From: Bernard Landon Date: Tue, 4 Jun 2024 21:29:54 +0000 (+0200) Subject: cephadm/services/ingress: configure security user in keepalived template X-Git-Tag: v19.1.1~189^2 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=0af412a246f1f3e367a6bd373632c5daa8e72ebd;p=ceph.git cephadm/services/ingress: configure security user in keepalived template It is cleaner to enable script security and define a script user for keepalived. Signed-off-by: Bernard Landon (cherry picked from commit 221737e136dd84824514f0e7874687be76e121b1) --- diff --git a/src/pybind/mgr/cephadm/templates/services/ingress/keepalived.conf.j2 b/src/pybind/mgr/cephadm/templates/services/ingress/keepalived.conf.j2 index e19f556c6f42..4a8237a4f2bb 100644 --- a/src/pybind/mgr/cephadm/templates/services/ingress/keepalived.conf.j2 +++ b/src/pybind/mgr/cephadm/templates/services/ingress/keepalived.conf.j2 @@ -1,4 +1,9 @@ # {{ cephadm_managed }} +global_defs { + enable_script_security + script_user root +} + vrrp_script check_backend { script "{{ script }}" weight -20 diff --git a/src/pybind/mgr/cephadm/tests/test_services.py b/src/pybind/mgr/cephadm/tests/test_services.py index a6edf1b0d852..440b20d59c42 100644 --- a/src/pybind/mgr/cephadm/tests/test_services.py +++ b/src/pybind/mgr/cephadm/tests/test_services.py @@ -1860,6 +1860,10 @@ class TestIngressService: { 'keepalived.conf': '# This file is generated by cephadm.\n' + 'global_defs {\n ' + 'enable_script_security\n ' + 'script_user root\n' + '}\n\n' 'vrrp_script check_backend {\n ' 'script "/usr/bin/curl http://1.2.3.7:8999/health"\n ' 'weight -20\n ' @@ -1983,6 +1987,10 @@ class TestIngressService: { 'keepalived.conf': '# This file is generated by cephadm.\n' + 'global_defs {\n ' + 'enable_script_security\n ' + 'script_user root\n' + '}\n\n' 'vrrp_script check_backend {\n ' 'script "/usr/bin/curl http://[1::4]:8999/health"\n ' 'weight -20\n ' @@ -2109,6 +2117,10 @@ class TestIngressService: { 'keepalived.conf': '# This file is generated by cephadm.\n' + 'global_defs {\n ' + 'enable_script_security\n ' + 'script_user root\n' + '}\n\n' 'vrrp_script check_backend {\n ' 'script "/usr/bin/curl http://1.2.3.7:8999/health"\n ' 'weight -20\n ' @@ -2243,6 +2255,10 @@ class TestIngressService: { 'keepalived.conf': '# This file is generated by cephadm.\n' + 'global_defs {\n ' + 'enable_script_security\n ' + 'script_user root\n' + '}\n\n' 'vrrp_script check_backend {\n ' 'script "/usr/bin/curl http://1.2.3.1:8999/health"\n ' 'weight -20\n ' @@ -2434,6 +2450,10 @@ class TestIngressService: { 'keepalived.conf': '# This file is generated by cephadm.\n' + 'global_defs {\n ' + 'enable_script_security\n ' + 'script_user root\n' + '}\n\n' 'vrrp_script check_backend {\n ' 'script "/usr/bin/false"\n ' 'weight -20\n '