From 221737e136dd84824514f0e7874687be76e121b1 Mon Sep 17 00:00:00 2001
From: Bernard Landon
Date: Tue, 4 Jun 2024 23:29:54 +0200
Subject: [PATCH] cephadm/services/ingress: configure security user in keepalived template

It is cleaner to enable script security and define a script user for keepalived.

Signed-off-by: Bernard Landon
---
 .../services/ingress/keepalived.conf.j2 | 5 +++++
 src/pybind/mgr/cephadm/tests/test_services.py | 20 +++++++++++++++++++
 2 files changed, 25 insertions(+)

diff --git a/src/pybind/mgr/cephadm/templates/services/ingress/keepalived.conf.j2 b/src/pybind/mgr/cephadm/templates/services/ingress/keepalived.conf.j2
index e19f556c6f427..4a8237a4f2bba 100644
--- a/src/pybind/mgr/cephadm/templates/services/ingress/keepalived.conf.j2
+++ b/src/pybind/mgr/cephadm/templates/services/ingress/keepalived.conf.j2
@@ -1,4 +1,9 @@
 # {{ cephadm_managed }}
+global_defs {
+ enable_script_security
+ script_user root
+}
+
 vrrp_script check_backend {
 script "{{ script }}"
 weight -20
diff --git a/src/pybind/mgr/cephadm/tests/test_services.py b/src/pybind/mgr/cephadm/tests/test_services.py
index f0b5360e6e30e..3440a575402cb 100644
--- a/src/pybind/mgr/cephadm/tests/test_services.py
+++ b/src/pybind/mgr/cephadm/tests/test_services.py
@@ -1738,6 +1738,10 @@ class TestIngressService:
 {
 'keepalived.conf':
 '# This file is generated by cephadm.\n'
+ 'global_defs {\n '
+ 'enable_script_security\n '
+ 'script_user root\n'
+ '}\n\n'
 'vrrp_script check_backend {\n '
 'script "/usr/bin/curl http://1.2.3.7:8999/health"\n '
 'weight -20\n '
@@ -1861,6 +1865,10 @@ class TestIngressService:
 {
 'keepalived.conf':
 '# This file is generated by cephadm.\n'
+ 'global_defs {\n '
+ 'enable_script_security\n '
+ 'script_user root\n'
+ '}\n\n'
 'vrrp_script check_backend {\n '
 'script "/usr/bin/curl http://[1::4]:8999/health"\n '
 'weight -20\n '
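Review bot: `script_user root` in the new `global_defs` block of keepalived.conf.j2 pins every `vrrp_script` to root, although the only check commands visible in the updated test fixtures are `/usr/bin/curl …/health` and `/usr/bin/false`, neither of which appears to need root. `enable_script_security` makes keepalived refuse root-run scripts whose path is writable by a non-root user, which limits the exposure, but a dedicated unprivileged script account would be the least-privilege choice if the keepalived container image ships one (not visible from this patch). If root has to stay, a comment in the template would record why, for example `# health checks run as root; enable_script_security rejects scripts whose path a non-root user can write`. The `vrrp_script check_backend` block continues past the end of the hunk, so how `{{ script }}` is populated cannot be checked here.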
@@ -1987,6 +1995,10 @@ class TestIngressService:
 {
 'keepalived.conf':
 '# This file is generated by cephadm.\n'
+ 'global_defs {\n '
+ 'enable_script_security\n '
+ 'script_user root\n'
+ '}\n\n'
 'vrrp_script check_backend {\n '
 'script "/usr/bin/curl http://1.2.3.7:8999/health"\n '
 'weight -20\n '
@@ -2121,6 +2133,10 @@ class TestIngressService:
 {
 'keepalived.conf':
 '# This file is generated by cephadm.\n'
+ 'global_defs {\n '
+ 'enable_script_security\n '
+ 'script_user root\n'
+ '}\n\n'
 'vrrp_script check_backend {\n '
 'script "/usr/bin/curl http://1.2.3.1:8999/health"\n '
 'weight -20\n '
@@ -2312,6 +2328,10 @@ class TestIngressService:
 {
 'keepalived.conf':
 '# This file is generated by cephadm.\n'
+ 'global_defs {\n '
+ 'enable_script_security\n '
+ 'script_user root\n'
+ '}\n\n'
 'vrrp_script check_backend {\n '
 'script "/usr/bin/false"\n '
 'weight -20\n '
-- 2.39.5