a06b316cb4
When running commands that require root privileges, the linuxbridge, openvswitch, and ryu agent now prepend the commands with the value of the root_helper config variable. This is set to "sudo" in the plugins' .ini files, allowing the agent to run as a non-root user with appropriate sudo privilidges. If root_helper is changed to "sudo quantum-rootwrap", then the command being run will be filtered against lists of each agent's valid commands in quantum/rootwrap. See http://wiki.openstack.org/Packager/Rootwrap for details. Fixes bug 948467. Change-Id: I549515068a4ce8ae480905ec5eaab6257445d0c3 Signed-off-by: Bob Kukura <rkukura@redhat.com>
32 lines
1.1 KiB
Python
32 lines
1.1 KiB
Python
# vim: tabstop=4 shiftwidth=4 softtabstop=4
|
|
|
|
# Copyright (c) 2012 Openstack, LLC.
|
|
# All Rights Reserved.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
|
|
from quantum.rootwrap import filters
|
|
|
|
filterlist = [
|
|
# quantum/plugins/ryu/agent/ryu_quantum_agent.py:
|
|
# "ovs-vsctl", "--timeout=2", ...
|
|
filters.CommandFilter("/usr/bin/ovs-vsctl", "root"),
|
|
filters.CommandFilter("/bin/ovs-vsctl", "root"),
|
|
|
|
# quantum/plugins/ryu/agent/ryu_quantum_agent.py:
|
|
# "xe", "vif-param-get", ...
|
|
filters.CommandFilter("/usr/bin/xe", "root"),
|
|
filters.CommandFilter("/usr/sbin/xe", "root"),
|
|
]
|