cinder: Support os-brick privsep filters

Currently os-brick that glance_store depends on uses oslo-privsep
to execute commands with root privileges, so we do not need to
maintain each command for os-brick in the rootwrap filters, but
only need to add the privsep-helper command.

This replaces the filters for os-brick with the privsep helper.

Related changes in Nova:
  I4e333e73ddfd45c045b9d32dac1506fc25858c4d
  # nova: Add os-brick rootwrap filter for privsep
  I3a52f762deb176fe9201b2a0f0da363057f8aaec
  # nova: Initialise oslo.privsep early in main
Related changes in Cinder:
  I3b2e337321875cf4abc0ab9b44fe17cf9327d88b
  # cinder: Add os-brick rootwrap filter for privsep
  Id9652ccf001a707fbd59e277c36817bd6d58e7b3
  # cinder: Initialise oslo.privsep early in main

Change-Id: Idbebaf796eaf89189f64f64167371b81e56b366e
Tomoki Sekiyama 2016-07-01 20:23:06 +09:00
parent df0780bd0e
commit c369ba013f


@ -5,25 +5,8 @@
# cinder store driver
disk_chown: RegExpFilter, chown, root, chown, \d+, /dev/(?!.*/\.\.).*
# os-brick
mount: CommandFilter, mount, root
blockdev: RegExpFilter, blockdev, root, blockdev, (--getsize64|--flushbufs), /dev/.*
tee: CommandFilter, tee, root
mkdir: CommandFilter, mkdir, root
chown: RegExpFilter, chown, root, chown root:root /etc/pstorage/clusters/(?!.*/\.\.).*
ip: CommandFilter, ip, root
dd: CommandFilter, dd, root
iscsiadm: CommandFilter, iscsiadm, root
aoe-revalidate: CommandFilter, aoe-revalidate, root
aoe-discover: CommandFilter, aoe-discover, root
aoe-flush: CommandFilter, aoe-flush, root
read_initiator: ReadFileFilter, /etc/iscsi/initiatorname.iscsi
multipath: CommandFilter, multipath, root
multipathd: CommandFilter, multipathd, root
systool: CommandFilter, systool, root
sg_scan: CommandFilter, sg_scan, root
cp: CommandFilter, cp, root
drv_cfg: CommandFilter, /opt/emc/scaleio/sdc/bin/drv_cfg, root, /opt/emc/scaleio/sdc/bin/drv_cfg, --query_guid
sds_cli: CommandFilter, /usr/local/bin/sds/sds_cli, root
vgc-cluster: CommandFilter, vgc-cluster, root
scsi_id: CommandFilter, /lib/udev/scsi_id, root
# os-brick library commands
# os_brick.privileged.run_as_root oslo.privsep context
# This line ties the superuser privs with the config files, context name,
# and (implicitly) the actual python code invoked.
privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.*
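Review bot: the `--config-file` pattern on the added `privsep-rootwrap` line, `/etc/(?!\.\.).*`, only rejects a `..` component that sits immediately after `/etc/`; the `disk_chown` filter kept at the top of this hunk uses `(?!.*/\.\.).*`, which rejects `..` anywhere in the path, and the new filter should use that same form so a config path that descends back out of `/etc` through a later `../` segment is not accepted. The `--privsep_sock_path` pattern `/tmp/.*` has the same shape and would take the same lookahead. It would also help to say in the comment block above the line that the per-command filters removed in this hunk (`mount`, `dd`, `cp`, `ip`, `tee`, `mkdir`, and the rest) are now reached only through `privsep-helper`, since several of those `CommandFilter` entries allowed arbitrary arguments as root and this single line is now what bounds them.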