From 1d447e69f9f898eeda6fc37c965baa905105a1cc Mon Sep 17 00:00:00 2001
From: Thierry Carrez
Date: Wed, 1 Aug 2012 14:44:28 +0200
Subject: Deprecate root_helper in favor of rootwrap_config Mark the root_helper option deprecated and introduce usage of the rootwrap_config option instead. The root_helper option will still fully be supported in Folsom, but will be removed in Grizzly. Transition notes: you should replace: root_helper=sudo nova-rootwrap /etc/nova/rootwrap.conf by: rootwrap_config=/etc/nova/rootwrap.conf Implements bp deprecate-root-helper Change-Id: I8dfc94e9b91f7ffc82d393b345f09409da347e78
---
 bin/nova-rootwrap | 2 +-
 nova/flags.py | 6 +++++-
 nova/utils.py | 14 ++++++++++++--
 3 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/bin/nova-rootwrap b/bin/nova-rootwrap
index 0fd44939c..b9827944c 100755
--- a/bin/nova-rootwrap
+++ b/bin/nova-rootwrap
@@ -21,7 +21,7 @@ Filters which commands nova is allowed to run as another user.
 To use this, you should set the following in nova.conf:
- root_helper=sudo nova-rootwrap /etc/nova/rootwrap.conf
+ rootwrap_config=/etc/nova/rootwrap.conf
 You also need to let the nova user run nova-rootwrap as root in sudoers:
 nova ALL = (root) NOPASSWD: /usr/bin/nova-rootwrap /etc/nova/rootwrap.conf *
diff --git a/nova/flags.py b/nova/flags.py
index 9c98bbdf4..588ecfe5f 100644
--- a/nova/flags.py
+++ b/nova/flags.py
@@ -339,7 +339,11 @@ global_opts = [
 'formatted with on creation.'),
 cfg.StrOpt('root_helper',
 default='sudo',
- help='Command prefix to use for running commands as root'),
+ help='Deprecated: command to use for running commands as root'),
+ cfg.StrOpt('rootwrap_config',
+ default=None,
+ help='Path to the rootwrap configuration file to use for '
+ 'running commands as root'),
 cfg.StrOpt('network_driver',
 default='nova.network.linux_net',
 help='Driver to use for network creation'),
diff --git a/nova/utils.py b/nova/utils.py
index e5b4fe2d2..b05e0956d 100644
--- a/nova/utils.py
+++ b/nova/utils.py
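Review bot: In the nova/flags.py hunk, neither help string tells an operator how the two options interact: `root_helper` is marked deprecated without naming its replacement, and `rootwrap_config` does not say that setting it takes precedence over `root_helper`, which is what the `execute()` change in nova/utils.py does. I would write the first as `help='Deprecated: command prefix for running commands as root; use rootwrap_config instead'`. For `rootwrap_config`, a help sentence or comment should note that the path has to be the one allowed by the sudoers entry shown in the bin/nova-rootwrap docstring. Since that file presumably selects which commands the service may run as root, it should be writable only by root, and the documentation is the place to say so.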
@@ -49,6 +49,7 @@ from eventlet import semaphore
 import lockfile
 import netaddr
+from nova.common import deprecated
 from nova import exception
 from nova import flags
 from nova.openstack.common import cfg
@@ -65,6 +66,12 @@ FLAGS.register_opt( cfg.BoolOpt('disable_process_locking', default=False, help='Whether to disable inter-process locks'))
+if FLAGS.rootwrap_config is None or FLAGS.root_helper != 'sudo':
+ deprecated.warn(_('The root_helper option (which lets you specify a '
+ 'root wrapper different from nova-rootwrap, and '
+ 'defaults to using sudo) is now deprecated. You '
+ 'should use the rootwrap_config option instead.'))
+
 def vpn_ping(address, port, timeout=0.05, session_id=None):
 """Sends a vpn negotiation packet and returns the server session.
@@ -118,7 +125,7 @@ def execute(*cmd, **kwargs):
 """Helper method to execute command with optional retry.
 If you add a run_as_root=True command, don't forget to add the
- corresponding filter to nova.rootwrap !
+ corresponding filter to etc/nova/rootwrap.d !
 :param cmd: Passed to subprocess.Popen.
 :param process_input: Send to opened process.
@@ -159,7 +166,10 @@ def execute(*cmd, **kwargs):
 'to utils.execute: %r') % kwargs)
 if run_as_root:
- cmd = shlex.split(FLAGS.root_helper) + list(cmd)
+ if (FLAGS.rootwrap_config is not None):
+ cmd = ['sudo', 'nova-rootwrap', FLAGS.rootwrap_config] + list(cmd)
+ else:
+ cmd = shlex.split(FLAGS.root_helper) + list(cmd)
 cmd = map(str, cmd)
 while attempts > 0:
-- cgit
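Review bot: The deprecation check added after `FLAGS.register_opt(...)` sits at module level, so `FLAGS.rootwrap_config` and `FLAGS.root_helper` are read when nova/utils.py is first imported. If the config file and command line have not been parsed by then (not visible in this hunk), the test sees the defaults and warns even on deployments that do set `rootwrap_config`. Moving the `if ...: deprecated.warn(...)` into the `run_as_root` branch of `execute()` would evaluate it against the loaded configuration. The `or` also means a deployment that sets both options gets the warning while `execute()` silently ignores its `root_helper`; the message could say that `rootwrap_config` wins.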
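Review bot: In the `run_as_root` branch of `execute()`, the new prefix `['sudo', 'nova-rootwrap', FLAGS.rootwrap_config]` is coupled to the sudoers entry documented in bin/nova-rootwrap, which allows only `/usr/bin/nova-rootwrap /etc/nova/rootwrap.conf *`. A `rootwrap_config` value other than that exact path, or a `nova-rootwrap` that resolves elsewhere on PATH, will not match the NOPASSWD rule, so sudo would be expected to ask for a password or refuse. A comment above the list, for example `# path and config file must match the sudoers entry for nova-rootwrap`, would make that visible. The `else` branch still runs `shlex.split(FLAGS.root_helper)`, whose default is plain `sudo` with no command filtering, so an unset `rootwrap_config` keeps the unfiltered behaviour, with the deprecation warning as the only signal. The parentheses in `if (FLAGS.rootwrap_config is not None):` are redundant, and execute() starts and ends outside the hunk.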