| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
| |
Make Nova use common rootwrap code from oslo-incubator.
Implements bp nova-common-rootwrap
Change-Id: I3282d65940375589fceb8485829097380d84d946
|
| |
|
|
|
|
|
| |
fix N402 (single line docstrings should end in a period) for
rest of nova files
Change-Id: I57d0d9ab01345dd83e544e476d79d2c2ca68ee51
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Add syslogging capabilities to nova-rootwrap, if you set parameter
use_syslog to True. You can specify a facility (syslog_log_facility)
and level (syslog_log_level) to use. Finalizes bp nova-rootwrap-options.
In doing so, it moves rootwrap config parsing to a nova.rootwrap.wrapper
object (and adds unit testing for it). It also improves log messages
content (including the name of the matching filter and the escalation
path used). Incidentally fixes bug 1084766.
Change-Id: Idb8cd9c9febd6263dafab4bc2bff817f00c53dc0
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Adds support for a configurable set of trusted directories to search
executables in (exec_dirs), which defaults to system PATH. If your
filter specifies an exec_path that doesn't start with '/', then it
will be searched in exec_dirs. Avoids having to write multiple
filters to care for distro differences. Fixes bug 1079723.
Also returns a specific error rather than try to run absent executables.
Change-Id: Idab03bb0be6832a75ffeed4e78d25d0543f5caf9
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
nova-dhcpbridge's FLAGFILE environment variable is one of the few
remaining references we have to "flags".
Switching to use a new environment variable is easy, but we need
to take care that when you upgrade the code the compute and network
services might not be restarted immediately.
If this happens, the services may launch a new dnsmasq (so rootwrap
needs to continue to support FLAGFILE) or an existing dnsmasq might run
the lease script (so the script needs to support FLAGFILE).
Change-Id: Ieb55daa2507abb8327c7f5a2ef2f682740f31a5d
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Explictly use env to setup needed environment variables for dnsmasq when
starting to avoid problems with subprocess mis-interpreting the first
command line argument as the executable name.
Also update DnsmasqFilter to accept any command that starts with env
followed by a set of args that include an equals sign, as long as the
next arg is the dnsmasq command.
fixes bug #1073253
Change-Id: I8ac08ba2d2309934a67ed2cb28049ed5d3277d63
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Move rootwrap filters definition from being defined within Nova
code to being defined in configuration files to facilitate pluging-in
new rootwrap commands.
Transition notes:
* nova-rootwrap now requires an additional (first) parameter pointing
to the root-owned rootwrap.conf file, sudoers needs to be updated
to specify that ("nova-rootwrap /etc/nova/rootwrap.conf *")
* Packagers should ship {compute,network,volume}.filters inside a
directory listed in rootwrap.conf rather than shipping
nova/rootwrap/{compute,network,volume}.py
* Filter definitions now only support strings. The KillFilter (which was
using arrays as parameters) was modified and the tests updated.
Implements bp nova-rootwrap-pluggable-filters
Corresponding devstack change needs to land first, so that tests pass:
https://review.openstack.org/8842
Change-Id: I2350154cd8057bd57926ed542de035626f7de37d
|
| |
|
|
|
|
| |
Fixes bug 1013147 (for SLES)
Change-Id: Ib362c913b809f7601a9a4faedede89b22794dfb7
|
| |
|
|
|
|
|
|
|
| |
Fixes bug #1013770
1. Reorder imports by full module path
2. Insert two blank lines after the last import
Change-Id: I294ac3ab528f17a72811392d1732158e9487f3bf
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add ability to use LVM volumes for VM disks.
Implements LVM disks support for libvirt driver.
VM disks will be stored on LVM volumes in volume group
specified by `libvirt_images_volume_group` option.
Another option `libvirt_local_images_type` specify which storage
type will be used. Supported values are `raw`, `lvm`, `qcow2`,
`default`. If `libvirt_local_images_type` = `default`, usual
logic with `use_cow_images` flag is used.
Boolean option `libvirt_sparse_logical_volumes` controls which type
of logical volumes will be created (sparsed with virtualsize or
usual logical volumes with full space allocation). Default value
for this option is `False`.
Commit introduce three classes: `Raw`, `Qcow2` and `Lvm`. They contain
image creation logic, that was stored in
`LibvirtConnection._cache_image` and `libvirt_info` methods,
that produce right `LibvirtGuestConfigDisk` configurations for
libvirt. `Backend` class choose which image type to use.
Change-Id: I0d01cb7d2fd67de2565b8d45d34f7846ad4112c2
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The initial code for this fixed used rstrip incorrectly.
This implementation uses endswith and rindex instead
and should read a bit more easily.
Also added a unit test to test that 'deleted' exe's are
filtered correctly.
Fixes LP Bug #967931.
Change-Id: I1783a8e2d59edd35734673b23e295f5a0b80b988
|
| |
|
|
| |
Change-Id: I03c569252f896330cc6396267e00b626e9232fb7
|
| |
|
|
|
|
| |
* fixes bug 969959
Change-Id: I8baca18c57ed1311a2f3aeb93ad92e34be380c50
|
| |
|
|
|
|
|
|
|
| |
Updates KillFilter so that it handles the case where the executable
linked to by /proc/PID/exe is updated or deleted.
Fixes LP Bug #967931.
Change-Id: I368a01383bf62b64b7579d573b8b84640dec03ae
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
* Remove core vsa code (api, manager, drivers)
* Remove nova-vsa executable
* Remove OpenStack Compute API v2 vsa extension
* Remove vsa scheduler
* Remove vsa db api methods
* Remove Zadara volume driver
* Do not migrate out any existing data
* Fixes bug 954490
Change-Id: Idab3d60796d5edbc23ef9f0887fcc1af558c6215
|
| |
|
|
|
|
|
| |
Openstack => OpenStack
for nova/*py
Change-Id: Ibcfae4776422a515a109e59510fc84f8b63c00b9
|
| |\ |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
* snapshot is only supposed to snapshot the root drive, whereas
libvirt snapshots snapshot the memory and all attached disks
* removes silly qemu_img flag
* fixes bug 946830
Change-Id: I6afc9dbaa855f06864cd5a37f89ad63555e35d23
|
| |/
|
|
| |
Change-Id: I8df1851acebf62f633e8422a2549a8d0227b307d
|
| |
|
|
|
|
|
|
|
|
| |
Rootwrap will return "not authorized" for a command
that is defined in the rootwrap filters but not
installed on the system. Therefore return the first
matching filter for such a command so that sudo will
try to execute it and return a more appropriate error.
Change-Id: I77eeff229e73d55083a735af7a9029469132c800
|
| |
|
|
|
|
|
|
|
| |
Drivers have been reviewed earlier by Quantum reviewers and are being
moved here on their request.
Also incorporating Soren,Dan, pp-draigbrady and Vish's suggestions.
Change-Id: If04807c473542e2f0259faa6d243c3e6e9539f64
|
| |
|
|
|
|
|
|
|
| |
Add missing rootwrap filters for 'ovs-ofctl', 'cp' and 'mkfs'.
Do not run 'rm' as root since it's unnecessary.
Add documentation to try to prevent future misses.
Fixes bug 943293.
Change-Id: Ia680048a28a75f661a136d8447ff0aaf195649ba
|
| |
|
|
|
|
|
| |
* Fixes bug 926412
* Includes failing test
Change-Id: Ie0105ff777575d6dd794ce5b5e08545fb54ecf8b
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some volumes need to know the name of the initiator that will be
connecting to the iscsi volume. This adds a call down to the hypervisor
driver to get the ip and the initiator name for the vm before calling
initialize connection. This connection is passed down to the volume
driver so that it can be used to authenticate when the hypervisor
tries to connect to the volume.
* Adds initiator initialize_connection
* Makes a call to driver to get initiator name and ip address
* Gets initiator from openiscsi for libvirt
* Gets initiator from config for xenapi
* Add tests for the driver calls
* Fixes bug 924461
Change-Id: I5b6a2dd84560c7f7b447571e0abf0993e5512ca0
|
| |
|
|
|
|
|
|
| |
* Adds a rootwrap filter to limit readable files
* Adds a utils method to read a file as root
* adds tests to verify the additions work
Change-Id: Ic1ffb6f72f9b73795d5f39fac719842e6bdf16dd
|
| |
|
|
| |
Change-Id: Ia70a3acf9f8ca6b8c552f208767a92f321b912a5
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The match() method in the KillFilter is a bit buggy. Since most/many
run through this logic in their way to being matched, it creates subtle
issues elsewhere, specifically during linux_net bridge creation. This
fixes two issues.
1. userargs gets elements directly popped off of it. If the KillFilter
does not match the command its checking, the later filter that does is missing
one argument.
2. Type error on pid when checking /proc, this was causing issues on instance
tear down / kill -HUP'ing dnsmasq.
Fixes bug 921784
Change-Id: I058ff2276e3154e8c1f6cc7077fa485db60e5827
|
| |
|
|
|
|
|
|
| |
Use a specific KillFilter to restrict kill commands run as root.
This implementation checks the signals and the executables
actually affected, using procfs. Fixes bug 918226.
Change-Id: I6f220d741423c4b8e0e792b647760b3ef521b9b2
|
| |
|
|
|
|
|
| |
Fix environment passing in DnsmasqFilter so that dnsmasq can
be run as root through nova-rootwrap. Fixes bug 919275.
Change-Id: I2e78d92b9af4ddea9c0f1c5ddbe2d55fb672310e
|
| |
|
|
|
|
|
| |
Imports cleanup (to follow HACKING conventions) and rename
of a test function for naming consistency.
Change-Id: I57742ecb35e078cf72e4edb42dfe79ea40348997
|
| |
|
|
|
| |
Change-Id: I675c768a0d6ad3d289a888b44e52a8f9789f4a7e
Signed-off-by: Chuck Short <chuck.short@canonical.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
http://libguestfs.org/ provides both utilities and libraries
to manipulate image files containing various operating systems.
It supports various image file formats and so will expand
the formats and guest types supported by openstack.
It does have extra overhead in that it starts a VM to
access the image. This has both advantages and disadvantages.
Also qemu-nbd is not supported on some systems like RHEL 6.
* nova/virt/disk/api.py (img_handlers): Add guestfs to the default
list of access methods to try, to act as a fallback.
* nova/virt/disk/guestfs.py: A new plugin class to provide support
for libguestfs mounting.
Note we use the guestmount utility, as a non root user,
so the user will need the ability to use fusermount, which
is often provided by being a member of the 'fuser' group.
In future we might use the guestfs python module to give
greater granularity of control over the image.
Change-Id: I2e22c9d149fff7a73cd8cebaa280d68d3fb9096c
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Rather than providing two mutually exlusive image
access methods (loop and qemu-nbd), try each in turn.
This is to prepare for a follow up patch which will
add libguestfs as a method to try.
* nova/virt/mount.py: A new Mount class to abstract the
devce allocation, partition mapping and file sys mounting,
for each access type.
* nova/virt/disk/loop.py: A specialization of the base Mount class
to provide loop back mounting support.
* nova/virt/disk/nbd.py: A specialization of the base Mount class
to provide qemu-nbd mounting support.
* nova/virt/disk/api.py: A new file containing the nova.virt.disk
module interface.
(img_handlers): A new list of access methods to try,
with the order being honored.
(_DiskImage): An internal helper class that uses the plugin classes
above, to provide the operations available on a disk image file.
When mounting, iterate over each access method until one succeeds.
If a hint is provided about a CoW format image, the list of
methods to try will be reduced accordingly.
Note expected errors are no longer raised as exceptions during mounting.
Instead, on failure to mount an image, errors are collated and raised.
Interveining errors are logged in debug mode for successful mounts.
* nova/virt/libvirt/connection.py: Adjust the function parameter
names to be more general, rather than referencing specific
implementations like 'nbd' and 'tune2fs'.
Simplify the destroy_container() by storing and passing
back a reference to the _DiskImage object, which has the
necessary state to unmount.
* nova/utils.py (trycmd): A helper function to both deal with,
commands that issue ignorable warnings to stderr,
and commands that EXIT_SUCCESS while issuing errors to stderr.
nova/virt/xenapi/vm_utils.py: Adjust for the moved virt.disk package
Change-Id: If3a4b1c8f4e2f2e7300a21071340dcc839cb36d7
|
|
|
Alternative to using a sudoers file to limit which commands can be run as
root in Nova. This one makes use of command filters defined in Nova code
itself, which can be customized to deeply inspect command arguments before
allowing a command to be executed.
This change puts the infrastructure in place, together with command filters
that replicate the level of filtering provided by a sudoers file (no deep
argument inspection yet). An example of an advanced filter (RegExpFilter) is
also provided. This new root wrapper is not active by default (root_helper
still defaults to "sudo"). Implements blueprint nova-rootwrap.
Change-Id: I7ad723b55e9446758876f21b4fbb09374a910425
|
