[rfe] modify our usage of privsep in nova

Bug #1996213 reported by Sylvain Bauza
Affects: OpenStack Compute (nova)
Status: In Progress
Importance: Wishlist
Assigned to: Jorge San Emeterio
Milestone:

Bug Description

Nova compute services use the privsep library [1] for specific 'root' privilege usage for a command or a direct call to the system.

Unfortunately, the way we currently use this library is not really recommended: instead of using a sysadmin context that uses *all* privileged caps for any caller, as we have [2], we should rather define a per-call context with specific caps.

[1] https://docs.openstack.org/oslo.privsep/latest/user/index.html
[2] https://github.com/openstack/nova/blob/c97507dfcd57cce9d76670d3b0d48538900c00e9/nova/privsep/__init__.py#L21-L31

Changed in nova:
assignee: nobody → Jorge San Emeterio (jsanemet)
Jorge San Emeterio (jsanemet) wrote :

I will post my proposal and more at the following etherpad: https://etherpad.opendev.org/p/nova-privsep-review

Changed in nova:
status: Triaged → In Progress