d412de7100
If the zun-compute process is owned by a user who doesn't have passwordless sudo privilege, zun-compute will fail to run privileged command (e.g. sudo privsep-helper ...). A native solution is to grant passwordless sudo to the user who owns the zun process, but the best practice is to leverage Rootwrap [1], which can restrict the privilege escalation. This patch make Zun leverage Rootwrap. In particular, it does the following: * Setup Rootwrap in the Zun devstack plugin * Introduce a sample rootwrap config file * Introduce sample rootwrap filters for executing privsep-helper * Introduce a root helper which basically adds "sudo zun-rootwrap" to the beginning of the command to be execute. * Initialize privsep to use the Zun's root helper [1] https://wiki.openstack.org/wiki/Rootwrap Closes-Bug: #1749342 Needed-By: I69c47d25fa53f8e08efad9daa71d2f550425a5e7 Change-Id: I3ca5d853588b3705cb6cb2410df16e16a621c030
68 lines
2.1 KiB
Python
68 lines
2.1 KiB
Python
# All Rights Reserved.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
from oslo_config import cfg
|
|
|
|
from zun.conf import api
|
|
from zun.conf import availability_zone
|
|
from zun.conf import cinder_client
|
|
from zun.conf import compute
|
|
from zun.conf import container_driver
|
|
from zun.conf import database
|
|
from zun.conf import docker
|
|
from zun.conf import glance_client
|
|
from zun.conf import image_driver
|
|
from zun.conf import keystone
|
|
from zun.conf import netconf
|
|
from zun.conf import network
|
|
from zun.conf import neutron_client
|
|
from zun.conf import nova_client
|
|
from zun.conf import path
|
|
from zun.conf import pci
|
|
from zun.conf import profiler
|
|
from zun.conf import scheduler
|
|
from zun.conf import services
|
|
from zun.conf import ssl
|
|
from zun.conf import utils
|
|
from zun.conf import volume
|
|
from zun.conf import websocket_proxy
|
|
from zun.conf import zun_client
|
|
|
|
CONF = cfg.CONF
|
|
|
|
api.register_opts(CONF)
|
|
compute.register_opts(CONF)
|
|
container_driver.register_opts(CONF)
|
|
database.register_opts(CONF)
|
|
docker.register_opts(CONF)
|
|
glance_client.register_opts(CONF)
|
|
image_driver.register_opts(CONF)
|
|
keystone.register_opts(CONF)
|
|
nova_client.register_opts(CONF)
|
|
path.register_opts(CONF)
|
|
scheduler.register_opts(CONF)
|
|
services.register_opts(CONF)
|
|
zun_client.register_opts(CONF)
|
|
ssl.register_opts(CONF)
|
|
profiler.register_opts(CONF)
|
|
neutron_client.register_opts(CONF)
|
|
network.register_opts(CONF)
|
|
websocket_proxy.register_opts(CONF)
|
|
pci.register_opts(CONF)
|
|
volume.register_opts(CONF)
|
|
cinder_client.register_opts(CONF)
|
|
netconf.register_opts(CONF)
|
|
availability_zone.register_opts(CONF)
|
|
utils.register_opts(CONF)
|