This is a technical dead end and not something we're going to be able to support long-term in pbr. We need to push users away from this. Doing so highlights quite a few places where our docs need some work, particularly in light of the recent removal of the eventlet servers.

Change-Id: I2ffaed710fac2612f5337aca5192af15eab46861
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
nova-rootwrap
Synopsis
nova-rootwrap CONFIG_FILE COMMAND
Description
nova-rootwrap is an application that filters which commands nova is allowed to run as another user.
To use this, you should set the following in nova.conf:
rootwrap_config=/etc/nova/rootwrap.conf
You also need to let the nova user run nova-rootwrap as root in sudoers:
nova ALL = (root) NOPASSWD: /usr/bin/nova-rootwrap /etc/nova/rootwrap.conf *
To make allowed commands node-specific, your packaging should only install {compute,network}.filters respectively on compute and network nodes, i.e. API nodes should not have any of those files installed.
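The node-specific filter rule above can be checked on a deployed host. The following is an added example, not part of nova: the function name check_rootwrap_filters, the role names and the OWNER argument are assumptions, and the ownership and write-permission check goes beyond what this page states.

```shell
#!/bin/sh
# Added example (not from nova): audit rootwrap filter files for a node role.
# The role names and the default owner "root" are assumptions of this sketch.

# check_rootwrap_filters ROLE [FILTER_DIR] [OWNER]
# Prints one finding per line; returns 0 if clean, 1 on findings, 2 on bad input.
check_rootwrap_filters() {
    role=$1
    dir=${2:-/etc/nova/rootwrap.d}
    owner=${3:-root}
    rc=0

    case $role in
        compute) allowed=compute.filters ;;
        network) allowed=network.filters ;;
        api)     allowed= ;;
        *) echo "unknown role: $role" >&2; return 2 ;;
    esac
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 2; }

    # Node-specific filters: only the file matching this role may be present.
    for name in compute.filters network.filters; do
        if [ -e "$dir/$name" ] && [ "$name" != "$allowed" ]; then
            echo "UNEXPECTED $dir/$name on $role node"
            rc=1
        fi
    done

    # The filters decide what nova may run as another user, so the directory
    # and its files must belong to OWNER and not be group- or world-writable.
    loose=$(find "$dir" ! -type l \( ! -user "$owner" -o -perm -020 -o -perm -002 \))
    if [ -n "$loose" ]; then
        echo "$loose" | sed 's/^/WRITABLE-OR-FOREIGN /'
        rc=1
    fi
    return $rc
}
```

Run it as `check_rootwrap_filters api` on an API node, or with `compute` or `network` on the matching node type; a non-zero exit status means a finding was printed.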
Note
nova-rootwrap is being slowly deprecated and replaced by oslo.privsep, and will eventually be removed.
Files
/etc/nova/nova.conf
/etc/nova/rootwrap.conf
/etc/nova/rootwrap.d/
See Also
nova-compute(1)
Bugs
- Nova bugs are managed at Launchpad