From be6ee6f397124dbf076cbad9f93b6ac5cb67facf Mon Sep 17 00:00:00 2001
From: Rodolfo Alonso Hernandez
Date: Tue, 30 Mar 2021 14:49:26 +0000
Subject: [PATCH] Remove not needed rootwrap filters

This patch moves all remaining filters to a single file.

Since [1], the number of processes executed using rootwrap have been reduced to a small set.

[1]https://storyboard.openstack.org/#!/story/2007686

Story: #2007686
Task: #41284
Change-Id: Ic7eb717b9ee18068d7a6d7acb11302dd1fde60c6
---
 etc/neutron/rootwrap.d/debug.filters | 12 -------
 etc/neutron/rootwrap.d/dhcp.filters | 21 ------------
 etc/neutron/rootwrap.d/dibbler.filters | 16 ----------
 etc/neutron/rootwrap.d/ipset-firewall.filters | 12 -------
 etc/neutron/rootwrap.d/l3.filters | 32 -------------------
 .../rootwrap.d/linuxbridge-plugin.filters | 13 --------
 .../rootwrap.d/openvswitch-plugin.filters | 18 -----------
 .../{privsep.filters => rootwrap.filters} | 26 +++++++++++++++
 8 files changed, 26 insertions(+), 124 deletions(-)
 delete mode 100644 etc/neutron/rootwrap.d/debug.filters
 delete mode 100644 etc/neutron/rootwrap.d/dhcp.filters
 delete mode 100644 etc/neutron/rootwrap.d/dibbler.filters
 delete mode 100644 etc/neutron/rootwrap.d/ipset-firewall.filters
 delete mode 100644 etc/neutron/rootwrap.d/l3.filters
 delete mode 100644 etc/neutron/rootwrap.d/linuxbridge-plugin.filters
 delete mode 100644 etc/neutron/rootwrap.d/openvswitch-plugin.filters
 rename etc/neutron/rootwrap.d/{privsep.filters => rootwrap.filters} (66%)

diff --git a/etc/neutron/rootwrap.d/debug.filters b/etc/neutron/rootwrap.d/debug.filters
deleted file mode 100644
index 33d5e575222..00000000000
--- a/etc/neutron/rootwrap.d/debug.filters
+++ /dev/null
@@ -1,12 +0,0 @@
-# neutron-rootwrap command filters for nodes on which neutron is
-# expected to control network
-#
-# This file should be owned by (and only-writeable by) the root user
-
-# format seems to be
-# cmd-name: filter-name, raw-command, user, args
-
-[Filters]
-
-# "sleep" command, only for testing
-sleep: RegExpFilter, sleep, root, sleep, \d+
diff --git a/etc/neutron/rootwrap.d/dhcp.filters b/etc/neutron/rootwrap.d/dhcp.filters
deleted file mode 100644
index 960ec31b01f..00000000000
--- a/etc/neutron/rootwrap.d/dhcp.filters
+++ /dev/null
@@ -1,21 +0,0 @@
-# neutron-rootwrap command filters for nodes on which neutron is
-# expected to control network
-#
-# This file should be owned by (and only-writeable by) the root user
-
-# format seems to be
-# cmd-name: filter-name, raw-command, user, args
-
-[Filters]
-
-# dhcp-agent
-dnsmasq: CommandFilter, dnsmasq, root
-
-mm-ctl: CommandFilter, mm-ctl, root
-
-# haproxy
-haproxy: RegExpFilter, haproxy, root, haproxy, -f, .*
-
-# ip_lib
-ip: IpFilter, ip, root
-ip_exec: IpNetnsExecFilter, ip, root
diff --git a/etc/neutron/rootwrap.d/dibbler.filters b/etc/neutron/rootwrap.d/dibbler.filters
deleted file mode 100644
index eea55252f35..00000000000
--- a/etc/neutron/rootwrap.d/dibbler.filters
+++ /dev/null
@@ -1,16 +0,0 @@
-# neutron-rootwrap command filters for nodes on which neutron is
-# expected to control network
-#
-# This file should be owned by (and only-writeable by) the root user
-
-# format seems to be
-# cmd-name: filter-name, raw-command, user, args
-
-[Filters]
-
-# Filters for the dibbler-based reference implementation of the pluggable
-# Prefix Delegation driver. Other implementations using an alternative agent
-# should include a similar filter in this folder.
-
-# prefix_delegation_agent
-dibbler-client: CommandFilter, dibbler-client, root
diff --git a/etc/neutron/rootwrap.d/ipset-firewall.filters b/etc/neutron/rootwrap.d/ipset-firewall.filters
deleted file mode 100644
index 52c66373b2a..00000000000
--- a/etc/neutron/rootwrap.d/ipset-firewall.filters
+++ /dev/null
@@ -1,12 +0,0 @@
-# neutron-rootwrap command filters for nodes on which neutron is
-# expected to control network
-#
-# This file should be owned by (and only-writeable by) the root user
-
-# format seems to be
-# cmd-name: filter-name, raw-command, user, args
-
-[Filters]
-# neutron/agent/linux/iptables_firewall.py
-# "ipset", "-A", ...
-ipset: CommandFilter, ipset, root
diff --git a/etc/neutron/rootwrap.d/l3.filters b/etc/neutron/rootwrap.d/l3.filters
deleted file mode 100644
index fb00275e357..00000000000
--- a/etc/neutron/rootwrap.d/l3.filters
+++ /dev/null
@@ -1,32 +0,0 @@
-# neutron-rootwrap command filters for nodes on which neutron is
-# expected to control network
-#
-# This file should be owned by (and only-writeable by) the root user
-
-# format seems to be
-# cmd-name: filter-name, raw-command, user, args
-
-[Filters]
-
-# l3_agent
-route: CommandFilter, route, root
-radvd: CommandFilter, radvd, root
-
-# haproxy
-haproxy: RegExpFilter, haproxy, root, haproxy, -f, .*
-
-# ip_lib
-ip: IpFilter, ip, root
-ip_exec: IpNetnsExecFilter, ip, root
-
-# iptables_manager
-iptables-save: CommandFilter, iptables-save, root
-iptables-restore: CommandFilter, iptables-restore, root
-ip6tables-save: CommandFilter, ip6tables-save, root
-ip6tables-restore: CommandFilter, ip6tables-restore, root
-
-# Keepalived
-keepalived: CommandFilter, keepalived, root
-
-# keepalived state change monitor
-keepalived_state_change: CommandFilter, neutron-keepalived-state-change, root
diff --git a/etc/neutron/rootwrap.d/linuxbridge-plugin.filters b/etc/neutron/rootwrap.d/linuxbridge-plugin.filters
deleted file mode 100644
index 2ed1db28d78..00000000000
--- a/etc/neutron/rootwrap.d/linuxbridge-plugin.filters
+++ /dev/null
@@ -1,13 +0,0 @@
-# neutron-rootwrap command filters for nodes on which neutron is
-# expected to control network
-#
-# This file should be owned by (and only-writeable by) the root user
-
-# format seems to be
-# cmd-name: filter-name, raw-command, user, args
-
-[Filters]
-
-# ip_lib
-ip: IpFilter, ip, root
-ip_exec: IpNetnsExecFilter, ip, root
diff --git a/etc/neutron/rootwrap.d/openvswitch-plugin.filters b/etc/neutron/rootwrap.d/openvswitch-plugin.filters
deleted file mode 100644
index 92234424ee5..00000000000
--- a/etc/neutron/rootwrap.d/openvswitch-plugin.filters
+++ /dev/null
@@ -1,18 +0,0 @@
-# neutron-rootwrap command filters for nodes on which neutron is
-# expected to control network
-#
-# This file should be owned by (and only-writeable by) the root user
-
-# format seems to be
-# cmd-name: filter-name, raw-command, user, args
-
-[Filters]
-
-# openvswitch-agent
-# NOTE(yamamoto): of_interface=native doesn't use ovs-ofctl
-ovs-ofctl: CommandFilter, ovs-ofctl, root
-ovsdb-client: CommandFilter, ovsdb-client, root
-
-# ip_lib
-ip: IpFilter, ip, root
-ip_exec: IpNetnsExecFilter, ip, root
diff --git a/etc/neutron/rootwrap.d/privsep.filters b/etc/neutron/rootwrap.d/rootwrap.filters
similarity index 66%
rename from etc/neutron/rootwrap.d/privsep.filters
rename to etc/neutron/rootwrap.d/rootwrap.filters
index 3e7d30b085d..a2f74e60414 100644
--- a/etc/neutron/rootwrap.d/privsep.filters
+++ b/etc/neutron/rootwrap.d/rootwrap.filters
@@ -20,6 +20,7 @@
 # In particular, the oslo.config and python module path must not
 # be writeable by the unprivileged user.
 
+# PRIVSEP
 # oslo.privsep default neutron context
 privsep: PathFilter, privsep-helper, root,
  --config-file, /etc/(?!\.\.).*,
@@ -29,3 +30,28 @@ privsep: PathFilter, privsep-helper, root,
 # NOTE: A second `--config-file` arg can also be added above. Since
 # many neutron components are installed like that (eg: by devstack).
 # Adjust to suit local requirements.
+
+# DEBUG
+sleep: RegExpFilter, sleep, root, sleep, \d+
+
+# EXECUTE COMMANDS IN A NAMESPACE
+ip: IpFilter, ip, root
+ip_exec: IpNetnsExecFilter, ip, root
+
+# METADATA PROXY
+haproxy: RegExpFilter, haproxy, root, haproxy, -f, .*
+
+# DHCP
+dnsmasq: CommandFilter, dnsmasq, root
+
+# DIBBLER
+dibbler-client: CommandFilter, dibbler-client, root
+
+# L3
+radvd: CommandFilter, radvd, root
+keepalived: CommandFilter, keepalived, root
+keepalived_state_change: CommandFilter, neutron-keepalived-state-change, root
+
+# OPEN VSWITCH
+ovs-ofctl: CommandFilter, ovs-ofctl, root
+ovsdb-client: CommandFilter, ovsdb-client, root
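Review bot: The `sleep` filter added under `# DEBUG` was previously isolated in debug.filters, whose own comment marked it `only for testing`, so a production deployment could leave it out simply by not shipping that file; folding it into the single mandatory filter file drops both the caveat and the opt-out. Consider restoring the caveat on the heading, e.g. `# DEBUG (testing only; remove on production nodes)`, or keeping it in a separately deployable file. The same consolidation means every node now carries the whole list (`ip_exec`, `haproxy`, `dnsmasq`, `keepalived`, `ovs-ofctl`, …) regardless of which agents run there, so neutron-rootwrap will accept those commands as root on, for example, a node that runs only the L2 agent. If that widening is intended, it deserves a sentence in the commit message so operators know to prune the file per node role; if the file header (outside this hunk) no longer carries the `This file should be owned by (and only-writeable by) the root user` notice that each deleted file had, it is worth adding back as well.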