From a8d959490785b1f01340add5ee1537b1eaa15dca Mon Sep 17 00:00:00 2001 From: Aaron Rosen Date: Thu, 13 Dec 2012 10:53:07 -0800 Subject: [PATCH] dhcp.filters needs ovs_vsctl permission The dhcp agent calls ovs_vsctl so it will fail if using rootwrap and these aren't specified. The reason why this was working using rootwrap before is because there are other filters in etc/quantum/rootwrap.d that specifiy ovs_vsctl which allows the agent to make those calls. Fixes bug 1090072 Change-Id: I509c191c97e7187361a09788e841ebb5a9f934c7 --- etc/quantum/rootwrap.d/dhcp.filters | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/etc/quantum/rootwrap.d/dhcp.filters b/etc/quantum/rootwrap.d/dhcp.filters index 66fce34bb..9ad22e9de 100644 --- a/etc/quantum/rootwrap.d/dhcp.filters +++ b/etc/quantum/rootwrap.d/dhcp.filters @@ -20,6 +20,10 @@ kill_dnsmasq_usr: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP # dhcp-agent uses cat cat: RegExpFilter, /bin/cat, root, cat, /proc/\d+/cmdline +ovs-vsctl: CommandFilter, /bin/ovs-vsctl, root +ovs-vsctl_usr: CommandFilter, /usr/bin/ovs-vsctl, root +ovs-vsctl_sbin: CommandFilter, /sbin/ovs-vsctl, root +ovs-vsctl_sbin_usr: CommandFilter, /usr/sbin/ovs-vsctl, root # ip_lib ip: IpFilter, /sbin/ip, root