for ovn.ini +ln -s /etc/neutron/ovn.ini %{buildroot}%{_sysconfdir}/%{service}/plugins/networking-ovn/networking-ovn.ini + +# (TODO) Backwards compatibility for networking-ovn-metadata-agent executable +ln -s %{_bindir}/neutron-ovn-metadata-agent 
%{buildroot}%{_bindir}/networking-ovn-metadata-agent + +# Install logrotate +install -p -D -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/logrotate.d/openstack-%{service} + +# Install sudoers +install -p -D -m 440 %{SOURCE2} %{buildroot}%{_sysconfdir}/sudoers.d/%{service} + +# Install systemd units +install -p -D -m 644 %{SOURCE10} %{buildroot}%{_unitdir}/neutron-server.service +install -p -D -m 644 %{SOURCE11} %{buildroot}%{_unitdir}/neutron-linuxbridge-agent.service +install -p -D -m 644 %{SOURCE12} %{buildroot}%{_unitdir}/neutron-openvswitch-agent.service +install -p -D -m 644 %{SOURCE15} %{buildroot}%{_unitdir}/neutron-dhcp-agent.service +install -p -D -m 644 %{SOURCE16} %{buildroot}%{_unitdir}/neutron-l3-agent.service +install -p -D -m 644 %{SOURCE17} %{buildroot}%{_unitdir}/neutron-metadata-agent.service +install -p -D -m 644 %{SOURCE18} %{buildroot}%{_unitdir}/neutron-ovs-cleanup.service +install -p -D -m 644 %{SOURCE19} %{buildroot}%{_unitdir}/neutron-macvtap-agent.service +install -p -D -m 644 %{SOURCE20} %{buildroot}%{_unitdir}/neutron-metering-agent.service +install -p -D -m 644 %{SOURCE21} %{buildroot}%{_unitdir}/neutron-sriov-nic-agent.service +install -p -D -m 644 %{SOURCE22} %{buildroot}%{_unitdir}/neutron-netns-cleanup.service +install -p -D -m 644 %{SOURCE29} %{buildroot}%{_unitdir}/neutron-rpc-server.service +install -p -D -m 644 %{SOURCE32} %{buildroot}%{_unitdir}/neutron-linuxbridge-cleanup.service +install -p -D -m 644 %{SOURCE36} %{buildroot}%{_unitdir}/neutron-destroy-patch-ports.service +install -p -D -m 644 %{SOURCE37} %{buildroot}%{_unitdir}/neutron-ovn-metadata-agent.service + +# (TODO) - Backwards compatibility for systemd unit networking-ovn-metadata-agent + +ln -s %{_unitdir}/neutron-ovn-metadata-agent.service %{buildroot}%{_unitdir}/networking-ovn-metadata-agent.service + +# Install helper scripts +install -p -D -m 755 %{SOURCE33} %{buildroot}%{_bindir}/neutron-enable-bridge-firewall.sh + +# Install sysctl and modprobe config files to 
enable bridge firewalling +# NOTE(ihrachys) we effectively duplicate same settings for each affected l2 +# agent. This can be revisited later. +install -p -D -m 644 %{SOURCE34} %{buildroot}%{_sysctldir}/99-neutron-openvswitch-agent.conf +install -p -D -m 644 %{SOURCE34} %{buildroot}%{_sysctldir}/99-neutron-linuxbridge-agent.conf +install -p -D -m 755 %{SOURCE35} %{buildroot}%{_sysconfdir}/sysconfig/modules/neutron-openvswitch-agent.modules +install -p -D -m 755 %{SOURCE35} %{buildroot}%{_sysconfdir}/sysconfig/modules/neutron-linuxbridge-agent.modules + +# Install README file that describes how to configure services with custom configuration files +install -p -D -m 755 %{SOURCE31} %{buildroot}%{_sysconfdir}/%{service}/conf.d/README + +# Setup directories +install -d -m 755 %{buildroot}%{_datadir}/%{service} +install -d -m 755 %{buildroot}%{_sharedstatedir}/%{service} +install -d -m 755 %{buildroot}%{_localstatedir}/log/%{service} +install -d -m 755 %{buildroot}%{_localstatedir}/run/%{service} +install -d -m 755 %{buildroot}%{_sysconfdir}/%{service}/kill_scripts + +# Install dist conf +install -p -D -m 640 %{SOURCE30} %{buildroot}%{_datadir}/%{service}/%{service}-dist.conf + +# Create and populate configuration directory for L3 agent that is not accessible for user modification +mkdir -p %{buildroot}%{_datadir}/%{service}/l3_agent +ln -s %{_sysconfdir}/%{service}/l3_agent.ini %{buildroot}%{_datadir}/%{service}/l3_agent/l3_agent.conf + +# Create dist configuration directory for neutron-server (may be filled by advanced services) +mkdir -p %{buildroot}%{_datadir}/%{service}/server + +# Create configuration directories for all services that can be populated by users with custom *.conf files +mkdir -p %{buildroot}/%{_sysconfdir}/%{service}/conf.d/common +for service in server rpc-server ovs-cleanup netns-cleanup linuxbridge-cleanup macvtap-agent; do + mkdir -p %{buildroot}/%{_sysconfdir}/%{service}/conf.d/%{service}-$service +done +for service in linuxbridge openvswitch 
dhcp l3 metadata metering sriov-nic ovn-metadata; do + mkdir -p %{buildroot}/%{_sysconfdir}/%{service}/conf.d/%{service}-$service-agent +done + +# Install i18n .mo files (.po and .pot are not required) +install -d -m 755 %{buildroot}%{_datadir} +rm -f %{buildroot}%{python3_sitelib}/%{service}/locale/*/LC_*/%{service}*po +rm -f %{buildroot}%{python3_sitelib}/%{service}/locale/*pot +mv %{buildroot}%{python3_sitelib}/%{service}/locale %{buildroot}%{_datadir}/locale + +# Find language files +%find_lang %{service} --all-name + +%pre common +getent group %{service} >/dev/null || groupadd -r %{service} +getent passwd %{service} >/dev/null || \ + useradd -r -g %{service} -d %{_sharedstatedir}/%{service} -s /sbin/nologin \ + -c "OpenStack Neutron Daemons" %{service} +exit 0 + + +%post +%systemd_post neutron-dhcp-agent.service +%systemd_post neutron-l3-agent.service +%systemd_post neutron-metadata-agent.service +%systemd_post neutron-server.service +%systemd_post neutron-netns-cleanup.service +%systemd_post neutron-ovs-cleanup.service +%systemd_post neutron-linuxbridge-cleanup.service + + +%preun +%systemd_preun neutron-dhcp-agent.service +%systemd_preun neutron-l3-agent.service +%systemd_preun neutron-metadata-agent.service +%systemd_preun neutron-server.service +%systemd_preun neutron-netns-cleanup.service +%systemd_preun neutron-ovs-cleanup.service +%systemd_preun neutron-linuxbridge-cleanup.service + + +%postun +%systemd_postun_with_restart neutron-dhcp-agent.service +%systemd_postun_with_restart neutron-l3-agent.service +%systemd_postun_with_restart neutron-metadata-agent.service +%systemd_postun_with_restart neutron-server.service +%cleanup_orphan_rootwrap_daemons + + +%post macvtap-agent +%systemd_post neutron-macvtap-agent.service + + +%preun macvtap-agent +%systemd_preun neutron-macvtap-agent.service + + +%postun macvtap-agent +%systemd_postun_with_restart neutron-macvtap-agent.service +%cleanup_orphan_rootwrap_daemons + + +%post linuxbridge +%systemd_post 
neutron-linuxbridge-agent.service + + +%preun linuxbridge +%systemd_preun neutron-linuxbridge-agent.service + + +%postun linuxbridge +%systemd_postun_with_restart neutron-linuxbridge-agent.service +%cleanup_orphan_rootwrap_daemons + +%post openvswitch +%systemd_post neutron-openvswitch-agent.service +%systemd_post neutron-destroy-patch-ports.service + +if [ $1 -ge 2 ]; then + # We're upgrading + + # Detect if the neutron-openvswitch-agent is running + ovs_agent_running=0 + systemctl status neutron-openvswitch-agent > /dev/null 2>&1 && ovs_agent_running=1 || : + + # If agent is running, stop it + [ $ovs_agent_running -eq 1 ] && systemctl stop neutron-openvswitch-agent > /dev/null 2>&1 || : + + # Search all orphaned neutron-rootwrap-daemon processes and since all are triggered by sudo, + # get the actual rootwrap-daemon process. + %cleanup_orphan_rootwrap_daemons + + # If agent was running, start it back with new code + [ $ovs_agent_running -eq 1 ] && systemctl start neutron-openvswitch-agent > /dev/null 2>&1 || : +fi + + +%preun openvswitch +%systemd_preun neutron-openvswitch-agent.service +%systemd_preun neutron-destroy-patch-ports.service + + +%post metering-agent +%systemd_post neutron-metering-agent.service + + +%preun metering-agent +%systemd_preun neutron-metering-agent.service + + +%postun metering-agent +%systemd_postun_with_restart neutron-metering-agent.service +%cleanup_orphan_rootwrap_daemons + + +%post sriov-nic-agent +%systemd_post neutron-sriov-nic-agent.service + + +%preun sriov-nic-agent +%systemd_preun neutron-sriov-nic-agent.service + + +%postun sriov-nic-agent +%systemd_postun_with_restart neutron-sriov-nic-agent.service +%cleanup_orphan_rootwrap_daemons + + +%post ovn-metadata-agent +%systemd_post neutron-ovn-metadata-agent.service + + +%preun ovn-metadata-agent +%systemd_preun neutron-ovn-metadata-agent.service + + +%postun ovn-metadata-agent +%systemd_postun_with_restart neutron-ovn-metadata-agent.service + + +%files +%license LICENSE 
+%{_bindir}/neutron-api +%{_bindir}/neutron-db-manage +%{_bindir}/neutron-debug +%{_bindir}/neutron-dhcp-agent +%{_bindir}/neutron-ipset-cleanup +%{_bindir}/neutron-keepalived-state-change +%{_bindir}/neutron-l3-agent +%{_bindir}/neutron-linuxbridge-cleanup +%{_bindir}/neutron-metadata-agent +%{_bindir}/neutron-netns-cleanup +%{_bindir}/neutron-ovs-cleanup +%{_bindir}/neutron-pd-notify +%{_bindir}/neutron-sanity-check +%{_bindir}/neutron-status +%{_bindir}/neutron-server +%{_bindir}/neutron-usage-audit +%{_bindir}/neutron-ovn-metadata-agent +%{_bindir}/networking-ovn-metadata-agent +%{_bindir}/neutron-ovn-db-sync-util +%{_bindir}/ml2ovn-trace +%{_bindir}/neutron-sanitize-port-binding-profile-allocation +%{_bindir}/neutron-sanitize-port-mac-addresses +%{_bindir}/neutron-ovn-agent +%{_bindir}/neutron-remove-duplicated-port-bindings +%{_unitdir}/neutron-dhcp-agent.service +%{_unitdir}/neutron-l3-agent.service +%{_unitdir}/neutron-metadata-agent.service +%{_unitdir}/neutron-server.service +%{_unitdir}/neutron-netns-cleanup.service +%{_unitdir}/neutron-ovs-cleanup.service +%{_unitdir}/neutron-linuxbridge-cleanup.service +%attr(-, root, %{service}) %{_datadir}/%{service}/api-paste.ini +%dir %{_datadir}/%{service}/l3_agent +%dir %{_datadir}/%{service}/server +%{_datadir}/%{service}/l3_agent/*.conf +%config(noreplace) %attr(0640, root, %{service}) %{_sysconfdir}/%{service}/dhcp_agent.ini +%config(noreplace) %attr(0640, root, %{service}) %{_sysconfdir}/%{service}/l3_agent.ini +%config(noreplace) %attr(0640, root, %{service}) %{_sysconfdir}/%{service}/metadata_agent.ini +%dir %{_sysconfdir}/%{service}/conf.d/%{service}-dhcp-agent +%dir %{_sysconfdir}/%{service}/conf.d/%{service}-l3-agent +%dir %{_sysconfdir}/%{service}/conf.d/%{service}-metadata-agent +%dir %{_sysconfdir}/%{service}/conf.d/%{service}-server +%dir %{_sysconfdir}/%{service}/conf.d/%{service}-netns-cleanup +%dir %{_sysconfdir}/%{service}/conf.d/%{service}-ovs-cleanup +%dir 
%{_sysconfdir}/%{service}/conf.d/%{service}-linuxbridge-cleanup +%dir %{_sysconfdir}/%{service}/kill_scripts + +%files -n python3-%{service}-tests +%license LICENSE +%{python3_sitelib}/%{service}/tests + +%files -n python3-%{service} +%license LICENSE +%{python3_sitelib}/%{service} +%{python3_sitelib}/%{service}-*.egg-info +%exclude %{python3_sitelib}/%{service}/tests + + +%files common -f %{service}.lang +%license LICENSE +%doc README.rst +# though this script is not exactly needed on all nodes but for ovs and +# linuxbridge agents only, it's probably good enough to put it here +%{_bindir}/neutron-enable-bridge-firewall.sh +%{_bindir}/neutron-rootwrap +%{_bindir}/neutron-rootwrap-daemon +%dir %{_sysconfdir}/%{service} +%{_sysconfdir}/%{service}/conf.d/README +%dir %{_sysconfdir}/%{service}/conf.d +%dir %{_sysconfdir}/%{service}/conf.d/common +%dir %{_sysconfdir}/%{service}/plugins +%attr(-, root, %{service}) %{_datadir}/%{service}/%{service}-dist.conf +%config(noreplace) %attr(0640, root, %{service}) %{_sysconfdir}/%{service}/%{service}.conf +%config(noreplace) %attr(0640, root, %{service}) %{_sysconfdir}/%{service}/ovn.ini +%{_sysconfdir}/%{service}/plugins/networking-ovn/networking-ovn.ini +%config(noreplace) %{_sysconfdir}/%{service}/rootwrap.conf +%config(noreplace) %{_sysconfdir}/logrotate.d/* +%{_sysconfdir}/sudoers.d/%{service} +%dir %attr(0755, %{service}, %{service}) %{_sharedstatedir}/%{service} +%dir %attr(0750, %{service}, %{service}) %{_localstatedir}/log/%{service} +%dir %{_datarootdir}/%{service} +%dir %{_datarootdir}/%{service}/rootwrap +%{_datarootdir}/%{service}/rootwrap/rootwrap.filters + +%files linuxbridge +%license LICENSE +%{_bindir}/neutron-linuxbridge-agent +%{_unitdir}/neutron-linuxbridge-agent.service +%dir %{_sysconfdir}/%{service}/plugins/ml2 +%config(noreplace) %attr(0640, root, %{service}) %{_sysconfdir}/%{service}/plugins/ml2/linuxbridge_agent.ini +%dir %{_sysconfdir}/%{service}/conf.d/%{service}-linuxbridge-agent 
+%{_sysctldir}/99-neutron-linuxbridge-agent.conf +%{_sysconfdir}/sysconfig/modules/neutron-linuxbridge-agent.modules + + +%files macvtap-agent +%license LICENSE +%{_bindir}/neutron-macvtap-agent +%{_unitdir}/neutron-macvtap-agent.service +%dir %{_sysconfdir}/%{service}/conf.d/%{service}-macvtap-agent + + +%files ml2 +%license LICENSE +%doc %{service}/plugins/ml2/README +%dir %{_sysconfdir}/%{service}/plugins/ml2 +%config(noreplace) %attr(0640, root, %{service}) %{_sysconfdir}/%{service}/plugins/ml2/*.ini +%exclude %{_sysconfdir}/%{service}/plugins/ml2/linuxbridge_agent.ini +%exclude %{_sysconfdir}/%{service}/plugins/ml2/openvswitch_agent.ini + + +%files openvswitch +%license LICENSE +%{_bindir}/neutron-openvswitch-agent +%{_unitdir}/neutron-openvswitch-agent.service +%{_unitdir}/neutron-destroy-patch-ports.service +%dir %{_sysconfdir}/%{service}/plugins/ml2 +%config(noreplace) %attr(0640, root, %{service}) %{_sysconfdir}/%{service}/plugins/ml2/openvswitch_agent.ini +%dir %{_sysconfdir}/%{service}/conf.d/%{service}-openvswitch-agent +%{_sysctldir}/99-neutron-openvswitch-agent.conf +%{_sysconfdir}/sysconfig/modules/neutron-openvswitch-agent.modules + + +%files metering-agent +%license LICENSE +%config(noreplace) %attr(0640, root, %{service}) %{_sysconfdir}/%{service}/metering_agent.ini +%{_unitdir}/neutron-metering-agent.service +%{_bindir}/neutron-metering-agent +%dir %{_sysconfdir}/%{service}/conf.d/%{service}-metering-agent + + +%files rpc-server +%license LICENSE +%{_bindir}/neutron-rpc-server +%{_unitdir}/neutron-rpc-server.service +%dir %{_sysconfdir}/%{service}/conf.d/%{service}-rpc-server + + +%files sriov-nic-agent +%license LICENSE +%{_unitdir}/neutron-sriov-nic-agent.service +%{_bindir}/neutron-sriov-nic-agent +%config(noreplace) %attr(0640, root, %{service}) %{_sysconfdir}/%{service}/plugins/ml2/sriov_agent.ini +%dir %{_sysconfdir}/%{service}/conf.d/%{service}-sriov-nic-agent + + +%files ovn-metadata-agent +%license LICENSE 
+%{_bindir}/neutron-ovn-metadata-agent +%{_bindir}/networking-ovn-metadata-agent +%{_unitdir}/neutron-ovn-metadata-agent.service +%{_unitdir}/networking-ovn-metadata-agent.service +%config(noreplace) %attr(0640, root, %{service}) %{_sysconfdir}/%{service}/neutron_ovn_metadata_agent.ini +%dir %{_sysconfdir}/neutron/plugins/networking-ovn +%{_sysconfdir}/neutron/plugins/networking-ovn/networking-ovn-metadata-agent.ini +/etc/neutron/plugins/networking-ovn/networking-ovn.ini +%dir %{_sysconfdir}/neutron/conf.d/neutron-ovn-metadata-agent + + +%files ovn-migration-tool +%license LICENSE +%{_bindir}/neutron-ovn-migration-mtu +%{_bindir}/ovn_migration.sh +%{_datadir}/ansible/neutron-ovn-migration/ + +%changelog +* Fri Nov 29 2024 wangjing - 22.1.0-2 +- add CVE-2024-53916-Fix-the-tagging-policy-engine.patch + +* Tue Apr 16 2024 wangjing - 22.1.0-1 +- update package of version 22.1.0 + +* Tue Jul 19 2022 renliang16 - 20.0.0-1 +- Upgrade package openstack-neutron to version 20.0.0 + +* Thu Sep 09 2021 wangxiyuan 18.1.0-2 +- Add conntrack-tools to linuxbride Requires + +* Fri Jul 23 2021 liksh 18.1.0-1 +- Update to 18.1.0 + +* Fri Jan 15 2021 joec88 17.0.0-1 +- openEuler build release +
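Review bot: In `%files common`, `rootwrap.conf` and `rootwrap.filters` are listed without `%attr`, so their modes are whatever the install step left in the buildroot, while the sudoers file shipped by this same package lets the neutron user run neutron-rootwrap as root with that configuration. Pinning them makes the trust boundary explicit and keeps it stable if upstream modes change: `%config(noreplace) %attr(0644, root, root) %{_sysconfdir}/%{service}/rootwrap.conf` and `%attr(0644, root, root) %{_datarootdir}/%{service}/rootwrap/rootwrap.filters`. Separately, `%install` puts `conf.d/README` in place with `-m 755`; a text file should be installed with `-m 644`.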