Latest revision as of 23:31, 17 February 2013

Packaging tips: the Nova root helper

For general information, see Nova/Rootwrap#Rootwrap_for_packagers.

Folsom changes

rootwrap.conf

You now need to provide /etc/nova/rootwrap.conf. It should be owned and writeable only by root. Example file is at etc/nova/rootwrap.conf in source code. It defines which directories filters will be loaded from. You can use one or multiple directories, but they must all exist, be owned and writeable only by the root user.

nova.conf

The root_helper parameter is deprecated in favor of the rootwrap_config parameter:

rootwrap_config=/etc/nova/rootwrap.conf

If you still want to use root_helper, it now needs to include the configuration file:

root_helper=sudo nova-rootwrap /etc/nova/rootwrap.conf

sudoers

The sudoers entry needs to point to the configuration file and allow extra parameters:

nova ALL = (root) NOPASSWD: /usr/bin/nova-rootwrap /etc/nova/rootwrap.conf *

No more Python filter definitions

We removed nova/rootwrap/{compute,network,volume}.py, so they don't need to be shipped anymore.

New filters definitions files

We added etc/nova/rootwrap.d/{compute,network,volume}.filters, so they need to be shipped instead.

You should still ship them only with the type of node they affect. So:

compute.filters should only be included in the nova-compute node package
network.filters should only be included in the nova-network node package
volume.filters should only be included in the nova-volume node package

They should be included in one (or the only) directory defined in rootwrap.conf. They should be owned and only writeable by root.

@@ Line 1: / Line 1: @@
-__NOTOC__
 = Packaging tips: the Nova root helper =
-Nova runs under an unprivileged user (typically called ''nova'') and comes with a mechanism to run some commands as ''root''. This mechanism needs packaging support to work properly.
+For general information, see [[Nova/Rootwrap#Rootwrap_for_packagers]].
+== Folsom changes ==
+=== rootwrap.conf ===
+You now need to provide /etc/nova/rootwrap.conf. It should be owned and writeable only by root. Example file is at etc/nova/rootwrap.conf in source code. It defines which directories filters will be loaded from. You can use one or multiple directories, but they must all exist, be owned and writeable only by the root user.
-== Option 1: --root_helper=sudo (default) ==
+=== nova.conf ===
-For this to work, you have to provide ''sudoers'' directives matching the commands that Nova needs:
+The root_helper parameter is deprecated in favor of the rootwrap_config parameter:
 <pre><nowiki>
-Cmnd_Alias NOVACMDS = /sbin/ifconfig,        \
+rootwrap_config=/etc/nova/rootwrap.conf
-                      /sbin/ip,              \
-                      ...
-                      /usr/sbin/dnsmasq      \
-                      /sbin/kpartx
-nova ALL = (root) NOPASSWD: SETENV: NOVACMDS
 </nowiki></pre>
-These directives (or a ''sudoers.d/'' file containing them) should be installed on all Nova nodes, though you also have the option to split the commands allowed based on the type of node requiring them.
+If you still want to use root_helper, it now needs to include the configuration file:
-Note that this option forces you to maintain the commands in the ''sudoers'' file in packaging, which is a bit daunting and brittle. To avoid that, continue reading.
-== Option 2: --root_helper=sudo nova-rootwrap ==
+<pre><nowiki>
+root_helper=sudo nova-rootwrap /etc/nova/rootwrap.conf
+</nowiki></pre>
-Starting with Essex-2, a more secure option is available, allowing more precise control over the commands and arguments used. It is also more maintainable, since the commands are maintained in Nova code instead of in the packaging.
-It's a bit more tricky to set up. First you need to ship ''/usr/bin/nova-rootwrap'' and a ''nova.conf'' file with the following option:
+=== sudoers ===
+The sudoers entry needs to point to the configuration file and allow extra parameters:
 <pre><nowiki>
---root_helper=sudo nova-rootwrap
+nova ALL = (root) NOPASSWD: /usr/bin/nova-rootwrap /etc/nova/rootwrap.conf *
 </nowiki></pre>
-The ''sudoers'' directives are static and simplified to:
+=== No more Python filter definitions ===
+We removed nova/rootwrap/{compute,network,volume}.py, so they don't need to be shipped anymore.
-<pre><nowiki>
+=== New filters definitions files ===
-nova ALL = (root) NOPASSWD: /usr/bin/nova-rootwrap
-</nowiki></pre>
-You should make sure setenv is not set, to disallow the nova user to preserve the environment.
+We added etc/nova/rootwrap.d/{compute,network,volume}.filters, so they need to be shipped instead.
-Finally, with this option, commands are defined in filter files (in Python) which need to be shipped only with the type of node they affect. So:
+You should still ship them only with the type of node they affect. So:
-* ''nova/rootwrap/compute.py'' should only be included in the ''nova-compute'' node package
+* ''compute.filters'' should only be included in the ''nova-compute'' node package
-* ''nova/rootwrap/network.py'' should only be included in the ''nova-network'' node package
+* ''network.filters'' should only be included in the ''nova-network'' node package
-* ''nova/rootwrap/volume.py'' should only be included in the ''nova-volume'' node package
+* ''volume.filters'' should only be included in the ''nova-volume'' node package
-This allows to limit ''root'' commands only to nodes needing them, rather than to the ''nova'' user.
+They should be included in one (or the only) directory defined in rootwrap.conf. They should be owned and only writeable by root.

Difference between revisions of "Packager/Rootwrap"