Packager/Rootwrap

= Packaging tips: the Nova root helper =

For general information, see Nova/Rootwrap.

== rootwrap.conf ==
You now need to provide /etc/nova/rootwrap.conf. It should be owned by root and writeable only by root. An example file is at etc/nova/rootwrap.conf in the source code. It defines which directories filters are loaded from. You can use one or multiple directories, but they must all exist and be owned by, and writeable only by, the root user.

== nova.conf ==
The root_helper parameter is deprecated in favor of the rootwrap_config parameter:

rootwrap_config=/etc/nova/rootwrap.conf

If you still want to use root_helper, it now needs to include the configuration file:

root_helper=sudo nova-rootwrap /etc/nova/rootwrap.conf

== sudoers ==
The sudoers entry needs to point to the configuration file and allow extra parameters:

nova ALL = (root) NOPASSWD: /usr/bin/nova-rootwrap /etc/nova/rootwrap.conf *

== No more Python filter definitions ==
We removed nova/rootwrap/{compute,network,volume}.py, so they don't need to be shipped anymore.

== New filter definition files ==
We added etc/nova/rootwrap.d/{compute,network,volume}.filters, so they need to be shipped instead.

You should still ship them only with the type of node they affect. So:


 * compute.filters should only be included in the nova-compute node package
 * network.filters should only be included in the nova-network node package
 * volume.filters should only be included in the nova-volume node package

They should be installed in one of the directories (or the only directory) defined in rootwrap.conf. They should be owned by root and writeable only by root.
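A package post-install check for the ownership and permission requirements stated above for rootwrap.conf, its filter directories and the filter files. This is an added example, not part of Nova or of the original page. It assumes the directories are listed in the `filters_path` option of the `[DEFAULT]` section, as in the example rootwrap.conf; the `audit_rootwrap` name and its `owner_uid` parameter are hypothetical.

```python
import configparser
import os
import stat


def audit_rootwrap(conf_path, owner_uid=0):
    """Return a list of problems; an empty list means the layout passes."""
    problems = []

    def check(path):
        # Record a problem if path is missing, not owned by owner_uid,
        # or writable by group/others. Returns False only when missing.
        try:
            st = os.stat(path)
        except OSError as exc:
            problems.append(f"{path}: {exc.strerror}")
            return False
        if st.st_uid != owner_uid:
            problems.append(f"{path}: owned by uid {st.st_uid}, expected {owner_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{path}: writable by group or others")
        return True

    if not check(conf_path):
        return problems

    parser = configparser.RawConfigParser()
    parser.read(conf_path)
    # Assumption: comma-separated directory list in [DEFAULT] filters_path.
    raw = parser.get("DEFAULT", "filters_path", fallback="")
    dirs = [d.strip() for d in raw.split(",") if d.strip()]
    if not dirs:
        problems.append(f"{conf_path}: no filters_path defined")

    for d in dirs:
        if not check(d):
            continue  # every listed directory must exist
        if not os.path.isdir(d):
            problems.append(f"{d}: not a directory")
            continue
        for name in sorted(os.listdir(d)):
            check(os.path.join(d, name))
    return problems


if __name__ == "__main__":
    for line in audit_rootwrap("/etc/nova/rootwrap.conf"):
        print(line)
```
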