Add rootwrap filter for systemctl control of dnsmasq

The dnsmasq pxe filter takes start/stop commands for the
dnsmasq service as options. Restarting the systemd service
requries root access.

This change adds a rootwrap filter to allow systemctl
control of the dnsmasq service.

NOTE: The systemd service name is the one used in the RDO
distribution. Additional filters may be needed for other
distributions.

Story: 2002818
Task: 24754
Change-Id: Ie961ec4d3b6b65a462e2d2493f5b9240c2bfa7a6

releasenotes/notes/dnsmask-pxe-filter-rootwrap-systemctl-099964ad39d38b4c.yaml

@@ -0,0 +1,11 @@
+---
+fixes:
+  - |
+    A new rootwrap filter is now included to allow control of the systemd
+    dnsmasq service used by ironic-inspector. This fixes a permission issue
+    when systemctl commands are used as ``dnsmasq_start_command`` and
+    ``dnsmasq_stop_command`` in the configuration for the dnsmasq pxe filter.
+    See bug `2002818 <https://storyboard.openstack.org/#!/story/2002818>`_.
+
+    .. Note:: The filter uses the systemd service name used by the RDO
+              distrubution (``openstack-ironic-inspector-dnsmasq.service``).

rootwrap.d/ironic-inspector-firewall.filters

@@ -1,6 +0,0 @@
-# ironic-inspector-rootwrap command filters for firewall manipulation
-# This file should be owned by (and only-writeable by) the root user
-
-[Filters]
-# ironic_inspector/firewall.py
-iptables: CommandFilter, iptables, root

rootwrap.d/ironic-inspector.filters

@@ -0,0 +1,10 @@
+# This file should be owned by (and only-writeable by) the root user
+
+[Filters]
+# ironic-inspector-rootwrap command filters for firewall manipulation
+# ironic_inspector/firewall.py
+iptables: CommandFilter, iptables, root
+
+# ironic-inspector-rootwrap command filters for systemctl manipulation of the dnsmasq service
+# ironic_inspector/pxe_filter/dnsmasq.py
+systemctl: RegExpFilter, /bin/systemctl, root, systemctl, .*, openstack-ironic-inspector-dnsmasq.service