
Packager/Rootwrap

Revision as of 10:25, 9 December 2011 by ThierryCarrez (talk)

Packaging tips: the Nova root helper

Nova runs under an unprivileged user (typically called nova) and comes with a mechanism to run some commands as root. This mechanism needs packaging support to work properly.

Option 1: --root_helper=sudo (default)

For this to work, you have to provide sudoers directives matching the commands that Nova needs:


Cmnd_Alias NOVACMDS = /sbin/ifconfig,        \
                      /sbin/ip,              \
                      ...
                      /usr/sbin/dnsmasq,     \
                      /sbin/kpartx

nova ALL = (root) NOPASSWD: SETENV: NOVACMDS


These directives (or a sudoers.d/ file containing them) should be installed on all Nova nodes, though you also have the option to split the commands allowed based on the type of node requiring them.

Note that this option forces you to maintain the commands in the sudoers file in packaging, which is a bit daunting and brittle. To avoid that, continue reading.

Option 2: --root_helper=sudo nova-rootwrap

Starting with Essex-2, a more secure option is available, allowing more precise control over the commands and arguments used. It is also more maintainable, since the commands are maintained in Nova code instead of in the packaging.

It's a bit more tricky to set up. First you need to ship /usr/bin/nova-rootwrap and a nova.conf file with the following option:


--root_helper=sudo nova-rootwrap


The sudoers directives are static and simplified to:


nova ALL = (root) NOPASSWD: /usr/bin/nova-rootwrap


Finally, with this option, commands are defined in filter files (in Python) which need to be shipped only with the type of node they affect. So:

  • nova/rootwrap/compute.py should only be included in the nova-compute node package
  • nova/rootwrap/network.py should only be included in the nova-network node package
  • nova/rootwrap/volume.py should only be included in the nova-volume node package

This limits root commands to the nodes that need them, rather than granting them to the nova user as a whole.
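A simplified sketch of the filtering idea behind Option 2, added here as an illustration and not Nova's own rootwrap code: the `ArgFilter` class, the `FILTERS` table, `resolve` and the argument patterns are all assumptions made for this example. It shows how a per-node filter set can pin both the executable path and its arguments, where the sudoers alias in Option 1 only names the binary.

```python
import re


class ArgFilter:
    """One allowed root command: absolute executable plus a regex per argument."""

    def __init__(self, exec_path, *arg_patterns):
        self.exec_path = exec_path
        self.name = exec_path.rsplit("/", 1)[-1]
        self.arg_patterns = [re.compile(p) for p in arg_patterns]

    def match(self, argv):
        # Require the exact argument count and a full match on every argument,
        # so extra flags cannot be appended to an allowed command.
        if not argv or argv[0] != self.name:
            return False
        args = argv[1:]
        if len(args) != len(self.arg_patterns):
            return False
        return all(p.fullmatch(a) for p, a in zip(self.arg_patterns, args))

    def command(self, argv):
        # Always execute the pinned absolute path, never a PATH lookup.
        return [self.exec_path] + list(argv[1:])


# Constructed filter sets, one per node type, mirroring the per-package split.
FILTERS = {
    "compute": [ArgFilter("/sbin/kpartx", r"-[ad]", r"/dev/[a-z0-9/_-]+")],
    "network": [ArgFilter("/sbin/ip", r"link", r"show", r"[a-z0-9]+")],
}


def resolve(node_type, argv):
    """Return the command to run as root, or None if no filter allows it."""
    for f in FILTERS.get(node_type, []):
        if f.match(argv):
            return f.command(argv)
    return None


if __name__ == "__main__":
    for node, argv in [
        ("compute", ["kpartx", "-a", "/dev/nbd0"]),
        ("network", ["kpartx", "-a", "/dev/nbd0"]),  # filter not shipped on this node
        ("network", ["ip", "link", "show", "eth0"]),
        ("network", ["ip", "netns", "exec", "x"]),   # arguments not allowed
    ]:
        print(node, argv, "->", resolve(node, argv))
```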