Remove unused privsep/rootwrap
Tacker does not have any functionality that requires executing commands as root. Change-Id: I51691767425fef0e7902d830d48a8143dcf8640a
@@ -67,15 +67,6 @@ TACKER_PROTOCOL=${TACKER_PROTOCOL:-$SERVICE_PROTOCOL}
|
||||
TACKER_ADMIN_USERNAME=${TACKER_ADMIN_USERNAME:-tacker}
|
||||
# Default auth strategy
|
||||
TACKER_AUTH_STRATEGY=${TACKER_AUTH_STRATEGY:-keystone}
|
||||
TACKER_USE_ROOTWRAP=${TACKER_USE_ROOTWRAP:-True}
|
||||
|
||||
TACKER_RR_CONF_FILE=$TACKER_CONF_DIR/rootwrap.conf
|
||||
if [[ "$TACKER_USE_ROOTWRAP" == "False" ]]; then
|
||||
TACKER_RR_COMMAND="sudo"
|
||||
else
|
||||
TACKER_ROOTWRAP=$(get_rootwrap_location tacker)
|
||||
TACKER_RR_COMMAND="sudo $TACKER_ROOTWRAP $TACKER_RR_CONF_FILE"
|
||||
fi
|
||||
|
||||
TACKER_NOVA_URL=${TACKER_NOVA_URL:-http://127.0.0.1:8774/v2}
|
||||
TACKER_NOVA_CA_CERTIFICATES_FILE=${TACKER_NOVA_CA_CERTIFICATES_FILE:-}
|
||||
@@ -272,48 +263,11 @@ function configure_tacker {
|
||||
if [[ "${USE_BARBICAN}" == "True" ]]; then
|
||||
iniset $TACKER_CONF vim_keys use_barbican True
|
||||
fi
|
||||
_tacker_setup_rootwrap
|
||||
}
|
||||
|
||||
# Utility Functions
|
||||
#------------------
|
||||
|
||||
# _tacker_deploy_rootwrap_filters() - deploy rootwrap filters to $TACKER_CONF_ROOTWRAP_D (owned by root).
|
||||
function _tacker_deploy_rootwrap_filters {
|
||||
local srcdir=$1
|
||||
sudo install -d -o root -m 755 $TACKER_CONF_ROOTWRAP_D
|
||||
sudo install -o root -m 644 $srcdir/etc/tacker/rootwrap.d/* $TACKER_CONF_ROOTWRAP_D/
|
||||
}
|
||||
|
||||
# _tacker_setup_rootwrap() - configure Tacker's rootwrap
|
||||
function _tacker_setup_rootwrap {
|
||||
if [[ "$TACKER_USE_ROOTWRAP" == "False" ]]; then
|
||||
return
|
||||
fi
|
||||
# Wipe any existing ``rootwrap.d`` files first
|
||||
TACKER_CONF_ROOTWRAP_D=$TACKER_CONF_DIR/rootwrap.d
|
||||
if [[ -d $TACKER_CONF_ROOTWRAP_D ]]; then
|
||||
sudo rm -rf $TACKER_CONF_ROOTWRAP_D
|
||||
fi
|
||||
|
||||
_tacker_deploy_rootwrap_filters $TACKER_DIR
|
||||
|
||||
sudo install -o root -g root -m 644 $TACKER_DIR/etc/tacker/rootwrap.conf $TACKER_RR_CONF_FILE
|
||||
sudo sed -e "s:^filters_path=.*$:filters_path=$TACKER_CONF_ROOTWRAP_D:" -i $TACKER_RR_CONF_FILE
|
||||
# Specify ``rootwrap.conf`` as first parameter to tacker-rootwrap
|
||||
ROOTWRAP_SUDOER_CMD="$TACKER_ROOTWRAP $TACKER_RR_CONF_FILE *"
|
||||
|
||||
# Set up the rootwrap sudoers for tacker
|
||||
TEMPFILE=`mktemp`
|
||||
echo "$STACK_USER ALL=(root) NOPASSWD: $ROOTWRAP_SUDOER_CMD" >$TEMPFILE
|
||||
chmod 0440 $TEMPFILE
|
||||
sudo chown root:root $TEMPFILE
|
||||
sudo mv $TEMPFILE /etc/sudoers.d/tacker-rootwrap
|
||||
|
||||
# Update the root_helper
|
||||
iniset $TACKER_CONF agent root_helper "$TACKER_RR_COMMAND"
|
||||
}
|
||||
|
||||
# Configures keystone integration for tacker service and agents
|
||||
function _tacker_setup_keystone {
|
||||
local conf_file=$1
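Review bot: Dropping `_tacker_setup_rootwrap` stops fresh devstack runs from writing `/etc/sudoers.d/tacker-rootwrap`, `$TACKER_RR_CONF_FILE` and `$TACKER_CONF_DIR/rootwrap.d`, but nothing in this commit removes them on a host that was stacked with the previous version, so the `NOPASSWD` grant for `$STACK_USER` stays in sudoers even though the `tacker-rootwrap` entry point it names no longer ships. I would add a cleanup step to the plugin's clean/unstack path, e.g. `sudo rm -f /etc/sudoers.d/tacker-rootwrap` and `sudo rm -rf $TACKER_CONF_DIR/rootwrap.d $TACKER_CONF_DIR/rootwrap.conf`, so the stale privilege grant and filter files do not linger after an upgrade. The `iniset $TACKER_CONF agent root_helper` line is also dropped; if the `root_helper` option is still registered in tacker's config (not visible in this diff), a release note saying it is now ignored would help operators. `configure_tacker` starts before this hunk and `_tacker_setup_keystone` continues past its end.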
|
||||
@@ -525,4 +479,4 @@ EOF
|
||||
grep coredns | tr -s '\n' ' ')
|
||||
kubectl delete -f $flannel_path
|
||||
kubectl apply -f $flannel_path
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,34 +0,0 @@
|
||||
# Configuration for tacker-rootwrap
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
[DEFAULT]
|
||||
# List of directories to load filter definitions from (separated by ',').
|
||||
# These directories MUST all be only writeable by root !
|
||||
filters_path=/etc/tacker/rootwrap.d,/usr/share/tacker/rootwrap
|
||||
|
||||
# List of directories to search executables in, in case filters do not
|
||||
# explicitely specify a full path (separated by ',')
|
||||
# If not specified, defaults to system PATH environment variable.
|
||||
# These directories MUST all be only writeable by root !
|
||||
exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin
|
||||
|
||||
# Enable logging to syslog
|
||||
# Default value is False
|
||||
use_syslog=False
|
||||
|
||||
# Which syslog facility to use.
|
||||
# Valid values include auth, authpriv, syslog, local0, local1...
|
||||
# Default value is 'syslog'
|
||||
syslog_log_facility=syslog
|
||||
|
||||
# Which messages to log.
|
||||
# INFO means log all usage
|
||||
# ERROR means only log unsuccessful attempts
|
||||
syslog_log_level=ERROR
|
||||
|
||||
[xenapi]
|
||||
# XenAPI configuration is only required by the L2 agent if it is to
|
||||
# target a XenServer/XCP compute host's dom0.
|
||||
xenapi_connection_url=<None>
|
||||
xenapi_connection_username=root
|
||||
xenapi_connection_password=<None>
|
||||
@@ -1,14 +0,0 @@
|
||||
# tacker-rootwrap command filters for nodes on which tacker is
|
||||
# expected to control network
|
||||
#
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
# format seems to be
|
||||
# cmd-name: filter-name, raw-command, user, args
|
||||
|
||||
[Filters]
|
||||
privsep-rootwrap-sys_admin: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, tacker.privileged.default, --privsep_sock_path, /tmp/.*
|
||||
|
||||
# This definition is for test purpose. It's used in
|
||||
# 'tacker.tests.unit.test_rootwrap_exec.RootwrapTestExec.test_rootwrap'
|
||||
pwd: CommandFilter, pwd, root
|
||||
@@ -28,9 +28,7 @@ oslo.log>=3.36.0 # Apache-2.0
|
||||
oslo.messaging>=14.2.0 # Apache-2.0
|
||||
oslo.middleware>=3.31.0 # Apache-2.0
|
||||
oslo.policy>=4.5.0 # Apache-2.0
|
||||
oslo.privsep>=2.4.0 # Apache-2.0
|
||||
oslo.reports>=1.18.0 # Apache-2.0
|
||||
oslo.rootwrap>=5.8.0 # Apache-2.0
|
||||
oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0
|
||||
oslo.service>=2.5.0 # Apache-2.0
|
||||
oslo.upgradecheck>=1.3.0 # Apache-2.0
|
||||
|
||||
@@ -26,10 +26,7 @@ packages =
|
||||
data_files =
|
||||
etc/tacker =
|
||||
etc/tacker/api-paste.ini
|
||||
etc/tacker/rootwrap.conf
|
||||
etc/tacker/prometheus-plugin.yaml
|
||||
etc/rootwrap.d =
|
||||
etc/tacker/rootwrap.d/tacker.filters
|
||||
etc/init.d = etc/init.d/tacker-server
|
||||
etc/systemd/system =
|
||||
etc/systemd/system/tacker.service
|
||||
@@ -44,7 +41,6 @@ console_scripts =
|
||||
tacker-db-manage = tacker.db.migration.cli:main
|
||||
tacker-server = tacker.cmd.eventlet.tacker_server:main
|
||||
tacker-conductor = tacker.cmd.eventlet.conductor:main
|
||||
tacker-rootwrap = oslo_rootwrap.cmd:main
|
||||
tacker-status = tacker.cmd.status:main
|
||||
tacker.service_plugins =
|
||||
dummy = tacker.tests.unit.dummy_plugin:DummyServicePlugin
|
||||
|
||||
@@ -1,31 +0,0 @@
|
||||
# Copyright (C) 2022 Nippon Telegraph and Telephone Corporation
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
"""Setup privsep decorator."""
|
||||
|
||||
from oslo_privsep import capabilities as caps
|
||||
from oslo_privsep import priv_context
|
||||
|
||||
default = priv_context.PrivContext(
|
||||
__name__,
|
||||
cfg_section='privsep',
|
||||
pypath=__name__ + '.default',
|
||||
capabilities=[caps.CAP_SYS_ADMIN,
|
||||
caps.CAP_NET_ADMIN,
|
||||
caps.CAP_DAC_OVERRIDE,
|
||||
caps.CAP_DAC_READ_SEARCH,
|
||||
caps.CAP_SYS_PTRACE],
|
||||
)
|
||||
@@ -1,33 +0,0 @@
|
||||
# Copyright (C) 2022 Nippon Telegraph and Telephone Corporation
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
"""Basic Linux commands intented to be used in unittests"""
|
||||
|
||||
from oslo_concurrency import processutils
|
||||
|
||||
import tacker.privileged
|
||||
|
||||
|
||||
@tacker.privileged.default.entrypoint
|
||||
def pwd():
|
||||
pwd = processutils.execute('pwd')
|
||||
return pwd
|
||||
|
||||
|
||||
@tacker.privileged.default.entrypoint
|
||||
def ls():
|
||||
ls = processutils.execute('ls')
|
||||
return ls
|
||||
@@ -1,88 +0,0 @@
|
||||
# Copyright (c) 2012 OpenStack Foundation
|
||||
# Copyright (C) 2022 Nippon Telegraph and Telephone Corporation
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
import getpass
|
||||
import os
|
||||
from oslo_log import log as logging
|
||||
import unittest
|
||||
|
||||
from tacker.agent.linux import utils
|
||||
import tacker.privileged.linux_cmd
|
||||
from tacker.tests import base
|
||||
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
|
||||
# Use env 'PWD' to check if tests are run on zuul because we cannot run the
|
||||
# tests require root privileges. Skip them on zuul, but still run on
|
||||
# localhost to test privsep features.
|
||||
_PWD = os.environ['PWD']
|
||||
_PWD_ZUUL = "/home/zuul/src/opendev.org/openstack/tacker"
|
||||
|
||||
|
||||
class PrivsepTest(base.BaseTestCase):
|
||||
"""Simple unit test to test the basic privsep mechanism
|
||||
|
||||
Essentially hello-world. Just run a command as root and check that
|
||||
it actually *did* run as root.
|
||||
"""
|
||||
|
||||
def setUp(self):
|
||||
super(PrivsepTest, self).setUp()
|
||||
|
||||
@unittest.skipIf(_PWD == _PWD_ZUUL or getpass.getuser() != 'stack',
|
||||
"Failed on zuul or non-devstack env for root privilege")
|
||||
def test_privsep_ls(self):
|
||||
"""Run ls with root privilege
|
||||
|
||||
This ls command is expected to be run on `/`.
|
||||
"""
|
||||
|
||||
ls = tacker.privileged.linux_cmd.ls()
|
||||
# The result is a series of dirs on '/' and separated with '\n' like
|
||||
# as 'bin\nboot\ndev\netc\n...'.
|
||||
res = ls[0].split('\n')
|
||||
|
||||
# 'boot' dir must be under '/'.
|
||||
self.assertIn('boot', res)
|
||||
|
||||
@unittest.skipIf(_PWD == _PWD_ZUUL or getpass.getuser() != 'stack',
|
||||
"Failed on zuul or non-devstack env for root privilege")
|
||||
def test_privsep_pwd(self):
|
||||
"""Run pwd with root privilege
|
||||
|
||||
This ls command is expected to be run on `/`.
|
||||
"""
|
||||
res = tacker.privileged.linux_cmd.pwd()[0]
|
||||
self.assertEqual('/\n', res)
|
||||
|
||||
@unittest.skipIf(_PWD == _PWD_ZUUL or getpass.getuser() != 'stack',
|
||||
"Failed on zuul or non-devstack env for root privilege")
|
||||
def test_rootwrap(self):
|
||||
"""Confirm a command can be run with tacker-rootwrap
|
||||
|
||||
pwd is used as a harmless command in this test and defined in
|
||||
'/etc/tacker/rootwrap.d/tacker.filters' as a CommandFilter.
|
||||
"""
|
||||
|
||||
root_helper = ["sudo", "tacker-rootwrap",
|
||||
"/etc/tacker/rootwrap.conf"]
|
||||
cmd = "pwd"
|
||||
|
||||
actual = utils.execute(root_helper + [cmd])
|
||||
expected = utils.execute([cmd])
|
||||
|
||||
self.assertEqual(expected, actual)
|
||||