author | Michael Still <mikal@stillhq.com> | 2017-08-01 10:28:38 +1000 |
---|---|---|
committer | Michael Still <mikal@stillhq.com> | 2017-09-12 05:38:26 +1000 |
commit | 0952f80d013c4ab85ff82355312feb2464796e38 (patch) | |
tree | b3f9dc673781c29648296d5c734b297d070c9b3f /nova/privsep | |
parent | d83e9c0b177d63c425075438c1462cdd809baa93 (diff) | |
download | nova-0952f80d013c4ab85ff82355312feb2464796e38.tar.gz |
Move execs of tee to privsep.
Instead of calling tee to write to files as root, we should just
write to files as root.
Change-Id: Ic48087fdf283b3ba503294a944be91be0c338132
Diffstat (limited to 'nova/privsep')
-rw-r--r-- | nova/privsep/__init__.py | 12 | ||||
-rw-r--r-- | nova/privsep/libvirt.py | 22 |
2 files changed, 33 insertions, 1 deletions
diff --git a/nova/privsep/__init__.py b/nova/privsep/__init__.py
index 608a040790..76029ad30b 100644
--- a/nova/privsep/__init__.py
+++ b/nova/privsep/__init__.py
@@ -15,13 +15,14 @@
 """Setup privsep decorator."""
+from oslo_privsep import capabilities
 from oslo_privsep import priv_context
 # NOTE(tonyb): DAC == Discriminatory Access Control. Basically this context
 # can bypass permissions checks in the file-system.
 dac_admin_pctxt = priv_context.PrivContext(
 'nova',
- cfg_section='nova_privileged',
+ cfg_section='nova_dac_admin',
 pypath=__name__ + '.dac_admin_pctxt',
 # NOTE(tonyb): These map to CAP_CHOWN, CAP_DAC_OVERRIDE,
 # CAP_DAC_READ_SEARCH and CAP_FOWNER. Some do not have
@@ -29,3 +30,12 @@ dac_admin_pctxt = priv_context.PrivContext(
 # for more information
 capabilities=[0, 1, 2, 3],
 )
+
+
+# NOTE(mikal): DAC + CAP_NET_ADMIN, required for network sysfs changes
+dacnet_admin_pctxt = priv_context.PrivContext(
+ 'nova',
+ cfg_section='nova_dacnet_admin',
+ pypath=__name__ + '.dacnet_admin_pctxt',
+ capabilities=[0, 1, 2, 3, capabilities.CAP_NET_ADMIN],
+)
diff --git a/nova/privsep/libvirt.py b/nova/privsep/libvirt.py
index d5dc6c8c84..6c2844f318 100644
--- a/nova/privsep/libvirt.py
+++ b/nova/privsep/libvirt.py
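Review bot: Changing `cfg_section` from `'nova_privileged'` to `'nova_dac_admin'` silently changes which configuration section the privsep daemon for `dac_admin_pctxt` reads, so any deployment that set options under `[nova_privileged]` loses them with no warning, and the commit message ("Move execs of tee to privsep") does not mention the rename. If the new name is intended, the old section should be called out as removed in a release note, and a comment next to the line should explain the change, e.g. `# NOTE: config section renamed from 'nova_privileged' to match the context name`. The hunk ends inside the `PrivContext(...)` call, whose closing lines are in the next hunk.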
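Review bot: The new `dacnet_admin_pctxt` repeats the bare capability numbers `[0, 1, 2, 3]` from `dac_admin_pctxt` without the comment that explains them, so a reader of this context alone cannot tell that it carries CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH and CAP_FOWNER in addition to CAP_NET_ADMIN. Pulling the shared list into one module constant, e.g. `_DAC_CAPS = [0, 1, 2, 3]` used by both contexts, would keep the two sets from drifting apart, or at least the NOTE(mikal) comment should say `# 0-3 are the same DAC capabilities as dac_admin_pctxt above`. Since CAP_NET_ADMIN is the broadest capability granted here, the comment should also state that this context exists only for the small set of sysfs/procfs writes in nova/privsep/libvirt.py, so later entrypoints are not added to it casually.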
@@ -55,3 +55,25 @@ def _last_bytes_inner(file_like_object, num):
 remaining = file_like_object.tell()
 return (file_like_object.read(), remaining)
+
+
+@nova.privsep.dacnet_admin_pctxt.entrypoint
+def enable_hairpin(interface):
+ """Enable hairpin mode for a libvirt guest."""
+ with open('/sys/class/net/%s/brport/hairpin_mode' % interface, 'w') as f:
+ f.write('1')
+
+
+@nova.privsep.dacnet_admin_pctxt.entrypoint
+def disable_multicast_snooping(interface):
+ """Disable multicast snooping for a bridge."""
+ with open('/sys/class/net/%s/bridge/multicast_snooping' % interface,
+ 'w') as f:
+ f.write('0')
+
+
+@nova.privsep.dacnet_admin_pctxt.entrypoint
+def disable_ipv6(interface):
+ """Disable ipv6 for a bridge."""
+ with open('/proc/sys/net/ipv6/conf/%s/disable_ipv' % interface, 'w') as f:
+ f.write('1')
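Review bot: The path built in `disable_ipv6` ends in `disable_ipv`, which is not the procfs knob the docstring promises (`disable_ipv6`), so the `open()` fails with ENOENT inside the privsep daemon and IPv6 stays enabled on the bridge. Beyond the typo, all three new entrypoints interpolate `interface` straight into a path that is then opened for writing with CAP_DAC_OVERRIDE; a name containing `/` or `..` would redirect that root write to some other file under /sys or /proc, so the name should be rejected before the path is built, ideally in one shared helper so the three functions stay consistent. The context lines at the top are the tail of `_last_bytes_inner`, whose body starts outside the hunk. A shared check and the corrected path are sketched below.
```python
def _check_interface_name(interface):
    """Reject names that would escape the per-interface sysfs/procfs directory."""
    if not interface or '/' in interface or interface in ('.', '..'):
        raise ValueError('invalid interface name: %r' % interface)


@nova.privsep.dacnet_admin_pctxt.entrypoint
def enable_hairpin(interface):
    """Enable hairpin mode for a libvirt guest."""
    _check_interface_name(interface)
    # … unchanged: open()/write of brport/hairpin_mode …

# … unchanged: disable_multicast_snooping, with the same _check_interface_name call added first …

@nova.privsep.dacnet_admin_pctxt.entrypoint
def disable_ipv6(interface):
    """Disable ipv6 for a bridge."""
    _check_interface_name(interface)
    with open('/proc/sys/net/ipv6/conf/%s/disable_ipv6' % interface, 'w') as f:
        f.write('1')
```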