Update vpnaas rootwrap filters

The vpnaas rootwrap filters are out of date and therefore not
functional on the latest release of OpenStack Ansible.

This updates and adds all the missing ones so that it becomes
functional again.

Change-Id: Iadcb4c7451cd51526dfd96b305a9d0b1948ce8da
Mohammed Naser 2020-01-13 19:35:33 -05:00
parent 84c02043f0
commit 6ab3f19688

@ -1,7 +1,7 @@
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# This file should be owned by (and only-writable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
@ -13,7 +13,8 @@ ip: IpFilter, ip, root
ip_exec: IpNetnsExecFilter, ip, root
ipsec: CommandFilter, ipsec, root
rm: RegExpFilter, rm, root, rm, -rf, (.*/strongswan.d|.*/ipsec/[0-9a-z-]+)
rm_file: RegExpFilter, rm, root, rm, -f, .*/ipsec.secrets
strongswan: CommandFilter, strongswan, root
neutron_netns_wrapper: CommandFilter, neutron-vpn-netns-wrapper, root
neutron_netns_wrapper_local: CommandFilter, /usr/local/bin/neutron-vpn-netns-wrapper, root
chown: RegExpFilter, chown, root, chown, --from=.*, root.root, .*/ipsec.secrets
chown: RegExpFilter, chown, root, chown, --from=.*, root.root, .*/(ipsec.secrets|ipsec/[0-9a-z-]+/log)
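Review bot: the replacement chown filter on the last line of this hunk still opens its path pattern with an unanchored `.*/`, so a root chown to root.root is allowed on any path that ends in `ipsec.secrets` or `ipsec/[0-9a-z-]+/log`, not only on files under the directory the VPN driver writes to. Consider anchoring the pattern to that directory and escaping the dot in `ipsec.secrets`, which as written matches any character. The same loose prefix appears in the `rm` and `rm_file` entries above it (`.*/strongswan.d`, `.*/ipsec/[0-9a-z-]+`, `.*/ipsec.secrets`), where it governs `rm -rf` and `rm -f` as root, so tightening them together would keep the filter set consistent. A one-line comment above each entry naming the driver operation that needs it would also make later audits of this file easier.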