author | Pádraig Brady <pbrady@redhat.com> | 2012-06-27 10:29:57 +0100 |
committer | Pádraig Brady <pbrady@redhat.com> | 2012-07-20 16:55:27 +0100 |
commit | 7bac53f97e7c2025e492de7e9c9f5d2451aceee3 (patch) | |
tree | 6426d9f57b37b2e9e575bd2034772d4667f62d58 | |
parent | 740d39e8e5dc097a66a1e9a8c278918da4997b03 (diff) | |
set correct SELinux context for injected ssh keys
Instruct guests to ensure at boot that the correct
SELinux context is set for /root/.ssh/.
This will cater for keys injected by nova from hosts
without SELinux (enabled) or using libguestfs which
currently doesn't support setting extended attributes.
Suggested-by: David Naori <dnaori@redhat.com>
Change-Id: Ibf3869e3ee477e91623e0c030838c1ec8a6128a6
-rw-r--r-- | etc/nova/rootwrap.d/compute.filters | 4 | ||||
-rw-r--r-- | nova/virt/disk/api.py | 33 |
2 files changed, 37 insertions, 0 deletions
diff --git a/etc/nova/rootwrap.d/compute.filters b/etc/nova/rootwrap.d/compute.filters
index fffeff85a..9aa19a11a 100644
--- a/etc/nova/rootwrap.d/compute.filters
+++ b/etc/nova/rootwrap.d/compute.filters
@@ -166,6 +166,10 @@ mkfs: CommandFilter, /sbin/mkfs, root
 # nova/virt/libvirt/utils.py: 'qemu-img'
 qemu-img: CommandFilter, /usr/bin/qemu-img, root
+# nova/virt/disk/api.py: 'readlink', '-e'
+readlink: CommandFilter, /bin/readlink, root
+readlink_usr: CommandFilter, /usr/bin/readlink, root
+
 # nova/virt/disk/api.py: 'touch', target
 touch: CommandFilter, /usr/bin/touch, root
diff --git a/nova/virt/disk/api.py b/nova/virt/disk/api.py
index cf3b2f894..998b44350 100644
--- a/nova/virt/disk/api.py
+++ b/nova/virt/disk/api.py
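Review bot: The two new `readlink` entries are plain CommandFilters, so rootwrap will execute readlink as root with whatever arguments the compute user supplies, not only the `-e` form the comment above them documents. The exposure is small, since readlink only reports whether a path resolves and to what, but the comment reads as if the flag were enforced. If this rootwrap version provides RegExpFilter, pinning the argument pattern to `-e` followed by a single path would make the filter match the comment; otherwise reword the comment to `# nova/virt/disk/api.py: 'readlink' (any args; api.py uses '-e')` so the next reader does not assume an argument restriction that is not there.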
@@ -336,6 +336,37 @@ def _inject_metadata_into_fs(metadata, fs):
     _inject_file_into_fs(fs, 'meta.js', jsonutils.dumps(metadata))
+def _setup_selinux_for_keys(fs):
+    """Get selinux guests to ensure correct context on injected keys."""
+
+    se_cfg = _join_and_check_path_within_fs(fs, 'etc', 'selinux')
+    se_cfg, _err = utils.trycmd('readlink', '-e', se_cfg, run_as_root=True)
+    if not se_cfg:
+        return
+
+    rclocal = _join_and_check_path_within_fs(fs, 'etc', 'rc.local')
+
+    # Support systemd based systems
+    rc_d = _join_and_check_path_within_fs(fs, 'etc', 'rc.d')
+    rclocal_e, _err = utils.trycmd('readlink', '-e', rclocal, run_as_root=True)
+    rc_d_e, _err = utils.trycmd('readlink', '-e', rc_d, run_as_root=True)
+    if not rclocal_e and rc_d_e:
+        rclocal = os.path.join(rc_d, 'rc.local')
+
+    # Note some systems end rc.local with "exit 0"
+    # and so to append there you'd need something like:
+    # utils.execute('sed', '-i', '${/^exit 0$/d}' rclocal, run_as_root=True)
+    restorecon = [
+        '#!/bin/sh\n',
+        '# Added by Nova to ensure injected ssh keys have the right context\n',
+        'restorecon -RF /root/.ssh/ 2>/dev/null || :\n',
+    ]
+
+    rclocal_rel = os.path.relpath(rclocal, fs)
+    _inject_file_into_fs(fs, rclocal_rel, ''.join(restorecon), append=True)
+    utils.execute('chmod', 'a+x', rclocal, run_as_root=True)
+
+
 def _inject_key_into_fs(key, fs):
     """Add the given public ssh key to root's authorized_keys.
@@ -359,6 +390,8 @@ def _inject_key_into_fs(key, fs):
     _inject_file_into_fs(fs, keyfile, key_data, append=True)
+    _setup_selinux_for_keys(fs)
+
 def _inject_net_into_fs(net, fs):
     """Inject /etc/network/interfaces into the filesystem rooted at fs.
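Review bot: In `_setup_selinux_for_keys`, `rclocal = os.path.join(rc_d, 'rc.local')` is the only guest path in the function that does not go through `_join_and_check_path_within_fs`, and that unchecked value is handed straight to `utils.execute('chmod', 'a+x', rclocal, run_as_root=True)`; chmod follows symlinks, and the image contents are guest-controlled, so whether a symlinked rc.d/rc.local could redirect the root chmod outside the mounted filesystem depends entirely on what the helper checks (it is defined outside the hunk, so I cannot confirm it resolves links). Build the fallback through the same helper, `rclocal = _join_and_check_path_within_fs(fs, 'etc', 'rc.d', 'rc.local')`, so the chmod target is validated the same way the injection target presumably is via its relative path. Separately, the `exit 0` remark in the comment is a functional gap rather than an aside: on images whose rc.local ends with `exit 0` the appended restorecon line is never reached and the feature silently does nothing, which the docstring should state, e.g. `"""Append a restorecon for /root/.ssh to rc.local on SELinux guests (no effect if rc.local ends with exit 0)."""`. The two trailing `+` blank lines before `_inject_key_into_fs` also leave three blank lines between top-level defs, one more than PEP 8 expects.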