Delete the rootwrap.d filters
Delete the rootwrap.d filter templates and use the configuration provided by the upstream OpenStack packages. Change-Id: Ia386d550e2dbd939038c913b2bd5c0dda1fc0a8c
This commit is contained in:
parent
e10b15c783
commit
8eaa0eab1f
@ -1,14 +0,0 @@
|
|||
# neutron-rootwrap command filters for nodes on which neutron is
|
||||
# expected to control network
|
||||
#
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
# format seems to be
|
||||
# cmd-name: filter-name, raw-command, user, args
|
||||
|
||||
[Filters]
|
||||
|
||||
# This is needed because we should ping
|
||||
# from inside a namespace which requires root
|
||||
ping: RegExpFilter, /bin/ping, root, ping, -w, \d+, -c, \d+, [0-9\.]+
|
||||
ping6: RegExpFilter, /bin/ping6, root, ping6, -w, \d+, -c, \d+, [0-9A-Fa-f:]+
|
|
@ -1,40 +0,0 @@
|
|||
# neutron-rootwrap command filters for nodes on which neutron is
|
||||
# expected to control network
|
||||
#
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
# format seems to be
|
||||
# cmd-name: filter-name, raw-command, user, args
|
||||
|
||||
[Filters]
|
||||
|
||||
# dhcp-agent
|
||||
ip_exec_dnsmasq: DnsmasqNetnsFilter, /sbin/ip, root
|
||||
dnsmasq: DnsmasqFilter, /sbin/dnsmasq, root
|
||||
dnsmasq_usr: DnsmasqFilter, /usr/sbin/dnsmasq, root
|
||||
# dhcp-agent uses kill as well, that's handled by the generic KillFilter
|
||||
# it looks like these are the only signals needed, per
|
||||
# neutron/agent/linux/dhcp.py
|
||||
kill_dnsmasq: KillFilter, root, /sbin/dnsmasq, -9, -HUP
|
||||
kill_dnsmasq_usr: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP
|
||||
|
||||
# dhcp-agent uses cat
|
||||
cat: RegExpFilter, /bin/cat, root, cat, /proc/\d+/cmdline
|
||||
ovs-vsctl: CommandFilter, /bin/ovs-vsctl, root
|
||||
ovs-vsctl_usr: CommandFilter, /usr/bin/ovs-vsctl, root
|
||||
ovs-vsctl_sbin: CommandFilter, /sbin/ovs-vsctl, root
|
||||
ovs-vsctl_sbin_usr: CommandFilter, /usr/sbin/ovs-vsctl, root
|
||||
|
||||
# metadata proxy
|
||||
metadata_proxy: CommandFilter, /usr/bin/neutron-ns-metadata-proxy, root
|
||||
# If installed from source (say, by devstack), the prefix will be
|
||||
# /usr/local instead of /usr/bin.
|
||||
metadata_proxy_local: CommandFilter, /usr/local/bin/neutron-ns-metadata-proxy, root
|
||||
kill_metadata7: KillFilter, root, /usr/bin/python2.7, -9
|
||||
kill_metadata6: KillFilter, root, /usr/bin/python2.6, -9
|
||||
|
||||
# ip_lib
|
||||
ip: IpFilter, /sbin/ip, root
|
||||
ip_usr: IpFilter, /usr/sbin/ip, root
|
||||
ip_exec: IpNetnsExecFilter, /sbin/ip, root
|
||||
ip_exec_usr: IpNetnsExecFilter, /usr/sbin/ip, root
|
|
@ -1,21 +0,0 @@
|
|||
# neutron-rootwrap command filters for nodes on which neutron is
|
||||
# expected to control network
|
||||
#
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
# format seems to be
|
||||
# cmd-name: filter-name, raw-command, user, args
|
||||
|
||||
[Filters]
|
||||
|
||||
# neutron/agent/linux/iptables_manager.py
|
||||
# "iptables-save", ...
|
||||
iptables-save: CommandFilter, /sbin/iptables-save, root
|
||||
iptables-restore: CommandFilter, /sbin/iptables-restore, root
|
||||
ip6tables-save: CommandFilter, /sbin/ip6tables-save, root
|
||||
ip6tables-restore: CommandFilter, /sbin/ip6tables-restore, root
|
||||
|
||||
# neutron/agent/linux/iptables_manager.py
|
||||
# "iptables", "-A", ...
|
||||
iptables: CommandFilter, /sbin/iptables, root
|
||||
ip6tables: CommandFilter, /sbin/ip6tables, root
|
|
@ -1,43 +0,0 @@
|
|||
# neutron-rootwrap command filters for nodes on which neutron is
|
||||
# expected to control network
|
||||
#
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
# format seems to be
|
||||
# cmd-name: filter-name, raw-command, user, args
|
||||
|
||||
[Filters]
|
||||
|
||||
# arping
|
||||
arping: CommandFilter, /usr/bin/arping, root
|
||||
arping_sbin: CommandFilter, /sbin/arping, root
|
||||
|
||||
# l3_agent
|
||||
sysctl: CommandFilter, /sbin/sysctl, root
|
||||
route: CommandFilter, /sbin/route, root
|
||||
|
||||
# metadata proxy
|
||||
metadata_proxy: CommandFilter, /usr/bin/neutron-ns-metadata-proxy, root
|
||||
# If installed from source (say, by devstack), the prefix will be
|
||||
# /usr/local instead of /usr/bin.
|
||||
metadata_proxy_local: CommandFilter, /usr/local/bin/neutron-ns-metadata-proxy, root
|
||||
kill_metadata7: KillFilter, root, /usr/bin/python2.7, -9
|
||||
kill_metadata6: KillFilter, root, /usr/bin/python2.6, -9
|
||||
|
||||
# ip_lib
|
||||
ip: IpFilter, /sbin/ip, root
|
||||
ip_usr: IpFilter, /usr/sbin/ip, root
|
||||
ip_exec: IpNetnsExecFilter, /sbin/ip, root
|
||||
ip_exec_usr: IpNetnsExecFilter, /usr/sbin/ip, root
|
||||
|
||||
# ovs_lib (if OVSInterfaceDriver is used)
|
||||
ovs-vsctl: CommandFilter, /bin/ovs-vsctl, root
|
||||
ovs-vsctl_usr: CommandFilter, /usr/bin/ovs-vsctl, root
|
||||
ovs-vsctl_sbin: CommandFilter, /sbin/ovs-vsctl, root
|
||||
ovs-vsctl_sbin_usr: CommandFilter, /usr/sbin/ovs-vsctl, root
|
||||
|
||||
# iptables_manager
|
||||
iptables-save: CommandFilter, /sbin/iptables-save, root
|
||||
iptables-restore: CommandFilter, /sbin/iptables-restore, root
|
||||
ip6tables-save: CommandFilter, /sbin/ip6tables-save, root
|
||||
ip6tables-restore: CommandFilter, /sbin/ip6tables-restore, root
|
|
@ -1,29 +0,0 @@
|
|||
# neutron-rootwrap command filters for nodes on which neutron is
|
||||
# expected to control network
|
||||
#
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
# format seems to be
|
||||
# cmd-name: filter-name, raw-command, user, args
|
||||
|
||||
[Filters]
|
||||
|
||||
# haproxy
|
||||
haproxy: CommandFilter, /usr/sbin/haproxy, root
|
||||
|
||||
# lbaas-agent uses kill as well, that's handled by the generic KillFilter
|
||||
kill_haproxy_usr: KillFilter, root, /usr/sbin/haproxy, -9, -HUP
|
||||
|
||||
# lbaas-agent uses cat
|
||||
cat: RegExpFilter, /bin/cat, root, cat, /proc/\d+/cmdline
|
||||
|
||||
ovs-vsctl: CommandFilter, /bin/ovs-vsctl, root
|
||||
ovs-vsctl_usr: CommandFilter, /usr/bin/ovs-vsctl, root
|
||||
ovs-vsctl_sbin: CommandFilter, /sbin/ovs-vsctl, root
|
||||
ovs-vsctl_sbin_usr: CommandFilter, /usr/sbin/ovs-vsctl, root
|
||||
|
||||
# ip_lib
|
||||
ip: IpFilter, /sbin/ip, root
|
||||
ip_usr: IpFilter, /usr/sbin/ip, root
|
||||
ip_exec: IpNetnsExecFilter, /sbin/ip, root
|
||||
ip_exec_usr: IpNetnsExecFilter, /usr/sbin/ip, root
|
|
@ -1,21 +0,0 @@
|
|||
# neutron-rootwrap command filters for nodes on which neutron is
|
||||
# expected to control network
|
||||
#
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
# format seems to be
|
||||
# cmd-name: filter-name, raw-command, user, args
|
||||
|
||||
[Filters]
|
||||
|
||||
# linuxbridge-agent
|
||||
# unclear whether both variants are necessary, but I'm transliterating
|
||||
# from the old mechanism
|
||||
brctl: CommandFilter, /sbin/brctl, root
|
||||
brctl_usr: CommandFilter, /usr/sbin/brctl, root
|
||||
|
||||
# ip_lib
|
||||
ip: IpFilter, /sbin/ip, root
|
||||
ip_usr: IpFilter, /usr/sbin/ip, root
|
||||
ip_exec: IpNetnsExecFilter, /sbin/ip, root
|
||||
ip_exec_usr: IpNetnsExecFilter, /usr/sbin/ip, root
|
|
@ -1,15 +0,0 @@
|
|||
# neutron-rootwrap command filters for nodes on which neutron is
|
||||
# expected to control network
|
||||
#
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
# format seems to be
|
||||
# cmd-name: filter-name, raw-command, user, args
|
||||
|
||||
[Filters]
|
||||
|
||||
# nec_neutron_agent
|
||||
ovs-vsctl: CommandFilter, /bin/ovs-vsctl, root
|
||||
ovs-vsctl_usr: CommandFilter, /usr/bin/ovs-vsctl, root
|
||||
ovs-vsctl_sbin: CommandFilter, /sbin/ovs-vsctl, root
|
||||
ovs-vsctl_sbin_usr: CommandFilter, /usr/sbin/ovs-vsctl, root
|
|
@ -1,29 +0,0 @@
|
|||
# neutron-rootwrap command filters for nodes on which neutron is
|
||||
# expected to control network
|
||||
#
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
# format seems to be
|
||||
# cmd-name: filter-name, raw-command, user, args
|
||||
|
||||
[Filters]
|
||||
|
||||
# openvswitch-agent
|
||||
# unclear whether both variants are necessary, but I'm transliterating
|
||||
# from the old mechanism
|
||||
ovs-vsctl: CommandFilter, /bin/ovs-vsctl, root
|
||||
ovs-vsctl_usr: CommandFilter, /usr/bin/ovs-vsctl, root
|
||||
ovs-vsctl_sbin: CommandFilter, /sbin/ovs-vsctl, root
|
||||
ovs-vsctl_sbin_usr: CommandFilter, /usr/sbin/ovs-vsctl, root
|
||||
ovs-ofctl: CommandFilter, /bin/ovs-ofctl, root
|
||||
ovs-ofctl_usr: CommandFilter, /usr/bin/ovs-ofctl, root
|
||||
ovs-ofctl_sbin: CommandFilter, /sbin/ovs-ofctl, root
|
||||
ovs-ofctl_sbin_usr: CommandFilter, /usr/sbin/ovs-ofctl, root
|
||||
xe: CommandFilter, /sbin/xe, root
|
||||
xe_usr: CommandFilter, /usr/sbin/xe, root
|
||||
|
||||
# ip_lib
|
||||
ip: IpFilter, /sbin/ip, root
|
||||
ip_usr: IpFilter, /usr/sbin/ip, root
|
||||
ip_exec: IpNetnsExecFilter, /sbin/ip, root
|
||||
ip_exec_usr: IpNetnsExecFilter, /usr/sbin/ip, root
|
|
@ -1,25 +0,0 @@
|
|||
# neutron-rootwrap command filters for nodes on which neutron is
|
||||
# expected to control network
|
||||
#
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
# format seems to be
|
||||
# cmd-name: filter-name, raw-command, user, args
|
||||
|
||||
[Filters]
|
||||
|
||||
# ryu-agent
|
||||
# unclear whether both variants are necessary, but I'm transliterating
|
||||
# from the old mechanism
|
||||
|
||||
# neutron/plugins/ryu/agent/ryu_neutron_agent.py:
|
||||
# "ovs-vsctl", "--timeout=2", ...
|
||||
ovs-vsctl: CommandFilter, /bin/ovs-vsctl, root
|
||||
ovs-vsctl_usr: CommandFilter, /usr/bin/ovs-vsctl, root
|
||||
ovs-vsctl_sbin: CommandFilter, /sbin/ovs-vsctl, root
|
||||
ovs-vsctl_sbin_usr: CommandFilter, /usr/sbin/ovs-vsctl, root
|
||||
|
||||
# neutron/plugins/ryu/agent/ryu_neutron_agent.py:
|
||||
# "xe", "vif-param-get", ...
|
||||
xe: CommandFilter, /bin/xe, root
|
||||
xe_usr: CommandFilter, /usr/bin/xe, root
|
|
@ -79,15 +79,6 @@ directory ::File.dirname node["openstack"]["network"]["api"]["auth"]["cache_dir"
|
|||
only_if { node["openstack"]["auth"]["strategy"] == "pki" }
|
||||
end
|
||||
|
||||
# This will copy recursively all the files in
|
||||
# /files/default/etc/neutron/rootwrap.d
|
||||
remote_directory "/etc/neutron/rootwrap.d" do
|
||||
source "etc/neutron/rootwrap.d"
|
||||
files_owner node["openstack"]["network"]["platform"]["user"]
|
||||
files_group node["openstack"]["network"]["platform"]["group"]
|
||||
files_mode 00700
|
||||
end
|
||||
|
||||
template "/etc/neutron/rootwrap.conf" do
|
||||
source "rootwrap.conf.erb"
|
||||
owner node["openstack"]["network"]["platform"]["user"]
|
||||
|
|
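Review bot: Nodes converged before this change keep the cookbook-deployed filter files under /etc/neutron/rootwrap.d, because Chef does not remove files that a dropped resource once deployed; those copies were written with files_owner set to node["openstack"]["network"]["platform"]["user"] (presumably the neutron service user) and mode 0700, even though the filters' own header says each file must be owned by and writable only by root, so a compromised service account could rewrite what rootwrap is allowed to run as root. A cleanup resource in place of the removed block would close that window, but only after confirming that the upstream package on each supported platform does not itself install its filters into /etc/neutron/rootwrap.d (filter locations differ between distributions, as far as I know), in which case a recursive delete would remove the packaged filters too. It is also worth checking that rootwrap.conf.erb's filters_path now points at wherever the package places its filters, since that template is not in this hunk. The directory resource whose only_if opens the hunk begins outside it.
```ruby
# Chef does not remove files that a dropped resource previously deployed:
# nodes converged before this change still carry the cookbook's copies of
# the filters, owned by the service user with mode 0700.  Remove them so
# rootwrap only loads the root-owned filters shipped by the package.
# NOTE(review): confirm the package on each supported platform does not
# itself install into /etc/neutron/rootwrap.d before deleting recursively.
directory "/etc/neutron/rootwrap.d" do
  recursive true
  action :delete
end

template "/etc/neutron/rootwrap.conf" do
# … unchanged: rootwrap.conf template body …
```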