# nova-rootwrap command filters for compute nodes # This file should be owned by (and only-writeable by) the root user [Filters] # nova/virt/disk/mount/api.py: 'kpartx', '-a', device # nova/virt/disk/mount/api.py: 'kpartx', '-d', device kpartx: CommandFilter, kpartx, root # nova/virt/xenapi/vm_utils.py: tune2fs, -O ^has_journal, part_path # nova/virt/xenapi/vm_utils.py: tune2fs, -j, partition_path tune2fs: CommandFilter, tune2fs, root # nova/virt/disk/mount/api.py: 'mount', mapped_device # nova/virt/disk/api.py: 'mount', '-o', 'bind', src, target # nova/virt/xenapi/vm_utils.py: 'mount', '-t', 'ext2,ext3,ext4,reiserfs'.. # nova/virt/configdrive.py: 'mount', device, mountdir # nova/virt/libvirt/volume.py: 'mount', '-t', 'sofs' ... mount: CommandFilter, mount, root # nova/virt/disk/mount/api.py: 'umount', mapped_device # nova/virt/disk/api.py: 'umount' target # nova/virt/xenapi/vm_utils.py: 'umount', dev_path # nova/virt/configdrive.py: 'umount', mountdir umount: CommandFilter, umount, root # nova/virt/disk/mount/nbd.py: 'qemu-nbd', '-c', device, image # nova/virt/disk/mount/nbd.py: 'qemu-nbd', '-d', device qemu-nbd: CommandFilter, qemu-nbd, root # nova/virt/disk/mount/loop.py: 'losetup', '--find', '--show', image # nova/virt/disk/mount/loop.py: 'losetup', '--detach', device losetup: CommandFilter, losetup, root # nova/virt/libvirt/utils.py: 'blockdev', '--getsize64', path # nova/virt/disk/mount/nbd.py: 'blockdev', '--flushbufs', device blockdev: RegExpFilter, blockdev, root, blockdev, (--getsize64|--flushbufs), /dev/.* # nova/virt/disk/vfs/localfs.py: 'tee', canonpath tee: CommandFilter, tee, root # nova/virt/disk/vfs/localfs.py: 'mkdir', canonpath mkdir: CommandFilter, mkdir, root # nova/virt/disk/vfs/localfs.py: 'chown' # nova/virt/libvirt/connection.py: 'chown', os.getuid( console_log # nova/virt/libvirt/connection.py: 'chown', os.getuid( console_log # nova/virt/libvirt/connection.py: 'chown', 'root', basepath('disk') chown: CommandFilter, chown, root # nova/virt/disk/vfs/localfs.py: 'chmod' chmod: CommandFilter, chmod, root # nova/virt/libvirt/vif.py: 'ip', 'tuntap', 'add', dev, 'mode', 'tap' # nova/virt/libvirt/vif.py: 'ip', 'link', 'set', dev, 'up' # nova/virt/libvirt/vif.py: 'ip', 'link', 'delete', dev # nova/network/linux_net.py: 'ip', 'addr', 'add', str(floating_ip)+'/32'i.. # nova/network/linux_net.py: 'ip', 'addr', 'del', str(floating_ip)+'/32'.. # nova/network/linux_net.py: 'ip', 'addr', 'add', '169.254.169.254/32',.. # nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', dev, 'scope',.. # nova/network/linux_net.py: 'ip', 'addr', 'del/add', ip_params, dev) # nova/network/linux_net.py: 'ip', 'addr', 'del', params, fields[-1] # nova/network/linux_net.py: 'ip', 'addr', 'add', params, bridge # nova/network/linux_net.py: 'ip', '-f', 'inet6', 'addr', 'change', .. # nova/network/linux_net.py: 'ip', 'link', 'set', 'dev', dev, 'promisc',.. # nova/network/linux_net.py: 'ip', 'link', 'add', 'link', bridge_if ... # nova/network/linux_net.py: 'ip', 'link', 'set', interface, address,.. # nova/network/linux_net.py: 'ip', 'link', 'set', interface, 'up' # nova/network/linux_net.py: 'ip', 'link', 'set', bridge, 'up' # nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', interface, .. # nova/network/linux_net.py: 'ip', 'link', 'set', dev, address, .. # nova/network/linux_net.py: 'ip', 'link', 'set', dev, 'up' # nova/network/linux_net.py: 'ip', 'route', 'add', .. # nova/network/linux_net.py: 'ip', 'route', 'del', . # nova/network/linux_net.py: 'ip', 'route', 'show', 'dev', dev ip: CommandFilter, ip, root # nova/virt/libvirt/vif.py: 'tunctl', '-b', '-t', dev # nova/network/linux_net.py: 'tunctl', '-b', '-t', dev tunctl: CommandFilter, tunctl, root # nova/virt/libvirt/vif.py: 'ovs-vsctl', ... # nova/virt/libvirt/vif.py: 'ovs-vsctl', 'del-port', ... # nova/network/linux_net.py: 'ovs-vsctl', .... ovs-vsctl: CommandFilter, ovs-vsctl, root # nova/network/linux_net.py: 'ovs-ofctl', .... ovs-ofctl: CommandFilter, ovs-ofctl, root # nova/virt/libvirt/connection.py: 'dd', if=%s % virsh_output, ... dd: CommandFilter, dd, root # nova/virt/xenapi/volume_utils.py: 'iscsiadm', '-m', ... iscsiadm: CommandFilter, iscsiadm, root # nova/virt/libvirt/volume.py: 'aoe-revalidate', aoedev # nova/virt/libvirt/volume.py: 'aoe-discover' aoe-revalidate: CommandFilter, aoe-revalidate, root aoe-discover: CommandFilter, aoe-discover, root # nova/virt/xenapi/vm_utils.py: parted, --script, ... # nova/virt/xenapi/vm_utils.py: 'parted', '--script', dev_path, ..*. parted: CommandFilter, parted, root # nova/virt/xenapi/vm_utils.py: 'pygrub', '-qn', dev_path pygrub: CommandFilter, pygrub, root # nova/virt/xenapi/vm_utils.py: fdisk %(dev_path)s fdisk: CommandFilter, fdisk, root # nova/virt/xenapi/vm_utils.py: e2fsck, -f, -p, partition_path # nova/virt/disk/api.py: e2fsck, -f, -p, image e2fsck: CommandFilter, e2fsck, root # nova/virt/xenapi/vm_utils.py: resize2fs, partition_path # nova/virt/disk/api.py: resize2fs, image resize2fs: CommandFilter, resize2fs, root # nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ... iptables-save: CommandFilter, iptables-save, root ip6tables-save: CommandFilter, ip6tables-save, root # nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,) iptables-restore: CommandFilter, iptables-restore, root ip6tables-restore: CommandFilter, ip6tables-restore, root # nova/network/linux_net.py: 'arping', '-U', floating_ip, '-A', '-I', ... # nova/network/linux_net.py: 'arping', '-U', network_ref['dhcp_server'],.. arping: CommandFilter, arping, root # nova/network/linux_net.py: 'dhcp_release', dev, address, mac_address dhcp_release: CommandFilter, dhcp_release, root # nova/network/linux_net.py: 'kill', '-9', pid # nova/network/linux_net.py: 'kill', '-HUP', pid kill_dnsmasq: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP # nova/network/linux_net.py: 'kill', pid kill_radvd: KillFilter, root, /usr/sbin/radvd # nova/network/linux_net.py: dnsmasq call dnsmasq: EnvFilter, env, root, CONFIG_FILE=, NETWORK_ID=, dnsmasq # nova/network/linux_net.py: 'radvd', '-C', '%s' % _ra_file(dev, 'conf'.. radvd: CommandFilter, radvd, root # nova/network/linux_net.py: 'brctl', 'addbr', bridge # nova/network/linux_net.py: 'brctl', 'setfd', bridge, 0 # nova/network/linux_net.py: 'brctl', 'stp', bridge, 'off' # nova/network/linux_net.py: 'brctl', 'addif', bridge, interface brctl: CommandFilter, brctl, root # nova/virt/libvirt/utils.py: 'mkswap' # nova/virt/xenapi/vm_utils.py: 'mkswap' mkswap: CommandFilter, mkswap, root # nova/virt/xenapi/vm_utils.py: 'mkfs' # nova/utils.py: 'mkfs', fs, path, label mkfs: CommandFilter, mkfs, root # nova/virt/libvirt/utils.py: 'qemu-img' qemu-img: CommandFilter, qemu-img, root # nova/virt/disk/vfs/localfs.py: 'readlink', '-e' readlink: CommandFilter, readlink, root # nova/virt/disk/api.py: 'touch', target touch: CommandFilter, touch, root # nova/virt/disk/api.py: mkfs.ext3: CommandFilter, mkfs.ext3, root mkfs.ntfs: CommandFilter, mkfs.ntfs, root # nova/virt/libvirt/connection.py: read_initiator: ReadFileFilter, /etc/iscsi/initiatorname.iscsi # nova/virt/libvirt/connection.py: lvremove: CommandFilter, lvremove, root # nova/virt/libvirt/utils.py: lvcreate: CommandFilter, lvcreate, root # nova/virt/libvirt/utils.py: lvs: CommandFilter, lvs, root # nova/virt/libvirt/utils.py: vgs: CommandFilter, vgs, root # nova/virt/baremetal/volume_driver.py: 'tgtadm', '--lld', 'iscsi', ... tgtadm: CommandFilter, tgtadm, root # nova/utils.py:read_file_as_root: 'cat', file_path # (called from nova/virt/disk/vfs/localfs.py:VFSLocalFS.read_file) read_passwd: RegExpFilter, cat, root, cat, (/var|/usr)?/tmp/openstack-vfs-localfs[^/]+/etc/passwd read_shadow: RegExpFilter, cat, root, cat, (/var|/usr)?/tmp/openstack-vfs-localfs[^/]+/etc/shadow # nova/virt/libvirt/volume.py: 'multipath' '-R' multipath: CommandFilter, multipath, root # nova/virt/libvirt/utils.py: systool: CommandFilter, systool, root # nova/virt/libvirt/volume.py: sginfo: CommandFilter, sginfo, root sg_scan: CommandFilter, sg_scan, root ln: RegExpFilter, ln, root, ln, --symbolic, --force, /dev/mapper/ip-.*-iscsi-iqn.2010-10.org.openstack:volume-.*, /dev/disk/by-path/ip-.*-iscsi-iqn.2010-10.org.openstack:volume-.* # nova/volume/encryptors.py: # nova/virt/libvirt/dmcrypt.py: cryptsetup: CommandFilter, cryptsetup, root # nova/virt/xenapi/vm_utils.py: xenstore-read: CommandFilter, xenstore-read, root # nova/virt/baremetal/tilera.py: 'rpc.mountd' rpc.mountd: CommandFilter, rpc.mountd, root # nova/virt/libvirt/utils.py: rbd: CommandFilter, rbd, root # nova/virt/libvirt/utils.py: 'shred', '-n3', '-s%d' % volume_size, path shred: CommandFilter, shred, root # nova/virt/libvirt/volume.py: 'cp', '/dev/stdin', delete_control.. cp: CommandFilter, cp, root # nova/virt/xenapi/vm_utils.py: sync: CommandFilter, sync, root