Zun

Comment 4 for bug 1749342

OpenStack Infra (hudson-openstack) wrote : Fix merged to zun (stable/queens)

Reviewed: https://review.openstack.org/554551
Committed: https://git.openstack.org/cgit/openstack/zun/commit/?id=d9098aab26b82a0f78c8c5e72f76da600279e6b9
Submitter: Zuul
Branch: stable/queens

commit d9098aab26b82a0f78c8c5e72f76da600279e6b9
Author: Hongbin Lu <email address hidden>
Date: Wed Feb 14 02:55:07 2018 +0000

    Introduce rootwrap and filter

    If the zun-compute process is owned by a user who doesn't have
    passwordless sudo privilege, zun-compute will fail to run
    privileged commands (e.g. sudo privsep-helper ...).

    A native solution is to grant passwordless sudo to the user
    who owns the zun process, but the best practice is to leverage
    Rootwrap [1], which can restrict the privilege escalation.

    This patch makes Zun leverage Rootwrap. In particular, it does
    the following:
    * Set up Rootwrap in the Zun devstack plugin
    * Introduce a sample rootwrap config file
    * Introduce sample rootwrap filters for executing privsep-helper
    * Introduce a root helper which basically adds "sudo zun-rootwrap"
      to the beginning of the command to be executed.
    * Initialize privsep to use Zun's root helper

    [1] https://wiki.openstack.org/wiki/Rootwrap

    Closes-Bug: #1749342
    Needed-By: I69c47d25fa53f8e08efad9daa71d2f550425a5e7
    Change-Id: I3ca5d853588b3705cb6cb2410df16e16a621c030
    (cherry picked from commit d412de7100058f4a362cf58bd11f88b31b500f77)
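To make concrete what "restrict the privilege escalation" means in the commit above, here is an added example (not code from the commit, from Zun, or from oslo.rootwrap): a simplified model of how a rootwrap filter decides whether a command may run as root, and of the root-helper prefix the commit describes. The sample filter line and the `/etc/zun/rootwrap.conf` path are assumptions.

```python
import re
import shlex

# Constructed sample filter file, modelled on the privsep-helper filter the
# commit describes; it is not the file from the Zun tree.
SAMPLE_FILTERS = r"""
[Filters]
# zun-compute may only escalate to run privsep-helper with a config under /etc
privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*
"""

# Assumed root helper string: the commit says the helper prepends
# "sudo zun-rootwrap" to the command; the config path is an assumption.
ROOT_HELPER = "sudo zun-rootwrap /etc/zun/rootwrap.conf"

def parse_filters(text):
    """Parse '[Filters]' lines into (name, kind, exec_path, run_as, arg_patterns)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "[")):
            continue
        name, spec = line.split(":", 1)
        fields = [f.strip() for f in spec.split(",")]
        rules.append((name.strip(), fields[0], fields[1], fields[2], fields[3:]))
    return rules

def match_rule(rule, argv):
    """Simplified CommandFilter/RegExpFilter semantics (no exec-path lookup)."""
    _, kind, exec_path, _, patterns = rule
    if kind == "CommandFilter":
        return bool(argv) and argv[0] == exec_path
    if kind != "RegExpFilter" or len(argv) != len(patterns):
        return False  # argument count must match the filter exactly
    # every argument must fully match its pattern, in order
    return all(re.fullmatch(p, a) for p, a in zip(patterns, argv))

def authorize(argv, rules):
    """Return the run-as user of the first matching filter, or None (denied)."""
    for rule in rules:
        if match_rule(rule, argv):
            return rule[3]
    return None

def wrap_with_root_helper(argv):
    """What the commit's root helper does: prefix the command with the helper."""
    return shlex.split(ROOT_HELPER) + list(argv)
```

A command that is not on the allow list, or that points privsep-helper at a config file outside `/etc`, gets no run-as user and is refused, which is the gate that plain passwordless sudo would not provide.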