diff options
author | Michael Still <mikal@stillhq.com> | 2017-09-18 23:16:52 +1000 |
---|---|---|
committer | Michael Still <mikal@stillhq.com> | 2017-09-18 23:17:35 +1000 |
commit | 90e91ca05245c889949d241cc14902f8496a9b7b (patch) | |
tree | a6589cf0f5d7c4628746949ebaba6abd300c902e | |
parent | e00d8eb7593edb443f18c779b3fedc5bb91d79f8 (diff) | |
download | nova-90e91ca05245c889949d241cc14902f8496a9b7b.tar.gz |
Squash dacnet_admin privsep context.
As discussed at the PTG, we're going to use one big context for
ease of management.
Change-Id: I951abd402736735730e0868f31b85b1817055b2f
blueprint: hurrah-for-privsep
-rw-r--r-- | etc/nova/rootwrap.d/compute.filters | 2 | ||||
-rw-r--r-- | nova/privsep/__init__.py | 12 | ||||
-rw-r--r-- | nova/privsep/libvirt.py | 6 | ||||
-rw-r--r-- | releasenotes/notes/privsep-queens-rootwrap-adds-907aa1bc8e3eb2ca.yaml | 3 |
4 files changed, 3 insertions, 20 deletions
diff --git a/etc/nova/rootwrap.d/compute.filters b/etc/nova/rootwrap.d/compute.filters index dcee0c1126..014ac19de4 100644 --- a/etc/nova/rootwrap.d/compute.filters +++ b/etc/nova/rootwrap.d/compute.filters @@ -198,8 +198,6 @@ scsi_id: CommandFilter, /lib/udev/scsi_id, root # and (implicitly) the actual python code invoked. privsep-rootwrap-os_brick: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.* -privsep-rootwrap-dacnet_admin: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, nova.privsep.dacnet_admin_pctxt, --privsep_sock_path, /tmp/.* - privsep-rootwrap-sys_admin: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, nova.privsep.sys_admin_pctxt, --privsep_sock_path, /tmp/.* # nova/virt/libvirt/storage/dmcrypt.py: diff --git a/nova/privsep/__init__.py b/nova/privsep/__init__.py index c0e138a692..ddb5981710 100644 --- a/nova/privsep/__init__.py +++ b/nova/privsep/__init__.py @@ -18,18 +18,6 @@ from oslo_privsep import capabilities from oslo_privsep import priv_context -# NOTE(mikal): DAC + CAP_NET_ADMIN, required for network sysfs changes -dacnet_admin_pctxt = priv_context.PrivContext( - 'nova', - cfg_section='nova_dacnet_admin', - pypath=__name__ + '.dacnet_admin_pctxt', - capabilities=[capabilities.CAP_CHOWN, - capabilities.CAP_DAC_OVERRIDE, - capabilities.CAP_DAC_READ_SEARCH, - capabilities.CAP_FOWNER, - capabilities.CAP_NET_ADMIN], -) - sys_admin_pctxt = priv_context.PrivContext( 'nova', cfg_section='nova_sys_admin', diff --git a/nova/privsep/libvirt.py b/nova/privsep/libvirt.py index 4f7f313c61..a65eb2611d 100644 --- a/nova/privsep/libvirt.py +++ b/nova/privsep/libvirt.py @@ -56,14 +56,14 @@ def _last_bytes_inner(file_like_object, num): return (file_like_object.read(), remaining) -@nova.privsep.dacnet_admin_pctxt.entrypoint +@nova.privsep.sys_admin_pctxt.entrypoint def enable_hairpin(interface): """Enable hairpin mode for a libvirt guest.""" with open('/sys/class/net/%s/brport/hairpin_mode' % interface, 'w') as f: f.write('1') -@nova.privsep.dacnet_admin_pctxt.entrypoint +@nova.privsep.sys_admin_pctxt.entrypoint def disable_multicast_snooping(interface): """Disable multicast snooping for a bridge.""" with open('/sys/class/net/%s/bridge/multicast_snooping' % interface, @@ -71,7 +71,7 @@ def disable_multicast_snooping(interface): f.write('0') -@nova.privsep.dacnet_admin_pctxt.entrypoint +@nova.privsep.sys_admin_pctxt.entrypoint def disable_ipv6(interface): """Disable ipv6 for a bridge.""" with open('/proc/sys/net/ipv6/conf/%s/disable_ipv' % interface, 'w') as f: diff --git a/releasenotes/notes/privsep-queens-rootwrap-adds-907aa1bc8e3eb2ca.yaml b/releasenotes/notes/privsep-queens-rootwrap-adds-907aa1bc8e3eb2ca.yaml index 5e935774f0..ff9655157f 100644 --- a/releasenotes/notes/privsep-queens-rootwrap-adds-907aa1bc8e3eb2ca.yaml +++ b/releasenotes/notes/privsep-queens-rootwrap-adds-907aa1bc8e3eb2ca.yaml @@ -4,8 +4,5 @@ upgrade: A sys-admin privsep daemon has been added and needs to be included in your rootwrap configuration. - | - A dacnet-admin privsep daemon has been added and needs to be included in - your rootwrap configuration. - - | The following commands are no longer required to be listed in your rootwrap configuration: cat; chown; readlink; tee; touch.
\ No newline at end of file |