author Zuul <zuul@review.openstack.org> 2018-08-23 15:20:09 +0000
committer Gerrit Code Review <review@openstack.org> 2018-08-23 15:20:09 +0000
commit 56138d8f06f531fadc184b0e0efa537c9ad66022
tree 8c74efacbcfa10c3333244b772f34c22cd706eee
parent 574af47cbb9ffe880cb0c778f4991aca319a3f3b
parent 8c5d7de6938dc44c807cfa4bbd01cbecc12e797c
Merge "Add rootwrap filter for systemctl control of dnsmasq"
-rw-r--r-- releasenotes/notes/dnsmask-pxe-filter-rootwrap-systemctl-099964ad39d38b4c.yaml 11
-rw-r--r-- rootwrap.d/ironic-inspector-firewall.filters 6
-rw-r--r-- rootwrap.d/ironic-inspector.filters 10
3 files changed, 21 insertions, 6 deletions
diff --git a/releasenotes/notes/dnsmask-pxe-filter-rootwrap-systemctl-099964ad39d38b4c.yaml b/releasenotes/notes/dnsmask-pxe-filter-rootwrap-systemctl-099964ad39d38b4c.yaml
new file mode 100644
index 0000000..49a393a
--- /dev/null
+++ b/releasenotes/notes/dnsmask-pxe-filter-rootwrap-systemctl-099964ad39d38b4c.yaml
@@ -0,0 +1,11 @@
1---
2fixes:
3 - |
4 A new rootwrap filter is now included to allow control of the systemd
5 dnsmasq service used by ironic-inspector. This fixes a permission issue
6 when systemctl commands are used as ``dnsmasq_start_command`` and
7 ``dnsmasq_stop_command`` in the configuration for the dnsmasq pxe filter.
8 See bug `2002818 <https://storyboard.openstack.org/#!/story/2002818>`_.
9
10 .. Note:: The filter uses the systemd service name used by the RDO
11 distrubution (``openstack-ironic-inspector-dnsmasq.service``).
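Review bot: The note on lines 10-11 says the filter is tied to the RDO unit name but gives operators on other distributions no instruction; add a sentence telling them to change the unit name in rootwrap.d/ironic-inspector.filters to match their own dnsmasq service, otherwise the permission issue this fixes will persist for them. Also, "distrubution" on line 11 should read "distribution", and the note's file name spells "dnsmask" where the options it documents use "dnsmasq".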
diff --git a/rootwrap.d/ironic-inspector-firewall.filters b/rootwrap.d/ironic-inspector-firewall.filters
deleted file mode 100644
index 893454f..0000000
--- a/rootwrap.d/ironic-inspector-firewall.filters
+++ /dev/null
@@ -1,6 +0,0 @@
1# ironic-inspector-rootwrap command filters for firewall manipulation
2# This file should be owned by (and only-writeable by) the root user
3
4[Filters]
5# ironic_inspector/firewall.py
6iptables: CommandFilter, iptables, root
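Review bot: Removing rootwrap.d/ironic-inspector-firewall.filters moves the iptables CommandFilter into a differently named file, and nothing in this change announces that to deployers. Packaging or configuration management that installs the old file by name will either miss the new filters or leave a stale copy in the filters directory; add an upgrade section to the release note that names both the removed file and its replacement.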
diff --git a/rootwrap.d/ironic-inspector.filters b/rootwrap.d/ironic-inspector.filters
new file mode 100644
index 0000000..352dd84
--- /dev/null
+++ b/rootwrap.d/ironic-inspector.filters
@@ -0,0 +1,10 @@
1# This file should be owned by (and only-writeable by) the root user
2
3[Filters]
4# ironic-inspector-rootwrap command filters for firewall manipulation
5# ironic_inspector/firewall.py
6iptables: CommandFilter, iptables, root
7
8# ironic-inspector-rootwrap command filters for systemctl manipulation of the dnsmasq service
9# ironic_inspector/pxe_filter/dnsmasq.py
10systemctl: RegExpFilter, /bin/systemctl, root, systemctl, .*, openstack-ironic-inspector-dnsmasq.service
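Review bot: On line 10, the ".*" in the verb position lets the service user run any systemctl verb against the unit as root (enable, disable, mask and so on), while the release note only calls for the commands set as dnsmasq_start_command and dnsmasq_stop_command. Restrict the pattern to the verbs actually needed, for example (start|stop|restart), and escape the dots in the unit name so that "." does not match arbitrary characters. The hard-coded /bin/systemctl path should also be checked against distributions that install the binary only under /usr/bin.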