From 952e020fa79bf7595dec2facf645bb14cd69e5e7 Mon Sep 17 00:00:00 2001 From: Ihar Hrachyshka Date: Tue, 31 Oct 2023 20:25:14 +0000 Subject: [PATCH] Don't configure /etc/neutron/rootwrap.d for filters_path The directory is empty for all the agents, and the agents are not meant to be extended through side-loading any additional filters. It's better to keep the list of directories that may contain escalating filters narrow, even if it doesn't affect functionality either way. Signed-off-by: Ihar Hrachyshka --- roles/edpm_neutron_dhcp/defaults/main.yml | 2 +- roles/edpm_neutron_dhcp/meta/argument_specs.yml | 2 +- roles/edpm_neutron_metadata/defaults/main.yml | 2 +- roles/edpm_neutron_metadata/meta/argument_specs.yml | 2 +- roles/edpm_neutron_ovn/defaults/main.yml | 2 +- roles/edpm_neutron_ovn/meta/argument_specs.yml | 2 +- roles/edpm_neutron_sriov/defaults/main.yml | 2 +- roles/edpm_neutron_sriov/meta/argument_specs.yml | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/roles/edpm_neutron_dhcp/defaults/main.yml b/roles/edpm_neutron_dhcp/defaults/main.yml index 7bdd31928..e2ba38f3a 100644 --- a/roles/edpm_neutron_dhcp/defaults/main.yml +++ b/roles/edpm_neutron_dhcp/defaults/main.yml @@ -60,7 +60,7 @@ edpm_neutron_dhcp_oslo_middleware_enable_proxy_headers_parsing: 60 # rootwrap.conf # DEFAULT -edpm_neutron_dhcp_rootwrap_DEFAULT_filters_path: '/etc/neutron/rootwrap.d,/usr/share/neutron/rootwrap' +edpm_neutron_dhcp_rootwrap_DEFAULT_filters_path: '/usr/share/neutron/rootwrap' edpm_neutron_dhcp_rootwrap_DEFAULT_exec_dirs: '/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/etc/neutron/kill_scripts' edpm_neutron_dhcp_rootwrap_DEFAULT_use_syslog: false edpm_neutron_dhcp_rootwrap_DEFAULT_syslog_log_facility: 'syslog' diff --git a/roles/edpm_neutron_dhcp/meta/argument_specs.yml b/roles/edpm_neutron_dhcp/meta/argument_specs.yml index d0f8a37ba..769c0701e 100644 --- a/roles/edpm_neutron_dhcp/meta/argument_specs.yml 
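Review bot: `/etc/neutron/kill_scripts` is still listed in `edpm_neutron_dhcp_rootwrap_DEFAULT_exec_dirs`, on the context line right below the changed default, so rootwrap keeps resolving executables from a directory under /etc even after the filter path is narrowed to the packaged location. The same entry appears in the exec_dirs defaults of the metadata and sriov roles; the ovn role omits it. If an agent needs the kill scripts, a comment above the variable such as `# kill_scripts must be root-owned and not writable by the neutron user; rootwrap resolves executables from it` would record the requirement. If an agent does not use them (worth checking for sriov), the entry could be dropped in the same spirit as this change. The ownership and mount mode of that directory are not visible in this diff and should be confirmed.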
+++ b/roles/edpm_neutron_dhcp/meta/argument_specs.yml @@ -84,7 +84,7 @@ argument_specs: description: '' type: int edpm_neutron_dhcp_rootwrap_DEFAULT_filters_path: - default: '/etc/neutron/rootwrap.d,/usr/share/neutron/rootwrap' + default: '/usr/share/neutron/rootwrap' edpm_neutron_dhcp_rootwrap_DEFAULT_exec_dirs: default: '/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/etc/neutron/kill_scripts' edpm_neutron_dhcp_rootwrap_DEFAULT_use_syslog: diff --git a/roles/edpm_neutron_metadata/defaults/main.yml b/roles/edpm_neutron_metadata/defaults/main.yml index a9283c03c..fa8048b3d 100644 --- a/roles/edpm_neutron_metadata/defaults/main.yml +++ b/roles/edpm_neutron_metadata/defaults/main.yml @@ -38,7 +38,7 @@ edpm_neutron_metadata_agent_oslo_concurrency_lock_patch: '$state_path/lock' edpm_neutron_metadata_agent_agent_report_interval: '300' # rootwrap.conf -edpm_neutron_metadata_agent_rootwrap_DEFAULT_filters_path: '/etc/neutron/rootwrap.d,/usr/share/neutron/rootwrap' +edpm_neutron_metadata_agent_rootwrap_DEFAULT_filters_path: '/usr/share/neutron/rootwrap' edpm_neutron_metadata_agent_rootwrap_DEFAULT_exec_dirs: '/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/etc/neutron/kill_scripts' edpm_neutron_metadata_agent_rootwrap_DEFAULT_use_syslog: 'False' edpm_neutron_metadata_agent_rootwrap_DEFAULT_syslog_log_facility: 'syslog' diff --git a/roles/edpm_neutron_metadata/meta/argument_specs.yml b/roles/edpm_neutron_metadata/meta/argument_specs.yml index ed613a8b6..bcafe91f8 100644 --- a/roles/edpm_neutron_metadata/meta/argument_specs.yml +++ b/roles/edpm_neutron_metadata/meta/argument_specs.yml @@ -87,7 +87,7 @@ argument_specs: description: '' type: str edpm_neutron_metadata_agent_rootwrap_DEFAULT_filters_path: - default: /etc/neutron/rootwrap.d,/usr/share/neutron/rootwrap + default: /usr/share/neutron/rootwrap description: '' type: str edpm_neutron_metadata_agent_rootwrap_DEFAULT_rlimit_nofile: 
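Review bot: The `edpm_neutron_dhcp_rootwrap_DEFAULT_filters_path` entry in the dhcp argument spec appears to carry only a `default`, with no `description` or `type` before the next key, so the narrower value is undocumented for anyone who overrides it. The ovn role's spec already has `description: List of directories to load filter definitions from` and `type: str`; the same two lines would fit here and in the sriov spec, and the description would replace the empty `description: ''` in the metadata spec. Extending that description with a sentence saying that every listed directory can grant commands run as root would make the cost of adding one back explicit. Indentation is lost in this rendering, so the entry's exact shape should be confirmed against the file.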
diff --git a/roles/edpm_neutron_ovn/defaults/main.yml b/roles/edpm_neutron_ovn/defaults/main.yml index 18e665dff..bb5b4fa10 100644 --- a/roles/edpm_neutron_ovn/defaults/main.yml +++ b/roles/edpm_neutron_ovn/defaults/main.yml @@ -24,7 +24,7 @@ edpm_neutron_ovn_common_volumes: edpm_neutron_ovn_agent_DEFAULT_host: '{{ ansible_facts["nodename"] }}' # also in missing vars # rootwrap.conf -edpm_neutron_ovn_agent_rootwrap_DEFAULT_filters_path: '/etc/neutron/rootwrap.d,/usr/share/neutron/rootwrap' +edpm_neutron_ovn_agent_rootwrap_DEFAULT_filters_path: '/usr/share/neutron/rootwrap' edpm_neutron_ovn_agent_rootwrap_DEFAULT_exec_dirs: '/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin' edpm_neutron_ovn_agent_rootwrap_DEFAULT_use_syslog: 'False' edpm_neutron_ovn_agent_rootwrap_DEFAULT_syslog_log_facility: 'syslog' diff --git a/roles/edpm_neutron_ovn/meta/argument_specs.yml b/roles/edpm_neutron_ovn/meta/argument_specs.yml index 46b62bfe2..d3dd42334 100644 --- a/roles/edpm_neutron_ovn/meta/argument_specs.yml +++ b/roles/edpm_neutron_ovn/meta/argument_specs.yml @@ -61,7 +61,7 @@ argument_specs: description: List of directories to search executables in type: str edpm_neutron_ovn_agent_rootwrap_DEFAULT_filters_path: - default: /etc/neutron/rootwrap.d,/usr/share/neutron/rootwrap + default: /usr/share/neutron/rootwrap description: List of directories to load filter definitions from type: str edpm_neutron_ovn_agent_rootwrap_DEFAULT_rlimit_nofile: diff --git a/roles/edpm_neutron_sriov/defaults/main.yml b/roles/edpm_neutron_sriov/defaults/main.yml index 211bed810..3e3391627 100644 --- a/roles/edpm_neutron_sriov/defaults/main.yml +++ b/roles/edpm_neutron_sriov/defaults/main.yml 
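Review bot: Nothing next to `edpm_neutron_ovn_agent_rootwrap_DEFAULT_filters_path` in the ovn defaults records why only the packaged directory is listed. Because this is a role default, an inventory or group_vars override that still names /etc/neutron/rootwrap.d takes precedence and keeps the wider path. A comment above the variable, for example `# Only the packaged filter directory is loaded; each extra directory widens what rootwrap may run as root.`, would carry the commit's rationale into the file. The same comment applies to the filters_path defaults of the dhcp, metadata and sriov roles. Existing overrides are not visible from this diff, so they need a separate check when this is rolled out.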
@@ -51,7 +51,7 @@ edpm_neutron_sriov_oslo_middleware_enable_proxy_headers_parsing: 60 # rootwrap.conf # DEFAULT -edpm_neutron_sriov_rootwrap_DEFAULT_filters_path: '/etc/neutron/rootwrap.d,/usr/share/neutron/rootwrap' +edpm_neutron_sriov_rootwrap_DEFAULT_filters_path: '/usr/share/neutron/rootwrap' edpm_neutron_sriov_rootwrap_DEFAULT_exec_dirs: '/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/etc/neutron/kill_scripts' edpm_neutron_sriov_rootwrap_DEFAULT_use_syslog: 'False' edpm_neutron_sriov_rootwrap_DEFAULT_syslog_log_facility: 'syslog' diff --git a/roles/edpm_neutron_sriov/meta/argument_specs.yml b/roles/edpm_neutron_sriov/meta/argument_specs.yml index 72110f8e6..0bd633ed1 100644 --- a/roles/edpm_neutron_sriov/meta/argument_specs.yml +++ b/roles/edpm_neutron_sriov/meta/argument_specs.yml @@ -67,7 +67,7 @@ argument_specs: description: '' type: int edpm_neutron_sriov_rootwrap_DEFAULT_filters_path: - default: '/etc/neutron/rootwrap.d,/usr/share/neutron/rootwrap' + default: '/usr/share/neutron/rootwrap' edpm_neutron_sriov_rootwrap_DEFAULT_exec_dirs: default: '/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/etc/neutron/kill_scripts' edpm_neutron_sriov_rootwrap_DEFAULT_use_syslog: