commit d412de7100058f4a362cf58bd11f88b31b500f77
Author: Hongbin Lu <email address hidden>
Date: Wed Feb 14 02:55:07 2018 +0000
Introduce rootwrap and filter
If the zun-compute process is owned by a user who doesn't have
passwordless sudo privilege, zun-compute will fail to run
privileged command (e.g. sudo privsep-helper ...).
A native solution is to grant passwordless sudo to the user
who owns the zun process, but the best practice is to leverage
Rootwrap [1], which can restrict the privilege escalation.
This patch make Zun leverage Rootwrap. In particular, it does
the following:
* Setup Rootwrap in the Zun devstack plugin
* Introduce a sample rootwrap config file
* Introduce sample rootwrap filters for executing privsep-helper
* Introduce a root helper which basically adds "sudo zun-rootwrap"
to the beginning of the command to be execute.
* Initialize privsep to use the Zun's root helper
Reviewed: https:/ /review. openstack. org/544155 /git.openstack. org/cgit/ openstack/ zun/commit/ ?id=d412de71000 58f4a362cf58bd1 1f88b31b500f77
Committed: https:/
Submitter: Zuul
Branch: master
commit d412de7100058f4 a362cf58bd11f88 b31b500f77
Author: Hongbin Lu <email address hidden>
Date: Wed Feb 14 02:55:07 2018 +0000
Introduce rootwrap and filter
If the zun-compute process is owned by a user who doesn't have
passwordless sudo privilege, zun-compute will fail to run
privileged command (e.g. sudo privsep-helper ...).
A native solution is to grant passwordless sudo to the user
who owns the zun process, but the best practice is to leverage
Rootwrap [1], which can restrict the privilege escalation.
This patch make Zun leverage Rootwrap. In particular, it does
the following:
* Setup Rootwrap in the Zun devstack plugin
* Introduce a sample rootwrap config file
* Introduce sample rootwrap filters for executing privsep-helper
* Introduce a root helper which basically adds "sudo zun-rootwrap"
to the beginning of the command to be execute.
* Initialize privsep to use the Zun's root helper
[1] https:/ /wiki.openstack .org/wiki/ Rootwrap
Closes-Bug: #1749342 e08efad9daa71d2 f550425a5e7 05cb6cb2410df16 e16a621c030
Needed-By: I69c47d25fa53f8
Change-Id: I3ca5d853588b37