nova-rootwrap should support path search

Bug #1079723 reported by Thierry Carrez on 2012-11-16
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
Thierry Carrez

Bug Description

From original bug 1013147:
nova-rootwrap hardcodes paths instead of using /sbin:/usr/sbin:/usr/bin:/bin

It should support path search instead of forcing us to specify multiple filters to cover the distro differences.

Is this an option? Allow folks to enter one or more paths and get_command would return the right one for the OS?

    def test_DnsmasqFilter(self):
        usercmd = ['env', 'FLAGFILE=A', 'NETWORK_ID=foobar', 'dnsmasq', 'foo']
        f = filters.DnsmasqFilter("/sbin/dnsmasq:/usr/sbin/dnsmasq:/usr/bin/dnsmasq:/bin/dnsmasq", "root")
        self.assertEqual(f.get_command(usercmd), ['/usr/bin/dnsmasq', 'foo'])
        env = f.get_environment(usercmd)
        self.assertEqual(env.get('FLAGFILE'), 'A')
        self.assertEqual(env.get('NETWORK_ID'), 'foobar')

Is "/sbin/dnsmasq:/usr/sbin/dnsmasq:/usr/bin/dnsmasq:/bin/dnsmasq" syntax ok for listing all the alternative locations where the executable may exist?

Or is the request more of, don't make me specify the executable, just look in all those hard coded paths and pick the first one?


I think i came up with a compromise which leaves the existing conf files as-is and won't add any new syntax.

Let's take the example
        usercmd = ['env', 'FLAGFILE=A', 'NETWORK_ID=foobar', 'dnsmasq', 'foo']
        f = filters.DnsmasqFilter("/usr/bin/dnsmasq", "root")

we will look for "/usr/bin/dnsmasq", if it does not exist then we look for


If none exists, we just return the original path "/usr/bin/dnsmasq" so the command will fail just as it would have before this patch.

Fix proposed to branch: master

Changed in nova:
assignee: Thierry Carrez (ttx) → Davanum Srinivas (dims-v)
Thierry Carrez (ttx) wrote :

@dims: I already started working on this patch (as reflected by my "In progress" status switch). This is actually a bit more complex than just extending the syntax: the search path needs to be configurable and match_filter needs to take it into account.

My patch is almost ready to be proposed, no need to duplicate work...

Changed in nova:
assignee: Davanum Srinivas (dims-v) → nobody
Thierry Carrez (ttx) on 2012-11-19
Changed in nova:
assignee: nobody → Thierry Carrez (ttx)

Fix proposed to branch: master

Submitter: Jenkins
Branch: master

commit 12e264d58f052f192f3408f5cd8637809eff085b
Author: Thierry Carrez <email address hidden>
Date: Fri Nov 16 15:50:01 2012 +0100

    Configurable exec_dirs to find rootwrap commands

    Adds support for a configurable set of trusted directories to search
    executables in (exec_dirs), which defaults to system PATH. If your
    filter specifies an exec_path that doesn't start with '/', then it
    will be searched in exec_dirs. Avoids having to write multiple
    filters to care for distro differences. Fixes bug 1079723.

    Also returns a specific error rather than try to run absent executables.

    Change-Id: Idab03bb0be6832a75ffeed4e78d25d0543f5caf9

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2013-01-09
Changed in nova:
milestone: none → grizzly-2
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2013-04-04
Changed in nova:
milestone: grizzly-2 → 2013.1
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers