Add rootwrap filter for systemctl control of dnsmasq

The dnsmasq pxe filter takes start/stop commands for the
dnsmasq service as options. Restarting the systemd service
requires root access.

This change adds a rootwrap filter to allow systemctl
control of the dnsmasq service.

NOTE: The systemd service name is the one used in the RDO
distribution. Additional filters may be needed for other
distributions.

Story: 2002818
Task: 24754
Change-Id: Ie961ec4d3b6b65a462e2d2493f5b9240c2bfa7a6
Harald Jensås 2018-08-17 18:08:39 +02:00
parent be06e77dab
commit 8c5d7de693
3 changed files with 21 additions and 6 deletions


@ -0,0 +1,11 @@
---
fixes:
- |
A new rootwrap filter is now included to allow control of the systemd
dnsmasq service used by ironic-inspector. This fixes a permission issue
when systemctl commands are used as ``dnsmasq_start_command`` and
``dnsmasq_stop_command`` in the configuration for the dnsmasq pxe filter.
See bug `2002818 <https://storyboard.openstack.org/#!/story/2002818>`_.
.. Note:: The filter uses the systemd service name used by the RDO
distrubution (``openstack-ironic-inspector-dnsmasq.service``).
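
Review bot: Typo in the `.. Note::` text at the end of this release note: "distrubution" should be "distribution". Because the filter only matches ``openstack-ironic-inspector-dnsmasq.service``, the note should also say that deployments using a different unit name have to add their own filter, as the commit message already does.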


@ -1,6 +0,0 @@
# ironic-inspector-rootwrap command filters for firewall manipulation
# This file should be owned by (and only-writeable by) the root user
[Filters]
# ironic_inspector/firewall.py
iptables: CommandFilter, iptables, root
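
Review bot: Missing upgrade documentation for this removal: the whole file holding `iptables: CommandFilter, iptables, root` is deleted and the entry reappears in the newly added filter file, but the release note has only a `fixes` section. Add an `upgrade` entry so packagers and deployers who install the filter file by name know to pick up the new file and drop this one.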


@ -0,0 +1,10 @@
# This file should be owned by (and only-writeable by) the root user
[Filters]
# ironic-inspector-rootwrap command filters for firewall manipulation
# ironic_inspector/firewall.py
iptables: CommandFilter, iptables, root
# ironic-inspector-rootwrap command filters for systemctl manipulation of the dnsmasq service
# ironic_inspector/pxe_filter/dnsmasq.py
systemctl: RegExpFilter, /bin/systemctl, root, systemctl, .*, openstack-ironic-inspector-dnsmasq.service
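
Review bot: The `.*` argument in the `systemctl: RegExpFilter` entry on the last line is broader than this change needs: it lets the service user run any single systemctl verb as root against the unit, not only the start and stop commands the dnsmasq pxe filter issues. Restrict it to the verbs actually used, for example `(start|stop|restart)`, and escape the dot in the unit name (`openstack-ironic-inspector-dnsmasq\.service`) so that only the literal name matches. The hard-coded `/bin/systemctl` path deserves the same distribution caveat the commit message gives for the unit name.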