d412de7100
If the zun-compute process is owned by a user who doesn't have passwordless sudo privilege, zun-compute will fail to run privileged command (e.g. sudo privsep-helper ...). A native solution is to grant passwordless sudo to the user who owns the zun process, but the best practice is to leverage Rootwrap [1], which can restrict the privilege escalation. This patch make Zun leverage Rootwrap. In particular, it does the following: * Setup Rootwrap in the Zun devstack plugin * Introduce a sample rootwrap config file * Introduce sample rootwrap filters for executing privsep-helper * Introduce a root helper which basically adds "sudo zun-rootwrap" to the beginning of the command to be execute. * Initialize privsep to use the Zun's root helper [1] https://wiki.openstack.org/wiki/Rootwrap Closes-Bug: #1749342 Needed-By: I69c47d25fa53f8e08efad9daa71d2f550425a5e7 Change-Id: I3ca5d853588b3705cb6cb2410df16e16a621c030
92 lines
2.2 KiB
INI
92 lines
2.2 KiB
INI
[metadata]
|
|
name = zun
|
|
summary = OpenStack Containers service
|
|
description-file =
|
|
README.rst
|
|
author = OpenStack
|
|
author-email = openstack-dev@lists.openstack.org
|
|
home-page = https://docs.openstack.org/zun/latest/
|
|
classifier =
|
|
Environment :: OpenStack
|
|
Intended Audience :: Information Technology
|
|
Intended Audience :: System Administrators
|
|
License :: OSI Approved :: Apache Software License
|
|
Operating System :: POSIX :: Linux
|
|
Programming Language :: Python
|
|
Programming Language :: Python :: 2
|
|
Programming Language :: Python :: 2.7
|
|
Programming Language :: Python :: 3
|
|
Programming Language :: Python :: 3.5
|
|
|
|
[files]
|
|
data_files =
|
|
etc/zun =
|
|
etc/zun/api-paste.ini
|
|
packages =
|
|
zun
|
|
|
|
[build_sphinx]
|
|
source-dir = doc/source
|
|
build-dir = doc/build
|
|
all_files = 1
|
|
warning-is-error = 1
|
|
|
|
[upload_sphinx]
|
|
upload-dir = doc/build/html
|
|
|
|
[compile_catalog]
|
|
directory = zun/locale
|
|
domain = zun
|
|
|
|
[update_catalog]
|
|
domain = zun
|
|
output_dir = zun/locale
|
|
input_file = zun/locale/zun.pot
|
|
|
|
[extract_messages]
|
|
keywords = _ gettext ngettext l_ lazy_gettext
|
|
mapping_file = babel.cfg
|
|
output_file = zun/locale/zun.pot
|
|
|
|
[entry_points]
|
|
console_scripts =
|
|
zun-api = zun.cmd.api:main
|
|
zun-compute = zun.cmd.compute:main
|
|
zun-db-manage = zun.cmd.db_manage:main
|
|
zun-wsproxy = zun.cmd.wsproxy:main
|
|
zun-rootwrap = oslo_rootwrap.cmd:main
|
|
wsgi_scripts =
|
|
zun-api-wsgi = zun.api.wsgi:init_application
|
|
|
|
oslo.config.opts =
|
|
zun = zun.opts:list_opts
|
|
zun.conf = zun.conf.opts:list_opts
|
|
|
|
oslo.config.opts.defaults =
|
|
zun = zun.common.config:set_cors_middleware_defaults
|
|
|
|
oslo.policy.policies =
|
|
zun = zun.common.policies:list_rules
|
|
|
|
zun.database.migration_backend =
|
|
sqlalchemy = zun.db.sqlalchemy.migration
|
|
|
|
zun.scheduler.driver =
|
|
chance_scheduler = zun.scheduler.chance_scheduler:ChanceScheduler
|
|
fake_scheduler = zun.tests.unit.scheduler.fakes:FakeScheduler
|
|
filter_scheduler = zun.scheduler.filter_scheduler:FilterScheduler
|
|
|
|
zun.image.driver =
|
|
glance = zun.image.glance.driver:GlanceDriver
|
|
docker = zun.image.docker.driver:DockerDriver
|
|
|
|
zun.network.driver =
|
|
kuryr = zun.network.kuryr_network:KuryrNetwork
|
|
|
|
zun.volume.driver =
|
|
cinder = zun.volume.driver:Cinder
|
|
|
|
[extras]
|
|
osprofiler =
|
|
osprofiler>=1.4.0 # Apache-2.0
|