nova-rootwrap should support path search

Bug #1079723 reported by Thierry Carrez
Affects: OpenStack Compute (nova)
Status: Fix Released
Importance: Wishlist
Assigned to: Thierry Carrez

Bug Description

From original bug 1013147:
nova-rootwrap hardcodes paths instead of using /sbin:/usr/sbin:/usr/bin:/bin

It should support path search instead of forcing us to specify multiple filters to cover the distro differences.

Tags: rootwrap
Davanum Srinivas (DIMS) (dims-v) wrote :

Is this an option? Allow folks to enter one or more paths and get_command would return the right one for the OS?

    def test_DnsmasqFilter(self):
        usercmd = ['env', 'FLAGFILE=A', 'NETWORK_ID=foobar', 'dnsmasq', 'foo']
        f = filters.DnsmasqFilter("/sbin/dnsmasq:/usr/sbin/dnsmasq:/usr/bin/dnsmasq:/bin/dnsmasq", "root")
        self.assertTrue(f.match(usercmd))
        self.assertEqual(f.get_command(usercmd), ['/usr/bin/dnsmasq', 'foo'])
        env = f.get_environment(usercmd)
        self.assertEqual(env.get('FLAGFILE'), 'A')
        self.assertEqual(env.get('NETWORK_ID'), 'foobar')

Is "/sbin/dnsmasq:/usr/sbin/dnsmasq:/usr/bin/dnsmasq:/bin/dnsmasq" syntax ok for listing all the alternative locations where the executable may exist?

Or is the request more of, don't make me specify the executable, just look in all those hard coded paths and pick the first one?

thanks,
dims

Davanum Srinivas (DIMS) (dims-v) wrote :

I think I came up with a compromise which leaves the existing conf files as-is and won't add any new syntax.

Let's take the example:

    usercmd = ['env', 'FLAGFILE=A', 'NETWORK_ID=foobar', 'dnsmasq', 'foo']
    f = filters.DnsmasqFilter("/usr/bin/dnsmasq", "root")

We will look for "/usr/bin/dnsmasq"; if it does not exist, then we look for

"/bin/dnsmasq"
"/sbin/dnsmasq"
"/usr/sbin/dnsmasq"

If none exists, we just return the original path "/usr/bin/dnsmasq" so the command will fail just as it would have before this patch.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/16343

Changed in nova:
assignee: Thierry Carrez (ttx) → Davanum Srinivas (dims-v)
Thierry Carrez (ttx) wrote :

@dims: I already started working on this patch (as reflected by my "In progress" status switch). This is actually a bit more complex than just extending the syntax: the search path needs to be configurable and match_filter needs to take it into account.

My patch is almost ready to be proposed, no need to duplicate work...

Changed in nova:
assignee: Davanum Srinivas (dims-v) → nobody
Thierry Carrez (ttx)
Changed in nova:
assignee: nobody → Thierry Carrez (ttx)
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/16766

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/16766
Committed: http://github.com/openstack/nova/commit/12e264d58f052f192f3408f5cd8637809eff085b
Submitter: Jenkins
Branch: master

commit 12e264d58f052f192f3408f5cd8637809eff085b
Author: Thierry Carrez <email address hidden>
Date: Fri Nov 16 15:50:01 2012 +0100

    Configurable exec_dirs to find rootwrap commands

    Adds support for a configurable set of trusted directories to search
    executables in (exec_dirs), which defaults to system PATH. If your
    filter specifies an exec_path that doesn't start with '/', then it
    will be searched in exec_dirs. Avoids having to write multiple
    filters to care for distro differences. Fixes bug 1079723.

    Also returns a specific error rather than try to run absent executables.

    Change-Id: Idab03bb0be6832a75ffeed4e78d25d0543f5caf9

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in nova:
milestone: none → grizzly-2
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: grizzly-2 → 2013.1
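
The exec_dirs lookup described in the merged commit message above, sketched as an added example (this is not nova's rootwrap code). The names `resolve_exec`, `trusted_dir` and `NoExecutableFound`, the directory permission check and the refusal of relative paths containing '/' are assumptions of this sketch; the directory layout is constructed in a temporary directory.

```python
import os
import stat
import tempfile


class NoExecutableFound(Exception):
    """Specific error raised instead of trying to run an absent executable."""


def trusted_dir(path):
    # Assumption beyond the commit message: only absolute directories that
    # group/other cannot write to are searched.
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return False
    return path.startswith('/') and stat.S_ISDIR(mode) and not mode & 0o022


def resolve_exec(exec_path, exec_dirs):
    """Map a filter's exec_path to the absolute path that would be run."""
    if exec_path.startswith('/'):
        candidates = [exec_path]            # absolute path: no search at all
    elif '/' in exec_path:
        raise NoExecutableFound(exec_path)  # assumption: "../x" is refused
    else:
        candidates = [os.path.join(d, exec_path)
                      for d in exec_dirs if trusted_dir(d)]
    for candidate in candidates:
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    raise NoExecutableFound(exec_path)


def demo():
    """Constructed layout: dnsmasq lives in usr_sbin, not sbin."""
    root = os.path.realpath(tempfile.mkdtemp())
    dirs = [os.path.join(root, d) for d in ('loose', 'sbin', 'usr_sbin')]
    for d in dirs:
        os.mkdir(d, 0o755)
    os.chmod(dirs[0], 0o777)                # world-writable: must be skipped
    for d in (dirs[0], dirs[2]):
        path = os.path.join(d, 'dnsmasq')
        with open(path, 'w') as fh:
            fh.write('#!/bin/sh\n')
        os.chmod(path, 0o755)
    return root, resolve_exec('dnsmasq', dirs)
```

The search list is passed in from configuration and the caller's own PATH environment variable is never consulted, so one filter entry can cover both layouts without widening what the wrapper will run as root.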