openstack
/
openstack-ansible-os_neutron
Code Issues Proposed changes

Update paste, policy and rootwrap configurations 2017-03-16 

Change-Id: I616327635d2796ebec37905f63414d786c2d0591
This commit is contained in:
Andy McCrae 2017-03-16 10:19:49 +01:00 committed by Jesse Pretorius
parent 847ffa8d17
commit 4783d52ecd
4 changed files with 13 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
files/rootwrap.d/dhcp.filters
View File

@ -22,9 +22,13 @@ mm-ctl: CommandFilter, mm-ctl, root
dhcp_release: CommandFilter, dhcp_release, root
dhcp_release6: CommandFilter, dhcp_release6, root
# metadata proxy
metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
# haproxy
haproxy: RegExpFilter, haproxy, root, haproxy, -f, .*
kill_haproxy: KillFilter, root, haproxy, -15, -9, -HUP
# RHEL invocation of the metadata proxy will report /usr/bin/python
# TODO(dalvarez): Remove kill_metadata* filters in Q release since
# neutron-ns-metadata-proxy is now replaced by haproxy. We keep them for now
# for the migration process
kill_metadata: KillFilter, root, python, -9
kill_metadata7: KillFilter, root, python2.7, -9
kill_metadata35: KillFilter, root, python3.5, -9

1
files/rootwrap.d/dibbler.filters
View File

@ -14,3 +14,4 @@
# prefix_delegation_agent
dibbler-client: CommandFilter, dibbler-client, root
kill_dibbler-client: KillFilter, root, dibbler-client, -9

3
files/rootwrap.d/iptables-firewall.filters
View File

@ -20,8 +20,5 @@ ip6tables-restore: CommandFilter, ip6tables-restore, root
iptables: CommandFilter, iptables, root
ip6tables: CommandFilter, ip6tables, root
# neutron/agent/linux/iptables_firewall.py
sysctl: CommandFilter, sysctl, root
# neutron/agent/linux/ip_conntrack.py
conntrack: CommandFilter, conntrack, root

8
files/rootwrap.d/l3.filters
View File

@ -16,9 +16,13 @@ sysctl: CommandFilter, sysctl, root
route: CommandFilter, route, root
radvd: CommandFilter, radvd, root
# metadata proxy
metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
# haproxy
haproxy: RegExpFilter, haproxy, root, haproxy, -f, .*
kill_haproxy: KillFilter, root, haproxy, -15, -9, -HUP
# RHEL invocation of the metadata proxy will report /usr/bin/python
# TODO(dalvarez): Remove kill_metadata* filters in Q release since
# neutron-ns-metadata-proxy is now replaced by haproxy. We keep them for now
# for the migration process
kill_metadata: KillFilter, root, python, -15, -9
kill_metadata7: KillFilter, root, python2.7, -15, -9
kill_metadata35: KillFilter, root, python3.5, -15, -9