Merge "Update neuron config file permissions"
diff --git a/.travis.yml b/.travis.yml
index 0846964..3bb1e13 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -20,23 +20,6 @@
- bundle install
env:
- - PLATFORM=epcim/salt-formulas:saltstack-ubuntu-xenial-salt-2016.3 SUITE=compute-dpdk
- - PLATFORM=epcim/salt-formulas:saltstack-ubuntu-xenial-salt-2016.3 SUITE=compute-dvr
- - PLATFORM=epcim/salt-formulas:saltstack-ubuntu-xenial-salt-2016.3 SUITE=compute-legacy
- - PLATFORM=epcim/salt-formulas:saltstack-ubuntu-xenial-salt-2016.3 SUITE=compute-sriov
- - PLATFORM=epcim/salt-formulas:saltstack-ubuntu-xenial-salt-2016.3 SUITE=compute-qos
- - PLATFORM=epcim/salt-formulas:saltstack-ubuntu-xenial-salt-2016.3 SUITE=control-cluster
- - PLATFORM=epcim/salt-formulas:saltstack-ubuntu-xenial-salt-2016.3 SUITE=control-nodvr
- - PLATFORM=epcim/salt-formulas:saltstack-ubuntu-xenial-salt-2016.3 SUITE=control-lbaas-octavia
- - PLATFORM=epcim/salt-formulas:saltstack-ubuntu-xenial-salt-2016.3 SUITE=control-fwaas-v1
- - PLATFORM=epcim/salt-formulas:saltstack-ubuntu-xenial-salt-2016.3 SUITE=control-l2gw
- - PLATFORM=epcim/salt-formulas:saltstack-ubuntu-xenial-salt-2016.3 SUITE=control-opendaylight
- - PLATFORM=epcim/salt-formulas:saltstack-ubuntu-xenial-salt-2016.3 SUITE=control-ovn
- - PLATFORM=epcim/salt-formulas:saltstack-ubuntu-xenial-salt-2016.3 SUITE=gateway-dvr
- - PLATFORM=epcim/salt-formulas:saltstack-ubuntu-xenial-salt-2016.3 SUITE=gateway-legacy
- - PLATFORM=epcim/salt-formulas:saltstack-ubuntu-xenial-salt-2016.3 SUITE=gateway-legacy-fwaas-v1
- - PLATFORM=epcim/salt-formulas:saltstack-ubuntu-xenial-salt-2016.3 SUITE=gateway-legacy-l2gw
- - PLATFORM=epcim/salt-formulas:saltstack-ubuntu-xenial-salt-2016.3 SUITE=gateway-legacy-opendaylight
- PLATFORM=epcim/salt:saltstack-ubuntu-xenial-salt-2017.7 SUITE=compute-dpdk
- PLATFORM=epcim/salt:saltstack-ubuntu-xenial-salt-2017.7 SUITE=compute-dvr-fwaas-v1
- PLATFORM=epcim/salt:saltstack-ubuntu-xenial-salt-2017.7 SUITE=compute-nonexternal-dvr
diff --git a/neutron/agents/_l2gw.sls b/neutron/agents/_l2gw.sls
index ddb665d..4a0d70f 100644
--- a/neutron/agents/_l2gw.sls
+++ b/neutron/agents/_l2gw.sls
@@ -8,6 +8,8 @@
/etc/neutron/l2gateway_agent.ini:
file.managed:
- source: salt://neutron/files/{{ gateway.version }}/l2gw/l2gateway_agent.ini
+ - mode: 0640
+ - group: neutron
- template: jinja
- require:
- pkg: l2gw_agent_packages
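Review bot: The added `- mode: 0640` is an unquoted scalar with a leading zero; Salt's file.managed documentation asks for such modes to be quoted because a YAML loader can read them as an octal integer, so `- mode: '0640'` is the safer spelling. The same unquoted form is added in every other file.managed hunk of this change (ovn_metadata.sls, compute.sls, fwaas.sls, gateway.sls, server.sls, services/_l2gw.sls), while the midonet.ini and nsx.ini hunks in server.sls write `mode: 640`, so one quoted spelling throughout would also remove that inconsistency. Separately, this hunk and most of the others set `group: neutron` without `user`, whereas several server.sls hunks add `- user: root`; as far as I know file.managed leaves the existing owner alone when `user` is omitted, so a file already owned by the service account would stay writable by it. Adding `- user: root` here as well would make the intended root-write, group-read split explicit.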
diff --git a/neutron/agents/ovn_metadata.sls b/neutron/agents/ovn_metadata.sls
index f2e755b..fd7516d 100644
--- a/neutron/agents/ovn_metadata.sls
+++ b/neutron/agents/ovn_metadata.sls
@@ -9,6 +9,8 @@
file.managed:
- source: salt://neutron/files/{{ compute.version }}/ovn/metadata-agent.ini
- template: jinja
+ - mode: 0640
+ - group: neutron
- makedirs: true
- require:
- pkg: ovn_packages
@@ -16,6 +18,8 @@
/etc/neutron/neutron.conf:
file.managed:
- source: salt://neutron/files/{{ compute.version }}/neutron-generic.conf
+ - mode: 0640
+ - group: neutron
- template: jinja
- require:
- pkg: ovn_packages
diff --git a/neutron/compute.sls b/neutron/compute.sls
index 5b1e3cf..1aba19f 100644
--- a/neutron/compute.sls
+++ b/neutron/compute.sls
@@ -2,15 +2,33 @@
{%- if compute.enabled %}
include:
-{% if compute.backend.engine == "ml2" %}
- {% if compute.dvr %}
- {%- if fwaas.get('enabled', False) %}
+ {% if compute.backend.engine == "ml2" and compute.dvr and fwaas.get('enabled', False) %}
- neutron.fwaas
- {%- endif %}
{%- endif %}
-{%- endif %}
- neutron._ssl.rabbitmq
+ {%- if not salt['user.info']('neutron') %}
+user_neutron:
+ user.present:
+ - name: neutron
+ - home: /var/lib/neutron
+ - shell: /bin/false
+ - system: True
+ - groups:
+ - neutron
+ - require_in:
+ - sls: neutron._ssl.rabbitmq
+ {% if compute.backend.engine == "ml2" and compute.dvr and fwaas.get('enabled', False) %}
+ - sls: neutron.fwaas
+ {%- endif %}
+group_neutron:
+ group.present:
+ - name: neutron
+ - system: True
+ - require_in:
+ - user: user_neutron
+ {%- endif %}
+
{% if compute.backend.engine == "ml2" %}
{% if compute.get('dhcp_agent_enabled', False) %}
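Review bot: The condition `compute.backend.engine == "ml2" and compute.dvr and fwaas.get('enabled', False)` now appears twice, once around the `neutron.fwaas` include and once around `- sls: neutron.fwaas` under `user_neutron`'s `require_in`, and the two copies have to stay identical because a requisite naming an SLS that was not included will presumably fail the run. Computing it once, e.g. `{%- set fwaas_included = compute.backend.engine == "ml2" and compute.dvr and fwaas.get('enabled', False) %}`, and testing `fwaas_included` in both places removes that risk. The gateway.sls hunk at `@@ -12,6 +12,9` adds the same `- sls: neutron.fwaas` requisite under a shorter condition whose matching include is outside the hunk, so the pairing is worth checking there too. A one-line comment above `user_neutron` saying why the account and group are created in this state (apparently so that `group: neutron` on the managed files resolves even when no package has created it yet) would help the next reader. The enclosing `{%- if compute.enabled %}` block continues past the end of this hunk.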
@@ -35,6 +53,8 @@
/etc/neutron/dhcp_agent.ini:
file.managed:
- source: salt://neutron/files/{{ compute.version }}/dhcp_agent.ini
+ - mode: 0640
+ - group: neutron
- template: jinja
- require:
- pkg: neutron_dhcp_agent_packages
diff --git a/neutron/fwaas.sls b/neutron/fwaas.sls
index 8b6f87d..6240a27 100644
--- a/neutron/fwaas.sls
+++ b/neutron/fwaas.sls
@@ -10,6 +10,8 @@
/etc/neutron/fwaas_driver.ini:
file.managed:
- source: salt://neutron/files/{{ fwaas.version }}/fwaas_driver.ini
+ - mode: 0640
+ - group: neutron
- template: jinja
- require:
- pkg: neutron_fwaas_packages
diff --git a/neutron/gateway.sls b/neutron/gateway.sls
index 6c5da92..a605722 100644
--- a/neutron/gateway.sls
+++ b/neutron/gateway.sls
@@ -12,6 +12,9 @@
- names: {{ gateway.pkgs }}
- require_in:
- sls: neutron._ssl.rabbitmq
+ {%- if fwaas.get('enabled', False) %}
+ - sls: neutron.fwaas
+ {%- endif %}
{%- if not grains.get('noservices', False) and pillar.haproxy is not defined %}
# NOTE(mpolenchuk): haproxy is used as a replacement for
@@ -28,6 +31,8 @@
/etc/neutron/neutron.conf:
file.managed:
- source: salt://neutron/files/{{ gateway.version }}/neutron-generic.conf
+ - mode: 0640
+ - group: neutron
- template: jinja
- require:
- pkg: neutron_gateway_packages
@@ -45,6 +50,8 @@
/etc/neutron/l3_agent.ini:
file.managed:
- source: salt://neutron/files/{{ gateway.version }}/l3_agent.ini
+ - mode: 0640
+ - group: neutron
- template: jinja
- require:
- pkg: neutron_gateway_packages
@@ -52,6 +59,8 @@
/etc/neutron/plugins/ml2/openvswitch_agent.ini:
file.managed:
- source: salt://neutron/files/{{ gateway.version }}/openvswitch_agent.ini
+ - mode: 0640
+ - group: neutron
- template: jinja
- require:
- pkg: neutron_gateway_packages
@@ -60,6 +69,8 @@
/etc/neutron/dhcp_agent.ini:
file.managed:
- source: salt://neutron/files/{{ gateway.version }}/dhcp_agent.ini
+ - mode: 0640
+ - group: neutron
- template: jinja
- require:
- pkg: neutron_gateway_packages
@@ -67,6 +78,8 @@
/etc/neutron/metadata_agent.ini:
file.managed:
- source: salt://neutron/files/{{ gateway.version }}/metadata_agent.ini
+ - mode: 0640
+ - group: neutron
- template: jinja
- require:
- pkg: neutron_gateway_packages
@@ -141,6 +154,8 @@
service.running:
- names: {{ gateway.services }}
- enable: true
+ - require:
+ - sls: neutron._ssl.rabbitmq
- watch:
- file: /etc/neutron/neutron.conf
- file: /etc/neutron/metadata_agent.ini
diff --git a/neutron/server.sls b/neutron/server.sls
index 5a410f8..25b7d3c 100644
--- a/neutron/server.sls
+++ b/neutron/server.sls
@@ -85,6 +85,9 @@
/etc/neutron/plugins/ml2/ml2_conf.ini:
file.managed:
- source: salt://neutron/files/{{ server.version }}/ml2_conf.ini
+ - mode: 0640
+ - user: root
+ - group: neutron
- template: jinja
- require:
- pkg: neutron_server_packages
@@ -118,6 +121,9 @@
/etc/neutron/neutron.conf:
file.managed:
- source: salt://neutron/files/{{ server.version }}/neutron-server.conf
+ - mode: 0640
+ - user: root
+ - group: neutron
- template: jinja
- require:
- pkg: neutron_server_packages
@@ -129,6 +135,8 @@
/etc/neutron/api-paste.ini:
file.managed:
- source: salt://neutron/files/{{ server.version }}/api-paste.ini
+ - mode: 0640
+ - group: neutron
- template: jinja
- require:
- pkg: neutron_server_packages
@@ -162,6 +170,9 @@
file.managed:
- name: /etc/neutron/logging.conf
- source: salt://oslo_templates/files/logging/_logging.conf
+ - mode: 0640
+ - user: root
+ - group: neutron
- template: jinja
- makedirs: True
- defaults:
@@ -184,6 +195,9 @@
file.managed:
- name: /etc/neutron/logging/logging-{{ service_name }}.conf
- source: salt://oslo_templates/files/logging/_logging.conf
+ - mode: 0640
+ - user: root
+ - group: neutron
- template: jinja
- makedirs: True
- defaults:
@@ -230,6 +244,9 @@
/etc/default/neutron-server:
file.managed:
- source: salt://neutron/files/{{ server.version }}/neutron-server
+ - mode: 0640
+ - user: root
+ - group: neutron
- template: jinja
- require:
- pkg: neutron_server_packages
@@ -290,10 +307,10 @@
file.managed:
- source: salt://neutron/files/{{ server.version }}/midonet.ini
- user: root
- - group: root
- - mode: 644
+ - group: neutron
+ - mode: 640
- makedirs: true
- - dir_mode: 755
+ - dir_mode: 750
- template: jinja
- require_in:
- sls: neutron.db.offline_sync
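Review bot: Changing `dir_mode` from 755 to 750 only affects directories that `makedirs: true` actually creates, as far as Salt's file.managed documents the option, so on a host where the plugin directory already exists the directory keeps its current mode and only the file is tightened to 640. If the directory is meant to be closed to other users as well, a separate `file.directory` state for that path with `user: root`, `group: neutron` and `mode: '0750'` would enforce it on already-provisioned hosts. The same applies to the nsx.ini hunk at `@@ -329,10 +346,10`. The state ID that names the managed path sits above the first line of this hunk.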
@@ -329,10 +346,10 @@
file.managed:
- source: salt://neutron/files/{{ server.version }}/plugins/nsx.ini
- user: root
- - group: root
- - mode: 644
+ - group: neutron
+ - mode: 640
- makedirs: true
- - dir_mode: 755
+ - dir_mode: 750
- template: jinja
- require:
- pkg: vmware_neutron_packages
diff --git a/neutron/services/_l2gw.sls b/neutron/services/_l2gw.sls
index f91b83e..5224e12 100644
--- a/neutron/services/_l2gw.sls
+++ b/neutron/services/_l2gw.sls
@@ -9,6 +9,8 @@
file.managed:
- source: salt://neutron/files/{{ server.version }}/l2gw/l2gw_plugin.ini
- template: jinja
+ - mode: 0640
+ - group: neutron
- require_in:
- cmd: neutron_db_manage
- require: