author | Francisco Redondo Marchena <francisco.marchena@codethink.co.uk> | 2015-02-12 17:26:00 +0000 |
committer | Pedro Alvarez <pedro.alvarez@codethink.co.uk> | 2015-03-05 22:28:09 +0000 |
commit | 360c51803a40aca979a7c1efae53106f8aad3ea4 (patch) | |
tree | 2d28ccbbfa7079627d5751af0e488daa8ad1fb94 /openstack/etc/neutron/rootwrap.d | |
parent | 8b0de9e8ec789fb2deeef5b2fe945b65bf1108aa (diff) | |
download | definitions-360c51803a40aca979a7c1efae53106f8aad3ea4.tar.gz |
SPLITME: Add all Openstack
Diffstat (limited to 'openstack/etc/neutron/rootwrap.d')
-rw-r--r-- | openstack/etc/neutron/rootwrap.d/cisco-apic.filters | 16 | ||||
-rw-r--r-- | openstack/etc/neutron/rootwrap.d/debug.filters | 14 | ||||
-rw-r--r-- | openstack/etc/neutron/rootwrap.d/dhcp.filters | 35 | ||||
-rw-r--r-- | openstack/etc/neutron/rootwrap.d/ipset-firewall.filters | 12 | ||||
-rw-r--r-- | openstack/etc/neutron/rootwrap.d/iptables-firewall.filters | 21 | ||||
-rw-r--r-- | openstack/etc/neutron/rootwrap.d/l3.filters | 48 | ||||
-rw-r--r-- | openstack/etc/neutron/rootwrap.d/lbaas-haproxy.filters | 26 | ||||
-rw-r--r-- | openstack/etc/neutron/rootwrap.d/linuxbridge-plugin.filters | 19 | ||||
-rw-r--r-- | openstack/etc/neutron/rootwrap.d/nec-plugin.filters | 12 | ||||
-rw-r--r-- | openstack/etc/neutron/rootwrap.d/ofagent.filters | 16 | ||||
-rw-r--r-- | openstack/etc/neutron/rootwrap.d/openvswitch-plugin.filters | 22 | ||||
-rw-r--r-- | openstack/etc/neutron/rootwrap.d/vpnaas.filters | 13 |
12 files changed, 254 insertions, 0 deletions
diff --git a/openstack/etc/neutron/rootwrap.d/cisco-apic.filters b/openstack/etc/neutron/rootwrap.d/cisco-apic.filters
new file mode 100644
index 00000000..69e4afcc
--- /dev/null
+++ b/openstack/etc/neutron/rootwrap.d/cisco-apic.filters
@@ -0,0 +1,16 @@
+# neutron-rootwrap command filters for nodes on which neutron is
+# expected to control network
+#
+# This file should be owned by (and only-writeable by) the root user
+
+# format seems to be
+# cmd-name: filter-name, raw-command, user, args
+
+[Filters]
+
+# cisco-apic filters
+lldpctl: CommandFilter, lldpctl, root
+
+# ip_lib filters
+ip: IpFilter, ip, root
+ip_exec: IpNetnsExecFilter, ip, root
diff --git a/openstack/etc/neutron/rootwrap.d/debug.filters b/openstack/etc/neutron/rootwrap.d/debug.filters
new file mode 100644
index 00000000..b61d9601
--- /dev/null
+++ b/openstack/etc/neutron/rootwrap.d/debug.filters
@@ -0,0 +1,14 @@
+# neutron-rootwrap command filters for nodes on which neutron is
+# expected to control network
+#
+# This file should be owned by (and only-writeable by) the root user
+
+# format seems to be
+# cmd-name: filter-name, raw-command, user, args
+
+[Filters]
+
+# This is needed because we should ping
+# from inside a namespace which requires root
+ping: RegExpFilter, ping, root, ping, -w, \d+, -c, \d+, [0-9\.]+
+ping6: RegExpFilter, ping6, root, ping6, -w, \d+, -c, \d+, [0-9A-Fa-f:]+
diff --git a/openstack/etc/neutron/rootwrap.d/dhcp.filters b/openstack/etc/neutron/rootwrap.d/dhcp.filters
new file mode 100644
index 00000000..0712ec13
--- /dev/null
+++ b/openstack/etc/neutron/rootwrap.d/dhcp.filters
@@ -0,0 +1,35 @@
+# neutron-rootwrap command filters for nodes on which neutron is
+# expected to control network
+#
+# This file should be owned by (and only-writeable by) the root user
+
+# format seems to be
+# cmd-name: filter-name, raw-command, user, args
+
+[Filters]
+
+# dhcp-agent
+dnsmasq: EnvFilter, dnsmasq, root, NEUTRON_NETWORK_ID=
+# dhcp-agent uses kill as well, that's handled by the generic KillFilter
+# it looks like these are the only signals needed, per
+# neutron/agent/linux/dhcp.py
+kill_dnsmasq: KillFilter, root, /sbin/dnsmasq, -9, -HUP
+kill_dnsmasq_usr: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP
+
+ovs-vsctl: CommandFilter, ovs-vsctl, root
+ivs-ctl: CommandFilter, ivs-ctl, root
+mm-ctl: CommandFilter, mm-ctl, root
+dhcp_release: CommandFilter, dhcp_release, root
+
+# metadata proxy
+metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
+# If installed from source (say, by devstack), the prefix will be
+# /usr/local instead of /usr/bin.
+metadata_proxy_local: CommandFilter, /usr/local/bin/neutron-ns-metadata-proxy, root
+# RHEL invocation of the metadata proxy will report /usr/bin/python
+kill_metadata: KillFilter, root, python, -9
+kill_metadata7: KillFilter, root, python2.7, -9
+
+# ip_lib
+ip: IpFilter, ip, root
+ip_exec: IpNetnsExecFilter, ip, root
diff --git a/openstack/etc/neutron/rootwrap.d/ipset-firewall.filters b/openstack/etc/neutron/rootwrap.d/ipset-firewall.filters
new file mode 100644
index 00000000..52c66373
--- /dev/null
+++ b/openstack/etc/neutron/rootwrap.d/ipset-firewall.filters
@@ -0,0 +1,12 @@
+# neutron-rootwrap command filters for nodes on which neutron is
+# expected to control network
+#
+# This file should be owned by (and only-writeable by) the root user
+
+# format seems to be
+# cmd-name: filter-name, raw-command, user, args
+
+[Filters]
+# neutron/agent/linux/iptables_firewall.py
+# "ipset", "-A", ...
+ipset: CommandFilter, ipset, root
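Review bot: `kill_metadata: KillFilter, root, python, -9` and `kill_metadata7: KillFilter, root, python2.7, -9` in dhcp.filters grant the neutron user a root SIGKILL, through rootwrap, on any process whose executable is `python` or `python2.7`, not only the neutron-ns-metadata-proxy the surrounding comment refers to; the same two lines are repeated in l3.filters. As far as I recall, KillFilter compares just the target's executable path (its basename when the filter names a bare command) and the signal list, so the grant would reach every other Python-based service on the node. If the interpreter path is fixed in this deployment, an absolute path would narrow it; otherwise a comment such as `# NOTE: matches any python process on the host, not only the metadata proxy` keeps the breadth of the grant visible to operators.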
diff --git a/openstack/etc/neutron/rootwrap.d/iptables-firewall.filters b/openstack/etc/neutron/rootwrap.d/iptables-firewall.filters
new file mode 100644
index 00000000..b8a6ab5b
--- /dev/null
+++ b/openstack/etc/neutron/rootwrap.d/iptables-firewall.filters
@@ -0,0 +1,21 @@
+# neutron-rootwrap command filters for nodes on which neutron is
+# expected to control network
+#
+# This file should be owned by (and only-writeable by) the root user
+
+# format seems to be
+# cmd-name: filter-name, raw-command, user, args
+
+[Filters]
+
+# neutron/agent/linux/iptables_manager.py
+# "iptables-save", ...
+iptables-save: CommandFilter, iptables-save, root
+iptables-restore: CommandFilter, iptables-restore, root
+ip6tables-save: CommandFilter, ip6tables-save, root
+ip6tables-restore: CommandFilter, ip6tables-restore, root
+
+# neutron/agent/linux/iptables_manager.py
+# "iptables", "-A", ...
+iptables: CommandFilter, iptables, root
+ip6tables: CommandFilter, ip6tables, root
diff --git a/openstack/etc/neutron/rootwrap.d/l3.filters b/openstack/etc/neutron/rootwrap.d/l3.filters
new file mode 100644
index 00000000..be69b32c
--- /dev/null
+++ b/openstack/etc/neutron/rootwrap.d/l3.filters
@@ -0,0 +1,48 @@
+# neutron-rootwrap command filters for nodes on which neutron is
+# expected to control network
+#
+# This file should be owned by (and only-writeable by) the root user
+
+# format seems to be
+# cmd-name: filter-name, raw-command, user, args
+
+[Filters]
+
+# arping
+arping: CommandFilter, arping, root
+
+# l3_agent
+sysctl: CommandFilter, sysctl, root
+route: CommandFilter, route, root
+radvd: CommandFilter, radvd, root
+
+# metadata proxy
+metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
+# If installed from source (say, by devstack), the prefix will be
+# /usr/local instead of /usr/bin.
+metadata_proxy_local: CommandFilter, /usr/local/bin/neutron-ns-metadata-proxy, root
+# RHEL invocation of the metadata proxy will report /usr/bin/python
+kill_metadata: KillFilter, root, python, -9
+kill_metadata7: KillFilter, root, python2.7, -9
+kill_radvd_usr: KillFilter, root, /usr/sbin/radvd, -9, -HUP
+kill_radvd: KillFilter, root, /sbin/radvd, -9, -HUP
+
+# ip_lib
+ip: IpFilter, ip, root
+ip_exec: IpNetnsExecFilter, ip, root
+
+# ovs_lib (if OVSInterfaceDriver is used)
+ovs-vsctl: CommandFilter, ovs-vsctl, root
+
+# iptables_manager
+iptables-save: CommandFilter, iptables-save, root
+iptables-restore: CommandFilter, iptables-restore, root
+ip6tables-save: CommandFilter, ip6tables-save, root
+ip6tables-restore: CommandFilter, ip6tables-restore, root
+
+# Keepalived
+keepalived: CommandFilter, keepalived, root
+kill_keepalived: KillFilter, root, /usr/sbin/keepalived, -HUP, -15, -9
+
+# l3 agent to delete floatingip's conntrack state
+conntrack: CommandFilter, conntrack, root
diff --git a/openstack/etc/neutron/rootwrap.d/lbaas-haproxy.filters b/openstack/etc/neutron/rootwrap.d/lbaas-haproxy.filters
new file mode 100644
index 00000000..b4e1ecba
--- /dev/null
+++ b/openstack/etc/neutron/rootwrap.d/lbaas-haproxy.filters
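Review bot: `sysctl: CommandFilter, sysctl, root` under `# l3_agent` in l3.filters lets the neutron user write any kernel parameter as root, because, as I understand rootwrap, CommandFilter constrains only the executable and accepts every argument; `route: CommandFilter, route, root` on the next line is unconstrained in the same way. Where the keys the agent actually sets are known for this deployment, a RegExpFilter limiting the argument to those keys, in the style debug.filters already uses for ping, would narrow the grant. If the broad filter is kept on purpose, a comment such as `# NOTE: argument-unrestricted; any sysctl key can be set via rootwrap` records that decision for whoever audits the filters later.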
@@ -0,0 +1,26 @@
+# neutron-rootwrap command filters for nodes on which neutron is
+# expected to control network
+#
+# This file should be owned by (and only-writeable by) the root user
+
+# format seems to be
+# cmd-name: filter-name, raw-command, user, args
+
+[Filters]
+
+# haproxy
+haproxy: CommandFilter, haproxy, root
+
+# lbaas-agent uses kill as well, that's handled by the generic KillFilter
+kill_haproxy_usr: KillFilter, root, /usr/sbin/haproxy, -9, -HUP
+
+ovs-vsctl: CommandFilter, ovs-vsctl, root
+mm-ctl: CommandFilter, mm-ctl, root
+
+# ip_lib
+ip: IpFilter, ip, root
+ip_exec: IpNetnsExecFilter, ip, root
+route: CommandFilter, route, root
+
+# arping
+arping: CommandFilter, arping, root
diff --git a/openstack/etc/neutron/rootwrap.d/linuxbridge-plugin.filters b/openstack/etc/neutron/rootwrap.d/linuxbridge-plugin.filters
new file mode 100644
index 00000000..03df3959
--- /dev/null
+++ b/openstack/etc/neutron/rootwrap.d/linuxbridge-plugin.filters
@@ -0,0 +1,19 @@
+# neutron-rootwrap command filters for nodes on which neutron is
+# expected to control network
+#
+# This file should be owned by (and only-writeable by) the root user
+
+# format seems to be
+# cmd-name: filter-name, raw-command, user, args
+
+[Filters]
+
+# linuxbridge-agent
+# unclear whether both variants are necessary, but I'm transliterating
+# from the old mechanism
+brctl: CommandFilter, brctl, root
+bridge: CommandFilter, bridge, root
+
+# ip_lib
+ip: IpFilter, ip, root
+ip_exec: IpNetnsExecFilter, ip, root
diff --git a/openstack/etc/neutron/rootwrap.d/nec-plugin.filters b/openstack/etc/neutron/rootwrap.d/nec-plugin.filters
new file mode 100644
index 00000000..89c4cfe3
--- /dev/null
+++ b/openstack/etc/neutron/rootwrap.d/nec-plugin.filters
@@ -0,0 +1,12 @@
+# neutron-rootwrap command filters for nodes on which neutron is
+# expected to control network
+#
+# This file should be owned by (and only-writeable by) the root user
+
+# format seems to be
+# cmd-name: filter-name, raw-command, user, args
+
+[Filters]
+
+# nec_neutron_agent
+ovs-vsctl: CommandFilter, ovs-vsctl, root
diff --git a/openstack/etc/neutron/rootwrap.d/ofagent.filters b/openstack/etc/neutron/rootwrap.d/ofagent.filters
new file mode 100644
index 00000000..11e42564
--- /dev/null
+++ b/openstack/etc/neutron/rootwrap.d/ofagent.filters
@@ -0,0 +1,16 @@
+# neutron-rootwrap command filters for nodes on which
+# neutron-ofagent-agent is expected to control network
+#
+# This file should be owned by (and only-writeable by) the root user
+
+# format seems to be
+# cmd-name: filter-name, raw-command, user, args
+
+[Filters]
+
+# ovs_lib
+ovs-vsctl: CommandFilter, ovs-vsctl, root
+
+# ip_lib
+ip: IpFilter, ip, root
+ip_exec: IpNetnsExecFilter, ip, root
diff --git a/openstack/etc/neutron/rootwrap.d/openvswitch-plugin.filters b/openstack/etc/neutron/rootwrap.d/openvswitch-plugin.filters
new file mode 100644
index 00000000..b63a83b9
--- /dev/null
+++ b/openstack/etc/neutron/rootwrap.d/openvswitch-plugin.filters
@@ -0,0 +1,22 @@
+# neutron-rootwrap command filters for nodes on which neutron is
+# expected to control network
+#
+# This file should be owned by (and only-writeable by) the root user
+
+# format seems to be
+# cmd-name: filter-name, raw-command, user, args
+
+[Filters]
+
+# openvswitch-agent
+# unclear whether both variants are necessary, but I'm transliterating
+# from the old mechanism
+ovs-vsctl: CommandFilter, ovs-vsctl, root
+ovs-ofctl: CommandFilter, ovs-ofctl, root
+kill_ovsdb_client: KillFilter, root, /usr/bin/ovsdb-client, -9
+ovsdb-client: CommandFilter, ovsdb-client, root
+xe: CommandFilter, xe, root
+
+# ip_lib
+ip: IpFilter, ip, root
+ip_exec: IpNetnsExecFilter, ip, root
diff --git a/openstack/etc/neutron/rootwrap.d/vpnaas.filters b/openstack/etc/neutron/rootwrap.d/vpnaas.filters
new file mode 100644
index 00000000..7848136b
--- /dev/null
+++ b/openstack/etc/neutron/rootwrap.d/vpnaas.filters
@@ -0,0 +1,13 @@
+# neutron-rootwrap command filters for nodes on which neutron is
+# expected to control network
+#
+# This file should be owned by (and only-writeable by) the root user
+
+# format seems to be
+# cmd-name: filter-name, raw-command, user, args
+
+[Filters]
+
+ip: IpFilter, ip, root
+ip_exec: IpNetnsExecFilter, ip, root
+openswan: CommandFilter, ipsec, root |