From 0facd1f89edfd88188662e0cac274a136a424c3d Mon Sep 17 00:00:00 2001
From: Matt Riedemann
Date: Wed, 1 Jul 2015 12:09:49 -0700
Subject: [PATCH] rootwrap: update ln --symbolic filter for FS and FC type volume drivers

Cinder change I03f8cae05cc117e14f7482115de685fc9f3fa54a sets the 'encrypted' key for all cinder volume drivers connection_info. When run through the encrypted volume tests in Tempest, this hits the encryption providers in Nova that fail for certain types of volume drivers, like file system and fibre channel, due to the rootwrap filter not matching.

This change updates the symbolic link rootwrap filter so it works with file system and fibre channel type volume backends rather than just iSCSI.

The /dev/mapper/ prefix is always set in the encryptor modules, so that can remain as before. The symbolic link path is a complete wildcard, however, because the file system volume backends all have a configurable option for the mount path prefix, which defaults to $state_path/mnt but may not be that value.

An example call for NFS:

    ln --symbolic --force \
    /dev/mapper/volume-f5684ecc-959f-4de8-8d62-a8adf4bdb4cc \
    /opt/stack/data/nova/mnt/21dd48babac42ae884d1192b8697a041/\
    volume-f5684ecc-959f-4de8-8d62-a8adf4bdb4cc

An example call for fibre channel:

    ln --symbolic --force \
    /dev/mapper/pci-0000:06:00.0-fc-0x5006016508603f9f-lun-151 \
    /dev/disk/by-path/pci-0000:06:00.0-fc-0x5006016508603f9f-lun-151

This change also updates the sg_info and sgscan entries to reference the correct module since those are not called from nova.virt.libvirt.volume anymore.

Closes-Bug: #1470142
Related-Bug: #1440227

Change-Id: I181b594a3119f7ad74c595fc7059d521079b1d74
--- etc/nova/rootwrap.d/compute.filters | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/etc/nova/rootwrap.d/compute.filters b/etc/nova/rootwrap.d/compute.filters index 81bf6ced765f..37d1c2d503b0 100644 --- a/etc/nova/rootwrap.d/compute.filters +++ b/etc/nova/rootwrap.d/compute.filters
@@ -209,10 +209,15 @@ multipath: CommandFilter, multipath, root # nova/virt/libvirt/utils.py: systool: CommandFilter, systool, root -# nova/virt/libvirt/volume.py: +# nova/storage/linuxscsi.py: sginfo -r sginfo: CommandFilter, sginfo, root + +# nova/storage/linuxscsi.py: sg_scan device sg_scan: CommandFilter, sg_scan, root -ln: RegExpFilter, ln, root, ln, --symbolic, --force, /dev/mapper/ip-.*-iscsi-iqn.*, /dev/disk/by-path/ip-.*-iscsi-iqn.* + +# nova/volume/encryptors/cryptsetup.py: +# nova/volume/encryptors/luks.py: +ln: RegExpFilter, ln, root, ln, --symbolic, --force, /dev/mapper/.*, .* # nova/volume/encryptors.py: # nova/virt/libvirt/dmcrypt.py:
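Review bot: the last argument pattern of the new ln entry is a bare `.*`, so the filter now accepts any link path for a root-run `ln --symbolic --force`, and the `/dev/mapper/.*` target pattern also admits `..` segments, which makes this entry much broader than the iSCSI-only line it replaces. The commit message justifies the wildcard by the configurable mount path prefix, but that reasoning is not recorded in compute.filters itself; please add a comment above the entry stating why the link path is unconstrained. Consider also narrowing the pattern to the shapes the commit message gives as examples (a path under `/dev/disk/by-path/` for fibre channel, and a path whose final component is `volume-<uuid>` for file system backends) and excluding `..` from both arguments, so the filter cannot be used to replace arbitrary files with symlinks.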