author | Thierry Carrez <thierry@openstack.org> | 2012-11-16 15:50:01 +0100 |
---|---|---|
committer | Thierry Carrez <thierry@openstack.org> | 2012-12-03 15:12:06 +0100 |
commit | 12e264d58f052f192f3408f5cd8637809eff085b (patch) | |
tree | 8e121921f75e1a00e67845761a681a653feeb6c1 /etc/nova/rootwrap.d | |
parent | 651637ad5475153ef3f2bc15ff0037aebec414c3 (diff) | |
Configurable exec_dirs to find rootwrap commands
Adds support for a configurable set of trusted directories to search
executables in (exec_dirs), which defaults to system PATH. If your
filter specifies an exec_path that doesn't start with '/', then it
will be searched for in exec_dirs. Avoids having to write multiple
filters to cater for distro differences. Fixes bug 1079723.
Also returns a specific error rather than trying to run absent executables.
Change-Id: Idab03bb0be6832a75ffeed4e78d25d0543f5caf9
Diffstat (limited to 'etc/nova/rootwrap.d')
-rw-r--r-- | etc/nova/rootwrap.d/api-metadata.filters | 12 | ||||
-rw-r--r-- | etc/nova/rootwrap.d/compute.filters | 30 | ||||
-rw-r--r-- | etc/nova/rootwrap.d/network.filters | 18 |
3 files changed, 20 insertions, 40 deletions
diff --git a/etc/nova/rootwrap.d/api-metadata.filters b/etc/nova/rootwrap.d/api-metadata.filters
index ef454cbff..1aa6f83e6 100644
--- a/etc/nova/rootwrap.d/api-metadata.filters
+++ b/etc/nova/rootwrap.d/api-metadata.filters
@@ -5,13 +5,9 @@
 [Filters]
 # nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ...
-iptables-save: CommandFilter, /sbin/iptables-save, root
-iptables-save_usr: CommandFilter, /usr/sbin/iptables-save, root
-ip6tables-save: CommandFilter, /sbin/ip6tables-save, root
-ip6tables-save_usr: CommandFilter, /usr/sbin/ip6tables-save, root
+iptables-save: CommandFilter, iptables-save, root
+ip6tables-save: CommandFilter, ip6tables-save, root
 # nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,)
-iptables-restore: CommandFilter, /sbin/iptables-restore, root
-iptables-restore_usr: CommandFilter, /usr/sbin/iptables-restore, root
-ip6tables-restore: CommandFilter, /sbin/ip6tables-restore, root
-ip6tables-restore_usr: CommandFilter, /usr/sbin/ip6tables-restore, root
+iptables-restore: CommandFilter, iptables-restore, root
+ip6tables-restore: CommandFilter, ip6tables-restore, root
diff --git a/etc/nova/rootwrap.d/compute.filters b/etc/nova/rootwrap.d/compute.filters
index 62fbcff67..cb7ad7487 100644
--- a/etc/nova/rootwrap.d/compute.filters
+++ b/etc/nova/rootwrap.d/compute.filters
@@ -72,8 +72,7 @@ ip: CommandFilter, /sbin/ip, root
 # nova/virt/libvirt/vif.py: 'tunctl', '-b', '-t', dev
 # nova/network/linux_net.py: 'tunctl', '-b', '-t', dev
-tunctl: CommandFilter, /bin/tunctl, root
-tunctl_usr: CommandFilter, /usr/sbin/tunctl, root
+tunctl: CommandFilter, tunctl, root
 # nova/virt/libvirt/vif.py: 'ovs-vsctl', ...
 # nova/virt/libvirt/vif.py: 'ovs-vsctl', 'del-port', ...
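Review bot: The new bare-name entries such as `iptables-save: CommandFilter, iptables-save, root` no longer say where the binary comes from, and nothing in the filter file records that resolution now goes through exec_dirs, which the commit message says defaults to the system PATH. Because rootwrap executes these commands as root, every directory it resolves against is now part of the trust boundary and must be root-owned and not writable by the service user; the PATH rootwrap inherits (presumably whatever sudo passes through) is therefore a deployment concern rather than a detail. A one-line comment near the top of each filters file would make that visible to operators, e.g. `# Bare command names are resolved against exec_dirs (system PATH by default); keep exec_dirs limited to root-owned directories.` The same applies to the compute.filters and network.filters hunks below, which introduce the same bare-name form.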
@@ -87,13 +86,11 @@ ovs-ofctl: CommandFilter, /usr/bin/ovs-ofctl, root
 dd: CommandFilter, /bin/dd, root
 # nova/virt/xenapi/volume_utils.py: 'iscsiadm', '-m', ...
-iscsiadm: CommandFilter, /sbin/iscsiadm, root
-iscsiadm_usr: CommandFilter, /usr/bin/iscsiadm, root
+iscsiadm: CommandFilter, iscsiadm, root
 # nova/virt/xenapi/vm_utils.py: parted, --script, ...
 # nova/virt/xenapi/vm_utils.py: 'parted', '--script', dev_path, ..*.
-parted: CommandFilter, /sbin/parted, root
-parted_usr: CommandFilter, /usr/sbin/parted, root
+parted: CommandFilter, parted, root
 # nova/virt/xenapi/vm_utils.py: fdisk %(dev_path)s
 fdisk: CommandFilter, /sbin/fdisk, root
@@ -105,21 +102,16 @@ e2fsck: CommandFilter, /sbin/e2fsck, root
 resize2fs: CommandFilter, /sbin/resize2fs, root
 # nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ...
-iptables-save: CommandFilter, /sbin/iptables-save, root
-iptables-save_usr: CommandFilter, /usr/sbin/iptables-save, root
-ip6tables-save: CommandFilter, /sbin/ip6tables-save, root
-ip6tables-save_usr: CommandFilter, /usr/sbin/ip6tables-save, root
+iptables-save: CommandFilter, iptables-save, root
+ip6tables-save: CommandFilter, ip6tables-save, root
 # nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,)
-iptables-restore: CommandFilter, /sbin/iptables-restore, root
-iptables-restore_usr: CommandFilter, /usr/sbin/iptables-restore, root
-ip6tables-restore: CommandFilter, /sbin/ip6tables-restore, root
-ip6tables-restore_usr: CommandFilter, /usr/sbin/ip6tables-restore, root
+iptables-restore: CommandFilter, iptables-restore, root
+ip6tables-restore: CommandFilter, ip6tables-restore, root
 # nova/network/linux_net.py: 'arping', '-U', floating_ip, '-A', '-I', ...
 # nova/network/linux_net.py: 'arping', '-U', network_ref['dhcp_server'],..
-arping: CommandFilter, /usr/bin/arping, root
-arping_sbin: CommandFilter, /sbin/arping, root
+arping: CommandFilter, arping, root
 # nova/network/linux_net.py: 'dhcp_release', dev, address, mac_address
 dhcp_release: CommandFilter, /usr/bin/dhcp_release, root
@@ -142,8 +134,7 @@ radvd: CommandFilter, /usr/sbin/radvd, root
 # nova/network/linux_net.py: 'brctl', 'setfd', bridge, 0
 # nova/network/linux_net.py: 'brctl', 'stp', bridge, 'off'
 # nova/network/linux_net.py: 'brctl', 'addif', bridge, interface
-brctl: CommandFilter, /sbin/brctl, root
-brctl_usr: CommandFilter, /usr/sbin/brctl, root
+brctl: CommandFilter, brctl, root
 # nova/virt/libvirt/utils.py: 'mkswap'
 # nova/virt/xenapi/vm_utils.py: 'mkswap'
@@ -156,8 +147,7 @@ mkfs: CommandFilter, /sbin/mkfs, root
 qemu-img: CommandFilter, /usr/bin/qemu-img, root
 # nova/virt/disk/vfs/localfs.py: 'readlink', '-e'
-readlink: CommandFilter, /bin/readlink, root
-readlink_usr: CommandFilter, /usr/bin/readlink, root
+readlink: CommandFilter, readlink, root
 # nova/virt/disk/api.py: 'touch', target
 touch: CommandFilter, /usr/bin/touch, root
diff --git a/etc/nova/rootwrap.d/network.filters b/etc/nova/rootwrap.d/network.filters
index 133475500..c58bc77e7 100644
--- a/etc/nova/rootwrap.d/network.filters
+++ b/etc/nova/rootwrap.d/network.filters
@@ -40,21 +40,16 @@ ebtables: CommandFilter, /sbin/ebtables, root
 ebtables_usr: CommandFilter, /usr/sbin/ebtables, root
 # nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ...
-iptables-save: CommandFilter, /sbin/iptables-save, root
-iptables-save_usr: CommandFilter, /usr/sbin/iptables-save, root
-ip6tables-save: CommandFilter, /sbin/ip6tables-save, root
-ip6tables-save_usr: CommandFilter, /usr/sbin/ip6tables-save, root
+iptables-save: CommandFilter, iptables-save, root
+ip6tables-save: CommandFilter, ip6tables-save, root
 # nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,)
-iptables-restore: CommandFilter, /sbin/iptables-restore, root
-iptables-restore_usr: CommandFilter, /usr/sbin/iptables-restore, root
-ip6tables-restore: CommandFilter, /sbin/ip6tables-restore, root
-ip6tables-restore_usr: CommandFilter, /usr/sbin/ip6tables-restore, root
+iptables-restore: CommandFilter, iptables-restore, root
+ip6tables-restore: CommandFilter, ip6tables-restore, root
 # nova/network/linux_net.py: 'arping', '-U', floating_ip, '-A', '-I', ...
 # nova/network/linux_net.py: 'arping', '-U', network_ref['dhcp_server'],..
-arping: CommandFilter, /usr/bin/arping, root
-arping_sbin: CommandFilter, /sbin/arping, root
+arping: CommandFilter, arping, root
 # nova/network/linux_net.py: 'dhcp_release', dev, address, mac_address
 dhcp_release: CommandFilter, /usr/bin/dhcp_release, root
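Review bot: The ebtables pair in network.filters is left un-migrated: the hunk header and first context line still show `ebtables: CommandFilter, /sbin/ebtables, root` and `ebtables_usr: CommandFilter, /usr/sbin/ebtables, root`, the same distro-path duplication this commit removes for iptables-save, arping and brctl in the same file. Unless ebtables is deliberately kept pinned to absolute paths, it should collapse to the single entry `ebtables: CommandFilter, ebtables, root` with the `ebtables_usr` line dropped, so the file follows one resolution rule. Those two lines sit just above the hunk's first changed line, so the fix extends the hunk by a few lines rather than changing what is already in it.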
@@ -77,8 +72,7 @@ radvd: CommandFilter, /usr/sbin/radvd, root
 # nova/network/linux_net.py: 'brctl', 'setfd', bridge, 0
 # nova/network/linux_net.py: 'brctl', 'stp', bridge, 'off'
 # nova/network/linux_net.py: 'brctl', 'addif', bridge, interface
-brctl: CommandFilter, /sbin/brctl, root
-brctl_usr: CommandFilter, /usr/sbin/brctl, root
+brctl: CommandFilter, brctl, root
 # nova/network/linux_net.py: 'sysctl', ....
 sysctl: CommandFilter, /sbin/sysctl, root |