80bea7a386
Currently metadata proxy cannot run with nobody user/group as metadata proxy requires to connect to metadata_proxy_socket when queried. This change allows to run metadata proxy with nobody user/group by allowing to choose the metadata_proxy_socket mode with the new option metadata_proxy_socket_mode (4 choices) in order to adapt socket permissions to metadata proxy user/group. This change refactors also where options are defined to enable metadata_proxy_user/group options in the metadata agent. In practice: * if metadata_proxy_user is agent effective user or root, then: * metadata proxy is allowed to use rootwrap (unsecure) * set metadata_proxy_socket_mode = user (0o644) * else if metadata_proxy_group is agent effective group, then: * metadata proxy is not allowed to use rootwrap (secure) * set metadata_proxy_socket_mode = group (0o664) * set metadata_proxy_log_watch = false * else: * metadata proxy has lowest permissions (securest) but metadata proxy socket can be opened by everyone * set metadata_proxy_socket_mode = all (0o666) * set metadata_proxy_log_watch = false An alternative is to set metadata_proxy_socket_mode = deduce, in such case metadata agent uses previous rules to choose the correct mode. DocImpact Closes-Bug: #1427228 Change-Id: I235a0cc4f0cbd55ae4ec1570daf2ebbb6a72441d |
||
---|---|---|
.. | ||
init.d | ||
neutron | ||
api-paste.ini | ||
dhcp_agent.ini | ||
l3_agent.ini | ||
metadata_agent.ini | ||
metering_agent.ini | ||
neutron.conf | ||
policy.json | ||
rootwrap.conf |