Drop privileges when running commands

Drop privileges to a regular user when running commands defined
by this snap.

Change-Id: I6b4526a53432992c201f0b2693598bd7f090b3a1
Corey Bryant 2017-05-17 19:47:05 +00:00
parent d9e1e5bfb2
commit 78c8c92b4b
2 changed files with 31 additions and 2 deletions


@ -1,12 +1,19 @@
setup: setup:
users:
snap-nova-hypervisor: [snap-nova-hypervisor]
default-owner: "root:snap-nova-hypervisor"
dirs: dirs:
- "{snap_common}/etc"
- "{snap_common}/etc/nova"
- "{snap_common}/etc/nova/conf.d" - "{snap_common}/etc/nova/conf.d"
- "{snap_common}/etc/neutron"
- "{snap_common}/etc/neutron/conf.d" - "{snap_common}/etc/neutron/conf.d"
- "{snap_common}/etc/neutron/plugins"
- "{snap_common}/etc/neutron/plugins/ml2" - "{snap_common}/etc/neutron/plugins/ml2"
- "{snap_common}/instances" - "{snap_common}/instances"
- "{snap_common}/lib" - "{snap_common}/lib"
- "{snap_common}/log"
- "{snap_common}/lock" - "{snap_common}/lock"
- "{snap_common}/log"
- "{snap_common}/run" - "{snap_common}/run"
templates: templates:
nova-snap.conf.j2: "{snap_common}/etc/nova/conf.d/nova-snap.conf" nova-snap.conf.j2: "{snap_common}/etc/nova/conf.d/nova-snap.conf"
@ -14,6 +21,12 @@ setup:
copyfiles: copyfiles:
"{snap}/etc/nova": "{snap_common}/etc/nova" "{snap}/etc/nova": "{snap_common}/etc/nova"
"{snap}/etc/neutron": "{snap_common}/etc/neutron" "{snap}/etc/neutron": "{snap_common}/etc/neutron"
rchown:
"{snap_common}/instances": "snap-nova-hypervisor:snap-nova-hypervisor"
"{snap_common}/lib": "snap-nova-hypervisor:snap-nova-hypervisor"
"{snap_common}/lock": "snap-nova-hypervisor:snap-nova-hypervisor"
"{snap_common}/log": "snap-nova-hypervisor:snap-nova-hypervisor"
"{snap_common}/run": "snap-nova-hypervisor:snap-nova-hypervisor"
entry_points: entry_points:
nova-compute: nova-compute:
binary: "{snap}/bin/nova-compute" binary: "{snap}/bin/nova-compute"
@ -22,6 +35,8 @@ entry_points:
config-dirs: config-dirs:
- "{snap_common}/etc/nova/conf.d" - "{snap_common}/etc/nova/conf.d"
log-file: "{snap_common}/log/nova-compute.log" log-file: "{snap_common}/log/nova-compute.log"
run-as:
snap-nova-hypervisor: [snap-nova-hypervisor]
nova-api-metadata: nova-api-metadata:
binary: "{snap}/bin/nova-api-metadata" binary: "{snap}/bin/nova-api-metadata"
config-files: config-files:
@ -29,6 +44,8 @@ entry_points:
config-dirs: config-dirs:
- "{snap_common}/etc/nova/conf.d" - "{snap_common}/etc/nova/conf.d"
log-file: "{snap_common}/log/nova-api-metadata.log" log-file: "{snap_common}/log/nova-api-metadata.log"
run-as:
snap-nova-hypervisor: [snap-nova-hypervisor]
neutron-openvswitch-agent: neutron-openvswitch-agent:
binary: "{snap}/bin/neutron-openvswitch-agent" binary: "{snap}/bin/neutron-openvswitch-agent"
config-files: config-files:
@ -37,18 +54,24 @@ entry_points:
config-dirs: config-dirs:
- "{snap_common}/etc/neutron/conf.d" - "{snap_common}/etc/neutron/conf.d"
log-file: "{snap_common}/log/neutron-openvswitch-agent.log" log-file: "{snap_common}/log/neutron-openvswitch-agent.log"
run-as:
snap-nova-hypervisor: [snap-nova-hypervisor]
neutron-ovs-cleanup: neutron-ovs-cleanup:
binary: "{snap}/bin/neutron-ovs-cleanup" binary: "{snap}/bin/neutron-ovs-cleanup"
config-files: config-files:
- "{snap_common}/etc/neutron/neutron.conf" - "{snap_common}/etc/neutron/neutron.conf"
config-dirs: config-dirs:
- "{snap_common}/etc/neutron/conf.d" - "{snap_common}/etc/neutron/conf.d"
run-as:
snap-nova-hypervisor: [snap-nova-hypervisor]
neutron-netns-cleanup: neutron-netns-cleanup:
binary: "{snap}/bin/neutron-netns-cleanup" binary: "{snap}/bin/neutron-netns-cleanup"
config-files: config-files:
- "{snap_common}/etc/neutron/neutron.conf" - "{snap_common}/etc/neutron/neutron.conf"
config-dirs: config-dirs:
- "{snap_common}/etc/neutron/conf.d" - "{snap_common}/etc/neutron/conf.d"
run-as:
snap-nova-hypervisor: [snap-nova-hypervisor]
neutron-l3-agent: neutron-l3-agent:
binary: "{snap}/bin/neutron-l3-agent" binary: "{snap}/bin/neutron-l3-agent"
config-files: config-files:
@ -57,6 +80,8 @@ entry_points:
config-dirs: config-dirs:
- "{snap_common}/etc/neutron/conf.d" - "{snap_common}/etc/neutron/conf.d"
log-file: "{snap_common}/log/neutron-l3-agent.log" log-file: "{snap_common}/log/neutron-l3-agent.log"
run-as:
snap-nova-hypervisor: [snap-nova-hypervisor]
neutron-dhcp-agent: neutron-dhcp-agent:
binary: "{snap}/bin/neutron-dhcp-agent" binary: "{snap}/bin/neutron-dhcp-agent"
config-files: config-files:
@ -65,6 +90,8 @@ entry_points:
config-dirs: config-dirs:
- "{snap_common}/etc/neutron/conf.d" - "{snap_common}/etc/neutron/conf.d"
log-file: "{snap_common}/log/neutron-dhcp-agent.log" log-file: "{snap_common}/log/neutron-dhcp-agent.log"
run-as:
snap-nova-hypervisor: [snap-nova-hypervisor]
neutron-metadata-agent: neutron-metadata-agent:
binary: "{snap}/bin/neutron-metadata-agent" binary: "{snap}/bin/neutron-metadata-agent"
config-files: config-files:
@ -73,3 +100,5 @@ entry_points:
config-dirs: config-dirs:
- "{snap_common}/etc/neutron/conf.d" - "{snap_common}/etc/neutron/conf.d"
log-file: "{snap_common}/log/neutron-metadata-agent.log" log-file: "{snap_common}/log/neutron-metadata-agent.log"
run-as:
snap-nova-hypervisor: [snap-nova-hypervisor]
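Review bot: The `run-as:` entries added under neutron-openvswitch-agent, neutron-ovs-cleanup, neutron-netns-cleanup, neutron-l3-agent and neutron-dhcp-agent start processes that ordinarily need root for network namespace, iptables and ovs-vsctl operations, so unless the snap gives them a rootwrap or privsep path that is still reachable when the entry point itself starts as `snap-nova-hypervisor`, they will fail at the first privileged call; it is not visible here whether that path exists, so confirm these agents were exercised and not only nova-compute and nova-api-metadata. The `rchown` block hands the state directories (instances, lib, lock, log, run) to the new user but leaves `{snap_common}/etc` alone, yet every entry point's `config-files` live there and carry service credentials, so those files need to end up readable by the `snap-nova-hypervisor` group but not world-readable (in line with `default-owner: "root:snap-nova-hypervisor"`) — what `copyfiles` and `templates` produce for ownership and mode is not shown in this diff. A one-line comment above each `run-as:`, such as `# runs unprivileged; privileged network operations must go through the snap's privsep/rootwrap path`, would make that dependency explicit for the next maintainer.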


@ -80,7 +80,7 @@ parts:
bin: bin:
- bin/dnsmasq - bin/dnsmasq
stage: [$bin] stage: [$bin]
snap: [$bin] prime: [$bin]
openvswitch: openvswitch:
source: http://openvswitch.org/releases/openvswitch-2.6.1.tar.gz source: http://openvswitch.org/releases/openvswitch-2.6.1.tar.gz
plugin: autotools plugin: autotools