Remove not needed rootwrap filters

This patch moves all remaining filters to a single file. Since [1],
the number of processes executed using rootwrap has been reduced to
a small set.

[1]https://storyboard.openstack.org/#!/story/2007686

Story: #2007686
Task: #41284

Change-Id: Ic7eb717b9ee18068d7a6d7acb11302dd1fde60c6
Rodolfo Alonso Hernandez 2021-03-30 14:49:26 +00:00
parent becb42b92e
commit be6ee6f397
8 changed files with 26 additions and 124 deletions


@ -1,12 +0,0 @@
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# "sleep" command, only for testing
sleep: RegExpFilter, sleep, root, sleep, \d+


@ -1,21 +0,0 @@
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# dhcp-agent
dnsmasq: CommandFilter, dnsmasq, root
mm-ctl: CommandFilter, mm-ctl, root
# haproxy
haproxy: RegExpFilter, haproxy, root, haproxy, -f, .*
# ip_lib
ip: IpFilter, ip, root
ip_exec: IpNetnsExecFilter, ip, root


@ -1,16 +0,0 @@
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# Filters for the dibbler-based reference implementation of the pluggable
# Prefix Delegation driver. Other implementations using an alternative agent
# should include a similar filter in this folder.
# prefix_delegation_agent
dibbler-client: CommandFilter, dibbler-client, root


@ -1,12 +0,0 @@
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# neutron/agent/linux/iptables_firewall.py
# "ipset", "-A", ...
ipset: CommandFilter, ipset, root


@ -1,32 +0,0 @@
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# l3_agent
route: CommandFilter, route, root
radvd: CommandFilter, radvd, root
# haproxy
haproxy: RegExpFilter, haproxy, root, haproxy, -f, .*
# ip_lib
ip: IpFilter, ip, root
ip_exec: IpNetnsExecFilter, ip, root
# iptables_manager
iptables-save: CommandFilter, iptables-save, root
iptables-restore: CommandFilter, iptables-restore, root
ip6tables-save: CommandFilter, ip6tables-save, root
ip6tables-restore: CommandFilter, ip6tables-restore, root
# Keepalived
keepalived: CommandFilter, keepalived, root
# keepalived state change monitor
keepalived_state_change: CommandFilter, neutron-keepalived-state-change, root


@ -1,13 +0,0 @@
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# ip_lib
ip: IpFilter, ip, root
ip_exec: IpNetnsExecFilter, ip, root


@ -1,18 +0,0 @@
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# openvswitch-agent
# NOTE(yamamoto): of_interface=native doesn't use ovs-ofctl
ovs-ofctl: CommandFilter, ovs-ofctl, root
ovsdb-client: CommandFilter, ovsdb-client, root
# ip_lib
ip: IpFilter, ip, root
ip_exec: IpNetnsExecFilter, ip, root


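--- a/[rootwrap filter file: path not shown on page]
+++ b/[rootwrap filter file: path not shown on page]
@@ -20,6 +20,7 @@
 # In particular, the oslo.config and python module path must not
 # be writeable by the unprivileged user.
+# PRIVSEP
 # oslo.privsep default neutron context
 privsep: PathFilter, privsep-helper, root,
 --config-file, /etc/(?!\.\.).*,
@@ -29,3 +30,28 @@ privsep: PathFilter, privsep-helper, root,
 # NOTE: A second `--config-file` arg can also be added above. Since
 # many neutron components are installed like that (eg: by devstack).
 # Adjust to suit local requirements.
+# DEBUG
+sleep: RegExpFilter, sleep, root, sleep, \d+
+# EXECUTE COMMANDS IN A NAMESPACE
+ip: IpFilter, ip, root
+ip_exec: IpNetnsExecFilter, ip, root
+# METADATA PROXY
+haproxy: RegExpFilter, haproxy, root, haproxy, -f, .*
+# DHCP
+dnsmasq: CommandFilter, dnsmasq, root
+# DIBBLER
+dibbler-client: CommandFilter, dibbler-client, root
+# L3
+radvd: CommandFilter, radvd, root
+keepalived: CommandFilter, keepalived, root
+keepalived_state_change: CommandFilter, neutron-keepalived-state-change, root
+# OPEN VSWITCH
+ovs-ofctl: CommandFilter, ovs-ofctl, root
+ovsdb-client: CommandFilter, ovsdb-client, root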
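Review bot: The `sleep` filter added under `# DEBUG` loses the "only for testing" note it carried in the deleted debug filter file, yet it now lives in the single filter file that every node will load, so packagers have no cue that it can be dropped from production filter sets; a one-line comment such as `# "sleep" command, only for testing; not required on production nodes` would keep that intent visible. The `haproxy` RegExpFilter keeps the `-f, .*` argument pattern from the deleted files, which accepts any config-file path as the root-run argument; if the metadata proxy always writes its config under a fixed state directory, a narrower pattern or a PathFilter would be tighter, but the page does not show where that config is written, so treat this as something to confirm rather than a defect of the merge. The consolidated file begins before the first hunk, so whether the root-ownership header from the deleted files survives here cannot be checked from this page.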