diff --git a/etc/nova/rootwrap.d/compute.filters b/etc/nova/rootwrap.d/compute.filters
index dcee0c11261f..014ac19de436 100644
--- a/etc/nova/rootwrap.d/compute.filters
+++ b/etc/nova/rootwrap.d/compute.filters
@@ -198,8 +198,6 @@ scsi_id: CommandFilter, /lib/udev/scsi_id, root
 # and (implicitly) the actual python code invoked.
 privsep-rootwrap-os_brick: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.*
-privsep-rootwrap-dacnet_admin: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, nova.privsep.dacnet_admin_pctxt, --privsep_sock_path, /tmp/.*
-
 privsep-rootwrap-sys_admin: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, nova.privsep.sys_admin_pctxt, --privsep_sock_path, /tmp/.*
 # nova/virt/libvirt/storage/dmcrypt.py:
diff --git a/nova/privsep/__init__.py b/nova/privsep/__init__.py
index c0e138a69223..ddb59817103d 100644
--- a/nova/privsep/__init__.py
+++ b/nova/privsep/__init__.py
@@ -18,18 +18,6 @@
 from oslo_privsep import capabilities
 from oslo_privsep import priv_context
-# NOTE(mikal): DAC + CAP_NET_ADMIN, required for network sysfs changes
-dacnet_admin_pctxt = priv_context.PrivContext(
- 'nova',
- cfg_section='nova_dacnet_admin',
- pypath=__name__ + '.dacnet_admin_pctxt',
- capabilities=[capabilities.CAP_CHOWN,
- capabilities.CAP_DAC_OVERRIDE,
- capabilities.CAP_DAC_READ_SEARCH,
- capabilities.CAP_FOWNER,
- capabilities.CAP_NET_ADMIN],
-)
-
 sys_admin_pctxt = priv_context.PrivContext(
 'nova',
 cfg_section='nova_sys_admin',
diff --git a/nova/privsep/libvirt.py b/nova/privsep/libvirt.py
index 4f7f313c61b7..a65eb2611df2 100644
--- a/nova/privsep/libvirt.py
+++ b/nova/privsep/libvirt.py
@@ -56,14 +56,14 @@ def _last_bytes_inner(file_like_object, num):
 return (file_like_object.read(), remaining)
-@nova.privsep.dacnet_admin_pctxt.entrypoint
+@nova.privsep.sys_admin_pctxt.entrypoint
 def enable_hairpin(interface):
 """Enable hairpin mode for a libvirt guest."""
 with open('/sys/class/net/%s/brport/hairpin_mode' % interface, 'w') as f:
 f.write('1')
-@nova.privsep.dacnet_admin_pctxt.entrypoint
+@nova.privsep.sys_admin_pctxt.entrypoint
 def disable_multicast_snooping(interface):
 """Disable multicast snooping for a bridge."""
 with open('/sys/class/net/%s/bridge/multicast_snooping' % interface,
@@ -71,7 +71,7 @@ def disable_multicast_snooping(interface):
 f.write('0')
-@nova.privsep.dacnet_admin_pctxt.entrypoint
+@nova.privsep.sys_admin_pctxt.entrypoint
 def disable_ipv6(interface):
 """Disable ipv6 for a bridge."""
 with open('/proc/sys/net/ipv6/conf/%s/disable_ipv' % interface, 'w') as f:
diff --git a/releasenotes/notes/privsep-queens-rootwrap-adds-907aa1bc8e3eb2ca.yaml b/releasenotes/notes/privsep-queens-rootwrap-adds-907aa1bc8e3eb2ca.yaml
index 5e935774f074..ff9655157f4a 100644
--- a/releasenotes/notes/privsep-queens-rootwrap-adds-907aa1bc8e3eb2ca.yaml
+++ b/releasenotes/notes/privsep-queens-rootwrap-adds-907aa1bc8e3eb2ca.yaml
@@ -3,9 +3,6 @@ upgrade:
 - |
 A sys-admin privsep daemon has been added and needs to be included in
 your rootwrap configuration.
- - |
- A dacnet-admin privsep daemon has been added and needs to be included in
- your rootwrap configuration.
 - |
 The following commands are no longer required to be listed in your
 rootwrap configuration: cat; chown; readlink; tee; touch.
\ No newline at end of file
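Review bot: `interface` is formatted straight into the sysfs path in `enable_hairpin` and `disable_multicast_snooping` here (and in `disable_ipv6` in the next hunk) and nothing in these entrypoints checks it, so a value containing `/` or a `..` component would have the privileged daemon open a path outside `/sys/class/net/`; the entrypoint, not the caller, is the trust boundary. Since the decorator swap moves these writes into `sys_admin_pctxt`, whose capability list is outside this diff, I would add one small guard shared by all three before the `open()`, e.g. `if not interface or '/' in interface or interface in ('.', '..'): raise ValueError('invalid interface name: %r' % interface)`. The callers presumably pass names nova derived itself, so this is hardening of the privilege boundary rather than a known exposure. All three function bodies extend past the hunk boundaries.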
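Review bot: The path in `disable_ipv6` ends in `disable_ipv`, but the per-interface IPv6 knob the kernel exposes under `/proc/sys/net/ipv6/conf/<iface>/` is `disable_ipv6`; opening the truncated name with `'w'` should fail with ENOENT inside the daemon rather than disable anything, so the entrypoint appears never to have done what its name says. This is pre-existing context rather than part of the decorator change, but the commit touches the function and now routes it through `sys_admin_pctxt`, so it is worth correcting here: `with open('/proc/sys/net/ipv6/conf/%s/disable_ipv6' % interface, 'w') as f:`. The write itself in the body of `disable_ipv6` is outside the hunk, and a unit test asserting the exact path opened would have caught this.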