This change replaces all uses of rootwrap with a trivial privsep-based
equivalent. This replacement simply executes commands as the privsep
user *without any additional checks*.
There are 2 reasons why this is a reasonable thing to do:
1. We don't have a good workflow for merging rootwrap filter changes
into parent projects (nova/cinder) for a loosely-coupled library like
2. The previous situation was also insecure. The os-brick.filters
rootwrap config permitted commands like "dd" and "cp" with any
arguments, as root. This would have posed only a mild inconvenience
to an attacker. With privsep we can at least (in principle) limit
the commands to the privsep uid/gid and Linux
capabilities (CAP_SYS_ADMIN by default with this change).
This change addresses the urgency of (1). Later refactors will take
greater advantage of privsep to address (2).
# nova: nova.conf: Set privsep_rootwrap.helper_command
# nova: Add os-brick rootwrap filter for privsep
# cinder: cinder.conf: Set privsep_rootwrap.helper_command
# cinder: Add os-brick rootwrap filter for privsep
# privsep: Switch to msgpack for serialization
# requirements: require oslo.privsep>=1.5.0 for msgpack fix

This patch adds the local LVM control code from Cinder into os-brick.
Nova has its own copy of code that does basically the same thing.
This patch is the first step to migrating both Cinder and Nova to using
the same exact code for managing local lvm volume groups and volumes.
This is NOT a replacement for the Cinder lvm volume driver, but the
low level lvm management code.
implements blueprint: local-dev-lvm-to-os-brick

This patch changes how we discover Multipath devices for
FibreChannel volume attaches.
Running multipath -l <device> can become slower and slower
as more and more volumes are attached to a host. To overcome this,
there are ways of discovering multipath device paths without
using the multipath -l command at all.
When the multipath daemon is running, and it discovers new volumes,
it will create new device paths for the multipath device associated
with that new volume. Those multipath device paths are predictable
and show up after the multipath device is created. This avoids
the repeated looping calls to multipath -l to discover the same paths.
SCSI volumes have a WWN that's supposed to be in page 0x83 on the volume
itself according to the SCSI SPC-3 spec. That WWN is where the multipath
daemon gets it's multipath ID from and what is used to create the predictable
multipath device paths on the system.
When multipath friendly names are disabled, you get paths of
When multipath friendly names are enabled, you get paths of
This patch makes 3 different attempts to find a multipath device path to
First it looks in the common location of:
Then in the non friendly name path of:
And lastly using the fallback of calling multipath -l <device> to get:
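The three-step lookup described above, as an added example that is not os-brick's own code. Assumptions (not stated on the page): the two predictable locations are udev's `/dev/disk/by-id/dm-uuid-mpath-<WWN>` symlink and `/dev/mapper/<WWN>` (the map name when friendly names are off), and the `multipath -l` fallback is parsed from the first line of its output, which names the map either as the WWN itself or as a friendly alias followed by the WWN in parentheses. The sample `multipath -l` output in the docstring and tests is constructed.

```python
"""Locate a multipath device path for a SCSI volume by its WWN.

Added example, not os-brick's own code. The path patterns and the
``multipath -l`` first-line format are assumptions documented inline.
"""
import os
import subprocess
from typing import Callable, List, Optional


def candidate_paths(wwn: str) -> List[str]:
    """Predictable device paths the multipath daemon creates for a WWN."""
    return [
        # Common location (assumption): udev symlink keyed by the dm UUID,
        # present whether or not user-friendly names are enabled.
        "/dev/disk/by-id/dm-uuid-mpath-%s" % wwn,
        # Non-friendly-name path (assumption): the map is named by WWN.
        "/dev/mapper/%s" % wwn,
    ]


def parse_multipath_l(output: str, wwn: str) -> Optional[str]:
    """Parse the first non-empty line of ``multipath -l <device>`` output.

    Handles both naming styles (constructed samples, not real output):
      mpatha (360014051234) dm-0 LIO-ORG,TCMU device   # friendly names on
      360014051234 dm-0 LIO-ORG,TCMU device            # friendly names off
    Returns /dev/mapper/<map name>, or None when the line is not this WWN.
    """
    for line in output.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        name = tokens[0]
        if name == wwn:
            return "/dev/mapper/%s" % name
        if len(tokens) > 1 and tokens[1] == "(%s)" % wwn:
            return "/dev/mapper/%s" % name
        # First line describes some other map: treat as not found rather
        # than guessing, so the caller can report the miss.
        return None
    return None


def run_multipath_l(device: str) -> str:
    """Fallback: the call the patch tries to avoid repeating."""
    return subprocess.check_output(["multipath", "-l", device], text=True)


def find_multipath_device_path(
    wwn: str,
    device: str,
    exists: Callable[[str], bool] = os.path.exists,
    run: Callable[[str], str] = run_multipath_l,
) -> Optional[str]:
    """Three attempts in order: two predictable paths, then multipath -l.

    ``exists`` and ``run`` are injectable so the logic can be exercised
    without multipath-tools installed.
    """
    for path in candidate_paths(wwn):
        if exists(path):
            return path
    return parse_multipath_l(run(device), wwn)


if __name__ == "__main__":
    # Real lookup on this host; the WWN below is a constructed placeholder.
    print(find_multipath_device_path("360014051234abcd", "/dev/sdb"))
```

Only the fallback executes a command; the two filesystem probes are plain `stat` calls, which is the point of the change: discovery cost no longer grows with the number of attached volumes, and the external command runs only when the daemon has not yet created the map.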

This patch adds os-brick's list of rootwrap filters for commands
that are needed to execute. The filters are a self contained entire
list of expected filters that os-brick needs to run. It's expected that
this filter file is added to any rootwrap enabled service that needs to use
Devstack associated patch: https://review.openstack.org/#/c/207677/
UpgradeImpact: Need to place the os-brick.filters file in service's
rootwrap.d directory to enable filters.
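An added, illustrative filter file (not the project's actual os-brick.filters) showing the kind of over-broad entries the privsep change above describes as insecure, next to the single entry that the "Add os-brick rootwrap filter for privsep" items replace them with. The oslo.rootwrap syntax (`CommandFilter, <executable>, <user>` and `RegExpFilter, <executable>, <user>, <one regex per argument>`) is real; the privsep context name and the argument regexes are assumptions to check against the project's shipped file.

```ini
[Filters]
# Entries of the kind the privsep change calls out: rootwrap allows
# any arguments to dd or cp, as root, so anyone able to reach rootwrap
# with this file installed can read or overwrite arbitrary files.
dd: CommandFilter, dd, root
cp: CommandFilter, cp, root

# What replaces them: rootwrap may only start the privsep helper, and
# only with an os-brick context and a socket path under /tmp. Every
# later privileged call then goes through that daemon, confined to its
# uid/gid and capability set (CAP_SYS_ADMIN by default per the change).
# Context name and regexes are assumptions, not copied from os-brick.
privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.*
```

Per the UpgradeImpact note, the file goes in the consuming service's rootwrap.d directory; with only the privsep entry present, rootwrap no longer needs a per-command filter for every tool os-brick invokes, which is the workflow problem listed as reason (1).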