fa2e975e7d
The form for rootwrap.d files is to include a comment before the filter with the filename (and preferably) the command the filter matches. This change ensures that these file comments refer to a valid file in the tree. They can be checked with something like: for i in `awk '/^#.*py *:/ {print $2}' etc/nova/rootwrap.d/compute.filters \ | sort -u` ; do ls ${i/:} done * I13c701c390784fa1f7809705741abb46e40973be renamed .../libvirt/connection.py to .../libvirt/drver.py * I400db60fcc29c2d5e2d3b9dabc055649138468eb switched to os-brick and removed nova/storage/linuxscsi.py * I5fc2425d2c25076ea87686b2e41be35f66ebb923 moved .../libvirt/volume.py into .../libvirt/volume/ * Update one comment to make the awk script above work. * Add comments as 'chown' and 'tee' are used in nova/virt/libvirt/ Change-Id: I3d89830e4770a7cf88389fac5a2a684554a29bc5
260 lines
10 KiB
XML
260 lines
10 KiB
XML
# nova-rootwrap command filters for compute nodes
|
|
# This file should be owned by (and only-writeable by) the root user
|
|
|
|
[Filters]
|
|
# nova/virt/disk/mount/api.py: 'kpartx', '-a', device
|
|
# nova/virt/disk/mount/api.py: 'kpartx', '-d', device
|
|
kpartx: CommandFilter, kpartx, root
|
|
|
|
# nova/virt/xenapi/vm_utils.py: tune2fs, -O ^has_journal, part_path
|
|
# nova/virt/xenapi/vm_utils.py: tune2fs, -j, partition_path
|
|
tune2fs: CommandFilter, tune2fs, root
|
|
|
|
# nova/virt/disk/mount/api.py: 'mount', mapped_device
|
|
# nova/virt/disk/api.py: 'mount', '-o', 'bind', src, target
|
|
# nova/virt/xenapi/vm_utils.py: 'mount', '-t', 'ext2,ext3,ext4,reiserfs'..
|
|
# nova/virt/configdrive.py: 'mount', device, mountdir
|
|
mount: CommandFilter, mount, root
|
|
|
|
# nova/virt/disk/mount/api.py: 'umount', mapped_device
|
|
# nova/virt/disk/api.py: 'umount' target
|
|
# nova/virt/xenapi/vm_utils.py: 'umount', dev_path
|
|
# nova/virt/configdrive.py: 'umount', mountdir
|
|
umount: CommandFilter, umount, root
|
|
|
|
# nova/virt/disk/mount/nbd.py: 'qemu-nbd', '-c', device, image
|
|
# nova/virt/disk/mount/nbd.py: 'qemu-nbd', '-d', device
|
|
qemu-nbd: CommandFilter, qemu-nbd, root
|
|
|
|
# nova/virt/disk/mount/loop.py: 'losetup', '--find', '--show', image
|
|
# nova/virt/disk/mount/loop.py: 'losetup', '--detach', device
|
|
losetup: CommandFilter, losetup, root
|
|
|
|
# nova/virt/disk/vfs/localfs.py: 'blkid', '-o', 'value', '-s', 'TYPE', device
|
|
blkid: CommandFilter, blkid, root
|
|
|
|
# nova/virt/libvirt/utils.py: 'blockdev', '--getsize64', path
|
|
# nova/virt/disk/mount/nbd.py: 'blockdev', '--flushbufs', device
|
|
blockdev: RegExpFilter, blockdev, root, blockdev, (--getsize64|--flushbufs), /dev/.*
|
|
|
|
# nova/virt/disk/vfs/localfs.py: 'tee', canonpath
|
|
# nova/virt/libvirt/guest.py: 'tee',
|
|
# nova/virt/libvirt/vif.py: utils.execute('tee',
|
|
tee: CommandFilter, tee, root
|
|
|
|
# nova/virt/disk/vfs/localfs.py: 'mkdir', canonpath
|
|
mkdir: CommandFilter, mkdir, root
|
|
|
|
# nova/virt/disk/vfs/localfs.py: 'chown'
|
|
# nova/virt/libvirt/utils.py: def chown(): execute('chown', owner, path,
|
|
# nova/virt/libvirt/driver.py: 'chown', os.getuid( console_log
|
|
# nova/virt/libvirt/driver.py: 'chown', os.getuid( console_log
|
|
# nova/virt/libvirt/driver.py: 'chown', 'root', basepath('disk')
|
|
chown: CommandFilter, chown, root
|
|
|
|
# nova/virt/disk/vfs/localfs.py: 'chmod'
|
|
chmod: CommandFilter, chmod, root
|
|
|
|
# nova/virt/libvirt/vif.py: 'ip', 'tuntap', 'add', dev, 'mode', 'tap'
|
|
# nova/virt/libvirt/vif.py: 'ip', 'link', 'set', dev, 'up'
|
|
# nova/virt/libvirt/vif.py: 'ip', 'link', 'delete', dev
|
|
# nova/network/linux_net.py: 'ip', 'addr', 'add', str(floating_ip)+'/32'i..
|
|
# nova/network/linux_net.py: 'ip', 'addr', 'del', str(floating_ip)+'/32'..
|
|
# nova/network/linux_net.py: 'ip', 'addr', 'add', '169.254.169.254/32',..
|
|
# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', dev, 'scope',..
|
|
# nova/network/linux_net.py: 'ip', 'addr', 'del/add', ip_params, dev)
|
|
# nova/network/linux_net.py: 'ip', 'addr', 'del', params, fields[-1]
|
|
# nova/network/linux_net.py: 'ip', 'addr', 'add', params, bridge
|
|
# nova/network/linux_net.py: 'ip', '-f', 'inet6', 'addr', 'change', ..
|
|
# nova/network/linux_net.py: 'ip', 'link', 'set', 'dev', dev, 'promisc',..
|
|
# nova/network/linux_net.py: 'ip', 'link', 'add', 'link', bridge_if ...
|
|
# nova/network/linux_net.py: 'ip', 'link', 'set', interface, address,..
|
|
# nova/network/linux_net.py: 'ip', 'link', 'set', interface, 'up'
|
|
# nova/network/linux_net.py: 'ip', 'link', 'set', bridge, 'up'
|
|
# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', interface, ..
|
|
# nova/network/linux_net.py: 'ip', 'link', 'set', dev, address, ..
|
|
# nova/network/linux_net.py: 'ip', 'link', 'set', dev, 'up'
|
|
# nova/network/linux_net.py: 'ip', 'route', 'add', ..
|
|
# nova/network/linux_net.py: 'ip', 'route', 'del', .
|
|
# nova/network/linux_net.py: 'ip', 'route', 'show', 'dev', dev
|
|
ip: CommandFilter, ip, root
|
|
|
|
# nova/virt/libvirt/vif.py: 'tunctl', '-b', '-t', dev
|
|
# nova/network/linux_net.py: 'tunctl', '-b', '-t', dev
|
|
tunctl: CommandFilter, tunctl, root
|
|
|
|
# nova/virt/libvirt/vif.py: 'ovs-vsctl', ...
|
|
# nova/virt/libvirt/vif.py: 'ovs-vsctl', 'del-port', ...
|
|
# nova/network/linux_net.py: 'ovs-vsctl', ....
|
|
ovs-vsctl: CommandFilter, ovs-vsctl, root
|
|
|
|
# nova/network/linux_net.py: 'ivs-ctl', ....
|
|
ivs-ctl: CommandFilter, ivs-ctl, root
|
|
|
|
# nova/virt/libvirt/vif.py: 'vrouter-port-control', ...
|
|
vrouter-port-control: CommandFilter, vrouter-port-control, root
|
|
|
|
# nova/virt/libvirt/vif.py: 'ebrctl', ...
|
|
ebrctl: CommandFilter, ebrctl, root
|
|
|
|
# nova/virt/libvirt/vif.py: 'mm-ctl', ...
|
|
mm-ctl: CommandFilter, mm-ctl, root
|
|
|
|
# nova/network/linux_net.py: 'ovs-ofctl', ....
|
|
ovs-ofctl: CommandFilter, ovs-ofctl, root
|
|
|
|
# nova/virt/libvirt/driver.py: 'dd', if=%s % virsh_output, ...
|
|
dd: CommandFilter, dd, root
|
|
|
|
# nova/virt/xenapi/volume_utils.py: 'iscsiadm', '-m', ...
|
|
iscsiadm: CommandFilter, iscsiadm, root
|
|
|
|
# nova/virt/libvirt/volume/aoe.py: 'aoe-revalidate', aoedev
|
|
# nova/virt/libvirt/volume/aoe.py: 'aoe-discover'
|
|
aoe-revalidate: CommandFilter, aoe-revalidate, root
|
|
aoe-discover: CommandFilter, aoe-discover, root
|
|
|
|
# nova/virt/xenapi/vm_utils.py: parted, --script, ...
|
|
# nova/virt/xenapi/vm_utils.py: 'parted', '--script', dev_path, ..*.
|
|
parted: CommandFilter, parted, root
|
|
|
|
# nova/virt/xenapi/vm_utils.py: 'pygrub', '-qn', dev_path
|
|
pygrub: CommandFilter, pygrub, root
|
|
|
|
# nova/virt/xenapi/vm_utils.py: fdisk %(dev_path)s
|
|
fdisk: CommandFilter, fdisk, root
|
|
|
|
# nova/virt/xenapi/vm_utils.py: e2fsck, -f, -p, partition_path
|
|
# nova/virt/disk/api.py: e2fsck, -f, -p, image
|
|
e2fsck: CommandFilter, e2fsck, root
|
|
|
|
# nova/virt/xenapi/vm_utils.py: resize2fs, partition_path
|
|
# nova/virt/disk/api.py: resize2fs, image
|
|
resize2fs: CommandFilter, resize2fs, root
|
|
|
|
# nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ...
|
|
iptables-save: CommandFilter, iptables-save, root
|
|
ip6tables-save: CommandFilter, ip6tables-save, root
|
|
|
|
# nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,)
|
|
iptables-restore: CommandFilter, iptables-restore, root
|
|
ip6tables-restore: CommandFilter, ip6tables-restore, root
|
|
|
|
# nova/network/linux_net.py: 'arping', '-U', floating_ip, '-A', '-I', ...
|
|
# nova/network/linux_net.py: 'arping', '-U', network_ref['dhcp_server'],..
|
|
arping: CommandFilter, arping, root
|
|
|
|
# nova/network/linux_net.py: 'dhcp_release', dev, address, mac_address
|
|
dhcp_release: CommandFilter, dhcp_release, root
|
|
|
|
# nova/network/linux_net.py: 'kill', '-9', pid
|
|
# nova/network/linux_net.py: 'kill', '-HUP', pid
|
|
kill_dnsmasq: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP
|
|
|
|
# nova/network/linux_net.py: 'kill', pid
|
|
kill_radvd: KillFilter, root, /usr/sbin/radvd
|
|
|
|
# nova/network/linux_net.py: dnsmasq call
|
|
dnsmasq: EnvFilter, env, root, CONFIG_FILE=, NETWORK_ID=, dnsmasq
|
|
|
|
# nova/network/linux_net.py: 'radvd', '-C', '%s' % _ra_file(dev, 'conf'..
|
|
radvd: CommandFilter, radvd, root
|
|
|
|
# nova/network/linux_net.py: 'brctl', 'addbr', bridge
|
|
# nova/network/linux_net.py: 'brctl', 'setfd', bridge, 0
|
|
# nova/network/linux_net.py: 'brctl', 'stp', bridge, 'off'
|
|
# nova/network/linux_net.py: 'brctl', 'addif', bridge, interface
|
|
brctl: CommandFilter, brctl, root
|
|
|
|
# nova/virt/libvirt/utils.py: 'mkswap'
|
|
# nova/virt/xenapi/vm_utils.py: 'mkswap'
|
|
mkswap: CommandFilter, mkswap, root
|
|
|
|
# nova/virt/libvirt/utils.py: 'nova-idmapshift'
|
|
nova-idmapshift: CommandFilter, nova-idmapshift, root
|
|
|
|
# nova/virt/xenapi/vm_utils.py: 'mkfs'
|
|
# nova/utils.py: 'mkfs', fs, path, label
|
|
mkfs: CommandFilter, mkfs, root
|
|
|
|
# nova/virt/libvirt/utils.py: 'qemu-img'
|
|
qemu-img: CommandFilter, qemu-img, root
|
|
|
|
# nova/virt/disk/vfs/localfs.py: 'readlink', '-e'
|
|
readlink: CommandFilter, readlink, root
|
|
|
|
# nova/virt/disk/api.py:
|
|
mkfs.ext3: CommandFilter, mkfs.ext3, root
|
|
mkfs.ext4: CommandFilter, mkfs.ext4, root
|
|
mkfs.ntfs: CommandFilter, mkfs.ntfs, root
|
|
|
|
# nova/virt/libvirt/driver.py:
|
|
lvremove: CommandFilter, lvremove, root
|
|
|
|
# nova/virt/libvirt/utils.py:
|
|
lvcreate: CommandFilter, lvcreate, root
|
|
|
|
# nova/virt/libvirt/utils.py:
|
|
lvs: CommandFilter, lvs, root
|
|
|
|
# nova/virt/libvirt/utils.py:
|
|
vgs: CommandFilter, vgs, root
|
|
|
|
# nova/utils.py: read_file_as_root: 'cat', file_path
|
|
# (called from nova/virt/disk/vfs/localfs.py:VFSLocalFS.read_file)
|
|
read_passwd: RegExpFilter, cat, root, cat, (/var|/usr)?/tmp/openstack-vfs-localfs[^/]+/etc/passwd
|
|
read_shadow: RegExpFilter, cat, root, cat, (/var|/usr)?/tmp/openstack-vfs-localfs[^/]+/etc/shadow
|
|
|
|
# os-brick needed commands
|
|
read_initiator: ReadFileFilter, /etc/iscsi/initiatorname.iscsi
|
|
multipath: CommandFilter, multipath, root
|
|
# multipathd show status
|
|
multipathd: CommandFilter, multipathd, root
|
|
systool: CommandFilter, systool, root
|
|
vgc-cluster: CommandFilter, vgc-cluster, root
|
|
# os_brick/initiator/connector.py
|
|
drv_cfg: CommandFilter, /opt/emc/scaleio/sdc/bin/drv_cfg, root, /opt/emc/scaleio/sdc/bin/drv_cfg, --query_guid
|
|
|
|
# TODO(smcginnis) Temporary fix.
|
|
# Need to pull in os-brick os-brick.filters file instead and clean
|
|
# out stale brick values from this file.
|
|
scsi_id: CommandFilter, /lib/udev/scsi_id, root
|
|
# os_brick.privileged.default oslo.privsep context
|
|
# This line ties the superuser privs with the config files, context name,
|
|
# and (implicitly) the actual python code invoked.
|
|
privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.*
|
|
|
|
# nova/virt/libvirt/storage/dmcrypt.py:
|
|
cryptsetup: CommandFilter, cryptsetup, root
|
|
|
|
# nova/virt/xenapi/vm_utils.py:
|
|
xenstore-read: CommandFilter, xenstore-read, root
|
|
|
|
# nova/virt/libvirt/utils.py:
|
|
rbd: CommandFilter, rbd, root
|
|
|
|
# nova/virt/libvirt/utils.py: 'shred', '-n3', '-s%d' % volume_size, path
|
|
shred: CommandFilter, shred, root
|
|
|
|
# nova/virt/libvirt/volume/volume.py: 'cp', '/dev/stdin', delete_control..
|
|
cp: CommandFilter, cp, root
|
|
|
|
# nova/virt/xenapi/vm_utils.py:
|
|
sync: CommandFilter, sync, root
|
|
|
|
# nova/virt/libvirt/imagebackend.py:
|
|
ploop: RegExpFilter, ploop, root, ploop, restore-descriptor, .*
|
|
prl_disk_tool: RegExpFilter, prl_disk_tool, root, prl_disk_tool, resize, --size, .*M$, --resize_partition, --hdd, .*
|
|
|
|
# nova/virt/libvirt/utils.py:
|
|
ploop: RegExpFilter, ploop, root, ploop, init, -s, .*, -f, .*, -t, .*, .*
|
|
|
|
# nova/virt/libvirt/utils.py: 'xend', 'status'
|
|
xend: CommandFilter, xend, root
|
|
|
|
# nova/virt/libvirt/utils.py:
|
|
touch: CommandFilter, touch, root
|
|
|
|
# nova/virt/libvirt/volume/vzstorage.py
|
|
pstorage-mount: CommandFilter, pstorage-mount, root
|