Fix openstack CADF audit maps and installation

keuko · bbezak · commit 7f5a904e98d7 · 2024-01-17T11:52:20.000Z
This patch fixes missing pycadf's audit maps for services and change the way how pycadf is installed. Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/905858 Closes-Bug: #2047941 Change-Id: I9b43d1a9990ad8aa7381ea81b0f2d692967be949
diff --git a/docker/ceilometer/ceilometer-base/Dockerfile.j2 b/docker/ceilometer/ceilometer-base/Dockerfile.j2
@@ -29,6 +29,7 @@ RUN ln -s ceilometer-base-source/* ceilometer \
     && {{ macros.install_pip(ceilometer_base_pip_packages | customizable("pip_packages")) }} \
     && mkdir -p /etc/ceilometer \
     && cp -r /ceilometer/etc/ceilometer/* /etc/ceilometer/ \
+    && cp /etc/pycadf/ceilometer_api_audit_map.conf /etc/ceilometer/ \
     && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/ceilometer/rootwrap.conf \
     && if [ "$(ls /plugins)" ]; then \
         {{ macros.install_pip(ceilometer_base_plugins_pip_packages) }}; \
diff --git a/docker/cinder/cinder-base/Dockerfile.j2 b/docker/cinder/cinder-base/Dockerfile.j2
@@ -44,6 +44,7 @@ RUN ln -s cinder-base-source/* cinder \
     && {{ macros.install_pip(cinder_base_pip_packages | customizable("pip_packages")) }} \
     && mkdir -p /etc/cinder \
     && cp -r /cinder/etc/cinder/* /etc/cinder/ \
+    && cp /etc/pycadf/cinder_api_audit_map.conf /etc/cinder/ \
     && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/cinder/rootwrap.conf \
     && chmod 750 /etc/sudoers.d \
     && chmod 440 /etc/sudoers.d/kolla_cinder_sudoers \
diff --git a/docker/glance/glance-base/Dockerfile.j2 b/docker/glance/glance-base/Dockerfile.j2
@@ -41,6 +41,7 @@ RUN ln -s glance-base-source/* glance \
     && {{ macros.install_pip(glance_base_pip_packages | customizable("pip_packages")) }} \
     && mkdir -p /etc/glance \
     && cp -r /glance/etc/* /etc/glance/ \
+    && cp /etc/pycadf/glance_api_audit_map.conf /etc/glance/ \
     && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/glance/rootwrap.conf \
     && chmod 750 /etc/sudoers.d \
     && chmod 440 /etc/sudoers.d/kolla_glance_sudoers \
diff --git a/docker/gnocchi/gnocchi-base/Dockerfile.j2 b/docker/gnocchi/gnocchi-base/Dockerfile.j2
@@ -44,6 +44,7 @@ COPY gnocchi_sudoers /etc/sudoers.d/kolla_gnocchi_sudoers
 RUN ln -s gnocchi-base-source/* gnocchi \
     && {{ macros.install_pip(gnocchi_base_pip_packages | customizable("pip_packages")) }} \
     && mkdir -p /etc/gnocchi \
+    && cp /etc/pycadf/gnocchi_api_audit_map.conf /etc/gnocchi/ \
     && chmod 750 /etc/sudoers.d \
     && chmod 640 /etc/sudoers.d/kolla_gnocchi_sudoers \
     && touch /usr/local/bin/kolla_gnocchi_extend_start \
diff --git a/docker/heat/heat-base/Dockerfile.j2 b/docker/heat/heat-base/Dockerfile.j2
@@ -27,6 +27,7 @@ RUN ln -s heat-base-source/* heat \
     && {{ macros.install_pip(heat_base_pip_packages | customizable("pip_packages")) }} \
     && mkdir -p /etc/heat \
     && cp -r /heat/etc/heat/* /etc/heat/ \
+    && cp /etc/pycadf/heat_api_audit_map.conf /etc/heat/ \
     && touch /usr/local/bin/kolla_heat_extend_start \
     && chmod 644 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_heat_extend_start
 
diff --git a/docker/ironic/ironic-base/Dockerfile.j2 b/docker/ironic/ironic-base/Dockerfile.j2
@@ -22,6 +22,7 @@ RUN ln -s ironic-base-source/* ironic \
     && {{ macros.install_pip(ironic_base_pip_packages | customizable("pip_packages")) }} \
     && mkdir -p /etc/ironic \
     && cp -r /var/lib/kolla/venv/etc/ironic/* /etc/ironic/ \
+    && cp /etc/pycadf/ironic_api_audit_map.conf /etc/ironic/ \
     && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/ironic/rootwrap.conf \
     && chmod 750 /etc/sudoers.d \
     && chmod 440 /etc/sudoers.d/kolla_ironic_sudoers \
diff --git a/docker/neutron/neutron-base/Dockerfile.j2 b/docker/neutron/neutron-base/Dockerfile.j2
@@ -74,6 +74,7 @@ RUN ln -s neutron-base-source/* neutron \
     && mkdir -p /etc/neutron \
     && cp -r /neutron/etc/* /etc/neutron/ \
     && cp -r /neutron/etc/neutron/* /etc/neutron/ \
+    && cp /etc/pycadf/neutron_api_audit_map.conf /etc/neutron/ \
     && mv /etc/neutron/neutron/ /etc/neutron/plugins/ \
     && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/neutron/rootwrap.conf \
     && if [ "$(ls /plugins)" ]; then \
diff --git a/docker/nova/nova-base/Dockerfile.j2 b/docker/nova/nova-base/Dockerfile.j2
@@ -70,6 +70,7 @@ RUN ln -s nova-base-source/* nova \
     && {{ macros.install_pip(nova_base_pip_packages | customizable("pip_packages")) }} \
     && mkdir -p /etc/nova/ \
     && cp -r /nova/etc/nova/* /etc/nova/ \
+    && cp /etc/pycadf/nova_api_audit_map.conf /etc/nova/ \
     && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/nova/rootwrap.conf \
     && if [ "$(ls /plugins)" ]; then \
         {{ macros.install_pip(nova_base_plugins_pip_packages) }}; \
diff --git a/docker/octavia/octavia-base/Dockerfile.j2 b/docker/octavia/octavia-base/Dockerfile.j2
@@ -28,6 +28,7 @@ RUN ln -s /octavia-base-source/* octavia \
     && {{ macros.install_pip(octavia_base_pip_packages | customizable("pip_packages")) }} \
     && mkdir -p /etc/octavia \
     && cp -r /octavia/etc/* /etc/octavia/ \
+    && cp /octavia/etc/audit/octavia_api_audit_map.conf.sample /etc/octavia/octavia_api_audit_map.conf \
     && touch /usr/local/bin/kolla_octavia_extend_start \
     && chmod 644 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_octavia_extend_start
 
diff --git a/docker/openstack-base/Dockerfile.j2 b/docker/openstack-base/Dockerfile.j2
@@ -135,7 +135,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
         'pika',
         'prettytable',
         'psutil',
-        'pycadf',
+        '/pycadf',
         'pyinotify',
         'pymysql',
         'pyngus',
@@ -185,7 +185,14 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
 %}
 
 ADD openstack-base-archive /openstack-base-source
-RUN ln -s openstack-base-source/* /requirements \
+ADD plugins-archive /openstack-base-source
+
+RUN ln -s openstack-base-source/plugins/* /pycadf \
+    && mkdir -p /etc/pycadf \
+    && cp /pycadf/etc/pycadf/* /etc/pycadf/
+
+RUN ln -s openstack-base-source/*requirements* /requirements \
+
 {# NOTE(mnasiadka): Remove ovs from upper-constraints.txt because python3-openvswitch
                     is usually newer than UC entry and older version would get installed
                     in venv (see https://launchpad.net/bugs/1961874).
diff --git a/docker/swift/swift-base/Dockerfile.j2 b/docker/swift/swift-base/Dockerfile.j2
@@ -36,6 +36,7 @@ RUN ln -s swift-base-source/* swift \
     && {{ macros.install_pip(swift_base_pip_packages | customizable("pip_packages")) }} \
     && mkdir -p /etc/swift /var/cache/swift /var/lock/swift \
     && cp -r /swift/etc/* /etc/swift/ \
+    && cp /etc/pycadf/swift_api_audit_map.conf /etc/swift/ \
     && chown -R swift: /var/cache/swift /var/lock/swift \
     && chmod 750 /etc/sudoers.d \
     && chmod 440 /etc/sudoers.d/kolla_swift_sudoers \
diff --git a/docker/trove/trove-base/Dockerfile.j2 b/docker/trove/trove-base/Dockerfile.j2
@@ -21,6 +21,7 @@ RUN ln -s trove-base-source/* trove \
     && {{ macros.install_pip(trove_base_pip_packages | customizable("pip_packages")) }} \
     && mkdir -p /etc/trove \
     && cp -r /trove/etc/trove/* /etc/trove/ \
+    && cp /etc/pycadf/trove_api_audit_map.conf /etc/trove/ \
     && touch /usr/local/bin/kolla_trove_extend_start \
     && chmod 644 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_trove_extend_start
 
diff --git a/kolla/common/sources.py b/kolla/common/sources.py
@@ -15,6 +15,10 @@
         'type': 'url',
         'location': ('$tarballs_base/openstack/requirements/'
                      'requirements-${openstack_branch}.tar.gz')},
+    'openstack-base-plugin-pycadf': {
+        'type': 'url',
+        'location': ('$tarballs_base/openstack/pycadf/'
+                     'pycadf-3.1.1.tar.gz')},
     'aodh-base': {
         'type': 'url',
         'location': ('$tarballs_base/openstack/aodh/'
diff --git a/releasenotes/notes/bug-2047941-895a319fd706d2b4.yaml b/releasenotes/notes/bug-2047941-895a319fd706d2b4.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    Fixes missing pycadf's audit map config
+    files `LP#2047941 <https://launchpad.net/bugs/2047941>`__.
