From 758067bded8de13efa3b1487b710f6eaf92b1474 Mon Sep 17 00:00:00 2001
From: Pete Birley
Date: Wed, 1 Aug 2018 13:49:06 -0500
Subject: [PATCH] Nova: move rootwrap config to be values.yaml driven

This PS updates the nova rootwrap config to be values.yaml driven, inline with neutron and cinder.

Change-Id: I3df7e7de583a75234a6bc4a71a32bd0a8d369332
Signed-off-by: Pete Birley
---
 nova/templates/configmap-etc.yaml | 13 +-
 nova/templates/daemonset-compute.yaml | 18 +-
 nova/templates/deployment-api-metadata.yaml | 18 +-
 nova/templates/etc/_rootwrap.conf.tpl | 27 --
 .../etc/rootwrap.d/_api-metadata.filters.tpl | 13 -
 .../etc/rootwrap.d/_compute.filters.tpl | 259 -----------
 .../etc/rootwrap.d/_network.filters.tpl | 91 ----
 nova/values.yaml | 409 +++++++++++++++++-
 8 files changed, 422 insertions(+), 426 deletions(-)
 delete mode 100644 nova/templates/etc/_rootwrap.conf.tpl
 delete mode 100644 nova/templates/etc/rootwrap.d/_api-metadata.filters.tpl
 delete mode 100644 nova/templates/etc/rootwrap.d/_compute.filters.tpl
 delete mode 100644 nova/templates/etc/rootwrap.d/_network.filters.tpl

diff --git a/nova/templates/configmap-etc.yaml b/nova/templates/configmap-etc.yaml
index 625eda396f..41cc854d95 100644
--- a/nova/templates/configmap-etc.yaml
+++ b/nova/templates/configmap-etc.yaml
@@ -227,13 +227,12 @@ data:
 nova_sudoers: |
 {{ $envAll.Values.conf.nova_sudoers | indent 4 }}
 rootwrap.conf: |
-{{- tuple .Values.conf.rootwrap "etc/_rootwrap.conf.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
- api-metadata.filters: |
-{{- tuple .Values.conf.rootwrap_filters.api_metadata "etc/rootwrap.d/_api-metadata.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
- compute.filters: |
-{{- tuple .Values.conf.rootwrap_filters.compute "etc/rootwrap.d/_compute.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
- network.filters: |
-{{- tuple .Values.conf.rootwrap_filters.network "etc/rootwrap.d/_network.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
+{{- .Values.conf.rootwrap | indent 4 }}
+{{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
+{{- $filePrefix := replace "_" "-" $key }}
+ {{ printf "%s.filters" $filePrefix }}: |
+{{ $value.content | indent 4 }}
+{{- end }}
 nova.conf: |
 {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.nova | indent 4 }}
 logging.conf: |
diff --git a/nova/templates/daemonset-compute.yaml b/nova/templates/daemonset-compute.yaml
index 29e4352b5e..d8401d0099 100644
--- a/nova/templates/daemonset-compute.yaml
+++ b/nova/templates/daemonset-compute.yaml
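Review bot: `{{ $value.content | indent 4 }}` takes `content` from every entry under `conf.rootwrap_filters` with no guard, so an operator-added entry that has `pods` but no `content` would, as far as I can tell, fail inside `indent` on a nil value with no hint of which key is at fault. Since these `.filters` files are the allow-list of what nova-rootwrap may run as root, failing the render is the right outcome, but the error should name the entry: `{{ required (printf "conf.rootwrap_filters.%s.content must be set" $key) $value.content | indent 4 }}`. The same block reads `.Values.conf.rootwrap` on one line and `$envAll.Values.conf.rootwrap_filters` on the next; using one form throughout keeps the data section consistent. Every key in `rootwrap_filters` is published into the ConfigMap regardless of its `pods` list — the per-pod selection happens only in the volumeMounts — which deserves a short template comment here so nobody expects `pods` to gate the file's existence.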
@@ -201,18 +201,16 @@ spec:
 mountPath: /etc/nova/rootwrap.conf
 subPath: rootwrap.conf
 readOnly: true
+ {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
+ {{- if ( has "compute" $value.pods ) }}
+ {{- $filePrefix := replace "_" "-" $key }}
+ {{- $rootwrapFile := printf "/etc/nova/rootwrap.d/%s.filters" $filePrefix }}
 - name: nova-etc
- mountPath: /etc/nova/rootwrap.d/api-metadata.filters
- subPath: api-metadata.filters
- readOnly: true
- - name: nova-etc
- mountPath: /etc/nova/rootwrap.d/compute.filters
- subPath: compute.filters
- readOnly: true
- - name: nova-etc
- mountPath: /etc/nova/rootwrap.d/network.filters
- subPath: network.filters
+ mountPath: {{ $rootwrapFile }}
+ subPath: {{ base $rootwrapFile }}
 readOnly: true
+ {{- end }}
+ {{- end }}
 - name: nova-etc
 mountPath: /root/.ssh/config
 subPath: ssh-config
diff --git a/nova/templates/deployment-api-metadata.yaml b/nova/templates/deployment-api-metadata.yaml
index 183edec78d..bcba71ccb2 100644
--- a/nova/templates/deployment-api-metadata.yaml
+++ b/nova/templates/deployment-api-metadata.yaml
@@ -133,18 +133,16 @@ spec:
 mountPath: /etc/nova/rootwrap.conf
 subPath: rootwrap.conf
 readOnly: true
+ {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
+ {{- if ( has "metadata" $value.pods ) }}
+ {{- $filePrefix := replace "_" "-" $key }}
+ {{- $rootwrapFile := printf "/etc/nova/rootwrap.d/%s.filters" $filePrefix }}
 - name: nova-etc
- mountPath: /etc/nova/rootwrap.d/api-metadata.filters
- subPath: api-metadata.filters
- readOnly: true
- - name: nova-etc
- mountPath: /etc/nova/rootwrap.d/compute.filters
- subPath: compute.filters
- readOnly: true
- - name: nova-etc
- mountPath: /etc/nova/rootwrap.d/network.filters
- subPath: network.filters
+ mountPath: {{ $rootwrapFile }}
+ subPath: {{ base $rootwrapFile }}
 readOnly: true
+ {{- end }}
+ {{- end }}
 - name: pod-shared
 mountPath: /tmp/pod-shared
 readOnly: true
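Review bot: The mount loop added here is repeated verbatim in the deployment-api-metadata.yaml hunk with only the literal `"compute"` changed to `"metadata"`, so the two copies can drift; a named template that takes the pod name and `$envAll` would keep the selection logic in one place. The selector is a free-form string matched with `has` against `$value.pods`, so an entry whose `pods` list is absent or misspelt is silently skipped here while the ConfigMap still carries its `.filters` file, and nothing surfaces the mismatch. As `conf.rootwrap_filters` is now operator-editable, the recognised pod names belong in values.yaml next to the first entry, e.g. `# pods: pods that mount this filter file; recognised values are compute and metadata`. Keeping `readOnly: true` on the generated mount is right and matches the rootwrap.conf requirement that filter directories be writeable only by root. The enclosing volumeMounts list starts and ends outside the hunk.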
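Review bot: With `has "metadata" $value.pods` and the `pods` lists introduced in values.yaml (api_metadata → metadata, compute and network → compute), the api-metadata pod now mounts only api-metadata.filters, whereas the removed lines show it previously also mounted compute.filters and network.filters. That is a sound tightening — the api-metadata filter file's own header scopes it to the ip[6]tables save/restore commands — but it is a behaviour change the commit message does not mention, and operators auditing the per-pod rootwrap allow-list will want it called out; a line such as `The api-metadata pod no longer mounts the compute and network filter files.` in the description would do. The enclosing volumeMounts list starts and ends outside the hunk.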
diff --git a/nova/templates/etc/_rootwrap.conf.tpl b/nova/templates/etc/_rootwrap.conf.tpl deleted file mode 100644 index 74168c8198..0000000000 --- a/nova/templates/etc/_rootwrap.conf.tpl +++ /dev/null @@ -1,27 +0,0 @@ -# Configuration for nova-rootwrap -# This file should be owned by (and only-writeable by) the root user - -[DEFAULT] -# List of directories to load filter definitions from (separated by ','). -# These directories MUST all be only writeable by root ! -filters_path=/etc/nova/rootwrap.d,/usr/share/nova/rootwrap - -# List of directories to search executables in, in case filters do not -# explicitely specify a full path (separated by ',') -# If not specified, defaults to system PATH environment variable. -# These directories MUST all be only writeable by root ! -exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/var/lib/openstack/bin,/var/lib/kolla/venv/bin - -# Enable logging to syslog -# Default value is False -use_syslog=False - -# Which syslog facility to use. -# Valid values include auth, authpriv, syslog, local0, local1... -# Default value is 'syslog' -syslog_log_facility=syslog - -# Which messages to log. -# INFO means log all usage -# ERROR means only log unsuccessful attempts -syslog_log_level=ERROR diff --git a/nova/templates/etc/rootwrap.d/_api-metadata.filters.tpl b/nova/templates/etc/rootwrap.d/_api-metadata.filters.tpl deleted file mode 100644 index 1aa6f83e68..0000000000 --- a/nova/templates/etc/rootwrap.d/_api-metadata.filters.tpl +++ /dev/null 
@@ -1,13 +0,0 @@ -# nova-rootwrap command filters for api-metadata nodes -# This is needed on nova-api hosts running with "metadata" in enabled_apis -# or when running nova-api-metadata -# This file should be owned by (and only-writeable by) the root user - -[Filters] -# nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ... -iptables-save: CommandFilter, iptables-save, root -ip6tables-save: CommandFilter, ip6tables-save, root - -# nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,) -iptables-restore: CommandFilter, iptables-restore, root -ip6tables-restore: CommandFilter, ip6tables-restore, root diff --git a/nova/templates/etc/rootwrap.d/_compute.filters.tpl b/nova/templates/etc/rootwrap.d/_compute.filters.tpl deleted file mode 100644 index 07f18eab3b..0000000000 --- a/nova/templates/etc/rootwrap.d/_compute.filters.tpl +++ /dev/null 
@@ -1,259 +0,0 @@ -# nova-rootwrap command filters for compute nodes -# This file should be owned by (and only-writeable by) the root user - -[Filters] -# nova/virt/disk/mount/api.py: 'kpartx', '-a', device -# nova/virt/disk/mount/api.py: 'kpartx', '-d', device -kpartx: CommandFilter, kpartx, root - -# nova/virt/xenapi/vm_utils.py: tune2fs, -O ^has_journal, part_path -# nova/virt/xenapi/vm_utils.py: tune2fs, -j, partition_path -tune2fs: CommandFilter, tune2fs, root - -# nova/virt/disk/mount/api.py: 'mount', mapped_device -# nova/virt/disk/api.py: 'mount', '-o', 'bind', src, target -# nova/virt/xenapi/vm_utils.py: 'mount', '-t', 'ext2,ext3,ext4,reiserfs'.. -# nova/virt/configdrive.py: 'mount', device, mountdir -# nova/virt/libvirt/volume.py: 'mount', '-t', 'sofs' ... -mount: CommandFilter, mount, root - -# nova/virt/disk/mount/api.py: 'umount', mapped_device -# nova/virt/disk/api.py: 'umount' target -# nova/virt/xenapi/vm_utils.py: 'umount', dev_path -# nova/virt/configdrive.py: 'umount', mountdir -umount: CommandFilter, umount, root - -# nova/virt/disk/mount/nbd.py: 'qemu-nbd', '-c', device, image -# nova/virt/disk/mount/nbd.py: 'qemu-nbd', '-d', device -qemu-nbd: CommandFilter, qemu-nbd, root - -# nova/virt/disk/mount/loop.py: 'losetup', '--find', '--show', image -# nova/virt/disk/mount/loop.py: 'losetup', '--detach', device -losetup: CommandFilter, losetup, root - -# nova/virt/disk/vfs/localfs.py: 'blkid', '-o', 'value', '-s', 'TYPE', device -blkid: CommandFilter, blkid, root - -# nova/virt/libvirt/utils.py: 'blockdev', '--getsize64', path -# nova/virt/disk/mount/nbd.py: 'blockdev', '--flushbufs', device -blockdev: RegExpFilter, blockdev, root, blockdev, (--getsize64|--flushbufs), /dev/.* - -# nova/virt/disk/vfs/localfs.py: 'tee', canonpath -tee: CommandFilter, tee, root - -# nova/virt/disk/vfs/localfs.py: 'mkdir', canonpath -mkdir: CommandFilter, mkdir, root - -# nova/virt/disk/vfs/localfs.py: 'chown' -# nova/virt/libvirt/connection.py: 'chown', os.getuid( 
console_log -# nova/virt/libvirt/connection.py: 'chown', os.getuid( console_log -# nova/virt/libvirt/connection.py: 'chown', 'root', basepath('disk') -chown: CommandFilter, chown, root - -# nova/virt/disk/vfs/localfs.py: 'chmod' -chmod: CommandFilter, chmod, root - -# nova/virt/libvirt/vif.py: 'ip', 'tuntap', 'add', dev, 'mode', 'tap' -# nova/virt/libvirt/vif.py: 'ip', 'link', 'set', dev, 'up' -# nova/virt/libvirt/vif.py: 'ip', 'link', 'delete', dev -# nova/network/linux_net.py: 'ip', 'addr', 'add', str(floating_ip)+'/32'i.. -# nova/network/linux_net.py: 'ip', 'addr', 'del', str(floating_ip)+'/32'.. -# nova/network/linux_net.py: 'ip', 'addr', 'add', '169.254.169.254/32',.. -# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', dev, 'scope',.. -# nova/network/linux_net.py: 'ip', 'addr', 'del/add', ip_params, dev) -# nova/network/linux_net.py: 'ip', 'addr', 'del', params, fields[-1] -# nova/network/linux_net.py: 'ip', 'addr', 'add', params, bridge -# nova/network/linux_net.py: 'ip', '-f', 'inet6', 'addr', 'change', .. -# nova/network/linux_net.py: 'ip', 'link', 'set', 'dev', dev, 'promisc',.. -# nova/network/linux_net.py: 'ip', 'link', 'add', 'link', bridge_if ... -# nova/network/linux_net.py: 'ip', 'link', 'set', interface, address,.. -# nova/network/linux_net.py: 'ip', 'link', 'set', interface, 'up' -# nova/network/linux_net.py: 'ip', 'link', 'set', bridge, 'up' -# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', interface, .. -# nova/network/linux_net.py: 'ip', 'link', 'set', dev, address, .. -# nova/network/linux_net.py: 'ip', 'link', 'set', dev, 'up' -# nova/network/linux_net.py: 'ip', 'route', 'add', .. -# nova/network/linux_net.py: 'ip', 'route', 'del', . -# nova/network/linux_net.py: 'ip', 'route', 'show', 'dev', dev -ip: CommandFilter, ip, root - -# nova/virt/libvirt/vif.py: 'tunctl', '-b', '-t', dev -# nova/network/linux_net.py: 'tunctl', '-b', '-t', dev -tunctl: CommandFilter, tunctl, root - -# nova/virt/libvirt/vif.py: 'ovs-vsctl', ... 
-# nova/virt/libvirt/vif.py: 'ovs-vsctl', 'del-port', ... -# nova/network/linux_net.py: 'ovs-vsctl', .... -ovs-vsctl: CommandFilter, ovs-vsctl, root - -# nova/virt/libvirt/vif.py: 'vrouter-port-control', ... -vrouter-port-control: CommandFilter, vrouter-port-control, root - -# nova/virt/libvirt/vif.py: 'ebrctl', ... -ebrctl: CommandFilter, ebrctl, root - -# nova/virt/libvirt/vif.py: 'mm-ctl', ... -mm-ctl: CommandFilter, mm-ctl, root - -# nova/network/linux_net.py: 'ovs-ofctl', .... -ovs-ofctl: CommandFilter, ovs-ofctl, root - -# nova/virt/libvirt/connection.py: 'dd', if=%s % virsh_output, ... -dd: CommandFilter, dd, root - -# nova/virt/xenapi/volume_utils.py: 'iscsiadm', '-m', ... -iscsiadm: CommandFilter, iscsiadm, root - -# nova/virt/libvirt/volume/aoe.py: 'aoe-revalidate', aoedev -# nova/virt/libvirt/volume/aoe.py: 'aoe-discover' -aoe-revalidate: CommandFilter, aoe-revalidate, root -aoe-discover: CommandFilter, aoe-discover, root - -# nova/virt/xenapi/vm_utils.py: parted, --script, ... -# nova/virt/xenapi/vm_utils.py: 'parted', '--script', dev_path, ..*. -parted: CommandFilter, parted, root - -# nova/virt/xenapi/vm_utils.py: 'pygrub', '-qn', dev_path -pygrub: CommandFilter, pygrub, root - -# nova/virt/xenapi/vm_utils.py: fdisk %(dev_path)s -fdisk: CommandFilter, fdisk, root - -# nova/virt/xenapi/vm_utils.py: e2fsck, -f, -p, partition_path -# nova/virt/disk/api.py: e2fsck, -f, -p, image -e2fsck: CommandFilter, e2fsck, root - -# nova/virt/xenapi/vm_utils.py: resize2fs, partition_path -# nova/virt/disk/api.py: resize2fs, image -resize2fs: CommandFilter, resize2fs, root - -# nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ... 
-iptables-save: CommandFilter, iptables-save, root -ip6tables-save: CommandFilter, ip6tables-save, root - -# nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,) -iptables-restore: CommandFilter, iptables-restore, root -ip6tables-restore: CommandFilter, ip6tables-restore, root - -# nova/network/linux_net.py: 'arping', '-U', floating_ip, '-A', '-I', ... -# nova/network/linux_net.py: 'arping', '-U', network_ref['dhcp_server'],.. -arping: CommandFilter, arping, root - -# nova/network/linux_net.py: 'dhcp_release', dev, address, mac_address -dhcp_release: CommandFilter, dhcp_release, root - -# nova/network/linux_net.py: 'kill', '-9', pid -# nova/network/linux_net.py: 'kill', '-HUP', pid -kill_dnsmasq: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP - -# nova/network/linux_net.py: 'kill', pid -kill_radvd: KillFilter, root, /usr/sbin/radvd - -# nova/network/linux_net.py: dnsmasq call -dnsmasq: EnvFilter, env, root, CONFIG_FILE=, NETWORK_ID=, dnsmasq - -# nova/network/linux_net.py: 'radvd', '-C', '%s' % _ra_file(dev, 'conf'.. 
-radvd: CommandFilter, radvd, root - -# nova/network/linux_net.py: 'brctl', 'addbr', bridge -# nova/network/linux_net.py: 'brctl', 'setfd', bridge, 0 -# nova/network/linux_net.py: 'brctl', 'stp', bridge, 'off' -# nova/network/linux_net.py: 'brctl', 'addif', bridge, interface -brctl: CommandFilter, brctl, root - -# nova/virt/libvirt/utils.py: 'mkswap' -# nova/virt/xenapi/vm_utils.py: 'mkswap' -mkswap: CommandFilter, mkswap, root - -# nova/virt/libvirt/utils.py: 'nova-idmapshift' -nova-idmapshift: CommandFilter, nova-idmapshift, root - -# nova/virt/xenapi/vm_utils.py: 'mkfs' -# nova/utils.py: 'mkfs', fs, path, label -mkfs: CommandFilter, mkfs, root - -# nova/virt/libvirt/utils.py: 'qemu-img' -qemu-img: CommandFilter, qemu-img, root - -# nova/virt/disk/vfs/localfs.py: 'readlink', '-e' -readlink: CommandFilter, readlink, root - -# nova/virt/disk/api.py: -mkfs.ext3: CommandFilter, mkfs.ext3, root -mkfs.ext4: CommandFilter, mkfs.ext4, root -mkfs.ntfs: CommandFilter, mkfs.ntfs, root - -# nova/virt/libvirt/connection.py: -lvremove: CommandFilter, lvremove, root - -# nova/virt/libvirt/utils.py: -lvcreate: CommandFilter, lvcreate, root - -# nova/virt/libvirt/utils.py: -lvs: CommandFilter, lvs, root - -# nova/virt/libvirt/utils.py: -vgs: CommandFilter, vgs, root - -# nova/utils.py:read_file_as_root: 'cat', file_path -# (called from nova/virt/disk/vfs/localfs.py:VFSLocalFS.read_file) -read_passwd: RegExpFilter, cat, root, cat, (/var|/usr)?/tmp/openstack-vfs-localfs[^/]+/etc/passwd -read_shadow: RegExpFilter, cat, root, cat, (/var|/usr)?/tmp/openstack-vfs-localfs[^/]+/etc/shadow - -# os-brick needed commands -read_initiator: ReadFileFilter, /etc/iscsi/initiatorname.iscsi -multipath: CommandFilter, multipath, root -# multipathd show status -multipathd: CommandFilter, multipathd, root -systool: CommandFilter, systool, root -vgc-cluster: CommandFilter, vgc-cluster, root -# os_brick/initiator/connector.py -drv_cfg: CommandFilter, /opt/emc/scaleio/sdc/bin/drv_cfg, root, 
/opt/emc/scaleio/sdc/bin/drv_cfg, --query_guid - -# TODO(smcginnis) Temporary fix. -# Need to pull in os-brick os-brick.filters file instead and clean -# out stale brick values from this file. -scsi_id: CommandFilter, /lib/udev/scsi_id, root -# os_brick.privileged.default oslo.privsep context -# This line ties the superuser privs with the config files, context name, -# and (implicitly) the actual python code invoked. -privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.* - -# nova/storage/linuxscsi.py: sg_scan device -sg_scan: CommandFilter, sg_scan, root - -# nova/volume/encryptors/cryptsetup.py: -# nova/volume/encryptors/luks.py: -ln: RegExpFilter, ln, root, ln, --symbolic, --force, /dev/mapper/crypt-.+, .+ - -# nova/volume/encryptors.py: -# nova/virt/libvirt/dmcrypt.py: -cryptsetup: CommandFilter, cryptsetup, root - -# nova/virt/xenapi/vm_utils.py: -xenstore-read: CommandFilter, xenstore-read, root - -# nova/virt/libvirt/utils.py: -rbd: CommandFilter, rbd, root - -# nova/virt/libvirt/utils.py: 'shred', '-n3', '-s%d' % volume_size, path -shred: CommandFilter, shred, root - -# nova/virt/libvirt/volume.py: 'cp', '/dev/stdin', delete_control.. -cp: CommandFilter, cp, root - -# nova/virt/xenapi/vm_utils.py: -sync: CommandFilter, sync, root - -# nova/virt/libvirt/imagebackend.py: -ploop: RegExpFilter, ploop, root, ploop, restore-descriptor, .* -prl_disk_tool: RegExpFilter, prl_disk_tool, root, prl_disk_tool, resize, --size, .*M$, --resize_partition, --hdd, .* - -# nova/virt/libvirt/utils.py: 'xend', 'status' -xend: CommandFilter, xend, root - -# nova/virt/libvirt/utils.py: -touch: CommandFilter, touch, root - -# nova/virt/libvirt/volume/vzstorage.py -pstorage-mount: CommandFilter, pstorage-mount, root 
diff --git a/nova/templates/etc/rootwrap.d/_network.filters.tpl b/nova/templates/etc/rootwrap.d/_network.filters.tpl deleted file mode 100644 index 52b7130ea8..0000000000 --- a/nova/templates/etc/rootwrap.d/_network.filters.tpl +++ /dev/null 
@@ -1,91 +0,0 @@ -# nova-rootwrap command filters for network nodes -# This file should be owned by (and only-writeable by) the root user - -[Filters] -# nova/virt/libvirt/vif.py: 'ip', 'tuntap', 'add', dev, 'mode', 'tap' -# nova/virt/libvirt/vif.py: 'ip', 'link', 'set', dev, 'up' -# nova/virt/libvirt/vif.py: 'ip', 'link', 'delete', dev -# nova/network/linux_net.py: 'ip', 'addr', 'add', str(floating_ip)+'/32'i.. -# nova/network/linux_net.py: 'ip', 'addr', 'del', str(floating_ip)+'/32'.. -# nova/network/linux_net.py: 'ip', 'addr', 'add', '169.254.169.254/32',.. -# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', dev, 'scope',.. -# nova/network/linux_net.py: 'ip', 'addr', 'del/add', ip_params, dev) -# nova/network/linux_net.py: 'ip', 'addr', 'del', params, fields[-1] -# nova/network/linux_net.py: 'ip', 'addr', 'add', params, bridge -# nova/network/linux_net.py: 'ip', '-f', 'inet6', 'addr', 'change', .. -# nova/network/linux_net.py: 'ip', 'link', 'set', 'dev', dev, 'promisc',.. -# nova/network/linux_net.py: 'ip', 'link', 'add', 'link', bridge_if ... -# nova/network/linux_net.py: 'ip', 'link', 'set', interface, address,.. -# nova/network/linux_net.py: 'ip', 'link', 'set', interface, 'up' -# nova/network/linux_net.py: 'ip', 'link', 'set', bridge, 'up' -# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', interface, .. -# nova/network/linux_net.py: 'ip', 'link', 'set', dev, address, .. -# nova/network/linux_net.py: 'ip', 'link', 'set', dev, 'up' -# nova/network/linux_net.py: 'ip', 'route', 'add', .. -# nova/network/linux_net.py: 'ip', 'route', 'del', . -# nova/network/linux_net.py: 'ip', 'route', 'show', 'dev', dev -ip: CommandFilter, ip, root - -# nova/virt/libvirt/vif.py: 'ovs-vsctl', ... -# nova/virt/libvirt/vif.py: 'ovs-vsctl', 'del-port', ... -# nova/network/linux_net.py: 'ovs-vsctl', .... -ovs-vsctl: CommandFilter, ovs-vsctl, root - -# nova/network/linux_net.py: 'ovs-ofctl', .... 
-ovs-ofctl: CommandFilter, ovs-ofctl, root - -# nova/virt/libvirt/vif.py: 'ivs-ctl', ... -# nova/virt/libvirt/vif.py: 'ivs-ctl', 'del-port', ... -# nova/network/linux_net.py: 'ivs-ctl', .... -ivs-ctl: CommandFilter, ivs-ctl, root - -# nova/virt/libvirt/vif.py: 'ifc_ctl', ... -ifc_ctl: CommandFilter, /opt/pg/bin/ifc_ctl, root - -# nova/network/linux_net.py: 'ebtables', '-D' ... -# nova/network/linux_net.py: 'ebtables', '-I' ... -ebtables: CommandFilter, ebtables, root -ebtables_usr: CommandFilter, ebtables, root - -# nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ... -iptables-save: CommandFilter, iptables-save, root -ip6tables-save: CommandFilter, ip6tables-save, root - -# nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,) -iptables-restore: CommandFilter, iptables-restore, root -ip6tables-restore: CommandFilter, ip6tables-restore, root - -# nova/network/linux_net.py: 'arping', '-U', floating_ip, '-A', '-I', ... -# nova/network/linux_net.py: 'arping', '-U', network_ref['dhcp_server'],.. -arping: CommandFilter, arping, root - -# nova/network/linux_net.py: 'dhcp_release', dev, address, mac_address -dhcp_release: CommandFilter, dhcp_release, root - -# nova/network/linux_net.py: 'kill', '-9', pid -# nova/network/linux_net.py: 'kill', '-HUP', pid -kill_dnsmasq: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP - -# nova/network/linux_net.py: 'kill', pid -kill_radvd: KillFilter, root, /usr/sbin/radvd - -# nova/network/linux_net.py: dnsmasq call -dnsmasq: EnvFilter, env, root, CONFIG_FILE=, NETWORK_ID=, dnsmasq - -# nova/network/linux_net.py: 'radvd', '-C', '%s' % _ra_file(dev, 'conf'.. -radvd: CommandFilter, radvd, root - -# nova/network/linux_net.py: 'brctl', 'addbr', bridge -# nova/network/linux_net.py: 'brctl', 'setfd', bridge, 0 -# nova/network/linux_net.py: 'brctl', 'stp', bridge, 'off' -# nova/network/linux_net.py: 'brctl', 'addif', bridge, interface -brctl: CommandFilter, brctl, root - -# nova/network/linux_net.py: 'sysctl', .... 
-sysctl: CommandFilter, sysctl, root - -# nova/network/linux_net.py: 'conntrack' -conntrack: CommandFilter, conntrack, root - -# nova/network/linux_net.py: 'fp-vdev' -fp-vdev: CommandFilter, fp-vdev, root diff --git a/nova/values.yaml b/nova/values.yaml index 2f39184509..23b2c6185a 100644 --- a/nova/values.yaml +++ b/nova/values.yaml 
@@ -1022,22 +1022,413 @@ conf: Defaults !requiretty Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/var/lib/openstack/bin:/var/lib/kolla/venv/bin" nova ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/nova-rootwrap /etc/nova/rootwrap.conf *, /var/lib/openstack/bin/nova-rootwrap /etc/nova/rootwrap.conf * - rootwrap: - override: - append: + rootwrap: | + # Configuration for nova-rootwrap + # This file should be owned by (and only-writeable by) the root user + + [DEFAULT] + # List of directories to load filter definitions from (separated by ','). + # These directories MUST all be only writeable by root ! + filters_path=/etc/nova/rootwrap.d,/usr/share/nova/rootwrap + + # List of directories to search executables in, in case filters do not + # explicitely specify a full path (separated by ',') + # If not specified, defaults to system PATH environment variable. + # These directories MUST all be only writeable by root ! + exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/var/lib/openstack/bin,/var/lib/kolla/venv/bin + + # Enable logging to syslog + # Default value is False + use_syslog=False + + # Which syslog facility to use. + # Valid values include auth, authpriv, syslog, local0, local1... + # Default value is 'syslog' + syslog_log_facility=syslog + + # Which messages to log. + # INFO means log all usage + # ERROR means only log unsuccessful attempts + syslog_log_level=ERROR wsgi_placement: override: append: rootwrap_filters: api_metadata: - override: - append: + pods: + - metadata + content: | + # nova-rootwrap command filters for api-metadata nodes + # This is needed on nova-api hosts running with "metadata" in enabled_apis + # or when running nova-api-metadata + # This file should be owned by (and only-writeable by) the root user + + [Filters] + # nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ... 
+ iptables-save: CommandFilter, iptables-save, root + ip6tables-save: CommandFilter, ip6tables-save, root + + # nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,) + iptables-restore: CommandFilter, iptables-restore, root + ip6tables-restore: CommandFilter, ip6tables-restore, root compute: - override: - append: + pods: + - compute + content: | + # nova-rootwrap command filters for compute nodes + # This file should be owned by (and only-writeable by) the root user + + [Filters] + # nova/virt/disk/mount/api.py: 'kpartx', '-a', device + # nova/virt/disk/mount/api.py: 'kpartx', '-d', device + kpartx: CommandFilter, kpartx, root + + # nova/virt/xenapi/vm_utils.py: tune2fs, -O ^has_journal, part_path + # nova/virt/xenapi/vm_utils.py: tune2fs, -j, partition_path + tune2fs: CommandFilter, tune2fs, root + + # nova/virt/disk/mount/api.py: 'mount', mapped_device + # nova/virt/disk/api.py: 'mount', '-o', 'bind', src, target + # nova/virt/xenapi/vm_utils.py: 'mount', '-t', 'ext2,ext3,ext4,reiserfs'.. + # nova/virt/configdrive.py: 'mount', device, mountdir + # nova/virt/libvirt/volume.py: 'mount', '-t', 'sofs' ... 
+ mount: CommandFilter, mount, root + + # nova/virt/disk/mount/api.py: 'umount', mapped_device + # nova/virt/disk/api.py: 'umount' target + # nova/virt/xenapi/vm_utils.py: 'umount', dev_path + # nova/virt/configdrive.py: 'umount', mountdir + umount: CommandFilter, umount, root + + # nova/virt/disk/mount/nbd.py: 'qemu-nbd', '-c', device, image + # nova/virt/disk/mount/nbd.py: 'qemu-nbd', '-d', device + qemu-nbd: CommandFilter, qemu-nbd, root + + # nova/virt/disk/mount/loop.py: 'losetup', '--find', '--show', image + # nova/virt/disk/mount/loop.py: 'losetup', '--detach', device + losetup: CommandFilter, losetup, root + + # nova/virt/disk/vfs/localfs.py: 'blkid', '-o', 'value', '-s', 'TYPE', device + blkid: CommandFilter, blkid, root + + # nova/virt/libvirt/utils.py: 'blockdev', '--getsize64', path + # nova/virt/disk/mount/nbd.py: 'blockdev', '--flushbufs', device + blockdev: RegExpFilter, blockdev, root, blockdev, (--getsize64|--flushbufs), /dev/.* + + # nova/virt/disk/vfs/localfs.py: 'tee', canonpath + tee: CommandFilter, tee, root + + # nova/virt/disk/vfs/localfs.py: 'mkdir', canonpath + mkdir: CommandFilter, mkdir, root + + # nova/virt/disk/vfs/localfs.py: 'chown' + # nova/virt/libvirt/connection.py: 'chown', os.getuid( console_log + # nova/virt/libvirt/connection.py: 'chown', os.getuid( console_log + # nova/virt/libvirt/connection.py: 'chown', 'root', basepath('disk') + chown: CommandFilter, chown, root + + # nova/virt/disk/vfs/localfs.py: 'chmod' + chmod: CommandFilter, chmod, root + + # nova/virt/libvirt/vif.py: 'ip', 'tuntap', 'add', dev, 'mode', 'tap' + # nova/virt/libvirt/vif.py: 'ip', 'link', 'set', dev, 'up' + # nova/virt/libvirt/vif.py: 'ip', 'link', 'delete', dev + # nova/network/linux_net.py: 'ip', 'addr', 'add', str(floating_ip)+'/32'i.. + # nova/network/linux_net.py: 'ip', 'addr', 'del', str(floating_ip)+'/32'.. + # nova/network/linux_net.py: 'ip', 'addr', 'add', '169.254.169.254/32',.. 
+ # nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', dev, 'scope',.. + # nova/network/linux_net.py: 'ip', 'addr', 'del/add', ip_params, dev) + # nova/network/linux_net.py: 'ip', 'addr', 'del', params, fields[-1] + # nova/network/linux_net.py: 'ip', 'addr', 'add', params, bridge + # nova/network/linux_net.py: 'ip', '-f', 'inet6', 'addr', 'change', .. + # nova/network/linux_net.py: 'ip', 'link', 'set', 'dev', dev, 'promisc',.. + # nova/network/linux_net.py: 'ip', 'link', 'add', 'link', bridge_if ... + # nova/network/linux_net.py: 'ip', 'link', 'set', interface, address,.. + # nova/network/linux_net.py: 'ip', 'link', 'set', interface, 'up' + # nova/network/linux_net.py: 'ip', 'link', 'set', bridge, 'up' + # nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', interface, .. + # nova/network/linux_net.py: 'ip', 'link', 'set', dev, address, .. + # nova/network/linux_net.py: 'ip', 'link', 'set', dev, 'up' + # nova/network/linux_net.py: 'ip', 'route', 'add', .. + # nova/network/linux_net.py: 'ip', 'route', 'del', . + # nova/network/linux_net.py: 'ip', 'route', 'show', 'dev', dev + ip: CommandFilter, ip, root + + # nova/virt/libvirt/vif.py: 'tunctl', '-b', '-t', dev + # nova/network/linux_net.py: 'tunctl', '-b', '-t', dev + tunctl: CommandFilter, tunctl, root + + # nova/virt/libvirt/vif.py: 'ovs-vsctl', ... + # nova/virt/libvirt/vif.py: 'ovs-vsctl', 'del-port', ... + # nova/network/linux_net.py: 'ovs-vsctl', .... + ovs-vsctl: CommandFilter, ovs-vsctl, root + + # nova/virt/libvirt/vif.py: 'vrouter-port-control', ... + vrouter-port-control: CommandFilter, vrouter-port-control, root + + # nova/virt/libvirt/vif.py: 'ebrctl', ... + ebrctl: CommandFilter, ebrctl, root + + # nova/virt/libvirt/vif.py: 'mm-ctl', ... + mm-ctl: CommandFilter, mm-ctl, root + + # nova/network/linux_net.py: 'ovs-ofctl', .... + ovs-ofctl: CommandFilter, ovs-ofctl, root + + # nova/virt/libvirt/connection.py: 'dd', if=%s % virsh_output, ... 
+ dd: CommandFilter, dd, root + + # nova/virt/xenapi/volume_utils.py: 'iscsiadm', '-m', ... + iscsiadm: CommandFilter, iscsiadm, root + + # nova/virt/libvirt/volume/aoe.py: 'aoe-revalidate', aoedev + # nova/virt/libvirt/volume/aoe.py: 'aoe-discover' + aoe-revalidate: CommandFilter, aoe-revalidate, root + aoe-discover: CommandFilter, aoe-discover, root + + # nova/virt/xenapi/vm_utils.py: parted, --script, ... + # nova/virt/xenapi/vm_utils.py: 'parted', '--script', dev_path, ..*. + parted: CommandFilter, parted, root + + # nova/virt/xenapi/vm_utils.py: 'pygrub', '-qn', dev_path + pygrub: CommandFilter, pygrub, root + + # nova/virt/xenapi/vm_utils.py: fdisk %(dev_path)s + fdisk: CommandFilter, fdisk, root + + # nova/virt/xenapi/vm_utils.py: e2fsck, -f, -p, partition_path + # nova/virt/disk/api.py: e2fsck, -f, -p, image + e2fsck: CommandFilter, e2fsck, root + + # nova/virt/xenapi/vm_utils.py: resize2fs, partition_path + # nova/virt/disk/api.py: resize2fs, image + resize2fs: CommandFilter, resize2fs, root + + # nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ... + iptables-save: CommandFilter, iptables-save, root + ip6tables-save: CommandFilter, ip6tables-save, root + + # nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,) + iptables-restore: CommandFilter, iptables-restore, root + ip6tables-restore: CommandFilter, ip6tables-restore, root + + # nova/network/linux_net.py: 'arping', '-U', floating_ip, '-A', '-I', ... + # nova/network/linux_net.py: 'arping', '-U', network_ref['dhcp_server'],.. 
+ arping: CommandFilter, arping, root
+
+ # nova/network/linux_net.py: 'dhcp_release', dev, address, mac_address
+ dhcp_release: CommandFilter, dhcp_release, root
+
+ # nova/network/linux_net.py: 'kill', '-9', pid
+ # nova/network/linux_net.py: 'kill', '-HUP', pid
+ kill_dnsmasq: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP
+
+ # nova/network/linux_net.py: 'kill', pid
+ kill_radvd: KillFilter, root, /usr/sbin/radvd
+
+ # nova/network/linux_net.py: dnsmasq call
+ dnsmasq: EnvFilter, env, root, CONFIG_FILE=, NETWORK_ID=, dnsmasq
+
+ # nova/network/linux_net.py: 'radvd', '-C', '%s' % _ra_file(dev, 'conf'..
+ radvd: CommandFilter, radvd, root
+
+ # nova/network/linux_net.py: 'brctl', 'addbr', bridge
+ # nova/network/linux_net.py: 'brctl', 'setfd', bridge, 0
+ # nova/network/linux_net.py: 'brctl', 'stp', bridge, 'off'
+ # nova/network/linux_net.py: 'brctl', 'addif', bridge, interface
+ brctl: CommandFilter, brctl, root
+
+ # nova/virt/libvirt/utils.py: 'mkswap'
+ # nova/virt/xenapi/vm_utils.py: 'mkswap'
+ mkswap: CommandFilter, mkswap, root
+
+ # nova/virt/libvirt/utils.py: 'nova-idmapshift'
+ nova-idmapshift: CommandFilter, nova-idmapshift, root
+
+ # nova/virt/xenapi/vm_utils.py: 'mkfs'
+ # nova/utils.py: 'mkfs', fs, path, label
+ mkfs: CommandFilter, mkfs, root
+
+ # nova/virt/libvirt/utils.py: 'qemu-img'
+ qemu-img: CommandFilter, qemu-img, root
+
+ # nova/virt/disk/vfs/localfs.py: 'readlink', '-e'
+ readlink: CommandFilter, readlink, root
+
+ # nova/virt/disk/api.py:
+ mkfs.ext3: CommandFilter, mkfs.ext3, root
+ mkfs.ext4: CommandFilter, mkfs.ext4, root
+ mkfs.ntfs: CommandFilter, mkfs.ntfs, root
+
+ # nova/virt/libvirt/connection.py:
+ lvremove: CommandFilter, lvremove, root
+
+ # nova/virt/libvirt/utils.py:
+ lvcreate: CommandFilter, lvcreate, root
+
+ # nova/virt/libvirt/utils.py:
+ lvs: CommandFilter, lvs, root
+
+ # nova/virt/libvirt/utils.py:
+ vgs: CommandFilter, vgs, root
+
+ # nova/utils.py:read_file_as_root: 'cat', file_path
+ # (called from nova/virt/disk/vfs/localfs.py:VFSLocalFS.read_file)
+ read_passwd: RegExpFilter, cat, root, cat, (/var|/usr)?/tmp/openstack-vfs-localfs[^/]+/etc/passwd
+ read_shadow: RegExpFilter, cat, root, cat, (/var|/usr)?/tmp/openstack-vfs-localfs[^/]+/etc/shadow
+
+ # os-brick needed commands
+ read_initiator: ReadFileFilter, /etc/iscsi/initiatorname.iscsi
+ multipath: CommandFilter, multipath, root
+ # multipathd show status
+ multipathd: CommandFilter, multipathd, root
+ systool: CommandFilter, systool, root
+ vgc-cluster: CommandFilter, vgc-cluster, root
+ # os_brick/initiator/connector.py
+ drv_cfg: CommandFilter, /opt/emc/scaleio/sdc/bin/drv_cfg, root, /opt/emc/scaleio/sdc/bin/drv_cfg, --query_guid
+
+ # TODO(smcginnis) Temporary fix.
+ # Need to pull in os-brick os-brick.filters file instead and clean
+ # out stale brick values from this file.
+ scsi_id: CommandFilter, /lib/udev/scsi_id, root
+ # os_brick.privileged.default oslo.privsep context
+ # This line ties the superuser privs with the config files, context name,
+ # and (implicitly) the actual python code invoked.
+ privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.*
+
+ # nova/storage/linuxscsi.py: sg_scan device
+ sg_scan: CommandFilter, sg_scan, root
+
+ # nova/volume/encryptors/cryptsetup.py:
+ # nova/volume/encryptors/luks.py:
+ ln: RegExpFilter, ln, root, ln, --symbolic, --force, /dev/mapper/crypt-.+, .+
+
+ # nova/volume/encryptors.py:
+ # nova/virt/libvirt/dmcrypt.py:
+ cryptsetup: CommandFilter, cryptsetup, root
+
+ # nova/virt/xenapi/vm_utils.py:
+ xenstore-read: CommandFilter, xenstore-read, root
+
+ # nova/virt/libvirt/utils.py:
+ rbd: CommandFilter, rbd, root
+
+ # nova/virt/libvirt/utils.py: 'shred', '-n3', '-s%d' % volume_size, path
+ shred: CommandFilter, shred, root
+
+ # nova/virt/libvirt/volume.py: 'cp', '/dev/stdin', delete_control..
+ cp: CommandFilter, cp, root
+
+ # nova/virt/xenapi/vm_utils.py:
+ sync: CommandFilter, sync, root
+
+ # nova/virt/libvirt/imagebackend.py:
+ ploop: RegExpFilter, ploop, root, ploop, restore-descriptor, .*
+ prl_disk_tool: RegExpFilter, prl_disk_tool, root, prl_disk_tool, resize, --size, .*M$, --resize_partition, --hdd, .*
+
+ # nova/virt/libvirt/utils.py: 'xend', 'status'
+ xend: CommandFilter, xend, root
+
+ # nova/virt/libvirt/utils.py:
+ touch: CommandFilter, touch, root
+
+ # nova/virt/libvirt/volume/vzstorage.py
+ pstorage-mount: CommandFilter, pstorage-mount, root
 network:
- override:
- append:
+ pods:
+ - compute
+ content: |
+ # nova-rootwrap command filters for network nodes
+ # This file should be owned by (and only-writeable by) the root user
+
+ [Filters]
+ # nova/virt/libvirt/vif.py: 'ip', 'tuntap', 'add', dev, 'mode', 'tap'
+ # nova/virt/libvirt/vif.py: 'ip', 'link', 'set', dev, 'up'
+ # nova/virt/libvirt/vif.py: 'ip', 'link', 'delete', dev
+ # nova/network/linux_net.py: 'ip', 'addr', 'add', str(floating_ip)+'/32'i..
+ # nova/network/linux_net.py: 'ip', 'addr', 'del', str(floating_ip)+'/32'..
+ # nova/network/linux_net.py: 'ip', 'addr', 'add', '169.254.169.254/32',..
+ # nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', dev, 'scope',..
+ # nova/network/linux_net.py: 'ip', 'addr', 'del/add', ip_params, dev)
+ # nova/network/linux_net.py: 'ip', 'addr', 'del', params, fields[-1]
+ # nova/network/linux_net.py: 'ip', 'addr', 'add', params, bridge
+ # nova/network/linux_net.py: 'ip', '-f', 'inet6', 'addr', 'change', ..
+ # nova/network/linux_net.py: 'ip', 'link', 'set', 'dev', dev, 'promisc',..
+ # nova/network/linux_net.py: 'ip', 'link', 'add', 'link', bridge_if ...
+ # nova/network/linux_net.py: 'ip', 'link', 'set', interface, address,..
+ # nova/network/linux_net.py: 'ip', 'link', 'set', interface, 'up'
+ # nova/network/linux_net.py: 'ip', 'link', 'set', bridge, 'up'
+ # nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', interface, ..
+ # nova/network/linux_net.py: 'ip', 'link', 'set', dev, address, ..
+ # nova/network/linux_net.py: 'ip', 'link', 'set', dev, 'up'
+ # nova/network/linux_net.py: 'ip', 'route', 'add', ..
+ # nova/network/linux_net.py: 'ip', 'route', 'del', .
+ # nova/network/linux_net.py: 'ip', 'route', 'show', 'dev', dev
+ ip: CommandFilter, ip, root
+
+ # nova/virt/libvirt/vif.py: 'ovs-vsctl', ...
+ # nova/virt/libvirt/vif.py: 'ovs-vsctl', 'del-port', ...
+ # nova/network/linux_net.py: 'ovs-vsctl', ....
+ ovs-vsctl: CommandFilter, ovs-vsctl, root
+
+ # nova/network/linux_net.py: 'ovs-ofctl', ....
+ ovs-ofctl: CommandFilter, ovs-ofctl, root
+
+ # nova/virt/libvirt/vif.py: 'ivs-ctl', ...
+ # nova/virt/libvirt/vif.py: 'ivs-ctl', 'del-port', ...
+ # nova/network/linux_net.py: 'ivs-ctl', ....
+ ivs-ctl: CommandFilter, ivs-ctl, root
+
+ # nova/virt/libvirt/vif.py: 'ifc_ctl', ...
+ ifc_ctl: CommandFilter, /opt/pg/bin/ifc_ctl, root
+
+ # nova/network/linux_net.py: 'ebtables', '-D' ...
+ # nova/network/linux_net.py: 'ebtables', '-I' ...
+ ebtables: CommandFilter, ebtables, root
+ ebtables_usr: CommandFilter, ebtables, root
+
+ # nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ...
+ iptables-save: CommandFilter, iptables-save, root
+ ip6tables-save: CommandFilter, ip6tables-save, root
+
+ # nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,)
+ iptables-restore: CommandFilter, iptables-restore, root
+ ip6tables-restore: CommandFilter, ip6tables-restore, root
+
+ # nova/network/linux_net.py: 'arping', '-U', floating_ip, '-A', '-I', ...
+ # nova/network/linux_net.py: 'arping', '-U', network_ref['dhcp_server'],..
+ arping: CommandFilter, arping, root
+
+ # nova/network/linux_net.py: 'dhcp_release', dev, address, mac_address
+ dhcp_release: CommandFilter, dhcp_release, root
+
+ # nova/network/linux_net.py: 'kill', '-9', pid
+ # nova/network/linux_net.py: 'kill', '-HUP', pid
+ kill_dnsmasq: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP
+
+ # nova/network/linux_net.py: 'kill', pid
+ kill_radvd: KillFilter, root, /usr/sbin/radvd
+
+ # nova/network/linux_net.py: dnsmasq call
+ dnsmasq: EnvFilter, env, root, CONFIG_FILE=, NETWORK_ID=, dnsmasq
+
+ # nova/network/linux_net.py: 'radvd', '-C', '%s' % _ra_file(dev, 'conf'..
+ radvd: CommandFilter, radvd, root
+
+ # nova/network/linux_net.py: 'brctl', 'addbr', bridge
+ # nova/network/linux_net.py: 'brctl', 'setfd', bridge, 0
+ # nova/network/linux_net.py: 'brctl', 'stp', bridge, 'off'
+ # nova/network/linux_net.py: 'brctl', 'addif', bridge, interface
+ brctl: CommandFilter, brctl, root
+
+ # nova/network/linux_net.py: 'sysctl', ....
+ sysctl: CommandFilter, sysctl, root
+
+ # nova/network/linux_net.py: 'conntrack'
+ conntrack: CommandFilter, conntrack, root
+
+ # nova/network/linux_net.py: 'fp-vdev'
+ fp-vdev: CommandFilter, fp-vdev, root
 nova_ironic:
 DEFAULT:
 scheduler_host_manager: ironic_host_manager