Add rootwrap filter for systemctl control of dnsmasq

The dnsmasq pxe filter takes start/stop commands for the
dnsmasq service as options. Restarting the systemd service
requires root access.

This change adds a rootwrap filter to allow systemctl
control of the dnsmasq service.

NOTE: The systemd service name is the one used in the RDO
distribution. Additional filters may be needed for other
distributions.

Story: 2002818
Task: 24754
Change-Id: Ie961ec4d3b6b65a462e2d2493f5b9240c2bfa7a6
Harald Jensås 8 months ago
parent
commit
8c5d7de693

+ 11
- 0
releasenotes/notes/dnsmask-pxe-filter-rootwrap-systemctl-099964ad39d38b4c.yaml

@@ -0,0 +1,11 @@
1
+---
2
+fixes:
3
+  - |
4
+    A new rootwrap filter is now included to allow control of the systemd
5
+    dnsmasq service used by ironic-inspector. This fixes a permission issue
6
+    when systemctl commands are used as ``dnsmasq_start_command`` and
7
+    ``dnsmasq_stop_command`` in the configuration for the dnsmasq pxe filter.
8
+    See bug `2002818 <https://storyboard.openstack.org/#!/story/2002818>`_.
9
+
10
+    .. Note:: The filter uses the systemd service name used by the RDO
11
+              distrubution (``openstack-ironic-inspector-dnsmasq.service``).
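
Review bot: The last added line spells "distrubution" where "distribution" is meant, and the note's file name says "dnsmask" rather than "dnsmasq". The ``fixes:`` text also only mentions the new filter, while this change replaces rootwrap.d/ironic-inspector-firewall.filters with rootwrap.d/ironic-inspector.filters; an ``upgrade:`` entry telling deployers and packagers to install the new filter file and remove the old one would cover that.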

+ 0
- 6
rootwrap.d/ironic-inspector-firewall.filters

@@ -1,6 +0,0 @@
1
-# ironic-inspector-rootwrap command filters for firewall manipulation
2
-# This file should be owned by (and only-writeable by) the root user
3
-
4
-[Filters]
5
-# ironic_inspector/firewall.py
6
-iptables: CommandFilter, iptables, root
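
Review bot: The removal of this file is not mentioned in the commit message, and a deployment that already copied it into its rootwrap filters directory will keep the stale copy next to the new ironic-inspector.filters. Either leave the firewall filter file in place and ship the systemctl filter as a separate file, or state the rename in the commit message so that packagers update their file lists.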

+ 10
- 0
rootwrap.d/ironic-inspector.filters

@@ -0,0 +1,10 @@
1
+# This file should be owned by (and only-writeable by) the root user
2
+
3
+[Filters]
4
+# ironic-inspector-rootwrap command filters for firewall manipulation
5
+# ironic_inspector/firewall.py
6
+iptables: CommandFilter, iptables, root
7
+
8
+# ironic-inspector-rootwrap command filters for systemctl manipulation of the dnsmasq service
9
+# ironic_inspector/pxe_filter/dnsmasq.py
10
+systemctl: RegExpFilter, /bin/systemctl, root, systemctl, .*, openstack-ironic-inspector-dnsmasq.service
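
Review bot: In the systemctl filter on the last added line, the `.*` in the verb position lets the service user run any systemctl subcommand as root against this unit, not only the start/stop/restart operations the commit message describes. Restrict it to the verbs actually needed, for example `(start|stop|restart)`, and escape the dots in the unit name (`openstack-ironic-inspector-dnsmasq\.service`) so they match only a literal dot. Since `/bin/systemctl` and the RDO unit name are hard-coded, a comment in the file saying that other distributions need their own entry would match what the commit message already notes.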