Security: Container user and rootwrap for cinder
This PS adds user control for the service user and rootwrap for the Cinder chart. Change-Id: Ic4153f91edf57be54ecea29abaa8c8663b3c3a36
parent
7463058b73
commit
3717040f47
@ -90,10 +90,14 @@ data:
|
||||
{{- if .Values.conf.backends.append -}}
|
||||
{{ .Values.conf.backends.append | indent 4 }}
|
||||
{{- end }}
|
||||
rootwrap.conf: |+
|
||||
{{- tuple .Values.conf.rootwrap "etc/_rootwrap.conf.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||
api-paste.ini: |+
|
||||
{{- tuple .Values.conf.paste "etc/_api-paste.ini.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||
policy.json: |+
|
||||
{{- tuple .Values.conf.policy "etc/_policy.json.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||
cinder_sudoers: |+
|
||||
{{- tuple .Values.conf.neutron_sudoers "etc/_cinder_sudoers.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||
rootwrap.conf: |+
|
||||
{{- tuple .Values.conf.rootwrap "etc/_rootwrap.conf.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||
volume.filters: |+
|
||||
{{- tuple .Values.conf.rootwrap_filters.volume "etc/rootwrap.d/_volume.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||
{{- end }}
|
||||
|
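Review bot: The new `cinder_sudoers` key is rendered from `.Values.conf.neutron_sudoers`, but the values.yaml hunk in this commit adds the block as `conf.cinder_sudoers`, so the templater is handed a value this chart does not define. Depending on how `helm-toolkit.utils.configmap_templater` treats a missing value, the likely effect is that `conf.cinder_sudoers.override` and `append` are ignored, so an operator who tightens the sudoers policy through values would silently still get the default file. The argument should be `.Values.conf.cinder_sudoers`, i.e. `{{- tuple .Values.conf.cinder_sudoers "etc/_cinder_sudoers.tpl" . | include "helm-toolkit.utils.configmap_templater" }}`. The ConfigMap definition starts outside the hunk.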
@ -47,6 +47,8 @@ spec:
|
||||
image: {{ .Values.images.api }}
|
||||
imagePullPolicy: {{ .Values.images.pull_policy }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
securityContext:
|
||||
runAsUser: {{ .Values.pod.user.cinder.uid }}
|
||||
command:
|
||||
- /tmp/cinder-api.sh
|
||||
- start
|
||||
|
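Review bot: The added `securityContext` sets only `runAsUser`, which picks the starting uid but does not stop a setuid binary in the image (sudo included) from raising privileges afterwards. This commit adds no sudoers or rootwrap mounts to the api deployment, so if the API process never calls cinder-rootwrap the block can also carry `allowPrivilegeEscalation: false`. The scheduler deployment hunk has the same two-line block and the same applies there. The backup and volume containers do rely on sudo and cannot take this setting. The container spec continues outside the hunk.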
@ -45,6 +45,8 @@ spec:
|
||||
- name: ceph-keyring-placement
|
||||
image: {{ .Values.images.backup }}
|
||||
imagePullPolicy: {{ .Values.images.pull_policy }}
|
||||
securityContext:
|
||||
runAsUser: 0
|
||||
command:
|
||||
- /tmp/ceph-keyring.sh
|
||||
volumeMounts:
|
||||
@ -53,6 +55,7 @@ spec:
|
||||
- name: cinder-bin
|
||||
mountPath: /tmp/ceph-keyring.sh
|
||||
subPath: ceph-keyring.sh
|
||||
readOnly: true
|
||||
- name: ceph-keyring
|
||||
mountPath: /tmp/client-keyring
|
||||
subPath: key
|
||||
@ -63,6 +66,8 @@ spec:
|
||||
image: {{ .Values.images.backup }}
|
||||
imagePullPolicy: {{ .Values.images.pull_policy }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.backup | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
securityContext:
|
||||
runAsUser: {{ .Values.pod.user.cinder.uid }}
|
||||
command:
|
||||
- /tmp/cinder-backup.sh
|
||||
volumeMounts:
|
||||
@ -85,7 +90,26 @@ spec:
|
||||
mountPath: /tmp/client-keyring
|
||||
subPath: key
|
||||
readOnly: true
|
||||
{{- end -}}
|
||||
{{- end }}
|
||||
- name: cinder-etc
|
||||
# NOTE (Portdirect): We mount here to overide Kollas custom
|
||||
# sudoers file when using Kolla images, this location will
|
||||
# also work fine for other images.
|
||||
mountPath: /etc/sudoers.d/kolla_cinder_sudoers
|
||||
subPath: cinder_sudoers
|
||||
readOnly: true
|
||||
- name: cinder-etc
|
||||
mountPath: /etc/sudoers.d/kolla_cinder_volume_sudoers
|
||||
subPath: cinder_sudoers
|
||||
readOnly: true
|
||||
- name: cinder-etc
|
||||
mountPath: /etc/cinder/rootwrap.conf
|
||||
subPath: rootwrap.conf
|
||||
readOnly: true
|
||||
- name: cinder-etc
|
||||
mountPath: /etc/cinder/rootwrap.d/volume.filters
|
||||
subPath: volume.filters
|
||||
readOnly: true
|
||||
{{ if $mounts_cinder_backup.volumeMounts }}{{ toYaml $mounts_cinder_backup.volumeMounts | indent 12 }}{{ end }}
|
||||
volumes:
|
||||
- name: cinder-etc
|
||||
|
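Review bot: The second sudoers mount, `/etc/sudoers.d/kolla_cinder_volume_sudoers`, has no comment; the NOTE above the first mount explains only `kolla_cinder_sudoers`, so a reader cannot tell that the second path is there to shadow another image-supplied drop-in (presumably Kolla's cinder-volume file; confirm). Suggest adding `# Also shadow the image's cinder-volume drop-in so only the chart's rule applies.` above it. The backup container also receives `volume.filters`, the full volume-node command set; if cinder-backup needs only part of it, a narrower filter file for this deployment would reduce what the service account can run as root. The same mount block is added in the volume deployment, and the volumeMounts list starts outside the hunk.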
@ -46,6 +46,8 @@ spec:
|
||||
image: {{ .Values.images.scheduler }}
|
||||
imagePullPolicy: {{ .Values.images.pull_policy }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.scheduler | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
securityContext:
|
||||
runAsUser: {{ .Values.pod.user.cinder.uid }}
|
||||
command:
|
||||
- /tmp/cinder-scheduler.sh
|
||||
volumeMounts:
|
||||
|
@ -45,6 +45,8 @@ spec:
|
||||
- name: ceph-keyring-placement
|
||||
image: {{ .Values.images.volume }}
|
||||
imagePullPolicy: {{ .Values.images.pull_policy }}
|
||||
securityContext:
|
||||
runAsUser: 0
|
||||
command:
|
||||
- /tmp/ceph-keyring.sh
|
||||
volumeMounts:
|
||||
@ -53,6 +55,7 @@ spec:
|
||||
- name: cinder-bin
|
||||
mountPath: /tmp/ceph-keyring.sh
|
||||
subPath: ceph-keyring.sh
|
||||
readOnly: true
|
||||
- name: ceph-keyring
|
||||
mountPath: /tmp/client-keyring
|
||||
subPath: key
|
||||
@ -63,6 +66,8 @@ spec:
|
||||
image: {{ .Values.images.volume }}
|
||||
imagePullPolicy: {{ .Values.images.pull_policy }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.volume | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
securityContext:
|
||||
runAsUser: {{ .Values.pod.user.cinder.uid }}
|
||||
command:
|
||||
- /tmp/cinder-volume.sh
|
||||
volumeMounts:
|
||||
@ -90,6 +95,25 @@ spec:
|
||||
subPath: key
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
- name: cinder-etc
|
||||
# NOTE (Portdirect): We mount here to overide Kollas custom
|
||||
# sudoers file when using Kolla images, this location will
|
||||
# also work fine for other images.
|
||||
mountPath: /etc/sudoers.d/kolla_cinder_sudoers
|
||||
subPath: cinder_sudoers
|
||||
readOnly: true
|
||||
- name: cinder-etc
|
||||
mountPath: /etc/sudoers.d/kolla_cinder_volume_sudoers
|
||||
subPath: cinder_sudoers
|
||||
readOnly: true
|
||||
- name: cinder-etc
|
||||
mountPath: /etc/cinder/rootwrap.conf
|
||||
subPath: rootwrap.conf
|
||||
readOnly: true
|
||||
- name: cinder-etc
|
||||
mountPath: /etc/cinder/rootwrap.d/volume.filters
|
||||
subPath: volume.filters
|
||||
readOnly: true
|
||||
{{ if $mounts_cinder_volume.volumeMounts }}{{ toYaml $mounts_cinder_volume.volumeMounts | indent 12 }}{{ end }}
|
||||
volumes:
|
||||
- name: cinder-bin
|
||||
|
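--- a/cinder/templates/etc/_cinder_sudoers.tpl
+++ b/cinder/templates/etc/_cinder_sudoers.tpl
@@ -0,0 +1,20 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This sudoers file supports rootwrap for both Kolla and LOCI Images.
+Defaults !requiretty
+Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/var/lib/openstack/bin:/var/lib/kolla/venv/bin"
+cinder ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/cinder-rootwrap /etc/cinder/rootwrap.conf *, /var/lib/openstack/bin/cinder-rootwrap /etc/cinder/rootwrap.conf *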
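Review bot: The rule grants sudo to the account name `cinder`, while the deployments in this commit pin the containers to a numeric uid taken from `pod.user.cinder.uid` (default `1000` in values.yaml), and nothing ties the two together. sudo matches on the passwd entry, so if uid 1000 is not the `cinder` account in the image (this may differ between Kolla and LOCI builds; confirm), rootwrap calls are refused or the rule applies to a different account than intended. A header comment stating the coupling would help, e.g. `# The user name below must be the account that pod.user.cinder.uid maps to in the image.` The trailing `*` on both commands leaves argument checking entirely to the rootwrap filter files, so those files are the actual policy boundary and deserve the same review as this rule.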
@ -10,7 +10,7 @@ filters_path=/etc/cinder/rootwrap.d
|
||||
# explicitely specify a full path (separated by ',')
|
||||
# If not specified, defaults to system PATH environment variable.
|
||||
# These directories MUST all be only writeable by root !
|
||||
exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin
|
||||
exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/var/lib/openstack/bin,/var/lib/kolla/venv/bin
|
||||
|
||||
# Enable logging to syslog
|
||||
# Default value is False
|
||||
|
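Review bot: The widened `exec_dirs` line adds `/var/lib/openstack/bin` and `/var/lib/kolla/venv/bin` directly beneath the existing warning that every listed directory must be writable only by root, and the change does not show that this holds for the virtualenv paths. rootwrap resolves filter executables by name through these directories, so a directory that the service uid can write to would let a filter entry resolve to a binary that account controls. Suggest recording the check next to the setting, e.g. `# venv paths: confirmed root-owned and not group/world-writable in the Kolla and LOCI images`, or listing only the path the deployed image actually uses. The same two directories are added to `secure_path` in `_cinder_sudoers.tpl`, so the check covers both files.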
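--- a/cinder/templates/etc/rootwrap.d/_volume.filters.tpl
+++ b/cinder/templates/etc/rootwrap.d/_volume.filters.tpl
@@ -0,0 +1,224 @@
+# cinder-rootwrap command filters for volume nodes
+# This file should be owned by (and only-writeable by) the root user
+
+[Filters]
+# cinder/volume/iscsi.py: iscsi_helper '--op' ...
+ietadm: CommandFilter, ietadm, root
+tgtadm: CommandFilter, tgtadm, root
+iscsictl: CommandFilter, iscsictl, root
+tgt-admin: CommandFilter, tgt-admin, root
+cinder-rtstool: CommandFilter, cinder-rtstool, root
+scstadmin: CommandFilter, scstadmin, root
+
+# LVM related show commands
+pvs: EnvFilter, env, root, LC_ALL=C, pvs
+vgs: EnvFilter, env, root, LC_ALL=C, vgs
+lvs: EnvFilter, env, root, LC_ALL=C, lvs
+lvdisplay: EnvFilter, env, root, LC_ALL=C, lvdisplay
+
+# -LVM related show commands with suppress fd warnings
+pvs_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, pvs
+vgs_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, vgs
+lvs_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvs
+lvdisplay_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvdisplay
+
+
+# -LVM related show commands conf var
+pvs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, pvs
+vgs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, vgs
+lvs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvs
+lvdisplay_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvdisplay
+
+# -LVM conf var with suppress fd_warnings
+pvs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, pvs
+vgs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, vgs
+lvs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvs
+lvdisplay_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvdisplay
+
+# os-brick library commands
+# os_brick.privileged.run_as_root oslo.privsep context
+# This line ties the superuser privs with the config files, context name,
+# and (implicitly) the actual python code invoked.
+privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.*
+# The following and any cinder/brick/* entries should all be obsoleted
+# by privsep, and may be removed once the os-brick version requirement
+# is updated appropriately.
+scsi_id: CommandFilter, /lib/udev/scsi_id, root
+drbdadm: CommandFilter, drbdadm, root
+
+# cinder/brick/local_dev/lvm.py: 'vgcreate', vg_name, pv_list
+vgcreate: CommandFilter, vgcreate, root
+
+# cinder/brick/local_dev/lvm.py: 'lvcreate', '-L', sizestr, '-n', volume_name,..
+# cinder/brick/local_dev/lvm.py: 'lvcreate', '-L', ...
+lvcreate: EnvFilter, env, root, LC_ALL=C, lvcreate
+lvcreate_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvcreate
+lvcreate_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvcreate
+lvcreate_lvmconf_fdwarn: EnvFilter, env, root, LVM_SYSTEM_DIR=, LVM_SUPPRESS_FD_WARNINGS=, LC_ALL=C, lvcreate
+
+# cinder/volume/driver.py: 'dd', 'if=%s' % srcstr, 'of=%s' % deststr,...
+dd: CommandFilter, dd, root
+
+# cinder/volume/driver.py: 'lvremove', '-f', %s/%s % ...
+lvremove: CommandFilter, lvremove, root
+
+# cinder/volume/driver.py: 'lvrename', '%(vg)s', '%(orig)s' '(new)s'...
+lvrename: CommandFilter, lvrename, root
+
+# cinder/brick/local_dev/lvm.py: 'lvextend', '-L' '%(new_size)s', '%(lv_name)s' ...
+# cinder/brick/local_dev/lvm.py: 'lvextend', '-L' '%(new_size)s', '%(thin_pool)s' ...
+lvextend: EnvFilter, env, root, LC_ALL=C, lvextend
+lvextend_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvextend
+lvextend_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvextend
+lvextend_lvmconf_fdwarn: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvextend
+
+# cinder/brick/local_dev/lvm.py: 'lvchange -a y -K <lv>'
+lvchange: CommandFilter, lvchange, root
+
+# cinder/brick/local_dev/lvm.py: 'lvconvert', '--merge', snapshot_name
+lvconvert: CommandFilter, lvconvert, root
+
+# cinder/volume/driver.py: 'iscsiadm', '-m', 'discovery', '-t',...
+# cinder/volume/driver.py: 'iscsiadm', '-m', 'node', '-T', ...
+iscsiadm: CommandFilter, iscsiadm, root
+
+# cinder/volume/utils.py: utils.temporary_chown(path, 0)
+chown: CommandFilter, chown, root
+
+# cinder/volume/utils.py: copy_volume(..., ionice='...')
+ionice_1: ChainingRegExpFilter, ionice, root, ionice, -c[0-3], -n[0-7]
+ionice_2: ChainingRegExpFilter, ionice, root, ionice, -c[0-3]
+
+# cinder/volume/utils.py: setup_blkio_cgroup()
+cgcreate: CommandFilter, cgcreate, root
+cgset: CommandFilter, cgset, root
+cgexec: ChainingRegExpFilter, cgexec, root, cgexec, -g, blkio:\S+
+
+# cinder/volume/driver.py
+dmsetup: CommandFilter, dmsetup, root
+ln: CommandFilter, ln, root
+
+# cinder/image/image_utils.py
+qemu-img: EnvFilter, env, root, LC_ALL=C, qemu-img
+qemu-img_convert: CommandFilter, qemu-img, root
+
+udevadm: CommandFilter, udevadm, root
+
+# cinder/volume/driver.py: utils.read_file_as_root()
+cat: CommandFilter, cat, root
+
+# cinder/volume/nfs.py
+stat: CommandFilter, stat, root
+mount: CommandFilter, mount, root
+df: CommandFilter, df, root
+du: CommandFilter, du, root
+truncate: CommandFilter, truncate, root
+chmod: CommandFilter, chmod, root
+rm: CommandFilter, rm, root
+
+# cinder/volume/drivers/remotefs.py
+mkdir: CommandFilter, mkdir, root
+
+# cinder/volume/drivers/netapp/nfs.py:
+netapp_nfs_find: RegExpFilter, find, root, find, ^[/]*([^/\0]+(/+)?)*$, -maxdepth, \d+, -name, img-cache.*, -amin, \+\d+
+
+# cinder/volume/drivers/glusterfs.py
+chgrp: CommandFilter, chgrp, root
+umount: CommandFilter, umount, root
+fallocate: CommandFilter, fallocate, root
+
+# cinder/volumes/drivers/hds/hds.py:
+hus-cmd: CommandFilter, hus-cmd, root
+hus-cmd_local: CommandFilter, /usr/local/bin/hus-cmd, root
+
+# cinder/volumes/drivers/hds/hnas_backend.py
+ssc: CommandFilter, ssc, root
+
+# cinder/brick/initiator/connector.py:
+ls: CommandFilter, ls, root
+tee: CommandFilter, tee, root
+multipath: CommandFilter, multipath, root
+multipathd: CommandFilter, multipathd, root
+systool: CommandFilter, systool, root
+
+# cinder/volume/drivers/block_device.py
+blockdev: CommandFilter, blockdev, root
+
+# cinder/volume/drivers/ibm/gpfs.py
+# cinder/volume/drivers/tintri.py
+mv: CommandFilter, mv, root
+
+# cinder/volume/drivers/ibm/gpfs.py
+cp: CommandFilter, cp, root
+mmgetstate: CommandFilter, /usr/lpp/mmfs/bin/mmgetstate, root
+mmclone: CommandFilter, /usr/lpp/mmfs/bin/mmclone, root
+mmlsattr: CommandFilter, /usr/lpp/mmfs/bin/mmlsattr, root
+mmchattr: CommandFilter, /usr/lpp/mmfs/bin/mmchattr, root
+mmlsconfig: CommandFilter, /usr/lpp/mmfs/bin/mmlsconfig, root
+mmlsfs: CommandFilter, /usr/lpp/mmfs/bin/mmlsfs, root
+mmlspool: CommandFilter, /usr/lpp/mmfs/bin/mmlspool, root
+mkfs: CommandFilter, mkfs, root
+mmcrfileset: CommandFilter, /usr/lpp/mmfs/bin/mmcrfileset, root
+mmlinkfileset: CommandFilter, /usr/lpp/mmfs/bin/mmlinkfileset, root
+mmunlinkfileset: CommandFilter, /usr/lpp/mmfs/bin/mmunlinkfileset, root
+mmdelfileset: CommandFilter, /usr/lpp/mmfs/bin/mmdelfileset, root
+mmcrsnapshot: CommandFilter, /usr/lpp/mmfs/bin/mmcrsnapshot, root
+mmdelsnapshot: CommandFilter, /usr/lpp/mmfs/bin/mmdelsnapshot, root
+
+# cinder/volume/drivers/ibm/gpfs.py
+# cinder/volume/drivers/ibm/ibmnas.py
+find_maxdepth_inum: RegExpFilter, find, root, find, ^[/]*([^/\0]+(/+)?)*$, -maxdepth, \d+, -ignore_readdir_race, -inum, \d+, -print0, -quit
+
+# cinder/brick/initiator/connector.py:
+aoe-revalidate: CommandFilter, aoe-revalidate, root
+aoe-discover: CommandFilter, aoe-discover, root
+aoe-flush: CommandFilter, aoe-flush, root
+
+# cinder/brick/initiator/linuxscsi.py:
+sg_scan: CommandFilter, sg_scan, root
+
+#cinder/backup/services/tsm.py
+dsmc:CommandFilter,/usr/bin/dsmc,root
+
+# cinder/volume/drivers/hitachi/hbsd_horcm.py
+raidqry: CommandFilter, raidqry, root
+raidcom: CommandFilter, raidcom, root
+pairsplit: CommandFilter, pairsplit, root
+paircreate: CommandFilter, paircreate, root
+pairdisplay: CommandFilter, pairdisplay, root
+pairevtwait: CommandFilter, pairevtwait, root
+horcmstart.sh: CommandFilter, horcmstart.sh, root
+horcmshutdown.sh: CommandFilter, horcmshutdown.sh, root
+horcmgr: EnvFilter, env, root, HORCMINST=, /etc/horcmgr
+
+# cinder/volume/drivers/hitachi/hbsd_snm2.py
+auman: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auman
+auluref: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auluref
+auhgdef: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auhgdef
+aufibre1: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/aufibre1
+auhgwwn: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auhgwwn
+auhgmap: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auhgmap
+autargetmap: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/autargetmap
+aureplicationvvol: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/aureplicationvvol
+auluadd: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auluadd
+auludel: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auludel
+auluchgsize: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auluchgsize
+auchapuser: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auchapuser
+autargetdef: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/autargetdef
+autargetopt: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/autargetopt
+autargetini: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/autargetini
+auiscsi: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auiscsi
+audppool: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/audppool
+aureplicationlocal: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/aureplicationlocal
+aureplicationmon: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/aureplicationmon
+
+# cinder/volume/drivers/hgst.py
+vgc-cluster: CommandFilter, vgc-cluster, root
+
+# cinder/volume/drivers/vzstorage.py
+pstorage-mount: CommandFilter, pstorage-mount, root
+pstorage: CommandFilter, pstorage, root
+ploop: CommandFilter, ploop, root
+
+# initiator/connector.py:
+drv_cfg: CommandFilter, /opt/emc/scaleio/sdc/bin/drv_cfg, root, /opt/emc/scaleio/sdc/bin/drv_cfg, --query_guid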
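Review bot: The names `pvs_lvmconf`, `vgs_lvmconf`, `lvs_lvmconf` and `lvdisplay_lvmconf` are each defined twice in `[Filters]`, once under "LVM related show commands conf var" and again under "LVM conf var with suppress fd_warnings". Filter names are option keys in an INI section, so one definition of each pair is dropped or rejected depending on the parser's duplicate handling, and the filter set that loads is not the one the comments describe. Renaming the second group with the `_lvmconf_fdwarn` suffix already used by `lvcreate_lvmconf_fdwarn` and `lvextend_lvmconf_fdwarn` keeps both variants. Separately, the file enables argument-unrestricted `CommandFilter` entries for every listed driver; since values.yaml exposes `conf.rootwrap_filters.volume.override`, a header comment telling operators to trim entries for drivers they do not run would help keep the root command surface small.

```ini
# -LVM conf var with suppress fd_warnings
pvs_lvmconf_fdwarn: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, pvs
vgs_lvmconf_fdwarn: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, vgs
lvs_lvmconf_fdwarn: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvs
lvdisplay_lvmconf_fdwarn: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvdisplay
```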
@ -41,6 +41,9 @@ images:
|
||||
pull_policy: "IfNotPresent"
|
||||
|
||||
pod:
|
||||
user:
|
||||
cinder:
|
||||
uid: 1000
|
||||
affinity:
|
||||
anti:
|
||||
type:
|
||||
@ -179,9 +182,16 @@ conf:
|
||||
policy:
|
||||
override:
|
||||
append:
|
||||
cinder_sudoers:
|
||||
override:
|
||||
append:
|
||||
rootwrap:
|
||||
override:
|
||||
append:
|
||||
rootwrap_filters:
|
||||
volume:
|
||||
override:
|
||||
append:
|
||||
ceph:
|
||||
override:
|
||||
append:
|
||||
|