Packaging tips: the Nova root helper

For general information, see Nova/Rootwrap#Rootwrap_for_packagers.

Folsom changes


You now need to provide /etc/nova/rootwrap.conf. It should be owned by root and writable only by root. An example file is at etc/nova/rootwrap.conf in the source code. It defines the directories that filters will be loaded from. You can use one or multiple directories, but they must all exist and be owned by, and writable only by, the root user.


The root_helper parameter is deprecated in favor of the rootwrap_config parameter:


If you still want to use root_helper, it now needs to include the configuration file:

root_helper=sudo nova-rootwrap /etc/nova/rootwrap.conf


The sudoers entry needs to point to the configuration file and allow extra parameters:

nova ALL = (root) NOPASSWD: /usr/bin/nova-rootwrap /etc/nova/rootwrap.conf *

No more Python filter definitions

We removed nova/rootwrap/{compute,network,volume}.py, so they don't need to be shipped anymore.

New filter definition files

We added etc/nova/rootwrap.d/{compute,network,volume}.filters, so they need to be shipped instead.

You should still ship them only with the type of node they affect. So:

  • compute.filters should only be included in the nova-compute node package
  • network.filters should only be included in the nova-network node package
  • volume.filters should only be included in the nova-volume node package

They should be installed in one of the directories (or the only directory) defined in rootwrap.conf. They should be owned by root and writable only by root.
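A packaging check for the ownership and permission requirements stated above for rootwrap.conf, the filter directories and the .filters files. This is an added example, not part of Nova. The function names are hypothetical, and it assumes the directory list is the comma-separated filters_path option under [DEFAULT], as in Nova's sample file. It inspects mode bits only, not ACLs, and the demo builds a constructed tree owned by the current user rather than root.

```python
import configparser
import glob
import os
import tempfile


def audit_path(path, owner_uid=0):
    """Return ownership/permission problems for one path (empty list = OK)."""
    try:
        st = os.stat(path)
    except OSError as exc:
        return [f"{path}: {exc.strerror}"]
    problems = []
    if st.st_uid != owner_uid:
        problems.append(f"{path}: owned by uid {st.st_uid}, expected {owner_uid}")
    if st.st_mode & 0o022:  # group or other write bit set
        problems.append(f"{path}: writable by group or others")
    return problems


def audit_rootwrap(conf_path, owner_uid=0):
    """Check rootwrap.conf, each filters_path directory and its *.filters files."""
    problems = audit_path(conf_path, owner_uid)
    cfg = configparser.RawConfigParser()
    cfg.read(conf_path)  # an unreadable file is skipped; reported above
    raw = cfg.get("DEFAULT", "filters_path", fallback="")
    dirs = [d.strip() for d in raw.split(",") if d.strip()]
    if not dirs:
        problems.append(f"{conf_path}: no filters_path directories defined")
    for d in dirs:
        problems += audit_path(d, owner_uid)
        for f in sorted(glob.glob(os.path.join(d, "*.filters"))):
            problems += audit_path(f, owner_uid)
    return problems


def demo():  # constructed sample tree, owned by the current user rather than root
    root = tempfile.mkdtemp()
    good = tempfile.mkdtemp(dir=root)  # created with mode 0700
    conf, filt = os.path.join(root, "rootwrap.conf"), os.path.join(good, "compute.filters")
    with open(conf, "w") as fh:
        fh.write(f"[DEFAULT]\nfilters_path={good},{root}/absent\n")
    open(filt, "w").close()
    os.chmod(conf, 0o644)
    os.chmod(filt, 0o664)  # deliberately group-writable
    return audit_rootwrap(conf, owner_uid=os.getuid())


if __name__ == "__main__":
    print("\n".join(demo()))
```

On an installed node, call audit_rootwrap("/etc/nova/rootwrap.conf") with the default owner_uid=0; an empty list means every checked path is root-owned and not group- or world-writable.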