
Difference between revisions of "Packager/Rootwrap"

m (Text replace - "__NOTOC__" to "")
 

Latest revision as of 23:31, 17 February 2013

Packaging tips: the Nova root helper

For general information, see Nova/Rootwrap#Rootwrap_for_packagers.

Folsom changes

rootwrap.conf

You now need to provide /etc/nova/rootwrap.conf. It should be owned and writeable only by root. An example file is at etc/nova/rootwrap.conf in the source code. It defines which directories filters will be loaded from. You can use one or multiple directories, but they must all exist and be owned and writeable only by the root user.

nova.conf

The root_helper parameter is deprecated in favor of the rootwrap_config parameter:


rootwrap_config=/etc/nova/rootwrap.conf


If you still want to use root_helper, it now needs to include the configuration file:


root_helper=sudo nova-rootwrap /etc/nova/rootwrap.conf


sudoers

The sudoers entry needs to point to the configuration file and allow extra parameters:


nova ALL = (root) NOPASSWD: /usr/bin/nova-rootwrap /etc/nova/rootwrap.conf *


No more Python filter definitions

We removed nova/rootwrap/{compute,network,volume}.py, so they don't need to be shipped anymore.

New filter definition files

We added etc/nova/rootwrap.d/{compute,network,volume}.filters, so they need to be shipped instead.

You should still ship them only with the type of node they affect. So:

  • compute.filters should only be included in the nova-compute node package
  • network.filters should only be included in the nova-network node package
  • volume.filters should only be included in the nova-volume node package

They should be installed in one of the directories (or the only directory) defined in rootwrap.conf. They should be owned and writeable only by root.
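
A post-install check for the ownership and permission requirements above, added here as an example (it is not part of Nova or of the original page). It assumes the filter directories are listed comma-separated under a filters_path key in the [DEFAULT] section of rootwrap.conf; the function names and the owner_uid parameter are hypothetical.

```python
import configparser
import os
import stat


def audit_path(path, owner_uid=0):
    """Return the problems found for one file or directory (empty list if none)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: does not exist"]
    problems = []
    if st.st_uid != owner_uid:
        problems.append(f"{path}: owned by uid {st.st_uid}, expected {owner_uid}")
    # "Writeable only by root" means no group or world write bit.
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"{path}: writeable by group or other")
    return problems


def audit_rootwrap(conf_path="/etc/nova/rootwrap.conf", owner_uid=0):
    """Check rootwrap.conf, every filter directory it names, and their files."""
    problems = audit_path(conf_path, owner_uid)
    if not os.path.isfile(conf_path):
        return problems
    parser = configparser.RawConfigParser()
    parser.read(conf_path)
    # Assumption: directories are listed comma-separated in [DEFAULT] filters_path.
    raw = parser.get("DEFAULT", "filters_path", fallback="")
    dirs = [d.strip() for d in raw.split(",") if d.strip()]
    if not dirs:
        problems.append(f"{conf_path}: no filter directories defined")
    for d in dirs:
        problems += audit_path(d, owner_uid)  # reports missing directories too
        if os.path.isdir(d):
            for name in sorted(os.listdir(d)):
                problems += audit_path(os.path.join(d, name), owner_uid)
    return problems


if __name__ == "__main__":
    for line in audit_rootwrap():
        print(line)
```

An empty result means the configuration file, the filter directories and the filter files all meet the requirements; run it in the package's test stage or after installation on a node.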