
Trove/Blueprints/rootwrap-for-guest

Description

Use the oslo-rootwrap library in the guest instead of direct sudo calls.

Justification/Benefits

Justification

Right now, trove requires a 'trove' user with full sudo rights to run all of its commands on the guest VM. oslo-rootwrap is a library designed to handle this task in the safest manner possible.

Benefits

  • It provides a clean view of the commands used by trove
  • It makes trove behave like all the other OpenStack core projects

Impacts

Configuration

  • A new key 'rootwrap_config' must be added to the trove configuration files to specify the configuration of rootwrap.
  • A new file /etc/trove/trove-rootwrap.conf must be created to configure rootwrap.
  • A directory /etc/trove/trove-rootwrap.d will be created, with files containing the commands that require root privileges.
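
The layout described above, as an added example (not Trove's or oslo.rootwrap's own code): a simplified Python model of how the three pieces chain together and how a filter file decides whether a guest command may run as root. The config snippets, filter names and commands are constructed, and the matching is a reduced version of rootwrap's CommandFilter and RegExpFilter.

```python
import configparser
import os
import re

# Constructed samples. The [DEFAULT] placement of rootwrap_config, the filter
# names and the two commands are assumptions; filters_path is an oslo.rootwrap key.
TROVE_CONF = "[DEFAULT]\nrootwrap_config = /etc/trove/trove-rootwrap.conf\n"
ROOTWRAP_CONF = "[DEFAULT]\nfilters_path = /etc/trove/trove-rootwrap.d\n"
GUEST_FILTERS = """
[Filters]
chown: CommandFilter, chown, root
mount_data: RegExpFilter, mount, root, mount, /dev/vd[b-z], /var/lib/[a-z]+
"""

def read_default(text, key):
    """Return one key from the [DEFAULT] section of an INI-style config."""
    cp = configparser.RawConfigParser()
    cp.read_string(text)
    return cp.defaults()[key]

def load_filters(text):
    """Parse a [Filters] section into (name, kind, exec_path, run_as, args)."""
    cp = configparser.RawConfigParser()
    cp.read_string(text)
    filters = []
    for name, value in cp.items("Filters"):
        kind, exec_path, run_as, *args = [p.strip() for p in value.split(",")]
        filters.append((name, kind, exec_path, run_as, args))
    return filters

def is_allowed(filters, userargs):
    """Return the name of the first matching filter, or None (command denied)."""
    for name, kind, exec_path, _run_as, args in filters:
        if not userargs or os.path.basename(exec_path) != userargs[0]:
            continue
        if kind == "CommandFilter":  # matches on the executable name only
            return name
        if kind == "RegExpFilter" and len(args) == len(userargs) and all(
                re.fullmatch(p, a) for p, a in zip(args, userargs)):
            return name  # every argument matched its pattern
    return None

if __name__ == "__main__":
    filters = load_filters(GUEST_FILTERS)
    print(read_default(TROVE_CONF, "rootwrap_config"))
    print(read_default(ROOTWRAP_CONF, "filters_path"))
    for cmd in (["mount", "/dev/vdb", "/var/lib/mysql"], ["bash", "-c", "id"]):
        print(cmd, "->", is_allowed(filters, cmd))
```

A bare CommandFilter accepts any arguments, so commands such as chown are better expressed with argument-constrained filters where the guest's usage is predictable.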

Database

No changes

Public API

No changes

Internal API

No changes

Guest Agent

This has no impact on the task-manager <-> guest agent communications.