0717df0452ac8cbac40eda759c169834ceb54eb2

Alternative to using a sudoers file to limit which commands can be run as root in Nova. This one makes use of command filters defined in Nova code itself, which can be customized to deeply inspect command arguments before allowing a command to be executed. This change puts the infrastructure in place, together with command filters that replicate the level of filtering provided by a sudoers file (no deep argument inspection yet). An example of an advanced filter (RegExpFilter) is also provided. This new root wrapper is not active by default (root_helper still defaults to "sudo").

Implements blueprint nova-rootwrap.

Change-Id: I7ad723b55e9446758876f21b4fbb09374a910425
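The difference between sudoers-level filtering and deep argument inspection, as described in the commit message above, shown in an added sketch that is not Nova's code. The class names echo the commit message, but the constructors, `match()` and `authorize()` are assumptions made here, and the `/bin/kill` policies are constructed samples.

```python
import re


class CommandFilter:
    """Sudoers-level check: only the executable path is compared."""
    def __init__(self, exec_path, run_as="root"):
        self.exec_path = exec_path
        self.run_as = run_as

    def match(self, argv):
        return bool(argv) and argv[0] == self.exec_path


class RegExpFilter(CommandFilter):
    """Deep check: every argument must fully match its own pattern."""
    def __init__(self, exec_path, run_as, *arg_patterns):
        super().__init__(exec_path, run_as)
        self.arg_patterns = [re.compile(p) for p in arg_patterns]

    def match(self, argv):
        if not super().match(argv):
            return False
        args = argv[1:]
        # Extra or missing arguments are rejected, not ignored.
        if len(args) != len(self.arg_patterns):
            return False
        # fullmatch() anchors both ends, so "4242x" does not pass as a PID.
        return all(p.fullmatch(a) for p, a in zip(self.arg_patterns, args))


def authorize(argv, filters):
    """Return the first filter that allows argv, or None to refuse."""
    for f in filters:
        if f.match(argv):
            return f
    return None


# Constructed policies for the same binary (paths and patterns are samples).
NAME_ONLY = [CommandFilter("/bin/kill")]
STRICT = [RegExpFilter("/bin/kill", "root", r"-HUP", r"[0-9]+")]

if __name__ == "__main__":
    for argv in (["/bin/kill", "-HUP", "4242"], ["/bin/kill", "-9", "1"],
                 ["/bin/kill", "-HUP", "4242", "1"], ["/bin/sh", "-c", "id"]):
        print(argv, "name-only:", bool(authorize(argv, NAME_ONLY)),
              "regexp:", bool(authorize(argv, STRICT)))
```

The name-only policy accepts any argument list for an allowed binary, which is the sudoers-equivalent level; the regular-expression policy refuses anything that is not exactly one permitted signal and one numeric PID.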
The Choose Your Own Adventure README for Nova
You have come across a cloud computing fabric controller. It has identified itself as "Nova." It is apparent that it maintains compatibility with the popular Amazon EC2 and S3 APIs.
To monitor it from a distance: follow @openstack on twitter.
To tame it for use in your own cloud: read http://docs.openstack.org
To study its anatomy: read http://nova.openstack.org
To dissect it in detail: visit http://github.com/openstack/nova
To taunt it with its weaknesses: use http://bugs.launchpad.net/nova
To watch it: http://jenkins.openstack.org
To hack at it: read HACKING
To cry over its pylint problems: http://jenkins.openstack.org/job/nova-pylint/violations
Description