Service parameter config for auditd grub parameter
This commit implements enabling/disabling the kernel grub parameter for auditd, using the service parameter mechanism. The new "audit" parameter, with full name "platform::compute::grub::params::d_audit", is stored as a system-wide service parameter and is applied only to certain personalities. Only system controllers and worker hosts are allowed to have the "audit" kernel parameter enabled. Story: 2008849 Task: 43364 Depends-On: https://review.opendev.org/c/starlingx/stx-puppet/+/810018 Change-Id: I574616b32e70862261c3dc5acfee73d57c06c7df Signed-off-by: Carmen Rata <carmen.rata@windriver.com>
parent
23406f3a07
commit
f2ec1e3370
|
@ -1195,6 +1195,13 @@ SERVICE_PARAM_NAME_ENDPOINT_DOMAIN = "endpoint_domain"
|
||||||
SERVICE_PARAM_SECTION_COLLECTD = 'collectd'
|
SERVICE_PARAM_SECTION_COLLECTD = 'collectd'
|
||||||
SERVICE_PARAM_COLLECTD_NETWORK_SERVERS = 'network_servers'
|
SERVICE_PARAM_COLLECTD_NETWORK_SERVERS = 'network_servers'
|
||||||
|
|
||||||
|
# platform kernel parameter auditd
|
||||||
|
# enables and disables auditd
|
||||||
|
SERVICE_PARAM_SECTION_PLATFORM_KERNEL = 'kernel'
|
||||||
|
SERVICE_PARAM_NAME_PLATFORM_AUDITD = 'audit'
|
||||||
|
SERVICE_PARAM_PLATFORM_AUDITD_DISABLED = '0'
|
||||||
|
SERVICE_PARAM_PLATFORM_AUDITD_ENABLED = '1'
|
||||||
|
|
||||||
# TIS part number, CPE = combined load, STD = standard load
|
# TIS part number, CPE = combined load, STD = standard load
|
||||||
TIS_STD_BUILD = 'Standard'
|
TIS_STD_BUILD = 'Standard'
|
||||||
TIS_AIO_BUILD = 'All-in-one'
|
TIS_AIO_BUILD = 'All-in-one'
|
||||||
|
|
|
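Review bot: The two comments introduced above the new constants (`# platform kernel parameter auditd` and `# enables and disables auditd`) read as fragments and do not say what the `'0'`/`'1'` values are. One comment naming the thing being configured would be clearer, e.g. `# 'audit' kernel boot parameter (service parameter section 'kernel'): '0' disables auditd, '1' enables it`. The constant names otherwise follow the existing `SERVICE_PARAM_*` convention in this file.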
@ -396,6 +396,21 @@ def _validate_pod_max_pids(name, value):
|
||||||
constants.SERVICE_PARAM_KUBERNETES_POD_MAX_PIDS_MAX)
|
constants.SERVICE_PARAM_KUBERNETES_POD_MAX_PIDS_MAX)
|
||||||
|
|
||||||
|
|
||||||
|
def _validate_kernel_audit(name, value):
|
||||||
|
"""Check if specified value is supported"""
|
||||||
|
try:
|
||||||
|
if str(value) in [constants.SERVICE_PARAM_PLATFORM_AUDITD_DISABLED,
|
||||||
|
constants.SERVICE_PARAM_PLATFORM_AUDITD_ENABLED]:
|
||||||
|
return
|
||||||
|
except ValueError:
|
||||||
|
pass
|
||||||
|
|
||||||
|
raise wsme.exc.ClientSideError(_(
|
||||||
|
"Parameter '%s' value must be either '%s' or '%s'" %
|
||||||
|
(name, constants.SERVICE_PARAM_PLATFORM_AUDITD_DISABLED,
|
||||||
|
constants.SERVICE_PARAM_PLATFORM_AUDITD_ENABLED)))
|
||||||
|
|
||||||
|
|
||||||
PLATFORM_CONFIG_PARAMETER_OPTIONAL = [
|
PLATFORM_CONFIG_PARAMETER_OPTIONAL = [
|
||||||
constants.SERVICE_PARAM_NAME_PLAT_CONFIG_VIRTUAL,
|
constants.SERVICE_PARAM_NAME_PLAT_CONFIG_VIRTUAL,
|
||||||
]
|
]
|
||||||
|
@ -524,6 +539,19 @@ PLATFORM_MTCE_PARAMETER_RESOURCE = {
|
||||||
constants.SERVICE_PARAM_PLAT_MTCE_MNFA_TIMEOUT: 'platform::mtce::params::mnfa_timeout',
|
constants.SERVICE_PARAM_PLAT_MTCE_MNFA_TIMEOUT: 'platform::mtce::params::mnfa_timeout',
|
||||||
}
|
}
|
||||||
|
|
||||||
|
PLATFORM_KERNEL_PARAMETER_OPTIONAL = [
|
||||||
|
constants.SERVICE_PARAM_NAME_PLATFORM_AUDITD,
|
||||||
|
]
|
||||||
|
|
||||||
|
PLATFORM_KERNEL_PARAMETER_VALIDATOR = {
|
||||||
|
constants.SERVICE_PARAM_NAME_PLATFORM_AUDITD: _validate_kernel_audit,
|
||||||
|
}
|
||||||
|
|
||||||
|
PLATFORM_KERNEL_PARAMETER_RESOURCE = {
|
||||||
|
constants.SERVICE_PARAM_NAME_PLATFORM_AUDITD:
|
||||||
|
'platform::compute::grub::params::g_audit',
|
||||||
|
}
|
||||||
|
|
||||||
RADOSGW_CONFIG_PARAMETER_MANDATORY = [
|
RADOSGW_CONFIG_PARAMETER_MANDATORY = [
|
||||||
constants.SERVICE_PARAM_NAME_RADOSGW_SERVICE_ENABLED,
|
constants.SERVICE_PARAM_NAME_RADOSGW_SERVICE_ENABLED,
|
||||||
]
|
]
|
||||||
|
@ -797,6 +825,11 @@ SERVICE_PARAMETER_SCHEMA = {
|
||||||
SERVICE_PARAM_RESOURCE: COLLECTD_PARAMETER_RESOURCE,
|
SERVICE_PARAM_RESOURCE: COLLECTD_PARAMETER_RESOURCE,
|
||||||
SERVICE_PARAM_DATA_FORMAT: COLLECTD_NETWORK_SERVERS_PARAMETER_DATA_FORMAT,
|
SERVICE_PARAM_DATA_FORMAT: COLLECTD_NETWORK_SERVERS_PARAMETER_DATA_FORMAT,
|
||||||
},
|
},
|
||||||
|
constants.SERVICE_PARAM_SECTION_PLATFORM_KERNEL: {
|
||||||
|
SERVICE_PARAM_OPTIONAL: PLATFORM_KERNEL_PARAMETER_OPTIONAL,
|
||||||
|
SERVICE_PARAM_VALIDATOR: PLATFORM_KERNEL_PARAMETER_VALIDATOR,
|
||||||
|
SERVICE_PARAM_RESOURCE: PLATFORM_KERNEL_PARAMETER_RESOURCE,
|
||||||
|
},
|
||||||
},
|
},
|
||||||
constants.SERVICE_TYPE_HORIZON: {
|
constants.SERVICE_TYPE_HORIZON: {
|
||||||
constants.SERVICE_PARAM_SECTION_HORIZON_AUTH: {
|
constants.SERVICE_PARAM_SECTION_HORIZON_AUTH: {
|
||||||
|
|
|
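Review bot: The `try`/`except ValueError: pass` in `_validate_kernel_audit` is dead code: neither `str(value)` nor the list membership test can raise `ValueError`, so the guard only obscures a two-line check. The error message is also formatted before translation, `_("..." % (...))`, which looks up the substituted string rather than the template in the message catalog; the conventional form is `_("...") % (...)`. Separately, the resource mapping in the following hunk uses `'platform::compute::grub::params::g_audit'` while the commit message names `d_audit`; it is worth confirming which key the stx-puppet change expects, since a mismatch could leave the parameter without effect. A simplified validator is sketched below.
```python
def _validate_kernel_audit(name, value):
    """Accept only the '0'/'1' values defined for the kernel audit parameter."""
    if str(value) in (constants.SERVICE_PARAM_PLATFORM_AUDITD_DISABLED,
                      constants.SERVICE_PARAM_PLATFORM_AUDITD_ENABLED):
        return
    raise wsme.exc.ClientSideError(
        _("Parameter '%s' value must be either '%s' or '%s'") %
        (name, constants.SERVICE_PARAM_PLATFORM_AUDITD_DISABLED,
         constants.SERVICE_PARAM_PLATFORM_AUDITD_ENABLED))
```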
@ -673,6 +673,11 @@ class ConductorManager(service.PeriodicService):
|
||||||
'name': constants.SERVICE_PARAM_PLAT_MTCE_MNFA_TIMEOUT,
|
'name': constants.SERVICE_PARAM_PLAT_MTCE_MNFA_TIMEOUT,
|
||||||
'value': constants.SERVICE_PARAM_PLAT_MTCE_MNFA_TIMEOUT_DEFAULT,
|
'value': constants.SERVICE_PARAM_PLAT_MTCE_MNFA_TIMEOUT_DEFAULT,
|
||||||
},
|
},
|
||||||
|
{'service': constants.SERVICE_TYPE_PLATFORM,
|
||||||
|
'section': constants.SERVICE_PARAM_SECTION_PLATFORM_KERNEL,
|
||||||
|
'name': constants.SERVICE_PARAM_NAME_PLATFORM_AUDITD,
|
||||||
|
'value': constants.SERVICE_PARAM_PLATFORM_AUDITD_DISABLED,
|
||||||
|
},
|
||||||
{'service': constants.SERVICE_TYPE_RADOSGW,
|
{'service': constants.SERVICE_TYPE_RADOSGW,
|
||||||
'section': constants.SERVICE_PARAM_SECTION_RADOSGW_CONFIG,
|
'section': constants.SERVICE_PARAM_SECTION_RADOSGW_CONFIG,
|
||||||
'name': constants.SERVICE_PARAM_NAME_RADOSGW_SERVICE_ENABLED,
|
'name': constants.SERVICE_PARAM_NAME_RADOSGW_SERVICE_ENABLED,
|
||||||
|
@ -8955,6 +8960,21 @@ class ConductorManager(service.PeriodicService):
|
||||||
personalities = [constants.CONTROLLER,
|
personalities = [constants.CONTROLLER,
|
||||||
constants.WORKER,
|
constants.WORKER,
|
||||||
constants.STORAGE]
|
constants.STORAGE]
|
||||||
|
elif section == constants.SERVICE_PARAM_SECTION_PLATFORM_KERNEL:
|
||||||
|
reboot = True
|
||||||
|
personalities = [constants.CONTROLLER,
|
||||||
|
constants.WORKER]
|
||||||
|
config_uuid = self._config_update_hosts(context, personalities, reboot=True)
|
||||||
|
|
||||||
|
config_dict = {
|
||||||
|
'personalities': personalities,
|
||||||
|
"classes": ['platform::compute::grub::runtime']
|
||||||
|
}
|
||||||
|
|
||||||
|
# Apply runtime config but keep reboot required flag set in
|
||||||
|
# _config_update_hosts() above. Node needs a reboot to clear it.
|
||||||
|
config_uuid = self._config_clear_reboot_required(config_uuid)
|
||||||
|
self._config_apply_runtime_manifest(context, config_uuid, config_dict, force=True)
|
||||||
|
|
||||||
# we should not set the reboot flag on operations that are not
|
# we should not set the reboot flag on operations that are not
|
||||||
# reboot required. An apply of a service parameter is not reboot
|
# reboot required. An apply of a service parameter is not reboot
|
||||||
|
|
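Review bot: In the new `elif section == constants.SERVICE_PARAM_SECTION_PLATFORM_KERNEL:` branch, `reboot = True` is assigned but the next call passes the literal `reboot=True` to `_config_update_hosts`, so the local is redundant unless it is read later in the function, which starts and ends outside this hunk; either pass `reboot=reboot` or drop the assignment. The two comments explain why the reboot-required flag is cleared on the config uuid before the runtime manifest is applied, but nothing says why `force=True` is needed on `_config_apply_runtime_manifest`; a one-line comment giving that reason would help the next maintainer. In the defaults hunk above, the seed value for the new parameter is `SERVICE_PARAM_PLATFORM_AUDITD_DISABLED`; a short comment stating why kernel audit defaults to off would make the posture of a fresh install explicit for whoever reviews it later.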