zun/zun/cmd
Hongbin Lu d9098aab26 Introduce rootwrap and filter
If the zun-compute process is owned by a user who doesn't have
passwordless sudo privilege, zun-compute will fail to run
privileged commands (e.g. sudo privsep-helper ...).

A native solution is to grant passwordless sudo to the user
who owns the zun process, but the best practice is to leverage
Rootwrap [1], which can restrict the privilege escalation.

This patch makes Zun leverage Rootwrap. In particular, it does
the following:
* Set up Rootwrap in the Zun devstack plugin
* Introduce a sample rootwrap config file
* Introduce sample rootwrap filters for executing privsep-helper
* Introduce a root helper which basically adds "sudo zun-rootwrap"
  to the beginning of the command to be executed.
* Initialize privsep to use Zun's root helper

[1] https://wiki.openstack.org/wiki/Rootwrap

Closes-Bug: #1749342
Needed-By: I69c47d25fa53f8e08efad9daa71d2f550425a5e7
Change-Id: I3ca5d853588b3705cb6cb2410df16e16a621c030
(cherry picked from commit d412de7100)
2018-03-20 13:58:01 +00:00
__init__.py Integrate OSProfiler in Zun 2017-03-17 21:15:03 +08:00
api.py Fix an issue in zun-api start 2017-03-27 22:07:07 +05:30
compute.py Introduce rootwrap and filter 2018-03-20 13:58:01 +00:00
db_manage.py update higgins with zun 2016-06-08 22:21:34 -05:00
wsproxy.py Add support for websocket-proxy 2017-05-18 18:42:05 +08:00