Add os-brick rootwrap filter for privsep

This change adds the command required to start the os-brick privsep privileged helper process. This should be the last "routine" merge to rootwrap filters from os-brick, since os-brick privileged operations will now go through the privsep mechanism. The now-obsolete os-brick rootwrap entries will be removed in a followup change that also bumps the os-brick minimum version appropriately. Change-Id: I4e333e73ddfd45c045b9d32dac1506fc25858c4d
2016-02-09 13:49:03 +11:00 · 2016-02-09 13:49:03 +11:00 · 18129874cd
parent 8bddbfe9be
commit 18129874cd
1 changed files with 4 additions and 0 deletions
--- a/etc/nova/rootwrap.d/compute.filters
+++ b/etc/nova/rootwrap.d/compute.filters
@ -214,6 +214,10 @@ drv_cfg: CommandFilter, /opt/emc/scaleio/sdc/bin/drv_cfg, root, /opt/emc/scaleio
 # Need to pull in os-brick os-brick.filters file instead and clean
 # out stale brick values from this file.
 scsi_id: CommandFilter, /lib/udev/scsi_id, root
+# os_brick.privileged.default oslo.privsep context
+# This line ties the superuser privs with the config files, context name,
+# and (implicitly) the actual python code invoked.
+privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.*

 # nova/storage/linuxscsi.py: sg_scan device
 sg_scan: CommandFilter, sg_scan, root