Service parameter config for auditd grub parameter
This commit implements enabling/disabling the auditd kernel grub parameter through the service parameter mechanism. The new "audit" parameter, with full name "platform::compute::grub::params::d_audit", is stored as a system-wide service parameter and is applied to certain personalities. Only System Controllers and Worker hosts are allowed to have the "audit" kernel parameter enabled. Story: 2008849 Task: 43364 Depends-On: https://review.opendev.org/c/starlingx/stx-puppet/+/810018 Change-Id: I574616b32e70862261c3dc5acfee73d57c06c7df Signed-off-by: Carmen Rata <carmen.rata@windriver.com>
parent
23406f3a07
commit
f2ec1e3370
@ -1195,6 +1195,13 @@ SERVICE_PARAM_NAME_ENDPOINT_DOMAIN = "endpoint_domain"
|
|||
SERVICE_PARAM_SECTION_COLLECTD = 'collectd'
|
||||
SERVICE_PARAM_COLLECTD_NETWORK_SERVERS = 'network_servers'
|
||||
|
||||
# platform kernel parameter auditd
|
||||
# enables and disables auditd
|
||||
SERVICE_PARAM_SECTION_PLATFORM_KERNEL = 'kernel'
|
||||
SERVICE_PARAM_NAME_PLATFORM_AUDITD = 'audit'
|
||||
SERVICE_PARAM_PLATFORM_AUDITD_DISABLED = '0'
|
||||
SERVICE_PARAM_PLATFORM_AUDITD_ENABLED = '1'
|
||||
|
||||
# TIS part number, CPE = combined load, STD = standard load
|
||||
TIS_STD_BUILD = 'Standard'
|
||||
TIS_AIO_BUILD = 'All-in-one'
|
||||
|
|
|
@ -396,6 +396,21 @@ def _validate_pod_max_pids(name, value):
|
|||
constants.SERVICE_PARAM_KUBERNETES_POD_MAX_PIDS_MAX)
|
||||
|
||||
|
||||
def _validate_kernel_audit(name, value):
|
||||
"""Check if specified value is supported"""
|
||||
try:
|
||||
if str(value) in [constants.SERVICE_PARAM_PLATFORM_AUDITD_DISABLED,
|
||||
constants.SERVICE_PARAM_PLATFORM_AUDITD_ENABLED]:
|
||||
return
|
||||
except ValueError:
|
||||
pass
|
||||
|
||||
raise wsme.exc.ClientSideError(_(
|
||||
"Parameter '%s' value must be either '%s' or '%s'" %
|
||||
(name, constants.SERVICE_PARAM_PLATFORM_AUDITD_DISABLED,
|
||||
constants.SERVICE_PARAM_PLATFORM_AUDITD_ENABLED)))
|
||||
|
||||
|
||||
PLATFORM_CONFIG_PARAMETER_OPTIONAL = [
|
||||
constants.SERVICE_PARAM_NAME_PLAT_CONFIG_VIRTUAL,
|
||||
]
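Review bot: The `try`/`except ValueError: pass` around the membership test in `_validate_kernel_audit` is dead code: `str(value)` and an `in` check against a list of string constants cannot raise ValueError, so the body reduces to `if str(value) in [constants.SERVICE_PARAM_PLATFORM_AUDITD_DISABLED, constants.SERVICE_PARAM_PLATFORM_AUDITD_ENABLED]: return` followed by the existing raise. Keep the exact string match against `'0'`/`'1'` rather than anything looser (truthiness, `int()` parsing), because this value is handed to the grub Puppet resource and the allow-list is what keeps an operator-supplied string from becoming arbitrary kernel command-line text; a comment on the check would make that intent survive future edits: `# exact allow-list: this value ends up on the kernel command line`. The message is also formatted before translation (`_("..." % ...)`); if the rest of the file uses `_("...") % (...)`, match it so the catalog lookup sees the untranslated template.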
|
||||
|
@ -524,6 +539,19 @@ PLATFORM_MTCE_PARAMETER_RESOURCE = {
|
|||
constants.SERVICE_PARAM_PLAT_MTCE_MNFA_TIMEOUT: 'platform::mtce::params::mnfa_timeout',
|
||||
}
|
||||
|
||||
PLATFORM_KERNEL_PARAMETER_OPTIONAL = [
|
||||
constants.SERVICE_PARAM_NAME_PLATFORM_AUDITD,
|
||||
]
|
||||
|
||||
PLATFORM_KERNEL_PARAMETER_VALIDATOR = {
|
||||
constants.SERVICE_PARAM_NAME_PLATFORM_AUDITD: _validate_kernel_audit,
|
||||
}
|
||||
|
||||
PLATFORM_KERNEL_PARAMETER_RESOURCE = {
|
||||
constants.SERVICE_PARAM_NAME_PLATFORM_AUDITD:
|
||||
'platform::compute::grub::params::g_audit',
|
||||
}
|
||||
|
||||
RADOSGW_CONFIG_PARAMETER_MANDATORY = [
|
||||
constants.SERVICE_PARAM_NAME_RADOSGW_SERVICE_ENABLED,
|
||||
]
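Review bot: The Puppet resource mapped in `PLATFORM_KERNEL_PARAMETER_RESOURCE` is `platform::compute::grub::params::g_audit`, while the commit message gives the full parameter name as `platform::compute::grub::params::d_audit`; one of the two is a typo, and since this string must match what the dependent stx-puppet change declares, it is worth confirming which before merging. The `PLATFORM_KERNEL_PARAMETER_OPTIONAL`/`_VALIDATOR`/`_RESOURCE` triple follows the existing `PLATFORM_MTCE_PARAMETER_*` layout, which is fine. A one-line comment above `PLATFORM_KERNEL_PARAMETER_RESOURCE` noting that the resource sits under the `compute` namespace but, per the conductor change, is applied to controller hosts too would save the next reader a lookup, e.g. `# grub class is shared by controller and worker personalities`.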
|
||||
|
@ -797,6 +825,11 @@ SERVICE_PARAMETER_SCHEMA = {
|
|||
SERVICE_PARAM_RESOURCE: COLLECTD_PARAMETER_RESOURCE,
|
||||
SERVICE_PARAM_DATA_FORMAT: COLLECTD_NETWORK_SERVERS_PARAMETER_DATA_FORMAT,
|
||||
},
|
||||
constants.SERVICE_PARAM_SECTION_PLATFORM_KERNEL: {
|
||||
SERVICE_PARAM_OPTIONAL: PLATFORM_KERNEL_PARAMETER_OPTIONAL,
|
||||
SERVICE_PARAM_VALIDATOR: PLATFORM_KERNEL_PARAMETER_VALIDATOR,
|
||||
SERVICE_PARAM_RESOURCE: PLATFORM_KERNEL_PARAMETER_RESOURCE,
|
||||
},
|
||||
},
|
||||
constants.SERVICE_TYPE_HORIZON: {
|
||||
constants.SERVICE_PARAM_SECTION_HORIZON_AUTH: {
|
||||
|
|
|
@ -673,6 +673,11 @@ class ConductorManager(service.PeriodicService):
|
|||
'name': constants.SERVICE_PARAM_PLAT_MTCE_MNFA_TIMEOUT,
|
||||
'value': constants.SERVICE_PARAM_PLAT_MTCE_MNFA_TIMEOUT_DEFAULT,
|
||||
},
|
||||
{'service': constants.SERVICE_TYPE_PLATFORM,
|
||||
'section': constants.SERVICE_PARAM_SECTION_PLATFORM_KERNEL,
|
||||
'name': constants.SERVICE_PARAM_NAME_PLATFORM_AUDITD,
|
||||
'value': constants.SERVICE_PARAM_PLATFORM_AUDITD_DISABLED,
|
||||
},
|
||||
{'service': constants.SERVICE_TYPE_RADOSGW,
|
||||
'section': constants.SERVICE_PARAM_SECTION_RADOSGW_CONFIG,
|
||||
'name': constants.SERVICE_PARAM_NAME_RADOSGW_SERVICE_ENABLED,
|
||||
|
@ -8955,6 +8960,21 @@ class ConductorManager(service.PeriodicService):
|
|||
personalities = [constants.CONTROLLER,
|
||||
constants.WORKER,
|
||||
constants.STORAGE]
|
||||
elif section == constants.SERVICE_PARAM_SECTION_PLATFORM_KERNEL:
|
||||
reboot = True
|
||||
personalities = [constants.CONTROLLER,
|
||||
constants.WORKER]
|
||||
config_uuid = self._config_update_hosts(context, personalities, reboot=True)
|
||||
|
||||
config_dict = {
|
||||
'personalities': personalities,
|
||||
"classes": ['platform::compute::grub::runtime']
|
||||
}
|
||||
|
||||
# Apply runtime config but keep reboot required flag set in
|
||||
# _config_update_hosts() above. Node needs a reboot to clear it.
|
||||
config_uuid = self._config_clear_reboot_required(config_uuid)
|
||||
self._config_apply_runtime_manifest(context, config_uuid, config_dict, force=True)
|
||||
|
||||
# we should not set the reboot flag on operations that are not
|
||||
# reboot required. An apply of a service parameter is not reboot
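Review bot: The local `reboot = True` at the top of the new `elif` branch looks redundant: `_config_update_hosts()` is already called with `reboot=True` on the next line, and if the shared tail of the function (it continues past the hunk) also acts on `reboot`, the hosts would be flagged a second time. Either drop the local assignment or let the tail make the `_config_update_hosts()` call, but not both. The comment above `_config_clear_reboot_required()` also reads as if the host flag is being cleared right after it was set; if that helper only strips the reboot bit from the uuid handed to the runtime apply, say so: `# Use a config uuid without the reboot bit for the runtime apply so the reboot-required flag set on the hosts above survives a successful runtime apply.`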
|
||||
|
|