From 3717040f47c9c572570ae5554a8ee1a9ac0bc600 Mon Sep 17 00:00:00 2001
From: Pete Birley
Date: Thu, 24 Aug 2017 16:50:55 -0500
Subject: [PATCH] Security: Container user and rootwrap for cinder
This PS adds user control for the service user and rootwrap for the Cinder chart.
Change-Id: Ic4153f91edf57be54ecea29abaa8c8663b3c3a36
---
 cinder/templates/configmap-etc.yaml | 8 +-
 cinder/templates/deployment-api.yaml | 2 +
 cinder/templates/deployment-backup.yaml | 26 +-
 cinder/templates/deployment-scheduler.yaml | 2 +
 cinder/templates/deployment-volume.yaml | 24 ++
 cinder/templates/etc/_cinder_sudoers.tpl | 20 ++
 cinder/templates/etc/_rootwrap.conf.tpl | 2 +-
 .../etc/rootwrap.d/_volume.filters.tpl | 224 ++++++++++++++++++
 cinder/values.yaml | 10 +
 9 files changed, 314 insertions(+), 4 deletions(-)
 create mode 100644 cinder/templates/etc/_cinder_sudoers.tpl
 create mode 100644 cinder/templates/etc/rootwrap.d/_volume.filters.tpl
diff --git a/cinder/templates/configmap-etc.yaml b/cinder/templates/configmap-etc.yaml
index e91cbcad3e..08a1b03d13 100644
--- a/cinder/templates/configmap-etc.yaml
+++ b/cinder/templates/configmap-etc.yaml
@@ -90,10 +90,14 @@ data:
 {{- if .Values.conf.backends.append -}}
 {{ .Values.conf.backends.append | indent 4 }}
 {{- end }}
- rootwrap.conf: |+
-{{- tuple .Values.conf.rootwrap "etc/_rootwrap.conf.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
 api-paste.ini: |+
 {{- tuple .Values.conf.paste "etc/_api-paste.ini.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
 policy.json: |+
 {{- tuple .Values.conf.policy "etc/_policy.json.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
+ cinder_sudoers: |+
+{{- tuple .Values.conf.neutron_sudoers "etc/_cinder_sudoers.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
+ rootwrap.conf: |+
+{{- tuple .Values.conf.rootwrap "etc/_rootwrap.conf.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
+ volume.filters: |+
+{{- tuple .Values.conf.rootwrap_filters.volume "etc/rootwrap.d/_volume.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
 {{- end }}
diff --git a/cinder/templates/deployment-api.yaml b/cinder/templates/deployment-api.yaml
index b2166e6fda..44d3bb5585 100644
--- a/cinder/templates/deployment-api.yaml
+++ b/cinder/templates/deployment-api.yaml
@@ -47,6 +47,8 @@ spec:
 image: {{ .Values.images.api }}
 imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ runAsUser: {{ .Values.pod.user.cinder.uid }}
 command:
 - /tmp/cinder-api.sh
 - start
diff --git a/cinder/templates/deployment-backup.yaml b/cinder/templates/deployment-backup.yaml
index 94d41b4d65..45d124d759 100644
--- a/cinder/templates/deployment-backup.yaml
+++ b/cinder/templates/deployment-backup.yaml
@@ -45,6 +45,8 @@ spec:
 - name: ceph-keyring-placement
 image: {{ .Values.images.backup }}
 imagePullPolicy: {{ .Values.images.pull_policy }}
+ securityContext:
+ runAsUser: 0
 command:
 - /tmp/ceph-keyring.sh
 volumeMounts:
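Review bot: The new `cinder_sudoers` entry is rendered from `.Values.conf.neutron_sudoers`, a key this chart's values.yaml does not define (the same commit adds `conf.cinder_sudoers` with the usual `override`/`append` children), so an operator's override or append for the sudoers file can never reach the template. For the one file that grants a NOPASSWD root rule, overrides are exactly what a hardened deployment needs to work. Change the line to `{{- tuple .Values.conf.cinder_sudoers "etc/_cinder_sudoers.tpl" . | include "helm-toolkit.utils.configmap_templater" }}`. Whether configmap_templater tolerates the nil tuple element or fails the render cannot be seen from this hunk; either way the key is wrong.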
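Review bot: `runAsUser` on its own does not prevent the cinder-api process from regaining root through a setuid binary; the hunk sets neither `runAsNonRoot: true` nor `allowPrivilegeEscalation: false`, and nothing in this commit gives cinder-api the sudoers or rootwrap mounts that cinder-volume and cinder-backup receive, so it appears to have no legitimate need to escalate. Add `runAsNonRoot: true` and `allowPrivilegeEscalation: false` under the new `securityContext:`. `runAsNonRoot` also makes the kubelet refuse the pod if someone overrides `pod.user.cinder.uid` to 0.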
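Review bot: The ceph-keyring-placement init container is pinned to `runAsUser: 0` while the backup container that later opens the keyring is moved to `.Values.pod.user.cinder.uid`; `/tmp/ceph-keyring.sh` is not part of this diff, so confirm it leaves the placed keyring readable by that uid (chown or a matching mode) rather than root-only, otherwise the now non-root service cannot read it. The reason root is required here is not stated anywhere in the template; a comment such as `# NOTE: runs as root so it can place the ceph keyring for the non-root cinder uid` would stop a later reviewer from "fixing" it.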
@@ -53,6 +55,7 @@ spec:
 - name: cinder-bin
 mountPath: /tmp/ceph-keyring.sh
 subPath: ceph-keyring.sh
+ readOnly: true
 - name: ceph-keyring
 mountPath: /tmp/client-keyring
 subPath: key
@@ -63,6 +66,8 @@ spec:
 image: {{ .Values.images.backup }}
 imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.backup | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ runAsUser: {{ .Values.pod.user.cinder.uid }}
 command:
 - /tmp/cinder-backup.sh
 volumeMounts:
@@ -85,7 +90,26 @@ spec:
 mountPath: /tmp/client-keyring
 subPath: key
 readOnly: true
- {{- end -}}
+ {{- end }}
+ - name: cinder-etc
+ # NOTE (Portdirect): We mount here to overide Kollas custom
+ # sudoers file when using Kolla images, this location will
+ # also work fine for other images.
+ mountPath: /etc/sudoers.d/kolla_cinder_sudoers
+ subPath: cinder_sudoers
+ readOnly: true
+ - name: cinder-etc
+ mountPath: /etc/sudoers.d/kolla_cinder_volume_sudoers
+ subPath: cinder_sudoers
+ readOnly: true
+ - name: cinder-etc
+ mountPath: /etc/cinder/rootwrap.conf
+ subPath: rootwrap.conf
+ readOnly: true
+ - name: cinder-etc
+ mountPath: /etc/cinder/rootwrap.d/volume.filters
+ subPath: volume.filters
+ readOnly: true
 {{ if $mounts_cinder_backup.volumeMounts }}{{ toYaml $mounts_cinder_backup.volumeMounts | indent 12 }}{{ end }}
 volumes:
 - name: cinder-etc
diff --git a/cinder/templates/deployment-scheduler.yaml b/cinder/templates/deployment-scheduler.yaml
index 126d316207..e887125cd4 100644
--- a/cinder/templates/deployment-scheduler.yaml
+++ b/cinder/templates/deployment-scheduler.yaml
@@ -46,6 +46,8 @@ spec:
 image: {{ .Values.images.scheduler }}
 imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.scheduler | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ runAsUser: {{ .Values.pod.user.cinder.uid }}
 command:
 - /tmp/cinder-scheduler.sh
 volumeMounts:
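Review bot: The backup container deliberately keeps a path back to root — this commit gives it a sudoers rule for `cinder-rootwrap`, and sudo is setuid — so `allowPrivilegeEscalation: false` cannot be applied here the way it can on api and scheduler, and that asymmetry should be recorded next to `runAsUser` rather than left for the next hardening pass to discover, e.g. `# NOTE: allowPrivilegeEscalation must stay enabled; cinder-backup escalates via sudo -> cinder-rootwrap`. `runAsNonRoot: true` is still safe to add alongside `runAsUser` and rejects a uid override of 0 at admission.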
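Review bot: Mounting `volume.filters` by `subPath` replaces that one file only; rootwrap loads every file in `filters_path` (`/etc/cinder/rootwrap.d` per the rootwrap.conf in this commit), so any filter files the image already ships in that directory remain active alongside the chart's, and the chart does not actually control the root command allow-list. Project just the `volume.filters` key from the cinder-etc object into a second volume and mount it over the whole directory, so the only filters present are the ones this chart renders; the cinder-etc source object itself is defined below the hunk and its kind (configMap or secret) is not visible here. It is also worth a comment that `subPath` mounts never refresh when the ConfigMap changes, which for sudoers and rootwrap files is arguably a feature but should be stated.

```yaml
            - name: cinder-rootwrap-filters
              mountPath: /etc/cinder/rootwrap.d
              readOnly: true
# … unchanged: remaining cinder-etc mounts and $mounts_cinder_backup …
      volumes:
        - name: cinder-rootwrap-filters
          # same object as cinder-etc (configMap or secret, whichever it is);
          # only the filter key is projected so rootwrap sees nothing else
          configMap:
            name: cinder-etc
            items:
              - key: volume.filters
                path: volume.filters
```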
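Review bot: As with cinder-api, the scheduler receives no sudoers or rootwrap mounts in this commit and so should not be allowed to escalate at all; `runAsUser` alone leaves setuid binaries usable. Add `runAsNonRoot: true` and `allowPrivilegeEscalation: false` under the new `securityContext:` so the non-root uid is enforced rather than merely requested.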
diff --git a/cinder/templates/deployment-volume.yaml b/cinder/templates/deployment-volume.yaml
index 94f35b2d50..2935f48882 100644
--- a/cinder/templates/deployment-volume.yaml
+++ b/cinder/templates/deployment-volume.yaml
@@ -45,6 +45,8 @@ spec:
 - name: ceph-keyring-placement
 image: {{ .Values.images.volume }}
 imagePullPolicy: {{ .Values.images.pull_policy }}
+ securityContext:
+ runAsUser: 0
 command:
 - /tmp/ceph-keyring.sh
 volumeMounts:
@@ -53,6 +55,7 @@ spec:
 - name: cinder-bin
 mountPath: /tmp/ceph-keyring.sh
 subPath: ceph-keyring.sh
+ readOnly: true
 - name: ceph-keyring
 mountPath: /tmp/client-keyring
 subPath: key
@@ -63,6 +66,8 @@ spec:
 image: {{ .Values.images.volume }}
 imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.volume | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ runAsUser: {{ .Values.pod.user.cinder.uid }}
 command:
 - /tmp/cinder-volume.sh
 volumeMounts:
@@ -90,6 +95,25 @@ spec:
 subPath: key
 readOnly: true
 {{- end }}
+ - name: cinder-etc
+ # NOTE (Portdirect): We mount here to overide Kollas custom
+ # sudoers file when using Kolla images, this location will
+ # also work fine for other images.
+ mountPath: /etc/sudoers.d/kolla_cinder_sudoers
+ subPath: cinder_sudoers
+ readOnly: true
+ - name: cinder-etc
+ mountPath: /etc/sudoers.d/kolla_cinder_volume_sudoers
+ subPath: cinder_sudoers
+ readOnly: true
+ - name: cinder-etc
+ mountPath: /etc/cinder/rootwrap.conf
+ subPath: rootwrap.conf
+ readOnly: true
+ - name: cinder-etc
+ mountPath: /etc/cinder/rootwrap.d/volume.filters
+ subPath: volume.filters
+ readOnly: true
 {{ if $mounts_cinder_volume.volumeMounts }}{{ toYaml $mounts_cinder_volume.volumeMounts | indent 12 }}{{ end }}
 volumes:
 - name: cinder-bin
diff --git a/cinder/templates/etc/_cinder_sudoers.tpl b/cinder/templates/etc/_cinder_sudoers.tpl
new file mode 100644
index 0000000000..2b822ab2d2
--- /dev/null
+++ b/cinder/templates/etc/_cinder_sudoers.tpl
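Review bot: sudo only honours a file in `/etc/sudoers.d` that is root-owned and not writable by group or other, and some releases additionally insist on mode 0440; a `subPath` mount arrives with the volume's `defaultMode` (0644 when unset), and the cinder-etc volume definition that follows the hunk is cut off here, so whether it sets one is not visible. Set an explicit restrictive `defaultMode` on the cinder-etc volume — 0444 is the practical choice because the same volume serves cinder.conf to the non-root process — and verify that the sudo build in both image families accepts a world-readable sudoers.d entry, since a rejected file means rootwrap silently stops working rather than failing loudly. Record the constraint at the mount: `# sudo ignores sudoers.d entries that are group/world writable; keep cinder-etc defaultMode restrictive`. The NOTE should also say that on a non-Kolla image any other file the image keeps in `/etc/sudoers.d` is not overridden by these two mounts and stays in force.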
@@ -0,0 +1,20 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This sudoers file supports rootwrap for both Kolla and LOCI Images.
+Defaults !requiretty
+Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/var/lib/openstack/bin:/var/lib/kolla/venv/bin"
+cinder ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/cinder-rootwrap /etc/cinder/rootwrap.conf *, /var/lib/openstack/bin/cinder-rootwrap /etc/cinder/rootwrap.conf *
diff --git a/cinder/templates/etc/_rootwrap.conf.tpl b/cinder/templates/etc/_rootwrap.conf.tpl
index 4986c9e39f..2d88d689e4 100644
--- a/cinder/templates/etc/_rootwrap.conf.tpl
+++ b/cinder/templates/etc/_rootwrap.conf.tpl
@@ -10,7 +10,7 @@ filters_path=/etc/cinder/rootwrap.d
 # explicitely specify a full path (separated by ',')
 # If not specified, defaults to system PATH environment variable.
 # These directories MUST all be only writeable by root !
-exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin
+exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/var/lib/openstack/bin,/var/lib/kolla/venv/bin
 # Enable logging to syslog
 # Default value is False
diff --git a/cinder/templates/etc/rootwrap.d/_volume.filters.tpl b/cinder/templates/etc/rootwrap.d/_volume.filters.tpl
new file mode 100644
index 0000000000..f7810c46f7
--- /dev/null
+++ b/cinder/templates/etc/rootwrap.d/_volume.filters.tpl
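Review bot: `secure_path` includes `/snap/bin`, a directory neither the Kolla nor the LOCI layout named in the header comment appears to use; every extra entry in the root search path is one more place a planted binary could be resolved from by something run through sudo, so trim it to `Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/openstack/bin:/var/lib/kolla/venv/bin"`. The rule is keyed on the account name `cinder`, while the pods only pin a numeric `runAsUser`; if that uid does not resolve to `cinder` in the image's passwd database sudo rejects the caller and rootwrap stops working, so the header comment should state that `pod.user.cinder.uid` must be the uid of the image's `cinder` account. The trailing `*` deliberately passes every argument through to rootwrap, which means the real boundary is that rootwrap.conf and the filter files stay root-owned and read-only — worth saying in the comment too, since the readOnly mounts are what provide it.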
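Review bot: The two venv directories appended to `exec_dirs` are now searched by a root process for every filtered command, and the comment two lines above states the precondition — each must be writable only by root; if the cinder user can write to `/var/lib/openstack/bin` or `/var/lib/kolla/venv/bin`, a dropped `lvs` or `dd` would run as root regardless of what the filters say. Whether the image builds leave those directories root-owned and not group/world writable is not visible from this change and should be checked for both image families. Add a comment above the line, e.g. `# NOTE: the venv bin dirs below must stay root-owned; rootwrap resolves filtered commands from them as root`.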
@@ -0,0 +1,224 @@ +# cinder-rootwrap command filters for volume nodes +# This file should be owned by (and only-writeable by) the root user + +[Filters] +# cinder/volume/iscsi.py: iscsi_helper '--op' ... +ietadm: CommandFilter, ietadm, root +tgtadm: CommandFilter, tgtadm, root +iscsictl: CommandFilter, iscsictl, root +tgt-admin: CommandFilter, tgt-admin, root +cinder-rtstool: CommandFilter, cinder-rtstool, root +scstadmin: CommandFilter, scstadmin, root + +# LVM related show commands +pvs: EnvFilter, env, root, LC_ALL=C, pvs +vgs: EnvFilter, env, root, LC_ALL=C, vgs +lvs: EnvFilter, env, root, LC_ALL=C, lvs +lvdisplay: EnvFilter, env, root, LC_ALL=C, lvdisplay + +# -LVM related show commands with suppress fd warnings +pvs_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, pvs +vgs_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, vgs +lvs_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvs +lvdisplay_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvdisplay + + +# -LVM related show commands conf var +pvs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, pvs +vgs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, vgs +lvs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvs +lvdisplay_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvdisplay + +# -LVM conf var with suppress fd_warnings +pvs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, pvs +vgs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, vgs +lvs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvs +lvdisplay_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvdisplay + +# os-brick library commands +# os_brick.privileged.run_as_root oslo.privsep context +# This line ties the superuser privs with the config files, context name, +# and (implicitly) the actual python 
code invoked. +privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.* +# The following and any cinder/brick/* entries should all be obsoleted +# by privsep, and may be removed once the os-brick version requirement +# is updated appropriately. +scsi_id: CommandFilter, /lib/udev/scsi_id, root +drbdadm: CommandFilter, drbdadm, root + +# cinder/brick/local_dev/lvm.py: 'vgcreate', vg_name, pv_list +vgcreate: CommandFilter, vgcreate, root + +# cinder/brick/local_dev/lvm.py: 'lvcreate', '-L', sizestr, '-n', volume_name,.. +# cinder/brick/local_dev/lvm.py: 'lvcreate', '-L', ... +lvcreate: EnvFilter, env, root, LC_ALL=C, lvcreate +lvcreate_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvcreate +lvcreate_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvcreate +lvcreate_lvmconf_fdwarn: EnvFilter, env, root, LVM_SYSTEM_DIR=, LVM_SUPPRESS_FD_WARNINGS=, LC_ALL=C, lvcreate + +# cinder/volume/driver.py: 'dd', 'if=%s' % srcstr, 'of=%s' % deststr,... +dd: CommandFilter, dd, root + +# cinder/volume/driver.py: 'lvremove', '-f', %s/%s % ... +lvremove: CommandFilter, lvremove, root + +# cinder/volume/driver.py: 'lvrename', '%(vg)s', '%(orig)s' '(new)s'... +lvrename: CommandFilter, lvrename, root + +# cinder/brick/local_dev/lvm.py: 'lvextend', '-L' '%(new_size)s', '%(lv_name)s' ... +# cinder/brick/local_dev/lvm.py: 'lvextend', '-L' '%(new_size)s', '%(thin_pool)s' ... 
+lvextend: EnvFilter, env, root, LC_ALL=C, lvextend +lvextend_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvextend +lvextend_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvextend +lvextend_lvmconf_fdwarn: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvextend + +# cinder/brick/local_dev/lvm.py: 'lvchange -a y -K ' +lvchange: CommandFilter, lvchange, root + +# cinder/brick/local_dev/lvm.py: 'lvconvert', '--merge', snapshot_name +lvconvert: CommandFilter, lvconvert, root + +# cinder/volume/driver.py: 'iscsiadm', '-m', 'discovery', '-t',... +# cinder/volume/driver.py: 'iscsiadm', '-m', 'node', '-T', ... +iscsiadm: CommandFilter, iscsiadm, root + +# cinder/volume/utils.py: utils.temporary_chown(path, 0) +chown: CommandFilter, chown, root + +# cinder/volume/utils.py: copy_volume(..., ionice='...') +ionice_1: ChainingRegExpFilter, ionice, root, ionice, -c[0-3], -n[0-7] +ionice_2: ChainingRegExpFilter, ionice, root, ionice, -c[0-3] + +# cinder/volume/utils.py: setup_blkio_cgroup() +cgcreate: CommandFilter, cgcreate, root +cgset: CommandFilter, cgset, root +cgexec: ChainingRegExpFilter, cgexec, root, cgexec, -g, blkio:\S+ + +# cinder/volume/driver.py +dmsetup: CommandFilter, dmsetup, root +ln: CommandFilter, ln, root + +# cinder/image/image_utils.py +qemu-img: EnvFilter, env, root, LC_ALL=C, qemu-img +qemu-img_convert: CommandFilter, qemu-img, root + +udevadm: CommandFilter, udevadm, root + +# cinder/volume/driver.py: utils.read_file_as_root() +cat: CommandFilter, cat, root + +# cinder/volume/nfs.py +stat: CommandFilter, stat, root +mount: CommandFilter, mount, root +df: CommandFilter, df, root +du: CommandFilter, du, root +truncate: CommandFilter, truncate, root +chmod: CommandFilter, chmod, root +rm: CommandFilter, rm, root + +# cinder/volume/drivers/remotefs.py +mkdir: CommandFilter, mkdir, root + +# cinder/volume/drivers/netapp/nfs.py: +netapp_nfs_find: RegExpFilter, find, root, find, 
^[/]*([^/\0]+(/+)?)*$, -maxdepth, \d+, -name, img-cache.*, -amin, \+\d+ + +# cinder/volume/drivers/glusterfs.py +chgrp: CommandFilter, chgrp, root +umount: CommandFilter, umount, root +fallocate: CommandFilter, fallocate, root + +# cinder/volumes/drivers/hds/hds.py: +hus-cmd: CommandFilter, hus-cmd, root +hus-cmd_local: CommandFilter, /usr/local/bin/hus-cmd, root + +# cinder/volumes/drivers/hds/hnas_backend.py +ssc: CommandFilter, ssc, root + +# cinder/brick/initiator/connector.py: +ls: CommandFilter, ls, root +tee: CommandFilter, tee, root +multipath: CommandFilter, multipath, root +multipathd: CommandFilter, multipathd, root +systool: CommandFilter, systool, root + +# cinder/volume/drivers/block_device.py +blockdev: CommandFilter, blockdev, root + +# cinder/volume/drivers/ibm/gpfs.py +# cinder/volume/drivers/tintri.py +mv: CommandFilter, mv, root + +# cinder/volume/drivers/ibm/gpfs.py +cp: CommandFilter, cp, root +mmgetstate: CommandFilter, /usr/lpp/mmfs/bin/mmgetstate, root +mmclone: CommandFilter, /usr/lpp/mmfs/bin/mmclone, root +mmlsattr: CommandFilter, /usr/lpp/mmfs/bin/mmlsattr, root +mmchattr: CommandFilter, /usr/lpp/mmfs/bin/mmchattr, root +mmlsconfig: CommandFilter, /usr/lpp/mmfs/bin/mmlsconfig, root +mmlsfs: CommandFilter, /usr/lpp/mmfs/bin/mmlsfs, root +mmlspool: CommandFilter, /usr/lpp/mmfs/bin/mmlspool, root +mkfs: CommandFilter, mkfs, root +mmcrfileset: CommandFilter, /usr/lpp/mmfs/bin/mmcrfileset, root +mmlinkfileset: CommandFilter, /usr/lpp/mmfs/bin/mmlinkfileset, root +mmunlinkfileset: CommandFilter, /usr/lpp/mmfs/bin/mmunlinkfileset, root +mmdelfileset: CommandFilter, /usr/lpp/mmfs/bin/mmdelfileset, root +mmcrsnapshot: CommandFilter, /usr/lpp/mmfs/bin/mmcrsnapshot, root +mmdelsnapshot: CommandFilter, /usr/lpp/mmfs/bin/mmdelsnapshot, root + +# cinder/volume/drivers/ibm/gpfs.py +# cinder/volume/drivers/ibm/ibmnas.py +find_maxdepth_inum: RegExpFilter, find, root, find, ^[/]*([^/\0]+(/+)?)*$, -maxdepth, \d+, -ignore_readdir_race, -inum, \d+, -print0, 
-quit + +# cinder/brick/initiator/connector.py: +aoe-revalidate: CommandFilter, aoe-revalidate, root +aoe-discover: CommandFilter, aoe-discover, root +aoe-flush: CommandFilter, aoe-flush, root + +# cinder/brick/initiator/linuxscsi.py: +sg_scan: CommandFilter, sg_scan, root + +#cinder/backup/services/tsm.py +dsmc:CommandFilter,/usr/bin/dsmc,root + +# cinder/volume/drivers/hitachi/hbsd_horcm.py +raidqry: CommandFilter, raidqry, root +raidcom: CommandFilter, raidcom, root +pairsplit: CommandFilter, pairsplit, root +paircreate: CommandFilter, paircreate, root +pairdisplay: CommandFilter, pairdisplay, root +pairevtwait: CommandFilter, pairevtwait, root +horcmstart.sh: CommandFilter, horcmstart.sh, root +horcmshutdown.sh: CommandFilter, horcmshutdown.sh, root +horcmgr: EnvFilter, env, root, HORCMINST=, /etc/horcmgr + +# cinder/volume/drivers/hitachi/hbsd_snm2.py +auman: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auman +auluref: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auluref +auhgdef: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auhgdef +aufibre1: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/aufibre1 +auhgwwn: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auhgwwn +auhgmap: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auhgmap +autargetmap: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/autargetmap +aureplicationvvol: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/aureplicationvvol +auluadd: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, 
STONAVM_ACT=, /usr/stonavm/auluadd +auludel: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auludel +auluchgsize: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auluchgsize +auchapuser: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auchapuser +autargetdef: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/autargetdef +autargetopt: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/autargetopt +autargetini: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/autargetini +auiscsi: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auiscsi +audppool: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/audppool +aureplicationlocal: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/aureplicationlocal +aureplicationmon: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/aureplicationmon + +# cinder/volume/drivers/hgst.py +vgc-cluster: CommandFilter, vgc-cluster, root + +# cinder/volume/drivers/vzstorage.py +pstorage-mount: CommandFilter, pstorage-mount, root +pstorage: CommandFilter, pstorage, root +ploop: CommandFilter, ploop, root + +# initiator/connector.py: +drv_cfg: CommandFilter, /opt/emc/scaleio/sdc/bin/drv_cfg, root, /opt/emc/scaleio/sdc/bin/drv_cfg, --query_guid diff --git a/cinder/values.yaml b/cinder/values.yaml index 1d652d51a5..a4fbddf564 100644 --- a/cinder/values.yaml +++ b/cinder/values.yaml 
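Review bot: The `[Filters]` section defines `pvs_lvmconf`, `vgs_lvmconf`, `lvs_lvmconf` and `lvdisplay_lvmconf` twice, once without and once with `LVM_SUPPRESS_FD_WARNINGS=`; oslo.rootwrap reads filter files with ConfigParser, so on Python 2 the second definition silently replaces the first and the plain `LVM_SYSTEM_DIR=, LC_ALL=C` form stops matching, while Python 3's default strict parser would reject the whole file. Rename the second group to `pvs_lvmconf_fdwarn` and so on, mirroring the `lvcreate_lvmconf_fdwarn` naming already used further down. Beyond that, this copy grants root for every driver upstream cinder supports — `dd`, `chown`, `chmod`, `cp`, `mv`, `rm`, `mount`, `tee` and `ln` as unconstrained CommandFilters plus dozens of vendor tools — regardless of which backends the chart actually configures, and since this file is the effective privilege boundary for the service user the header should tell operators to prune unused entries through `conf.rootwrap_filters.volume.override`.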
@@ -41,6 +41,9 @@ images:
 pull_policy: "IfNotPresent"
 pod:
+ user:
+ cinder:
+ uid: 1000
 affinity:
 anti:
 type:
@@ -179,9 +182,16 @@ conf:
 policy:
 override:
 append:
+ cinder_sudoers:
+ override:
+ append:
 rootwrap:
 override:
 append:
+ rootwrap_filters:
+ volume:
+ override:
+ append:
 ceph:
 override:
 append:
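Review bot: `uid: 1000` is used verbatim as `runAsUser` for every cinder container, but the sudoers rule this commit adds grants rootwrap to the account named `cinder`, and sudo identifies the caller by resolving its uid to a name; unless 1000 maps to `cinder` in the image's passwd database, sudo refuses (or sees a nameless uid) and cinder-volume and cinder-backup lose rootwrap entirely. 1000 is also the conventional first interactive account on many base images, which invites a collision with an unrelated user. Document the coupling at the key, e.g. `# must be the uid of the image's 'cinder' account: the sudoers rule is keyed on that name`, and consider defaulting to the uid the supported images actually assign rather than an arbitrary value.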
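Review bot: The new `conf.cinder_sudoers` `override`/`append` keys are never read: the configmap-etc template in this same commit renders the sudoers file from `.Values.conf.neutron_sudoers`, so whatever an operator puts here is ignored. Fix the template reference to `.Values.conf.cinder_sudoers` (or rename this key to match it). Because an override here replaces a NOPASSWD root rule, a one-line comment such as `# rendered into /etc/sudoers.d; an override replaces the root-escalation rule, review carefully` would be appropriate.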