Astara oslo.rootwrap
Use oslo.rootwrap to replace the default root_helper sudo. Add network filters for the ip, ovs-vsctl and ovs-ofctl commands. Change-Id: I13d42b32b6589069a73d33eb67eed117cd519a5b Implements: blueprint astara-rootwrap
This commit is contained in:
parent
7a69eb0f7e
commit
087132fac6
@ -62,9 +62,9 @@ OPTS = [
|
||||
CONF.register_opts(OPTS)
|
||||
|
||||
|
||||
# NOTE(adam_g): These need a better home
|
||||
AGENT_OPTIONS = [
|
||||
cfg.StrOpt('root_helper', default='sudo'),
|
||||
cfg.StrOpt('root_helper',
|
||||
default='sudo astara-rootwrap /etc/astara/rootwrap.conf'),
|
||||
]
|
||||
CONF.register_group(cfg.OptGroup(name='AGENT'))
|
||||
CONF.register_opts(AGENT_OPTIONS, 'AGENT')
|
||||
|
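Review bot: The new `root_helper` default on the `default='sudo astara-rootwrap /etc/astara/rootwrap.conf'` line embeds an absolute config path, yet the option still has no `help=` text, so an operator installing under a different prefix gets no hint that this path must point at the installed rootwrap.conf. Suggest `cfg.StrOpt('root_helper', default='sudo astara-rootwrap /etc/astara/rootwrap.conf', help='Command prefix used to run privileged network commands (ip, ovs-vsctl, ovs-ofctl); the rootwrap config it names must be owned and writable only by root.')`. Since `AGENT_OPTIONS` is registered with `CONF.register_opts(AGENT_OPTIONS, 'AGENT')` on the last line of the hunk, the help text is also where to say that the value is read from the `[AGENT]` section.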
@ -75,7 +75,10 @@ class FakePort:
|
||||
class TestBase(unittest.TestCase):
|
||||
def setUp(self):
|
||||
root_helper_opt = [
|
||||
cfg.StrOpt('root_helper', default='sudo'),
|
||||
cfg.StrOpt(
|
||||
'root_helper',
|
||||
default='sudo astara-rootwrap /etc/astara/rootwrap.conf'
|
||||
),
|
||||
]
|
||||
self.conf = cfg.CONF
|
||||
self.conf.register_opts(root_helper_opt)
|
||||
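Review bot: `setUp` re-declares `root_helper` with a copied literal default and registers it in the default group via `self.conf.register_opts(root_helper_opt)`, while the production option in the `@ -62,9 +62,9 @@` hunk is registered under the `AGENT` group; the assertions then compare against `self.conf.root_helper`, a value this test file defines itself, so a later change to the real default or to the group the drivers read would not be caught here. If the drivers under test read the `AGENT` group (not visible in these hunks), consider registering the production list instead of duplicating the literal, e.g. `self.conf.register_opts(AGENT_OPTIONS, 'AGENT')` with assertions on `self.conf.AGENT.root_helper`. The same duplicated `self.conf.root_helper` pattern recurs in the assertion hunks at `@ -114,7 +117,7 @@`, `@ -158,9 +161,9 @@`, `@ -183,7 +186,7 @@`, `@ -216,7 +219,8 @@`, `@ -246,7 +250,9 @@` and `@ -256,5 +262,6 @@`. `setUp` appears to continue past the end of this hunk.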
@ -114,7 +117,7 @@ class TestABCDriver(TestBase):
|
||||
ns = '12345678-1234-5678-90ab-ba0987654321'
|
||||
bc.init_l3('tap0', ['192.168.1.2/24'], namespace=ns)
|
||||
self.ip_dev.assert_has_calls(
|
||||
[mock.call('tap0', 'sudo', namespace=ns),
|
||||
[mock.call('tap0', self.conf.root_helper, namespace=ns),
|
||||
mock.call().addr.list(scope='global', filters=['permanent']),
|
||||
mock.call().addr.add(4, '192.168.1.2/24', '192.168.1.255'),
|
||||
mock.call().addr.delete(4, '172.16.77.240/24')])
|
||||
@ -158,9 +161,9 @@ class TestOVSInterfaceDriver(TestBase):
|
||||
'aa:bb:cc:dd:ee:ff',
|
||||
bridge=bridge,
|
||||
namespace=namespace)
|
||||
execute.assert_called_once_with(vsctl_cmd, 'sudo')
|
||||
execute.assert_called_once_with(vsctl_cmd, self.conf.root_helper)
|
||||
|
||||
expected = [mock.call('sudo'),
|
||||
expected = [mock.call(self.conf.root_helper),
|
||||
mock.call().device('tap0'),
|
||||
mock.call().device().link.set_address('aa:bb:cc:dd:ee:ff')]
|
||||
expected.extend(additional_expectation)
|
||||
@ -183,7 +186,7 @@ class TestOVSInterfaceDriver(TestBase):
|
||||
with mock.patch('astara.common.linux.ovs_lib.OVSBridge') as ovs_br:
|
||||
ovs = interface.OVSInterfaceDriver(self.conf)
|
||||
ovs.unplug('tap0')
|
||||
ovs_br.assert_has_calls([mock.call(bridge, 'sudo'),
|
||||
ovs_br.assert_has_calls([mock.call(bridge, self.conf.root_helper),
|
||||
mock.call().delete_port('tap0')])
|
||||
|
||||
|
||||
@ -216,7 +219,8 @@ class TestBridgeInterfaceDriver(TestBase):
|
||||
'aa:bb:cc:dd:ee:ff',
|
||||
namespace=namespace)
|
||||
|
||||
ip_calls = [mock.call('sudo'), mock.call().add_veth('tap0', 'ns-0')]
|
||||
ip_calls = [mock.call(self.conf.root_helper),
|
||||
mock.call().add_veth('tap0', 'ns-0')]
|
||||
if namespace:
|
||||
ip_calls.extend([
|
||||
mock.call().ensure_namespace('01234567-1234-1234-99'),
|
||||
@ -246,7 +250,9 @@ class TestBridgeInterfaceDriver(TestBase):
|
||||
with mock.patch('astara.common.linux.interface.LOG') as log:
|
||||
br = interface.BridgeInterfaceDriver(self.conf)
|
||||
br.unplug('tap0')
|
||||
[mock.call(), mock.call('tap0', 'sudo'), mock.call().link.delete()]
|
||||
[mock.call(),
|
||||
mock.call('tap0', self.conf.root_helper),
|
||||
mock.call().link.delete()]
|
||||
self.assertEqual(log.exception.call_count, 1)
|
||||
|
||||
def test_unplug(self):
|
||||
@ -256,5 +262,6 @@ class TestBridgeInterfaceDriver(TestBase):
|
||||
br.unplug('tap0')
|
||||
self.assertEqual(log.call_count, 1)
|
||||
|
||||
self.ip_dev.assert_has_calls([mock.call('tap0', 'sudo', None),
|
||||
mock.call().link.delete()])
|
||||
self.ip_dev.assert_has_calls([
|
||||
mock.call('tap0', self.conf.root_helper, None),
|
||||
mock.call().link.delete()])
|
||||
|
@ -63,6 +63,13 @@ function configure_astara() {
|
||||
sudo mkdir -p $ASTARA_CACHE_DIR
|
||||
sudo chown $STACK_USER $ASTARA_CACHE_DIR
|
||||
|
||||
if [[ ! -d $ASTARA_CONF_DIR/rootwrap.d ]]; then
|
||||
sudo mkdir -p $ASTARA_CONF_DIR/rootwrap.d
|
||||
fi
|
||||
|
||||
sudo cp $ASTARA_DIR/etc/rootwrap.conf $ASTARA_CONF_DIR
|
||||
sudo cp $ASTARA_DIR/etc/rootwrap.d/* $ASTARA_CONF_DIR/rootwrap.d/
|
||||
|
||||
cp $ASTARA_DIR/etc/orchestrator.ini $ASTARA_CONF
|
||||
iniset $ASTARA_CONF DEFAULT verbose True
|
||||
configure_auth_token_middleware $ASTARA_CONF $Q_ADMIN_USERNAME $ASTARA_CACHE_DIR
|
||||
|
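Review bot: The two `sudo cp` lines install rootwrap.conf and the filter directory without setting ownership or mode, even though the shipped rootwrap.conf states that both MUST be writable only by root; if `$ASTARA_CONF_DIR` is owned by the stack user (common for devstack config dirs, though not visible here), that user could edit the filter set and the privilege boundary rootwrap introduces is lost. Add after the copies: `sudo chown -R root:root $ASTARA_CONF_DIR/rootwrap.conf $ASTARA_CONF_DIR/rootwrap.d`, `sudo chmod 644 $ASTARA_CONF_DIR/rootwrap.conf $ASTARA_CONF_DIR/rootwrap.d/*` and `sudo chmod 755 $ASTARA_CONF_DIR/rootwrap.d`. Note also that the configured default `/etc/astara/rootwrap.conf` only matches when `$ASTARA_CONF_DIR` resolves to `/etc/astara`, which this hunk does not show. The `if [[ ! -d ... ]]` guard is redundant with `mkdir -p`. `configure_astara` continues outside the hunk.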
@ -56,7 +56,7 @@ control_exchange = quantum
|
||||
neutron_port_security_extension_enabled = True
|
||||
|
||||
[AGENT]
|
||||
root_helper=sudo
|
||||
root_helper=sudo astara-rootwrap /etc/astara/rootwrap.conf
|
||||
|
||||
# If running multiple astara instances, configure use of an external
|
||||
# cluster coordinator here. For more information on supported coordination
|
||||
|
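Review bot: The sample `root_helper=sudo astara-rootwrap /etc/astara/rootwrap.conf` only narrows privilege if the service account's sudoers rule permits `astara-rootwrap` alone; the sample does not say so, and an operator copying it may leave the account with the unrestricted sudo this change is meant to replace. Suggest a comment above the line: `# Invoked via sudo: the service user's sudoers entry should allow only astara-rootwrap, and rootwrap.conf plus the filters it loads must be owned and writable only by root.`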
27
etc/rootwrap.conf
Normal file
27
etc/rootwrap.conf
Normal file
@ -0,0 +1,27 @@
|
||||
# Configuration for astara-rootwrap
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
[DEFAULT]
|
||||
# List of directories to load filter definitions from (separated by ',').
|
||||
# These directories MUST all be only writeable by root !
|
||||
filters_path=/etc/astara/rootwrap.d
|
||||
|
||||
# List of directories to search executables in, in case filters do not
|
||||
# explicitely specify a full path (separated by ',')
|
||||
# If not specified, defaults to system PATH environment variable.
|
||||
# These directories MUST all be only writeable by root !
|
||||
exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin
|
||||
|
||||
# Enable logging to syslog
|
||||
# Default value is False
|
||||
use_syslog=False
|
||||
|
||||
# Which syslog facility to use.
|
||||
# Valid values include auth, authpriv, syslog, local0, local1...
|
||||
# Default value is 'syslog'
|
||||
syslog_log_facility=syslog
|
||||
|
||||
# Which messages to log.
|
||||
# INFO means log all usage
|
||||
# ERROR means only log unsuccessful attempts
|
||||
syslog_log_level=ERROR
|
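Review bot: `use_syslog=False` together with `syslog_log_level=ERROR` means that invocations rejected by the filters (the comment above describes `ERROR` as logging unsuccessful attempts) are recorded nowhere by default, so an attempt to run a command outside the allowed set leaves no trace for operators. Consider shipping `use_syslog=True`, or at least extend the `# Enable logging to syslog` comment with `# Recommended in production so rejected commands are visible in audit logs`. Minor: `explicitely` in the `exec_dirs` comment should read `explicitly`.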
18
etc/rootwrap.d/network.filters
Normal file
18
etc/rootwrap.d/network.filters
Normal file
@ -0,0 +1,18 @@
|
||||
# astara-rootwrap command filters for astara
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
[Filters]
|
||||
# astara/common/linux/ip_lib.py: 'ip', 'link', ..
|
||||
# astara/common/linux/ip_lib.py: 'ip', 'addr', ..
|
||||
# astara/common/linux/ip_lib.py: 'ip', 'route', ..
|
||||
ip: IpFilter, ip, root
|
||||
|
||||
# astara/common/linux/ip_lib.py: 'ip', 'netns', 'exec', 'namespace', 'ip', ..
|
||||
ip_exec: IpNetnsExecFilter, ip, root
|
||||
|
||||
# astara/common/linux/interface.py: 'ovs-vsctl'..
|
||||
ovs-vsctl: CommandFilter, ovs-vsctl, root
|
||||
|
||||
# astara/common/linux/ovs_lib.py: 'ovs-ofctl'..
|
||||
ovs-ofctl: CommandFilter, ovs-ofctl, root
|
||||
|
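Review bot: The `ip_exec: IpNetnsExecFilter, ip, root` entry, as oslo.rootwrap's IpNetnsExecFilter works, admits an `ip netns exec <ns> <cmd>` invocation only when the inner `<cmd>` itself matches another filter in this file, so inside a namespace only `ip`, `ovs-vsctl` and `ovs-ofctl` can run; the `ip_lib.py` comment above it suggests only `ip` follows `exec`, so this constraint deserves stating. Suggested comment before `ip_exec`: `# the command after 'exec <ns>' must itself match a filter in this file`. The two `CommandFilter` entries accept any arguments to `ovs-vsctl` and `ovs-ofctl`, which is the usual trade-off for these tools; a one-line comment saying that is deliberate would help whoever audits the filter set later.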
5
releasenotes/notes/astara-rootwrap-59731966fb3a0117.yaml
Normal file
5
releasenotes/notes/astara-rootwrap-59731966fb3a0117.yaml
Normal file
@ -0,0 +1,5 @@
|
||||
---
|
||||
features:
|
||||
- >
|
||||
`Blueprint astara-rootwrap <https://blueprints.launchpad.net/astara/+spec/astara-rootwrap>`_ \-
|
||||
We replace shelling out directly to sudo with the oslo.rootwrap library.
|
@ -14,6 +14,7 @@ oslo.log>=1.14.0 # Apache-2.0
|
||||
oslo.messaging!=2.8.0,!=3.1.0,>2.6.1 # Apache-2.0
|
||||
oslo.serialization>=1.10.0 # Apache-2.0
|
||||
oslo.utils>=3.2.0 # Apache-2.0
|
||||
oslo.rootwrap>=2.0.0 # Apache-2.0
|
||||
WebOb>=1.2.3
|
||||
python-novaclient!=2.33.0,>=2.29.0
|
||||
cliff>=1.15.0 # Apache-2.0
|
||||
|