diff --git a/devstack/lib/tacker b/devstack/lib/tacker
index abe04a108..591757dba 100644
--- a/devstack/lib/tacker
+++ b/devstack/lib/tacker
@@ -67,15 +67,6 @@ TACKER_PROTOCOL=${TACKER_PROTOCOL:-$SERVICE_PROTOCOL}
 TACKER_ADMIN_USERNAME=${TACKER_ADMIN_USERNAME:-tacker}
 # Default auth strategy
 TACKER_AUTH_STRATEGY=${TACKER_AUTH_STRATEGY:-keystone}
-TACKER_USE_ROOTWRAP=${TACKER_USE_ROOTWRAP:-True}
-
-TACKER_RR_CONF_FILE=$TACKER_CONF_DIR/rootwrap.conf
-if [[ "$TACKER_USE_ROOTWRAP" == "False" ]]; then
- TACKER_RR_COMMAND="sudo"
-else
- TACKER_ROOTWRAP=$(get_rootwrap_location tacker)
- TACKER_RR_COMMAND="sudo $TACKER_ROOTWRAP $TACKER_RR_CONF_FILE"
-fi
 TACKER_NOVA_URL=${TACKER_NOVA_URL:-http://127.0.0.1:8774/v2}
 TACKER_NOVA_CA_CERTIFICATES_FILE=${TACKER_NOVA_CA_CERTIFICATES_FILE:-}
@@ -272,48 +263,11 @@ function configure_tacker {
 if [[ "${USE_BARBICAN}" == "True" ]]; then
 iniset $TACKER_CONF vim_keys use_barbican True
 fi
- _tacker_setup_rootwrap
 }
 # Utility Functions
 #------------------
-# _tacker_deploy_rootwrap_filters() - deploy rootwrap filters to $TACKER_CONF_ROOTWRAP_D (owned by root).
-function _tacker_deploy_rootwrap_filters {
- local srcdir=$1
- sudo install -d -o root -m 755 $TACKER_CONF_ROOTWRAP_D
- sudo install -o root -m 644 $srcdir/etc/tacker/rootwrap.d/* $TACKER_CONF_ROOTWRAP_D/
-}
-
-# _tacker_setup_rootwrap() - configure Tacker's rootwrap
-function _tacker_setup_rootwrap {
- if [[ "$TACKER_USE_ROOTWRAP" == "False" ]]; then
- return
- fi
- # Wipe any existing ``rootwrap.d`` files first
- TACKER_CONF_ROOTWRAP_D=$TACKER_CONF_DIR/rootwrap.d
- if [[ -d $TACKER_CONF_ROOTWRAP_D ]]; then
- sudo rm -rf $TACKER_CONF_ROOTWRAP_D
- fi
-
- _tacker_deploy_rootwrap_filters $TACKER_DIR
-
- sudo install -o root -g root -m 644 $TACKER_DIR/etc/tacker/rootwrap.conf $TACKER_RR_CONF_FILE
- sudo sed -e "s:^filters_path=.*$:filters_path=$TACKER_CONF_ROOTWRAP_D:" -i $TACKER_RR_CONF_FILE
- # Specify ``rootwrap.conf`` as first parameter to tacker-rootwrap
- ROOTWRAP_SUDOER_CMD="$TACKER_ROOTWRAP $TACKER_RR_CONF_FILE *"
-
- # Set up the rootwrap sudoers for tacker
- TEMPFILE=`mktemp`
- echo "$STACK_USER ALL=(root) NOPASSWD: $ROOTWRAP_SUDOER_CMD" >$TEMPFILE
- chmod 0440 $TEMPFILE
- sudo chown root:root $TEMPFILE
- sudo mv $TEMPFILE /etc/sudoers.d/tacker-rootwrap
-
- # Update the root_helper
- iniset $TACKER_CONF agent root_helper "$TACKER_RR_COMMAND"
-}
-
 # Configures keystone integration for tacker service and agents
 function _tacker_setup_keystone {
 local conf_file=$1
@@ -525,4 +479,4 @@ EOF
 grep coredns | tr -s '\n' ' ')
 kubectl delete -f $flannel_path
 kubectl apply -f $flannel_path
-}
\ No newline at end of file
+}
diff --git a/etc/tacker/rootwrap.conf b/etc/tacker/rootwrap.conf
deleted file mode 100644
index 9c51bd47a..000000000
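Review bot: Dropping `_tacker_setup_rootwrap` from configure_tacker stops devstack from writing `/etc/sudoers.d/tacker-rootwrap`, but nothing in this hunk removes that file on a host that was stacked with an earlier version, so the `NOPASSWD` rule for `$STACK_USER` outlives the upgrade even though the `tacker-rootwrap` console script it names is removed from setup.cfg in this same commit. A leftover sudoers grant for a binary the project no longer ships is exactly the kind of stale privilege a restack should retire rather than leave for the operator to notice. The tacker teardown function is outside this hunk; if one exists, adding `sudo rm -f /etc/sudoers.d/tacker-rootwrap` there (and `sudo rm -rf $TACKER_CONF_DIR/rootwrap.d` beside it) would clean both artifacts on the next unstack. The `[agent] root_helper` value previously written by `iniset` likewise persists in an existing tacker.conf, so it is worth confirming the option is no longer registered or read anywhere.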
--- a/etc/tacker/rootwrap.conf
+++ /dev/null
@@ -1,34 +0,0 @@
-# Configuration for tacker-rootwrap
-# This file should be owned by (and only-writeable by) the root user
-
-[DEFAULT]
-# List of directories to load filter definitions from (separated by ',').
-# These directories MUST all be only writeable by root !
-filters_path=/etc/tacker/rootwrap.d,/usr/share/tacker/rootwrap
-
-# List of directories to search executables in, in case filters do not
-# explicitely specify a full path (separated by ',')
-# If not specified, defaults to system PATH environment variable.
-# These directories MUST all be only writeable by root !
-exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin
-
-# Enable logging to syslog
-# Default value is False
-use_syslog=False
-
-# Which syslog facility to use.
-# Valid values include auth, authpriv, syslog, local0, local1...
-# Default value is 'syslog'
-syslog_log_facility=syslog
-
-# Which messages to log.
-# INFO means log all usage
-# ERROR means only log unsuccessful attempts
-syslog_log_level=ERROR
-
-[xenapi]
-# XenAPI configuration is only required by the L2 agent if it is to
-# target a XenServer/XCP compute host's dom0.
-xenapi_connection_url=
-xenapi_connection_username=root
-xenapi_connection_password=
diff --git a/etc/tacker/rootwrap.d/tacker.filters b/etc/tacker/rootwrap.d/tacker.filters
deleted file mode 100644
index 4e0a680c5..000000000
--- a/etc/tacker/rootwrap.d/tacker.filters
+++ /dev/null
@@ -1,14 +0,0 @@
-# tacker-rootwrap command filters for nodes on which tacker is
-# expected to control network
-#
-# This file should be owned by (and only-writeable by) the root user
-
-# format seems to be
-# cmd-name: filter-name, raw-command, user, args
-
-[Filters]
-privsep-rootwrap-sys_admin: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, tacker.privileged.default, --privsep_sock_path, /tmp/.*
-
-# This definition is for test purpose. It's used in
-# 'tacker.tests.unit.test_rootwrap_exec.RootwrapTestExec.test_rootwrap'
-pwd: CommandFilter, pwd, root
diff --git a/requirements.txt b/requirements.txt
index cd373d490..7fe4001da 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -28,9 +28,7 @@ oslo.log>=3.36.0 # Apache-2.0
 oslo.messaging>=14.2.0 # Apache-2.0
 oslo.middleware>=3.31.0 # Apache-2.0
 oslo.policy>=4.5.0 # Apache-2.0
-oslo.privsep>=2.4.0 # Apache-2.0
 oslo.reports>=1.18.0 # Apache-2.0
-oslo.rootwrap>=5.8.0 # Apache-2.0
 oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0
 oslo.service>=2.5.0 # Apache-2.0
 oslo.upgradecheck>=1.3.0 # Apache-2.0
diff --git a/setup.cfg b/setup.cfg
index e0b848c62..e59a922e4 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -26,10 +26,7 @@ packages =
 data_files =
 etc/tacker =
 etc/tacker/api-paste.ini
- etc/tacker/rootwrap.conf
 etc/tacker/prometheus-plugin.yaml
- etc/rootwrap.d =
- etc/tacker/rootwrap.d/tacker.filters
 etc/init.d = etc/init.d/tacker-server
 etc/systemd/system =
 etc/systemd/system/tacker.service
@@ -44,7 +41,6 @@ console_scripts =
 tacker-db-manage = tacker.db.migration.cli:main
 tacker-server = tacker.cmd.eventlet.tacker_server:main
 tacker-conductor = tacker.cmd.eventlet.conductor:main
- tacker-rootwrap = oslo_rootwrap.cmd:main
 tacker-status = tacker.cmd.status:main
 tacker.service_plugins =
 dummy = tacker.tests.unit.dummy_plugin:DummyServicePlugin
diff --git a/tacker/privileged/__init__.py b/tacker/privileged/__init__.py
deleted file mode 100644
index db3958554..000000000
--- a/tacker/privileged/__init__.py
+++ /dev/null
@@ -1,31 +0,0 @@
-# Copyright (C) 2022 Nippon Telegraph and Telephone Corporation
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-
-"""Setup privsep decorator."""
-
-from oslo_privsep import capabilities as caps
-from oslo_privsep import priv_context
-
-default = priv_context.PrivContext(
- __name__,
- cfg_section='privsep',
- pypath=__name__ + '.default',
- capabilities=[caps.CAP_SYS_ADMIN,
- caps.CAP_NET_ADMIN,
- caps.CAP_DAC_OVERRIDE,
- caps.CAP_DAC_READ_SEARCH,
- caps.CAP_SYS_PTRACE],
-)
diff --git a/tacker/privileged/linux_cmd.py b/tacker/privileged/linux_cmd.py
deleted file mode 100644
index 141b5b2da..000000000
--- a/tacker/privileged/linux_cmd.py
+++ /dev/null
@@ -1,33 +0,0 @@
-# Copyright (C) 2022 Nippon Telegraph and Telephone Corporation
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-
-"""Basic Linux commands intented to be used in unittests"""
-
-from oslo_concurrency import processutils
-
-import tacker.privileged
-
- @tacker.privileged.default.entrypoint
-def pwd():
- pwd = processutils.execute('pwd')
- return pwd
-
-
-@tacker.privileged.default.entrypoint
-def ls():
- ls = processutils.execute('ls')
- return ls
diff --git a/tacker/tests/unit/test_privsep.py b/tacker/tests/unit/test_privsep.py
deleted file mode 100644
index 4182cb954..000000000
--- a/tacker/tests/unit/test_privsep.py
+++ /dev/null
@@ -1,88 +0,0 @@
-# Copyright (c) 2012 OpenStack Foundation
-# Copyright (C) 2022 Nippon Telegraph and Telephone Corporation
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-import getpass
-import os
-from oslo_log import log as logging
-import unittest
-
-from tacker.agent.linux import utils
-import tacker.privileged.linux_cmd
-from tacker.tests import base
-
-
-LOG = logging.getLogger(__name__)
-
-# Use env 'PWD' to check if tests are run on zuul because we cannot run the
-# tests require root privileges. Skip them on zuul, but still run on
-# localhost to test privsep features.
-_PWD = os.environ['PWD']
-_PWD_ZUUL = "/home/zuul/src/opendev.org/openstack/tacker"
-
-
-class PrivsepTest(base.BaseTestCase):
- """Simple unit test to test the basic privsep mechanism
-
- Essentially hello-world. Just run a command as root and check that
- it actually *did* run as root.
- """
-
- def setUp(self):
- super(PrivsepTest, self).setUp()
-
- @unittest.skipIf(_PWD == _PWD_ZUUL or getpass.getuser() != 'stack',
- "Failed on zuul or non-devstack env for root privilege")
- def test_privsep_ls(self):
- """Run ls with root privilege
-
- This ls command is expected to be run on `/`.
- """
-
- ls = tacker.privileged.linux_cmd.ls()
- # The result is a series of dirs on '/' and separated with '\n' like
- # as 'bin\nboot\ndev\netc\n...'.
- res = ls[0].split('\n')
-
- # 'boot' dir must be under '/'.
- self.assertIn('boot', res)
-
- @unittest.skipIf(_PWD == _PWD_ZUUL or getpass.getuser() != 'stack',
- "Failed on zuul or non-devstack env for root privilege")
- def test_privsep_pwd(self):
- """Run pwd with root privilege
-
- This ls command is expected to be run on `/`.
- """
- res = tacker.privileged.linux_cmd.pwd()[0]
- self.assertEqual('/\n', res)
-
- @unittest.skipIf(_PWD == _PWD_ZUUL or getpass.getuser() != 'stack',
- "Failed on zuul or non-devstack env for root privilege")
- def test_rootwrap(self):
- """Confirm a command can be run with tacker-rootwrap
-
- pwd is used as a harmless command in this test and defined in
- '/etc/tacker/rootwrap.d/tacker.filters' as a CommandFilter.
- """
-
- root_helper = ["sudo", "tacker-rootwrap",
- "/etc/tacker/rootwrap.conf"]
- cmd = "pwd"
-
- actual = utils.execute(root_helper + [cmd])
- expected = utils.execute([cmd])
-
- self.assertEqual(expected, actual)