From: Dirk Mueller
Date: Sat, 18 May 2013 15:06:30 +0000 (+0200)
Subject: Use exec_dirs for rootwrap commands
X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=d1a623bc97d26b55dde5431d6445a556b5a27c21;p=openstack-build%2Fneutron-build.git
Use exec_dirs for rootwrap commands
Avoid depending on platform specific paths for rootwrap by using exec_dirs in rootwrap. Fixes rootwrap configuration for SUSE. Fixes bug #1156044
Change-Id: I54d082c543fd84b40db0caa3571300ac0bb07b57
---
diff --git a/etc/quantum/rootwrap.d/debug.filters b/etc/quantum/rootwrap.d/debug.filters
index 6dbb4d7d3..0ff40e5c7 100644
--- a/etc/quantum/rootwrap.d/debug.filters
+++ b/etc/quantum/rootwrap.d/debug.filters
@@ -10,5 +10,5 @@
 # This is needed because we should ping
 # from inside a namespace which requires root
-ping: RegExpFilter, /bin/ping, root, ping, -w, \d+, -c, \d+, [0-9\.]+
-ping6: RegExpFilter, /bin/ping6, root, ping6, -w, \d+, -c, \d+, [0-9A-Fa-f:]+
+ping: RegExpFilter, ping, root, ping, -w, \d+, -c, \d+, [0-9\.]+
+ping6: RegExpFilter, ping6, root, ping6, -w, \d+, -c, \d+, [0-9A-Fa-f:]+
diff --git a/etc/quantum/rootwrap.d/dhcp.filters b/etc/quantum/rootwrap.d/dhcp.filters
index 4a4635a26..0a4ac41b3 100644
--- a/etc/quantum/rootwrap.d/dhcp.filters
+++ b/etc/quantum/rootwrap.d/dhcp.filters
@@ -9,7 +9,7 @@
 [Filters]
 # dhcp-agent
-ip_exec_dnsmasq: DnsmasqNetnsFilter, /sbin/ip, root
+ip_exec_dnsmasq: DnsmasqNetnsFilter, ip, root
 dnsmasq: DnsmasqFilter, /sbin/dnsmasq, root
 dnsmasq_usr: DnsmasqFilter, /usr/sbin/dnsmasq, root
 # dhcp-agent uses kill as well, that's handled by the generic KillFilter
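Review bot: `dnsmasq` and `dnsmasq_usr` keep their absolute paths while `ip_exec_dnsmasq` on the line above switches to a bare `ip`, so on a platform where dnsmasq lives outside /sbin and /usr/sbin — the kind of platform difference the commit message cites for SUSE — the dhcp agent would still be refused. If DnsmasqFilter resolves its executable through exec_dirs the way CommandFilter evidently does in this commit, the two entries collapse to `dnsmasq: DnsmasqFilter, dnsmasq, root`; if it does not, a one-line comment such as `# DnsmasqFilter needs a full path; exec_dirs is not consulted` would stop the next reader from "fixing" it. The KillFilter entries for dnsmasq in the following hunk presumably name the executable of the process being signalled rather than a command to run, so keeping those absolute looks intentional.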
@@ -19,14 +19,11 @@
 kill_dnsmasq: KillFilter, root, /sbin/dnsmasq, -9, -HUP
 kill_dnsmasq_usr: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP
 # dhcp-agent uses cat
-cat: RegExpFilter, /bin/cat, root, cat, /proc/\d+/cmdline
-ovs-vsctl: CommandFilter, /bin/ovs-vsctl, root
-ovs-vsctl_usr: CommandFilter, /usr/bin/ovs-vsctl, root
-ovs-vsctl_sbin: CommandFilter, /sbin/ovs-vsctl, root
-ovs-vsctl_sbin_usr: CommandFilter, /usr/sbin/ovs-vsctl, root
+cat: RegExpFilter, cat, root, cat, /proc/\d+/cmdline
+ovs-vsctl: CommandFilter, ovs-vsctl, root
 # metadata proxy
-metadata_proxy: CommandFilter, /usr/bin/quantum-ns-metadata-proxy, root
+metadata_proxy: CommandFilter, quantum-ns-metadata-proxy, root
 # If installed from source (say, by devstack), the prefix will be
 # /usr/local instead of /usr/bin.
 metadata_proxy_local: CommandFilter, /usr/local/bin/quantum-ns-metadata-proxy, root
@@ -36,7 +33,5 @@
 kill_metadata7: KillFilter, root, /usr/bin/python2.7, -9
 kill_metadata6: KillFilter, root, /usr/bin/python2.6, -9
 # ip_lib
-ip: IpFilter, /sbin/ip, root
-ip_usr: IpFilter, /usr/sbin/ip, root
-ip_exec: IpNetnsExecFilter, /sbin/ip, root
-ip_exec_usr: IpNetnsExecFilter, /usr/sbin/ip, root
+ip: IpFilter, ip, root
+ip_exec: IpNetnsExecFilter, ip, root
diff --git a/etc/quantum/rootwrap.d/iptables-firewall.filters b/etc/quantum/rootwrap.d/iptables-firewall.filters
index 2049e0e9f..8725596ad 100644
--- a/etc/quantum/rootwrap.d/iptables-firewall.filters
+++ b/etc/quantum/rootwrap.d/iptables-firewall.filters
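Review bot: The retained comment `# /usr/local instead of /usr/bin.` above `metadata_proxy_local` now contrasts with an entry that no longer mentions /usr/bin, since `metadata_proxy` two lines up is resolved through exec_dirs. Because /usr/local/bin is not among the exec_dirs added to etc/rootwrap.conf in this commit, the explicit `metadata_proxy_local` entry is still required, and the comment should say so: `# If installed from source (say, by devstack), the binary is under /usr/local/bin, which exec_dirs does not search, so it needs an explicit path.` The same comment pair is left unchanged in the l3.filters hunk.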
@@ -10,12 +10,12 @@
 # quantum/agent/linux/iptables_manager.py
 # "iptables-save", ...
-iptables-save: CommandFilter, /sbin/iptables-save, root
-iptables-restore: CommandFilter, /sbin/iptables-restore, root
-ip6tables-save: CommandFilter, /sbin/ip6tables-save, root
-ip6tables-restore: CommandFilter, /sbin/ip6tables-restore, root
+iptables-save: CommandFilter, iptables-save, root
+iptables-restore: CommandFilter, iptables-restore, root
+ip6tables-save: CommandFilter, ip6tables-save, root
+ip6tables-restore: CommandFilter, ip6tables-restore, root
 # quantum/agent/linux/iptables_manager.py
 # "iptables", "-A", ...
-iptables: CommandFilter, /sbin/iptables, root
-ip6tables: CommandFilter, /sbin/ip6tables, root
+iptables: CommandFilter, iptables, root
+ip6tables: CommandFilter, ip6tables, root
diff --git a/etc/quantum/rootwrap.d/l3.filters b/etc/quantum/rootwrap.d/l3.filters
index 480a77b06..5e7892cf8 100644
--- a/etc/quantum/rootwrap.d/l3.filters
+++ b/etc/quantum/rootwrap.d/l3.filters
@@ -9,15 +9,14 @@
 [Filters]
 # arping
-arping: CommandFilter, /usr/bin/arping, root
-arping_sbin: CommandFilter, /sbin/arping, root
+arping: CommandFilter, arping, root
 # l3_agent
-sysctl: CommandFilter, /sbin/sysctl, root
-route: CommandFilter, /sbin/route, root
+sysctl: CommandFilter, sysctl, root
+route: CommandFilter, route, root
 # metadata proxy
-metadata_proxy: CommandFilter, /usr/bin/quantum-ns-metadata-proxy, root
+metadata_proxy: CommandFilter, quantum-ns-metadata-proxy, root
 # If installed from source (say, by devstack), the prefix will be
 # /usr/local instead of /usr/bin.
 metadata_proxy_local: CommandFilter, /usr/local/bin/quantum-ns-metadata-proxy, root
@@ -27,19 +26,14 @@
 kill_metadata7: KillFilter, root, /usr/bin/python2.7, -9
 kill_metadata6: KillFilter, root, /usr/bin/python2.6, -9
 # ip_lib
-ip: IpFilter, /sbin/ip, root
-ip_usr: IpFilter, /usr/sbin/ip, root
-ip_exec: IpNetnsExecFilter, /sbin/ip, root
-ip_exec_usr: IpNetnsExecFilter, /usr/sbin/ip, root
+ip: IpFilter, ip, root
+ip_exec: IpNetnsExecFilter, ip, root
 # ovs_lib (if OVSInterfaceDriver is used)
-ovs-vsctl: CommandFilter, /bin/ovs-vsctl, root
-ovs-vsctl_usr: CommandFilter, /usr/bin/ovs-vsctl, root
-ovs-vsctl_sbin: CommandFilter, /sbin/ovs-vsctl, root
-ovs-vsctl_sbin_usr: CommandFilter, /usr/sbin/ovs-vsctl, root
+ovs-vsctl: CommandFilter, ovs-vsctl, root
 # iptables_manager
-iptables-save: CommandFilter, /sbin/iptables-save, root
-iptables-restore: CommandFilter, /sbin/iptables-restore, root
-ip6tables-save: CommandFilter, /sbin/ip6tables-save, root
-ip6tables-restore: CommandFilter, /sbin/ip6tables-restore, root
+iptables-save: CommandFilter, iptables-save, root
+iptables-restore: CommandFilter, iptables-restore, root
+ip6tables-save: CommandFilter, ip6tables-save, root
+ip6tables-restore: CommandFilter, ip6tables-restore, root
diff --git a/etc/quantum/rootwrap.d/lbaas-haproxy.filters b/etc/quantum/rootwrap.d/lbaas-haproxy.filters
index e00a7197a..b87657e2c 100644
--- a/etc/quantum/rootwrap.d/lbaas-haproxy.filters
+++ b/etc/quantum/rootwrap.d/lbaas-haproxy.filters
@@ -9,21 +9,16 @@
 [Filters]
 # haproxy
-haproxy: CommandFilter, /usr/sbin/haproxy, root
+haproxy: CommandFilter, haproxy, root
 # lbaas-agent uses kill as well, that's handled by the generic KillFilter
 kill_haproxy_usr: KillFilter, root, /usr/sbin/haproxy, -9, -HUP
 # lbaas-agent uses cat
-cat: RegExpFilter, /bin/cat, root, cat, /proc/\d+/cmdline
+cat: RegExpFilter, cat, root, cat, /proc/\d+/cmdline
-ovs-vsctl: CommandFilter, /bin/ovs-vsctl, root
-ovs-vsctl_usr: CommandFilter, /usr/bin/ovs-vsctl, root
-ovs-vsctl_sbin: CommandFilter, /sbin/ovs-vsctl, root
-ovs-vsctl_sbin_usr: CommandFilter, /usr/sbin/ovs-vsctl, root
+ovs-vsctl: CommandFilter, ovs-vsctl, root
 # ip_lib
-ip: IpFilter, /sbin/ip, root
-ip_usr: IpFilter, /usr/sbin/ip, root
-ip_exec: IpNetnsExecFilter, /sbin/ip, root
-ip_exec_usr: IpNetnsExecFilter, /usr/sbin/ip, root
+ip: IpFilter, ip, root
+ip_exec: IpNetnsExecFilter, ip, root
diff --git a/etc/quantum/rootwrap.d/linuxbridge-plugin.filters b/etc/quantum/rootwrap.d/linuxbridge-plugin.filters
index 301280cb0..7814c95c9 100644
--- a/etc/quantum/rootwrap.d/linuxbridge-plugin.filters
+++ b/etc/quantum/rootwrap.d/linuxbridge-plugin.filters
@@ -11,11 +11,8 @@
 # linuxbridge-agent
 # unclear whether both variants are necessary, but I'm transliterating
 # from the old mechanism
-brctl: CommandFilter, /sbin/brctl, root
-brctl_usr: CommandFilter, /usr/sbin/brctl, root
+brctl: CommandFilter, brctl, root
 # ip_lib
-ip: IpFilter, /sbin/ip, root
-ip_usr: IpFilter, /usr/sbin/ip, root
-ip_exec: IpNetnsExecFilter, /sbin/ip, root
-ip_exec_usr: IpNetnsExecFilter, /usr/sbin/ip, root
+ip: IpFilter, ip, root
+ip_exec: IpNetnsExecFilter, ip, root
diff --git a/etc/quantum/rootwrap.d/nec-plugin.filters b/etc/quantum/rootwrap.d/nec-plugin.filters
index 6d8f9c2a1..f175b4d68 100644
--- a/etc/quantum/rootwrap.d/nec-plugin.filters
+++ b/etc/quantum/rootwrap.d/nec-plugin.filters
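Review bot: `haproxy` is now located through exec_dirs, but `kill_haproxy_usr` two lines below still authorizes signalling only `/usr/sbin/haproxy`, so an haproxy found under another exec_dirs entry would be startable yet not stoppable through rootwrap. dhcp.filters avoids this for dnsmasq by keeping kill entries for both /sbin and /usr/sbin; a matching `kill_haproxy: KillFilter, root, /sbin/haproxy, -9, -HUP` (or whichever location the SUSE fix targets) would keep start and stop consistent. The KillFilter path presumably identifies the target process rather than a command to execute, so it cannot simply be made bare like the CommandFilter entries.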
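Review bot: The context comment `# unclear whether both variants are necessary, but I'm transliterating` / `# from the old mechanism` describes the /sbin and /usr/sbin duplicates that this hunk deletes, so it is now stale above a single `brctl` entry. Replace it with a comment that states the new mechanism, e.g. `# bare command names are resolved through exec_dirs in rootwrap.conf`. The same stale comment survives in the openvswitch-plugin.filters hunk.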
@@ -9,7 +9,4 @@
 [Filters]
 # nec_quantum_agent
-ovs-vsctl: CommandFilter, /bin/ovs-vsctl, root
-ovs-vsctl_usr: CommandFilter, /usr/bin/ovs-vsctl, root
-ovs-vsctl_sbin: CommandFilter, /sbin/ovs-vsctl, root
-ovs-vsctl_sbin_usr: CommandFilter, /usr/sbin/ovs-vsctl, root
+ovs-vsctl: CommandFilter, ovs-vsctl, root
diff --git a/etc/quantum/rootwrap.d/openvswitch-plugin.filters b/etc/quantum/rootwrap.d/openvswitch-plugin.filters
index c3164480c..5cf14ab59 100644
--- a/etc/quantum/rootwrap.d/openvswitch-plugin.filters
+++ b/etc/quantum/rootwrap.d/openvswitch-plugin.filters
@@ -11,19 +11,10 @@
 # openvswitch-agent
 # unclear whether both variants are necessary, but I'm transliterating
 # from the old mechanism
-ovs-vsctl: CommandFilter, /bin/ovs-vsctl, root
-ovs-vsctl_usr: CommandFilter, /usr/bin/ovs-vsctl, root
-ovs-vsctl_sbin: CommandFilter, /sbin/ovs-vsctl, root
-ovs-vsctl_sbin_usr: CommandFilter, /usr/sbin/ovs-vsctl, root
-ovs-ofctl: CommandFilter, /bin/ovs-ofctl, root
-ovs-ofctl_usr: CommandFilter, /usr/bin/ovs-ofctl, root
-ovs-ofctl_sbin: CommandFilter, /sbin/ovs-ofctl, root
-ovs-ofctl_sbin_usr: CommandFilter, /usr/sbin/ovs-ofctl, root
-xe: CommandFilter, /sbin/xe, root
-xe_usr: CommandFilter, /usr/sbin/xe, root
+ovs-vsctl: CommandFilter, ovs-vsctl, root
+ovs-ofctl: CommandFilter, ovs-ofctl, root
+xe: CommandFilter, xe, root
 # ip_lib
-ip: IpFilter, /sbin/ip, root
-ip_usr: IpFilter, /usr/sbin/ip, root
-ip_exec: IpNetnsExecFilter, /sbin/ip, root
-ip_exec_usr: IpNetnsExecFilter, /usr/sbin/ip, root
+ip: IpFilter, ip, root
+ip_exec: IpNetnsExecFilter, ip, root
diff --git a/etc/quantum/rootwrap.d/ryu-plugin.filters b/etc/quantum/rootwrap.d/ryu-plugin.filters
index 696c7d39a..a7f9b9c36 100644
--- a/etc/quantum/rootwrap.d/ryu-plugin.filters
+++ b/etc/quantum/rootwrap.d/ryu-plugin.filters
@@ -14,12 +14,8 @@
 # quantum/plugins/ryu/agent/ryu_quantum_agent.py:
 # "ovs-vsctl", "--timeout=2", ...
-ovs-vsctl: CommandFilter, /bin/ovs-vsctl, root
-ovs-vsctl_usr: CommandFilter, /usr/bin/ovs-vsctl, root
-ovs-vsctl_sbin: CommandFilter, /sbin/ovs-vsctl, root
-ovs-vsctl_sbin_usr: CommandFilter, /usr/sbin/ovs-vsctl, root
+ovs-vsctl: CommandFilter, ovs-vsctl, root
 # quantum/plugins/ryu/agent/ryu_quantum_agent.py:
 # "xe", "vif-param-get", ...
-xe: CommandFilter, /bin/xe, root
-xe_usr: CommandFilter, /usr/bin/xe, root
+xe: CommandFilter, xe, root
diff --git a/etc/rootwrap.conf b/etc/rootwrap.conf
index cd472f5ce..5c70197b5 100644
--- a/etc/rootwrap.conf
+++ b/etc/rootwrap.conf
@@ -3,6 +3,12 @@
 # These directories MUST all be only writeable by root !
 filters_path=/etc/quantum/rootwrap.d,/usr/share/quantum/rootwrap
+# List of directories to search executables in, in case filters do not
+# explicitely specify a full path (separated by ',')
+# If not specified, defaults to system PATH environment variable.
+# These directories MUST all be only writeable by root !
+exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin
 [XENAPI]
 # XenAPI configuration is only required by the L2 agent if it is to
 # target a XenServer/XCP compute host's dom0.
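Review bot: The added comment says that without exec_dirs the search falls back to the PATH environment variable, which means a missing or misspelled `exec_dirs` key silently widens every bare-name filter introduced by this commit to whatever directories the invoking environment carries (subject to how the wrapper is launched, which is not shown here); the comment should make that consequence explicit rather than present it as a neutral default. It also misspells "explicitly". Suggested wording for the first three added lines: `# List of directories to search executables in, in case filters do not` / `# explicitly specify a full path (separated by ',').` / `# If not specified, the PATH of the calling environment is searched instead, which is not guaranteed to be root-controlled; always set this.` The list deliberately omits /usr/local/bin, which is why the metadata_proxy_local entries in the filter files keep an absolute path and is worth stating in the comment as well.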