Diffstat (limited to 'etc')
-rw-r--r-- | etc/nova/nova.conf.sample | 470 | ||||
-rw-r--r-- | etc/nova/policy.json | 5 | ||||
-rw-r--r-- | etc/nova/rootwrap.d/baremetal-compute-ipmi.filters | 2 | ||||
-rw-r--r-- | etc/nova/rootwrap.d/compute.filters | 80 | ||||
-rw-r--r-- | etc/nova/rootwrap.d/network.filters | 16 |
5 files changed, 354 insertions, 219 deletions
diff --git a/etc/nova/nova.conf.sample b/etc/nova/nova.conf.sample index 2ba888a86..7524a7e5e 100644 --- a/etc/nova/nova.conf.sample +++ b/etc/nova/nova.conf.sample @@ -52,15 +52,6 @@ # -# Options defined in nova.manager -# - -# Some periodic tasks can be run in a separate process. Should -# we run them here? (boolean value) -#run_external_periodic_tasks=true - - -# # Options defined in nova.netconf # @@ -82,6 +73,13 @@ # # If set, send compute.instance.update notifications on +# instance state changes. Valid values are None for no +# notifications, "vm_state" for notifications on VM state +# changes, or "vm_and_task_state" for notifications on VM and +# task state changes. (string value) +#notify_on_state_change=<None> + +# If set, send compute.instance.update notifications on # instance state changes. Valid values are False for no # notifications, True for notifications on any instance # changes. (boolean value) @@ -91,13 +89,6 @@ # the API service. (boolean value) #notify_api_faults=false -# If set, send compute.instance.update notifications on -# instance state changes. Valid values are None for no -# notifications, "vm_state" for notifications on VM state -# changes, or "vm_and_task_state" for notifications on VM and -# task state changes. (string value) -#notify_on_state_change=<None> - # # Options defined in nova.paths @@ -143,6 +134,10 @@ # number of floating ips allowed per project (integer value) #quota_floating_ips=10 +# number of fixed ips allowed per project (this should be at +# least the number of instances allowed) (integer value) +#quota_fixed_ips=-1 + # number of metadata items allowed per instance (integer # value) #quota_metadata_items=128 
@@ -276,9 +271,6 @@ # Length of generated instance admin passwords (integer value) #password_length=12 -# Whether to disable inter-process locks (boolean value) -#disable_process_locking=false - # time period to generate instance usages for. Time period # must be hour, day, month or year (string value) #instance_usage_audit_period=month @@ -541,19 +533,73 @@ # -# Options defined in nova.common.memorycache +# Options defined in nova.cmd.clear_rabbit_queues # -# Memcached servers or None for in process cache. (list value) -#memcached_servers=<None> +# Queues to delete (multi valued) +#queues= + +# delete nova exchange too. (boolean value) +#delete_exchange=false # -# Options defined in nova.compute +# Options defined in nova.cmd.novnc +# + +# Record sessions to FILE.[session_number] (boolean value) +#record=false + +# Become a daemon (background process) (boolean value) +#daemon=false + +# Disallow non-encrypted connections (boolean value) +#ssl_only=false + +# Source is ipv6 (boolean value) +#source_is_ipv6=false + +# SSL certificate file (string value) +#cert=self.pem + +# SSL key file (if separate from cert) (string value) +#key=<None> + +# Run webserver on same port. Serve files from DIR. (string +# value) +#web=/usr/share/spice-html5 + + +# +# Options defined in nova.cmd.novncproxy +# + +# Host on which to listen for incoming requests (string value) +#novncproxy_host=0.0.0.0 + +# Port on which to listen for incoming requests (integer +# value) +#novncproxy_port=6080 + + +# +# Options defined in nova.cmd.spicehtml5proxy # -# The full class name of the compute API class to use (string +# Host on which to listen for incoming requests (string value) +#spicehtml5proxy_host=0.0.0.0 + +# Port on which to listen for incoming requests (integer # value) +#spicehtml5proxy_port=6082 + + +# +# Options defined in nova.compute +# + +# The full class name of the compute API class to use +# (deprecated) (string value) #compute_api_class=nova.compute.api.API 
@@ -565,6 +611,10 @@ # when testing in single-host environments. (boolean value) #allow_resize_to_same_host=false +# Allow migrate machine to the same host. Useful when testing +# in single-host environments. (boolean value) +#allow_migrate_to_same_host=false + # availability zone to use when user doesn't specify one # (string value) #default_schedule_zone=<None> @@ -588,7 +638,7 @@ # -# Options defined in nova.compute.instance_types +# Options defined in nova.compute.flavors # # default instance type to use, testing only (string value) @@ -630,6 +680,10 @@ # interval to pull bandwidth usage info (integer value) #bandwidth_poll_interval=600 +# interval to sync power states between the database and the +# hypervisor (integer value) +#sync_power_state_interval=600 + # Number of seconds between instance info_cache self healing # updates (integer value) #heal_instance_info_cache_interval=60 @@ -1046,6 +1100,10 @@ # be on the bottom. (string value) #iptables_bottom_regex= +# The table that iptables to jump to when a packet is to be +# dropped. (string value) +#iptables_drop_action=DROP + # # Options defined in nova.network.manager @@ -1083,7 +1141,9 @@ # Number of addresses in each private subnet (integer value) #network_size=256 -# Fixed IP address block (string value) +# DEPRECATED - Fixed IP address block.If set to an empty +# string, the subnet range(s) will be automatically determined +# and configured. (string value) #fixed_range=10.0.0.0/8 # Fixed IPv6 address block (string value) 
@@ -1210,50 +1270,6 @@ # The full class name of the security API class (string value) #security_group_api=nova -# -# Options defined in bin.nova-clear-rabbit-queues -# - -# Queues to delete (multi valued) -#queues= - -# delete nova exchange too. (boolean value) -#delete_exchange=false - - -# -# Options defined in bin.nova-novncproxy -# - -# Record sessions to FILE.[session_number] (boolean value) -#record=false - -# Become a daemon (background process) (boolean value) -#daemon=false - -# Disallow non-encrypted connections (boolean value) -#ssl_only=false - -# Source is ipv6 (boolean value) -#source_is_ipv6=false - -# SSL certificate file (string value) -#cert=self.pem - -# SSL key file (if separate from cert) (string value) -#key=<None> - -# Run webserver on same port. Serve files from DIR. (string -# value) -#web=/usr/share/novnc - -# Host on which to listen for incoming requests (string value) -#novncproxy_host=0.0.0.0 - -# Port on which to listen for incoming requests (integer -# value) -#novncproxy_port=6080 - # # Options defined in nova.objectstore.s3server @@ -1287,7 +1303,7 @@ # The SQLAlchemy connection string used to connect to the # database (string value) -#sql_connection=sqlite:////nova/openstack/common/db/$sqlite_db +#sql_connection=sqlite:////common/db/$sqlite_db # the filename to use with sqlite (string value) #sqlite_db=nova.sqlite @@ -1363,13 +1379,9 @@ # Log output to standard error (boolean value) #use_stderr=true -# Default file mode used when creating log files (string -# value) -#logfile_mode=0644 - # format string to use for log messages with context (string # value) -#logging_context_format_string=%(asctime)s.%(msecs)03d %(levelname)s %(name)s [%(request_id)s %(user)s %(tenant)s] %(instance)s%(message)s +#logging_context_format_string=%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user)s %(tenant)s] %(instance)s%(message)s # format string to use for log messages without context # (string value) 
@@ -1408,20 +1420,22 @@ #log_config=<None> # A logging.Formatter log message format string which may use -# any of the available logging.LogRecord attributes. Default: -# %(default)s (string value) -#log_format=%(asctime)s %(levelname)8s [%(name)s] %(message)s +# any of the available logging.LogRecord attributes. This +# option is deprecated. Please use +# logging_context_format_string and +# logging_default_format_string instead. (string value) +#log_format=<None> # Format string for %%(asctime)s in log records. Default: # %(default)s (string value) #log_date_format=%Y-%m-%d %H:%M:%S -# (Optional) Name of log file to output to. If not set, -# logging will go to stdout. (string value) +# (Optional) Name of log file to output to. If no default is +# set, logging will go to stdout. (string value) #log_file=<None> -# (Optional) The directory to keep log files in (will be -# prepended to --log-file) (string value) +# (Optional) The base directory used for relative --log-file +# paths (string value) #log_dir=<None> # Use syslog for logging. (boolean value) @@ -1432,6 +1446,14 @@ # +# Options defined in nova.openstack.common.memorycache +# + +# Memcached servers or None for in process cache. (list value) +#memcached_servers=<None> + + +# # Options defined in nova.openstack.common.notifier.api # @@ -1457,6 +1479,15 @@ # +# Options defined in nova.openstack.common.periodic_task +# + +# Some periodic tasks can be run in a separate process. Should +# we run them here? (boolean value) +#run_external_periodic_tasks=true + + +# # Options defined in nova.openstack.common.rpc # @@ -1569,7 +1600,7 @@ # Qpid broker hostname (string value) #qpid_hostname=localhost -# Qpid broker port (string value) +# Qpid broker port (integer value) #qpid_port=5672 # Qpid HA cluster host:port pairs (list value) 
@@ -1624,7 +1655,7 @@ # Name of this node. Must be a valid hostname, FQDN, or IP # address. Must match "host" option, if running Nova. (string # value) -#rpc_zmq_host=sorcha +#rpc_zmq_host=nova # @@ -1634,6 +1665,12 @@ # Matchmaker ring file (JSON) (string value) #matchmaker_ringfile=/etc/nova/matchmaker_ring.json +# Heartbeat frequency (integer value) +#matchmaker_heartbeat_freq=300 + +# Heartbeat time-to-live. (integer value) +#matchmaker_heartbeat_ttl=600 + # # Options defined in nova.scheduler.driver @@ -1743,17 +1780,6 @@ # -# Options defined in nova.scheduler.multi -# - -# Driver to use for scheduling compute calls (string value) -#compute_scheduler_driver=nova.scheduler.filter_scheduler.FilterScheduler - -# Default driver to use for scheduling calls (string value) -#default_scheduler_driver=nova.scheduler.chance.ChanceScheduler - - -# # Options defined in nova.scheduler.rpcapi # @@ -1771,24 +1797,6 @@ # -# Options defined in nova.scheduler.weights.least_cost -# - -# Which cost functions the LeastCostScheduler should use (list -# value) -#least_cost_functions=<None> - -# How much weight to give the noop cost function (floating -# point value) -#noop_cost_fn_weight=1.0 - -# How much weight to give the fill-first cost function. A -# negative value will reverse behavior: e.g. spread-first -# (floating point value) -#compute_fill_first_cost_fn_weight=<None> - - -# # Options defined in nova.scheduler.weights.ram # @@ -1856,7 +1864,8 @@ # Driver to use for controlling virtualization. Options # include: libvirt.LibvirtDriver, xenapi.XenAPIDriver, # fake.FakeDriver, baremetal.BareMetalDriver, -# vmwareapi.VMWareESXDriver (string value) +# vmwareapi.VMwareESXDriver, vmwareapi.VMwareVCDriver (string +# value) #compute_driver=<None> # The default format an ephemeral_volume will be formatted 
@@ -1886,52 +1895,6 @@ # -# Options defined in nova.virt.hyperv.vif -# - -# External virtual switch Name, if not provided, the first -# external virtual switch is used (string value) -#vswitch_name=<None> - - -# -# Options defined in nova.virt.hyperv.vmops -# - -# Required for live migration among hosts with different CPU -# features (boolean value) -#limit_cpu_features=false - -# Sets the admin password in the config drive image (boolean -# value) -#config_drive_inject_password=false - -# qemu-img is used to convert between different image types -# (string value) -#qemu_img_cmd=qemu-img.exe - -# Attaches the Config Drive image as a cdrom drive instead of -# a disk drive (boolean value) -#config_drive_cdrom=false - - -# -# Options defined in nova.virt.hyperv.volumeops -# - -# The number of times we retry on attaching volume (integer -# value) -#hyperv_attaching_volume_retry_count=10 - -# The seconds to wait between an volume attachment attempt -# (integer value) -#hyperv_wait_between_attach_retry=5 - -# Force volumeutils v1 (boolean value) -#force_volumeutils_v1=false - - -# # Options defined in nova.virt.images # @@ -2040,6 +2003,10 @@ # ["file=directsync","block=none"] (list value) #disk_cachemodes= +# Which pcpus can be used by vcpus of instance e.g: +# "4-12,^8,15" (string value) +#vcpu_pin_set=<None> + # # Options defined in nova.virt.libvirt.imagebackend @@ -2252,7 +2219,8 @@ # # Optional VIM Service WSDL Location e.g -# http://<server>/vimService.wsdl +# http://<server>/vimService.wsdl. Optional over-ride to +# default location for bug work-arounds (string value) #vmwareapi_wsdl_loc=<None> 
@@ -2278,11 +2246,18 @@ # (string value) #xenapi_agent_path=usr/sbin/xe-update-networking -# Disable XenAPI agent. Reduces the amount of time it takes -# nova to detect that a VM has started, when that VM does not -# have the agent installed (boolean value) +# Disables the use of the XenAPI agent in any image regardless +# of what image properties are present. (boolean value) #xenapi_disable_agent=false +# Determines if the xenapi agent should be used when the image +# used does not contain a hint to declare if the agent is +# present or not. The hint is a glance property +# "xenapi_use_agent" that has the value "true" or "false". +# Note that waiting for the agent when it is not present will +# significantly increase server boot times. (boolean value) +#xenapi_use_agent_default=false + # # Options defined in nova.virt.xenapi.driver @@ -2513,8 +2488,8 @@ # region name of this node (string value) #os_region_name=<None> -# Allow for a ca certificates file to be specified for cinder -# client requests (string value) +# Location of ca certicates file to use for cinder client +# requests. (string value) #cinder_ca_certificates_file=<None> # Number of cinderclient retries on failed http calls (integer @@ -2530,7 +2505,7 @@ #cinder_cross_az_attach=true -[HYPERV] +[hyperv] # # Options defined in nova.virt.hyperv.pathutils 
@@ -2544,6 +2519,71 @@ #instances_path_share= +# +# Options defined in nova.virt.hyperv.vif +# + +# External virtual switch Name, if not provided, the first +# external virtual switch is used (string value) +#vswitch_name=<None> + + +# +# Options defined in nova.virt.hyperv.vmops +# + +# Required for live migration among hosts with different CPU +# features (boolean value) +#limit_cpu_features=false + +# Sets the admin password in the config drive image (boolean +# value) +#config_drive_inject_password=false + +# qemu-img is used to convert between different image types +# (string value) +#qemu_img_cmd=qemu-img.exe + +# Attaches the Config Drive image as a cdrom drive instead of +# a disk drive (boolean value) +#config_drive_cdrom=false + + +# +# Options defined in nova.virt.hyperv.volumeops +# + +# The number of times to retry to attach a volume (integer +# value) +#volume_attach_retry_count=10 + +# Interval between volume attachment attempts, in seconds +# (integer value) +#volume_attach_retry_interval=5 + +# Force volumeutils v1 (boolean value) +#force_volumeutils_v1=false + + +[osapi_v3] + +# +# Options defined in nova.api.openstack +# + +# Whether the V3 API is enabled or not (boolean value) +#enabled=false + +# A list of v3 API extensions to never load. Specify the +# extension aliases here. (list value) +#extensions_blacklist= + +# If the list is not empty then a v3 API extension will only +# be loaded if it exists in this list. Specify the extension +# aliases here. (list value) +#extensions_whitelist= + + [conductor] # @@ -2613,6 +2653,13 @@ # value) #call_timeout=60 +# Percentage of cell capacity to hold in reserve. Affects both +# memory and disk utilization (floating point value) +#reserve_percent=10.0 + +# Type of cell: api or compute (string value) +#cell_type=<None> + # # Options defined in nova.cells.rpc_driver 
@@ -2628,6 +2675,16 @@ # Options defined in nova.cells.scheduler # +# Filter classes the cells scheduler should use. An entry of +# "nova.cells.filters.all_filters"maps to all cells filters +# included with nova. (list value) +#scheduler_filter_classes=nova.cells.filters.all_filters + +# Weigher classes the cells scheduler should use. An entry of +# "nova.cells.weights.all_weighers"maps to all cell weighers +# included with nova. (list value) +#scheduler_weight_classes=nova.cells.weights.all_weighers + # How many retries when no cells are available. (integer # value) #scheduler_retries=10 @@ -2646,6 +2703,33 @@ #db_check_interval=60 +# +# Options defined in nova.cells.weights.mute_child +# + +# Multiplier used to weigh mute children. (The value should +# be negative.) (floating point value) +#mute_weight_multiplier=-10.0 + +# Weight value assigned to mute children. (The value should +# be positive.) (floating point value) +#mute_weight_value=1000.0 + +# Number of seconds after which a lack of capability and +# capacity updates signals the child cell is to be treated as +# a mute. (integer value) +#mute_child_interval=300 + + +# +# Options defined in nova.cells.weights.ram_by_instance_type +# + +# Multiplier used for weighing ram. Negative numbers mean to +# stack vs spread. (floating point value) +#ram_weight_multiplier=10.0 + + [zookeeper] # 
@@ -2767,15 +2851,42 @@ # +# Options defined in nova.virt.baremetal.tilera_pdu +# + +# ip address of tilera pdu (string value) +#tile_pdu_ip=10.0.100.1 + +# management script for tilera pdu (string value) +#tile_pdu_mgr=/tftpboot/pdu_mgr + +# power status of tilera PDU is OFF (integer value) +#tile_pdu_off=2 + +# power status of tilera PDU is ON (integer value) +#tile_pdu_on=1 + +# power status of tilera PDU (integer value) +#tile_pdu_status=9 + +# wait time in seconds until check the result after tilera +# power operations (integer value) +#tile_power_wait=9 + + +# # Options defined in nova.virt.baremetal.virtual_power_driver # # ip or name to virtual power host (string value) #virtual_power_ssh_host= +# Port to use for ssh to virtual power host (integer value) +#virtual_power_ssh_port=22 + # base command to use for virtual power(vbox,virsh) (string # value) -#virtual_power_type=vbox +#virtual_power_type=virsh # user to execute virtual power commands as (string value) #virtual_power_host_user= @@ -2783,6 +2894,9 @@ # password for virtual power host_user (string value) #virtual_power_host_pass= +# ssh key for virtual power host_user (string value) +#virtual_power_host_key=<None> + # # Options defined in nova.virt.baremetal.volume_driver @@ -2808,6 +2922,22 @@ #topics=notifications +[matchmaker_redis] + +# +# Options defined in nova.openstack.common.rpc.matchmaker_redis +# + +# Host to locate redis (string value) +#host=127.0.0.1 + +# Use this port to connect to redis host. (integer value) +#port=6379 + +# Password for Redis server. (optional) (string value) +#password=<None> + + [trusted_computing] # @@ -2872,4 +3002,4 @@ #keymap=en-us -# Total option count: 584 +# Total option count: 609 diff --git a/etc/nova/policy.json b/etc/nova/policy.json index d4f2aaad9..a9a584237 100644 --- a/etc/nova/policy.json +++ b/etc/nova/policy.json 
@@ -3,6 +3,7 @@ "admin_or_owner": "is_admin:True or project_id:%(project_id)s", "default": "rule:admin_or_owner", + "cells_scheduler_filter:TargetCellFilter": "is_admin:True", "compute:create": "", "compute:create:attach_network": "", @@ -49,6 +50,7 @@ "compute_extension:extended_ips_mac": "", "compute_extension:extended_vif_net": "", "compute_extension:fixed_ips": "rule:admin_api", + "compute_extension:v3:os-fixed-ips": "rule:admin_api", "compute_extension:flavor_access": "", "compute_extension:flavor_disabled": "", "compute_extension:flavor_rxtx": "", @@ -74,18 +76,21 @@ "compute_extension:instance_actions:events": "rule:admin_api", "compute_extension:instance_usage_audit_log": "rule:admin_api", "compute_extension:keypairs": "", + "compute_extension:v3:os-keypairs": "", "compute_extension:multinic": "", "compute_extension:networks": "rule:admin_api", "compute_extension:networks:view": "", "compute_extension:networks_associate": "rule:admin_api", "compute_extension:quotas:show": "", "compute_extension:quotas:update": "rule:admin_api", + "compute_extension:quotas:delete": "rule:admin_api", "compute_extension:quota_classes": "", "compute_extension:rescue": "", "compute_extension:security_group_default_rules": "rule:admin_api", "compute_extension:security_groups": "", "compute_extension:server_diagnostics": "rule:admin_api", "compute_extension:server_password": "", + "compute_extension:server_usage": "", "compute_extension:services": "rule:admin_api", "compute_extension:simple_tenant_usage:show": "rule:admin_or_owner", "compute_extension:simple_tenant_usage:list": "rule:admin_api", diff --git a/etc/nova/rootwrap.d/baremetal-compute-ipmi.filters b/etc/nova/rootwrap.d/baremetal-compute-ipmi.filters index a2858cd11..4132a9996 100644 --- a/etc/nova/rootwrap.d/baremetal-compute-ipmi.filters +++ b/etc/nova/rootwrap.d/baremetal-compute-ipmi.filters 
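Review bot: The new `"cells_scheduler_filter:TargetCellFilter": "is_admin:True"` spells the admin check inline while every other admin-only rule in this file delegates to `rule:admin_api`; writing it as `"cells_scheduler_filter:TargetCellFilter": "rule:admin_api"` keeps one place to change if the admin definition is ever tightened. The added v3 rules do mirror their v2 counterparts (`compute_extension:v3:os-fixed-ips` is `rule:admin_api` like `fixed_ips`, `compute_extension:v3:os-keypairs` is `""` like `keypairs`), and that pairing is worth checking on every v3 addition because an empty rule passes the policy check for any caller. `compute_extension:quotas:delete` and `compute_extension:server_usage` likewise follow their neighbouring entries, so no further change is needed there.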
@@ -3,7 +3,7 @@ [Filters] # nova/virt/baremetal/ipmi.py: 'ipmitool', .. -ipmitool: CommandFilter, /usr/bin/ipmitool, root +ipmitool: CommandFilter, ipmitool, root # nova/virt/baremetal/ipmi.py: 'kill', '-TERM', str(console_pid) kill_shellinaboxd: KillFilter, root, /usr/local/bin/shellinaboxd, -15, -TERM diff --git a/etc/nova/rootwrap.d/compute.filters b/etc/nova/rootwrap.d/compute.filters index 6d4082940..88fa74d6b 100644 --- a/etc/nova/rootwrap.d/compute.filters +++ b/etc/nova/rootwrap.d/compute.filters 
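Review bot: Dropping the absolute path in `ipmitool: CommandFilter, ipmitool, root` moves executable resolution from the filter line to the `exec_dirs` setting in rootwrap.conf, and nothing in this file records that dependency; the same applies to every `CommandFilter` line changed in compute.filters and network.filters. Since a matched command runs as root, the filters are now only as tight as that directory list, which has to stay limited to root-owned directories and must never pick up the calling user's PATH. A header comment in each filters file would make the assumption visible to whoever packages or edits them: `# Bare command names are resolved against exec_dirs in rootwrap.conf; keep that list to root-owned directories.`. `kill_shellinaboxd` keeping its absolute path looks intentional, as the KillFilter argument identifies the target process rather than a command to launch.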
@@ -4,48 +4,48 @@ [Filters] # nova/virt/disk/mount/api.py: 'kpartx', '-a', device # nova/virt/disk/mount/api.py: 'kpartx', '-d', device -kpartx: CommandFilter, /sbin/kpartx, root +kpartx: CommandFilter, kpartx, root # nova/virt/xenapi/vm_utils.py: tune2fs, -O ^has_journal, part_path # nova/virt/xenapi/vm_utils.py: tune2fs, -j, partition_path -tune2fs: CommandFilter, /sbin/tune2fs, root +tune2fs: CommandFilter, tune2fs, root # nova/virt/disk/mount/api.py: 'mount', mapped_device # nova/virt/disk/api.py: 'mount', '-o', 'bind', src, target # nova/virt/xenapi/vm_utils.py: 'mount', '-t', 'ext2,ext3,ext4,reiserfs'.. # nova/virt/configdrive.py: 'mount', device, mountdir # nova/virt/libvirt/volume.py: 'mount', '-t', 'sofs' ... -mount: CommandFilter, /bin/mount, root +mount: CommandFilter, mount, root # nova/virt/disk/mount/api.py: 'umount', mapped_device # nova/virt/disk/api.py: 'umount' target # nova/virt/xenapi/vm_utils.py: 'umount', dev_path # nova/virt/configdrive.py: 'umount', mountdir -umount: CommandFilter, /bin/umount, root +umount: CommandFilter, umount, root # nova/virt/disk/mount/nbd.py: 'qemu-nbd', '-c', device, image # nova/virt/disk/mount/nbd.py: 'qemu-nbd', '-d', device -qemu-nbd: CommandFilter, /usr/bin/qemu-nbd, root +qemu-nbd: CommandFilter, qemu-nbd, root # nova/virt/disk/mount/loop.py: 'losetup', '--find', '--show', image # nova/virt/disk/mount/loop.py: 'losetup', '--detach', device -losetup: CommandFilter, /sbin/losetup, root +losetup: CommandFilter, losetup, root # nova/virt/disk/vfs/localfs.py: 'tee', canonpath -tee: CommandFilter, /usr/bin/tee, root +tee: CommandFilter, tee, root # nova/virt/disk/vfs/localfs.py: 'mkdir', canonpath -mkdir: CommandFilter, /bin/mkdir, root +mkdir: CommandFilter, mkdir, root # nova/virt/disk/vfs/localfs.py: 'chown' # nova/virt/libvirt/connection.py: 'chown', os.getuid( console_log # nova/virt/libvirt/connection.py: 'chown', os.getuid( console_log # nova/virt/libvirt/connection.py: 'chown', 'root', basepath('disk') # 
nova/utils.py: 'chown', owner_uid, path -chown: CommandFilter, /bin/chown, root +chown: CommandFilter, chown, root # nova/virt/disk/vfs/localfs.py: 'chmod' -chmod: CommandFilter, /bin/chmod, root +chmod: CommandFilter, chmod, root # nova/virt/libvirt/vif.py: 'ip', 'tuntap', 'add', dev, 'mode', 'tap' # nova/virt/libvirt/vif.py: 'ip', 'link', 'set', dev, 'up' @@ -69,7 +69,7 @@ chmod: CommandFilter, /bin/chmod, root # nova/network/linux_net.py: 'ip', 'route', 'add', .. # nova/network/linux_net.py: 'ip', 'route', 'del', . # nova/network/linux_net.py: 'ip', 'route', 'show', 'dev', dev -ip: CommandFilter, /sbin/ip, root +ip: CommandFilter, ip, root # nova/virt/libvirt/vif.py: 'tunctl', '-b', '-t', dev # nova/network/linux_net.py: 'tunctl', '-b', '-t', dev 
@@ -78,39 +78,39 @@ tunctl: CommandFilter, tunctl, root # nova/virt/libvirt/vif.py: 'ovs-vsctl', ... # nova/virt/libvirt/vif.py: 'ovs-vsctl', 'del-port', ... # nova/network/linux_net.py: 'ovs-vsctl', .... -ovs-vsctl: CommandFilter, /usr/bin/ovs-vsctl, root +ovs-vsctl: CommandFilter, ovs-vsctl, root # nova/network/linux_net.py: 'ovs-ofctl', .... -ovs-ofctl: CommandFilter, /usr/bin/ovs-ofctl, root +ovs-ofctl: CommandFilter, ovs-ofctl, root # nova/virt/libvirt/connection.py: 'dd', if=%s % virsh_output, ... -dd: CommandFilter, /bin/dd, root +dd: CommandFilter, dd, root # nova/virt/xenapi/volume_utils.py: 'iscsiadm', '-m', ... iscsiadm: CommandFilter, iscsiadm, root # nova/virt/libvirt/volume.py: 'aoe-revalidate', aoedev # nova/virt/libvirt/volume.py: 'aoe-discover' -aoe-revalidate: CommandFilter, /usr/sbin/aoe-revalidate, root -aoe-discover: CommandFilter, /usr/sbin/aoe-discover, root +aoe-revalidate: CommandFilter, aoe-revalidate, root +aoe-discover: CommandFilter, aoe-discover, root # nova/virt/xenapi/vm_utils.py: parted, --script, ... # nova/virt/xenapi/vm_utils.py: 'parted', '--script', dev_path, ..*. parted: CommandFilter, parted, root # nova/virt/xenapi/vm_utils.py: 'pygrub', '-qn', dev_path -pygrub: CommandFilter, /usr/bin/pygrub, root +pygrub: CommandFilter, pygrub, root # nova/virt/xenapi/vm_utils.py: fdisk %(dev_path)s -fdisk: CommandFilter, /sbin/fdisk, root +fdisk: CommandFilter, fdisk, root # nova/virt/xenapi/vm_utils.py: e2fsck, -f, -p, partition_path # nova/virt/disk/api.py: e2fsck, -f, -p, image -e2fsck: CommandFilter, /sbin/e2fsck, root +e2fsck: CommandFilter, e2fsck, root # nova/virt/xenapi/vm_utils.py: resize2fs, partition_path # nova/virt/disk/api.py: resize2fs, image -resize2fs: CommandFilter, /sbin/resize2fs, root +resize2fs: CommandFilter, resize2fs, root # nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ... iptables-save: CommandFilter, iptables-save, root 
@@ -125,7 +125,7 @@ ip6tables-restore: CommandFilter, ip6tables-restore, root arping: CommandFilter, arping, root # nova/network/linux_net.py: 'dhcp_release', dev, address, mac_address -dhcp_release: CommandFilter, /usr/bin/dhcp_release, root +dhcp_release: CommandFilter, dhcp_release, root # nova/network/linux_net.py: 'kill', '-9', pid # nova/network/linux_net.py: 'kill', '-HUP', pid @@ -139,7 +139,7 @@ dnsmasq: DnsmasqFilter, /usr/sbin/dnsmasq, root dnsmasq_deprecated: DeprecatedDnsmasqFilter, /usr/sbin/dnsmasq, root # nova/network/linux_net.py: 'radvd', '-C', '%s' % _ra_file(dev, 'conf'.. -radvd: CommandFilter, /usr/sbin/radvd, root +radvd: CommandFilter, radvd, root # nova/network/linux_net.py: 'brctl', 'addbr', bridge # nova/network/linux_net.py: 'brctl', 'setfd', bridge, 0 
@@ -149,41 +149,41 @@ brctl: CommandFilter, brctl, root # nova/virt/libvirt/utils.py: 'mkswap' # nova/virt/xenapi/vm_utils.py: 'mkswap' -mkswap: CommandFilter, /sbin/mkswap, root +mkswap: CommandFilter, mkswap, root # nova/virt/xenapi/vm_utils.py: 'mkfs' -mkfs: CommandFilter, /sbin/mkfs, root +mkfs: CommandFilter, mkfs, root # nova/virt/libvirt/utils.py: 'qemu-img' -qemu-img: CommandFilter, /usr/bin/qemu-img, root +qemu-img: CommandFilter, qemu-img, root # nova/virt/disk/vfs/localfs.py: 'readlink', '-e' readlink: CommandFilter, readlink, root # nova/virt/disk/api.py: 'touch', target -touch: CommandFilter, /usr/bin/touch, root +touch: CommandFilter, touch, root # nova/virt/disk/api.py: -mkfs.ext3: CommandFilter, /sbin/mkfs.ext3, root -mkfs.ntfs: CommandFilter, /sbin/mkfs.ntfs, root +mkfs.ext3: CommandFilter, mkfs.ext3, root +mkfs.ntfs: CommandFilter, mkfs.ntfs, root # nova/virt/libvirt/connection.py: read_initiator: ReadFileFilter, /etc/iscsi/initiatorname.iscsi # nova/virt/libvirt/connection.py: -lvremove: CommandFilter, /sbin/lvremove, root +lvremove: CommandFilter, lvremove, root # nova/virt/libvirt/utils.py: -lvcreate: CommandFilter, /sbin/lvcreate, root +lvcreate: CommandFilter, lvcreate, root # nova/virt/libvirt/utils.py: -lvs: CommandFilter, /sbin/lvs, root +lvs: CommandFilter, lvs, root # nova/virt/libvirt/utils.py: -vgs: CommandFilter, /sbin/vgs, root +vgs: CommandFilter, vgs, root # nova/virt/baremetal/volume_driver.py: 'tgtadm', '--lld', 'iscsi', ... -tgtadm: CommandFilter, /usr/sbin/tgtadm, root +tgtadm: CommandFilter, tgtadm, root # nova/utils.py:read_file_as_root: 'cat', file_path # (called from nova/virt/disk/vfs/localfs.py:VFSLocalFS.read_file) 
@@ -191,17 +191,17 @@ read_passwd: RegExpFilter, cat, root, cat, (/var|/usr)?/tmp/openstack-vfs-localf read_shadow: RegExpFilter, cat, root, cat, (/var|/usr)?/tmp/openstack-vfs-localfs[^/]+/etc/shadow # nova/virt/libvirt/volume.py: 'multipath' '-R' -multipath: CommandFilter, /sbin/multipath, root +multipath: CommandFilter, multipath, root # nova/virt/libvirt/utils.py: -systool: CommandFilter, /usr/bin/systool, root +systool: CommandFilter, systool, root # nova/virt/libvirt/volume.py: -sginfo: CommandFilter, /usr/bin/sginfo, root -sg_scan: CommandFilter, /usr/bin/sg_scan, root +sginfo: CommandFilter, sginfo, root +sg_scan: CommandFilter, sg_scan, root # nova/virt/xenapi/vm_utils.py: -xenstore-read: CommandFilter, /usr/bin/xenstore-read, root +xenstore-read: CommandFilter, xenstore-read, root -# nova/virt/baremetal/tilera.py: '/usr/sbin/rpc.mountd' -rpc.mountd: CommandFilter, /usr/sbin/rpc.mountd, root +# nova/virt/baremetal/tilera.py: 'rpc.mountd' +rpc.mountd: CommandFilter, rpc.mountd, root diff --git a/etc/nova/rootwrap.d/network.filters b/etc/nova/rootwrap.d/network.filters index f29bd16d2..02138cff4 100644 --- a/etc/nova/rootwrap.d/network.filters +++ b/etc/nova/rootwrap.d/network.filters 
@@ -24,20 +24,20 @@ # nova/network/linux_net.py: 'ip', 'route', 'add', .. # nova/network/linux_net.py: 'ip', 'route', 'del', . # nova/network/linux_net.py: 'ip', 'route', 'show', 'dev', dev -ip: CommandFilter, /sbin/ip, root +ip: CommandFilter, ip, root # nova/virt/libvirt/vif.py: 'ovs-vsctl', ... # nova/virt/libvirt/vif.py: 'ovs-vsctl', 'del-port', ... # nova/network/linux_net.py: 'ovs-vsctl', .... -ovs-vsctl: CommandFilter, /usr/bin/ovs-vsctl, root +ovs-vsctl: CommandFilter, ovs-vsctl, root # nova/network/linux_net.py: 'ovs-ofctl', .... -ovs-ofctl: CommandFilter, /usr/bin/ovs-ofctl, root +ovs-ofctl: CommandFilter, ovs-ofctl, root # nova/network/linux_net.py: 'ebtables', '-D' ... # nova/network/linux_net.py: 'ebtables', '-I' ... -ebtables: CommandFilter, /sbin/ebtables, root -ebtables_usr: CommandFilter, /usr/sbin/ebtables, root +ebtables: CommandFilter, ebtables, root +ebtables_usr: CommandFilter, ebtables, root # nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ... iptables-save: CommandFilter, iptables-save, root @@ -52,7 +52,7 @@ ip6tables-restore: CommandFilter, ip6tables-restore, root arping: CommandFilter, arping, root # nova/network/linux_net.py: 'dhcp_release', dev, address, mac_address -dhcp_release: CommandFilter, /usr/bin/dhcp_release, root +dhcp_release: CommandFilter, dhcp_release, root # nova/network/linux_net.py: 'kill', '-9', pid # nova/network/linux_net.py: 'kill', '-HUP', pid @@ -66,7 +66,7 @@ dnsmasq: DnsmasqFilter, /usr/sbin/dnsmasq, root dnsmasq_deprecated: DeprecatedDnsmasqFilter, /usr/sbin/dnsmasq, root # nova/network/linux_net.py: 'radvd', '-C', '%s' % _ra_file(dev, 'conf'.. -radvd: CommandFilter, /usr/sbin/radvd, root +radvd: CommandFilter, radvd, root # nova/network/linux_net.py: 'brctl', 'addbr', bridge # nova/network/linux_net.py: 'brctl', 'setfd', bridge, 0 
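Review bot: After this hunk `ebtables: CommandFilter, ebtables, root` and `ebtables_usr: CommandFilter, ebtables, root` are identical entries; the `_usr` alias only existed to cover the /usr/sbin location, and with bare names resolved through exec_dirs it no longer adds anything. Two rules for one root-executed command make later audits of the filter set harder to read, so dropping the `ebtables_usr` line here (and adjusting any caller that references that alias, which I cannot see from this diff) would be cleaner. The rest of the hunk is the same path-to-basename change already raised on baremetal-compute-ipmi.filters.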
@@ -75,7 +75,7 @@ radvd: CommandFilter, /usr/sbin/radvd, root brctl: CommandFilter, brctl, root # nova/network/linux_net.py: 'sysctl', .... -sysctl: CommandFilter, /sbin/sysctl, root +sysctl: CommandFilter, sysctl, root # nova/network/linux_net.py: 'conntrack' conntrack: CommandFilter, conntrack, root |