diff --git a/neutron/templates/configmap-etc.yaml b/neutron/templates/configmap-etc.yaml
index 8442c9f06e..6c597d1bfd 100644
--- a/neutron/templates/configmap-etc.yaml
+++ b/neutron/templates/configmap-etc.yaml
@@ -112,4 +112,28 @@ data:
 sriov_agent.ini: |+
 {{- tuple .Values.conf.sriov_agent "etc/plugins/_sriov_agent.ini.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
 dnsmasq.conf: ""
+ neutron_sudoers: |+
+{{- tuple .Values.conf.neutron_sudoers "etc/_neutron_sudoers.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
+ rootwrap.conf: |+
+{{- tuple .Values.conf.rootwrap "etc/_rootwrap.conf.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
+ debug.filters: |+
+{{- tuple .Values.conf.rootwrap_filters.debug "etc/rootwrap.d/_debug.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
+ dibbler.filters: |+
+{{- tuple .Values.conf.rootwrap_filters.dibbler "etc/rootwrap.d/_dibbler.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
+ ipset-firewall.filters: |+
+{{- tuple .Values.conf.rootwrap_filters.ipset_firewall "etc/rootwrap.d/_ipset-firewall.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
+ l3.filters: |+
+{{- tuple .Values.conf.rootwrap_filters.l3 "etc/rootwrap.d/_l3.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
+ netns-cleanup.filters: |+
+{{- tuple .Values.conf.rootwrap_filters.netns_cleanup "etc/rootwrap.d/_netns-cleanup.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
+ dhcp.filters: |+
+{{- tuple .Values.conf.rootwrap_filters.dhcp "etc/rootwrap.d/_dhcp.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
+ ebtables.filters: |+
+{{- tuple .Values.conf.rootwrap_filters.ebtables "etc/rootwrap.d/_ebtables.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
+ iptables-firewall.filters: |+
+{{- tuple .Values.conf.rootwrap_filters.iptables_firewall "etc/rootwrap.d/_iptables-firewall.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
+ linuxbridge-plugin.filters: |+
+{{- tuple .Values.conf.rootwrap_filters.linuxbridge_plugin "etc/rootwrap.d/_linuxbridge-plugin.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
+ openvswitch-plugin.filters: |+
+{{- tuple .Values.conf.rootwrap_filters.openvswitch_plugin "etc/rootwrap.d/_openvswitch-plugin.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
 {{- end }}
diff --git a/neutron/templates/daemonset-dhcp-agent.yaml b/neutron/templates/daemonset-dhcp-agent.yaml
index 5ff0f4f43d..ccabc2ae1b 100644
--- a/neutron/templates/daemonset-dhcp-agent.yaml
+++ b/neutron/templates/daemonset-dhcp-agent.yaml
@@ -36,8 +36,6 @@ spec:
 spec:
 nodeSelector:
 {{ .Values.labels.agent.dhcp.node_selector_key }}: {{ .Values.labels.agent.dhcp.node_selector_value }}
- securityContext:
- runAsUser: 0
 dnsPolicy: ClusterFirstWithHostNet
 hostNetwork: true
 initContainers:
@@ -48,6 +46,7 @@ spec:
 imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.agent.dhcp | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 securityContext:
+ runAsUser: {{ .Values.pod.user.neutron.uid }}
 privileged: true
 command:
 - /tmp/neutron-dhcp-agent.sh
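Review bot: `runAsUser: {{ .Values.pod.user.neutron.uid }}` is added without `runAsNonRoot: true`, so an operator override that sets `pod.user.neutron.uid` to `0` quietly returns the container to root while `privileged: true` stays in place; `runAsNonRoot: true` under the same `securityContext:` makes the kubelet reject such a pod at admission. The identical hunk appears in daemonset-l3-agent.yaml, daemonset-metadata-agent.yaml, daemonset-ovs-agent.yaml (`@@ -80,6 +131,7`) and deployment-server.yaml. Because the container remains privileged, the uid switch mostly relocates the trust boundary onto the sudoers rule and rootwrap filters this commit mounts, which deserves a one-line comment above the field. The preceding hunk also drops the pod-level `runAsUser: 0`, so the init containers now run as the image's default user; they are outside this hunk, so please confirm none of them needs root.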
@@ -76,6 +75,57 @@ spec:
 mountPath: /etc/neutron/dnsmasq.conf
 subPath: dnsmasq.conf
 readOnly: true
+ - name: neutron-etc
+ # NOTE (Portdirect): We mount here to overide Kollas custom
+ # sudoers file when using Kolla images, this location will
+ # also work fine for other images.
+ mountPath: /etc/sudoers.d/kolla_neutron_sudoers
+ subPath: neutron_sudoers
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.conf
+ subPath: rootwrap.conf
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.d/debug.filters
+ subPath: debug.filters
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.d/dibbler.filters
+ subPath: dibbler.filters
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.d/ipset-firewall.filters
+ subPath: ipset-firewall.filters
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.d/l3.filters
+ subPath: l3.filters
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.d/netns-cleanup.filters
+ subPath: netns-cleanup.filters
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.d/dhcp.filters
+ subPath: dhcp.filters
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.d/ebtables.filters
+ subPath: ebtables.filters
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.d/iptables-firewall.filters
+ subPath: iptables-firewall.filters
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.d/linuxbridge-plugin.filters
+ subPath: linuxbridge-plugin.filters
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters
+ subPath: openvswitch-plugin.filters
+ readOnly: true
 - name: runopenvswitch
 mountPath: /run/openvswitch
 - name: socket
diff --git a/neutron/templates/daemonset-l3-agent.yaml b/neutron/templates/daemonset-l3-agent.yaml
index fa13d12e07..c616e642ec 100644
--- a/neutron/templates/daemonset-l3-agent.yaml
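Review bot: Each rootwrap filter is mounted individually with `subPath` into `/etc/neutron/rootwrap.d/`, so the directory itself remains whatever the image ships, while the `rootwrap.conf` added by this commit requires every `filters_path` directory to be writable only by root. If the image's `/etc/neutron/rootwrap.d` (or `/etc/neutron`) is owned by the `neutron` uid the container now runs as, the filter set is no longer root-controlled and the uid change buys little; I cannot see the image from here, so please confirm the ownership or mount the directory itself read-only rather than file by file. The `/etc/sudoers.d/kolla_neutron_sudoers` mount also depends on the `neutron-etc` volume mode defined outside this hunk: sudo refuses to load a sudoers.d entry that is not root-owned or is writable by others, so a permissive `defaultMode` would fail rootwrap closed rather than open, which is worth a sentence in the NOTE comment. The same 51-line block is pasted into daemonset-l3-agent.yaml, daemonset-metadata-agent.yaml and twice into daemonset-ovs-agent.yaml; a named helper template would keep the twelve mounts from drifting between agents.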
+++ b/neutron/templates/daemonset-l3-agent.yaml
@@ -36,8 +36,6 @@ spec:
 spec:
 nodeSelector:
 {{ .Values.labels.agent.l3.node_selector_key }}: {{ .Values.labels.agent.l3.node_selector_value }}
- securityContext:
- runAsUser: 0
 dnsPolicy: ClusterFirstWithHostNet
 hostNetwork: true
 initContainers:
@@ -48,6 +46,7 @@ spec:
 imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.agent.l3 | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 securityContext:
+ runAsUser: {{ .Values.pod.user.neutron.uid }}
 privileged: true
 command:
 - /tmp/neutron-l3-agent.sh
@@ -72,6 +71,57 @@ spec:
 mountPath: /etc/neutron/l3_agent.ini
 subPath: l3_agent.ini
 readOnly: true
+ - name: neutron-etc
+ # NOTE (Portdirect): We mount here to overide Kollas custom
+ # sudoers file when using Kolla images, this location will
+ # also work fine for other images.
+ mountPath: /etc/sudoers.d/kolla_neutron_sudoers
+ subPath: neutron_sudoers
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.conf
+ subPath: rootwrap.conf
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.d/debug.filters
+ subPath: debug.filters
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.d/dibbler.filters
+ subPath: dibbler.filters
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.d/ipset-firewall.filters
+ subPath: ipset-firewall.filters
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.d/l3.filters
+ subPath: l3.filters
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.d/netns-cleanup.filters
+ subPath: netns-cleanup.filters
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.d/dhcp.filters
+ subPath: dhcp.filters
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.d/ebtables.filters
+ subPath: ebtables.filters
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.d/iptables-firewall.filters
+ subPath: iptables-firewall.filters
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.d/linuxbridge-plugin.filters
+ subPath: linuxbridge-plugin.filters
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters
+ subPath: openvswitch-plugin.filters
+ readOnly: true
 - name: runopenvswitch
 mountPath: /run/openvswitch
 - name: libmodules
diff --git a/neutron/templates/daemonset-metadata-agent.yaml b/neutron/templates/daemonset-metadata-agent.yaml
index 8cf6b890c9..afbeb1772e 100644
--- a/neutron/templates/daemonset-metadata-agent.yaml
+++ b/neutron/templates/daemonset-metadata-agent.yaml
@@ -36,8 +36,6 @@ spec:
 spec:
 nodeSelector:
 {{ .Values.labels.agent.metadata.node_selector_key }}: {{ .Values.labels.agent.metadata.node_selector_value }}
- securityContext:
- runAsUser: 0
 dnsPolicy: ClusterFirstWithHostNet
 hostNetwork: true
 initContainers:
@@ -48,6 +46,7 @@ spec:
 imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.agent.metadata | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 securityContext:
+ runAsUser: {{ .Values.pod.user.neutron.uid }}
 privileged: true
 ports:
 - containerPort: {{ .Values.network.metadata.port }}
@@ -74,6 +73,57 @@ spec:
 mountPath: /etc/neutron/metadata_agent.ini
 subPath: metadata_agent.ini
 readOnly: true
+ - name: neutron-etc
+ # NOTE (Portdirect): We mount here to overide Kollas custom
+ # sudoers file when using Kolla images, this location will
+ # also work fine for other images.
+ mountPath: /etc/sudoers.d/kolla_neutron_sudoers
+ subPath: neutron_sudoers
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.conf
+ subPath: rootwrap.conf
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.d/debug.filters
+ subPath: debug.filters
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.d/dibbler.filters
+ subPath: dibbler.filters
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.d/ipset-firewall.filters
+ subPath: ipset-firewall.filters
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.d/l3.filters
+ subPath: l3.filters
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.d/netns-cleanup.filters
+ subPath: netns-cleanup.filters
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.d/dhcp.filters
+ subPath: dhcp.filters
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.d/ebtables.filters
+ subPath: ebtables.filters
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.d/iptables-firewall.filters
+ subPath: iptables-firewall.filters
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.d/linuxbridge-plugin.filters
+ subPath: linuxbridge-plugin.filters
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters
+ subPath: openvswitch-plugin.filters
+ readOnly: true
 - name: runopenvswitch
 mountPath: /run/openvswitch
 - name: socket
diff --git a/neutron/templates/daemonset-ovs-agent.yaml b/neutron/templates/daemonset-ovs-agent.yaml
index 3b1a1d3edb..23011d245f 100644
--- a/neutron/templates/daemonset-ovs-agent.yaml
+++ b/neutron/templates/daemonset-ovs-agent.yaml
@@ -68,6 +68,57 @@ spec:
 mountPath: /etc/neutron/plugins/ml2/openvswitch_agent.ini
 subPath: openvswitch_agent.ini
 readOnly: true
+ - name: neutron-etc
+ # NOTE (Portdirect): We mount here to overide Kollas custom
+ # sudoers file when using Kolla images, this location will
+ # also work fine for other images.
+ mountPath: /etc/sudoers.d/kolla_neutron_sudoers
+ subPath: neutron_sudoers
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.conf
+ subPath: rootwrap.conf
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.d/debug.filters
+ subPath: debug.filters
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.d/dibbler.filters
+ subPath: dibbler.filters
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.d/ipset-firewall.filters
+ subPath: ipset-firewall.filters
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.d/l3.filters
+ subPath: l3.filters
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.d/netns-cleanup.filters
+ subPath: netns-cleanup.filters
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.d/dhcp.filters
+ subPath: dhcp.filters
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.d/ebtables.filters
+ subPath: ebtables.filters
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.d/iptables-firewall.filters
+ subPath: iptables-firewall.filters
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.d/linuxbridge-plugin.filters
+ subPath: linuxbridge-plugin.filters
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters
+ subPath: openvswitch-plugin.filters
+ readOnly: true
 - name: libmodules
 mountPath: /lib/modules
 readOnly: true
@@ -80,6 +131,7 @@ spec:
 imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.agent.ovs | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 securityContext:
+ runAsUser: {{ .Values.pod.user.neutron.uid }}
 privileged: true
 command:
 - /tmp/neutron-openvswitch-agent.sh
@@ -110,6 +162,57 @@ spec:
 mountPath: /etc/neutron/plugins/ml2/openvswitch_agent.ini
 subPath: openvswitch_agent.ini
 readOnly: true
+ - name: neutron-etc
+ # NOTE (Portdirect): We mount here to overide Kollas custom
+ # sudoers file when using Kolla images, this location will
+ # also work fine for other images.
+ mountPath: /etc/sudoers.d/kolla_neutron_sudoers
+ subPath: neutron_sudoers
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.conf
+ subPath: rootwrap.conf
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.d/debug.filters
+ subPath: debug.filters
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.d/dibbler.filters
+ subPath: dibbler.filters
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.d/ipset-firewall.filters
+ subPath: ipset-firewall.filters
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.d/l3.filters
+ subPath: l3.filters
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.d/netns-cleanup.filters
+ subPath: netns-cleanup.filters
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.d/dhcp.filters
+ subPath: dhcp.filters
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.d/ebtables.filters
+ subPath: ebtables.filters
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.d/iptables-firewall.filters
+ subPath: iptables-firewall.filters
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.d/linuxbridge-plugin.filters
+ subPath: linuxbridge-plugin.filters
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters
+ subPath: openvswitch-plugin.filters
+ readOnly: true
 - name: libmodules
 mountPath: /lib/modules
 readOnly: true
diff --git a/neutron/templates/daemonset-ovs-db.yaml b/neutron/templates/daemonset-ovs-db.yaml
index db1cfea7d3..0d1dfb5f5c 100644
--- a/neutron/templates/daemonset-ovs-db.yaml
+++ b/neutron/templates/daemonset-ovs-db.yaml
@@ -33,8 +33,6 @@ spec:
 spec:
 nodeSelector:
 {{ .Values.labels.ovs.node_selector_key }}: {{ .Values.labels.ovs.node_selector_value }}
- securityContext:
- runAsUser: 0
 dnsPolicy: ClusterFirstWithHostNet
 hostNetwork: true
 containers:
@@ -43,6 +41,7 @@ spec:
 imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.ovs.db | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 securityContext:
+ runAsUser: 0
 privileged: true
 command:
 - /tmp/openvswitch-db-server.sh
diff --git a/neutron/templates/daemonset-ovs-vswitchd.yaml b/neutron/templates/daemonset-ovs-vswitchd.yaml
index ab617861e5..8ab84859e6 100644
--- a/neutron/templates/daemonset-ovs-vswitchd.yaml
+++ b/neutron/templates/daemonset-ovs-vswitchd.yaml
@@ -33,8 +33,6 @@ spec:
 spec:
 nodeSelector:
 {{ .Values.labels.ovs.node_selector_key }}: {{ .Values.labels.ovs.node_selector_value }}
- securityContext:
- runAsUser: 0
 dnsPolicy: ClusterFirstWithHostNet
 hostNetwork: true
 containers:
@@ -43,6 +41,7 @@ spec:
 imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.ovs.vswitchd | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 securityContext:
+ runAsUser: 0
 privileged: true
 # ensures this container can speak to the ovs database
 # successfully before its marked as ready
diff --git a/neutron/templates/deployment-server.yaml b/neutron/templates/deployment-server.yaml
index a98c08c45c..418fb8a064 100644
--- a/neutron/templates/deployment-server.yaml
+++ b/neutron/templates/deployment-server.yaml
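Review bot: The ovs-db container keeps `runAsUser: 0` together with `privileged: true`, only moved from pod scope to container scope, while every neutron agent in this commit switches to `.Values.pod.user.neutron.uid`, and nothing records why these two must stay root. A comment above the field, e.g. `# NOTE: runs as root on purpose, unlike the neutron agents; reason: <fill in>`, would stop a later cleanup from changing it blindly; the `@@ -43,6 +41,7` hunk in daemonset-ovs-vswitchd.yaml needs the same. Moving the setting into the container also means any other container in these pods no longer inherits root; none is visible in this hunk, so please confirm nothing else relied on the pod-level value.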
@@ -47,6 +47,8 @@ spec:
 image: {{ .Values.images.server }}
 imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ runAsUser: {{ .Values.pod.user.neutron.uid }}
 command:
 - /tmp/neutron-server.sh
 - start
diff --git a/neutron/templates/etc/_neutron_sudoers.tpl b/neutron/templates/etc/_neutron_sudoers.tpl
new file mode 100644
index 0000000000..cf1f12aca6
--- /dev/null
+++ b/neutron/templates/etc/_neutron_sudoers.tpl
@@ -0,0 +1,20 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This sudoers file supports rootwrap for both Kolla and LOCI Images.
+Defaults !requiretty
+Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/var/lib/openstack/bin:/var/lib/kolla/venv/bin"
+neutron ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *, /var/lib/openstack/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *
diff --git a/neutron/templates/etc/_rootwrap.conf.tpl b/neutron/templates/etc/_rootwrap.conf.tpl
new file mode 100644
index 0000000000..0e7c3c5789
--- /dev/null
+++ b/neutron/templates/etc/_rootwrap.conf.tpl
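Review bot: The rule on the last line is keyed on the account name `neutron`, but the pods now run as the numeric `pod.user.neutron.uid` (1000 in values.yaml), so the grant only matches when the image's `/etc/passwd` maps that uid to `neutron`; a mismatch makes every rootwrap call fail with a sudo denial rather than anything worse, but it is an unrecorded coupling between values.yaml and the images. Please record it next to the rule, e.g. `# The pods run as pod.user.neutron.uid; that uid must resolve to the 'neutron' account in the image for this rule to match.`, and the `uid: 1000` default in the values.yaml hunk deserves the same remark. The trailing `*` after `/etc/neutron/rootwrap.conf` is the usual upstream shape, which means the filter files under `rootwrap.d` are the only thing bounding what runs as root; the header comment could say that instead of only naming the image families. `Defaults !requiretty` applies to every account on the system, not only `neutron`; `Defaults:neutron !requiretty` limits the relaxation to the one account that needs it.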
@@ -0,0 +1,34 @@
+# Configuration for neutron-rootwrap
+# This file should be owned by (and only-writeable by) the root user
+
+[DEFAULT]
+# List of directories to load filter definitions from (separated by ',').
+# These directories MUST all be only writeable by root !
+filters_path=/etc/neutron/rootwrap.d,/usr/share/neutron/rootwrap
+
+# List of directories to search executables in, in case filters do not
+# explicitely specify a full path (separated by ',')
+# If not specified, defaults to system PATH environment variable.
+# These directories MUST all be only writeable by root !
+exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/var/lib/openstack/bin,/var/lib/kolla/venv/bin
+
+# Enable logging to syslog
+# Default value is False
+use_syslog=False
+
+# Which syslog facility to use.
+# Valid values include auth, authpriv, syslog, local0, local1...
+# Default value is 'syslog'
+syslog_log_facility=syslog
+
+# Which messages to log.
+# INFO means log all usage
+# ERROR means only log unsuccessful attempts
+syslog_log_level=ERROR
+
+[xenapi]
+# XenAPI configuration is only required by the L2 agent if it is to
+# target a XenServer/XCP compute host's dom0.
+xenapi_connection_url=
+xenapi_connection_username=root
+xenapi_connection_password=
diff --git a/neutron/templates/etc/rootwrap.d/_debug.filters.tpl b/neutron/templates/etc/rootwrap.d/_debug.filters.tpl
new file mode 100644
index 0000000000..89cb042a3a
--- /dev/null
+++ b/neutron/templates/etc/rootwrap.d/_debug.filters.tpl
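Review bot: The `[xenapi]` section carries `xenapi_connection_password=` in a file rendered into the ConfigMap from configmap-etc.yaml, so anyone who later fills it through `conf.rootwrap` in values.yaml ends up with a credential in a ConfigMap rather than a Secret; if these charts do not target XenServer hosts, a comment saying so (or dropping the section) avoids that trap. Separately, `use_syslog=False` with `syslog_log_level=ERROR` leaves no record of which commands rootwrap elevated, and a container normally has no syslog socket to receive them even if enabled, so a short note that rootwrap elevation is effectively unaudited in this deployment would keep operators from assuming otherwise. Both settings are reachable through the `conf.rootwrap.override`/`append` hooks added in values.yaml, which is the place such a note can point to.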
@@ -0,0 +1,18 @@
+# neutron-rootwrap command filters for nodes on which neutron is
+# expected to control network
+#
+# This file should be owned by (and only-writeable by) the root user
+
+# format seems to be
+# cmd-name: filter-name, raw-command, user, args
+
+[Filters]
+
+# This is needed because we should ping
+# from inside a namespace which requires root
+# _alt variants allow to match -c and -w in any order
+# (used by NeutronDebugAgent.ping_all)
+ping: RegExpFilter, ping, root, ping, -w, \d+, -c, \d+, [0-9\.]+
+ping_alt: RegExpFilter, ping, root, ping, -c, \d+, -w, \d+, [0-9\.]+
+ping6: RegExpFilter, ping6, root, ping6, -w, \d+, -c, \d+, [0-9A-Fa-f:]+
+ping6_alt: RegExpFilter, ping6, root, ping6, -c, \d+, -w, \d+, [0-9A-Fa-f:]+
diff --git a/neutron/templates/etc/rootwrap.d/_dhcp.filters.tpl b/neutron/templates/etc/rootwrap.d/_dhcp.filters.tpl
new file mode 100644
index 0000000000..3f06b4ae26
--- /dev/null
+++ b/neutron/templates/etc/rootwrap.d/_dhcp.filters.tpl
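Review bot: This file exists for `NeutronDebugAgent.ping_all`, as its own comment says, yet the daemonset hunks mount it, and every other filter file in this commit, into all four agent pods, so each agent's rootwrap accepts the union of all filters rather than the ones that agent needs. That mirrors how distribution packages ship the filters, but since the chart already keys them per file (`conf.rootwrap_filters.<name>`), mounting only the relevant files per daemonset would shrink each pod's root-capable command set at no cost; I cannot see whether anything depends on the full set, so at minimum a comment in the daemonsets explaining why all twelve are mounted everywhere would help.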
@@ -0,0 +1,34 @@
+# neutron-rootwrap command filters for nodes on which neutron is
+# expected to control network
+#
+# This file should be owned by (and only-writeable by) the root user
+
+# format seems to be
+# cmd-name: filter-name, raw-command, user, args
+
+[Filters]
+
+# dhcp-agent
+dnsmasq: CommandFilter, dnsmasq, root
+# dhcp-agent uses kill as well, that's handled by the generic KillFilter
+# it looks like these are the only signals needed, per
+# neutron/agent/linux/dhcp.py
+kill_dnsmasq: KillFilter, root, /sbin/dnsmasq, -9, -HUP, -15
+kill_dnsmasq_usr: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP, -15
+
+ovs-vsctl: CommandFilter, ovs-vsctl, root
+ivs-ctl: CommandFilter, ivs-ctl, root
+mm-ctl: CommandFilter, mm-ctl, root
+dhcp_release: CommandFilter, dhcp_release, root
+dhcp_release6: CommandFilter, dhcp_release6, root
+
+# metadata proxy
+metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
+# RHEL invocation of the metadata proxy will report /usr/bin/python
+kill_metadata: KillFilter, root, python, -9
+kill_metadata7: KillFilter, root, python2.7, -9
+
+# ip_lib
+ip: IpFilter, ip, root
+find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
+ip_exec: IpNetnsExecFilter, ip, root
diff --git a/neutron/templates/etc/rootwrap.d/_dibbler.filters.tpl b/neutron/templates/etc/rootwrap.d/_dibbler.filters.tpl
new file mode 100644
index 0000000000..eea55252f3
--- /dev/null
+++ b/neutron/templates/etc/rootwrap.d/_dibbler.filters.tpl
@@ -0,0 +1,16 @@
+# neutron-rootwrap command filters for nodes on which neutron is
+# expected to control network
+#
+# This file should be owned by (and only-writeable by) the root user
+
+# format seems to be
+# cmd-name: filter-name, raw-command, user, args
+
+[Filters]
+
+# Filters for the dibbler-based reference implementation of the pluggable
+# Prefix Delegation driver. Other implementations using an alternative agent
+# should include a similar filter in this folder.
+
+# prefix_delegation_agent
+dibbler-client: CommandFilter, dibbler-client, root
diff --git a/neutron/templates/etc/rootwrap.d/_ebtables.filters.tpl b/neutron/templates/etc/rootwrap.d/_ebtables.filters.tpl
new file mode 100644
index 0000000000..8e810e7b55
--- /dev/null
+++ b/neutron/templates/etc/rootwrap.d/_ebtables.filters.tpl
@@ -0,0 +1,11 @@
+# neutron-rootwrap command filters for nodes on which neutron is
+# expected to control network
+#
+# This file should be owned by (and only-writeable by) the root user
+
+# format seems to be
+# cmd-name: filter-name, raw-command, user, args
+
+[Filters]
+
+ebtables: CommandFilter, ebtables, root
diff --git a/neutron/templates/etc/rootwrap.d/_ipset-firewall.filters.tpl b/neutron/templates/etc/rootwrap.d/_ipset-firewall.filters.tpl
new file mode 100644
index 0000000000..52c66373b2
--- /dev/null
+++ b/neutron/templates/etc/rootwrap.d/_ipset-firewall.filters.tpl
@@ -0,0 +1,12 @@
+# neutron-rootwrap command filters for nodes on which neutron is
+# expected to control network
+#
+# This file should be owned by (and only-writeable by) the root user
+
+# format seems to be
+# cmd-name: filter-name, raw-command, user, args
+
+[Filters]
+# neutron/agent/linux/iptables_firewall.py
+# "ipset", "-A", ...
+ipset: CommandFilter, ipset, root
diff --git a/neutron/templates/etc/rootwrap.d/_iptables-firewall.filters.tpl b/neutron/templates/etc/rootwrap.d/_iptables-firewall.filters.tpl
new file mode 100644
index 0000000000..0a81f9ddb4
--- /dev/null
+++ b/neutron/templates/etc/rootwrap.d/_iptables-firewall.filters.tpl
@@ -0,0 +1,27 @@
+# neutron-rootwrap command filters for nodes on which neutron is
+# expected to control network
+#
+# This file should be owned by (and only-writeable by) the root user
+
+# format seems to be
+# cmd-name: filter-name, raw-command, user, args
+
+[Filters]
+
+# neutron/agent/linux/iptables_firewall.py
+# "iptables-save", ...
+iptables-save: CommandFilter, iptables-save, root
+iptables-restore: CommandFilter, iptables-restore, root
+ip6tables-save: CommandFilter, ip6tables-save, root
+ip6tables-restore: CommandFilter, ip6tables-restore, root
+
+# neutron/agent/linux/iptables_firewall.py
+# "iptables", "-A", ...
+iptables: CommandFilter, iptables, root
+ip6tables: CommandFilter, ip6tables, root
+
+# neutron/agent/linux/iptables_firewall.py
+sysctl: CommandFilter, sysctl, root
+
+# neutron/agent/linux/ip_conntrack.py
+conntrack: CommandFilter, conntrack, root
diff --git a/neutron/templates/etc/rootwrap.d/_l3.filters.tpl b/neutron/templates/etc/rootwrap.d/_l3.filters.tpl
new file mode 100644
index 0000000000..789a16f80e
--- /dev/null
+++ b/neutron/templates/etc/rootwrap.d/_l3.filters.tpl
@@ -0,0 +1,52 @@
+# neutron-rootwrap command filters for nodes on which neutron is
+# expected to control network
+#
+# This file should be owned by (and only-writeable by) the root user
+
+# format seems to be
+# cmd-name: filter-name, raw-command, user, args
+
+[Filters]
+
+# arping
+arping: CommandFilter, arping, root
+
+# l3_agent
+sysctl: CommandFilter, sysctl, root
+route: CommandFilter, route, root
+radvd: CommandFilter, radvd, root
+
+# metadata proxy
+metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
+# RHEL invocation of the metadata proxy will report /usr/bin/python
+kill_metadata: KillFilter, root, python, -15, -9
+kill_metadata7: KillFilter, root, python2.7, -15, -9
+kill_radvd_usr: KillFilter, root, /usr/sbin/radvd, -15, -9, -HUP
+kill_radvd: KillFilter, root, /sbin/radvd, -15, -9, -HUP
+
+# ip_lib
+ip: IpFilter, ip, root
+find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
+ip_exec: IpNetnsExecFilter, ip, root
+
+# For ip monitor
+kill_ip_monitor: KillFilter, root, ip, -9
+
+# ovs_lib (if OVSInterfaceDriver is used)
+ovs-vsctl: CommandFilter, ovs-vsctl, root
+
+# iptables_manager
+iptables-save: CommandFilter, iptables-save, root
+iptables-restore: CommandFilter, iptables-restore, root
+ip6tables-save: CommandFilter, ip6tables-save, root
+ip6tables-restore: CommandFilter, ip6tables-restore, root
+
+# Keepalived
+keepalived: CommandFilter, keepalived, root
+kill_keepalived: KillFilter, root, /usr/sbin/keepalived, -HUP, -15, -9
+
+# l3 agent to delete floatingip's conntrack state
+conntrack: CommandFilter, conntrack, root
+
+# keepalived state change monitor
+keepalived_state_change: CommandFilter, neutron-keepalived-state-change, root
diff --git a/neutron/templates/etc/rootwrap.d/_linuxbridge-plugin.filters.tpl b/neutron/templates/etc/rootwrap.d/_linuxbridge-plugin.filters.tpl
new file mode 100644
index 0000000000..f0934357ba
--- /dev/null
+++ b/neutron/templates/etc/rootwrap.d/_linuxbridge-plugin.filters.tpl
@@ -0,0 +1,28 @@
+# neutron-rootwrap command filters for nodes on which neutron is
+# expected to control network
+#
+# This file should be owned by (and only-writeable by) the root user
+
+# format seems to be
+# cmd-name: filter-name, raw-command, user, args
+
+[Filters]
+
+# linuxbridge-agent
+# unclear whether both variants are necessary, but I'm transliterating
+# from the old mechanism
+brctl: CommandFilter, brctl, root
+bridge: CommandFilter, bridge, root
+
+# ip_lib
+ip: IpFilter, ip, root
+find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
+ip_exec: IpNetnsExecFilter, ip, root
+
+# tc commands needed for QoS support
+tc_replace_tbf: RegExpFilter, tc, root, tc, qdisc, replace, dev, .+, root, tbf, rate, .+, latency, .+, burst, .+
+tc_add_ingress: RegExpFilter, tc, root, tc, qdisc, add, dev, .+, ingress, handle, .+
+tc_delete: RegExpFilter, tc, root, tc, qdisc, del, dev, .+, .+
+tc_show_qdisc: RegExpFilter, tc, root, tc, qdisc, show, dev, .+
+tc_show_filters: RegExpFilter, tc, root, tc, filter, show, dev, .+, parent, .+
+tc_add_filter: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, all, prio, .+, basic, police, rate, .+, burst, .+, mtu, .+, drop
diff --git a/neutron/templates/etc/rootwrap.d/_netns-cleanup.filters.tpl b/neutron/templates/etc/rootwrap.d/_netns-cleanup.filters.tpl
new file mode 100644
index 0000000000..1ee142e54c
--- /dev/null
+++ b/neutron/templates/etc/rootwrap.d/_netns-cleanup.filters.tpl
@@ -0,0 +1,12 @@
+# neutron-rootwrap command filters for nodes on which neutron is
+# expected to control network
+#
+# This file should be owned by (and only-writeable by) the root user
+
+# format seems to be
+# cmd-name: filter-name, raw-command, user, args
+
+[Filters]
+
+# netns-cleanup
+netstat: CommandFilter, netstat, root
diff --git a/neutron/templates/etc/rootwrap.d/_openvswitch-plugin.filters.tpl b/neutron/templates/etc/rootwrap.d/_openvswitch-plugin.filters.tpl
new file mode 100644
index 0000000000..c738733bb4
--- /dev/null
+++ b/neutron/templates/etc/rootwrap.d/_openvswitch-plugin.filters.tpl
@@ -0,0 +1,24 @@
+# neutron-rootwrap command filters for nodes on which neutron is
+# expected to control network
+#
+# This file should be owned by (and only-writeable by) the root user
+
+# format seems to be
+# cmd-name: filter-name, raw-command, user, args
+
+[Filters]
+
+# openvswitch-agent
+# unclear whether both variants are necessary, but I'm transliterating
+# from the old mechanism
+ovs-vsctl: CommandFilter, ovs-vsctl, root
+# NOTE(yamamoto): of_interface=native doesn't use ovs-ofctl
+ovs-ofctl: CommandFilter, ovs-ofctl, root
+kill_ovsdb_client: KillFilter, root, /usr/bin/ovsdb-client, -9
+ovsdb-client: CommandFilter, ovsdb-client, root
+xe: CommandFilter, xe, root
+
+# ip_lib
+ip: IpFilter, ip, root
+find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
+ip_exec: IpNetnsExecFilter, ip, root
diff --git a/neutron/values.yaml b/neutron/values.yaml
index 8ea01ed38a..a9fce4fc3d 100644
--- a/neutron/values.yaml
+++ b/neutron/values.yaml
@@ -179,6 +179,9 @@ dependencies:
 endpoint: internal
 
 pod:
+ user:
+ neutron:
+ uid: 1000
 affinity:
 anti:
 type:
@@ -364,6 +367,43 @@ conf:
 policy:
 override:
 append:
+ neutron_sudoers:
+ override:
+ append:
+ rootwrap:
+ override:
+ append:
+ rootwrap_filters:
+ debug:
+ override:
+ append:
+ dibbler:
+ override:
+ append:
+ ipset_firewall:
+ override:
+ append:
+ l3:
+ override:
+ append:
+ netns_cleanup:
+ override:
+ append:
+ dhcp:
+ override:
+ append:
+ ebtables:
+ override:
+ append:
+ iptables_firewall:
+ override:
+ append:
+ linuxbridge_plugin:
+ override:
+ append:
+ openvswitch_plugin:
+ override:
+ append:
 neutron:
 override:
 append: