From e0460dea1b7f3b097ed623ab464b63f08433f764 Mon Sep 17 00:00:00 2001 From: yuval Date: Tue, 25 Feb 2025 15:08:42 +0200 Subject: [PATCH] Remove usage of the "VIRTUAL_ENV" environment variable In the privsep file, we limit capabilities, and only if the environment variable "VIRTUAL_ENV" is set, we add the c.CAP_DAC_READ_SEARCH capability. This makes deployment very difficult in Docker environments (e.g., Kolla). Looking at Nova and Cinder privsep, this condition does not exist. Change-Id: I0e0d6275bbd7695f836b40d462ef12aa27757968 --- os_brick/privileged/__init__.py | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/os_brick/privileged/__init__.py b/os_brick/privileged/__init__.py index 4fc348c75..b16f471bf 100644 --- a/os_brick/privileged/__init__.py +++ b/os_brick/privileged/__init__.py @@ -10,19 +10,11 @@ # License for the specific language governing permissions and limitations # under the License. -import os - from oslo_privsep import capabilities as c from oslo_privsep import priv_context -capabilities = [c.CAP_SYS_ADMIN] - -# On virtual environments libraries are not owned by the Daemon user (root), so -# the Daemon needs the capability to bypass file read permission checks in -# order to dynamically load the code to run. -if os.environ.get('VIRTUAL_ENV'): - capabilities.append(c.CAP_DAC_READ_SEARCH) +capabilities = [c.CAP_SYS_ADMIN, c.CAP_DAC_READ_SEARCH] # It is expected that most (if not all) os-brick operations can be # executed with these privileges.