Implement rootwrap

This patch adds the rootwrap templates, filters, etc. so that
the designate service is capable of executing commands
against bind9 when it needs to.
Jesse Pretorius
2016年03月11日 12:29:04 +00:00
parent d9700294e0
commit 6856ee841d


@@ -154,4 +154,5 @@ designate_service_names:
designate_policy_overrides:{}
designate_designate_conf_overrides:{}
designate_api_paste_ini_overrides:{}
designate_rootwrap_conf_overrides:{}


@@ -0,0 +1,10 @@
# designate-rootwrap command filters for nodes on which designate is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
rndc: CommandFilter, /usr/sbin/rndc, root
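Review bot: The header comments of this new filters file read as copied from another service and are hedged in a file that grants root: `expected to control network` describes a network agent rather than a DNS backend, and `format seems to be` leaves the filter syntax uncertain. Replace them with `# designate-rootwrap command filters for nodes on which designate is` / `# expected to manage bind9 via rndc` and `# format: cmd-name: filter-name, raw-command, user[, args]`. Note that a CommandFilter places no restriction on the arguments passed to `/usr/sbin/rndc`, so every rndc subcommand the service user asks for runs as root; if only a subset is ever needed, an argument-matching class such as RegExpFilter would narrow the grant, subject to what the oslo.rootwrap version in use provides, which this page does not show.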


@@ -35,6 +35,25 @@
dest:"/etc/designate/policy.json"
config_overrides:"{{ designate_policy_overrides }}"
config_type:"json"
- src:"rootwrap.conf.j2"
dest:"/etc/designate/rootwrap.conf"
owner:"root"
group:"root"
config_overrides:"{{ designate_rootwrap_conf_overrides }}"
config_type:"ini"
notify:Restart designate services
tags:
- designate-config
- designate-post-install
- name:Copy designate rootwrap filter config
copy:
src:"{{ item.src }}"
dest:"{{ item.dest }}"
owner:"root"
group:"root"
with_items:
- {src:"rootwrap.d/bind9.filters", dest:"/etc/designate/rootwrap.d/bind9.filters"}
notify:Restart designate services
tags:
- designate-config
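Review bot: Neither the template task for rootwrap.conf nor the copy task for the filter file sets a `mode`, so the written files take the remote umask even though rootwrap.conf itself states the filter directories must be writable only by root. Add `mode: "0644"` to both tasks next to the existing `owner: "root"` / `group: "root"` lines. The copy task also writes into `/etc/designate/rootwrap.d/`, but nothing in this hunk creates that directory with root ownership and root-only write permission; if it is not created by a task outside this hunk, the copy may fail on a fresh host and the directory permissions go unchecked either way. The enclosing task list starts before this hunk.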


@@ -3,6 +3,9 @@ auth_strategy = keystone
verbose = {{ verbose }}
debug = {{ debug }}
# Root helper
root_helper = sudo designate-rootwrap /etc/designate/rootwrap.conf
[oslo_messaging_rabbit]
rpc_backend = rabbit
rabbit_port = {{ rabbitmq_port }}
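Review bot: `root_helper = sudo designate-rootwrap /etc/designate/rootwrap.conf` relies on sudo locating `designate-rootwrap` on its own search path, yet the rootwrap.conf template in this same commit lists `{{ designate_bin }}` as a separate executable directory, which suggests the service runs from a venv whose bin directory sudo's `secure_path` may not include. Use the absolute path, `root_helper = sudo {{ designate_bin }}/designate-rootwrap /etc/designate/rootwrap.conf`, so the helper that runs as root does not depend on the calling environment. This commit also contains no sudoers rule permitting the designate service user to run that helper without a password; if one is not added elsewhere every rootwrap call fails at sudo, and if it is, it should pin the same absolute path rather than a bare command name.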


@@ -0,0 +1,27 @@
# Configuration for designate-rootwrap
# This file should be owned by (and only-writeable by) the root user
[DEFAULT]
# List of directories to load filter definitions from (separated by ',').
# These directories MUST all be only writeable by root !
filters_path=/etc/designate/rootwrap.d,/usr/share/designate/rootwrap
# List of directories to search executables in, in case filters do not
# explicitely specify a full path (separated by ',')
# If not specified, defaults to system PATH environment variable.
# These directories MUST all be only writeable by root !
exec_dirs={{ designate_bin }},/sbin,/usr/sbin,/bin,/usr/bin
# Enable logging to syslog
# Default value is False
use_syslog=False
# Which syslog facility to use.
# Valid values include auth, authpriv, syslog, user0, user1...
# Default value is 'syslog'
syslog_log_facility=syslog
# Which messages to log.
# INFO means log all usage
# ERROR means only log unsuccessful attempts
syslog_log_level=ERROR
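Review bot: With `use_syslog=False` and `syslog_log_level=ERROR`, commands executed as root through rootwrap leave no record on the host, which removes the usual audit trail for a privilege-escalation helper. Consider exposing both settings as role variables and documenting that `use_syslog=True` with `syslog_log_level=INFO` records every invocation, as the comments above already describe. `exec_dirs` lists `{{ designate_bin }}` first although the comment requires every listed directory to be writable only by root, and nothing in this commit establishes the ownership of that directory, so it should be confirmed or the entry documented. The exec_dirs comment also misspells `explicitely`; write `# explicitly specify a full path (separated by ',')`.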