[PKG-Openstack-devel] Bug#887188: Bug#887188: nova-compute should depend on e2fsprogs explicitly
Thomas Goirand
zigo at debian.org
Thu Jan 25 08:56:38 UTC 2018
On 01/24/2018 11:46 PM, Andreas Henriksson wrote:
> Hello Thomas Goirand,
>
> On Wed, Jan 24, 2018 at 01:38:01PM +0100, Thomas Goirand wrote:
>> Andreas,
>>
>> rootwrap is just a wrapper around sudo to improve security. So in this
>> case, nova-compute really *is* using the above tools, and should depend
>> on e2fsprogs. I'll push a change with nova-common depending on it.
>
> As mentioned I spent very little time on trying to understand what
> rootwrap is, but it seemed to me like a rootwrap filter would be
> similar to having a /etc/sudoers rule that included eg. mke2fs.
> Ff that was the case the sudo package still would not depend on
> e2fsprogs.... (It would still be the program actually executing
> the command that sudoers gives you permission to run that needs the
> dependency.) .... but apparently spending 2 seconds is not enough to
> correctly understand rootwrap for me. :P
>
> I fully trust you have a much better understanding of this than me,
> so thanks for your swift feedback. Looking forward to seeing this fixed
> soon!
>
> Regards,
> Andreas Henriksson
Just let me explain then.
The nova-common package ships a sudoers.d file with this content:
nova ALL = (root) NOPASSWD: /usr/bin/nova-rootwrap /etc/nova/rootwrap.conf *
As you see, only nova-rootwrap can be called. rootwrap then has some
filters in rootwrap.conf to restrict the usage of itself in nova.
So indeed, everything which is listed in /etc/nova/rootwrap.conf is
actually used by nova.
Yes, rootwrap is a band-aid thing, and it's far from perfect. This is
the reason why we now have oslo.privsep, which uses a much nicer
mechanism. Hopefully, Nova will switch to that "soon".
Cheers,
Thomas Goirand (zigo)
More information about the Openstack-devel
mailing list