commit d9098aab26b82a0f78c8c5e72f76da600279e6b9
Author: Hongbin Lu <email address hidden>
Date: Wed Feb 14 02:55:07 2018 +0000

Introduce rootwrap and filter

If the zun-compute process is owned by a user who doesn't have
passwordless sudo privilege, zun-compute will fail to run
privileged commands (e.g. sudo privsep-helper ...).

A native solution is to grant passwordless sudo to the user
who owns the zun process, but the best practice is to leverage
Rootwrap [1], which can restrict the privilege escalation.

This patch makes Zun leverage Rootwrap. In particular, it does
the following:

* Set up Rootwrap in the Zun devstack plugin
* Introduce a sample rootwrap config file
* Introduce sample rootwrap filters for executing privsep-helper
* Introduce a root helper which basically adds "sudo zun-rootwrap"
  to the beginning of the command to be executed.
* Initialize privsep to use Zun's root helper
Reviewed:  https://review.openstack.org/554551
Committed: https://git.openstack.org/cgit/openstack/zun/commit/?id=d9098aab26b82a0f78c8c5e72f76da600279e6b9
Submitter: Zuul
Branch:    stable/queens
[1] https://wiki.openstack.org/wiki/Rootwrap

Closes-Bug: #1749342
Needed-By: I69c47d25fa53f8
Change-Id: I3ca5d853588b37
(cherry picked from commit d412de7100058f4
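As an added illustration of the two pieces the commit describes (this is example code written for this page, not Zun's code and not oslo.rootwrap's implementation): a rootwrap filter file that admits only privsep-helper, a simplified CommandFilter matcher modelled on oslo.rootwrap's semantics, and a root helper that prefixes "sudo zun-rootwrap <conf>" to the command. The config path /etc/zun/rootwrap.conf, the executable path /usr/local/bin/privsep-helper and the sample filter contents are constructed assumptions, not values taken from the commit.

```python
"""Illustration of rootwrap filtering plus a "sudo zun-rootwrap" root helper.

Not Zun's or oslo.rootwrap's code; a simplified model of how a filter file
restricts which command the unprivileged zun-compute user may run as root.
"""
import configparser
import os
import shlex

# Constructed sample filter file in oslo.rootwrap's "[Filters]" syntax:
#   name: CommandFilter, <executable>, <run-as user>
# Only privsep-helper is admitted; anything else is refused by rootwrap.
SAMPLE_FILTERS = """
[Filters]
privsep-helper: CommandFilter, /usr/local/bin/privsep-helper, root
"""

# Assumed location of the rootwrap config; the commit does not state a path.
ROOTWRAP_CONF = "/etc/zun/rootwrap.conf"


class CommandFilter:
    """Simplified CommandFilter: a command is admitted only when argv[0] equals
    the basename of exec_path, and argv[0] is rewritten to the absolute
    exec_path so the caller cannot substitute a look-alike binary elsewhere."""

    def __init__(self, name, exec_path, run_as):
        self.name = name
        self.exec_path = exec_path
        self.run_as = run_as

    def match(self, argv):
        return bool(argv) and os.path.basename(self.exec_path) == argv[0]

    def get_command(self, argv):
        return [self.exec_path] + list(argv[1:])


def load_filters(text):
    """Parse a filters file (string) into CommandFilter objects."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    result = []
    for name, spec in parser.items("Filters"):
        kind, exec_path, run_as = [s.strip() for s in spec.split(",")][:3]
        if kind != "CommandFilter":
            raise ValueError("unsupported filter type: %s" % kind)
        result.append(CommandFilter(name, exec_path, run_as))
    return result


def rootwrap_decide(filters, argv):
    """Return (exec_argv, run_as) for the first filter admitting argv, or None
    when no filter matches (rootwrap then refuses to execute the command)."""
    for f in filters:
        if f.match(argv):
            return f.get_command(argv), f.run_as
    return None


def get_root_helper(conf_path=ROOTWRAP_CONF):
    """Root helper in the shape the commit describes: 'sudo zun-rootwrap'
    followed by the rootwrap config path."""
    return "sudo zun-rootwrap %s" % conf_path


def wrap_privileged(argv, root_helper=None):
    """Prefix the root helper to argv, as privsep does for its helper launch."""
    helper = shlex.split(root_helper or get_root_helper())
    return helper + list(argv)


if __name__ == "__main__":
    filters = load_filters(SAMPLE_FILTERS)
    # "/path/to/zun.conf" is a placeholder argument, not a real Zun path.
    full = wrap_privileged(["privsep-helper", "--config-file", "/path/to/zun.conf"])
    print(" ".join(full))
    # zun-rootwrap only sees what follows "sudo zun-rootwrap <conf>":
    print(rootwrap_decide(filters, full[3:]))
    print(rootwrap_decide(filters, ["bash", "-c", "id"]))  # refused: None
```

With oslo.privsep, the equivalent wiring is `priv_context.init(root_helper=shlex.split(get_root_helper()))`, so the only sudo rule the zun-compute user needs is one that permits `zun-rootwrap`; the filter file, not sudoers, then decides which command may actually run as root.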