Add rootwrap filters for ofagent

neutron-ofagent-agent currently relies on the fact the rootwrap
filters for neutron-openvswitch-agent covers what it needs.
as they are independent agents and their requirements are
getting more different, introduce a dedicated rootwrap filters
for ofagent.

Closes-Bug: #1392560
Change-Id: Iba205260a238431432caf8d9697268ceeef85eca

diff --git a/etc/neutron/rootwrap.d/ofagent.filters b/etc/neutron/rootwrap.d/ofagent.filters
new file mode 100644 (file)
index 0000000..11e4256
--- /dev/null
+++ b/etc/neutron/rootwrap.d/ofagent.filters
@@ -0,0 +1,16 @@
+# neutron-rootwrap command filters for nodes on which
+# neutron-ofagent-agent is expected to control network
+#
+# This file should be owned by (and only-writeable by) the root user
+
+# format seems to be
+# cmd-name: filter-name, raw-command, user, args
+
+[Filters]
+
+# ovs_lib
+ovs-vsctl: CommandFilter, ovs-vsctl, root
+
+# ip_lib
+ip: IpFilter, ip, root
+ip_exec: IpNetnsExecFilter, ip, root

diff --git a/setup.cfg b/setup.cfg
index a021a4ee0307717bbf358a76a409f0c73f32a885..321aeb5cf94ef4ab6d9ed1fad9dd422d2c1c0ff0 100644 (file)
--- a/setup.cfg
+++ b/setup.cfg
@@ -43,6 +43,7 @@ data_files =
         etc/neutron/rootwrap.d/lbaas-haproxy.filters
         etc/neutron/rootwrap.d/linuxbridge-plugin.filters
         etc/neutron/rootwrap.d/nec-plugin.filters
+        etc/neutron/rootwrap.d/ofagent.filters
         etc/neutron/rootwrap.d/openvswitch-plugin.filters
         etc/neutron/rootwrap.d/ryu-plugin.filters
         etc/neutron/rootwrap.d/vpnaas.filters