--- /dev/null
+From 8138e2fe38ad2cde5963685df47b1e4286776352 Mon Sep 17 00:00:00 2001
+From: Kevin Benton <blak111@gmail.com>
+Date: Tue, 25 Aug 2015 22:03:27 -0700
+Subject: [PATCH] Stop device_owner from being set to 'network:*'
+
+This patch adjusts the FieldCheck class in the policy engine to
+allow a regex rule. It then leverages that to prevent users from
+setting the device_owner field to anything that starts with
+'network:' on networks which they do not own.
+
+This policy adjustment is necessary because any ports with a
+device_owner that starts with 'network:' will not have any security
+group rules applied because it is assumed they are trusted network
+devices (e.g. router ports, DHCP ports, etc). These security rules
+include the anti-spoofing protection for DHCP, IPv6 ICMP messages,
+and IP headers.
+
+Without this policy adjustment, tenants can abuse this trust when
+connected to a shared network with other tenants by setting their
+VM port's device_owner field to 'network:<anything>' and hijack other
+tenants' traffic via DHCP spoofing or MAC/IP spoofing.
+
+Closes-Bug: #1489111
+Change-Id: Ia64cf16142e0e4be44b5b0ed72c8e00792d770f9
+(cherry picked from commit 959a2f28cbbfc309381ea9ffb55090da6fb9c78f)
+---
+ etc/policy.json | 3 +++
+ neutron/api/v2/attributes.py | 2 +-
+ neutron/policy.py | 3 +++
+ neutron/tests/etc/policy.json | 3 +++
+ neutron/tests/unit/test_policy.py | 16 ++++++++++++++++
+ 5 files changed, 26 insertions(+), 1 deletion(-)
+
+diff --git a/etc/policy.json b/etc/policy.json
+index 8a5de9b..0f04eb2 100644
+--- a/etc/policy.json
++++ b/etc/policy.json
+@@ -46,7 +46,9 @@
+ "update_network:router:external": "rule:admin_only",
+ "delete_network": "rule:admin_or_owner",
+
++ "network_device": "field:port:device_owner=~^network:",
+ "create_port": "",
++ "create_port:device_owner": "not rule:network_device or rule:admin_or_network_owner or rule:context_is_advsvc",
+ "create_port:mac_address": "rule:admin_or_network_owner or rule:context_is_advsvc",
+ "create_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc",
+ "create_port:port_security_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
+@@ -61,6 +63,7 @@
+ "get_port:binding:host_id": "rule:admin_only",
+ "get_port:binding:profile": "rule:admin_only",
+ "update_port": "rule:admin_or_owner or rule:context_is_advsvc",
++ "update_port:device_owner": "not rule:network_device or rule:admin_or_network_owner or rule:context_is_advsvc",
+ "update_port:mac_address": "rule:admin_only or rule:context_is_advsvc",
+ "update_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc",
+ "update_port:port_security_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
+diff --git a/neutron/api/v2/attributes.py b/neutron/api/v2/attributes.py
+index b9c179a..9ceee78 100644
+--- a/neutron/api/v2/attributes.py
++++ b/neutron/api/v2/attributes.py
+@@ -766,7 +766,7 @@ RESOURCE_ATTRIBUTE_MAP = {
+ 'is_visible': True},
+ 'device_owner': {'allow_post': True, 'allow_put': True,
+ 'validate': {'type:string': DEVICE_OWNER_MAX_LEN},
+- 'default': '',
++ 'default': '', 'enforce_policy': True,
+ 'is_visible': True},
+ 'tenant_id': {'allow_post': True, 'allow_put': False,
+ 'validate': {'type:string': TENANT_ID_MAX_LEN},
+diff --git a/neutron/policy.py b/neutron/policy.py
+index 9e586dd..961ae21 100644
+--- a/neutron/policy.py
++++ b/neutron/policy.py
+@@ -335,6 +335,7 @@ class FieldCheck(policy.Check):
+
+ self.field = field
+ self.value = conv_func(value)
++ self.regex = re.compile(value[1:]) if value.startswith('~') else None
+
+ def __call__(self, target_dict, cred_dict, enforcer):
+ target_value = target_dict.get(self.field)
+@@ -344,6 +345,8 @@ class FieldCheck(policy.Check):
+ "%(target_dict)s",
+ {'field': self.field, 'target_dict': target_dict})
+ return False
++ if self.regex:
++ return bool(self.regex.match(target_value))
+ return target_value == self.value
+
+
+diff --git a/neutron/tests/etc/policy.json b/neutron/tests/etc/policy.json
+index 8a5de9b..0f04eb2 100644
+--- a/neutron/tests/etc/policy.json
++++ b/neutron/tests/etc/policy.json
+@@ -46,7 +46,9 @@
+ "update_network:router:external": "rule:admin_only",
+ "delete_network": "rule:admin_or_owner",
+
++ "network_device": "field:port:device_owner=~^network:",
+ "create_port": "",
++ "create_port:device_owner": "not rule:network_device or rule:admin_or_network_owner or rule:context_is_advsvc",
+ "create_port:mac_address": "rule:admin_or_network_owner or rule:context_is_advsvc",
+ "create_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc",
+ "create_port:port_security_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
+@@ -61,6 +63,7 @@
+ "get_port:binding:host_id": "rule:admin_only",
+ "get_port:binding:profile": "rule:admin_only",
+ "update_port": "rule:admin_or_owner or rule:context_is_advsvc",
++ "update_port:device_owner": "not rule:network_device or rule:admin_or_network_owner or rule:context_is_advsvc",
+ "update_port:mac_address": "rule:admin_only or rule:context_is_advsvc",
+ "update_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc",
+ "update_port:port_security_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
+diff --git a/neutron/tests/unit/test_policy.py b/neutron/tests/unit/test_policy.py
+index 3888ce3..4be404f 100644
+--- a/neutron/tests/unit/test_policy.py
++++ b/neutron/tests/unit/test_policy.py
+@@ -232,6 +232,7 @@ class NeutronPolicyTestCase(base.BaseTestCase):
+ "regular_user": "role:user",
+ "shared": "field:networks:shared=True",
+ "external": "field:networks:router:external=True",
++ "network_device": "field:port:device_owner=~^network:",
+ "default": '@',
+
+ "create_network": "rule:admin_or_owner",
+@@ -243,6 +244,7 @@ class NeutronPolicyTestCase(base.BaseTestCase):
+ "create_subnet": "rule:admin_or_network_owner",
+ "create_port:mac": "rule:admin_or_network_owner or "
+ "rule:context_is_advsvc",
++ "create_port:device_owner": "not rule:network_device",
+ "update_port": "rule:admin_or_owner or rule:context_is_advsvc",
+ "get_port": "rule:admin_or_owner or rule:context_is_advsvc",
+ "delete_port": "rule:admin_or_owner or rule:context_is_advsvc",
+@@ -312,6 +314,20 @@ class NeutronPolicyTestCase(base.BaseTestCase):
+ self._test_nonadmin_action_on_attr('create', 'shared', True,
+ common_policy.PolicyNotAuthorized)
+
++ def test_create_port_device_owner_regex(self):
++ blocked_values = ('network:', 'network:abdef', 'network:dhcp',
++ 'network:router_interface')
++ for val in blocked_values:
++ self._test_advsvc_action_on_attr(
++ 'create', 'port', 'device_owner', val,
++ common_policy.PolicyNotAuthorized
++ )
++ ok_values = ('network', 'networks', 'my_network:test', 'my_network:')
++ for val in ok_values:
++ self._test_advsvc_action_on_attr(
++ 'create', 'port', 'device_owner', val
++ )
++
+ def test_advsvc_get_network_works(self):
+ self._test_advsvc_action_on_attr('get', 'network', 'shared', False)
+
+--
+1.9.1
+
+++ /dev/null
-From e0c8cbc5dd610b4c580935ea56436495a6d4eb26 Mon Sep 17 00:00:00 2001
-From: Aaron Rosen <aaronorosen@gmail.com>
-Date: Wed, 3 Jun 2015 16:19:39 -0700
-Subject: [PATCH] Provide work around for 0.0.0.0/0 ::/0 for ipset
-
-Previously, the ipset_manager would pass in 0.0.0.0/0 or ::/0 if
-these addresses were inputted as allowed address pairs. This causes
-ipset to raise an error as it does not work with zero prefix sizes.
-To solve this problem we use two ipset rules to represent this:
-
-Ipv4: 0.0.0.0/1 and 128.0.0.1/1
-IPv6: ::/1' and '8000::/1
-
-All of this logic is handled via _sanitize_addresses() in the ipset_manager
-which is called to convert the input.
-
-Closes-bug: 1461054
-
-Conflicts:
- neutron/agent/linux/ipset_manager.py
- neutron/tests/unit/agent/linux/test_ipset_manager.py
-
-(cherry picked from commit 80a0fc3ba063e036b76e05e89b0cc54fc2d47c81)
----
- neutron/agent/linux/ipset_manager.py | 23 ++++++++++++++++++++++
- .../tests/unit/agent/linux/test_ipset_manager.py | 19 +++++++++++++++---
- 2 files changed, 39 insertions(+), 3 deletions(-)
-
-diff --git a/neutron/agent/linux/ipset_manager.py b/neutron/agent/linux/ipset_manager.py
-index 0f76418..af59f1f 100644
---- a/neutron/agent/linux/ipset_manager.py
-+++ b/neutron/agent/linux/ipset_manager.py
-@@ -11,6 +11,8 @@
- # See the License for the specific language governing permissions and
- # limitations under the License.
-
-+import netaddr
-+
- from neutron.agent.linux import utils as linux_utils
- from neutron.common import utils
-
-@@ -31,6 +33,26 @@ class IpsetManager(object):
- self.namespace = namespace
- self.ipset_sets = {}
-
-+ def _sanitize_addresses(self, addresses):
-+ """This method converts any address to ipset format.
-+
-+ If an address has a mask of /0 we need to cover to it to a mask of
-+ /1 as ipset does not support /0 length addresses. Instead we use two
-+ /1's to represent the /0.
-+ """
-+ sanitized_addresses = []
-+ for ip in addresses:
-+ if (netaddr.IPNetwork(ip).prefixlen == 0):
-+ if(netaddr.IPNetwork(ip).version == 4):
-+ sanitized_addresses.append('0.0.0.0/1')
-+ sanitized_addresses.append('128.0.0.0/1')
-+ elif (netaddr.IPNetwork(ip).version == 6):
-+ sanitized_addresses.append('::/1')
-+ sanitized_addresses.append('8000::/1')
-+ else:
-+ sanitized_addresses.append(ip)
-+ return sanitized_addresses
-+
- @staticmethod
- def get_name(id, ethertype):
- """Returns the given ipset name for an id+ethertype pair.
-@@ -51,6 +73,7 @@ class IpsetManager(object):
- add / remove new members, or swapped atomically if
- that's faster.
- """
-+ member_ips = self._sanitize_addresses(member_ips)
- set_name = self.get_name(id, ethertype)
- if not self.set_exists(id, ethertype):
- # The initial creation is handled with create/refresh to
-diff --git a/neutron/tests/unit/agent/linux/test_ipset_manager.py b/neutron/tests/unit/agent/linux/test_ipset_manager.py
-index 4484008..a1c6dc5 100644
---- a/neutron/tests/unit/agent/linux/test_ipset_manager.py
-+++ b/neutron/tests/unit/agent/linux/test_ipset_manager.py
-@@ -38,7 +38,7 @@ class BaseIpsetManagerTest(base.BaseTestCase):
- def expect_set(self, addresses):
- temp_input = ['create NETIPv4fake_sgid-new hash:net family inet']
- temp_input.extend('add NETIPv4fake_sgid-new %s' % ip
-- for ip in addresses)
-+ for ip in self.ipset._sanitize_addresses(addresses))
- input = '\n'.join(temp_input)
- self.expected_calls.extend([
- mock.call(['ipset', 'restore', '-exist'],
-@@ -55,13 +55,16 @@ class BaseIpsetManagerTest(base.BaseTestCase):
- self.expected_calls.extend(
- mock.call(['ipset', 'add', '-exist', TEST_SET_NAME, ip],
- process_input=None,
-- run_as_root=True) for ip in addresses)
-+ run_as_root=True)
-+ for ip in self.ipset._sanitize_addresses(addresses))
-
- def expect_del(self, addresses):
-+
- self.expected_calls.extend(
- mock.call(['ipset', 'del', TEST_SET_NAME, ip],
- process_input=None,
-- run_as_root=True) for ip in addresses)
-+ run_as_root=True)
-+ for ip in self.ipset._sanitize_addresses(addresses))
-
- def expect_create(self):
- self.expected_calls.append(
-@@ -113,6 +116,16 @@ class IpsetManagerTestCase(BaseIpsetManagerTest):
- self.ipset.set_members(TEST_SET_ID, ETHERTYPE, FAKE_IPS)
- self.verify_mock_calls()
-
-+ def test_set_members_adding_all_zero_ipv4(self):
-+ self.expect_set(['0.0.0.0/0'])
-+ self.ipset.set_members(TEST_SET_ID, ETHERTYPE, ['0.0.0.0/0'])
-+ self.verify_mock_calls()
-+
-+ def test_set_members_adding_all_zero_ipv6(self):
-+ self.expect_set(['::/0'])
-+ self.ipset.set_members(TEST_SET_ID, ETHERTYPE, ['::/0'])
-+ self.verify_mock_calls()
-+
- def test_destroy(self):
- self.add_first_ip()
- self.expect_destroy()
---
-1.9.1
--- /dev/null
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+PYTHON_COMPAT=( python2_7 )
+
+inherit distutils-r1 linux-info user
+
+DESCRIPTION="A virtual network service for Openstack"
+HOMEPAGE="https://launchpad.net/neutron"
+SRC_URI="https://launchpad.net/${PN}/kilo/${PV}/+download/${P}.tar.gz"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="compute-only dhcp doc l3 metadata openvswitch linuxbridge server test sqlite mysql postgres"
+REQUIRED_USE="!compute-only? ( || ( mysql postgres sqlite ) )
+ compute-only? ( !mysql !postgres !sqlite !dhcp !l3 !metadata !server
+ || ( openvswitch linuxbridge ) )"
+
+DEPEND="
+ dev-python/setuptools[${PYTHON_USEDEP}]
+ >=dev-python/pbr-0.8[${PYTHON_USEDEP}]
+ <dev-python/pbr-1.0[${PYTHON_USEDEP}]
+ app-admin/sudo
+ test? (
+ ${RDEPEND}
+ >=dev-python/hacking-0.10.0[${PYTHON_USEDEP}]
+ <dev-python/hacking-0.11[${PYTHON_USEDEP}]
+ >=dev-python/cliff-1.10.0[${PYTHON_USEDEP}]
+ <dev-python/cliff-1.11.0[${PYTHON_USEDEP}]
+ >=dev-python/coverage-3.6[${PYTHON_USEDEP}]
+ >=dev-python/fixtures-0.3.14[${PYTHON_USEDEP}]
+ <dev-python/fixtures-1.3.0[${PYTHON_USEDEP}]
+ >=dev-python/mock-1.0[${PYTHON_USEDEP}]
+ <dev-python/mock-1.1.0[${PYTHON_USEDEP}]
+ >=dev-python/subunit-0.0.18[${PYTHON_USEDEP}]
+ >=dev-python/requests-mock-0.6.0[${PYTHON_USEDEP}]
+ >=dev-python/sphinx-1.1.2[${PYTHON_USEDEP}]
+ !~dev-python/sphinx-1.2.0[${PYTHON_USEDEP}]
+ <dev-python/sphinx-1.3[${PYTHON_USEDEP}]
+ >=dev-python/oslo-sphinx-2.5.0[${PYTHON_USEDEP}]
+ <dev-python/oslo-sphinx-2.6.0[${PYTHON_USEDEP}]
+ >=dev-python/testrepository-0.0.18[${PYTHON_USEDEP}]
+ >=dev-python/testtools-0.9.36[${PYTHON_USEDEP}]
+ !~dev-python/testtools-1.2.0[${PYTHON_USEDEP}]
+ >=dev-python/testscenarios-0.4[${PYTHON_USEDEP}]
+ >=dev-python/webtest-2.0[${PYTHON_USEDEP}]
+ >=dev-python/oslotest-1.5.1[${PYTHON_USEDEP}]
+ <dev-python/oslotest-1.6.0[${PYTHON_USEDEP}]
+ >=dev-python/tempest-lib-0.4.0[${PYTHON_USEDEP}]
+ <dev-python/tempest-lib-0.5.0[${PYTHON_USEDEP}]
+ )"
+
+RDEPEND="
+ dev-python/paste[${PYTHON_USEDEP}]
+ >=dev-python/pastedeploy-1.5.0-r1[${PYTHON_USEDEP}]
+ >=dev-python/routes-1.12.3[${PYTHON_USEDEP}]
+ !~dev-python/routes-2.0[${PYTHON_USEDEP}]
+ >=dev-python/eventlet-0.16.1[${PYTHON_USEDEP}]
+ !~dev-python/eventlet-0.17.0[${PYTHON_USEDEP}]
+ >=dev-python/greenlet-0.3.2[${PYTHON_USEDEP}]
+ >=dev-python/httplib2-0.7.5[${PYTHON_USEDEP}]
+ >=dev-python/requests-2.2.0[${PYTHON_USEDEP}]
+ !~dev-python/requests-2.4.0[${PYTHON_USEDEP}]
+ dev-python/jsonrpclib[${PYTHON_USEDEP}]
+ >=dev-python/jinja-2.6[${PYTHON_USEDEP}]
+ >=dev-python/keystonemiddleware-1.5.0[${PYTHON_USEDEP}]
+ <dev-python/keystonemiddleware-1.6.0[${PYTHON_USEDEP}]
+ >=dev-python/netaddr-0.7.12[${PYTHON_USEDEP}]
+ >=dev-python/python-neutronclient-2.3.11[${PYTHON_USEDEP}]
+ <dev-python/python-neutronclient-2.5.0[${PYTHON_USEDEP}]
+ >=dev-python/retrying-1.2.3[${PYTHON_USEDEP}]
+ !~dev-python/retrying-1.3.0[${PYTHON_USEDEP}]
+ compute-only? (
+ >=dev-python/sqlalchemy-0.9.7[${PYTHON_USEDEP}]
+ <=dev-python/sqlalchemy-0.9.99[${PYTHON_USEDEP}]
+ )
+ sqlite? (
+ >=dev-python/sqlalchemy-0.9.7[sqlite,${PYTHON_USEDEP}]
+ <=dev-python/sqlalchemy-0.9.99[sqlite,${PYTHON_USEDEP}]
+ )
+ mysql? (
+ dev-python/mysql-python
+ >=dev-python/sqlalchemy-0.9.7[${PYTHON_USEDEP}]
+ <=dev-python/sqlalchemy-0.9.99[${PYTHON_USEDEP}]
+ )
+ postgres? (
+ dev-python/psycopg:2
+ >=dev-python/sqlalchemy-0.9.7[${PYTHON_USEDEP}]
+ <=dev-python/sqlalchemy-0.9.99[${PYTHON_USEDEP}]
+ )
+ >=dev-python/webob-1.2.3[${PYTHON_USEDEP}]
+ >=dev-python/python-keystoneclient-1.2.0[${PYTHON_USEDEP}]
+ <dev-python/python-keystoneclient-1.4.0[${PYTHON_USEDEP}]
+ >=dev-python/alembic-0.7.2[${PYTHON_USEDEP}]
+ >=dev-python/six-1.9.0[${PYTHON_USEDEP}]
+ >=dev-python/stevedore-1.3.0[${PYTHON_USEDEP}]
+ <dev-python/stevedore-1.4.0[${PYTHON_USEDEP}]
+ >=dev-python/oslo-concurrency-1.8.0[${PYTHON_USEDEP}]
+ <dev-python/oslo-concurrency-1.9.0[${PYTHON_USEDEP}]
+ >=dev-python/oslo-config-1.9.3[${PYTHON_USEDEP}]
+ <dev-python/oslo-config-1.10.0[${PYTHON_USEDEP}]
+ >=dev-python/oslo-context-0.2.0[${PYTHON_USEDEP}]
+ <dev-python/oslo-context-0.3.0[${PYTHON_USEDEP}]
+ >=dev-python/oslo-db-1.7.0[${PYTHON_USEDEP}]
+ <dev-python/oslo-db-1.8.0[${PYTHON_USEDEP}]
+ >=dev-python/oslo-i18n-1.5.0[${PYTHON_USEDEP}]
+ <dev-python/oslo-i18n-1.6.0[${PYTHON_USEDEP}]
+ >=dev-python/oslo-log-1.0.0[${PYTHON_USEDEP}]
+ <dev-python/oslo-log-1.1.0[${PYTHON_USEDEP}]
+ >=dev-python/oslo-messaging-1.8.0[${PYTHON_USEDEP}]
+ <dev-python/oslo-messaging-1.9.0[${PYTHON_USEDEP}]
+ >=dev-python/oslo-middleware-1.0.0[${PYTHON_USEDEP}]
+ <dev-python/oslo-middleware-1.1.0[${PYTHON_USEDEP}]
+ >=dev-python/oslo-rootwrap-1.6.0[${PYTHON_USEDEP}]
+ <dev-python/oslo-rootwrap-1.7.0[${PYTHON_USEDEP}]
+ >=dev-python/oslo-serialization-1.4.0[${PYTHON_USEDEP}]
+ <dev-python/oslo-serialization-1.5.0[${PYTHON_USEDEP}]
+ >=dev-python/oslo-utils-1.4.0[${PYTHON_USEDEP}]
+ <dev-python/oslo-utils-1.5.0[${PYTHON_USEDEP}]
+ >=dev-python/python-novaclient-2.22.0[${PYTHON_USEDEP}]
+ <dev-python/python-novaclient-2.24.0[${PYTHON_USEDEP}]
+ dev-python/pyudev[${PYTHON_USEDEP}]
+ sys-apps/iproute2
+ net-misc/bridge-utils
+ net-firewall/ipset
+ net-firewall/iptables
+ net-firewall/ebtables
+ openvswitch? ( net-misc/openvswitch )
+ dhcp? ( net-dns/dnsmasq[dhcp-tools] )"
+
+PATCHES=(
+ "${FILESDIR}/CVE-2015-5240_2015.1.1.patch"
+)
+
+pkg_setup() {
+ linux-info_pkg_setup
+ CONFIG_CHECK_MODULES="VLAN_8021Q IP6_NF_FILTER IP6_NF_IPTABLES IP_NF_TARGET_REJECT \
+ IP_NF_MANGLE IP_NF_TARGET_MASQUERADE NF_NAT_IPV4 NF_CONNTRACK_IPV4 NF_DEFRAG_IPV4 \
+ NF_NAT_IPV4 NF_NAT NF_CONNTRACK IP_NF_FILTER IP_NF_IPTABLES NETFILTER_XTABLES"
+ if linux_config_exists; then
+ for module in ${CONFIG_CHECK_MODULES}; do
+ linux_chkconfig_present ${module} || ewarn "${module} needs to be enabled in kernel"
+ done
+ fi
+ enewgroup neutron
+ enewuser neutron -1 -1 /var/lib/neutron neutron
+}
+
+pkg_config() {
+ fperms 0700 /var/log/neutron
+ fowners neutron:neutron /var/log neutron
+}
+
+src_prepare() {
+ #it's /bin/ip not /sbin/ip
+ sed -i 's/sbin\/ip\,/bin\/ip\,/g' etc/neutron/rootwrap.d/*
+ distutils-r1_src_prepare
+}
+
+python_compile_all() {
+ use doc && make -C doc html
+}
+
+python_test() {
+ # https://bugs.launchpad.net/neutron/+bug/1234857
+ # https://bugs.launchpad.net/swift/+bug/1249727
+ # https://bugs.launchpad.net/neutron/+bug/1251657
+ # turn multiprocessing off, testr will use it --parallel
+ local DISTUTILS_NO_PARALLEL_BUILD=1
+ # Move tests out that attempt net connection, have failures
+ mv $(find . -name test_ovs_tunnel.py) . || die
+ sed -e 's:test_app_using_ipv6_and_ssl:_&:' \
+ -e 's:test_start_random_port_with_ipv6:_&:' \
+ -i neutron/tests/unit/test_wsgi.py || die
+ testr init
+ testr run --parallel || die "failed testsuite under python2.7"
+}
+
+python_install() {
+ distutils-r1_python_install
+ if use server; then
+ newinitd "${FILESDIR}/neutron.initd" "neutron-server"
+ newconfd "${FILESDIR}/neutron-server.confd" "neutron-server"
+ dosym /etc/neutron/plugin.ini /etc/neutron/plugins/ml2/ml2_conf.ini
+ fi
+ if use dhcp; then
+ newinitd "${FILESDIR}/neutron.initd" "neutron-dhcp-agent"
+ newconfd "${FILESDIR}/neutron-dhcp-agent.confd" "neutron-dhcp-agent"
+ fi
+ if use l3; then
+ newinitd "${FILESDIR}/neutron.initd" "neutron-l3-agent"
+ newconfd "${FILESDIR}/neutron-l3-agent.confd" "neutron-l3-agent"
+ fi
+ if use metadata; then
+ newinitd "${FILESDIR}/neutron.initd" "neutron-metadata-agent"
+ newconfd "${FILESDIR}/neutron-metadata-agent.confd" "neutron-metadata-agent"
+ fi
+ if use openvswitch; then
+ newinitd "${FILESDIR}/neutron.initd" "neutron-openvswitch-agent"
+ newconfd "${FILESDIR}/neutron-openvswitch-agent.confd" "neutron-openvswitch-agent"
+ newinitd "${FILESDIR}/neutron.initd" "neutron-ovs-cleanup"
+ newconfd "${FILESDIR}/neutron-openvswitch-agent.confd" "neutron-ovs-cleanup"
+ fi
+ if use linuxbridge; then
+ newinitd "${FILESDIR}/neutron.initd" "neutron-linuxbridge-agent"
+ newconfd "${FILESDIR}/neutron-linuxbridge-agent.confd" "neutron-linuxbridge-agent"
+ fi
+ diropts -m 755 -o neutron -g neutron
+ dodir /var/log/neutron /var/lib/neutron
+ keepdir /etc/neutron
+ insinto /etc/neutron
+ insopts -m 0640 -o neutron -g neutron
+
+ doins etc/*
+ # stupid renames
+ rm "${D}etc/neutron/quantum"
+ insinto /etc/neutron
+ doins -r "etc/neutron/plugins"
+ insopts -m 0640 -o root -g root
+ doins "etc/rootwrap.conf"
+ doins -r "etc/neutron/rootwrap.d"
+
+ insopts -m 0644
+ insinto "/usr/lib64/python2.7/site-packages/neutron/db/migration/alembic_migrations/"
+ doins -r "neutron/db/migration/alembic_migrations/versions"
+
+ #add sudoers definitions for user neutron
+ insinto /etc/sudoers.d/
+ insopts -m 0440 -o root -g root
+ newins "${FILESDIR}/neutron.sudoersd" neutron
+
+ #remove superfluous stuff
+ rm -R "${D}/usr/etc/"
+}
+
+python_install_all() {
+ use doc && local HTML_DOCS=( doc/build/html/. )
+ distutils-r1_python_install_all
+}
+
+pkg_postinst() {
+ elog
+ elog "neutron-server's conf.d file may need updating to include additional ini files"
+ elog "We currently assume the ml2 plugin will be used but do not make assumptions"
+ elog "on if you will use openvswitch or linuxbridge (or something else)"
+ elog
+ elog "Other conf.d files may need updating too, but should be good for the default use case"
+ elog
+}
projects / gentoo.git / commitdiff