From ae5fa916f7ea0d4f3215738327eb05819bcb5bae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?=
Date: Mon, 3 Oct 2022 13:31:59 +0200
Subject: [PATCH] Enable CAP_AUDIT_WRITE for some containers/steps

Usually, db_sync involves call to "sudo". Such call are now logging a warning/error in the host log due to a recently removed capability in podman, the CAP_AUDIT_WRITE. This capability allows containers to write in the audit log whenever there's a security related thing. Sudo isn't the only one needing this access - sshd also writes in the audit. Since the nova-migration-target runs sshd, enabling the capability in there will ensure we're keeping clean track of the accesses.

Change-Id: I8972b16254b141e7102ea87cb6c0d489d8426751
Closes-Bug: #1991219
---
 deployment/aodh/aodh-api-container-puppet.yaml | 2 ++
 deployment/barbican/barbican-api-container-puppet.yaml | 2 ++
 deployment/cinder/cinder-api-container-puppet.yaml | 2 ++
 deployment/designate/designate-central-container-puppet.yaml | 2 ++
 deployment/glance/glance-api-container-puppet.yaml | 2 ++
 deployment/gnocchi/gnocchi-api-container-puppet.yaml | 2 ++
 deployment/heat/heat-engine-container-puppet.yaml | 2 ++
 deployment/ironic/ironic-api-container-puppet.yaml | 2 ++
 deployment/ironic/ironic-inspector-container-puppet.yaml | 2 ++
 deployment/manila/manila-api-container-puppet.yaml | 2 ++
 deployment/neutron/neutron-api-container-puppet.yaml | 2 ++
 deployment/nova/nova-api-container-puppet.yaml | 2 ++
 deployment/nova/nova-conductor-container-puppet.yaml | 2 ++
 deployment/nova/nova-migration-target-container-puppet.yaml | 2 ++
 deployment/octavia/octavia-api-container-puppet.yaml | 2 ++
 deployment/placement/placement-api-container-puppet.yaml | 2 ++
 16 files changed, 32 insertions(+)

diff --git a/deployment/aodh/aodh-api-container-puppet.yaml b/deployment/aodh/aodh-api-container-puppet.yaml
index ab0d547f54..341ddcd1af 100644
--- a/deployment/aodh/aodh-api-container-puppet.yaml
+++ b/deployment/aodh/aodh-api-container-puppet.yaml
@@ -301,6 +301,8 @@ outputs:
 step_3:
 aodh_db_sync:
 image: *aodh_api_image
+ cap_add:
+ - AUDIT_WRITE
 net: host
 privileged: false
 detach: false
diff --git a/deployment/barbican/barbican-api-container-puppet.yaml b/deployment/barbican/barbican-api-container-puppet.yaml
index 939bb4b8bc..1275359d06 100644
--- a/deployment/barbican/barbican-api-container-puppet.yaml
+++ b/deployment/barbican/barbican-api-container-puppet.yaml
@@ -686,6 +686,8 @@ outputs:
 - barbican_api_db_sync:
 start_order: 3
 image: *barbican_api_image
+ cap_add:
+ - AUDIT_WRITE
 net: host
 detach: false
 user: root
diff --git a/deployment/cinder/cinder-api-container-puppet.yaml b/deployment/cinder/cinder-api-container-puppet.yaml
index 496d9ba722..9cd3fe8030 100644
--- a/deployment/cinder/cinder-api-container-puppet.yaml
+++ b/deployment/cinder/cinder-api-container-puppet.yaml
@@ -325,6 +325,8 @@ outputs:
 step_3:
 cinder_api_db_sync:
 image: *cinder_api_image
+ cap_add:
+ - AUDIT_WRITE
 net: host
 privileged: false
 detach: false
diff --git a/deployment/designate/designate-central-container-puppet.yaml b/deployment/designate/designate-central-container-puppet.yaml
index 1a85c001c1..d3cac734ad 100644
--- a/deployment/designate/designate-central-container-puppet.yaml
+++ b/deployment/designate/designate-central-container-puppet.yaml
@@ -251,6 +251,8 @@ outputs:
 step_3:
 designate_db_sync:
 image: *designate_central_image
+ cap_add:
+ - AUDIT_WRITE
 net: host
 privileged: false
 detach: false
diff --git a/deployment/glance/glance-api-container-puppet.yaml b/deployment/glance/glance-api-container-puppet.yaml
index 02cc49671f..0fa39eb8cb 100644
--- a/deployment/glance/glance-api-container-puppet.yaml
+++ b/deployment/glance/glance-api-container-puppet.yaml
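Review bot: The new `cap_add` entry carries no comment saying why a one-shot db_sync container now needs CAP_AUDIT_WRITE, and the same undocumented addition is repeated in the barbican, cinder, designate, glance, gnocchi, heat, ironic-api, ironic-inspector, manila, neutron, nova-api, nova-conductor, octavia and placement hunks. The reason lives only in the commit message (sudo inside db_sync emits audit records and podman no longer grants the capability by default), which a later reader of the template will not see, so a comment on the key such as `cap_add:  # AUDIT_WRITE: sudo in db_sync writes to the host audit log; podman no longer grants it by default (bug 1991219)` would let a future capability review decide whether it can be dropped again. Since AUDIT_WRITE lets the container append records to the host's audit trail, keeping the grant limited to these short-lived sync steps rather than the long-running service containers is the right boundary and is worth stating next to the key. The aodh_db_sync mapping continues past the end of the hunk.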
@@ -740,6 +740,8 @@ outputs:
 step_3:
 glance_api_db_sync:
 image: &glance_api_image {get_attr: [RoleParametersValue, value, ContainerGlanceApiImage]}
+ cap_add:
+ - AUDIT_WRITE
 net: host
 privileged: false
 detach: false
diff --git a/deployment/gnocchi/gnocchi-api-container-puppet.yaml b/deployment/gnocchi/gnocchi-api-container-puppet.yaml
index 203e19c58b..86dfb67d0a 100644
--- a/deployment/gnocchi/gnocchi-api-container-puppet.yaml
+++ b/deployment/gnocchi/gnocchi-api-container-puppet.yaml
@@ -367,6 +367,8 @@ outputs:
 gnocchi_db_sync:
 start_order: 0
 image: *gnocchi_api_image
+ cap_add:
+ - AUDIT_WRITE
 net: host
 detach: false
 privileged: false
diff --git a/deployment/heat/heat-engine-container-puppet.yaml b/deployment/heat/heat-engine-container-puppet.yaml
index 6a1bb3599e..59a61af0bb 100644
--- a/deployment/heat/heat-engine-container-puppet.yaml
+++ b/deployment/heat/heat-engine-container-puppet.yaml
@@ -259,6 +259,8 @@ outputs:
 step_3:
 heat_engine_db_sync:
 image: &heat_engine_image {get_attr: [RoleParametersValue, value, ContainerHeatEngineImage]}
+ cap_add:
+ - AUDIT_WRITE
 net: host
 privileged: false
 detach: false
diff --git a/deployment/ironic/ironic-api-container-puppet.yaml b/deployment/ironic/ironic-api-container-puppet.yaml
index b7d2c1f931..39c5a73b96 100644
--- a/deployment/ironic/ironic-api-container-puppet.yaml
+++ b/deployment/ironic/ironic-api-container-puppet.yaml
@@ -300,6 +300,8 @@ outputs:
 ironic_db_sync:
 start_order: 1
 image: *ironic_api_image
+ cap_add:
+ - AUDIT_WRITE
 net: host
 privileged: false
 detach: false
diff --git a/deployment/ironic/ironic-inspector-container-puppet.yaml b/deployment/ironic/ironic-inspector-container-puppet.yaml
index 9872d22dc2..056782c1ef 100644
--- a/deployment/ironic/ironic-inspector-container-puppet.yaml
+++ b/deployment/ironic/ironic-inspector-container-puppet.yaml
@@ -487,6 +487,8 @@ outputs:
 ironic_inspector_db_sync:
 start_order: 2
 image: *ironic_inspector_image
+ cap_add:
+ - AUDIT_WRITE
 net: host
 user: root
 privileged: false
diff --git a/deployment/manila/manila-api-container-puppet.yaml b/deployment/manila/manila-api-container-puppet.yaml
index 2152447418..621d312d1b 100644
--- a/deployment/manila/manila-api-container-puppet.yaml
+++ b/deployment/manila/manila-api-container-puppet.yaml
@@ -322,6 +322,8 @@ outputs:
 manila_api_db_sync:
 user: root
 image: *manila_api_image
+ cap_add:
+ - AUDIT_WRITE
 net: host
 detach: false
 volumes:
diff --git a/deployment/neutron/neutron-api-container-puppet.yaml b/deployment/neutron/neutron-api-container-puppet.yaml
index 0a5ec9dc42..4fa76217a2 100644
--- a/deployment/neutron/neutron-api-container-puppet.yaml
+++ b/deployment/neutron/neutron-api-container-puppet.yaml
@@ -534,6 +534,8 @@ outputs:
 step_3:
 neutron_db_sync:
 image: &neutron_api_image {get_attr: [RoleParametersValue, value, ContainerNeutronApiImage]}
+ cap_add:
+ - AUDIT_WRITE
 net: host
 privileged: false
 detach: false
diff --git a/deployment/nova/nova-api-container-puppet.yaml b/deployment/nova/nova-api-container-puppet.yaml
index b01018482a..b8f0d48a99 100644
--- a/deployment/nova/nova-api-container-puppet.yaml
+++ b/deployment/nova/nova-api-container-puppet.yaml
@@ -585,6 +585,8 @@ outputs:
 nova_api_db_sync:
 start_order: 0 # Runs before nova-conductor dbsync
 image: &nova_api_image {get_attr: [RoleParametersValue, value, ContainerNovaApiImage]}
+ cap_add:
+ - AUDIT_WRITE
 net: host
 detach: false
 user: root
diff --git a/deployment/nova/nova-conductor-container-puppet.yaml b/deployment/nova/nova-conductor-container-puppet.yaml
index a2c0fa7e78..ab38b6b66e 100644
--- a/deployment/nova/nova-conductor-container-puppet.yaml
+++ b/deployment/nova/nova-conductor-container-puppet.yaml
@@ -189,6 +189,8 @@ outputs:
 step_3:
 nova_db_sync:
 image: &nova_conductor_image {get_attr: [RoleParametersValue, value, ContainerNovaConductorImage]}
+ cap_add:
+ - AUDIT_WRITE
 start_order: 3 # Runs after nova-api tasks if installed on this host
 net: host
 detach: false
diff --git a/deployment/nova/nova-migration-target-container-puppet.yaml b/deployment/nova/nova-migration-target-container-puppet.yaml
index 4ce60460d9..b2e11a9a2e 100644
--- a/deployment/nova/nova-migration-target-container-puppet.yaml
+++ b/deployment/nova/nova-migration-target-container-puppet.yaml
@@ -193,6 +193,8 @@ outputs:
 step_4:
 nova_migration_target:
 image: {get_attr: [RoleParametersValue, value, ContainerNovaComputeImage]}
+ cap_add:
+ - AUDIT_WRITE
 net: host
 privileged: true
 user: root
diff --git a/deployment/octavia/octavia-api-container-puppet.yaml b/deployment/octavia/octavia-api-container-puppet.yaml
index 7a438734a2..95fb9e1a40 100644
--- a/deployment/octavia/octavia-api-container-puppet.yaml
+++ b/deployment/octavia/octavia-api-container-puppet.yaml
@@ -383,6 +383,8 @@ outputs:
 octavia_db_sync:
 start_order: 0
 image: *octavia_api_image
+ cap_add:
+ - AUDIT_WRITE
 net: host
 privileged: false
 detach: false
diff --git a/deployment/placement/placement-api-container-puppet.yaml b/deployment/placement/placement-api-container-puppet.yaml
index b82d772efc..993f733100 100644
--- a/deployment/placement/placement-api-container-puppet.yaml
+++ b/deployment/placement/placement-api-container-puppet.yaml
@@ -294,6 +294,8 @@ outputs:
 placement_api_db_sync:
 start_order: 1
 image: &placement_api_image {get_attr: [RoleParametersValue, value, ContainerPlacementImage]}
+ cap_add:
+ - AUDIT_WRITE
 net: host
 detach: false
 user: root
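Review bot: In the nova-migration-target hunk the container already has `privileged: true` two lines below the added `cap_add`, so the AUDIT_WRITE grant is presumably already part of the capability set podman hands a privileged container and the new lines would be a no-op there; worth confirming against the podman version this targets. If the intent is to make the requirement explicit so sshd's audit records keep flowing should `privileged` ever be tightened, say so on the key, e.g. `cap_add:  # AUDIT_WRITE: sshd logs sessions to the audit log; kept explicit in case privileged is ever removed`. Unlike the db_sync steps this container is long-lived and on the host network, so it is the one place in the series where the capability boundary actually matters for the audit trail. The nova_migration_target mapping continues beyond the end of the hunk.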