The root wrapper enables an unprivileged user to run a number of Compute actions as the
root user in the safest manner possible. Historically, Compute used a specific
sudoers
file that listed every command that the Compute user was
allowed to run, and used sudo to run that command as
root
. However this was difficult to maintain (the
sudoers
file was in packaging), and did not enable complex
filtering of parameters (advanced filters). The rootwrap was designed to solve those
issues.
Instead of calling sudo make me a sandwich, Compute services start with a nova-rootwrap call; for example, sudo nova-rootwrap /etc/nova/rootwrap.conf make me a sandwich. A generic sudoers entry lets the Compute user run nova-rootwrap as root. The nova-rootwrap code looks for filter definition directories in its configuration file, and loads command filters from them. Then it checks if the command requested by Compute matches one of those filters, in which case it executes the command (as root). If no filter matches, it denies the request.
Note | |
---|---|
To use nova-rootwrap, you must be aware of the issues with using NFS and
root-owned files. The NFS share must be configured with the
|
The escalation path is fully controlled by the root user. A sudoers entry (owned by
root) allows Compute to run (as root) a specific rootwrap executable, and only with a
specific configuration file (which should be owned by root).
nova-rootwrap imports the Python modules it needs from a cleaned
(and system-default) PYTHONPATH
. The configuration file (also
root-owned) points to root-owned filter definition directories, which contain root-owned
filters definition files. This chain ensures that the Compute user itself is not in
control of the configuration or modules used by the nova-rootwrap
executable.
You configure nova-rootwrap in the
rootwrap.conf
file. Because it's in the trusted security path,
it must be owned and writable by only the root user. The file's location is specified
both in the sudoers entry and in the nova.conf
configuration file
with the rootwrap_config=entry
.
The rootwrap.conf
file uses an INI file format with these
sections and parameters:
Configuration option=Default value |
(Type) Description |
[DEFAULT] filters_path=/etc/nova/rootwrap.d,/usr/share/nova/rootwrap |
(ListOpt) Comma-separated list of directories containing filter definition files. Defines where filters for root wrap are stored. Directories defined on this line should all exist, be owned and writable only by the root user. |
Filters definition files contain lists of filters that
nova-rootwrap will use to allow or deny a specific command. They
are generally suffixed by .filters. Since they are in the trusted security path, they
need to be owned and writable only by the root user. Their location is specified in the
rootwrap.conf
file.
Filter definition files use an INI file format with a [Filters] section and several lines, each with a unique parameter name (different for each filter that you define):
Configuration option=Default value |
(Type) Description |
[Filters] filter_name=kpartx: CommandFilter, /sbin/kpartx, root |
(ListOpt) Comma-separated list containing first the Filter class to use, followed by that Filter arguments (which vary depending on the Filter class selected). |