Merge "Introduce rootwrap and filter"
commit
98474e9465
@ -112,6 +112,8 @@ function configure_zun {
|
||||
sudo chown $STACK_USER $ZUN_CONF_DIR
|
||||
fi
|
||||
|
||||
configure_rootwrap zun
|
||||
|
||||
# Rebuild the config file from scratch
|
||||
create_zun_conf
|
||||
|
||||
|
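--- /dev/null
+++ b/etc/zun/rootwrap.conf
@@ -0,0 +1,27 @@
+# Configuration for zun-rootwrap
+# This file should be owned by (and only-writable by) the root user
+
+[DEFAULT]
+# List of directories to load filter definitions from (separated by ',').
+# These directories MUST all be only writable by root !
+filters_path=/etc/zun/rootwrap.d
+
+# List of directories to search executables in, in case filters do not
+# explicitely specify a full path (separated by ',')
+# If not specified, defaults to system PATH environment variable.
+# These directories MUST all be only writable by root !
+exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin
+
+# Enable logging to syslog
+# Default value is False
+use_syslog=False
+
+# Which syslog facility to use.
+# Valid values include auth, authpriv, syslog, local0, local1...
+# Default value is 'syslog'
+syslog_log_facility=syslog
+
+# Which messages to log.
+# INFO means log all usage
+# ERROR means only log unsuccessful attempts
+syslog_log_level=ERROR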
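Review bot: As shipped, `use_syslog=False` together with `syslog_log_level=ERROR` means a successful privileged command run through zun-rootwrap leaves no audit record at all, and even once syslog is switched on only rejected invocations would be logged. Deployments that need a trail of what ran as root should set `use_syslog=True`, `syslog_log_facility=authpriv` and `syslog_log_level=INFO`; a one-line hint next to `use_syslog`, such as `# Set to True (with syslog_log_level=INFO) to record every privileged command`, would make that trade-off visible where operators look for it. The exec_dirs comment also misspells `explicitely`, which should read `explicitly`.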
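--- /dev/null
+++ b/etc/zun/rootwrap.d/zun.filters
@@ -0,0 +1,8 @@
+# zun command filters
+# This file should be owned by (and only-writeable by) the root user
+
+[Filters]
+# privileged/__init__.py: priv_context.PrivContext(default)
+# This line ties the superuser privs with the config files, context name,
+# and (implicitly) the actual python code invoked.
+privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.*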
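Review bot: The only privsep context this filter admits is `os_brick.privileged.default`, yet the same change decorates `execute_root` with `@privileged.default.entrypoint` from Zun's own `privileged` module and the comment above the rule points at `privileged/__init__.py` rather than anything in os_brick; if that context's pypath is not literally `os_brick.privileged.default`, rootwrap rejects the `privsep-helper` launch and every root call from Zun fails (while os_brick's own helper would still be allowed). Confirm the pypath of Zun's context and, if it differs, add a second rule for it, e.g. `zun-privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, zun.common.privileged.default, --privsep_sock_path, /tmp/.*` (substituting the real module path), and correct the comment to name the module that defines it. As a smaller hardening, `--privsep_sock_path` accepts `/tmp/.*` without the `(?!\.\.)` guard that `--config-file` carries, so `/tmp/(?!\.\.).*` would keep the root-owned socket from being created outside /tmp by a compromised service user.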
@ -54,6 +54,7 @@ console_scripts =
|
||||
zun-compute = zun.cmd.compute:main
|
||||
zun-db-manage = zun.cmd.db_manage:main
|
||||
zun-wsproxy = zun.cmd.wsproxy:main
|
||||
zun-rootwrap = oslo_rootwrap.cmd:main
|
||||
wsgi_scripts =
|
||||
zun-api-wsgi = zun.api.wsgi:init_application
|
||||
|
||||
|
@ -13,13 +13,16 @@
|
||||
# under the License.
|
||||
|
||||
import os
|
||||
import shlex
|
||||
import sys
|
||||
|
||||
from oslo_log import log as logging
|
||||
from oslo_privsep import priv_context
|
||||
from oslo_service import service
|
||||
|
||||
from zun.common import rpc_service
|
||||
from zun.common import service as zun_service
|
||||
from zun.common import utils
|
||||
import zun.conf
|
||||
|
||||
CONF = zun.conf.CONF
|
||||
@ -27,6 +30,7 @@ LOG = logging.getLogger(__name__)
|
||||
|
||||
|
||||
def main():
|
||||
priv_context.init(root_helper=shlex.split(utils.get_root_helper()))
|
||||
zun_service.prepare_service(sys.argv)
|
||||
|
||||
LOG.info('Starting server in PID %s', os.getpid())
|
||||
|
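Review bot: `priv_context.init(root_helper=shlex.split(utils.get_root_helper()))` runs before `zun_service.prepare_service(sys.argv)`, and `get_root_helper` reads `CONF.rootwrap_config`; if prepare_service is where Zun parses its config files, the root helper is built before any operator override of `rootwrap_config` has been loaded, so the default `/etc/zun/rootwrap.conf` is always used regardless of zun.conf. Unless prepare_service itself already needs privsep, swapping the two lines fixes this: `zun_service.prepare_service(sys.argv)` followed by `priv_context.init(root_helper=shlex.split(utils.get_root_helper()))`. The body of main() continues past the end of the hunk.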
@ -313,6 +313,10 @@ def custom_execute(*cmd, **kwargs):
|
||||
error=six.text_type(e))
|
||||
|
||||
|
||||
def get_root_helper():
|
||||
return 'sudo zun-rootwrap %s' % CONF.rootwrap_config
|
||||
|
||||
|
||||
@privileged.default.entrypoint
|
||||
def execute_root(*cmd, **kwargs):
|
||||
# NOTE(kiennt): Set run_as_root=False because if it is set to True, the
|
||||
|
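Review bot: `get_root_helper` returns `sudo zun-rootwrap <CONF.rootwrap_config>` with the config path taken from Zun's own configuration, which the unprivileged service user can usually edit, so the whole privilege boundary rests on the sudoers rule for `zun-rootwrap` (not part of this change) pinning that argument, e.g. `zun ALL = (root) NOPASSWD: /usr/local/bin/zun-rootwrap /etc/zun/rootwrap.conf *`; with an unpinned rule a compromised service user can supply a rootwrap.conf whose `filters_path` is a directory it controls and run arbitrary commands as root. The function has no docstring, and this coupling is exactly what it should state, e.g. `"""Return the root-helper prefix for privsep; the rootwrap.conf path must match the one allowed in sudoers."""`. Note also that `shlex.split` is applied to this string by the caller, so a `rootwrap_config` value containing whitespace would be split into separate arguments. `execute_root` is cut off at the end of the hunk.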
@ -34,6 +34,7 @@ from zun.conf import profiler
|
||||
from zun.conf import scheduler
|
||||
from zun.conf import services
|
||||
from zun.conf import ssl
|
||||
from zun.conf import utils
|
||||
from zun.conf import volume
|
||||
from zun.conf import websocket_proxy
|
||||
from zun.conf import zun_client
|
||||
@ -63,3 +64,4 @@ volume.register_opts(CONF)
|
||||
cinder_client.register_opts(CONF)
|
||||
netconf.register_opts(CONF)
|
||||
availability_zone.register_opts(CONF)
|
||||
utils.register_opts(CONF)
|
||||
|
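--- /dev/null
+++ b/zun/conf/utils.py
@@ -0,0 +1,31 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from oslo_config import cfg
+
+
+utils_opts = [
+    cfg.StrOpt('rootwrap_config',
+               default="/etc/zun/rootwrap.conf",
+               help='Path to the rootwrap configuration file to use for '
+                    'running commands as root.'),
+]
+
+
+def register_opts(conf):
+    conf.register_opts(utils_opts)
+
+
+def list_opts():
+    return {
+        "DEFAULT": utils_opts
+    }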