From 8c5d7de6938dc44c807cfa4bbd01cbecc12e797c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Harald=20Jens=C3=A5s?=
Date: Fri, 17 Aug 2018 18:08:39 +0200
Subject: [PATCH] Add rootwrap filter for systemctl control of dnsmasq

The dnsmasq pxe filter takes start/stop commands for the dnsmasq service as options. Restarting the systemd service requires root access. This change adds a rootwrap filter to allow systemctl control of the dnsmasq service.

NOTE: The systemd service name is the one used in the RDO distribution. Additional filters may be needed for other distributions.

Story: 2002818
Task: 24754
Change-Id: Ie961ec4d3b6b65a462e2d2493f5b9240c2bfa7a6
--- ...xe-filter-rootwrap-systemctl-099964ad39d38b4c.yaml | 11 +++++++++++ rootwrap.d/ironic-inspector-firewall.filters | 6 ------ rootwrap.d/ironic-inspector.filters | 10 ++++++++++ 3 files changed, 21 insertions(+), 6 deletions(-) create mode 100644 releasenotes/notes/dnsmask-pxe-filter-rootwrap-systemctl-099964ad39d38b4c.yaml delete mode 100644 rootwrap.d/ironic-inspector-firewall.filters create mode 100644 rootwrap.d/ironic-inspector.filters diff --git a/releasenotes/notes/dnsmask-pxe-filter-rootwrap-systemctl-099964ad39d38b4c.yaml b/releasenotes/notes/dnsmask-pxe-filter-rootwrap-systemctl-099964ad39d38b4c.yaml new file mode 100644 index 000000000..49a393ac2 --- /dev/null +++ b/releasenotes/notes/dnsmask-pxe-filter-rootwrap-systemctl-099964ad39d38b4c.yaml @@ -0,0 +1,11 @@ +--- +fixes: + - | + A new rootwrap filter is now included to allow control of the systemd + dnsmasq service used by ironic-inspector. This fixes a permission issue + when systemctl commands are used as ``dnsmasq_start_command`` and + ``dnsmasq_stop_command`` in the configuration for the dnsmasq pxe filter. + See bug `2002818 `_. + + .. Note:: The filter uses the systemd service name used by the RDO + distrubution (``openstack-ironic-inspector-dnsmasq.service``). 
diff --git a/rootwrap.d/ironic-inspector-firewall.filters b/rootwrap.d/ironic-inspector-firewall.filters deleted file mode 100644 index 893454f1a..000000000 --- a/rootwrap.d/ironic-inspector-firewall.filters +++ /dev/null @@ -1,6 +0,0 @@ -# ironic-inspector-rootwrap command filters for firewall manipulation -# This file should be owned by (and only-writeable by) the root user - -[Filters] -# ironic_inspector/firewall.py -iptables: CommandFilter, iptables, root diff --git a/rootwrap.d/ironic-inspector.filters b/rootwrap.d/ironic-inspector.filters new file mode 100644 index 000000000..352dd843a --- /dev/null +++ b/rootwrap.d/ironic-inspector.filters @@ -0,0 +1,10 @@ +# This file should be owned by (and only-writeable by) the root user + +[Filters] +# ironic-inspector-rootwrap command filters for firewall manipulation +# ironic_inspector/firewall.py +iptables: CommandFilter, iptables, root + +# ironic-inspector-rootwrap command filters for systemctl manipulation of the dnsmasq service +# ironic_inspector/pxe_filter/dnsmasq.py +systemctl: RegExpFilter, /bin/systemctl, root, systemctl, .*, openstack-ironic-inspector-dnsmasq.service
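Review bot: In the new release note, the closing ``.. Note::`` line spells "distribution" as "distrubution", and the note's file name starts with "dnsmask" where the service is dnsmasq. Both are worth fixing before merge, since the text is published as-is and the file name is what people search for. The bug reference on the "See bug" line also shows no link target as it appears here; check that the reference still carries its URL.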
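Review bot: Deleting rootwrap.d/ironic-inspector-firewall.filters moves the iptables entry to a new file name, but the release note only has a ``fixes`` section and says nothing about the rename. A package or deployment tool that installs the old file name by path would stop shipping the iptables filter, and an upgraded host can be left with the stale root-owned file next to the new one. Suggest adding an ``upgrade`` entry that names both files and says the old one should be removed.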
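Review bot: In rootwrap.d/ironic-inspector.filters, the systemctl entry uses `.*` for the verb argument, so any systemctl subcommand aimed at the unit is allowed as root, while the commit message only calls for starting, stopping and restarting the service. Suggest narrowing that pattern to the verbs the dnsmasq pxe filter actually issues, for example `start|stop|restart`, so the filter grants no more than the feature needs. The dots in `openstack-ironic-inspector-dnsmasq.service` are unescaped in a RegExpFilter pattern and match any character; writing them as `\.` keeps the match to the intended unit name. The hard-coded `/bin/systemctl` path is distribution-specific in the same way as the service name, so the comment above the entry could say so.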