author Harald Jensås <hjensas@redhat.com> 2018-08-17 18:08:39 +0200
committer Harald Jensås <hjensas@redhat.com> 2018-08-21 11:43:20 +0200
commit 8c5d7de6938dc44c807cfa4bbd01cbecc12e797c (patch)
tree b4b39476090ded9faa52dacd9f857b9202ef3708
parent be06e77dabbbd5ffa4ff48a1a676305c4db2f581 (diff)
Add rootwrap filter for systemctl control of dnsmasq
The dnsmasq pxe filter takes start/stop commands for the dnsmasq service as options. Restarting the systemd service requires root access. This change adds a rootwrap filter to allow systemctl control of the dnsmasq service.

NOTE: The systemd service name is the one used in the RDO distribution. Additional filters may be needed for other distributions.

Story: 2002818
Task: 24754
Change-Id: Ie961ec4d3b6b65a462e2d2493f5b9240c2bfa7a6
Notes
Notes (review):
Code-Review+1: Kaifeng Wang <kaifeng.w@gmail.com>
Code-Review+2: Julia Kreger <juliaashleykreger@gmail.com>
Code-Review+1: zhaixiaojun <zhaixiaojun@gohighsec.com>
Code-Review+2: Dmitry Tantsur <divius.inside@gmail.com>
Workflow+1: Dmitry Tantsur <divius.inside@gmail.com>
Verified+2: Zuul
Submitted-by: Zuul
Submitted-at: Thu, 23 Aug 2018 15:20:09 +0000
Reviewed-on: https://review.openstack.org/593114
Project: openstack/ironic-inspector
Branch: refs/heads/master
-rw-r--r-- releasenotes/notes/dnsmask-pxe-filter-rootwrap-systemctl-099964ad39d38b4c.yaml 11
-rw-r--r-- rootwrap.d/ironic-inspector-firewall.filters 6
-rw-r--r-- rootwrap.d/ironic-inspector.filters 10
3 files changed, 21 insertions, 6 deletions
diff --git a/releasenotes/notes/dnsmask-pxe-filter-rootwrap-systemctl-099964ad39d38b4c.yaml b/releasenotes/notes/dnsmask-pxe-filter-rootwrap-systemctl-099964ad39d38b4c.yaml
new file mode 100644
index 0000000..49a393a
--- /dev/null
+++ b/releasenotes/notes/dnsmask-pxe-filter-rootwrap-systemctl-099964ad39d38b4c.yaml
@@ -0,0 +1,11 @@
1---
2fixes:
3 - |
4 A new rootwrap filter is now included to allow control of the systemd
5 dnsmasq service used by ironic-inspector. This fixes a permission issue
6 when systemctl commands are used as ``dnsmasq_start_command`` and
7 ``dnsmasq_stop_command`` in the configuration for the dnsmasq pxe filter.
8 See bug `2002818 <https://storyboard.openstack.org/#!/story/2002818>`_.
9
10 .. Note:: The filter uses the systemd service name used by the RDO
11 distrubution (``openstack-ironic-inspector-dnsmasq.service``).
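Review bot: Line 11 of the release note misspells "distribution" as "distrubution", and the new file name uses "dnsmask" where the service is dnsmasq; both are worth correcting before the note is published. Because the filter only matches ``openstack-ironic-inspector-dnsmasq.service``, the note could also state that operators on other distributions must add their own filter for their unit name, as the commit message already says.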
diff --git a/rootwrap.d/ironic-inspector-firewall.filters b/rootwrap.d/ironic-inspector-firewall.filters
deleted file mode 100644
index 893454f..0000000
--- a/rootwrap.d/ironic-inspector-firewall.filters
+++ /dev/null
@@ -1,6 +0,0 @@
1# ironic-inspector-rootwrap command filters for firewall manipulation
2# This file should be owned by (and only-writeable by) the root user
3
4[Filters]
5# ironic_inspector/firewall.py
6iptables: CommandFilter, iptables, root
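Review bot: Deleting rootwrap.d/ironic-inspector-firewall.filters and carrying its iptables entry in a differently named file is visible on upgrade, but the release note in this commit only has a fixes section. Consider adding an upgrade entry that names the old and new filter files, so that packaging which installs the file by name is updated and a stale copy of the old file is not left in the filters directory.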
diff --git a/rootwrap.d/ironic-inspector.filters b/rootwrap.d/ironic-inspector.filters
new file mode 100644
index 0000000..352dd84
--- /dev/null
+++ b/rootwrap.d/ironic-inspector.filters
@@ -0,0 +1,10 @@
1# This file should be owned by (and only-writeable by) the root user
2
3[Filters]
4# ironic-inspector-rootwrap command filters for firewall manipulation
5# ironic_inspector/firewall.py
6iptables: CommandFilter, iptables, root
7
8# ironic-inspector-rootwrap command filters for systemctl manipulation of the dnsmasq service
9# ironic_inspector/pxe_filter/dnsmasq.py
10systemctl: RegExpFilter, /bin/systemctl, root, systemctl, .*, openstack-ironic-inspector-dnsmasq.service
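Review bot: On line 10 the pattern for the systemctl verb is `.*`, so the filter allows any systemctl subcommand to run as root against the unit, not only the start and stop commands the commit message describes. Suggest listing the verbs that are actually needed, for example `(start|stop|restart)` in place of `.*`, and escaping the dots in the unit name (`openstack-ironic-inspector-dnsmasq\.service`), since each argument of a RegExpFilter is treated as a regular expression and an unescaped `.` matches any character.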