Security: Container user and rootwrap for neutron
This PS adds user control for the service user and rootwrap for the Neutron chart. Change-Id: Ibefa3e76c9e64427e97cdcbb93a11d2b2125e171
This commit is contained in:
parent
87723a700c
commit
4740486f63
@ -112,4 +112,28 @@ data:
|
||||
sriov_agent.ini: |+
|
||||
{{- tuple .Values.conf.sriov_agent "etc/plugins/_sriov_agent.ini.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||
dnsmasq.conf: ""
|
||||
neutron_sudoers: |+
|
||||
{{- tuple .Values.conf.neutron_sudoers "etc/_neutron_sudoers.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||
rootwrap.conf: |+
|
||||
{{- tuple .Values.conf.rootwrap "etc/_rootwrap.conf.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||
debug.filters: |+
|
||||
{{- tuple .Values.conf.rootwrap_filters.debug "etc/rootwrap.d/_debug.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||
dibbler.filters: |+
|
||||
{{- tuple .Values.conf.rootwrap_filters.dibbler "etc/rootwrap.d/_dibbler.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||
ipset-firewall.filters: |+
|
||||
{{- tuple .Values.conf.rootwrap_filters.ipset_firewall "etc/rootwrap.d/_ipset-firewall.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||
l3.filters: |+
|
||||
{{- tuple .Values.conf.rootwrap_filters.l3 "etc/rootwrap.d/_l3.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||
netns-cleanup.filters: |+
|
||||
{{- tuple .Values.conf.rootwrap_filters.netns_cleanup "etc/rootwrap.d/_netns-cleanup.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||
dhcp.filters: |+
|
||||
{{- tuple .Values.conf.rootwrap_filters.dhcp "etc/rootwrap.d/_dhcp.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||
ebtables.filters: |+
|
||||
{{- tuple .Values.conf.rootwrap_filters.ebtables "etc/rootwrap.d/_ebtables.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||
iptables-firewall.filters: |+
|
||||
{{- tuple .Values.conf.rootwrap_filters.iptables_firewall "etc/rootwrap.d/_iptables-firewall.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||
linuxbridge-plugin.filters: |+
|
||||
{{- tuple .Values.conf.rootwrap_filters.linuxbridge_plugin "etc/rootwrap.d/_linuxbridge-plugin.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||
openvswitch-plugin.filters: |+
|
||||
{{- tuple .Values.conf.rootwrap_filters.openvswitch_plugin "etc/rootwrap.d/_openvswitch-plugin.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||
{{- end }}
|
||||
|
@ -36,8 +36,6 @@ spec:
|
||||
spec:
|
||||
nodeSelector:
|
||||
{{ .Values.labels.agent.dhcp.node_selector_key }}: {{ .Values.labels.agent.dhcp.node_selector_value }}
|
||||
securityContext:
|
||||
runAsUser: 0
|
||||
dnsPolicy: ClusterFirstWithHostNet
|
||||
hostNetwork: true
|
||||
initContainers:
|
||||
@ -48,6 +46,7 @@ spec:
|
||||
imagePullPolicy: {{ .Values.images.pull_policy }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.agent.dhcp | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
securityContext:
|
||||
runAsUser: {{ .Values.pod.user.neutron.uid }}
|
||||
privileged: true
|
||||
command:
|
||||
- /tmp/neutron-dhcp-agent.sh
|
||||
@ -76,6 +75,57 @@ spec:
|
||||
mountPath: /etc/neutron/dnsmasq.conf
|
||||
subPath: dnsmasq.conf
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
# NOTE (Portdirect): We mount here to overide Kollas custom
|
||||
# sudoers file when using Kolla images, this location will
|
||||
# also work fine for other images.
|
||||
mountPath: /etc/sudoers.d/kolla_neutron_sudoers
|
||||
subPath: neutron_sudoers
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.conf
|
||||
subPath: rootwrap.conf
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/debug.filters
|
||||
subPath: debug.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/dibbler.filters
|
||||
subPath: dibbler.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/ipset-firewall.filters
|
||||
subPath: ipset-firewall.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/l3.filters
|
||||
subPath: l3.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/netns-cleanup.filters
|
||||
subPath: netns-cleanup.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/dhcp.filters
|
||||
subPath: dhcp.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/ebtables.filters
|
||||
subPath: ebtables.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/iptables-firewall.filters
|
||||
subPath: iptables-firewall.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/linuxbridge-plugin.filters
|
||||
subPath: linuxbridge-plugin.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters
|
||||
subPath: openvswitch-plugin.filters
|
||||
readOnly: true
|
||||
- name: runopenvswitch
|
||||
mountPath: /run/openvswitch
|
||||
- name: socket
|
||||
|
@ -36,8 +36,6 @@ spec:
|
||||
spec:
|
||||
nodeSelector:
|
||||
{{ .Values.labels.agent.l3.node_selector_key }}: {{ .Values.labels.agent.l3.node_selector_value }}
|
||||
securityContext:
|
||||
runAsUser: 0
|
||||
dnsPolicy: ClusterFirstWithHostNet
|
||||
hostNetwork: true
|
||||
initContainers:
|
||||
@ -48,6 +46,7 @@ spec:
|
||||
imagePullPolicy: {{ .Values.images.pull_policy }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.agent.l3 | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
securityContext:
|
||||
runAsUser: {{ .Values.pod.user.neutron.uid }}
|
||||
privileged: true
|
||||
command:
|
||||
- /tmp/neutron-l3-agent.sh
|
||||
@ -72,6 +71,57 @@ spec:
|
||||
mountPath: /etc/neutron/l3_agent.ini
|
||||
subPath: l3_agent.ini
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
# NOTE (Portdirect): We mount here to overide Kollas custom
|
||||
# sudoers file when using Kolla images, this location will
|
||||
# also work fine for other images.
|
||||
mountPath: /etc/sudoers.d/kolla_neutron_sudoers
|
||||
subPath: neutron_sudoers
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.conf
|
||||
subPath: rootwrap.conf
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/debug.filters
|
||||
subPath: debug.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/dibbler.filters
|
||||
subPath: dibbler.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/ipset-firewall.filters
|
||||
subPath: ipset-firewall.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/l3.filters
|
||||
subPath: l3.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/netns-cleanup.filters
|
||||
subPath: netns-cleanup.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/dhcp.filters
|
||||
subPath: dhcp.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/ebtables.filters
|
||||
subPath: ebtables.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/iptables-firewall.filters
|
||||
subPath: iptables-firewall.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/linuxbridge-plugin.filters
|
||||
subPath: linuxbridge-plugin.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters
|
||||
subPath: openvswitch-plugin.filters
|
||||
readOnly: true
|
||||
- name: runopenvswitch
|
||||
mountPath: /run/openvswitch
|
||||
- name: libmodules
|
||||
|
@ -36,8 +36,6 @@ spec:
|
||||
spec:
|
||||
nodeSelector:
|
||||
{{ .Values.labels.agent.metadata.node_selector_key }}: {{ .Values.labels.agent.metadata.node_selector_value }}
|
||||
securityContext:
|
||||
runAsUser: 0
|
||||
dnsPolicy: ClusterFirstWithHostNet
|
||||
hostNetwork: true
|
||||
initContainers:
|
||||
@ -48,6 +46,7 @@ spec:
|
||||
imagePullPolicy: {{ .Values.images.pull_policy }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.agent.metadata | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
securityContext:
|
||||
runAsUser: {{ .Values.pod.user.neutron.uid }}
|
||||
privileged: true
|
||||
ports:
|
||||
- containerPort: {{ .Values.network.metadata.port }}
|
||||
@ -74,6 +73,57 @@ spec:
|
||||
mountPath: /etc/neutron/metadata_agent.ini
|
||||
subPath: metadata_agent.ini
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
# NOTE (Portdirect): We mount here to overide Kollas custom
|
||||
# sudoers file when using Kolla images, this location will
|
||||
# also work fine for other images.
|
||||
mountPath: /etc/sudoers.d/kolla_neutron_sudoers
|
||||
subPath: neutron_sudoers
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.conf
|
||||
subPath: rootwrap.conf
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/debug.filters
|
||||
subPath: debug.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/dibbler.filters
|
||||
subPath: dibbler.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/ipset-firewall.filters
|
||||
subPath: ipset-firewall.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/l3.filters
|
||||
subPath: l3.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/netns-cleanup.filters
|
||||
subPath: netns-cleanup.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/dhcp.filters
|
||||
subPath: dhcp.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/ebtables.filters
|
||||
subPath: ebtables.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/iptables-firewall.filters
|
||||
subPath: iptables-firewall.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/linuxbridge-plugin.filters
|
||||
subPath: linuxbridge-plugin.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters
|
||||
subPath: openvswitch-plugin.filters
|
||||
readOnly: true
|
||||
- name: runopenvswitch
|
||||
mountPath: /run/openvswitch
|
||||
- name: socket
|
||||
|
@ -68,6 +68,57 @@ spec:
|
||||
mountPath: /etc/neutron/plugins/ml2/openvswitch_agent.ini
|
||||
subPath: openvswitch_agent.ini
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
# NOTE (Portdirect): We mount here to overide Kollas custom
|
||||
# sudoers file when using Kolla images, this location will
|
||||
# also work fine for other images.
|
||||
mountPath: /etc/sudoers.d/kolla_neutron_sudoers
|
||||
subPath: neutron_sudoers
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.conf
|
||||
subPath: rootwrap.conf
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/debug.filters
|
||||
subPath: debug.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/dibbler.filters
|
||||
subPath: dibbler.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/ipset-firewall.filters
|
||||
subPath: ipset-firewall.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/l3.filters
|
||||
subPath: l3.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/netns-cleanup.filters
|
||||
subPath: netns-cleanup.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/dhcp.filters
|
||||
subPath: dhcp.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/ebtables.filters
|
||||
subPath: ebtables.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/iptables-firewall.filters
|
||||
subPath: iptables-firewall.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/linuxbridge-plugin.filters
|
||||
subPath: linuxbridge-plugin.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters
|
||||
subPath: openvswitch-plugin.filters
|
||||
readOnly: true
|
||||
- name: libmodules
|
||||
mountPath: /lib/modules
|
||||
readOnly: true
|
||||
@ -80,6 +131,7 @@ spec:
|
||||
imagePullPolicy: {{ .Values.images.pull_policy }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.agent.ovs | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
securityContext:
|
||||
runAsUser: {{ .Values.pod.user.neutron.uid }}
|
||||
privileged: true
|
||||
command:
|
||||
- /tmp/neutron-openvswitch-agent.sh
|
||||
@ -110,6 +162,57 @@ spec:
|
||||
mountPath: /etc/neutron/plugins/ml2/openvswitch_agent.ini
|
||||
subPath: openvswitch_agent.ini
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
# NOTE (Portdirect): We mount here to overide Kollas custom
|
||||
# sudoers file when using Kolla images, this location will
|
||||
# also work fine for other images.
|
||||
mountPath: /etc/sudoers.d/kolla_neutron_sudoers
|
||||
subPath: neutron_sudoers
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.conf
|
||||
subPath: rootwrap.conf
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/debug.filters
|
||||
subPath: debug.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/dibbler.filters
|
||||
subPath: dibbler.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/ipset-firewall.filters
|
||||
subPath: ipset-firewall.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/l3.filters
|
||||
subPath: l3.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/netns-cleanup.filters
|
||||
subPath: netns-cleanup.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/dhcp.filters
|
||||
subPath: dhcp.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/ebtables.filters
|
||||
subPath: ebtables.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/iptables-firewall.filters
|
||||
subPath: iptables-firewall.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/linuxbridge-plugin.filters
|
||||
subPath: linuxbridge-plugin.filters
|
||||
readOnly: true
|
||||
- name: neutron-etc
|
||||
mountPath: /etc/neutron/rootwrap.d/openvswitch-plugin.filters
|
||||
subPath: openvswitch-plugin.filters
|
||||
readOnly: true
|
||||
- name: libmodules
|
||||
mountPath: /lib/modules
|
||||
readOnly: true
|
||||
|
@ -33,8 +33,6 @@ spec:
|
||||
spec:
|
||||
nodeSelector:
|
||||
{{ .Values.labels.ovs.node_selector_key }}: {{ .Values.labels.ovs.node_selector_value }}
|
||||
securityContext:
|
||||
runAsUser: 0
|
||||
dnsPolicy: ClusterFirstWithHostNet
|
||||
hostNetwork: true
|
||||
containers:
|
||||
@ -43,6 +41,7 @@ spec:
|
||||
imagePullPolicy: {{ .Values.images.pull_policy }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.ovs.db | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
securityContext:
|
||||
runAsUser: 0
|
||||
privileged: true
|
||||
command:
|
||||
- /tmp/openvswitch-db-server.sh
|
||||
|
@ -33,8 +33,6 @@ spec:
|
||||
spec:
|
||||
nodeSelector:
|
||||
{{ .Values.labels.ovs.node_selector_key }}: {{ .Values.labels.ovs.node_selector_value }}
|
||||
securityContext:
|
||||
runAsUser: 0
|
||||
dnsPolicy: ClusterFirstWithHostNet
|
||||
hostNetwork: true
|
||||
containers:
|
||||
@ -43,6 +41,7 @@ spec:
|
||||
imagePullPolicy: {{ .Values.images.pull_policy }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.ovs.vswitchd | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
securityContext:
|
||||
runAsUser: 0
|
||||
privileged: true
|
||||
# ensures this container can speak to the ovs database
|
||||
# successfully before its marked as ready
|
||||
|
@ -47,6 +47,8 @@ spec:
|
||||
image: {{ .Values.images.server }}
|
||||
imagePullPolicy: {{ .Values.images.pull_policy }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
securityContext:
|
||||
runAsUser: {{ .Values.pod.user.neutron.uid }}
|
||||
command:
|
||||
- /tmp/neutron-server.sh
|
||||
- start
|
||||
|
20
neutron/templates/etc/_neutron_sudoers.tpl
Normal file
20
neutron/templates/etc/_neutron_sudoers.tpl
Normal file
@ -0,0 +1,20 @@
|
||||
{{/*
|
||||
Copyright 2017 The Openstack-Helm Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
# This sudoers file supports rootwrap for both Kolla and LOCI Images.
|
||||
Defaults !requiretty
|
||||
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/var/lib/openstack/bin:/var/lib/kolla/venv/bin"
|
||||
neutron ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *, /var/lib/openstack/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *
|
34
neutron/templates/etc/_rootwrap.conf.tpl
Normal file
34
neutron/templates/etc/_rootwrap.conf.tpl
Normal file
@ -0,0 +1,34 @@
|
||||
# Configuration for neutron-rootwrap
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
[DEFAULT]
|
||||
# List of directories to load filter definitions from (separated by ',').
|
||||
# These directories MUST all be only writeable by root !
|
||||
filters_path=/etc/neutron/rootwrap.d,/usr/share/neutron/rootwrap
|
||||
|
||||
# List of directories to search executables in, in case filters do not
|
||||
# explicitely specify a full path (separated by ',')
|
||||
# If not specified, defaults to system PATH environment variable.
|
||||
# These directories MUST all be only writeable by root !
|
||||
exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/var/lib/openstack/bin,/var/lib/kolla/venv/bin
|
||||
|
||||
# Enable logging to syslog
|
||||
# Default value is False
|
||||
use_syslog=False
|
||||
|
||||
# Which syslog facility to use.
|
||||
# Valid values include auth, authpriv, syslog, local0, local1...
|
||||
# Default value is 'syslog'
|
||||
syslog_log_facility=syslog
|
||||
|
||||
# Which messages to log.
|
||||
# INFO means log all usage
|
||||
# ERROR means only log unsuccessful attempts
|
||||
syslog_log_level=ERROR
|
||||
|
||||
[xenapi]
|
||||
# XenAPI configuration is only required by the L2 agent if it is to
|
||||
# target a XenServer/XCP compute host's dom0.
|
||||
xenapi_connection_url=<None>
|
||||
xenapi_connection_username=root
|
||||
xenapi_connection_password=<None>
|
18
neutron/templates/etc/rootwrap.d/_debug.filters.tpl
Normal file
18
neutron/templates/etc/rootwrap.d/_debug.filters.tpl
Normal file
@ -0,0 +1,18 @@
|
||||
# neutron-rootwrap command filters for nodes on which neutron is
|
||||
# expected to control network
|
||||
#
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
# format seems to be
|
||||
# cmd-name: filter-name, raw-command, user, args
|
||||
|
||||
[Filters]
|
||||
|
||||
# This is needed because we should ping
|
||||
# from inside a namespace which requires root
|
||||
# _alt variants allow to match -c and -w in any order
|
||||
# (used by NeutronDebugAgent.ping_all)
|
||||
ping: RegExpFilter, ping, root, ping, -w, \d+, -c, \d+, [0-9\.]+
|
||||
ping_alt: RegExpFilter, ping, root, ping, -c, \d+, -w, \d+, [0-9\.]+
|
||||
ping6: RegExpFilter, ping6, root, ping6, -w, \d+, -c, \d+, [0-9A-Fa-f:]+
|
||||
ping6_alt: RegExpFilter, ping6, root, ping6, -c, \d+, -w, \d+, [0-9A-Fa-f:]+
|
34
neutron/templates/etc/rootwrap.d/_dhcp.filters.tpl
Normal file
34
neutron/templates/etc/rootwrap.d/_dhcp.filters.tpl
Normal file
@ -0,0 +1,34 @@
|
||||
# neutron-rootwrap command filters for nodes on which neutron is
|
||||
# expected to control network
|
||||
#
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
# format seems to be
|
||||
# cmd-name: filter-name, raw-command, user, args
|
||||
|
||||
[Filters]
|
||||
|
||||
# dhcp-agent
|
||||
dnsmasq: CommandFilter, dnsmasq, root
|
||||
# dhcp-agent uses kill as well, that's handled by the generic KillFilter
|
||||
# it looks like these are the only signals needed, per
|
||||
# neutron/agent/linux/dhcp.py
|
||||
kill_dnsmasq: KillFilter, root, /sbin/dnsmasq, -9, -HUP, -15
|
||||
kill_dnsmasq_usr: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP, -15
|
||||
|
||||
ovs-vsctl: CommandFilter, ovs-vsctl, root
|
||||
ivs-ctl: CommandFilter, ivs-ctl, root
|
||||
mm-ctl: CommandFilter, mm-ctl, root
|
||||
dhcp_release: CommandFilter, dhcp_release, root
|
||||
dhcp_release6: CommandFilter, dhcp_release6, root
|
||||
|
||||
# metadata proxy
|
||||
metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
|
||||
# RHEL invocation of the metadata proxy will report /usr/bin/python
|
||||
kill_metadata: KillFilter, root, python, -9
|
||||
kill_metadata7: KillFilter, root, python2.7, -9
|
||||
|
||||
# ip_lib
|
||||
ip: IpFilter, ip, root
|
||||
find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
|
||||
ip_exec: IpNetnsExecFilter, ip, root
|
16
neutron/templates/etc/rootwrap.d/_dibbler.filters.tpl
Normal file
16
neutron/templates/etc/rootwrap.d/_dibbler.filters.tpl
Normal file
@ -0,0 +1,16 @@
|
||||
# neutron-rootwrap command filters for nodes on which neutron is
|
||||
# expected to control network
|
||||
#
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
# format seems to be
|
||||
# cmd-name: filter-name, raw-command, user, args
|
||||
|
||||
[Filters]
|
||||
|
||||
# Filters for the dibbler-based reference implementation of the pluggable
|
||||
# Prefix Delegation driver. Other implementations using an alternative agent
|
||||
# should include a similar filter in this folder.
|
||||
|
||||
# prefix_delegation_agent
|
||||
dibbler-client: CommandFilter, dibbler-client, root
|
11
neutron/templates/etc/rootwrap.d/_ebtables.filters.tpl
Normal file
11
neutron/templates/etc/rootwrap.d/_ebtables.filters.tpl
Normal file
@ -0,0 +1,11 @@
|
||||
# neutron-rootwrap command filters for nodes on which neutron is
|
||||
# expected to control network
|
||||
#
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
# format seems to be
|
||||
# cmd-name: filter-name, raw-command, user, args
|
||||
|
||||
[Filters]
|
||||
|
||||
ebtables: CommandFilter, ebtables, root
|
12
neutron/templates/etc/rootwrap.d/_ipset-firewall.filters.tpl
Normal file
12
neutron/templates/etc/rootwrap.d/_ipset-firewall.filters.tpl
Normal file
@ -0,0 +1,12 @@
|
||||
# neutron-rootwrap command filters for nodes on which neutron is
|
||||
# expected to control network
|
||||
#
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
# format seems to be
|
||||
# cmd-name: filter-name, raw-command, user, args
|
||||
|
||||
[Filters]
|
||||
# neutron/agent/linux/iptables_firewall.py
|
||||
# "ipset", "-A", ...
|
||||
ipset: CommandFilter, ipset, root
|
@ -0,0 +1,27 @@
|
||||
# neutron-rootwrap command filters for nodes on which neutron is
|
||||
# expected to control network
|
||||
#
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
# format seems to be
|
||||
# cmd-name: filter-name, raw-command, user, args
|
||||
|
||||
[Filters]
|
||||
|
||||
# neutron/agent/linux/iptables_firewall.py
|
||||
# "iptables-save", ...
|
||||
iptables-save: CommandFilter, iptables-save, root
|
||||
iptables-restore: CommandFilter, iptables-restore, root
|
||||
ip6tables-save: CommandFilter, ip6tables-save, root
|
||||
ip6tables-restore: CommandFilter, ip6tables-restore, root
|
||||
|
||||
# neutron/agent/linux/iptables_firewall.py
|
||||
# "iptables", "-A", ...
|
||||
iptables: CommandFilter, iptables, root
|
||||
ip6tables: CommandFilter, ip6tables, root
|
||||
|
||||
# neutron/agent/linux/iptables_firewall.py
|
||||
sysctl: CommandFilter, sysctl, root
|
||||
|
||||
# neutron/agent/linux/ip_conntrack.py
|
||||
conntrack: CommandFilter, conntrack, root
|
52
neutron/templates/etc/rootwrap.d/_l3.filters.tpl
Normal file
52
neutron/templates/etc/rootwrap.d/_l3.filters.tpl
Normal file
@ -0,0 +1,52 @@
|
||||
# neutron-rootwrap command filters for nodes on which neutron is
|
||||
# expected to control network
|
||||
#
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
# format seems to be
|
||||
# cmd-name: filter-name, raw-command, user, args
|
||||
|
||||
[Filters]
|
||||
|
||||
# arping
|
||||
arping: CommandFilter, arping, root
|
||||
|
||||
# l3_agent
|
||||
sysctl: CommandFilter, sysctl, root
|
||||
route: CommandFilter, route, root
|
||||
radvd: CommandFilter, radvd, root
|
||||
|
||||
# metadata proxy
|
||||
metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
|
||||
# RHEL invocation of the metadata proxy will report /usr/bin/python
|
||||
kill_metadata: KillFilter, root, python, -15, -9
|
||||
kill_metadata7: KillFilter, root, python2.7, -15, -9
|
||||
kill_radvd_usr: KillFilter, root, /usr/sbin/radvd, -15, -9, -HUP
|
||||
kill_radvd: KillFilter, root, /sbin/radvd, -15, -9, -HUP
|
||||
|
||||
# ip_lib
|
||||
ip: IpFilter, ip, root
|
||||
find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
|
||||
ip_exec: IpNetnsExecFilter, ip, root
|
||||
|
||||
# For ip monitor
|
||||
kill_ip_monitor: KillFilter, root, ip, -9
|
||||
|
||||
# ovs_lib (if OVSInterfaceDriver is used)
|
||||
ovs-vsctl: CommandFilter, ovs-vsctl, root
|
||||
|
||||
# iptables_manager
|
||||
iptables-save: CommandFilter, iptables-save, root
|
||||
iptables-restore: CommandFilter, iptables-restore, root
|
||||
ip6tables-save: CommandFilter, ip6tables-save, root
|
||||
ip6tables-restore: CommandFilter, ip6tables-restore, root
|
||||
|
||||
# Keepalived
|
||||
keepalived: CommandFilter, keepalived, root
|
||||
kill_keepalived: KillFilter, root, /usr/sbin/keepalived, -HUP, -15, -9
|
||||
|
||||
# l3 agent to delete floatingip's conntrack state
|
||||
conntrack: CommandFilter, conntrack, root
|
||||
|
||||
# keepalived state change monitor
|
||||
keepalived_state_change: CommandFilter, neutron-keepalived-state-change, root
|
@ -0,0 +1,28 @@
|
||||
# neutron-rootwrap command filters for nodes on which neutron is
|
||||
# expected to control network
|
||||
#
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
# format seems to be
|
||||
# cmd-name: filter-name, raw-command, user, args
|
||||
|
||||
[Filters]
|
||||
|
||||
# linuxbridge-agent
|
||||
# unclear whether both variants are necessary, but I'm transliterating
|
||||
# from the old mechanism
|
||||
brctl: CommandFilter, brctl, root
|
||||
bridge: CommandFilter, bridge, root
|
||||
|
||||
# ip_lib
|
||||
ip: IpFilter, ip, root
|
||||
find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
|
||||
ip_exec: IpNetnsExecFilter, ip, root
|
||||
|
||||
# tc commands needed for QoS support
|
||||
tc_replace_tbf: RegExpFilter, tc, root, tc, qdisc, replace, dev, .+, root, tbf, rate, .+, latency, .+, burst, .+
|
||||
tc_add_ingress: RegExpFilter, tc, root, tc, qdisc, add, dev, .+, ingress, handle, .+
|
||||
tc_delete: RegExpFilter, tc, root, tc, qdisc, del, dev, .+, .+
|
||||
tc_show_qdisc: RegExpFilter, tc, root, tc, qdisc, show, dev, .+
|
||||
tc_show_filters: RegExpFilter, tc, root, tc, filter, show, dev, .+, parent, .+
|
||||
tc_add_filter: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, all, prio, .+, basic, police, rate, .+, burst, .+, mtu, .+, drop
|
12
neutron/templates/etc/rootwrap.d/_netns-cleanup.filters.tpl
Normal file
12
neutron/templates/etc/rootwrap.d/_netns-cleanup.filters.tpl
Normal file
@ -0,0 +1,12 @@
|
||||
# neutron-rootwrap command filters for nodes on which neutron is
|
||||
# expected to control network
|
||||
#
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
# format seems to be
|
||||
# cmd-name: filter-name, raw-command, user, args
|
||||
|
||||
[Filters]
|
||||
|
||||
# netns-cleanup
|
||||
netstat: CommandFilter, netstat, root
|
@ -0,0 +1,24 @@
|
||||
# neutron-rootwrap command filters for nodes on which neutron is
|
||||
# expected to control network
|
||||
#
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
# format seems to be
|
||||
# cmd-name: filter-name, raw-command, user, args
|
||||
|
||||
[Filters]
|
||||
|
||||
# openvswitch-agent
|
||||
# unclear whether both variants are necessary, but I'm transliterating
|
||||
# from the old mechanism
|
||||
ovs-vsctl: CommandFilter, ovs-vsctl, root
|
||||
# NOTE(yamamoto): of_interface=native doesn't use ovs-ofctl
|
||||
ovs-ofctl: CommandFilter, ovs-ofctl, root
|
||||
kill_ovsdb_client: KillFilter, root, /usr/bin/ovsdb-client, -9
|
||||
ovsdb-client: CommandFilter, ovsdb-client, root
|
||||
xe: CommandFilter, xe, root
|
||||
|
||||
# ip_lib
|
||||
ip: IpFilter, ip, root
|
||||
find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
|
||||
ip_exec: IpNetnsExecFilter, ip, root
|
@ -179,6 +179,9 @@ dependencies:
|
||||
endpoint: internal
|
||||
|
||||
pod:
|
||||
user:
|
||||
neutron:
|
||||
uid: 1000
|
||||
affinity:
|
||||
anti:
|
||||
type:
|
||||
@ -364,6 +367,43 @@ conf:
|
||||
policy:
|
||||
override:
|
||||
append:
|
||||
neutron_sudoers:
|
||||
override:
|
||||
append:
|
||||
rootwrap:
|
||||
override:
|
||||
append:
|
||||
rootwrap_filters:
|
||||
debug:
|
||||
override:
|
||||
append:
|
||||
dibbler:
|
||||
override:
|
||||
append:
|
||||
ipset_firewall:
|
||||
override:
|
||||
append:
|
||||
l3:
|
||||
override:
|
||||
append:
|
||||
netns_cleanup:
|
||||
override:
|
||||
append:
|
||||
dhcp:
|
||||
override:
|
||||
append:
|
||||
ebtables:
|
||||
override:
|
||||
append:
|
||||
iptables_firewall:
|
||||
override:
|
||||
append:
|
||||
linuxbridge_plugin:
|
||||
override:
|
||||
append:
|
||||
openvswitch_plugin:
|
||||
override:
|
||||
append:
|
||||
neutron:
|
||||
override:
|
||||
append:
|
||||
|
Loading…
x
Reference in New Issue
Block a user