
If the zun-compute process is owned by a user who doesn't have passwordless sudo privilege, zun-compute will fail to run privileged commands (e.g. sudo privsep-helper ...). A native solution is to grant passwordless sudo to the user who owns the zun process, but the best practice is to leverage Rootwrap [1], which can restrict the privilege escalation. This patch makes Zun leverage Rootwrap. In particular, it does the following:

* Set up Rootwrap in the Zun devstack plugin
* Introduce a sample rootwrap config file
* Introduce sample rootwrap filters for executing privsep-helper
* Introduce a root helper which basically adds "sudo zun-rootwrap" to the beginning of the command to be executed.
* Initialize privsep to use Zun's root helper

[1] https://wiki.openstack.org/wiki/Rootwrap

Closes-Bug: #1749342
Needed-By: I69c47d25fa53f8e08efad9daa71d2f550425a5e7
Change-Id: I3ca5d853588b3705cb6cb2410df16e16a621c030
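
The commit message above describes a root helper that prefixes commands with "sudo zun-rootwrap" and filters that permit only privsep-helper. The sketch below is an added example, not code from the Zun patch or from oslo.rootwrap: it models that allow-list decision in simplified form, and the config path, filter patterns, function names and sample commands are all assumptions constructed for illustration.

```python
import re
import shlex

# Assumed location for illustration; the page does not give the config path.
ROOTWRAP_CONF = "/etc/zun/rootwrap.conf"

def get_root_helper():
    """Hypothetical root helper: the prefix that routes a command via rootwrap."""
    return "sudo zun-rootwrap " + ROOTWRAP_CONF

# Constructed filter in the style of a rootwrap regular-expression filter:
# one pattern per argument, and every argument must match in full.
PRIVSEP_FILTER = [
    r"privsep-helper",
    r"--config-file", r"/etc/zun/[\w-]+\.conf",
    r"--privsep_context", r"[\w.]+",
    r"--privsep_sock_path", r"/tmp/[^/]+/privsep\.sock",
]

def regexp_filter_match(patterns, userargs):
    """Allow only if the argument count and every single argument match."""
    if len(patterns) != len(userargs):
        return False
    return all(re.fullmatch(p, a) for p, a in zip(patterns, userargs))

def wrapper_decision(full_command):
    """Model the wrapper's view once sudo has started it: strip the helper
    prefix, then check the remaining argv against the allow-list."""
    argv = shlex.split(full_command)
    helper = shlex.split(get_root_helper())
    if argv[:len(helper)] != helper:
        return "not-wrapped"  # plain sudo; needs a broader sudoers grant
    rest = argv[len(helper):]
    return "allow" if regexp_filter_match(PRIVSEP_FILTER, rest) else "deny"

if __name__ == "__main__":
    # Constructed sample commands.
    samples = [
        "privsep-helper --config-file /etc/zun/zun.conf --privsep_context "
        "example.privileged.default --privsep_sock_path /tmp/tmpab12/privsep.sock",
        "cat /etc/shadow",
    ]
    for cmd in samples:
        print(wrapper_decision(get_root_helper() + " " + cmd), "<-", cmd)
```

With this arrangement the sudoers grant only has to cover the wrapper itself, and anything outside the filter is refused even though the service user can invoke sudo.
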
Team and repository tags
Zun
OpenStack Containers service
Zun (ex. Higgins) is the OpenStack Containers service. It aims to provide an API service for running application containers without the need to manage servers or clusters.
- Free software: Apache license
- Get Started: https://docs.openstack.org/zun/latest/contributor/quickstart.html
- Documentation: https://docs.openstack.org/zun/latest/
- Source: https://git.openstack.org/cgit/openstack/zun
- Bugs: https://bugs.launchpad.net/zun
- Blueprints: https://blueprints.launchpad.net/zun
- REST Client: https://git.openstack.org/cgit/openstack/python-zunclient
Features
- TODO
Languages: Python 99.3%, Shell 0.7%