Merge "Introduce rootwrap and filter"

Zuul 2018-03-20 09:42:27 +00:00 committed by Gerrit Code Review
commit 98474e9465
8 changed files with 79 additions and 0 deletions


@ -112,6 +112,8 @@ function configure_zun {
sudo chown $STACK_USER $ZUN_CONF_DIR sudo chown $STACK_USER $ZUN_CONF_DIR
fi fi
configure_rootwrap zun
# Rebuild the config file from scratch # Rebuild the config file from scratch
create_zun_conf create_zun_conf

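--- /dev/null
+++ b/etc/zun/rootwrap.conf
@@ -0,0 +1,27 @@
+# Configuration for zun-rootwrap
+# This file should be owned by (and only-writable by) the root user
+[DEFAULT]
+# List of directories to load filter definitions from (separated by ',').
+# These directories MUST all be only writable by root !
+filters_path=/etc/zun/rootwrap.d
+# List of directories to search executables in, in case filters do not
+# explicitely specify a full path (separated by ',')
+# If not specified, defaults to system PATH environment variable.
+# These directories MUST all be only writable by root !
+exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin
+# Enable logging to syslog
+# Default value is False
+use_syslog=False
+# Which syslog facility to use.
+# Valid values include auth, authpriv, syslog, local0, local1...
+# Default value is 'syslog'
+syslog_log_facility=syslog
+# Which messages to log.
+# INFO means log all usage
+# ERROR means only log unsuccessful attempts
+syslog_log_level=ERROR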
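Review bot: `explicitely` in the exec_dirs comment should read `explicitly`. As the comments describe it, `use_syslog=False` switches syslog output off entirely, so the `syslog_log_level=ERROR` line has no effect with the shipped defaults and rootwrap invocations leave no usage record; a deployment that wants that audit trail needs `use_syslog=True` together with `syslog_log_level=INFO`, and a comment next to `use_syslog` saying so would spare operators a surprise.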


@ -0,0 +1,8 @@
# zun command filters
# This file should be owned by (and only-writeable by) the root user
[Filters]
# privileged/__init__.py: priv_context.PrivContext(default)
# This line ties the superuser privs with the config files, context name,
# and (implicitly) the actual python code invoked.
privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.*
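Review bot: The single filter line pins `--privsep_context` to `os_brick.privileged.default`, while the comment above it describes zun's own `privileged/__init__.py` context and the utils.py hunk of this commit decorates `execute_root` with `privileged.default.entrypoint`. If that zun context lives at a different module path (presumably `zun.common.privileged.default`; its definition is not in this commit), the RegExpFilter will not match and rootwrap will refuse to launch zun's own privsep helper, so each context zun actually starts needs its own line with the exact context name rather than a broadened pattern. The file's path is not shown on this page; per rootwrap.conf it has to sit under `/etc/zun/rootwrap.d` and be writable only by root.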


@ -54,6 +54,7 @@ console_scripts =
zun-compute = zun.cmd.compute:main zun-compute = zun.cmd.compute:main
zun-db-manage = zun.cmd.db_manage:main zun-db-manage = zun.cmd.db_manage:main
zun-wsproxy = zun.cmd.wsproxy:main zun-wsproxy = zun.cmd.wsproxy:main
zun-rootwrap = oslo_rootwrap.cmd:main
wsgi_scripts = wsgi_scripts =
zun-api-wsgi = zun.api.wsgi:init_application zun-api-wsgi = zun.api.wsgi:init_application


@ -13,13 +13,16 @@
# under the License. # under the License.
import os import os
import shlex
import sys import sys
from oslo_log import log as logging from oslo_log import log as logging
from oslo_privsep import priv_context
from oslo_service import service from oslo_service import service
from zun.common import rpc_service from zun.common import rpc_service
from zun.common import service as zun_service from zun.common import service as zun_service
from zun.common import utils
import zun.conf import zun.conf
CONF = zun.conf.CONF CONF = zun.conf.CONF
@ -27,6 +30,7 @@ LOG = logging.getLogger(__name__)
def main(): def main():
priv_context.init(root_helper=shlex.split(utils.get_root_helper()))
zun_service.prepare_service(sys.argv) zun_service.prepare_service(sys.argv)
LOG.info('Starting server in PID %s', os.getpid()) LOG.info('Starting server in PID %s', os.getpid())
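Review bot: `priv_context.init(root_helper=shlex.split(utils.get_root_helper()))` runs before `zun_service.prepare_service(sys.argv)`, so `get_root_helper()` reads `CONF.rootwrap_config` before the config files are parsed (assuming prepare_service is where that happens), and an operator-set `rootwrap_config` is silently ignored in favour of the default path baked into the helper command. Swapping the two lines fixes the ordering: `zun_service.prepare_service(sys.argv)` followed by `priv_context.init(root_helper=shlex.split(utils.get_root_helper()))`. main's body continues past the end of the hunk.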


@ -313,6 +313,10 @@ def custom_execute(*cmd, **kwargs):
error=six.text_type(e)) error=six.text_type(e))
def get_root_helper():
return 'sudo zun-rootwrap %s' % CONF.rootwrap_config
@privileged.default.entrypoint @privileged.default.entrypoint
def execute_root(*cmd, **kwargs): def execute_root(*cmd, **kwargs):
# NOTE(kiennt): Set run_as_root=False because if it is set to True, the # NOTE(kiennt): Set run_as_root=False because if it is set to True, the
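Review bot: `get_root_helper` has no docstring, and its return value is security-relevant: the compute `main` hunk in this commit `shlex.split`s it into the privsep helper's `root_helper`, so it decides which rootwrap config `sudo` is invoked with. A docstring such as `"""Return the sudo/rootwrap command prefix used to spawn privsep helpers as root; the config path comes from CONF.rootwrap_config."""` would make that explicit. Note also that `CONF.rootwrap_config` is only as trustworthy as the sudoers rule that lets the zun user run `zun-rootwrap` (not part of this commit), which should name the config path rather than accept any argument, and that a path containing whitespace would be split into several arguments by the caller's `shlex.split`.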


@ -34,6 +34,7 @@ from zun.conf import profiler
from zun.conf import scheduler from zun.conf import scheduler
from zun.conf import services from zun.conf import services
from zun.conf import ssl from zun.conf import ssl
from zun.conf import utils
from zun.conf import volume from zun.conf import volume
from zun.conf import websocket_proxy from zun.conf import websocket_proxy
from zun.conf import zun_client from zun.conf import zun_client
@ -63,3 +64,4 @@ volume.register_opts(CONF)
cinder_client.register_opts(CONF) cinder_client.register_opts(CONF)
netconf.register_opts(CONF) netconf.register_opts(CONF)
availability_zone.register_opts(CONF) availability_zone.register_opts(CONF)
utils.register_opts(CONF)

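--- /dev/null
+++ b/zun/conf/utils.py
@@ -0,0 +1,31 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+from oslo_config import cfg
+utils_opts = [
+    cfg.StrOpt('rootwrap_config',
+               default="/etc/zun/rootwrap.conf",
+               help='Path to the rootwrap configuration file to use for '
+                    'running commands as root.'),
+]
+def register_opts(conf):
+    conf.register_opts(utils_opts)
+def list_opts():
+    return {
+        "DEFAULT": utils_opts
+    }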
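Review bot: The help text for `rootwrap_config` omits the two constraints the rest of the commit relies on: the file (and the `filters_path` it names) must be writable only by root, as rootwrap.conf's own header states, and the path must be one the sudoers rule for `zun-rootwrap` permits, since `get_root_helper()` passes it straight to `sudo zun-rootwrap`. Extend it to `help='Path to the rootwrap configuration file to use for running commands as root. The file must be owned and writable only by root and must match the path allowed by the sudoers rule for zun-rootwrap.'`. `register_opts` and `list_opts` could each take a one-line docstring, e.g. `"""Register the DEFAULT-group utils options on conf."""` and `"""Return the options this module registers, keyed by group."""`.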