openstack/openstack-helm
Code Issues Proposed changes

Security: Container user and rootwrap for neutron

Browse Source 
This PS adds user control for the service user and rootwrap for
the Neutron chart.

Change-Id: Ibefa3e76c9e64427e97cdcbb93a11d2b2125e171
This commit is contained in:
Pete Birley 2017-08-22 19:57:57 -05:00
parent 87723a700c
commit 4740486f63
21 changed files with 615 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
neutron/templates/configmap-etc.yaml
View File

@ -112,4 +112,28 @@ data:
sriov_agent.ini: |+
{{- tuple .Values.conf.sriov_agent "etc/plugins/_sriov_agent.ini.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
dnsmasq.conf: ""
neutron_sudoers: |+
{{- tuple .Values.conf.neutron_sudoers "etc/_neutron_sudoers.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
rootwrap.conf: |+
{{- tuple .Values.conf.rootwrap "etc/_rootwrap.conf.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
debug.filters: |+
{{- tuple .Values.conf.rootwrap_filters.debug "etc/rootwrap.d/_debug.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
dibbler.filters: |+
{{- tuple .Values.conf.rootwrap_filters.dibbler "etc/rootwrap.d/_dibbler.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
ipset-firewall.filters: |+
{{- tuple .Values.conf.rootwrap_filters.ipset_firewall "etc/rootwrap.d/_ipset-firewall.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
l3.filters: |+
{{- tuple .Values.conf.rootwrap_filters.l3 "etc/rootwrap.d/_l3.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
netns-cleanup.filters: |+
{{- tuple .Values.conf.rootwrap_filters.netns_cleanup "etc/rootwrap.d/_netns-cleanup.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
dhcp.filters: |+
{{- tuple .Values.conf.rootwrap_filters.dhcp "etc/rootwrap.d/_dhcp.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
ebtables.filters: |+
{{- tuple .Values.conf.rootwrap_filters.ebtables "etc/rootwrap.d/_ebtables.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
iptables-firewall.filters: |+
{{- tuple .Values.conf.rootwrap_filters.iptables_firewall "etc/rootwrap.d/_iptables-firewall.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
linuxbridge-plugin.filters: |+
{{- tuple .Values.conf.rootwrap_filters.linuxbridge_plugin "etc/rootwrap.d/_linuxbridge-plugin.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
openvswitch-plugin.filters: |+
{{- tuple .Values.conf.rootwrap_filters.openvswitch_plugin "etc/rootwrap.d/_openvswitch-plugin.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
{{- end }}

54
neutron/templates/daemonset-dhcp-agent.yaml
View File

@ -36,8 +36,6 @@ spec:
spec:
nodeSelector:
{{ .Values.labels.agent.dhcp.node_selector_key }}: {{ .Values.labels.agent.dhcp.node_selector_value }}
securityContext:
runAsUser: 0
dnsPolicy: ClusterFirstWithHostNet
hostNetwork: true
initContainers:
@ -48,6 +46,7 @@ spec:
imagePullPolicy: {{ .Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.agent.dhcp | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
runAsUser: {{ .Values.pod.user.neutron.uid }}
privileged: true
command:
- /tmp/neutron-dhcp-agent.sh
@ -76,6 +75,57 @@ spec:
mountPath: /etc/neutron/dnsmasq.conf
subPath: dnsmasq.conf
readOnly: true
- name: neutron-etc
# NOTE (Portdirect): We mount here to overide Kollas custom
# sudoers file when using Kolla images, this location will
# also work fine for other images.
mountPath: /etc/sudoers.d/kolla_neutron_sudoers
subPath: neutron_sudoers
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.conf
subPath: rootwrap.conf
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/debug.filters
subPath: debug.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/dibbler.filters
subPath: dibbler.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/ipset-firewall.filters
subPath: ipset-firewall.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/l3.filters
subPath: l3.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/netns-cleanup.filters
subPath: netns-cleanup.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/dhcp.filters
subPath: dhcp.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/ebtables.filters
subPath: ebtables.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/iptables-firewall.filters
subPath: iptables-firewall.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/linuxbridge-plugin.filters
subPath: linuxbridge-plugin.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters
subPath: openvswitch-plugin.filters
readOnly: true
- name: runopenvswitch
mountPath: /run/openvswitch
- name: socket

54
neutron/templates/daemonset-l3-agent.yaml
View File

@ -36,8 +36,6 @@ spec:
spec:
nodeSelector:
{{ .Values.labels.agent.l3.node_selector_key }}: {{ .Values.labels.agent.l3.node_selector_value }}
securityContext:
runAsUser: 0
dnsPolicy: ClusterFirstWithHostNet
hostNetwork: true
initContainers:
@ -48,6 +46,7 @@ spec:
imagePullPolicy: {{ .Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.agent.l3 | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
runAsUser: {{ .Values.pod.user.neutron.uid }}
privileged: true
command:
- /tmp/neutron-l3-agent.sh
@ -72,6 +71,57 @@ spec:
mountPath: /etc/neutron/l3_agent.ini
subPath: l3_agent.ini
readOnly: true
- name: neutron-etc
# NOTE (Portdirect): We mount here to overide Kollas custom
# sudoers file when using Kolla images, this location will
# also work fine for other images.
mountPath: /etc/sudoers.d/kolla_neutron_sudoers
subPath: neutron_sudoers
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.conf
subPath: rootwrap.conf
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/debug.filters
subPath: debug.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/dibbler.filters
subPath: dibbler.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/ipset-firewall.filters
subPath: ipset-firewall.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/l3.filters
subPath: l3.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/netns-cleanup.filters
subPath: netns-cleanup.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/dhcp.filters
subPath: dhcp.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/ebtables.filters
subPath: ebtables.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/iptables-firewall.filters
subPath: iptables-firewall.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/linuxbridge-plugin.filters
subPath: linuxbridge-plugin.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters
subPath: openvswitch-plugin.filters
readOnly: true
- name: runopenvswitch
mountPath: /run/openvswitch
- name: libmodules

54
neutron/templates/daemonset-metadata-agent.yaml
View File

@ -36,8 +36,6 @@ spec:
spec:
nodeSelector:
{{ .Values.labels.agent.metadata.node_selector_key }}: {{ .Values.labels.agent.metadata.node_selector_value }}
securityContext:
runAsUser: 0
dnsPolicy: ClusterFirstWithHostNet
hostNetwork: true
initContainers:
@ -48,6 +46,7 @@ spec:
imagePullPolicy: {{ .Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.agent.metadata | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
runAsUser: {{ .Values.pod.user.neutron.uid }}
privileged: true
ports:
- containerPort: {{ .Values.network.metadata.port }}
@ -74,6 +73,57 @@ spec:
mountPath: /etc/neutron/metadata_agent.ini
subPath: metadata_agent.ini
readOnly: true
- name: neutron-etc
# NOTE (Portdirect): We mount here to overide Kollas custom
# sudoers file when using Kolla images, this location will
# also work fine for other images.
mountPath: /etc/sudoers.d/kolla_neutron_sudoers
subPath: neutron_sudoers
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.conf
subPath: rootwrap.conf
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/debug.filters
subPath: debug.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/dibbler.filters
subPath: dibbler.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/ipset-firewall.filters
subPath: ipset-firewall.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/l3.filters
subPath: l3.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/netns-cleanup.filters
subPath: netns-cleanup.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/dhcp.filters
subPath: dhcp.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/ebtables.filters
subPath: ebtables.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/iptables-firewall.filters
subPath: iptables-firewall.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/linuxbridge-plugin.filters
subPath: linuxbridge-plugin.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters
subPath: openvswitch-plugin.filters
readOnly: true
- name: runopenvswitch
mountPath: /run/openvswitch
- name: socket

103
neutron/templates/daemonset-ovs-agent.yaml
View File

@ -68,6 +68,57 @@ spec:
mountPath: /etc/neutron/plugins/ml2/openvswitch_agent.ini
subPath: openvswitch_agent.ini
readOnly: true
- name: neutron-etc
# NOTE (Portdirect): We mount here to overide Kollas custom
# sudoers file when using Kolla images, this location will
# also work fine for other images.
mountPath: /etc/sudoers.d/kolla_neutron_sudoers
subPath: neutron_sudoers
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.conf
subPath: rootwrap.conf
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/debug.filters
subPath: debug.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/dibbler.filters
subPath: dibbler.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/ipset-firewall.filters
subPath: ipset-firewall.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/l3.filters
subPath: l3.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/netns-cleanup.filters
subPath: netns-cleanup.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/dhcp.filters
subPath: dhcp.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/ebtables.filters
subPath: ebtables.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/iptables-firewall.filters
subPath: iptables-firewall.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/linuxbridge-plugin.filters
subPath: linuxbridge-plugin.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters
subPath: openvswitch-plugin.filters
readOnly: true
- name: libmodules
mountPath: /lib/modules
readOnly: true
@ -80,6 +131,7 @@ spec:
imagePullPolicy: {{ .Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.agent.ovs | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
runAsUser: {{ .Values.pod.user.neutron.uid }}
privileged: true
command:
- /tmp/neutron-openvswitch-agent.sh
@ -110,6 +162,57 @@ spec:
mountPath: /etc/neutron/plugins/ml2/openvswitch_agent.ini
subPath: openvswitch_agent.ini
readOnly: true
- name: neutron-etc
# NOTE (Portdirect): We mount here to overide Kollas custom
# sudoers file when using Kolla images, this location will
# also work fine for other images.
mountPath: /etc/sudoers.d/kolla_neutron_sudoers
subPath: neutron_sudoers
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.conf
subPath: rootwrap.conf
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/debug.filters
subPath: debug.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/dibbler.filters
subPath: dibbler.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/ipset-firewall.filters
subPath: ipset-firewall.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/l3.filters
subPath: l3.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/netns-cleanup.filters
subPath: netns-cleanup.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/dhcp.filters
subPath: dhcp.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/ebtables.filters
subPath: ebtables.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/iptables-firewall.filters
subPath: iptables-firewall.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/linuxbridge-plugin.filters
subPath: linuxbridge-plugin.filters
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters
subPath: openvswitch-plugin.filters
readOnly: true
- name: libmodules
mountPath: /lib/modules
readOnly: true

3
neutron/templates/daemonset-ovs-db.yaml
View File

@ -33,8 +33,6 @@ spec:
spec:
nodeSelector:
{{ .Values.labels.ovs.node_selector_key }}: {{ .Values.labels.ovs.node_selector_value }}
securityContext:
runAsUser: 0
dnsPolicy: ClusterFirstWithHostNet
hostNetwork: true
containers:
@ -43,6 +41,7 @@ spec:
imagePullPolicy: {{ .Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.ovs.db | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
runAsUser: 0
privileged: true
command:
- /tmp/openvswitch-db-server.sh

3
neutron/templates/daemonset-ovs-vswitchd.yaml
View File

@ -33,8 +33,6 @@ spec:
spec:
nodeSelector:
{{ .Values.labels.ovs.node_selector_key }}: {{ .Values.labels.ovs.node_selector_value }}
securityContext:
runAsUser: 0
dnsPolicy: ClusterFirstWithHostNet
hostNetwork: true
containers:
@ -43,6 +41,7 @@ spec:
imagePullPolicy: {{ .Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.ovs.vswitchd | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
runAsUser: 0
privileged: true
# ensures this container can speak to the ovs database
# successfully before its marked as ready

2
neutron/templates/deployment-server.yaml
View File

@ -47,6 +47,8 @@ spec:
image: {{ .Values.images.server }}
imagePullPolicy: {{ .Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
runAsUser: {{ .Values.pod.user.neutron.uid }}
command:
- /tmp/neutron-server.sh
- start

20
neutron/templates/etc/_neutron_sudoers.tpl Normal file
View File

@ -0,0 +1,20 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
# This sudoers file supports rootwrap for both Kolla and LOCI Images.
Defaults !requiretty
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/var/lib/openstack/bin:/var/lib/kolla/venv/bin"
neutron ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *, /var/lib/openstack/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *

34
neutron/templates/etc/_rootwrap.conf.tpl Normal file
View File

@ -0,0 +1,34 @@
# Configuration for neutron-rootwrap
# This file should be owned by (and only-writeable by) the root user
[DEFAULT]
# List of directories to load filter definitions from (separated by ',').
# These directories MUST all be only writeable by root !
filters_path=/etc/neutron/rootwrap.d,/usr/share/neutron/rootwrap
# List of directories to search executables in, in case filters do not
# explicitely specify a full path (separated by ',')
# If not specified, defaults to system PATH environment variable.
# These directories MUST all be only writeable by root !
exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/var/lib/openstack/bin,/var/lib/kolla/venv/bin
# Enable logging to syslog
# Default value is False
use_syslog=False
# Which syslog facility to use.
# Valid values include auth, authpriv, syslog, local0, local1...
# Default value is 'syslog'
syslog_log_facility=syslog
# Which messages to log.
# INFO means log all usage
# ERROR means only log unsuccessful attempts
syslog_log_level=ERROR
[xenapi]
# XenAPI configuration is only required by the L2 agent if it is to
# target a XenServer/XCP compute host's dom0.
xenapi_connection_url=<None>
xenapi_connection_username=root
xenapi_connection_password=<None>

18
neutron/templates/etc/rootwrap.d/_debug.filters.tpl Normal file
View File

@ -0,0 +1,18 @@
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# This is needed because we should ping
# from inside a namespace which requires root
# _alt variants allow to match -c and -w in any order
# (used by NeutronDebugAgent.ping_all)
ping: RegExpFilter, ping, root, ping, -w, \d+, -c, \d+, [0-9\.]+
ping_alt: RegExpFilter, ping, root, ping, -c, \d+, -w, \d+, [0-9\.]+
ping6: RegExpFilter, ping6, root, ping6, -w, \d+, -c, \d+, [0-9A-Fa-f:]+
ping6_alt: RegExpFilter, ping6, root, ping6, -c, \d+, -w, \d+, [0-9A-Fa-f:]+

34
neutron/templates/etc/rootwrap.d/_dhcp.filters.tpl Normal file
View File

@ -0,0 +1,34 @@
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# dhcp-agent
dnsmasq: CommandFilter, dnsmasq, root
# dhcp-agent uses kill as well, that's handled by the generic KillFilter
# it looks like these are the only signals needed, per
# neutron/agent/linux/dhcp.py
kill_dnsmasq: KillFilter, root, /sbin/dnsmasq, -9, -HUP, -15
kill_dnsmasq_usr: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP, -15
ovs-vsctl: CommandFilter, ovs-vsctl, root
ivs-ctl: CommandFilter, ivs-ctl, root
mm-ctl: CommandFilter, mm-ctl, root
dhcp_release: CommandFilter, dhcp_release, root
dhcp_release6: CommandFilter, dhcp_release6, root
# metadata proxy
metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
# RHEL invocation of the metadata proxy will report /usr/bin/python
kill_metadata: KillFilter, root, python, -9
kill_metadata7: KillFilter, root, python2.7, -9
# ip_lib
ip: IpFilter, ip, root
find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
ip_exec: IpNetnsExecFilter, ip, root

16
neutron/templates/etc/rootwrap.d/_dibbler.filters.tpl Normal file
View File

@ -0,0 +1,16 @@
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# Filters for the dibbler-based reference implementation of the pluggable
# Prefix Delegation driver. Other implementations using an alternative agent
# should include a similar filter in this folder.
# prefix_delegation_agent
dibbler-client: CommandFilter, dibbler-client, root

11
neutron/templates/etc/rootwrap.d/_ebtables.filters.tpl Normal file
View File

@ -0,0 +1,11 @@
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
ebtables: CommandFilter, ebtables, root

12
neutron/templates/etc/rootwrap.d/_ipset-firewall.filters.tpl Normal file
View File

@ -0,0 +1,12 @@
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# neutron/agent/linux/iptables_firewall.py
# "ipset", "-A", ...
ipset: CommandFilter, ipset, root

27
neutron/templates/etc/rootwrap.d/_iptables-firewall.filters.tpl Normal file
View File

@ -0,0 +1,27 @@
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# neutron/agent/linux/iptables_firewall.py
# "iptables-save", ...
iptables-save: CommandFilter, iptables-save, root
iptables-restore: CommandFilter, iptables-restore, root
ip6tables-save: CommandFilter, ip6tables-save, root
ip6tables-restore: CommandFilter, ip6tables-restore, root
# neutron/agent/linux/iptables_firewall.py
# "iptables", "-A", ...
iptables: CommandFilter, iptables, root
ip6tables: CommandFilter, ip6tables, root
# neutron/agent/linux/iptables_firewall.py
sysctl: CommandFilter, sysctl, root
# neutron/agent/linux/ip_conntrack.py
conntrack: CommandFilter, conntrack, root

52
neutron/templates/etc/rootwrap.d/_l3.filters.tpl Normal file
View File

@ -0,0 +1,52 @@
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# arping
arping: CommandFilter, arping, root
# l3_agent
sysctl: CommandFilter, sysctl, root
route: CommandFilter, route, root
radvd: CommandFilter, radvd, root
# metadata proxy
metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
# RHEL invocation of the metadata proxy will report /usr/bin/python
kill_metadata: KillFilter, root, python, -15, -9
kill_metadata7: KillFilter, root, python2.7, -15, -9
kill_radvd_usr: KillFilter, root, /usr/sbin/radvd, -15, -9, -HUP
kill_radvd: KillFilter, root, /sbin/radvd, -15, -9, -HUP
# ip_lib
ip: IpFilter, ip, root
find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
ip_exec: IpNetnsExecFilter, ip, root
# For ip monitor
kill_ip_monitor: KillFilter, root, ip, -9
# ovs_lib (if OVSInterfaceDriver is used)
ovs-vsctl: CommandFilter, ovs-vsctl, root
# iptables_manager
iptables-save: CommandFilter, iptables-save, root
iptables-restore: CommandFilter, iptables-restore, root
ip6tables-save: CommandFilter, ip6tables-save, root
ip6tables-restore: CommandFilter, ip6tables-restore, root
# Keepalived
keepalived: CommandFilter, keepalived, root
kill_keepalived: KillFilter, root, /usr/sbin/keepalived, -HUP, -15, -9
# l3 agent to delete floatingip's conntrack state
conntrack: CommandFilter, conntrack, root
# keepalived state change monitor
keepalived_state_change: CommandFilter, neutron-keepalived-state-change, root

28
neutron/templates/etc/rootwrap.d/_linuxbridge-plugin.filters.tpl Normal file
View File

@ -0,0 +1,28 @@
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# linuxbridge-agent
# unclear whether both variants are necessary, but I'm transliterating
# from the old mechanism
brctl: CommandFilter, brctl, root
bridge: CommandFilter, bridge, root
# ip_lib
ip: IpFilter, ip, root
find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
ip_exec: IpNetnsExecFilter, ip, root
# tc commands needed for QoS support
tc_replace_tbf: RegExpFilter, tc, root, tc, qdisc, replace, dev, .+, root, tbf, rate, .+, latency, .+, burst, .+
tc_add_ingress: RegExpFilter, tc, root, tc, qdisc, add, dev, .+, ingress, handle, .+
tc_delete: RegExpFilter, tc, root, tc, qdisc, del, dev, .+, .+
tc_show_qdisc: RegExpFilter, tc, root, tc, qdisc, show, dev, .+
tc_show_filters: RegExpFilter, tc, root, tc, filter, show, dev, .+, parent, .+
tc_add_filter: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, all, prio, .+, basic, police, rate, .+, burst, .+, mtu, .+, drop

12
neutron/templates/etc/rootwrap.d/_netns-cleanup.filters.tpl Normal file
View File

@ -0,0 +1,12 @@
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# netns-cleanup
netstat: CommandFilter, netstat, root

24
neutron/templates/etc/rootwrap.d/_openvswitch-plugin.filters.tpl Normal file
View File

@ -0,0 +1,24 @@
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# openvswitch-agent
# unclear whether both variants are necessary, but I'm transliterating
# from the old mechanism
ovs-vsctl: CommandFilter, ovs-vsctl, root
# NOTE(yamamoto): of_interface=native doesn't use ovs-ofctl
ovs-ofctl: CommandFilter, ovs-ofctl, root
kill_ovsdb_client: KillFilter, root, /usr/bin/ovsdb-client, -9
ovsdb-client: CommandFilter, ovsdb-client, root
xe: CommandFilter, xe, root
# ip_lib
ip: IpFilter, ip, root
find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
ip_exec: IpNetnsExecFilter, ip, root

40
neutron/values.yaml
View File

@ -179,6 +179,9 @@ dependencies:
endpoint: internal
pod:
user:
neutron:
uid: 1000
affinity:
anti:
type:
@ -364,6 +367,43 @@ conf:
policy:
override:
append:
neutron_sudoers:
override:
append:
rootwrap:
override:
append:
rootwrap_filters:
debug:
override:
append:
dibbler:
override:
append:
ipset_firewall:
override:
append:
l3:
override:
append:
netns_cleanup:
override:
append:
dhcp:
override:
append:
ebtables:
override:
append:
iptables_firewall:
override:
append:
linuxbridge_plugin:
override:
append:
openvswitch_plugin:
override:
append:
neutron:
override:
append: