author | Michael Still <mikal@stillhq.com> | 2017-09-18 23:16:52 +1000 |
---|---|---|
committer | Michael Still <mikal@stillhq.com> | 2017-09-18 23:17:35 +1000 |
commit | 90e91ca05245c889949d241cc14902f8496a9b7b (patch) | |
tree | a6589cf0f5d7c4628746949ebaba6abd300c902e /nova/privsep | |
parent | e00d8eb7593edb443f18c779b3fedc5bb91d79f8 (diff) | |
download | nova-90e91ca05245c889949d241cc14902f8496a9b7b.tar.gz |
Squash dacnet_admin privsep context.
As discussed at the PTG, we're going to use one big context for
ease of management.
Change-Id: I951abd402736735730e0868f31b85b1817055b2f
blueprint: hurrah-for-privsep
Diffstat (limited to 'nova/privsep')
-rw-r--r-- | nova/privsep/__init__.py | 12 | ||||
-rw-r--r-- | nova/privsep/libvirt.py | 6 |
2 files changed, 3 insertions, 15 deletions
diff --git a/nova/privsep/__init__.py b/nova/privsep/__init__.py
index c0e138a692..ddb5981710 100644
--- a/nova/privsep/__init__.py
+++ b/nova/privsep/__init__.py
@@ -18,18 +18,6 @@ from oslo_privsep import capabilities
 from oslo_privsep import priv_context
-# NOTE(mikal): DAC + CAP_NET_ADMIN, required for network sysfs changes
-dacnet_admin_pctxt = priv_context.PrivContext(
- 'nova',
- cfg_section='nova_dacnet_admin',
- pypath=__name__ + '.dacnet_admin_pctxt',
- capabilities=[capabilities.CAP_CHOWN,
- capabilities.CAP_DAC_OVERRIDE,
- capabilities.CAP_DAC_READ_SEARCH,
- capabilities.CAP_FOWNER,
- capabilities.CAP_NET_ADMIN],
-)
-
 sys_admin_pctxt = priv_context.PrivContext(
 'nova',
 cfg_section='nova_sys_admin',
diff --git a/nova/privsep/libvirt.py b/nova/privsep/libvirt.py
index 4f7f313c61..a65eb2611d 100644
--- a/nova/privsep/libvirt.py
+++ b/nova/privsep/libvirt.py
@@ -56,14 +56,14 @@ def _last_bytes_inner(file_like_object, num):
 return (file_like_object.read(), remaining)
-@nova.privsep.dacnet_admin_pctxt.entrypoint
+@nova.privsep.sys_admin_pctxt.entrypoint
 def enable_hairpin(interface):
 """Enable hairpin mode for a libvirt guest."""
 with open('/sys/class/net/%s/brport/hairpin_mode' % interface, 'w') as f:
 f.write('1')
-@nova.privsep.dacnet_admin_pctxt.entrypoint
+@nova.privsep.sys_admin_pctxt.entrypoint
 def disable_multicast_snooping(interface):
 """Disable multicast snooping for a bridge."""
 with open('/sys/class/net/%s/bridge/multicast_snooping' % interface,
@@ -71,7 +71,7 @@ def disable_multicast_snooping(interface):
 f.write('0')
-@nova.privsep.dacnet_admin_pctxt.entrypoint
+@nova.privsep.sys_admin_pctxt.entrypoint
 def disable_ipv6(interface):
 """Disable ipv6 for a bridge."""
 with open('/proc/sys/net/ipv6/conf/%s/disable_ipv' % interface, 'w') as f: |
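Review bot: `interface` is formatted straight into the sysfs path in `enable_hairpin` and `disable_multicast_snooping` (and into the procfs path in `disable_ipv6` in the `-71,7` hunk) with no check on its contents, and after this change those writes run inside `sys_admin_pctxt` instead of the narrower dacnet context. The capability list of `sys_admin_pctxt` is not visible in this diff, but as the single shared context it is presumably at least as broad, so a name containing `/` or `..` would direct a privileged write outside `/sys/class/net/<iface>/`. I would reject such values at the top of each entrypoint, e.g. `if '/' in interface or interface in ('.', '..'): raise ValueError('invalid interface name')`. The body of `disable_multicast_snooping` continues past the end of this hunk.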
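Review bot: The path opened in `disable_ipv6` ends in `disable_ipv` as shown here, whereas the per-interface sysctl the kernel exposes is named `disable_ipv6`, so this write probably does not reach the intended file. Since the decorator on this function is being changed anyway, it is worth confirming and correcting the literal to `'/proc/sys/net/ipv6/conf/%s/disable_ipv6'`. The function body continues outside the hunk, so the value written is not visible here.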