zun/setup.cfg
Hongbin Lu d412de7100 Introduce rootwrap and filter
If the zun-compute process is owned by a user who doesn't have
passwordless sudo privilege, zun-compute will fail to run
privileged commands (e.g. sudo privsep-helper ...).

A native solution is to grant passwordless sudo to the user
who owns the zun process, but the best practice is to leverage
Rootwrap [1], which can restrict the privilege escalation.

This patch makes Zun leverage Rootwrap. In particular, it does
the following:
* Setup Rootwrap in the Zun devstack plugin
* Introduce a sample rootwrap config file
* Introduce sample rootwrap filters for executing privsep-helper
* Introduce a root helper which basically adds "sudo zun-rootwrap"
  to the beginning of the command to be executed.
* Initialize privsep to use Zun's root helper

[1] https://wiki.openstack.org/wiki/Rootwrap

Closes-Bug: #1749342
Needed-By: I69c47d25fa53f8e08efad9daa71d2f550425a5e7
Change-Id: I3ca5d853588b3705cb6cb2410df16e16a621c030
2018-03-14 04:36:33 +00:00

92 lines
2.2 KiB
INI

[metadata]
name = zun
summary = OpenStack Containers service
description-file =
    README.rst
author = OpenStack
author-email = openstack-dev@lists.openstack.org
home-page = https://docs.openstack.org/zun/latest/
classifier =
    Environment :: OpenStack
    Intended Audience :: Information Technology
    Intended Audience :: System Administrators
    License :: OSI Approved :: Apache Software License
    Operating System :: POSIX :: Linux
    Programming Language :: Python
    Programming Language :: Python :: 2
    Programming Language :: Python :: 2.7
    Programming Language :: Python :: 3
    Programming Language :: Python :: 3.5

[files]
data_files =
    etc/zun =
        etc/zun/api-paste.ini
packages =
    zun

[build_sphinx]
source-dir = doc/source
build-dir = doc/build
all_files = 1
warning-is-error = 1

[upload_sphinx]
upload-dir = doc/build/html

[compile_catalog]
directory = zun/locale
domain = zun

[update_catalog]
domain = zun
output_dir = zun/locale
input_file = zun/locale/zun.pot

[extract_messages]
keywords = _ gettext ngettext l_ lazy_gettext
mapping_file = babel.cfg
output_file = zun/locale/zun.pot

[entry_points]
console_scripts =
    zun-api = zun.cmd.api:main
    zun-compute = zun.cmd.compute:main
    zun-db-manage = zun.cmd.db_manage:main
    zun-wsproxy = zun.cmd.wsproxy:main
    zun-rootwrap = oslo_rootwrap.cmd:main
wsgi_scripts =
    zun-api-wsgi = zun.api.wsgi:init_application
oslo.config.opts =
    zun = zun.opts:list_opts
    zun.conf = zun.conf.opts:list_opts
oslo.config.opts.defaults =
    zun = zun.common.config:set_cors_middleware_defaults
oslo.policy.policies =
    zun = zun.common.policies:list_rules
zun.database.migration_backend =
    sqlalchemy = zun.db.sqlalchemy.migration
zun.scheduler.driver =
    chance_scheduler = zun.scheduler.chance_scheduler:ChanceScheduler
    fake_scheduler = zun.tests.unit.scheduler.fakes:FakeScheduler
    filter_scheduler = zun.scheduler.filter_scheduler:FilterScheduler
zun.image.driver =
    glance = zun.image.glance.driver:GlanceDriver
    docker = zun.image.docker.driver:DockerDriver
zun.network.driver =
    kuryr = zun.network.kuryr_network:KuryrNetwork
zun.volume.driver =
    cinder = zun.volume.driver:Cinder

[extras]
osprofiler =
    osprofiler>=1.4.0 # Apache-2.0
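
The commit message above describes a root helper that puts "sudo zun-rootwrap" in front of a command, with rootwrap filters limiting what may run. The following is an added example, not code from Zun or oslo.rootwrap: a simplified model of that allow-list check. The filter entry, the context name example.ctx and the path /etc/example/rootwrap.conf are constructed placeholders.

```python
import configparser
import re
import shlex

# Constructed filter file in the oslo.rootwrap ".filters" layout; the filter
# name, context name and paths are illustrative, not Zun's shipped sample.
SAMPLE_FILTERS = r"""
[Filters]
privsep-helper: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, example\.ctx, --privsep_sock_path, /tmp/.*
"""

# Placeholder rootwrap config path; the page does not give the real one.
ROOTWRAP_CONF = "/etc/example/rootwrap.conf"


def load_filters(text):
    """Parse '[Filters]' entries into (kind, executable, run_as, patterns)."""
    parser = configparser.RawConfigParser()
    parser.read_string(text)
    filters = []
    for _name, value in parser.items("Filters"):
        kind, executable, run_as, *patterns = [p.strip() for p in value.split(",")]
        filters.append((kind, executable, run_as, patterns))
    return filters


def is_allowed(filters, argv):
    """Return True if argv matches a filter; anything unmatched is refused."""
    for kind, executable, _run_as, patterns in filters:
        if kind == "CommandFilter" and argv and argv[0] == executable:
            return True
        if kind == "RegExpFilter" and len(argv) == len(patterns):
            # Every argument must match its pattern in full, position by position.
            if all(re.fullmatch(p, a) for p, a in zip(patterns, argv)):
                return True
    return False


def wrap(filters, command):
    """Build the sudo command line for an allowed command, else raise."""
    argv = shlex.split(command)
    if not is_allowed(filters, argv):
        raise PermissionError("no rootwrap filter matches: " + command)
    # The root helper prefix from the commit message, plus the config path.
    return ["sudo", "zun-rootwrap", ROOTWRAP_CONF] + argv
```

With this arrangement the sudoers entry only needs to permit zun-rootwrap itself, and the filter file decides which commands it will run as root.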