Comment 6 for bug 1427228

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/165115
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=80bea7a38670620934faafd5f583fe6164b9f9b3
Submitter: Jenkins
Branch: master

commit 80bea7a38670620934faafd5f583fe6164b9f9b3
Author: Cedric Brandily <email address hidden>
Date: Tue Mar 17 15:20:07 2015 +0000

    Allow metadata proxy running with nobody user/group

    Currently the metadata proxy cannot run with the nobody user/group, as
    the metadata proxy requires connecting to metadata_proxy_socket when
    queried.

    This change allows running the metadata proxy with the nobody
    user/group by allowing the metadata_proxy_socket mode to be chosen with
    the new option metadata_proxy_socket_mode (4 choices), in order to adapt
    socket permissions to the metadata proxy user/group.

    This change also refactors where options are defined, to enable the
    metadata_proxy_user/group options in the metadata agent.

    In practice:
    * if metadata_proxy_user is the agent effective user or root, then:
      * metadata proxy is allowed to use rootwrap (unsecure)
      * set metadata_proxy_socket_mode = user (0o644)
    * else if metadata_proxy_group is the agent effective group, then:
      * metadata proxy is not allowed to use rootwrap (secure)
      * set metadata_proxy_socket_mode = group (0o664)
      * set metadata_proxy_log_watch = false
    * else:
      * metadata proxy has lowest permissions (securest) but metadata proxy
        socket can be opened by everyone
      * set metadata_proxy_socket_mode = all (0o666)
      * set metadata_proxy_log_watch = false

    An alternative is to set metadata_proxy_socket_mode = deduce, in which
    case the metadata agent uses the previous rules to choose the correct
    mode.

    DocImpact
    Closes-Bug: #1427228
    Change-Id: I235a0cc4f0cbd55ae4ec1570daf2ebbb6a72441d
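The deduce rules listed in the commit message, worked through as an added example (this is not neutron's own code; the function names `deduce_proxy_settings` and `can_connect` and the numeric ids are assumptions). The second function models why the socket mode matters at all: on Linux, connect() on a unix socket needs write permission on the socket file, so a proxy running as nobody cannot reach a 0o644 socket owned by the agent.

```python
import os
import pwd
import grp
import stat

# Socket permission bits the commit message assigns to each mode name.
SOCKET_MODES = {"user": 0o644, "group": 0o664, "all": 0o666}


def _resolve_uid(user):
    """Accept a numeric uid or a user name (assumed helper)."""
    return int(user) if str(user).isdigit() else pwd.getpwnam(user).pw_uid


def _resolve_gid(group):
    """Accept a numeric gid or a group name (assumed helper)."""
    return int(group) if str(group).isdigit() else grp.getgrnam(group).gr_gid


def deduce_proxy_settings(proxy_user, proxy_group, euid=None, egid=None):
    """Apply the three rules from the commit message.

    Returns the socket mode name, its permission bits, whether the proxy is
    allowed to use rootwrap, and the metadata_proxy_log_watch override
    (None means the rules leave the configured value untouched).
    """
    euid = os.geteuid() if euid is None else euid
    egid = os.getegid() if egid is None else egid
    uid, gid = _resolve_uid(proxy_user), _resolve_gid(proxy_group)
    if uid in (euid, 0):          # agent's own user, or root: rootwrap OK (unsecure)
        mode, rootwrap, log_watch = "user", True, None
    elif gid == egid:             # shares the agent's group: no rootwrap (secure)
        mode, rootwrap, log_watch = "group", False, False
    else:                         # e.g. nobody/nobody: lowest privileges (securest)
        mode, rootwrap, log_watch = "all", False, False
    return {"socket_mode": mode, "socket_perm": SOCKET_MODES[mode],
            "rootwrap_allowed": rootwrap, "log_watch": log_watch}


def can_connect(perm, sock_uid, sock_gid, uid, gid):
    """Model whether uid:gid may connect() to a unix socket owned by
    sock_uid:sock_gid with permission bits perm (write bit required; root bypasses)."""
    if uid == 0:
        return True
    if uid == sock_uid:
        return bool(perm & stat.S_IWUSR)
    if gid == sock_gid:
        return bool(perm & stat.S_IWGRP)
    return bool(perm & stat.S_IWOTH)
```

Note that the "all" mode trades a least-privilege proxy for a socket any local process can open, which is exactly the trade-off the commit message spells out.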