diff options
| author |   Matthew Thode <mthode@mthode.org> | 2015-09-08 09:38:59 -0500 |
|---|---|---|
| committer | Matthew Thode <mthode@mthode.org> | 2015-09-08 09:55:10 -0500 |
| commit | c061e9d47edb942d6c2bfa1a241d415b75431111 (patch) | |
| tree | 18378cfbf013ff4f1dcb6a18e376c149da55e220 /sys-cluster | |
| parent | Version bump, drop old (diff) | |
| download | gentoo-c061e9d47edb942d6c2bfa1a241d415b75431111.tar.gz gentoo-c061e9d47edb942d6c2bfa1a241d415b75431111.tar.bz2 gentoo-c061e9d47edb942d6c2bfa1a241d415b75431111.zip | |
sys-cluster/neutron: fixing CVE-2015-5240
Package-Manager: portage-2.2.20.1
Diffstat (limited to 'sys-cluster')
| -rw-r--r-- | sys-cluster/neutron/files/CVE-2015-5240_2015.1.1.patch | 155 | ||||
| -rw-r--r-- | sys-cluster/neutron/files/cve-2015-3221_2015.1.0.patch | 127 | ||||
| -rw-r--r-- | sys-cluster/neutron/neutron-2015.1.1-r1.ebuild | 252 |
3 files changed, 407 insertions, 127 deletions
diff --git a/sys-cluster/neutron/files/CVE-2015-5240_2015.1.1.patch b/sys-cluster/neutron/files/CVE-2015-5240_2015.1.1.patch new file mode 100644 index 000000000000..ccb2a66bce9b --- /dev/null +++ b/sys-cluster/neutron/files/CVE-2015-5240_2015.1.1.patch @@ -0,0 +1,155 @@ +From 8138e2fe38ad2cde5963685df47b1e4286776352 Mon Sep 17 00:00:00 2001 +From: Kevin Benton <blak111@gmail.com> +Date: Tue, 25 Aug 2015 22:03:27 -0700 +Subject: [PATCH] Stop device_owner from being set to 'network:*' + +This patch adjusts the FieldCheck class in the policy engine to +allow a regex rule. It then leverages that to prevent users from +setting the device_owner field to anything that starts with +'network:' on networks which they do not own. + +This policy adjustment is necessary because any ports with a +device_owner that starts with 'network:' will not have any security +group rules applied because it is assumed they are trusted network +devices (e.g. router ports, DHCP ports, etc). These security rules +include the anti-spoofing protection for DHCP, IPv6 ICMP messages, +and IP headers. + +Without this policy adjustment, tenants can abuse this trust when +connected to a shared network with other tenants by setting their +VM port's device_owner field to 'network:<anything>' and hijack other +tenants' traffic via DHCP spoofing or MAC/IP spoofing. + +Closes-Bug: #1489111 +Change-Id: Ia64cf16142e0e4be44b5b0ed72c8e00792d770f9 +(cherry picked from commit 959a2f28cbbfc309381ea9ffb55090da6fb9c78f) +--- + etc/policy.json | 3 +++ + neutron/api/v2/attributes.py | 2 +- + neutron/policy.py | 3 +++ + neutron/tests/etc/policy.json | 3 +++ + neutron/tests/unit/test_policy.py | 16 ++++++++++++++++ + 5 files changed, 26 insertions(+), 1 deletion(-) + +diff --git a/etc/policy.json b/etc/policy.json +index 8a5de9b..0f04eb2 100644 +--- a/etc/policy.json ++++ b/etc/policy.json +@@ -46,7 +46,9 @@ + "update_network:router:external": "rule:admin_only", + "delete_network": "rule:admin_or_owner", + ++ "network_device": "field:port:device_owner=~^network:", + "create_port": "", ++ "create_port:device_owner": "not rule:network_device or rule:admin_or_network_owner or rule:context_is_advsvc", + "create_port:mac_address": "rule:admin_or_network_owner or rule:context_is_advsvc", + "create_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc", + "create_port:port_security_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc", +@@ -61,6 +63,7 @@ + "get_port:binding:host_id": "rule:admin_only", + "get_port:binding:profile": "rule:admin_only", + "update_port": "rule:admin_or_owner or rule:context_is_advsvc", ++ "update_port:device_owner": "not rule:network_device or rule:admin_or_network_owner or rule:context_is_advsvc", + "update_port:mac_address": "rule:admin_only or rule:context_is_advsvc", + "update_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc", + "update_port:port_security_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc", +diff --git a/neutron/api/v2/attributes.py b/neutron/api/v2/attributes.py +index b9c179a..9ceee78 100644 +--- a/neutron/api/v2/attributes.py ++++ b/neutron/api/v2/attributes.py +@@ -766,7 +766,7 @@ RESOURCE_ATTRIBUTE_MAP = { + 'is_visible': True}, + 'device_owner': {'allow_post': True, 'allow_put': True, + 'validate': {'type:string': DEVICE_OWNER_MAX_LEN}, +- 'default': '', ++ 'default': '', 'enforce_policy': True, + 'is_visible': True}, + 'tenant_id': {'allow_post': True, 'allow_put': False, + 'validate': {'type:string': TENANT_ID_MAX_LEN}, +diff --git a/neutron/policy.py b/neutron/policy.py +index 9e586dd..961ae21 100644 +--- a/neutron/policy.py ++++ b/neutron/policy.py +@@ -335,6 +335,7 @@ class FieldCheck(policy.Check): + + self.field = field + self.value = conv_func(value) ++ self.regex = re.compile(value[1:]) if value.startswith('~') else None + + def __call__(self, target_dict, cred_dict, enforcer): + target_value = target_dict.get(self.field) +@@ -344,6 +345,8 @@ class FieldCheck(policy.Check): + "%(target_dict)s", + {'field': self.field, 'target_dict': target_dict}) + return False ++ if self.regex: ++ return bool(self.regex.match(target_value)) + return target_value == self.value + + +diff --git a/neutron/tests/etc/policy.json b/neutron/tests/etc/policy.json +index 8a5de9b..0f04eb2 100644 +--- a/neutron/tests/etc/policy.json ++++ b/neutron/tests/etc/policy.json +@@ -46,7 +46,9 @@ + "update_network:router:external": "rule:admin_only", + "delete_network": "rule:admin_or_owner", + ++ "network_device": "field:port:device_owner=~^network:", + "create_port": "", ++ "create_port:device_owner": "not rule:network_device or rule:admin_or_network_owner or rule:context_is_advsvc", + "create_port:mac_address": "rule:admin_or_network_owner or rule:context_is_advsvc", + "create_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc", + "create_port:port_security_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc", +@@ -61,6 +63,7 @@ + "get_port:binding:host_id": "rule:admin_only", + "get_port:binding:profile": "rule:admin_only", + "update_port": "rule:admin_or_owner or rule:context_is_advsvc", ++ "update_port:device_owner": "not rule:network_device or rule:admin_or_network_owner or rule:context_is_advsvc", + "update_port:mac_address": "rule:admin_only or rule:context_is_advsvc", + "update_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc", + "update_port:port_security_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc", +diff --git a/neutron/tests/unit/test_policy.py b/neutron/tests/unit/test_policy.py +index 3888ce3..4be404f 100644 +--- a/neutron/tests/unit/test_policy.py ++++ b/neutron/tests/unit/test_policy.py +@@ -232,6 +232,7 @@ class NeutronPolicyTestCase(base.BaseTestCase): + "regular_user": "role:user", + "shared": "field:networks:shared=True", + "external": "field:networks:router:external=True", ++ "network_device": "field:port:device_owner=~^network:", + "default": '@', + + "create_network": "rule:admin_or_owner", +@@ -243,6 +244,7 @@ class NeutronPolicyTestCase(base.BaseTestCase): + "create_subnet": "rule:admin_or_network_owner", + "create_port:mac": "rule:admin_or_network_owner or " + "rule:context_is_advsvc", ++ "create_port:device_owner": "not rule:network_device", + "update_port": "rule:admin_or_owner or rule:context_is_advsvc", + "get_port": "rule:admin_or_owner or rule:context_is_advsvc", + "delete_port": "rule:admin_or_owner or rule:context_is_advsvc", +@@ -312,6 +314,20 @@ class NeutronPolicyTestCase(base.BaseTestCase): + self._test_nonadmin_action_on_attr('create', 'shared', True, + common_policy.PolicyNotAuthorized) + ++ def test_create_port_device_owner_regex(self): ++ blocked_values = ('network:', 'network:abdef', 'network:dhcp', ++ 'network:router_interface') ++ for val in blocked_values: ++ self._test_advsvc_action_on_attr( ++ 'create', 'port', 'device_owner', val, ++ common_policy.PolicyNotAuthorized ++ ) ++ ok_values = ('network', 'networks', 'my_network:test', 'my_network:') ++ for val in ok_values: ++ self._test_advsvc_action_on_attr( ++ 'create', 'port', 'device_owner', val ++ ) ++ + def test_advsvc_get_network_works(self): + self._test_advsvc_action_on_attr('get', 'network', 'shared', False) + +-- +1.9.1 + diff --git a/sys-cluster/neutron/files/cve-2015-3221_2015.1.0.patch b/sys-cluster/neutron/files/cve-2015-3221_2015.1.0.patch deleted file mode 100644 index c6c2230c9bd3..000000000000 --- a/sys-cluster/neutron/files/cve-2015-3221_2015.1.0.patch +++ /dev/null @@ -1,127 +0,0 @@ -From e0c8cbc5dd610b4c580935ea56436495a6d4eb26 Mon Sep 17 00:00:00 2001 -From: Aaron Rosen <aaronorosen@gmail.com> -Date: Wed, 3 Jun 2015 16:19:39 -0700 -Subject: [PATCH] Provide work around for 0.0.0.0/0 ::/0 for ipset - -Previously, the ipset_manager would pass in 0.0.0.0/0 or ::/0 if -these addresses were inputted as allowed address pairs. This causes -ipset to raise an error as it does not work with zero prefix sizes. -To solve this problem we use two ipset rules to represent this: - -Ipv4: 0.0.0.0/1 and 128.0.0.1/1 -IPv6: ::/1' and '8000::/1 - -All of this logic is handled via _sanitize_addresses() in the ipset_manager -which is called to convert the input. - -Closes-bug: 1461054 - -Conflicts: - neutron/agent/linux/ipset_manager.py - neutron/tests/unit/agent/linux/test_ipset_manager.py - -(cherry picked from commit 80a0fc3ba063e036b76e05e89b0cc54fc2d47c81) ---- - neutron/agent/linux/ipset_manager.py | 23 ++++++++++++++++++++++ - .../tests/unit/agent/linux/test_ipset_manager.py | 19 +++++++++++++++--- - 2 files changed, 39 insertions(+), 3 deletions(-) - -diff --git a/neutron/agent/linux/ipset_manager.py b/neutron/agent/linux/ipset_manager.py -index 0f76418..af59f1f 100644 ---- a/neutron/agent/linux/ipset_manager.py -+++ b/neutron/agent/linux/ipset_manager.py -@@ -11,6 +11,8 @@ - # See the License for the specific language governing permissions and - # limitations under the License. - -+import netaddr -+ - from neutron.agent.linux import utils as linux_utils - from neutron.common import utils - -@@ -31,6 +33,26 @@ class IpsetManager(object): - self.namespace = namespace - self.ipset_sets = {} - -+ def _sanitize_addresses(self, addresses): -+ """This method converts any address to ipset format. -+ -+ If an address has a mask of /0 we need to cover to it to a mask of -+ /1 as ipset does not support /0 length addresses. Instead we use two -+ /1's to represent the /0. -+ """ -+ sanitized_addresses = [] -+ for ip in addresses: -+ if (netaddr.IPNetwork(ip).prefixlen == 0): -+ if(netaddr.IPNetwork(ip).version == 4): -+ sanitized_addresses.append('0.0.0.0/1') -+ sanitized_addresses.append('128.0.0.0/1') -+ elif (netaddr.IPNetwork(ip).version == 6): -+ sanitized_addresses.append('::/1') -+ sanitized_addresses.append('8000::/1') -+ else: -+ sanitized_addresses.append(ip) -+ return sanitized_addresses -+ - @staticmethod - def get_name(id, ethertype): - """Returns the given ipset name for an id+ethertype pair. -@@ -51,6 +73,7 @@ class IpsetManager(object): - add / remove new members, or swapped atomically if - that's faster. - """ -+ member_ips = self._sanitize_addresses(member_ips) - set_name = self.get_name(id, ethertype) - if not self.set_exists(id, ethertype): - # The initial creation is handled with create/refresh to -diff --git a/neutron/tests/unit/agent/linux/test_ipset_manager.py b/neutron/tests/unit/agent/linux/test_ipset_manager.py -index 4484008..a1c6dc5 100644 ---- a/neutron/tests/unit/agent/linux/test_ipset_manager.py -+++ b/neutron/tests/unit/agent/linux/test_ipset_manager.py -@@ -38,7 +38,7 @@ class BaseIpsetManagerTest(base.BaseTestCase): - def expect_set(self, addresses): - temp_input = ['create NETIPv4fake_sgid-new hash:net family inet'] - temp_input.extend('add NETIPv4fake_sgid-new %s' % ip -- for ip in addresses) -+ for ip in self.ipset._sanitize_addresses(addresses)) - input = '\n'.join(temp_input) - self.expected_calls.extend([ - mock.call(['ipset', 'restore', '-exist'], -@@ -55,13 +55,16 @@ class BaseIpsetManagerTest(base.BaseTestCase): - self.expected_calls.extend( - mock.call(['ipset', 'add', '-exist', TEST_SET_NAME, ip], - process_input=None, -- run_as_root=True) for ip in addresses) -+ run_as_root=True) -+ for ip in self.ipset._sanitize_addresses(addresses)) - - def expect_del(self, addresses): -+ - self.expected_calls.extend( - mock.call(['ipset', 'del', TEST_SET_NAME, ip], - process_input=None, -- run_as_root=True) for ip in addresses) -+ run_as_root=True) -+ for ip in self.ipset._sanitize_addresses(addresses)) - - def expect_create(self): - self.expected_calls.append( -@@ -113,6 +116,16 @@ class IpsetManagerTestCase(BaseIpsetManagerTest): - self.ipset.set_members(TEST_SET_ID, ETHERTYPE, FAKE_IPS) - self.verify_mock_calls() - -+ def test_set_members_adding_all_zero_ipv4(self): -+ self.expect_set(['0.0.0.0/0']) -+ self.ipset.set_members(TEST_SET_ID, ETHERTYPE, ['0.0.0.0/0']) -+ self.verify_mock_calls() -+ -+ def test_set_members_adding_all_zero_ipv6(self): -+ self.expect_set(['::/0']) -+ self.ipset.set_members(TEST_SET_ID, ETHERTYPE, ['::/0']) -+ self.verify_mock_calls() -+ - def test_destroy(self): - self.add_first_ip() - self.expect_destroy() --- -1.9.1 diff --git a/sys-cluster/neutron/neutron-2015.1.1-r1.ebuild b/sys-cluster/neutron/neutron-2015.1.1-r1.ebuild new file mode 100644 index 000000000000..b262ff95b909 --- /dev/null +++ b/sys-cluster/neutron/neutron-2015.1.1-r1.ebuild @@ -0,0 +1,252 @@ +# Copyright 1999-2015 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Id$ + +EAPI=5 +PYTHON_COMPAT=( python2_7 ) + +inherit distutils-r1 linux-info user + +DESCRIPTION="A virtual network service for Openstack" +HOMEPAGE="https://launchpad.net/neutron" +SRC_URI="https://launchpad.net/${PN}/kilo/${PV}/+download/${P}.tar.gz" + +LICENSE="Apache-2.0" +SLOT="0" +KEYWORDS="~amd64 ~x86" +IUSE="compute-only dhcp doc l3 metadata openvswitch linuxbridge server test sqlite mysql postgres" +REQUIRED_USE="!compute-only? ( || ( mysql postgres sqlite ) ) + compute-only? ( !mysql !postgres !sqlite !dhcp !l3 !metadata !server + || ( openvswitch linuxbridge ) )" + +DEPEND=" + dev-python/setuptools[${PYTHON_USEDEP}] + >=dev-python/pbr-0.8[${PYTHON_USEDEP}] + <dev-python/pbr-1.0[${PYTHON_USEDEP}] + app-admin/sudo + test? ( + ${RDEPEND} + >=dev-python/hacking-0.10.0[${PYTHON_USEDEP}] + <dev-python/hacking-0.11[${PYTHON_USEDEP}] + >=dev-python/cliff-1.10.0[${PYTHON_USEDEP}] + <dev-python/cliff-1.11.0[${PYTHON_USEDEP}] + >=dev-python/coverage-3.6[${PYTHON_USEDEP}] + >=dev-python/fixtures-0.3.14[${PYTHON_USEDEP}] + <dev-python/fixtures-1.3.0[${PYTHON_USEDEP}] + >=dev-python/mock-1.0[${PYTHON_USEDEP}] + <dev-python/mock-1.1.0[${PYTHON_USEDEP}] + >=dev-python/subunit-0.0.18[${PYTHON_USEDEP}] + >=dev-python/requests-mock-0.6.0[${PYTHON_USEDEP}] + >=dev-python/sphinx-1.1.2[${PYTHON_USEDEP}] + !~dev-python/sphinx-1.2.0[${PYTHON_USEDEP}] + <dev-python/sphinx-1.3[${PYTHON_USEDEP}] + >=dev-python/oslo-sphinx-2.5.0[${PYTHON_USEDEP}] + <dev-python/oslo-sphinx-2.6.0[${PYTHON_USEDEP}] + >=dev-python/testrepository-0.0.18[${PYTHON_USEDEP}] + >=dev-python/testtools-0.9.36[${PYTHON_USEDEP}] + !~dev-python/testtools-1.2.0[${PYTHON_USEDEP}] + >=dev-python/testscenarios-0.4[${PYTHON_USEDEP}] + >=dev-python/webtest-2.0[${PYTHON_USEDEP}] + >=dev-python/oslotest-1.5.1[${PYTHON_USEDEP}] + <dev-python/oslotest-1.6.0[${PYTHON_USEDEP}] + >=dev-python/tempest-lib-0.4.0[${PYTHON_USEDEP}] + <dev-python/tempest-lib-0.5.0[${PYTHON_USEDEP}] + )" + +RDEPEND=" + dev-python/paste[${PYTHON_USEDEP}] + >=dev-python/pastedeploy-1.5.0-r1[${PYTHON_USEDEP}] + >=dev-python/routes-1.12.3[${PYTHON_USEDEP}] + !~dev-python/routes-2.0[${PYTHON_USEDEP}] + >=dev-python/eventlet-0.16.1[${PYTHON_USEDEP}] + !~dev-python/eventlet-0.17.0[${PYTHON_USEDEP}] + >=dev-python/greenlet-0.3.2[${PYTHON_USEDEP}] + >=dev-python/httplib2-0.7.5[${PYTHON_USEDEP}] + >=dev-python/requests-2.2.0[${PYTHON_USEDEP}] + !~dev-python/requests-2.4.0[${PYTHON_USEDEP}] + dev-python/jsonrpclib[${PYTHON_USEDEP}] + >=dev-python/jinja-2.6[${PYTHON_USEDEP}] + >=dev-python/keystonemiddleware-1.5.0[${PYTHON_USEDEP}] + <dev-python/keystonemiddleware-1.6.0[${PYTHON_USEDEP}] + >=dev-python/netaddr-0.7.12[${PYTHON_USEDEP}] + >=dev-python/python-neutronclient-2.3.11[${PYTHON_USEDEP}] + <dev-python/python-neutronclient-2.5.0[${PYTHON_USEDEP}] + >=dev-python/retrying-1.2.3[${PYTHON_USEDEP}] + !~dev-python/retrying-1.3.0[${PYTHON_USEDEP}] + compute-only? ( + >=dev-python/sqlalchemy-0.9.7[${PYTHON_USEDEP}] + <=dev-python/sqlalchemy-0.9.99[${PYTHON_USEDEP}] + ) + sqlite? ( + >=dev-python/sqlalchemy-0.9.7[sqlite,${PYTHON_USEDEP}] + <=dev-python/sqlalchemy-0.9.99[sqlite,${PYTHON_USEDEP}] + ) + mysql? ( + dev-python/mysql-python + >=dev-python/sqlalchemy-0.9.7[${PYTHON_USEDEP}] + <=dev-python/sqlalchemy-0.9.99[${PYTHON_USEDEP}] + ) + postgres? ( + dev-python/psycopg:2 + >=dev-python/sqlalchemy-0.9.7[${PYTHON_USEDEP}] + <=dev-python/sqlalchemy-0.9.99[${PYTHON_USEDEP}] + ) + >=dev-python/webob-1.2.3[${PYTHON_USEDEP}] + >=dev-python/python-keystoneclient-1.2.0[${PYTHON_USEDEP}] + <dev-python/python-keystoneclient-1.4.0[${PYTHON_USEDEP}] + >=dev-python/alembic-0.7.2[${PYTHON_USEDEP}] + >=dev-python/six-1.9.0[${PYTHON_USEDEP}] + >=dev-python/stevedore-1.3.0[${PYTHON_USEDEP}] + <dev-python/stevedore-1.4.0[${PYTHON_USEDEP}] + >=dev-python/oslo-concurrency-1.8.0[${PYTHON_USEDEP}] + <dev-python/oslo-concurrency-1.9.0[${PYTHON_USEDEP}] + >=dev-python/oslo-config-1.9.3[${PYTHON_USEDEP}] + <dev-python/oslo-config-1.10.0[${PYTHON_USEDEP}] + >=dev-python/oslo-context-0.2.0[${PYTHON_USEDEP}] + <dev-python/oslo-context-0.3.0[${PYTHON_USEDEP}] + >=dev-python/oslo-db-1.7.0[${PYTHON_USEDEP}] + <dev-python/oslo-db-1.8.0[${PYTHON_USEDEP}] + >=dev-python/oslo-i18n-1.5.0[${PYTHON_USEDEP}] + <dev-python/oslo-i18n-1.6.0[${PYTHON_USEDEP}] + >=dev-python/oslo-log-1.0.0[${PYTHON_USEDEP}] + <dev-python/oslo-log-1.1.0[${PYTHON_USEDEP}] + >=dev-python/oslo-messaging-1.8.0[${PYTHON_USEDEP}] + <dev-python/oslo-messaging-1.9.0[${PYTHON_USEDEP}] + >=dev-python/oslo-middleware-1.0.0[${PYTHON_USEDEP}] + <dev-python/oslo-middleware-1.1.0[${PYTHON_USEDEP}] + >=dev-python/oslo-rootwrap-1.6.0[${PYTHON_USEDEP}] + <dev-python/oslo-rootwrap-1.7.0[${PYTHON_USEDEP}] + >=dev-python/oslo-serialization-1.4.0[${PYTHON_USEDEP}] + <dev-python/oslo-serialization-1.5.0[${PYTHON_USEDEP}] + >=dev-python/oslo-utils-1.4.0[${PYTHON_USEDEP}] + <dev-python/oslo-utils-1.5.0[${PYTHON_USEDEP}] + >=dev-python/python-novaclient-2.22.0[${PYTHON_USEDEP}] + <dev-python/python-novaclient-2.24.0[${PYTHON_USEDEP}] + dev-python/pyudev[${PYTHON_USEDEP}] + sys-apps/iproute2 + net-misc/bridge-utils + net-firewall/ipset + net-firewall/iptables + net-firewall/ebtables + openvswitch? ( net-misc/openvswitch ) + dhcp? ( net-dns/dnsmasq[dhcp-tools] )" + +PATCHES=( + "${FILESDIR}/CVE-2015-5240_2015.1.1.patch" +) + +pkg_setup() { + linux-info_pkg_setup + CONFIG_CHECK_MODULES="VLAN_8021Q IP6_NF_FILTER IP6_NF_IPTABLES IP_NF_TARGET_REJECT \ + IP_NF_MANGLE IP_NF_TARGET_MASQUERADE NF_NAT_IPV4 NF_CONNTRACK_IPV4 NF_DEFRAG_IPV4 \ + NF_NAT_IPV4 NF_NAT NF_CONNTRACK IP_NF_FILTER IP_NF_IPTABLES NETFILTER_XTABLES" + if linux_config_exists; then + for module in ${CONFIG_CHECK_MODULES}; do + linux_chkconfig_present ${module} || ewarn "${module} needs to be enabled in kernel" + done + fi + enewgroup neutron + enewuser neutron -1 -1 /var/lib/neutron neutron +} + +pkg_config() { + fperms 0700 /var/log/neutron + fowners neutron:neutron /var/log neutron +} + +src_prepare() { + #it's /bin/ip not /sbin/ip + sed -i 's/sbin\/ip\,/bin\/ip\,/g' etc/neutron/rootwrap.d/* + distutils-r1_src_prepare +} + +python_compile_all() { + use doc && make -C doc html +} + +python_test() { + # https://bugs.launchpad.net/neutron/+bug/1234857 + # https://bugs.launchpad.net/swift/+bug/1249727 + # https://bugs.launchpad.net/neutron/+bug/1251657 + # turn multiprocessing off, testr will use it --parallel + local DISTUTILS_NO_PARALLEL_BUILD=1 + # Move tests out that attempt net connection, have failures + mv $(find . -name test_ovs_tunnel.py) . || die + sed -e 's:test_app_using_ipv6_and_ssl:_&:' \ + -e 's:test_start_random_port_with_ipv6:_&:' \ + -i neutron/tests/unit/test_wsgi.py || die + testr init + testr run --parallel || die "failed testsuite under python2.7" +} + +python_install() { + distutils-r1_python_install + if use server; then + newinitd "${FILESDIR}/neutron.initd" "neutron-server" + newconfd "${FILESDIR}/neutron-server.confd" "neutron-server" + dosym /etc/neutron/plugin.ini /etc/neutron/plugins/ml2/ml2_conf.ini + fi + if use dhcp; then + newinitd "${FILESDIR}/neutron.initd" "neutron-dhcp-agent" + newconfd "${FILESDIR}/neutron-dhcp-agent.confd" "neutron-dhcp-agent" + fi + if use l3; then + newinitd "${FILESDIR}/neutron.initd" "neutron-l3-agent" + newconfd "${FILESDIR}/neutron-l3-agent.confd" "neutron-l3-agent" + fi + if use metadata; then + newinitd "${FILESDIR}/neutron.initd" "neutron-metadata-agent" + newconfd "${FILESDIR}/neutron-metadata-agent.confd" "neutron-metadata-agent" + fi + if use openvswitch; then + newinitd "${FILESDIR}/neutron.initd" "neutron-openvswitch-agent" + newconfd "${FILESDIR}/neutron-openvswitch-agent.confd" "neutron-openvswitch-agent" + newinitd "${FILESDIR}/neutron.initd" "neutron-ovs-cleanup" + newconfd "${FILESDIR}/neutron-openvswitch-agent.confd" "neutron-ovs-cleanup" + fi + if use linuxbridge; then + newinitd "${FILESDIR}/neutron.initd" "neutron-linuxbridge-agent" + newconfd "${FILESDIR}/neutron-linuxbridge-agent.confd" "neutron-linuxbridge-agent" + fi + diropts -m 755 -o neutron -g neutron + dodir /var/log/neutron /var/lib/neutron + keepdir /etc/neutron + insinto /etc/neutron + insopts -m 0640 -o neutron -g neutron + + doins etc/* + # stupid renames + rm "${D}etc/neutron/quantum" + insinto /etc/neutron + doins -r "etc/neutron/plugins" + insopts -m 0640 -o root -g root + doins "etc/rootwrap.conf" + doins -r "etc/neutron/rootwrap.d" + + insopts -m 0644 + insinto "/usr/lib64/python2.7/site-packages/neutron/db/migration/alembic_migrations/" + doins -r "neutron/db/migration/alembic_migrations/versions" + + #add sudoers definitions for user neutron + insinto /etc/sudoers.d/ + insopts -m 0440 -o root -g root + newins "${FILESDIR}/neutron.sudoersd" neutron + + #remove superfluous stuff + rm -R "${D}/usr/etc/" +} + +python_install_all() { + use doc && local HTML_DOCS=( doc/build/html/. ) + distutils-r1_python_install_all +} + +pkg_postinst() { + elog + elog "neutron-server's conf.d file may need updating to include additional ini files" + elog "We currently assume the ml2 plugin will be used but do not make assumptions" + elog "on if you will use openvswitch or linuxbridge (or something else)" + elog + elog "Other conf.d files may need updating too, but should be good for the default use case" + elog +} |