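# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network (DHCP agent, metadata proxy, ip_lib).
#
# Every entry below authorizes a command that rootwrap will run as root on
# behalf of the unprivileged neutron service user, so this file is part of
# the privilege boundary. It should be owned by, and writable only by, the
# root user; the same holds for the directory it lives in and for
# rootwrap.conf, which names the filter directories.

# Entry format, as far as can be told from the entries themselves:
#   cmd-name: filter-name, raw-command, user, args
# On the KillFilter lines the order differs: the user comes first, then the
# executable the target process must be running, then the permitted signals.
#
# Commands given without a directory (ip, cat, ovs-vsctl, ivs-ctl,
# neutron-ns-metadata-proxy, ...) are looked up on rootwrap's own search path
# (exec_dirs in rootwrap.conf). Keep every directory on that path root-owned
# and not writable by the service user.

[Filters]

# dhcp-agent
# DnsmasqFilter and DnsmasqNetnsFilter are dnsmasq-specific filter classes;
# their argument checks live in the rootwrap filter code, not in this file.
ip_exec_dnsmasq: DnsmasqNetnsFilter, ip, root
dnsmasq: DnsmasqFilter, /sbin/dnsmasq, root
dnsmasq_usr: DnsmasqFilter, /usr/sbin/dnsmasq, root
# dhcp-agent uses kill as well, that's handled by the generic KillFilter
# it looks like these are the only signals needed, per
# neutron/agent/linux/dhcp.py
# Only -9 and -HUP are listed, and only for processes whose executable is
# one of the two dnsmasq paths.
kill_dnsmasq: KillFilter, root, /sbin/dnsmasq, -9, -HUP
kill_dnsmasq_usr: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP

# dhcp-agent uses cat
# RegExpFilter checks each argument against the pattern in the same position,
# so this authorizes reading /proc/<pid>/cmdline and nothing else.
cat: RegExpFilter, cat, root, cat, /proc/\d+/cmdline
# NOTE(review): CommandFilter matches on the command name only and places no
# constraint on the arguments. The two switch-control tools below are
# therefore callable as root with any arguments by whoever may invoke
# rootwrap. Narrow to RegExpFilter entries if the agent's actual call set is
# small enough to enumerate.
ovs-vsctl: CommandFilter, ovs-vsctl, root
ivs-ctl: CommandFilter, ivs-ctl, root

# metadata proxy
# NOTE(review): same CommandFilter caveat as above (arguments unconstrained).
# The quantum-* names look like the pre-rename binaries; entries for binaries
# that are not installed can be dropped to keep the allowlist minimal.
metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
metadata_proxy_quantum: CommandFilter, quantum-ns-metadata-proxy, root
# If installed from source (say, by devstack), the prefix will be
# /usr/local instead of /usr/bin.
# NOTE(review): confirm /usr/local/bin is root-owned before keeping these on
# a production node.
metadata_proxy_local: CommandFilter, /usr/local/bin/neutron-ns-metadata-proxy, root
metadata_proxy_local_quantum: CommandFilter, /usr/local/bin/quantum-ns-metadata-proxy, root
# RHEL invocation of the metadata proxy will report /usr/bin/python
# NOTE(review): the executable named here is the generic Python interpreter,
# not the metadata proxy, so these three entries are not specific to the
# proxy: any process running under that interpreter path satisfies the
# filter for signal -9. Treat this as a least-privilege gap and keep only the
# interpreter path(s) actually present on the node.
kill_metadata: KillFilter, root, /usr/bin/python, -9
kill_metadata7: KillFilter, root, /usr/bin/python2.7, -9
kill_metadata6: KillFilter, root, /usr/bin/python2.6, -9

# ip_lib
# NOTE(review): ip_exec covers "ip netns exec"; presumably the command being
# executed inside the namespace must itself match another filter entry.
# Confirm against the installed rootwrap version, since that chaining is what
# keeps this entry from being an open root-exec path.
ip: IpFilter, ip, root
ip_exec: IpNetnsExecFilter, ip, root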