# neutron-rootwrap command filters for nodes on which neutron is # expected to control network # # This file should be owned by (and only-writeable by) the root user # format seems to be # cmd-name: filter-name, raw-command, user, args [Filters] # arping arping: CommandFilter, arping, root # l3_agent sysctl: CommandFilter, sysctl, root route: CommandFilter, route, root radvd: CommandFilter, radvd, root # haproxy haproxy: RegExpFilter, haproxy, root, haproxy, -f, .* kill_haproxy: KillFilter, root, haproxy, -15, -9, -HUP # haproxy kill script filter kill_haproxy_script: CommandFilter, haproxy-kill, root kill_radvd_usr: KillFilter, root, /usr/sbin/radvd, -15, -9, -HUP kill_radvd: KillFilter, root, /sbin/radvd, -15, -9, -HUP kill_radvd_script: CommandFilter, radvd-kill, root # ip_lib ip: IpFilter, ip, root find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.* ip_exec: IpNetnsExecFilter, ip, root # l3_tc_lib l3_tc_show_filters: RegExpFilter, tc, root, tc, -p, -s, -d, filter, show, dev, .+, parent, .+, prio, 1 l3_tc_delete_filters: RegExpFilter, tc, root, tc, filter, del, dev, .+, parent, .+, prio, 1, handle, .+, u32 l3_tc_add_filter_ingress: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, ip, prio, 1, u32, match, ip, dst, .+, police, rate, .+, burst, .+, mtu, 64kb, drop, flowid, :1 l3_tc_add_filter_egress: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, ip, prio, 1, u32, match, ip, src, .+, police, rate, .+, burst, .+, mtu, 64kb, drop, flowid, :1 # For ip monitor kill_ip_monitor: KillFilter, root, ip, -9 # ovs_lib (if OVSInterfaceDriver is used) ovs-vsctl: CommandFilter, ovs-vsctl, root # iptables_manager iptables-save: CommandFilter, iptables-save, root iptables-restore: CommandFilter, iptables-restore, root ip6tables-save: CommandFilter, ip6tables-save, root ip6tables-restore: CommandFilter, ip6tables-restore, root # Keepalived keepalived: CommandFilter, keepalived, root kill_keepalived: KillFilter, root, keepalived, -HUP, -15, -9 # keepalived kill script filter kill_keepalived_script: CommandFilter, keepalived-kill, root # l3 agent to delete floatingip's conntrack state conntrack: CommandFilter, conntrack, root # keepalived state change monitor keepalived_state_change: CommandFilter, neutron-keepalived-state-change, root # The following filters are used to kill the keepalived state change monitor. # Since the monitor runs as a Python script, the system reports that the # command of the process to be killed is python. # TODO(mlavalle) These kill filters will be updated once we come up with a # mechanism to kill using the name of the script being executed by Python kill_keepalived_monitor_py: KillFilter, root, python, -15, -9 kill_keepalived_monitor_py3: KillFilter, root, python3, -15, -9 kill_keepalived_monitor_py36: KillFilter, root, python3.6, -15, -9 kill_keepalived_monitor_py37: KillFilter, root, python3.7, -15, -9 kill_keepalived_monitor_py38: KillFilter, root, python3.8, -15, -9 # For e.g. RHEL8 neutron-keepalived-state-change is run by "system python" # which is /usr/libexec/platform-python3.6 so this should be in filters also. # Path /usr/libexec isn't in PATH by default so it has to be given here as # absolute path kill_keepalived_monitor_platform_py: KillFilter, root, /usr/libexec/platform-python, -15, -9 kill_keepalived_monitor_platform_py36: KillFilter, root, /usr/libexec/platform-python3.6, -15, -9 # neutron-keepalived-state-change-monitor kill script filter kill_neutron-keepalived-state-change-monitor_script: CommandFilter, neutron-keepalived-state-change-monitor-kill, root