Remove not needed rootwrap filters
This patch moves all remaining filters to a single file. Since [1], the number of processes executed using rootwrap has been reduced to a small set. [1] https://storyboard.openstack.org/#!/story/2007686 Story: #2007686 Task: #41284 Change-Id: Ic7eb717b9ee18068d7a6d7acb11302dd1fde60c6
This commit is contained in:
parent
becb42b92e
commit
be6ee6f397
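--- a/PATH_NOT_SHOWN_ON_PAGE_1
+++ /dev/null
@@ -1,12 +0,0 @@
-# neutron-rootwrap command filters for nodes on which neutron is
-# expected to control network
-#
-# This file should be owned by (and only-writeable by) the root user
-
-# format seems to be
-# cmd-name: filter-name, raw-command, user, args
-
-[Filters]
-
-# "sleep" command, only for testing
-sleep: RegExpFilter, sleep, root, sleep, \d+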
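--- a/PATH_NOT_SHOWN_ON_PAGE_2
+++ /dev/null
@@ -1,21 +0,0 @@
-# neutron-rootwrap command filters for nodes on which neutron is
-# expected to control network
-#
-# This file should be owned by (and only-writeable by) the root user
-
-# format seems to be
-# cmd-name: filter-name, raw-command, user, args
-
-[Filters]
-
-# dhcp-agent
-dnsmasq: CommandFilter, dnsmasq, root
-
-mm-ctl: CommandFilter, mm-ctl, root
-
-# haproxy
-haproxy: RegExpFilter, haproxy, root, haproxy, -f, .*
-
-# ip_lib
-ip: IpFilter, ip, root
-ip_exec: IpNetnsExecFilter, ip, root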
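--- a/PATH_NOT_SHOWN_ON_PAGE_3
+++ /dev/null
@@ -1,16 +0,0 @@
-# neutron-rootwrap command filters for nodes on which neutron is
-# expected to control network
-#
-# This file should be owned by (and only-writeable by) the root user
-
-# format seems to be
-# cmd-name: filter-name, raw-command, user, args
-
-[Filters]
-
-# Filters for the dibbler-based reference implementation of the pluggable
-# Prefix Delegation driver. Other implementations using an alternative agent
-# should include a similar filter in this folder.
-
-# prefix_delegation_agent
-dibbler-client: CommandFilter, dibbler-client, root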
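--- a/PATH_NOT_SHOWN_ON_PAGE_4
+++ /dev/null
@@ -1,12 +0,0 @@
-# neutron-rootwrap command filters for nodes on which neutron is
-# expected to control network
-#
-# This file should be owned by (and only-writeable by) the root user
-
-# format seems to be
-# cmd-name: filter-name, raw-command, user, args
-
-[Filters]
-# neutron/agent/linux/iptables_firewall.py
-# "ipset", "-A", ...
-ipset: CommandFilter, ipset, root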
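--- a/PATH_NOT_SHOWN_ON_PAGE_5
+++ /dev/null
@@ -1,32 +0,0 @@
-# neutron-rootwrap command filters for nodes on which neutron is
-# expected to control network
-#
-# This file should be owned by (and only-writeable by) the root user
-
-# format seems to be
-# cmd-name: filter-name, raw-command, user, args
-
-[Filters]
-
-# l3_agent
-route: CommandFilter, route, root
-radvd: CommandFilter, radvd, root
-
-# haproxy
-haproxy: RegExpFilter, haproxy, root, haproxy, -f, .*
-
-# ip_lib
-ip: IpFilter, ip, root
-ip_exec: IpNetnsExecFilter, ip, root
-
-# iptables_manager
-iptables-save: CommandFilter, iptables-save, root
-iptables-restore: CommandFilter, iptables-restore, root
-ip6tables-save: CommandFilter, ip6tables-save, root
-ip6tables-restore: CommandFilter, ip6tables-restore, root
-
-# Keepalived
-keepalived: CommandFilter, keepalived, root
-
-# keepalived state change monitor
-keepalived_state_change: CommandFilter, neutron-keepalived-state-change, root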
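--- a/PATH_NOT_SHOWN_ON_PAGE_6
+++ /dev/null
@@ -1,13 +0,0 @@
-# neutron-rootwrap command filters for nodes on which neutron is
-# expected to control network
-#
-# This file should be owned by (and only-writeable by) the root user
-
-# format seems to be
-# cmd-name: filter-name, raw-command, user, args
-
-[Filters]
-
-# ip_lib
-ip: IpFilter, ip, root
-ip_exec: IpNetnsExecFilter, ip, root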
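--- a/PATH_NOT_SHOWN_ON_PAGE_7
+++ /dev/null
@@ -1,18 +0,0 @@
-# neutron-rootwrap command filters for nodes on which neutron is
-# expected to control network
-#
-# This file should be owned by (and only-writeable by) the root user
-
-# format seems to be
-# cmd-name: filter-name, raw-command, user, args
-
-[Filters]
-
-# openvswitch-agent
-# NOTE(yamamoto): of_interface=native doesn't use ovs-ofctl
-ovs-ofctl: CommandFilter, ovs-ofctl, root
-ovsdb-client: CommandFilter, ovsdb-client, root
-
-# ip_lib
-ip: IpFilter, ip, root
-ip_exec: IpNetnsExecFilter, ip, root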
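--- a/PATH_NOT_SHOWN_ON_PAGE_8
+++ b/PATH_NOT_SHOWN_ON_PAGE_8
@@ -20,6 +20,7 @@
 # In particular, the oslo.config and python module path must not
 # be writeable by the unprivileged user.
 
+# PRIVSEP
 # oslo.privsep default neutron context
 privsep: PathFilter, privsep-helper, root,
 --config-file, /etc/(?!\.\.).*,
@@ -29,3 +30,28 @@ privsep: PathFilter, privsep-helper, root,
 # NOTE: A second `--config-file` arg can also be added above. Since
 # many neutron components are installed like that (eg: by devstack).
 # Adjust to suit local requirements.
+
+# DEBUG
+sleep: RegExpFilter, sleep, root, sleep, \d+
+
+# EXECUTE COMMANDS IN A NAMESPACE
+ip: IpFilter, ip, root
+ip_exec: IpNetnsExecFilter, ip, root
+
+# METADATA PROXY
+haproxy: RegExpFilter, haproxy, root, haproxy, -f, .*
+
+# DHCP
+dnsmasq: CommandFilter, dnsmasq, root
+
+# DIBBLER
+dibbler-client: CommandFilter, dibbler-client, root
+
+# L3
+radvd: CommandFilter, radvd, root
+keepalived: CommandFilter, keepalived, root
+keepalived_state_change: CommandFilter, neutron-keepalived-state-change, root
+
+# OPEN VSWITCH
+ovs-ofctl: CommandFilter, ovs-ofctl, root
+ovsdb-client: CommandFilter, ovsdb-client, root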