authorMichael Still <mikal@stillhq.com>2017-08-01 10:28:38 +1000
committerMichael Still <mikal@stillhq.com>2017-09-12 05:38:26 +1000
commit0952f80d013c4ab85ff82355312feb2464796e38 (patch)
treeb3f9dc673781c29648296d5c734b297d070c9b3f /nova/privsep
parentd83e9c0b177d63c425075438c1462cdd809baa93 (diff)
Move execs of tee to privsep.
Instead of calling tee to write to files as root, we should just write to files as root. Change-Id: Ic48087fdf283b3ba503294a944be91be0c338132
Diffstat (limited to 'nova/privsep')
-rw-r--r--nova/privsep/__init__.py12
-rw-r--r--nova/privsep/libvirt.py22
2 files changed, 33 insertions, 1 deletions
diff --git a/nova/privsep/__init__.py b/nova/privsep/__init__.py
index 608a040790..76029ad30b 100644
--- a/nova/privsep/__init__.py
+++ b/nova/privsep/__init__.py
@@ -15,13 +15,14 @@
"""Setup privsep decorator."""
+from oslo_privsep import capabilities
from oslo_privsep import priv_context
# NOTE(tonyb): DAC == Discriminatory Access Control. Basically this context
# can bypass permissions checks in the file-system.
dac_admin_pctxt = priv_context.PrivContext(
'nova',
- cfg_section='nova_privileged',
+ cfg_section='nova_dac_admin',
pypath=__name__ + '.dac_admin_pctxt',
# NOTE(tonyb): These map to CAP_CHOWN, CAP_DAC_OVERRIDE,
# CAP_DAC_READ_SEARCH and CAP_FOWNER. Some do not have
@@ -29,3 +30,12 @@ dac_admin_pctxt = priv_context.PrivContext(
# for more information
capabilities=[0, 1, 2, 3],
)
+
+
+# NOTE(mikal): DAC + CAP_NET_ADMIN, required for network sysfs changes
+dacnet_admin_pctxt = priv_context.PrivContext(
+ 'nova',
+ cfg_section='nova_dacnet_admin',
+ pypath=__name__ + '.dacnet_admin_pctxt',
+ capabilities=[0, 1, 2, 3, capabilities.CAP_NET_ADMIN],
+)
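Review bot: The rename of the existing context's section to `cfg_section='nova_dac_admin'` is an operator-visible change that the description does not mention: any deployment that set options under the old `[nova_privileged]` section (for example the helper command) would silently stop applying them, so the commit message or a release note should call it out. In the new dacnet_admin_pctxt the capabilities list mixes the raw integers 0-3 with the symbolic `capabilities.CAP_NET_ADMIN`; since the module now imports oslo_privsep.capabilities, `capabilities=[capabilities.CAP_CHOWN, capabilities.CAP_DAC_OVERRIDE, capabilities.CAP_DAC_READ_SEARCH, capabilities.CAP_FOWNER, capabilities.CAP_NET_ADMIN]` would state the intent directly (the same substitution fits the older list above, replacing its NOTE cross-reference). A short why-comment on the new context, e.g. `# NOTE: bridge/brport sysfs attributes are gated on CAP_NET_ADMIN, which the DAC-only context lacks`, would help readers pick the least-privileged context for a given entrypoint.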
diff --git a/nova/privsep/libvirt.py b/nova/privsep/libvirt.py
index d5dc6c8c84..6c2844f318 100644
--- a/nova/privsep/libvirt.py
+++ b/nova/privsep/libvirt.py
@@ -55,3 +55,25 @@ def _last_bytes_inner(file_like_object, num):
remaining = file_like_object.tell()
return (file_like_object.read(), remaining)
+
+
+@nova.privsep.dacnet_admin_pctxt.entrypoint
+def enable_hairpin(interface):
+ """Enable hairpin mode for a libvirt guest."""
+ with open('/sys/class/net/%s/brport/hairpin_mode' % interface, 'w') as f:
+ f.write('1')
+
+
+@nova.privsep.dacnet_admin_pctxt.entrypoint
+def disable_multicast_snooping(interface):
+ """Disable multicast snooping for a bridge."""
+ with open('/sys/class/net/%s/bridge/multicast_snooping' % interface,
+ 'w') as f:
+ f.write('0')
+
+
+@nova.privsep.dacnet_admin_pctxt.entrypoint
+def disable_ipv6(interface):
+ """Disable ipv6 for a bridge."""
+ with open('/proc/sys/net/ipv6/conf/%s/disable_ipv' % interface, 'w') as f:
+ f.write('1')
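Review bot: The path in disable_ipv6 is truncated: `/proc/sys/net/ipv6/conf/%s/disable_ipv` is not a sysctl entry, so the open() will fail inside the privsep daemon instead of disabling IPv6; the line should read `with open('/proc/sys/net/ipv6/conf/%s/disable_ipv6' % interface, 'w') as f:`. All three new entrypoints also interpolate the caller-supplied `interface` straight into a path that is opened for writing as root, and because the privsep socket is the trust boundary the unprivileged side can pass any string; rejecting names that contain a path separator or equal '.'/'..' before the open, e.g. `if '/' in interface or interface in ('.', '..'): raise ValueError('invalid interface name: %s' % interface)`, keeps these writes confined to the intended sysfs/procfs entries. Since the three functions differ only in the path template and the value written, a small private helper that validates the name and performs the write would remove the duplication and give the check a single home. The docstring of disable_ipv6 says "for a bridge" while the path is a per-interface procfs entry; `"""Disable IPv6 on the named interface."""` would match what the code does.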