1fed955fa4
/usr/local/{sbin,bin} is a standardised location for admins to install non-distro executables, and these executables are no less "trustworthy" than /usr/bin and friends. See neutron and cinder's rootwrap.conf (and probably others), and typical distro default values for sudoers/secure_path for extremely similar precedents that all include /usr/local/*bin. In particular, some sort of change like this is required for oslo.privsep to find its "privsep-helper" executable in devstack (installed into /usr/local/bin via pip). The only open question (imo) is whether this change is made here in nova (and any other project that doesn't already have this), or rootwrap.conf is modified in the same way at "deployment time" by devstack and other deployment methods. Doing it here means it is far more likely to "just work" for the common case of installing at least one affected command into /usr/local. See I710cf142b834381c00e651cfc062299ae755c33f for some brief discussion of doing this via devstack, and pointers to earlier neutron, etc discussion. Change-Id: I6a0a4b7f952193ce0f4ed2594613188854d36bf1
28 lines
966 B
Plaintext
28 lines
966 B
Plaintext
# Configuration for nova-rootwrap
|
|
# This file should be owned by (and only-writeable by) the root user
|
|
|
|
[DEFAULT]
|
|
# List of directories to load filter definitions from (separated by ',').
|
|
# These directories MUST all be only writeable by root !
|
|
filters_path=/etc/nova/rootwrap.d,/usr/share/nova/rootwrap
|
|
|
|
# List of directories to search executables in, in case filters do not
|
|
# explicitly specify a full path (separated by ',')
|
|
# If not specified, defaults to system PATH environment variable.
|
|
# These directories MUST all be only writeable by root !
|
|
exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/sbin,/usr/local/bin
|
|
|
|
# Enable logging to syslog
|
|
# Default value is False
|
|
use_syslog=False
|
|
|
|
# Which syslog facility to use.
|
|
# Valid values include auth, authpriv, syslog, local0, local1...
|
|
# Default value is 'syslog'
|
|
syslog_log_facility=syslog
|
|
|
|
# Which messages to log.
|
|
# INFO means log all usage
|
|
# ERROR means only log unsuccessful attempts
|
|
syslog_log_level=ERROR
|