authorJenkins <jenkins@review.openstack.org>2012-08-02 15:58:42 +0000
committerGerrit Code Review <review@openstack.org>2012-08-02 15:58:42 +0000
commit8583ce6bc0a6184c7f866bfd1ebfa7443da4b5f6 (patch)
tree0f697adb272d891e1fe300e7706bd6c7c74233ee
parent40a1965d11e2c5a21f5789cfb337243a3a3957b4 (diff)
parent1d447e69f9f898eeda6fc37c965baa905105a1cc (diff)
Merge "Deprecate root_helper in favor of rootwrap_config"
-rwxr-xr-xbin/nova-rootwrap2
-rw-r--r--nova/flags.py6
-rw-r--r--nova/utils.py14
3 files changed, 18 insertions, 4 deletions
diff --git a/bin/nova-rootwrap b/bin/nova-rootwrap
index 0fd44939c..b9827944c 100755
--- a/bin/nova-rootwrap
+++ b/bin/nova-rootwrap
@@ -21,7 +21,7 @@
Filters which commands nova is allowed to run as another user.
To use this, you should set the following in nova.conf:
- root_helper=sudo nova-rootwrap /etc/nova/rootwrap.conf
+ rootwrap_config=/etc/nova/rootwrap.conf
You also need to let the nova user run nova-rootwrap as root in sudoers:
nova ALL = (root) NOPASSWD: /usr/bin/nova-rootwrap /etc/nova/rootwrap.conf *
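Review bot: The docstring now tells operators to set `rootwrap_config`, but it does not say that the value has to be the same path the sudoers rule below pins (`/etc/nova/rootwrap.conf`). Any other path falls outside the `NOPASSWD` entry, so sudo would not run the wrapper without a password. I would add a line after the new setting such as `(this path must match the one in the sudoers entry below)`. It would also help to note that the config file and the filters it points to should be writable only by root, since they decide which commands the nova user may run as root.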
diff --git a/nova/flags.py b/nova/flags.py
index 9c98bbdf4..588ecfe5f 100644
--- a/nova/flags.py
+++ b/nova/flags.py
@@ -339,7 +339,11 @@ global_opts = [
'formatted with on creation.'),
cfg.StrOpt('root_helper',
default='sudo',
- help='Command prefix to use for running commands as root'),
+ help='Deprecated: command to use for running commands as root'),
+ cfg.StrOpt('rootwrap_config',
+ default=None,
+ help='Path to the rootwrap configuration file to use for '
+ 'running commands as root'),
cfg.StrOpt('network_driver',
default='nova.network.linux_net',
help='Driver to use for network creation'),
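Review bot: With `rootwrap_config` defaulting to `None` and `root_helper` keeping its `'sudo'` default, an untouched nova.conf still runs every `run_as_root` command through plain sudo with no command filtering, and neither help string says so. The `root_helper` help should name its replacement, e.g. `help='Deprecated: use rootwrap_config instead. Command prefix for running commands as root'`. The `rootwrap_config` help should state that leaving it unset falls back to `root_helper`. The `global_opts` list starts and ends outside this hunk.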
diff --git a/nova/utils.py b/nova/utils.py
index e5b4fe2d2..b05e0956d 100644
--- a/nova/utils.py
+++ b/nova/utils.py
@@ -49,6 +49,7 @@ from eventlet import semaphore
import lockfile
import netaddr
+from nova.common import deprecated
from nova import exception
from nova import flags
from nova.openstack.common import cfg
@@ -65,6 +66,12 @@ FLAGS.register_opt(
cfg.BoolOpt('disable_process_locking', default=False,
help='Whether to disable inter-process locks'))
+if FLAGS.rootwrap_config is None or FLAGS.root_helper != 'sudo':
+ deprecated.warn(_('The root_helper option (which lets you specify a '
+ 'root wrapper different from nova-rootwrap, and '
+ 'defaults to using sudo) is now deprecated. You '
+ 'should use the rootwrap_config option instead.'))
+
def vpn_ping(address, port, timeout=0.05, session_id=None):
"""Sends a vpn negotiation packet and returns the server session.
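Review bot: The new module-level `if` reads `FLAGS.rootwrap_config` and `FLAGS.root_helper` while nova.utils is being imported, which is likely before nova.conf and the command line have been parsed. If so, the test only ever sees the defaults (`None` and `'sudo'`) and the warning fires on every import, including for deployments that did set `rootwrap_config`. Emitting the warning from the `else:` branch in `execute()`, where `FLAGS.root_helper` is actually used, would tie it to the parsed values and to real use of the deprecated path. The message could also say what an operator gives up by staying on `root_helper`, namely the rootwrap command filters. The hunk ends inside `vpn_ping`, whose body continues outside it.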
@@ -118,7 +125,7 @@ def execute(*cmd, **kwargs):
"""Helper method to execute command with optional retry.
If you add a run_as_root=True command, don't forget to add the
- corresponding filter to nova.rootwrap !
+ corresponding filter to etc/nova/rootwrap.d !
:param cmd: Passed to subprocess.Popen.
:param process_input: Send to opened process.
@@ -159,7 +166,10 @@ def execute(*cmd, **kwargs):
'to utils.execute: %r') % kwargs)
if run_as_root:
- cmd = shlex.split(FLAGS.root_helper) + list(cmd)
+ if (FLAGS.rootwrap_config is not None):
+ cmd = ['sudo', 'nova-rootwrap', FLAGS.rootwrap_config] + list(cmd)
+ else:
+ cmd = shlex.split(FLAGS.root_helper) + list(cmd)
cmd = map(str, cmd)
while attempts > 0:
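Review bot: The `is not None` test in the `run_as_root` branch accepts an empty value, so a nova.conf line like `rootwrap_config=` would presumably build `sudo nova-rootwrap '' <cmd>` instead of falling back. A truthiness test, `if FLAGS.rootwrap_config:`, covers both cases and drops the redundant parentheses. `nova-rootwrap` is also passed as a bare name while the documented sudoers rule pins `/usr/bin/nova-rootwrap`, so the match depends on how sudo resolves the name on the host. A short comment saying so would help operators who install under another prefix. `execute()` starts and ends outside this hunk.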