Packager/Rootwrap

Revision as of 14:29, 25 June 2012 by ThierryCarrez (talk)

Packaging tips: the Nova root helper

For general information, see Nova/Rootwrap#Rootwrap_for_packagers.

Folsom changes

rootwrap.conf

You now need to provide /etc/nova/rootwrap.conf. It should be owned by root and writeable only by root. An example file is at etc/nova/rootwrap.conf in the source code. It defines the directories that filters are loaded from. You can use one or several directories, but they must all exist and be owned and writeable only by the root user. Anyone who can modify this file or those directories controls which commands the nova user may run as root.

nova.conf

The root_helper option now needs to include the path to the configuration file:


root_helper=sudo nova-rootwrap /etc/nova/rootwrap.conf


sudoers

The sudoers entry needs to point to the configuration file and allow extra parameters:


nova ALL = (root) NOPASSWD: /usr/bin/nova-rootwrap /etc/nova/rootwrap.conf *


No more Python filter definitions

We removed nova/rootwrap/{compute,network,volume}.py, so they don't need to be shipped anymore.

New filter definition files

We added etc/nova/rootwrap.d/{compute,network,volume}.filters, so they need to be shipped instead.

You should still ship them only with the type of node they affect. So:

  • compute.filters should only be included in the nova-compute node package
  • network.filters should only be included in the nova-network node package
  • volume.filters should only be included in the nova-volume node package

They should be installed in one of the directories (or the only directory) defined in rootwrap.conf. They should be owned and writeable only by root.
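
A packaging check for the ownership rules stated above for rootwrap.conf, the filter directories and the .filters files. This is an added example, not part of the original page or of Nova. It assumes the directories are listed comma-separated in a filters_path option under [DEFAULT]; audit_rootwrap and its owner_uid parameter are hypothetical names.

```python
import configparser
import os
import stat
import sys


def _problems(path, owner_uid):
    """Return ownership/mode problems for one path (symlinks are followed)."""
    try:
        st = os.stat(path)
    except OSError:
        return [f"{path}: missing or inaccessible"]
    found = []
    if st.st_uid != owner_uid:
        found.append(f"{path}: owned by uid {st.st_uid}, expected {owner_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        found.append(f"{path}: writeable by group or other")
    return found


def audit_rootwrap(conf_path, owner_uid=0):
    """Check rootwrap.conf, each filter directory and every file inside them.

    owner_uid is 0 (root) on a real system; it is a parameter only so the
    check can be exercised on a scratch tree (hypothetical helper).
    """
    problems = _problems(conf_path, owner_uid)
    parser = configparser.RawConfigParser()
    if not parser.read(conf_path):
        return problems
    # Assumption: directories are comma-separated in [DEFAULT] filters_path.
    raw = parser.get("DEFAULT", "filters_path", fallback="")
    dirs = [d.strip() for d in raw.split(",") if d.strip()]
    if not dirs:
        problems.append(f"{conf_path}: no filter directories defined")
    for d in dirs:
        problems += _problems(d, owner_uid)
        if os.path.isdir(d):
            for name in sorted(os.listdir(d)):
                problems += _problems(os.path.join(d, name), owner_uid)
        elif os.path.exists(d):
            problems.append(f"{d}: not a directory")
    return problems


if __name__ == "__main__":
    conf = sys.argv[1] if len(sys.argv) > 1 else "/etc/nova/rootwrap.conf"
    issues = audit_rootwrap(conf)
    print("\n".join(issues) or "OK")
    sys.exit(1 if issues else 0)
```

Run it as a post-install check on a packaged node; a non-zero exit status means at least one path violates the rules.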