Cinder: Move all config to be directly values driven.

This PS moves all the config files to be directly values driven, both simplifying over-ride and allowing configs to be targeted to pods in future work. Change-Id: I286af7434aab6de941f9700a7fbf70c6dd0ee4cb
2018-03-27 14:24:07 -04:00 · 2018-03-27 14:24:07 -04:00 · 6219bba2c7
commit 6219bba2c7
parent ceca6ad96c
6 changed files with 275 additions and 285 deletions
--- a/cinder/templates/configmap-etc.yaml
+++ b/cinder/templates/configmap-etc.yaml
@ -110,9 +110,12 @@ data:
  policy.json: |
 {{ toJson .Values.conf.policy | indent 4 }}
  cinder_sudoers: |
-{{- tuple .Values.conf.cinder_sudoers "etc/_cinder_sudoers.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
+{{ $envAll.Values.conf.cinder_sudoers | indent 4 }}
  rootwrap.conf: |
-{{- tuple .Values.conf.rootwrap "etc/_rootwrap.conf.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
-  volume.filters: |
-{{- tuple .Values.conf.rootwrap_filters.volume "etc/rootwrap.d/_volume.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
+{{ $envAll.Values.conf.rootwrap | indent 4 }}
+{{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
+{{- $filePrefix := replace "_" "-"  $key }}
+  {{ printf "%s.filters" $filePrefix }}: |
+{{ $value.content | indent 4 }}
+{{- end }}
 {{- end }}
--- a/cinder/templates/deployment-volume.yaml
+++ b/cinder/templates/deployment-volume.yaml
@ -137,10 +137,16 @@ spec:
              mountPath: /etc/cinder/rootwrap.conf
              subPath: rootwrap.conf
              readOnly: true
+            {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
+            {{- if ( has "volume" $value.pods ) }}
+            {{- $filePrefix := replace "_" "-"  $key }}
+            {{- $rootwrapFile := printf "/etc/cinder/rootwrap.d/%s.filters" $filePrefix }}
            - name: cinder-etc
-              mountPath: /etc/cinder/rootwrap.d/volume.filters
-              subPath: volume.filters
+              mountPath: {{ $rootwrapFile }}
+              subPath: {{ base $rootwrapFile }}
              readOnly: true
+            {{- end }}
+            {{- end }}
 {{ if $mounts_cinder_volume.volumeMounts }}{{ toYaml $mounts_cinder_volume.volumeMounts | indent 12 }}{{ end }}
      volumes:
        - name: cinder-bin
--- a/cinder/templates/etc/_cinder_sudoers.tpl
+++ b/cinder/templates/etc/_cinder_sudoers.tpl
@ -1,20 +0,0 @@
-{{/*
-Copyright 2017 The Openstack-Helm Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-# This sudoers file supports rootwrap for both Kolla and LOCI Images.
-Defaults !requiretty
-Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/var/lib/openstack/bin:/var/lib/kolla/venv/bin"
-cinder ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/cinder-rootwrap /etc/cinder/rootwrap.conf *, /var/lib/openstack/bin/cinder-rootwrap /etc/cinder/rootwrap.conf *
--- a/cinder/templates/etc/_rootwrap.conf.tpl
+++ b/cinder/templates/etc/_rootwrap.conf.tpl
@ -1,27 +0,0 @@
-# Configuration for cinder-rootwrap
-# This file should be owned by (and only-writeable by) the root user
-
-[DEFAULT]
-# List of directories to load filter definitions from (separated by ',').
-# These directories MUST all be only writeable by root !
-filters_path=/etc/cinder/rootwrap.d
-
-# List of directories to search executables in, in case filters do not
-# explicitely specify a full path (separated by ',')
-# If not specified, defaults to system PATH environment variable.
-# These directories MUST all be only writeable by root !
-exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/var/lib/openstack/bin,/var/lib/kolla/venv/bin
-
-# Enable logging to syslog
-# Default value is False
-use_syslog=False
-
-# Which syslog facility to use.
-# Valid values include auth, authpriv, syslog, local0, local1...
-# Default value is 'syslog'
-syslog_log_facility=syslog
-
-# Which messages to log.
-# INFO means log all usage
-# ERROR means only log unsuccessful attempts
-syslog_log_level=ERROR
--- a/cinder/templates/etc/rootwrap.d/_volume.filters.tpl
+++ b/cinder/templates/etc/rootwrap.d/_volume.filters.tpl
@ -1,224 +0,0 @@
-# cinder-rootwrap command filters for volume nodes
-# This file should be owned by (and only-writeable by) the root user
-
-[Filters]
-# cinder/volume/iscsi.py: iscsi_helper '--op' ...
-ietadm: CommandFilter, ietadm, root
-tgtadm: CommandFilter, tgtadm, root
-iscsictl: CommandFilter, iscsictl, root
-tgt-admin: CommandFilter, tgt-admin, root
-cinder-rtstool: CommandFilter, cinder-rtstool, root
-scstadmin: CommandFilter, scstadmin, root
-
-# LVM related show commands
-pvs: EnvFilter, env, root, LC_ALL=C, pvs
-vgs: EnvFilter, env, root, LC_ALL=C, vgs
-lvs: EnvFilter, env, root, LC_ALL=C, lvs
-lvdisplay: EnvFilter, env, root, LC_ALL=C, lvdisplay
-
-# -LVM related show commands with suppress fd warnings
-pvs_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, pvs
-vgs_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, vgs
-lvs_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvs
-lvdisplay_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvdisplay
-
-
-# -LVM related show commands conf var
-pvs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, pvs
-vgs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, vgs
-lvs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvs
-lvdisplay_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvdisplay
-
-# -LVM conf var with suppress fd_warnings
-pvs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, pvs
-vgs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, vgs
-lvs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvs
-lvdisplay_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvdisplay
-
-# os-brick library commands
-# os_brick.privileged.run_as_root oslo.privsep context
-# This line ties the superuser privs with the config files, context name,
-# and (implicitly) the actual python code invoked.
-privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.*
-# The following and any cinder/brick/* entries should all be obsoleted
-# by privsep, and may be removed once the os-brick version requirement
-# is updated appropriately.
-scsi_id: CommandFilter, /lib/udev/scsi_id, root
-drbdadm: CommandFilter, drbdadm, root
-
-# cinder/brick/local_dev/lvm.py: 'vgcreate', vg_name, pv_list
-vgcreate: CommandFilter, vgcreate, root
-
-# cinder/brick/local_dev/lvm.py: 'lvcreate', '-L', sizestr, '-n', volume_name,..
-# cinder/brick/local_dev/lvm.py: 'lvcreate', '-L', ...
-lvcreate: EnvFilter, env, root, LC_ALL=C, lvcreate
-lvcreate_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvcreate
-lvcreate_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvcreate
-lvcreate_lvmconf_fdwarn: EnvFilter, env, root, LVM_SYSTEM_DIR=, LVM_SUPPRESS_FD_WARNINGS=, LC_ALL=C, lvcreate
-
-# cinder/volume/driver.py: 'dd', 'if=%s' % srcstr, 'of=%s' % deststr,...
-dd: CommandFilter, dd, root
-
-# cinder/volume/driver.py: 'lvremove', '-f', %s/%s % ...
-lvremove: CommandFilter, lvremove, root
-
-# cinder/volume/driver.py: 'lvrename', '%(vg)s', '%(orig)s' '(new)s'...
-lvrename: CommandFilter, lvrename, root
-
-# cinder/brick/local_dev/lvm.py: 'lvextend', '-L' '%(new_size)s', '%(lv_name)s' ...
-# cinder/brick/local_dev/lvm.py: 'lvextend', '-L' '%(new_size)s', '%(thin_pool)s' ...
-lvextend: EnvFilter, env, root, LC_ALL=C, lvextend
-lvextend_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvextend
-lvextend_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvextend
-lvextend_lvmconf_fdwarn: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvextend
-
-# cinder/brick/local_dev/lvm.py: 'lvchange -a y -K <lv>'
-lvchange: CommandFilter, lvchange, root
-
-# cinder/brick/local_dev/lvm.py: 'lvconvert', '--merge', snapshot_name
-lvconvert: CommandFilter, lvconvert, root
-
-# cinder/volume/driver.py: 'iscsiadm', '-m', 'discovery', '-t',...
-# cinder/volume/driver.py: 'iscsiadm', '-m', 'node', '-T', ...
-iscsiadm: CommandFilter, iscsiadm, root
-
-# cinder/volume/utils.py: utils.temporary_chown(path, 0)
-chown: CommandFilter, chown, root
-
-# cinder/volume/utils.py: copy_volume(..., ionice='...')
-ionice_1: ChainingRegExpFilter, ionice, root, ionice, -c[0-3], -n[0-7]
-ionice_2: ChainingRegExpFilter, ionice, root, ionice, -c[0-3]
-
-# cinder/volume/utils.py: setup_blkio_cgroup()
-cgcreate: CommandFilter, cgcreate, root
-cgset: CommandFilter, cgset, root
-cgexec: ChainingRegExpFilter, cgexec, root, cgexec, -g, blkio:\S+
-
-# cinder/volume/driver.py
-dmsetup: CommandFilter, dmsetup, root
-ln: CommandFilter, ln, root
-
-# cinder/image/image_utils.py
-qemu-img: EnvFilter, env, root, LC_ALL=C, qemu-img
-qemu-img_convert: CommandFilter, qemu-img, root
-
-udevadm: CommandFilter, udevadm, root
-
-# cinder/volume/driver.py: utils.read_file_as_root()
-cat: CommandFilter, cat, root
-
-# cinder/volume/nfs.py
-stat: CommandFilter, stat, root
-mount: CommandFilter, mount, root
-df: CommandFilter, df, root
-du: CommandFilter, du, root
-truncate: CommandFilter, truncate, root
-chmod: CommandFilter, chmod, root
-rm: CommandFilter, rm, root
-
-# cinder/volume/drivers/remotefs.py
-mkdir: CommandFilter, mkdir, root
-
-# cinder/volume/drivers/netapp/nfs.py:
-netapp_nfs_find: RegExpFilter, find, root, find, ^[/]*([^/\0]+(/+)?)*$, -maxdepth, \d+, -name, img-cache.*, -amin, \+\d+
-
-# cinder/volume/drivers/glusterfs.py
-chgrp: CommandFilter, chgrp, root
-umount: CommandFilter, umount, root
-fallocate: CommandFilter, fallocate, root
-
-# cinder/volumes/drivers/hds/hds.py:
-hus-cmd: CommandFilter, hus-cmd, root
-hus-cmd_local: CommandFilter, /usr/local/bin/hus-cmd, root
-
-# cinder/volumes/drivers/hds/hnas_backend.py
-ssc: CommandFilter, ssc, root
-
-# cinder/brick/initiator/connector.py:
-ls: CommandFilter, ls, root
-tee: CommandFilter, tee, root
-multipath: CommandFilter, multipath, root
-multipathd: CommandFilter, multipathd, root
-systool: CommandFilter, systool, root
-
-# cinder/volume/drivers/block_device.py
-blockdev: CommandFilter, blockdev, root
-
-# cinder/volume/drivers/ibm/gpfs.py
-# cinder/volume/drivers/tintri.py
-mv: CommandFilter, mv, root
-
-# cinder/volume/drivers/ibm/gpfs.py
-cp: CommandFilter, cp, root
-mmgetstate: CommandFilter, /usr/lpp/mmfs/bin/mmgetstate, root
-mmclone: CommandFilter, /usr/lpp/mmfs/bin/mmclone, root
-mmlsattr: CommandFilter, /usr/lpp/mmfs/bin/mmlsattr, root
-mmchattr: CommandFilter, /usr/lpp/mmfs/bin/mmchattr, root
-mmlsconfig: CommandFilter, /usr/lpp/mmfs/bin/mmlsconfig, root
-mmlsfs: CommandFilter, /usr/lpp/mmfs/bin/mmlsfs, root
-mmlspool: CommandFilter, /usr/lpp/mmfs/bin/mmlspool, root
-mkfs: CommandFilter, mkfs, root
-mmcrfileset: CommandFilter, /usr/lpp/mmfs/bin/mmcrfileset, root
-mmlinkfileset: CommandFilter, /usr/lpp/mmfs/bin/mmlinkfileset, root
-mmunlinkfileset: CommandFilter, /usr/lpp/mmfs/bin/mmunlinkfileset, root
-mmdelfileset: CommandFilter, /usr/lpp/mmfs/bin/mmdelfileset, root
-mmcrsnapshot: CommandFilter, /usr/lpp/mmfs/bin/mmcrsnapshot, root
-mmdelsnapshot: CommandFilter, /usr/lpp/mmfs/bin/mmdelsnapshot, root
-
-# cinder/volume/drivers/ibm/gpfs.py
-# cinder/volume/drivers/ibm/ibmnas.py
-find_maxdepth_inum: RegExpFilter, find, root, find, ^[/]*([^/\0]+(/+)?)*$, -maxdepth, \d+, -ignore_readdir_race, -inum, \d+, -print0, -quit
-
-# cinder/brick/initiator/connector.py:
-aoe-revalidate: CommandFilter, aoe-revalidate, root
-aoe-discover: CommandFilter, aoe-discover, root
-aoe-flush: CommandFilter, aoe-flush, root
-
-# cinder/brick/initiator/linuxscsi.py:
-sg_scan: CommandFilter, sg_scan, root
-
-#cinder/backup/services/tsm.py
-dsmc:CommandFilter,/usr/bin/dsmc,root
-
-# cinder/volume/drivers/hitachi/hbsd_horcm.py
-raidqry: CommandFilter, raidqry, root
-raidcom: CommandFilter, raidcom, root
-pairsplit: CommandFilter, pairsplit, root
-paircreate: CommandFilter, paircreate, root
-pairdisplay: CommandFilter, pairdisplay, root
-pairevtwait: CommandFilter, pairevtwait, root
-horcmstart.sh: CommandFilter, horcmstart.sh, root
-horcmshutdown.sh: CommandFilter, horcmshutdown.sh, root
-horcmgr: EnvFilter, env, root, HORCMINST=, /etc/horcmgr
-
-# cinder/volume/drivers/hitachi/hbsd_snm2.py
-auman: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auman
-auluref: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auluref
-auhgdef: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auhgdef
-aufibre1: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/aufibre1
-auhgwwn: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auhgwwn
-auhgmap: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auhgmap
-autargetmap: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/autargetmap
-aureplicationvvol: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/aureplicationvvol
-auluadd: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auluadd
-auludel: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auludel
-auluchgsize: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auluchgsize
-auchapuser: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auchapuser
-autargetdef: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/autargetdef
-autargetopt: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/autargetopt
-autargetini: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/autargetini
-auiscsi: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auiscsi
-audppool: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/audppool
-aureplicationlocal: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/aureplicationlocal
-aureplicationmon: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/aureplicationmon
-
-# cinder/volume/drivers/hgst.py
-vgc-cluster: CommandFilter, vgc-cluster, root
-
-# cinder/volume/drivers/vzstorage.py
-pstorage-mount: CommandFilter, pstorage-mount, root
-pstorage: CommandFilter, pstorage, root
-ploop: CommandFilter, ploop, root
-
-# initiator/connector.py:
-drv_cfg: CommandFilter, /opt/emc/scaleio/sdc/bin/drv_cfg, root, /opt/emc/scaleio/sdc/bin/drv_cfg, --query_guid
--- a/cinder/values.yaml
+++ b/cinder/values.yaml
@ -424,16 +424,268 @@ conf:
    clusters:get: rule:admin_api
    clusters:get_all: rule:admin_api
    clusters:update: rule:admin_api
-  cinder_sudoers:
-    override:
-    append:
-  rootwrap:
-    override:
-    append:
+  cinder_sudoers: |
+    # This sudoers file supports rootwrap for both Kolla and LOCI Images.
+    Defaults !requiretty
+    Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/var/lib/openstack/bin:/var/lib/kolla/venv/bin"
+    cinder ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/cinder-rootwrap /etc/cinder/rootwrap.conf *, /var/lib/openstack/bin/cinder-rootwrap /etc/cinder/rootwrap.conf *
+  rootwrap: |
+    # Configuration for cinder-rootwrap
+    # This file should be owned by (and only-writeable by) the root user
+
+    [DEFAULT]
+    # List of directories to load filter definitions from (separated by ',').
+    # These directories MUST all be only writeable by root !
+    filters_path=/etc/cinder/rootwrap.d
+
+    # List of directories to search executables in, in case filters do not
+    # explicitely specify a full path (separated by ',')
+    # If not specified, defaults to system PATH environment variable.
+    # These directories MUST all be only writeable by root !
+    exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/var/lib/openstack/bin,/var/lib/kolla/venv/bin
+
+    # Enable logging to syslog
+    # Default value is False
+    use_syslog=False
+
+    # Which syslog facility to use.
+    # Valid values include auth, authpriv, syslog, local0, local1...
+    # Default value is 'syslog'
+    syslog_log_facility=syslog
+
+    # Which messages to log.
+    # INFO means log all usage
+    # ERROR means only log unsuccessful attempts
+    syslog_log_level=ERROR
  rootwrap_filters:
    volume:
-      override:
-      append:
+      pods:
+        - volume
+      content: |
+        # cinder-rootwrap command filters for volume nodes
+        # This file should be owned by (and only-writeable by) the root user
+
+        [Filters]
+        # cinder/volume/iscsi.py: iscsi_helper '--op' ...
+        ietadm: CommandFilter, ietadm, root
+        tgtadm: CommandFilter, tgtadm, root
+        iscsictl: CommandFilter, iscsictl, root
+        tgt-admin: CommandFilter, tgt-admin, root
+        cinder-rtstool: CommandFilter, cinder-rtstool, root
+        scstadmin: CommandFilter, scstadmin, root
+
+        # LVM related show commands
+        pvs: EnvFilter, env, root, LC_ALL=C, pvs
+        vgs: EnvFilter, env, root, LC_ALL=C, vgs
+        lvs: EnvFilter, env, root, LC_ALL=C, lvs
+        lvdisplay: EnvFilter, env, root, LC_ALL=C, lvdisplay
+
+        # -LVM related show commands with suppress fd warnings
+        pvs_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, pvs
+        vgs_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, vgs
+        lvs_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvs
+        lvdisplay_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvdisplay
+
+
+        # -LVM related show commands conf var
+        pvs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, pvs
+        vgs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, vgs
+        lvs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvs
+        lvdisplay_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvdisplay
+
+        # -LVM conf var with suppress fd_warnings
+        pvs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, pvs
+        vgs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, vgs
+        lvs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvs
+        lvdisplay_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvdisplay
+
+        # os-brick library commands
+        # os_brick.privileged.run_as_root oslo.privsep context
+        # This line ties the superuser privs with the config files, context name,
+        # and (implicitly) the actual python code invoked.
+        privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.*
+        # The following and any cinder/brick/* entries should all be obsoleted
+        # by privsep, and may be removed once the os-brick version requirement
+        # is updated appropriately.
+        scsi_id: CommandFilter, /lib/udev/scsi_id, root
+        drbdadm: CommandFilter, drbdadm, root
+
+        # cinder/brick/local_dev/lvm.py: 'vgcreate', vg_name, pv_list
+        vgcreate: CommandFilter, vgcreate, root
+
+        # cinder/brick/local_dev/lvm.py: 'lvcreate', '-L', sizestr, '-n', volume_name,..
+        # cinder/brick/local_dev/lvm.py: 'lvcreate', '-L', ...
+        lvcreate: EnvFilter, env, root, LC_ALL=C, lvcreate
+        lvcreate_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvcreate
+        lvcreate_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvcreate
+        lvcreate_lvmconf_fdwarn: EnvFilter, env, root, LVM_SYSTEM_DIR=, LVM_SUPPRESS_FD_WARNINGS=, LC_ALL=C, lvcreate
+
+        # cinder/volume/driver.py: 'dd', 'if=%s' % srcstr, 'of=%s' % deststr,...
+        dd: CommandFilter, dd, root
+
+        # cinder/volume/driver.py: 'lvremove', '-f', %s/%s % ...
+        lvremove: CommandFilter, lvremove, root
+
+        # cinder/volume/driver.py: 'lvrename', '%(vg)s', '%(orig)s' '(new)s'...
+        lvrename: CommandFilter, lvrename, root
+
+        # cinder/brick/local_dev/lvm.py: 'lvextend', '-L' '%(new_size)s', '%(lv_name)s' ...
+        # cinder/brick/local_dev/lvm.py: 'lvextend', '-L' '%(new_size)s', '%(thin_pool)s' ...
+        lvextend: EnvFilter, env, root, LC_ALL=C, lvextend
+        lvextend_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvextend
+        lvextend_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvextend
+        lvextend_lvmconf_fdwarn: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvextend
+
+        # cinder/brick/local_dev/lvm.py: 'lvchange -a y -K <lv>'
+        lvchange: CommandFilter, lvchange, root
+
+        # cinder/brick/local_dev/lvm.py: 'lvconvert', '--merge', snapshot_name
+        lvconvert: CommandFilter, lvconvert, root
+
+        # cinder/volume/driver.py: 'iscsiadm', '-m', 'discovery', '-t',...
+        # cinder/volume/driver.py: 'iscsiadm', '-m', 'node', '-T', ...
+        iscsiadm: CommandFilter, iscsiadm, root
+
+        # cinder/volume/utils.py: utils.temporary_chown(path, 0)
+        chown: CommandFilter, chown, root
+
+        # cinder/volume/utils.py: copy_volume(..., ionice='...')
+        ionice_1: ChainingRegExpFilter, ionice, root, ionice, -c[0-3], -n[0-7]
+        ionice_2: ChainingRegExpFilter, ionice, root, ionice, -c[0-3]
+
+        # cinder/volume/utils.py: setup_blkio_cgroup()
+        cgcreate: CommandFilter, cgcreate, root
+        cgset: CommandFilter, cgset, root
+        cgexec: ChainingRegExpFilter, cgexec, root, cgexec, -g, blkio:\S+
+
+        # cinder/volume/driver.py
+        dmsetup: CommandFilter, dmsetup, root
+        ln: CommandFilter, ln, root
+
+        # cinder/image/image_utils.py
+        qemu-img: EnvFilter, env, root, LC_ALL=C, qemu-img
+        qemu-img_convert: CommandFilter, qemu-img, root
+
+        udevadm: CommandFilter, udevadm, root
+
+        # cinder/volume/driver.py: utils.read_file_as_root()
+        cat: CommandFilter, cat, root
+
+        # cinder/volume/nfs.py
+        stat: CommandFilter, stat, root
+        mount: CommandFilter, mount, root
+        df: CommandFilter, df, root
+        du: CommandFilter, du, root
+        truncate: CommandFilter, truncate, root
+        chmod: CommandFilter, chmod, root
+        rm: CommandFilter, rm, root
+
+        # cinder/volume/drivers/remotefs.py
+        mkdir: CommandFilter, mkdir, root
+
+        # cinder/volume/drivers/netapp/nfs.py:
+        netapp_nfs_find: RegExpFilter, find, root, find, ^[/]*([^/\0]+(/+)?)*$, -maxdepth, \d+, -name, img-cache.*, -amin, \+\d+
+
+        # cinder/volume/drivers/glusterfs.py
+        chgrp: CommandFilter, chgrp, root
+        umount: CommandFilter, umount, root
+        fallocate: CommandFilter, fallocate, root
+
+        # cinder/volumes/drivers/hds/hds.py:
+        hus-cmd: CommandFilter, hus-cmd, root
+        hus-cmd_local: CommandFilter, /usr/local/bin/hus-cmd, root
+
+        # cinder/volumes/drivers/hds/hnas_backend.py
+        ssc: CommandFilter, ssc, root
+
+        # cinder/brick/initiator/connector.py:
+        ls: CommandFilter, ls, root
+        tee: CommandFilter, tee, root
+        multipath: CommandFilter, multipath, root
+        multipathd: CommandFilter, multipathd, root
+        systool: CommandFilter, systool, root
+
+        # cinder/volume/drivers/block_device.py
+        blockdev: CommandFilter, blockdev, root
+
+        # cinder/volume/drivers/ibm/gpfs.py
+        # cinder/volume/drivers/tintri.py
+        mv: CommandFilter, mv, root
+
+        # cinder/volume/drivers/ibm/gpfs.py
+        cp: CommandFilter, cp, root
+        mmgetstate: CommandFilter, /usr/lpp/mmfs/bin/mmgetstate, root
+        mmclone: CommandFilter, /usr/lpp/mmfs/bin/mmclone, root
+        mmlsattr: CommandFilter, /usr/lpp/mmfs/bin/mmlsattr, root
+        mmchattr: CommandFilter, /usr/lpp/mmfs/bin/mmchattr, root
+        mmlsconfig: CommandFilter, /usr/lpp/mmfs/bin/mmlsconfig, root
+        mmlsfs: CommandFilter, /usr/lpp/mmfs/bin/mmlsfs, root
+        mmlspool: CommandFilter, /usr/lpp/mmfs/bin/mmlspool, root
+        mkfs: CommandFilter, mkfs, root
+        mmcrfileset: CommandFilter, /usr/lpp/mmfs/bin/mmcrfileset, root
+        mmlinkfileset: CommandFilter, /usr/lpp/mmfs/bin/mmlinkfileset, root
+        mmunlinkfileset: CommandFilter, /usr/lpp/mmfs/bin/mmunlinkfileset, root
+        mmdelfileset: CommandFilter, /usr/lpp/mmfs/bin/mmdelfileset, root
+        mmcrsnapshot: CommandFilter, /usr/lpp/mmfs/bin/mmcrsnapshot, root
+        mmdelsnapshot: CommandFilter, /usr/lpp/mmfs/bin/mmdelsnapshot, root
+
+        # cinder/volume/drivers/ibm/gpfs.py
+        # cinder/volume/drivers/ibm/ibmnas.py
+        find_maxdepth_inum: RegExpFilter, find, root, find, ^[/]*([^/\0]+(/+)?)*$, -maxdepth, \d+, -ignore_readdir_race, -inum, \d+, -print0, -quit
+
+        # cinder/brick/initiator/connector.py:
+        aoe-revalidate: CommandFilter, aoe-revalidate, root
+        aoe-discover: CommandFilter, aoe-discover, root
+        aoe-flush: CommandFilter, aoe-flush, root
+
+        # cinder/brick/initiator/linuxscsi.py:
+        sg_scan: CommandFilter, sg_scan, root
+
+        #cinder/backup/services/tsm.py
+        dsmc:CommandFilter,/usr/bin/dsmc,root
+
+        # cinder/volume/drivers/hitachi/hbsd_horcm.py
+        raidqry: CommandFilter, raidqry, root
+        raidcom: CommandFilter, raidcom, root
+        pairsplit: CommandFilter, pairsplit, root
+        paircreate: CommandFilter, paircreate, root
+        pairdisplay: CommandFilter, pairdisplay, root
+        pairevtwait: CommandFilter, pairevtwait, root
+        horcmstart.sh: CommandFilter, horcmstart.sh, root
+        horcmshutdown.sh: CommandFilter, horcmshutdown.sh, root
+        horcmgr: EnvFilter, env, root, HORCMINST=, /etc/horcmgr
+
+        # cinder/volume/drivers/hitachi/hbsd_snm2.py
+        auman: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auman
+        auluref: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auluref
+        auhgdef: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auhgdef
+        aufibre1: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/aufibre1
+        auhgwwn: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auhgwwn
+        auhgmap: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auhgmap
+        autargetmap: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/autargetmap
+        aureplicationvvol: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/aureplicationvvol
+        auluadd: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auluadd
+        auludel: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auludel
+        auluchgsize: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auluchgsize
+        auchapuser: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auchapuser
+        autargetdef: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/autargetdef
+        autargetopt: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/autargetopt
+        autargetini: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/autargetini
+        auiscsi: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auiscsi
+        audppool: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/audppool
+        aureplicationlocal: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/aureplicationlocal
+        aureplicationmon: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/aureplicationmon
+
+        # cinder/volume/drivers/hgst.py
+        vgc-cluster: CommandFilter, vgc-cluster, root
+
+        # cinder/volume/drivers/vzstorage.py
+        pstorage-mount: CommandFilter, pstorage-mount, root
+        pstorage: CommandFilter, pstorage, root
+        ploop: CommandFilter, ploop, root
+
+        # initiator/connector.py:
+        drv_cfg: CommandFilter, /opt/emc/scaleio/sdc/bin/drv_cfg, root, /opt/emc/scaleio/sdc/bin/drv_cfg, --query_guid
  ceph:
    override:
    append: