Move rootwrap filters definition to config files

Move rootwrap filters definition from being defined within Nova code to being defined in configuration files to facilitate pluging-in new rootwrap commands. Transition notes: * nova-rootwrap now requires an additional (first) parameter pointing to the root-owned rootwrap.conf file, sudoers needs to be updated to specify that ("nova-rootwrap /etc/nova/rootwrap.conf *") * Packagers should ship {compute,network,volume}.filters inside a directory listed in rootwrap.conf rather than shipping nova/rootwrap/{compute,network,volume}.py * Filter definitions now only support strings. The KillFilter (which was using arrays as parameters) was modified and the tests updated. Implements bp nova-rootwrap-pluggable-filters Corresponding devstack change needs to land first, so that tests pass: https://review.openstack.org/8842 Change-Id: I2350154cd8057bd57926ed542de035626f7de37d
author: Thierry Carrez <thierry@openstack.org> 2012-06-06 14:23:24 +0200
committer: Thierry Carrez <thierry@openstack.org> 2012-06-22 15:35:23 +0200
commit: 93d3c77caff67e2c406a9b17c31de88e90700e13 (patch)
tree: d1bf05bf7dff72673a9ff76358d9d6b582fea598 /etc/nova/rootwrap.d
parent: 3252371afca71f57c171569676d5de70439d5384 (diff)
download: nova-93d3c77caff67e2c406a9b17c31de88e90700e13.tar.gz
nova-93d3c77caff67e2c406a9b17c31de88e90700e13.tar.xz
nova-93d3c77caff67e2c406a9b17c31de88e90700e13.zip
3 files changed, 297 insertions, 0 deletions
diff --git a/etc/nova/rootwrap.d/compute.filters b/etc/nova/rootwrap.d/compute.filters
new file mode 100644
index 000000000..c2e760f0e
--- /dev/null
+++ b/etc/nova/rootwrap.d/compute.filters
@@ -0,0 +1,187 @@
+# nova-rootwrap command filters for compute nodes
+# This file should be owned by (and only-writeable by) the root user
+
+[Filters]
+# nova/virt/disk/mount.py: 'kpartx', '-a', device
+# nova/virt/disk/mount.py: 'kpartx', '-d', device
+kpartx: CommandFilter, /sbin/kpartx, root
+
+# nova/virt/disk/mount.py: 'tune2fs', '-c', 0, '-i', 0, mapped_device
+# nova/virt/xenapi/vm_utils.py: tune2fs, -O ^has_journal, part_path
+# nova/virt/xenapi/vm_utils.py: tune2fs, -j, partition_path
+tune2fs: CommandFilter, /sbin/tune2fs, root
+
+# nova/virt/disk/mount.py: 'mount', mapped_device, mount_dir
+# nova/virt/xenapi/vm_utils.py: 'mount', '-t', 'ext2,ext3,ext4,reiserfs'..
+mount: CommandFilter, /bin/mount, root
+
+# nova/virt/disk/mount.py: 'umount', mapped_device
+# nova/virt/xenapi/vm_utils.py: 'umount', dev_path
+umount: CommandFilter, /bin/umount, root
+
+# nova/virt/disk/nbd.py: 'qemu-nbd', '-c', device, image
+# nova/virt/disk/nbd.py: 'qemu-nbd', '-d', device
+qemu-nbd: CommandFilter, /usr/bin/qemu-nbd, root
+
+# nova/virt/disk/loop.py: 'losetup', '--find', '--show', image
+# nova/virt/disk/loop.py: 'losetup', '--detach', device
+losetup: CommandFilter, /sbin/losetup, root
+
+# nova/virt/disk/guestfs.py: 'guestmount', '--rw', '-a', image, '-i'
+# nova/virt/disk/guestfs.py: 'guestmount', '--rw', '-a', image, '-m' dev
+guestmount: CommandFilter, /usr/bin/guestmount, root
+
+# nova/virt/disk/guestfs.py: 'fusermount', 'u', mount_dir
+fusermount: CommandFilter, /bin/fusermount, root
+fusermount_usr: CommandFilter, /usr/bin/fusermount, root
+
+# nova/virt/disk/api.py: 'tee', metadata_path
+# nova/virt/disk/api.py: 'tee', '-a', keyfile
+# nova/virt/disk/api.py: 'tee', netfile
+tee: CommandFilter, /usr/bin/tee, root
+
+# nova/virt/disk/api.py: 'mkdir', '-p', sshdir
+# nova/virt/disk/api.py: 'mkdir', '-p', netdir
+mkdir: CommandFilter, /bin/mkdir, root
+
+# nova/virt/disk/api.py: 'chown', 'root', sshdir
+# nova/virt/disk/api.py: 'chown', 'root:root', netdir
+# nova/virt/libvirt/connection.py: 'chown', os.getuid( console_log
+# nova/virt/libvirt/connection.py: 'chown', os.getuid( console_log
+# nova/virt/libvirt/connection.py: 'chown', 'root', basepath('disk')
+# nova/utils.py: 'chown', owner_uid, path
+chown: CommandFilter, /bin/chown, root
+
+# nova/virt/disk/api.py: 'chmod', '700', sshdir
+# nova/virt/disk/api.py: 'chmod', 755, netdir
+chmod: CommandFilter, /bin/chmod, root
+
+# nova/virt/disk/api.py: 'cp', os.path.join(fs...
+cp: CommandFilter, /bin/cp, root
+
+# nova/virt/libvirt/vif.py: 'ip', 'tuntap', 'add', dev, 'mode', 'tap'
+# nova/virt/libvirt/vif.py: 'ip', 'link', 'set', dev, 'up'
+# nova/virt/libvirt/vif.py: 'ip', 'link', 'delete', dev
+# nova/network/linux_net.py: 'ip', 'addr', 'add', str(floating_ip)+'/32'i..
+# nova/network/linux_net.py: 'ip', 'addr', 'del', str(floating_ip)+'/32'..
+# nova/network/linux_net.py: 'ip', 'addr', 'add', '169.254.169.254/32',..
+# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', dev, 'scope',..
+# nova/network/linux_net.py: 'ip', 'addr', 'del/add', ip_params, dev)
+# nova/network/linux_net.py: 'ip', 'addr', 'del', params, fields[-1]
+# nova/network/linux_net.py: 'ip', 'addr', 'add', params, bridge
+# nova/network/linux_net.py: 'ip', '-f', 'inet6', 'addr', 'change', ..
+# nova/network/linux_net.py: 'ip', 'link', 'set', 'dev', dev, 'promisc',..
+# nova/network/linux_net.py: 'ip', 'link', 'add', 'link', bridge_if ...
+# nova/network/linux_net.py: 'ip', 'link', 'set', interface, address,..
+# nova/network/linux_net.py: 'ip', 'link', 'set', interface, 'up'
+# nova/network/linux_net.py: 'ip', 'link', 'set', bridge, 'up'
+# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', interface, ..
+# nova/network/linux_net.py: 'ip', 'link', 'set', dev, address, ..
+# nova/network/linux_net.py: 'ip', 'link', 'set', dev, 'up'
+ip: CommandFilter, /sbin/ip, root
+
+# nova/virt/libvirt/vif.py: 'tunctl', '-b', '-t', dev
+# nova/network/linux_net.py: 'tunctl', '-b', '-t', dev
+tunctl: CommandFilter, /bin/tunctl, root
+tunctl_usr: CommandFilter, /usr/sbin/tunctl, root
+
+# nova/virt/libvirt/vif.py: 'ovs-vsctl', ...
+# nova/virt/libvirt/vif.py: 'ovs-vsctl', 'del-port', ...
+# nova/network/linux_net.py: 'ovs-vsctl', ....
+ovs-vsctl: CommandFilter, /usr/bin/ovs-vsctl, root
+
+# nova/network/linux_net.py: 'ovs-ofctl', ....
+ovs-ofctl: CommandFilter, /usr/bin/ovs-ofctl, root
+
+# nova/virt/libvirt/connection.py: 'dd', if=%s % virsh_output, ...
+dd: CommandFilter, /bin/dd, root
+
+# nova/virt/xenapi/volume_utils.py: 'iscsiadm', '-m', ...
+iscsiadm: CommandFilter, /sbin/iscsiadm, root
+
+# nova/virt/xenapi/vm_utils.py: parted, --script, ...
+# nova/virt/xenapi/vm_utils.py: 'parted', '--script', dev_path, ..*.
+parted: CommandFilter, /sbin/parted, root
+parted_usr: CommandFilter, /usr/sbin/parted, root
+
+# nova/virt/xenapi/vm_utils.py: fdisk %(dev_path)s
+fdisk: CommandFilter, /sbin/fdisk, root
+
+# nova/virt/xenapi/vm_utils.py: e2fsck, -f, -p, partition_path
+e2fsck: CommandFilter, /sbin/e2fsck, root
+
+# nova/virt/xenapi/vm_utils.py: resize2fs, partition_path
+resize2fs: CommandFilter, /sbin/resize2fs, root
+
+# nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ...
+iptables-save: CommandFilter, /sbin/iptables-save, root
+iptables-save_usr: CommandFilter, /usr/sbin/iptables-save, root
+ip6tables-save: CommandFilter, /sbin/ip6tables-save, root
+ip6tables-save_usr: CommandFilter, /usr/sbin/ip6tables-save, root
+
+# nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,)
+iptables-restore: CommandFilter, /sbin/iptables-restore, root
+iptables-restore_usr: CommandFilter, /usr/sbin/iptables-restore, root
+ip6tables-restore: CommandFilter, /sbin/ip6tables-restore, root
+ip6tables-restore_usr: CommandFilter, /usr/sbin/ip6tables-restore, root
+
+# nova/network/linux_net.py: 'arping', '-U', floating_ip, '-A', '-I', ...
+# nova/network/linux_net.py: 'arping', '-U', network_ref['dhcp_server'],..
+arping: CommandFilter, /usr/bin/arping, root
+arping_sbin: CommandFilter, /sbin/arping, root
+
+# nova/network/linux_net.py: 'route', '-n'
+# nova/network/linux_net.py: 'route', 'del', 'default', 'gw'
+# nova/network/linux_net.py: 'route', 'add', 'default', 'gw'
+# nova/network/linux_net.py: 'route', '-n'
+# nova/network/linux_net.py: 'route', 'del', 'default', 'gw', old_gw, ..
+# nova/network/linux_net.py: 'route', 'add', 'default', 'gw', old_gateway
+route: CommandFilter, /sbin/route, root
+
+# nova/network/linux_net.py: 'dhcp_release', dev, address, mac_address
+dhcp_release: CommandFilter, /usr/bin/dhcp_release, root
+
+# nova/network/linux_net.py: 'kill', '-9', pid
+# nova/network/linux_net.py: 'kill', '-HUP', pid
+kill_dnsmasq: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP
+
+# nova/network/linux_net.py: 'kill', pid
+kill_radvd: KillFilter, root, /usr/sbin/radvd
+
+# nova/network/linux_net.py: dnsmasq call
+dnsmasq: DnsmasqFilter, /usr/sbin/dnsmasq, root
+
+# nova/network/linux_net.py: 'radvd', '-C', '%s' % _ra_file(dev, 'conf'..
+radvd: CommandFilter, /usr/sbin/radvd, root
+
+# nova/network/linux_net.py: 'brctl', 'addbr', bridge
+# nova/network/linux_net.py: 'brctl', 'setfd', bridge, 0
+# nova/network/linux_net.py: 'brctl', 'stp', bridge, 'off'
+# nova/network/linux_net.py: 'brctl', 'addif', bridge, interface
+brctl: CommandFilter, /sbin/brctl, root
+brctl_usr: CommandFilter, /usr/sbin/brctl, root
+
+# nova/virt/libvirt/utils.py: 'mkswap'
+# nova/virt/xenapi/vm_utils.py: 'mkswap'
+mkswap: CommandFilter, /sbin/mkswap, root
+
+# nova/virt/xenapi/vm_utils.py: 'mkfs'
+mkfs: CommandFilter, /sbin/mkfs, root
+
+# nova/virt/libvirt/utils.py: 'qemu-img'
+qemu-img: CommandFilter, /usr/bin/qemu-img, root
+
+# nova/virt/disk/api.py: 'touch', target
+touch: CommandFilter, /usr/bin/touch, root
+
+# nova/virt/libvirt/connection.py:
+read_initiator: ReadFileFilter, /etc/iscsi/initiatorname.iscsi
+
+# nova/virt/libvirt/connection.py:
+lvremove: CommandFilter, /sbin/lvremove, root
+
+# nova/virt/libvirt/utils.py:
+lvcreate: CommandFilter, /sbin/lvcreate, root
+
+# nova/virt/libvirt/utils.py:
+vgs: CommandFilter, /sbin/vgs, root
diff --git a/etc/nova/rootwrap.d/network.filters b/etc/nova/rootwrap.d/network.filters
new file mode 100644
index 000000000..c85ab9a33
--- /dev/null
+++ b/etc/nova/rootwrap.d/network.filters
@@ -0,0 +1,83 @@
+# nova-rootwrap command filters for network nodes
+# This file should be owned by (and only-writeable by) the root user
+
+[Filters]
+# nova/virt/libvirt/vif.py: 'ip', 'tuntap', 'add', dev, 'mode', 'tap'
+# nova/virt/libvirt/vif.py: 'ip', 'link', 'set', dev, 'up'
+# nova/virt/libvirt/vif.py: 'ip', 'link', 'delete', dev
+# nova/network/linux_net.py: 'ip', 'addr', 'add', str(floating_ip)+'/32'i..
+# nova/network/linux_net.py: 'ip', 'addr', 'del', str(floating_ip)+'/32'..
+# nova/network/linux_net.py: 'ip', 'addr', 'add', '169.254.169.254/32',..
+# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', dev, 'scope',..
+# nova/network/linux_net.py: 'ip', 'addr', 'del/add', ip_params, dev)
+# nova/network/linux_net.py: 'ip', 'addr', 'del', params, fields[-1]
+# nova/network/linux_net.py: 'ip', 'addr', 'add', params, bridge
+# nova/network/linux_net.py: 'ip', '-f', 'inet6', 'addr', 'change', ..
+# nova/network/linux_net.py: 'ip', 'link', 'set', 'dev', dev, 'promisc',..
+# nova/network/linux_net.py: 'ip', 'link', 'add', 'link', bridge_if ...
+# nova/network/linux_net.py: 'ip', 'link', 'set', interface, address,..
+# nova/network/linux_net.py: 'ip', 'link', 'set', interface, 'up'
+# nova/network/linux_net.py: 'ip', 'link', 'set', bridge, 'up'
+# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', interface, ..
+# nova/network/linux_net.py: 'ip', 'link', 'set', dev, address, ..
+# nova/network/linux_net.py: 'ip', 'link', 'set', dev, 'up'
+ip: CommandFilter, /sbin/ip, root
+
+# nova/virt/libvirt/vif.py: 'ovs-vsctl', ...
+# nova/virt/libvirt/vif.py: 'ovs-vsctl', 'del-port', ...
+# nova/network/linux_net.py: 'ovs-vsctl', ....
+ovs-vsctl: CommandFilter, /usr/bin/ovs-vsctl, root
+
+# nova/network/linux_net.py: 'ovs-ofctl', ....
+ovs-ofctl: CommandFilter, /usr/bin/ovs-ofctl, root
+
+# nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ...
+iptables-save: CommandFilter, /sbin/iptables-save, root
+iptables-save_usr: CommandFilter, /usr/sbin/iptables-save, root
+ip6tables-save: CommandFilter, /sbin/ip6tables-save, root
+ip6tables-save_usr: CommandFilter, /usr/sbin/ip6tables-save, root
+
+# nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,)
+iptables-restore: CommandFilter, /sbin/iptables-restore, root
+iptables-restore_usr: CommandFilter, /usr/sbin/iptables-restore, root
+ip6tables-restore: CommandFilter, /sbin/ip6tables-restore, root
+ip6tables-restore_usr: CommandFilter, /usr/sbin/ip6tables-restore, root
+
+# nova/network/linux_net.py: 'arping', '-U', floating_ip, '-A', '-I', ...
+# nova/network/linux_net.py: 'arping', '-U', network_ref['dhcp_server'],..
+arping: CommandFilter, /usr/bin/arping, root
+arping_sbin: CommandFilter, /sbin/arping, root
+
+# nova/network/linux_net.py: 'route', '-n'
+# nova/network/linux_net.py: 'route', 'del', 'default', 'gw'
+# nova/network/linux_net.py: 'route', 'add', 'default', 'gw'
+# nova/network/linux_net.py: 'route', '-n'
+# nova/network/linux_net.py: 'route', 'del', 'default', 'gw', old_gw, ..
+# nova/network/linux_net.py: 'route', 'add', 'default', 'gw', old_gateway
+route: CommandFilter, /sbin/route, root
+
+# nova/network/linux_net.py: 'dhcp_release', dev, address, mac_address
+dhcp_release: CommandFilter, /usr/bin/dhcp_release, root
+
+# nova/network/linux_net.py: 'kill', '-9', pid
+# nova/network/linux_net.py: 'kill', '-HUP', pid
+kill_dnsmasq: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP
+
+# nova/network/linux_net.py: 'kill', pid
+kill_radvd: KillFilter, root, /usr/sbin/radvd
+
+# nova/network/linux_net.py: dnsmasq call
+dnsmasq: DnsmasqFilter, /usr/sbin/dnsmasq, root
+
+# nova/network/linux_net.py: 'radvd', '-C', '%s' % _ra_file(dev, 'conf'..
+radvd: CommandFilter, /usr/sbin/radvd, root
+
+# nova/network/linux_net.py: 'brctl', 'addbr', bridge
+# nova/network/linux_net.py: 'brctl', 'setfd', bridge, 0
+# nova/network/linux_net.py: 'brctl', 'stp', bridge, 'off'
+# nova/network/linux_net.py: 'brctl', 'addif', bridge, interface
+brctl: CommandFilter, /sbin/brctl, root
+brctl_usr: CommandFilter, /usr/sbin/brctl, root
+
+# nova/network/linux_net.py: 'sysctl', ....
+sysctl: CommandFilter, /sbin/sysctl, root
diff --git a/etc/nova/rootwrap.d/volume.filters b/etc/nova/rootwrap.d/volume.filters
new file mode 100644
index 000000000..94a621b98
--- /dev/null
+++ b/etc/nova/rootwrap.d/volume.filters
@@ -0,0 +1,27 @@
+# nova-rootwrap command filters for volume nodes
+# This file should be owned by (and only-writeable by) the root user
+
+[Filters]
+# nova/volume/iscsi.py: iscsi_helper '--op' ...
+ietadm: CommandFilter, /usr/sbin/ietadm, root
+tgtadm: CommandFilter, /usr/sbin/tgtadm, root
+
+# nova/volume/driver.py: 'vgs', '--noheadings', '-o', 'name'
+vgs: CommandFilter, /sbin/vgs, root
+
+# nova/volume/driver.py: 'lvcreate', '-L', sizestr, '-n', volume_name,..
+# nova/volume/driver.py: 'lvcreate', '-L', ...
+lvcreate: CommandFilter, /sbin/lvcreate, root
+
+# nova/volume/driver.py: 'dd', 'if=%s' % srcstr, 'of=%s' % deststr,...
+dd: CommandFilter, /bin/dd, root
+
+# nova/volume/driver.py: 'lvremove', '-f', %s/%s % ...
+lvremove: CommandFilter, /sbin/lvremove, root
+
+# nova/volume/driver.py: 'lvdisplay', '--noheading', '-C', '-o', 'Attr',..
+lvdisplay: CommandFilter, /sbin/lvdisplay, root
+
+# nova/volume/driver.py: 'iscsiadm', '-m', 'discovery', '-t',...
+# nova/volume/driver.py: 'iscsiadm', '-m', 'node', '-T', ...
+iscsiadm: CommandFilter, /sbin/iscsiadm, root
author	Thierry Carrez <thierry@openstack.org>	2012-06-06 14:23:24 +0200
committer	Thierry Carrez <thierry@openstack.org>	2012-06-22 15:35:23 +0200
commit	93d3c77caff67e2c406a9b17c31de88e90700e13 (patch)
tree	d1bf05bf7dff72673a9ff76358d9d6b582fea598 /etc/nova/rootwrap.d
parent	3252371afca71f57c171569676d5de70439d5384 (diff)
download	nova-93d3c77caff67e2c406a9b17c31de88e90700e13.tar.gz nova-93d3c77caff67e2c406a9b17c31de88e90700e13.tar.xz nova-93d3c77caff67e2c406a9b17c31de88e90700e13.zip