cinder: Support os-brick privsep filters

Currently os-brick that glance_store depends on uses oslo-privsep
to execute commands with root privileges, so we do not need to
maintain each command for os-brick in the rootwrap filters, but
only need to add the privsep-helper command.

This replaces the filters for os-brick with the privsep helper.

Related changes in Nova:
  # nova: Add os-brick rootwrap filter for privsep
  # nova: Initialise oslo.privsep early in main
Related changes in Cinder:
  # cinder: Add os-brick rootwrap filter for privsep
  # cinder: Initialise oslo.privsep early in main

Change-Id: Idbebaf796eaf89189f64f64167371b81e56b366e
Tomoki Sekiyama 7 years ago
parent df0780bd0e
commit c369ba013f

@ -5,25 +5,8 @@
# cinder store driver
disk_chown: RegExpFilter, chown, root, chown, \d+, /dev/(?!.*/\.\.).*
# os-brick
mount: CommandFilter, mount, root
blockdev: RegExpFilter, blockdev, root, blockdev, (--getsize64|--flushbufs), /dev/.*
tee: CommandFilter, tee, root
mkdir: CommandFilter, mkdir, root
chown: RegExpFilter, chown, root, chown root:root /etc/pstorage/clusters/(?!.*/\.\.).*
ip: CommandFilter, ip, root
dd: CommandFilter, dd, root
iscsiadm: CommandFilter, iscsiadm, root
aoe-revalidate: CommandFilter, aoe-revalidate, root
aoe-discover: CommandFilter, aoe-discover, root
aoe-flush: CommandFilter, aoe-flush, root
read_initiator: ReadFileFilter, /etc/iscsi/initiatorname.iscsi
multipath: CommandFilter, multipath, root
multipathd: CommandFilter, multipathd, root
systool: CommandFilter, systool, root
sg_scan: CommandFilter, sg_scan, root
cp: CommandFilter, cp, root
drv_cfg: CommandFilter, /opt/emc/scaleio/sdc/bin/drv_cfg, root, /opt/emc/scaleio/sdc/bin/drv_cfg, --query_guid
sds_cli: CommandFilter, /usr/local/bin/sds/sds_cli, root
vgc-cluster: CommandFilter, vgc-cluster, root
scsi_id: CommandFilter, /lib/udev/scsi_id, root
# os-brick library commands
# os_brick.privileged.run_as_root oslo.privsep context
# This line ties the superuser privs with the config files, context name,
# and (implicitly) the actual python code invoked.
privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.*