diff options
| author | John Griffith <john.griffith8@gmail.com> | 2014-08-28 17:27:35 -0600 |
|---|---|---|
| committer | Alan Pevec <alan.pevec@redhat.com> | 2014-09-19 12:08:15 +0200 |
| commit | a7f5a9d23a3085d079d1abd3415e8e931895046f (patch) | |
| tree | 28df44a0b85ab3e66a2be14daaadd745953a5ed2 | |
| parent | 13bab4c9aa64f47d33f3158ebd1e14ed924d2060 (diff) | |
| download | nova-a7f5a9d23a3085d079d1abd3415e8e931895046f.tar.gz | |
Fix rootwrap for non openstack.org iqn's
The encryption methods implemented for attached volumes
require a symbolic link created to the /dev/disk-by* iqn.
The current implementation works fine for LVM, however the rootwrap
is restricted to only allow iqns of the form openstack.org, for
vendors that use their own target and iqn this won't work and will
result in the attach failing for unauthorized command.
This just makes the regex for the rootwrap filter a bit more
permissive, only looking for iscsi-iqn.*
Closes-Bug: 1362854
(cherry picked from commit 00808f2072c3ee8958ad16eabad7994730bb8b86)
Change-Id: I023ad24867c045a88f72c5ac7ac4e4da097a3643
Conflicts:
etc/nova/rootwrap.d/compute.filters
| -rw-r--r-- | etc/nova/rootwrap.d/compute.filters | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/etc/nova/rootwrap.d/compute.filters b/etc/nova/rootwrap.d/compute.filters index 87f3d37624..eda7fcdf3b 100644 --- a/etc/nova/rootwrap.d/compute.filters +++ b/etc/nova/rootwrap.d/compute.filters @@ -203,7 +203,7 @@ systool: CommandFilter, systool, root sginfo: CommandFilter, sginfo, root sg_scan: CommandFilter, sg_scan, root cryptsetup: CommandFilter, cryptsetup, root -ln: RegExpFilter, ln, root, ln, --symbolic, --force, /dev/mapper/ip-.*-iscsi-iqn.2010-10.org.openstack:volume-.*, /dev/disk/by-path/ip-.*-iscsi-iqn.2010-10.org.openstack:volume-.* +ln: RegExpFilter, ln, root, ln, --symbolic, --force, /dev/mapper/ip-.*-iscsi-iqn.*, /dev/disk/by-path/ip-.*-iscsi-iqn.* # nova/virt/xenapi/vm_utils.py: xenstore-read: CommandFilter, xenstore-read, root |