909d0de68e
Thanks to mikal, nova was fully transitioned to using privsep over the past cycles. However the old rootwrap filter definitions have been left behind, which basically means that there is limited security benefit right now (code gone rogue could still call rootwrap to execute some code as root). As far as I can tell, those can be removed now. os-brick calls in compute.filters should be covered by the os_brick.privileged.default context. Rootwrap is now only used to launch the two privileged privsep contexts. Since those are one-shot at the start of the service, there is little point in using rootwrap-daemon on nova nodes. network.filters and api-metadata.filters are being removed in https://review.opendev.org/#/c/696518 as part of the nova-net cleanup. Change-Id: Ie5e5ab17dabad713d4ad1261ab8b5d62b017f31e |
||
|---|---|---|
| .. | ||
| rootwrap.d | ||
| README-nova.conf.txt | ||
| README-policy.yaml.txt | ||
| api-paste.ini | ||
| logging_sample.conf | ||
| nova-config-generator.conf | ||
| nova-policy-generator.conf | ||
| release.sample | ||
| rootwrap.conf | ||