Merge "Add rootwrap filter for systemctl control of dnsmasq"

releasenotes/notes/dnsmask-pxe-filter-rootwrap-systemctl-099964ad39d38b4c.yaml

@@ -0,0 +1,11 @@
+---
+fixes:
+  - |
+    A new rootwrap filter is now included to allow control of the systemd
+    dnsmasq service used by ironic-inspector. This fixes a permission issue
+    when systemctl commands are used as ``dnsmasq_start_command`` and
+    ``dnsmasq_stop_command`` in the configuration for the dnsmasq pxe filter.
+    See bug `2002818 <https://storyboard.openstack.org/#!/story/2002818>`_.
+
+    .. Note:: The filter uses the systemd service name used by the RDO
+              distrubution (``openstack-ironic-inspector-dnsmasq.service``).

rootwrap.d/ironic-inspector-firewall.filters

@@ -1,6 +0,0 @@
-# ironic-inspector-rootwrap command filters for firewall manipulation
-# This file should be owned by (and only-writeable by) the root user
-
-[Filters]
-# ironic_inspector/firewall.py
-iptables: CommandFilter, iptables, root

rootwrap.d/ironic-inspector.filters

@@ -0,0 +1,10 @@
+# This file should be owned by (and only-writeable by) the root user
+
+[Filters]
+# ironic-inspector-rootwrap command filters for firewall manipulation
+# ironic_inspector/firewall.py
+iptables: CommandFilter, iptables, root
+
+# ironic-inspector-rootwrap command filters for systemctl manipulation of the dnsmasq service
+# ironic_inspector/pxe_filter/dnsmasq.py
+systemctl: RegExpFilter, /bin/systemctl, root, systemctl, .*, openstack-ironic-inspector-dnsmasq.service