From 6219bba2c75d63a20c79eb787f0e374b63259756 Mon Sep 17 00:00:00 2001
From: portdirect
Date: Tue, 27 Mar 2018 14:24:07 -0400
Subject: [PATCH] Cinder: Move all config to be directly values driven.

This PS moves all the config files to be directly values driven, both simplifying over-ride and allowing configs to be targeted to pods in future work.

Change-Id: I286af7434aab6de941f9700a7fbf70c6dd0ee4cb
---
 cinder/templates/configmap-etc.yaml | 11 +-
 cinder/templates/deployment-volume.yaml | 10 +-
 cinder/templates/etc/_cinder_sudoers.tpl | 20 --
 cinder/templates/etc/_rootwrap.conf.tpl | 27 --
 .../etc/rootwrap.d/_volume.filters.tpl | 224 ---------------
 cinder/values.yaml | 268 +++++++++++++++++-
 6 files changed, 275 insertions(+), 285 deletions(-)
 delete mode 100644 cinder/templates/etc/_cinder_sudoers.tpl
 delete mode 100644 cinder/templates/etc/_rootwrap.conf.tpl
 delete mode 100644 cinder/templates/etc/rootwrap.d/_volume.filters.tpl

diff --git a/cinder/templates/configmap-etc.yaml b/cinder/templates/configmap-etc.yaml
index e345814299..b3f8a3e2b3 100644
--- a/cinder/templates/configmap-etc.yaml
+++ b/cinder/templates/configmap-etc.yaml
@@ -110,9 +110,12 @@ data:
 policy.json: |
 {{ toJson .Values.conf.policy | indent 4 }}
 cinder_sudoers: |
-{{- tuple .Values.conf.cinder_sudoers "etc/_cinder_sudoers.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
+{{ $envAll.Values.conf.cinder_sudoers | indent 4 }}
 rootwrap.conf: |
-{{- tuple .Values.conf.rootwrap "etc/_rootwrap.conf.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
- volume.filters: |
-{{- tuple .Values.conf.rootwrap_filters.volume "etc/rootwrap.d/_volume.filters.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
+{{ $envAll.Values.conf.rootwrap | indent 4 }}
+{{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
+{{- $filePrefix := replace "_" "-" $key }}
+ {{ printf "%s.filters" $filePrefix }}: |
+{{ $value.content | indent 4 }}
+{{- end }}
 {{- end }}
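Review bot: The new `range` over `$envAll.Values.conf.rootwrap_filters` emits a `<key>.filters` ConfigMap entry for every map key, yet the trailing context of the values.yaml hunk shows `ceph:` still carrying `override:`/`append:` with no `content`, so `{{ $value.content | indent 4 }}` is evaluated against a nil value for that entry; whether that renders an empty `ceph.filters` key or aborts the template depends on the Helm/sprig version in use, and the same entry reaches `has "volume" $value.pods` in deployment-volume.yaml. Guarding the loop body with `{{- if $value.content }}` (or converting `ceph` in the same change) keeps the chart from publishing an empty or broken root-command filter file. The hunk also switches from `.Values` to `$envAll.Values`; `$envAll` must be bound earlier in this template, which lies outside the hunk.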
diff --git a/cinder/templates/deployment-volume.yaml b/cinder/templates/deployment-volume.yaml
index 65bd2a2b46..d721be97c3 100644
--- a/cinder/templates/deployment-volume.yaml
+++ b/cinder/templates/deployment-volume.yaml
@@ -137,10 +137,16 @@ spec:
 mountPath: /etc/cinder/rootwrap.conf
 subPath: rootwrap.conf
 readOnly: true
+ {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
+ {{- if ( has "volume" $value.pods ) }}
+ {{- $filePrefix := replace "_" "-" $key }}
+ {{- $rootwrapFile := printf "/etc/cinder/rootwrap.d/%s.filters" $filePrefix }}
 - name: cinder-etc
- mountPath: /etc/cinder/rootwrap.d/volume.filters
- subPath: volume.filters
+ mountPath: {{ $rootwrapFile }}
+ subPath: {{ base $rootwrapFile }}
 readOnly: true
+ {{- end }}
+ {{- end }}
 {{ if $mounts_cinder_volume.volumeMounts }}{{ toYaml $mounts_cinder_volume.volumeMounts | indent 12 }}{{ end }}
 volumes:
 - name: cinder-bin
diff --git a/cinder/templates/etc/_cinder_sudoers.tpl b/cinder/templates/etc/_cinder_sudoers.tpl
deleted file mode 100644
index 2b822ab2d2..0000000000
--- a/cinder/templates/etc/_cinder_sudoers.tpl
+++ /dev/null
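Review bot: `{{- if ( has "volume" $value.pods ) }}` assumes every `conf.rootwrap_filters` entry declares a `pods` list; an entry that omits it is still visited by the loop, and how `has` treats a nil haystack differs between sprig versions, so the render may fail outright instead of skipping the entry. A nested guard, `{{- if $value.pods }}{{- if has "volume" $value.pods }}` (with a matching extra `{{- end }}`), is version-independent, whereas `and` in Go templates of this era does not short-circuit. The `replace "_" "-" $key` file-name derivation is duplicated from configmap-etc.yaml; factoring it into one named template would stop the ConfigMap key and the mount `subPath` from drifting apart, a mismatch that would only surface as a missing-key mount error when the volume pod starts.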
@@ -1,20 +0,0 @@
-{{/*
-Copyright 2017 The Openstack-Helm Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-# This sudoers file supports rootwrap for both Kolla and LOCI Images.
-Defaults !requiretty
-Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/var/lib/openstack/bin:/var/lib/kolla/venv/bin"
-cinder ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/cinder-rootwrap /etc/cinder/rootwrap.conf *, /var/lib/openstack/bin/cinder-rootwrap /etc/cinder/rootwrap.conf *
diff --git a/cinder/templates/etc/_rootwrap.conf.tpl b/cinder/templates/etc/_rootwrap.conf.tpl
deleted file mode 100644
index 2d88d689e4..0000000000
--- a/cinder/templates/etc/_rootwrap.conf.tpl
+++ /dev/null
@@ -1,27 +0,0 @@
-# Configuration for cinder-rootwrap
-# This file should be owned by (and only-writeable by) the root user
-
-[DEFAULT]
-# List of directories to load filter definitions from (separated by ',').
-# These directories MUST all be only writeable by root !
-filters_path=/etc/cinder/rootwrap.d
-
-# List of directories to search executables in, in case filters do not
-# explicitely specify a full path (separated by ',')
-# If not specified, defaults to system PATH environment variable.
-# These directories MUST all be only writeable by root !
-exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/var/lib/openstack/bin,/var/lib/kolla/venv/bin
-
-# Enable logging to syslog
-# Default value is False
-use_syslog=False
-
-# Which syslog facility to use.
-# Valid values include auth, authpriv, syslog, local0, local1...
-# Default value is 'syslog'
-syslog_log_facility=syslog
-
-# Which messages to log.
-# INFO means log all usage
-# ERROR means only log unsuccessful attempts
-syslog_log_level=ERROR
diff --git a/cinder/templates/etc/rootwrap.d/_volume.filters.tpl b/cinder/templates/etc/rootwrap.d/_volume.filters.tpl
deleted file mode 100644
index f7810c46f7..0000000000
--- a/cinder/templates/etc/rootwrap.d/_volume.filters.tpl
+++ /dev/null
@@ -1,224 +0,0 @@ -# cinder-rootwrap command filters for volume nodes -# This file should be owned by (and only-writeable by) the root user - -[Filters] -# cinder/volume/iscsi.py: iscsi_helper '--op' ... -ietadm: CommandFilter, ietadm, root -tgtadm: CommandFilter, tgtadm, root -iscsictl: CommandFilter, iscsictl, root -tgt-admin: CommandFilter, tgt-admin, root -cinder-rtstool: CommandFilter, cinder-rtstool, root -scstadmin: CommandFilter, scstadmin, root - -# LVM related show commands -pvs: EnvFilter, env, root, LC_ALL=C, pvs -vgs: EnvFilter, env, root, LC_ALL=C, vgs -lvs: EnvFilter, env, root, LC_ALL=C, lvs -lvdisplay: EnvFilter, env, root, LC_ALL=C, lvdisplay - -# -LVM related show commands with suppress fd warnings -pvs_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, pvs -vgs_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, vgs -lvs_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvs -lvdisplay_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvdisplay - - -# -LVM related show commands conf var -pvs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, pvs -vgs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, vgs -lvs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvs -lvdisplay_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvdisplay - -# -LVM conf var with suppress fd_warnings -pvs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, pvs -vgs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, vgs -lvs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvs -lvdisplay_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvdisplay - -# os-brick library commands -# os_brick.privileged.run_as_root oslo.privsep context -# This line ties the superuser privs with the config files, context name, -# and (implicitly) the actual python 
code invoked. -privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.* -# The following and any cinder/brick/* entries should all be obsoleted -# by privsep, and may be removed once the os-brick version requirement -# is updated appropriately. -scsi_id: CommandFilter, /lib/udev/scsi_id, root -drbdadm: CommandFilter, drbdadm, root - -# cinder/brick/local_dev/lvm.py: 'vgcreate', vg_name, pv_list -vgcreate: CommandFilter, vgcreate, root - -# cinder/brick/local_dev/lvm.py: 'lvcreate', '-L', sizestr, '-n', volume_name,.. -# cinder/brick/local_dev/lvm.py: 'lvcreate', '-L', ... -lvcreate: EnvFilter, env, root, LC_ALL=C, lvcreate -lvcreate_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvcreate -lvcreate_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvcreate -lvcreate_lvmconf_fdwarn: EnvFilter, env, root, LVM_SYSTEM_DIR=, LVM_SUPPRESS_FD_WARNINGS=, LC_ALL=C, lvcreate - -# cinder/volume/driver.py: 'dd', 'if=%s' % srcstr, 'of=%s' % deststr,... -dd: CommandFilter, dd, root - -# cinder/volume/driver.py: 'lvremove', '-f', %s/%s % ... -lvremove: CommandFilter, lvremove, root - -# cinder/volume/driver.py: 'lvrename', '%(vg)s', '%(orig)s' '(new)s'... -lvrename: CommandFilter, lvrename, root - -# cinder/brick/local_dev/lvm.py: 'lvextend', '-L' '%(new_size)s', '%(lv_name)s' ... -# cinder/brick/local_dev/lvm.py: 'lvextend', '-L' '%(new_size)s', '%(thin_pool)s' ... 
-lvextend: EnvFilter, env, root, LC_ALL=C, lvextend -lvextend_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvextend -lvextend_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvextend -lvextend_lvmconf_fdwarn: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvextend - -# cinder/brick/local_dev/lvm.py: 'lvchange -a y -K ' -lvchange: CommandFilter, lvchange, root - -# cinder/brick/local_dev/lvm.py: 'lvconvert', '--merge', snapshot_name -lvconvert: CommandFilter, lvconvert, root - -# cinder/volume/driver.py: 'iscsiadm', '-m', 'discovery', '-t',... -# cinder/volume/driver.py: 'iscsiadm', '-m', 'node', '-T', ... -iscsiadm: CommandFilter, iscsiadm, root - -# cinder/volume/utils.py: utils.temporary_chown(path, 0) -chown: CommandFilter, chown, root - -# cinder/volume/utils.py: copy_volume(..., ionice='...') -ionice_1: ChainingRegExpFilter, ionice, root, ionice, -c[0-3], -n[0-7] -ionice_2: ChainingRegExpFilter, ionice, root, ionice, -c[0-3] - -# cinder/volume/utils.py: setup_blkio_cgroup() -cgcreate: CommandFilter, cgcreate, root -cgset: CommandFilter, cgset, root -cgexec: ChainingRegExpFilter, cgexec, root, cgexec, -g, blkio:\S+ - -# cinder/volume/driver.py -dmsetup: CommandFilter, dmsetup, root -ln: CommandFilter, ln, root - -# cinder/image/image_utils.py -qemu-img: EnvFilter, env, root, LC_ALL=C, qemu-img -qemu-img_convert: CommandFilter, qemu-img, root - -udevadm: CommandFilter, udevadm, root - -# cinder/volume/driver.py: utils.read_file_as_root() -cat: CommandFilter, cat, root - -# cinder/volume/nfs.py -stat: CommandFilter, stat, root -mount: CommandFilter, mount, root -df: CommandFilter, df, root -du: CommandFilter, du, root -truncate: CommandFilter, truncate, root -chmod: CommandFilter, chmod, root -rm: CommandFilter, rm, root - -# cinder/volume/drivers/remotefs.py -mkdir: CommandFilter, mkdir, root - -# cinder/volume/drivers/netapp/nfs.py: -netapp_nfs_find: RegExpFilter, find, root, find, 
^[/]*([^/\0]+(/+)?)*$, -maxdepth, \d+, -name, img-cache.*, -amin, \+\d+ - -# cinder/volume/drivers/glusterfs.py -chgrp: CommandFilter, chgrp, root -umount: CommandFilter, umount, root -fallocate: CommandFilter, fallocate, root - -# cinder/volumes/drivers/hds/hds.py: -hus-cmd: CommandFilter, hus-cmd, root -hus-cmd_local: CommandFilter, /usr/local/bin/hus-cmd, root - -# cinder/volumes/drivers/hds/hnas_backend.py -ssc: CommandFilter, ssc, root - -# cinder/brick/initiator/connector.py: -ls: CommandFilter, ls, root -tee: CommandFilter, tee, root -multipath: CommandFilter, multipath, root -multipathd: CommandFilter, multipathd, root -systool: CommandFilter, systool, root - -# cinder/volume/drivers/block_device.py -blockdev: CommandFilter, blockdev, root - -# cinder/volume/drivers/ibm/gpfs.py -# cinder/volume/drivers/tintri.py -mv: CommandFilter, mv, root - -# cinder/volume/drivers/ibm/gpfs.py -cp: CommandFilter, cp, root -mmgetstate: CommandFilter, /usr/lpp/mmfs/bin/mmgetstate, root -mmclone: CommandFilter, /usr/lpp/mmfs/bin/mmclone, root -mmlsattr: CommandFilter, /usr/lpp/mmfs/bin/mmlsattr, root -mmchattr: CommandFilter, /usr/lpp/mmfs/bin/mmchattr, root -mmlsconfig: CommandFilter, /usr/lpp/mmfs/bin/mmlsconfig, root -mmlsfs: CommandFilter, /usr/lpp/mmfs/bin/mmlsfs, root -mmlspool: CommandFilter, /usr/lpp/mmfs/bin/mmlspool, root -mkfs: CommandFilter, mkfs, root -mmcrfileset: CommandFilter, /usr/lpp/mmfs/bin/mmcrfileset, root -mmlinkfileset: CommandFilter, /usr/lpp/mmfs/bin/mmlinkfileset, root -mmunlinkfileset: CommandFilter, /usr/lpp/mmfs/bin/mmunlinkfileset, root -mmdelfileset: CommandFilter, /usr/lpp/mmfs/bin/mmdelfileset, root -mmcrsnapshot: CommandFilter, /usr/lpp/mmfs/bin/mmcrsnapshot, root -mmdelsnapshot: CommandFilter, /usr/lpp/mmfs/bin/mmdelsnapshot, root - -# cinder/volume/drivers/ibm/gpfs.py -# cinder/volume/drivers/ibm/ibmnas.py -find_maxdepth_inum: RegExpFilter, find, root, find, ^[/]*([^/\0]+(/+)?)*$, -maxdepth, \d+, -ignore_readdir_race, -inum, \d+, -print0, 
-quit - -# cinder/brick/initiator/connector.py: -aoe-revalidate: CommandFilter, aoe-revalidate, root -aoe-discover: CommandFilter, aoe-discover, root -aoe-flush: CommandFilter, aoe-flush, root - -# cinder/brick/initiator/linuxscsi.py: -sg_scan: CommandFilter, sg_scan, root - -#cinder/backup/services/tsm.py -dsmc:CommandFilter,/usr/bin/dsmc,root - -# cinder/volume/drivers/hitachi/hbsd_horcm.py -raidqry: CommandFilter, raidqry, root -raidcom: CommandFilter, raidcom, root -pairsplit: CommandFilter, pairsplit, root -paircreate: CommandFilter, paircreate, root -pairdisplay: CommandFilter, pairdisplay, root -pairevtwait: CommandFilter, pairevtwait, root -horcmstart.sh: CommandFilter, horcmstart.sh, root -horcmshutdown.sh: CommandFilter, horcmshutdown.sh, root -horcmgr: EnvFilter, env, root, HORCMINST=, /etc/horcmgr - -# cinder/volume/drivers/hitachi/hbsd_snm2.py -auman: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auman -auluref: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auluref -auhgdef: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auhgdef -aufibre1: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/aufibre1 -auhgwwn: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auhgwwn -auhgmap: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auhgmap -autargetmap: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/autargetmap -aureplicationvvol: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/aureplicationvvol -auluadd: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, 
STONAVM_ACT=, /usr/stonavm/auluadd -auludel: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auludel -auluchgsize: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auluchgsize -auchapuser: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auchapuser -autargetdef: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/autargetdef -autargetopt: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/autargetopt -autargetini: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/autargetini -auiscsi: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auiscsi -audppool: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/audppool -aureplicationlocal: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/aureplicationlocal -aureplicationmon: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/aureplicationmon - -# cinder/volume/drivers/hgst.py -vgc-cluster: CommandFilter, vgc-cluster, root - -# cinder/volume/drivers/vzstorage.py -pstorage-mount: CommandFilter, pstorage-mount, root -pstorage: CommandFilter, pstorage, root -ploop: CommandFilter, ploop, root - -# initiator/connector.py: -drv_cfg: CommandFilter, /opt/emc/scaleio/sdc/bin/drv_cfg, root, /opt/emc/scaleio/sdc/bin/drv_cfg, --query_guid diff --git a/cinder/values.yaml b/cinder/values.yaml index 80cfdbf8bf..ec63d09116 100644 --- a/cinder/values.yaml +++ b/cinder/values.yaml 
@@ -424,16 +424,268 @@ conf:
 clusters:get: rule:admin_api
 clusters:get_all: rule:admin_api
 clusters:update: rule:admin_api
- cinder_sudoers:
- override:
- append:
- rootwrap:
- override:
- append:
+ cinder_sudoers: |
+ # This sudoers file supports rootwrap for both Kolla and LOCI Images.
+ Defaults !requiretty
+ Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/var/lib/openstack/bin:/var/lib/kolla/venv/bin"
+ cinder ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/cinder-rootwrap /etc/cinder/rootwrap.conf *, /var/lib/openstack/bin/cinder-rootwrap /etc/cinder/rootwrap.conf *
+ rootwrap: |
+ # Configuration for cinder-rootwrap
+ # This file should be owned by (and only-writeable by) the root user
+
+ [DEFAULT]
+ # List of directories to load filter definitions from (separated by ',').
+ # These directories MUST all be only writeable by root !
+ filters_path=/etc/cinder/rootwrap.d
+
+ # List of directories to search executables in, in case filters do not
+ # explicitely specify a full path (separated by ',')
+ # If not specified, defaults to system PATH environment variable.
+ # These directories MUST all be only writeable by root !
+ exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/var/lib/openstack/bin,/var/lib/kolla/venv/bin
+
+ # Enable logging to syslog
+ # Default value is False
+ use_syslog=False
+
+ # Which syslog facility to use.
+ # Valid values include auth, authpriv, syslog, local0, local1...
+ # Default value is 'syslog'
+ syslog_log_facility=syslog
+
+ # Which messages to log.
+ # INFO means log all usage
+ # ERROR means only log unsuccessful attempts
+ syslog_log_level=ERROR
 rootwrap_filters:
 volume:
- override:
- append:
+ pods:
+ - volume
+ content: |
+ # cinder-rootwrap command filters for volume nodes
+ # This file should be owned by (and only-writeable by) the root user
+
+ [Filters]
+ # cinder/volume/iscsi.py: iscsi_helper '--op' ...
+ ietadm: CommandFilter, ietadm, root + tgtadm: CommandFilter, tgtadm, root + iscsictl: CommandFilter, iscsictl, root + tgt-admin: CommandFilter, tgt-admin, root + cinder-rtstool: CommandFilter, cinder-rtstool, root + scstadmin: CommandFilter, scstadmin, root + + # LVM related show commands + pvs: EnvFilter, env, root, LC_ALL=C, pvs + vgs: EnvFilter, env, root, LC_ALL=C, vgs + lvs: EnvFilter, env, root, LC_ALL=C, lvs + lvdisplay: EnvFilter, env, root, LC_ALL=C, lvdisplay + + # -LVM related show commands with suppress fd warnings + pvs_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, pvs + vgs_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, vgs + lvs_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvs + lvdisplay_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvdisplay + + + # -LVM related show commands conf var + pvs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, pvs + vgs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, vgs + lvs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvs + lvdisplay_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvdisplay + + # -LVM conf var with suppress fd_warnings + pvs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, pvs + vgs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, vgs + lvs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvs + lvdisplay_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvdisplay + + # os-brick library commands + # os_brick.privileged.run_as_root oslo.privsep context + # This line ties the superuser privs with the config files, context name, + # and (implicitly) the actual python code invoked. 
+ privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.* + # The following and any cinder/brick/* entries should all be obsoleted + # by privsep, and may be removed once the os-brick version requirement + # is updated appropriately. + scsi_id: CommandFilter, /lib/udev/scsi_id, root + drbdadm: CommandFilter, drbdadm, root + + # cinder/brick/local_dev/lvm.py: 'vgcreate', vg_name, pv_list + vgcreate: CommandFilter, vgcreate, root + + # cinder/brick/local_dev/lvm.py: 'lvcreate', '-L', sizestr, '-n', volume_name,.. + # cinder/brick/local_dev/lvm.py: 'lvcreate', '-L', ... + lvcreate: EnvFilter, env, root, LC_ALL=C, lvcreate + lvcreate_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvcreate + lvcreate_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvcreate + lvcreate_lvmconf_fdwarn: EnvFilter, env, root, LVM_SYSTEM_DIR=, LVM_SUPPRESS_FD_WARNINGS=, LC_ALL=C, lvcreate + + # cinder/volume/driver.py: 'dd', 'if=%s' % srcstr, 'of=%s' % deststr,... + dd: CommandFilter, dd, root + + # cinder/volume/driver.py: 'lvremove', '-f', %s/%s % ... + lvremove: CommandFilter, lvremove, root + + # cinder/volume/driver.py: 'lvrename', '%(vg)s', '%(orig)s' '(new)s'... + lvrename: CommandFilter, lvrename, root + + # cinder/brick/local_dev/lvm.py: 'lvextend', '-L' '%(new_size)s', '%(lv_name)s' ... + # cinder/brick/local_dev/lvm.py: 'lvextend', '-L' '%(new_size)s', '%(thin_pool)s' ... 
+ lvextend: EnvFilter, env, root, LC_ALL=C, lvextend + lvextend_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvextend + lvextend_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvextend + lvextend_lvmconf_fdwarn: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvextend + + # cinder/brick/local_dev/lvm.py: 'lvchange -a y -K ' + lvchange: CommandFilter, lvchange, root + + # cinder/brick/local_dev/lvm.py: 'lvconvert', '--merge', snapshot_name + lvconvert: CommandFilter, lvconvert, root + + # cinder/volume/driver.py: 'iscsiadm', '-m', 'discovery', '-t',... + # cinder/volume/driver.py: 'iscsiadm', '-m', 'node', '-T', ... + iscsiadm: CommandFilter, iscsiadm, root + + # cinder/volume/utils.py: utils.temporary_chown(path, 0) + chown: CommandFilter, chown, root + + # cinder/volume/utils.py: copy_volume(..., ionice='...') + ionice_1: ChainingRegExpFilter, ionice, root, ionice, -c[0-3], -n[0-7] + ionice_2: ChainingRegExpFilter, ionice, root, ionice, -c[0-3] + + # cinder/volume/utils.py: setup_blkio_cgroup() + cgcreate: CommandFilter, cgcreate, root + cgset: CommandFilter, cgset, root + cgexec: ChainingRegExpFilter, cgexec, root, cgexec, -g, blkio:\S+ + + # cinder/volume/driver.py + dmsetup: CommandFilter, dmsetup, root + ln: CommandFilter, ln, root + + # cinder/image/image_utils.py + qemu-img: EnvFilter, env, root, LC_ALL=C, qemu-img + qemu-img_convert: CommandFilter, qemu-img, root + + udevadm: CommandFilter, udevadm, root + + # cinder/volume/driver.py: utils.read_file_as_root() + cat: CommandFilter, cat, root + + # cinder/volume/nfs.py + stat: CommandFilter, stat, root + mount: CommandFilter, mount, root + df: CommandFilter, df, root + du: CommandFilter, du, root + truncate: CommandFilter, truncate, root + chmod: CommandFilter, chmod, root + rm: CommandFilter, rm, root + + # cinder/volume/drivers/remotefs.py + mkdir: CommandFilter, mkdir, root + + # cinder/volume/drivers/netapp/nfs.py: + netapp_nfs_find: 
RegExpFilter, find, root, find, ^[/]*([^/\0]+(/+)?)*$, -maxdepth, \d+, -name, img-cache.*, -amin, \+\d+ + + # cinder/volume/drivers/glusterfs.py + chgrp: CommandFilter, chgrp, root + umount: CommandFilter, umount, root + fallocate: CommandFilter, fallocate, root + + # cinder/volumes/drivers/hds/hds.py: + hus-cmd: CommandFilter, hus-cmd, root + hus-cmd_local: CommandFilter, /usr/local/bin/hus-cmd, root + + # cinder/volumes/drivers/hds/hnas_backend.py + ssc: CommandFilter, ssc, root + + # cinder/brick/initiator/connector.py: + ls: CommandFilter, ls, root + tee: CommandFilter, tee, root + multipath: CommandFilter, multipath, root + multipathd: CommandFilter, multipathd, root + systool: CommandFilter, systool, root + + # cinder/volume/drivers/block_device.py + blockdev: CommandFilter, blockdev, root + + # cinder/volume/drivers/ibm/gpfs.py + # cinder/volume/drivers/tintri.py + mv: CommandFilter, mv, root + + # cinder/volume/drivers/ibm/gpfs.py + cp: CommandFilter, cp, root + mmgetstate: CommandFilter, /usr/lpp/mmfs/bin/mmgetstate, root + mmclone: CommandFilter, /usr/lpp/mmfs/bin/mmclone, root + mmlsattr: CommandFilter, /usr/lpp/mmfs/bin/mmlsattr, root + mmchattr: CommandFilter, /usr/lpp/mmfs/bin/mmchattr, root + mmlsconfig: CommandFilter, /usr/lpp/mmfs/bin/mmlsconfig, root + mmlsfs: CommandFilter, /usr/lpp/mmfs/bin/mmlsfs, root + mmlspool: CommandFilter, /usr/lpp/mmfs/bin/mmlspool, root + mkfs: CommandFilter, mkfs, root + mmcrfileset: CommandFilter, /usr/lpp/mmfs/bin/mmcrfileset, root + mmlinkfileset: CommandFilter, /usr/lpp/mmfs/bin/mmlinkfileset, root + mmunlinkfileset: CommandFilter, /usr/lpp/mmfs/bin/mmunlinkfileset, root + mmdelfileset: CommandFilter, /usr/lpp/mmfs/bin/mmdelfileset, root + mmcrsnapshot: CommandFilter, /usr/lpp/mmfs/bin/mmcrsnapshot, root + mmdelsnapshot: CommandFilter, /usr/lpp/mmfs/bin/mmdelsnapshot, root + + # cinder/volume/drivers/ibm/gpfs.py + # cinder/volume/drivers/ibm/ibmnas.py + find_maxdepth_inum: RegExpFilter, find, root, find, 
^[/]*([^/\0]+(/+)?)*$, -maxdepth, \d+, -ignore_readdir_race, -inum, \d+, -print0, -quit + + # cinder/brick/initiator/connector.py: + aoe-revalidate: CommandFilter, aoe-revalidate, root + aoe-discover: CommandFilter, aoe-discover, root + aoe-flush: CommandFilter, aoe-flush, root + + # cinder/brick/initiator/linuxscsi.py: + sg_scan: CommandFilter, sg_scan, root + + #cinder/backup/services/tsm.py + dsmc:CommandFilter,/usr/bin/dsmc,root + + # cinder/volume/drivers/hitachi/hbsd_horcm.py + raidqry: CommandFilter, raidqry, root + raidcom: CommandFilter, raidcom, root + pairsplit: CommandFilter, pairsplit, root + paircreate: CommandFilter, paircreate, root + pairdisplay: CommandFilter, pairdisplay, root + pairevtwait: CommandFilter, pairevtwait, root + horcmstart.sh: CommandFilter, horcmstart.sh, root + horcmshutdown.sh: CommandFilter, horcmshutdown.sh, root + horcmgr: EnvFilter, env, root, HORCMINST=, /etc/horcmgr + + # cinder/volume/drivers/hitachi/hbsd_snm2.py + auman: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auman + auluref: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auluref + auhgdef: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auhgdef + aufibre1: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/aufibre1 + auhgwwn: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auhgwwn + auhgmap: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auhgmap + autargetmap: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/autargetmap + aureplicationvvol: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, 
/usr/stonavm/aureplicationvvol + auluadd: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auluadd + auludel: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auludel + auluchgsize: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auluchgsize + auchapuser: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auchapuser + autargetdef: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/autargetdef + autargetopt: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/autargetopt + autargetini: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/autargetini + auiscsi: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auiscsi + audppool: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/audppool + aureplicationlocal: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/aureplicationlocal + aureplicationmon: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/aureplicationmon + + # cinder/volume/drivers/hgst.py + vgc-cluster: CommandFilter, vgc-cluster, root + + # cinder/volume/drivers/vzstorage.py + pstorage-mount: CommandFilter, pstorage-mount, root + pstorage: CommandFilter, pstorage, root + ploop: CommandFilter, ploop, root + + # initiator/connector.py: + drv_cfg: CommandFilter, /opt/emc/scaleio/sdc/bin/drv_cfg, root, /opt/emc/scaleio/sdc/bin/drv_cfg, --query_guid ceph: override: append:
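Review bot: The new `pods` and `content` keys introduced under `rootwrap_filters.volume` are undocumented, and the old `override:`/`append:` keys they replace had a merge semantic that no longer exists: as far as the configmap-etc.yaml hunk shows, `cinder_sudoers`, `rootwrap` and each `content` block are rendered verbatim with `indent 4`, so an operator override now replaces the entire sudoers file or root-command filter list, and a malformed value is only noticed when sudo or rootwrap reads it inside the volume pod. A short comment above `rootwrap_filters:` would make that contract explicit, e.g. `# pods: pods that mount this filter file; content: the complete rootwrap filter file, written as-is (overrides replace it, they are not merged)`, with a matching remark above `cinder_sudoers:`. The hunk's trailing context (`ceph:` still with `override:`/`append:`) suggests the same note should be reviewed whenever the remaining entries are converted.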