Secure with rootwrap¶
Rootwrap allows unprivileged users to safely run Compute actions as the root user. Compute previously used sudo for this purpose, but this was difficult to maintain, and did not allow advanced filters. The rootwrap command replaces sudo for Compute.
To use rootwrap, prefix the Compute command with nova-rootwrap. For example:
$ sudo nova-rootwrap /etc/nova/rootwrap.conf command
A generic sudoers entry lets the Compute user run nova-rootwrap
as root. The nova-rootwrap code looks for filter definition
directories in its configuration file, and loads command filters from
them. It then checks if the command requested by Compute matches one of
those filters and, if so, executes the command (as root). If no filter
matches, it denies the request.
Note
Be aware of issues with using NFS and root-owned files. The NFS
share must be configured with the no_root_squash option enabled,
in order for rootwrap to work correctly.
Rootwrap is fully controlled by the root user. The root user owns the sudoers entry which allows Compute to run a specific rootwrap executable as root, and only with a specific configuration file (which should also be owned by root). The nova-rootwrap command imports the Python modules it needs from a cleaned, system-default PYTHONPATH. The root-owned configuration file points to root-owned filter definition directories, which contain root-owned filters definition files. This chain ensures that the Compute user itself is not in control of the configuration or modules used by the nova-rootwrap executable.
Configure rootwrap¶
Configure rootwrap in the rootwrap.conf file. Because
it is in the trusted security path, it must be owned and writable
by only the root user. The rootwrap_config=entry parameter
specifies the file’s location in the sudoers entry and in the
nova.conf configuration file.
The rootwrap.conf file uses an INI file format with these
sections and parameters:
| Configuration option=Default value | (Type) Description |
| [DEFAULT] filters_path=/etc/nova/rootwrap.d,/usr/share/nova/rootwrap | (ListOpt) Comma-separated list of directories containing filter definition files. Defines where rootwrap filters are stored. Directories defined on this line should all exist, and be owned and writable only by the root user. |
If the root wrapper is not performing correctly, you can add a
workaround option into the nova.conf configuration file. This
workaround re-configures the root wrapper configuration to fall back to
running commands as sudo, and is a Kilo release feature.
Including this workaround in your configuration file safeguards your environment from issues that can impair root wrapper performance. Tool changes that have impacted Python Build Reasonableness (PBR) for example, are a known issue that affects root wrapper performance.
To set up this workaround, configure the disable_rootwrap option in
the [workaround] section of the nova.conf configuration file.
The filters definition files contain lists of filters that rootwrap will
use to allow or deny a specific command. They are generally suffixed by
.filters . Since they are in the trusted security path, they need to
be owned and writable only by the root user. Their location is specified
in the rootwrap.conf file.
Filter definition files use an INI file format with a [Filters]
section and several lines, each with a unique parameter name, which
should be different for each filter you define:
| Configuration option=Default value | (Type) Description |
| [Filters] filter_name=kpartx: CommandFilter, /sbin/kpartx, root | (ListOpt) Comma-separated list containing the filter class to use, followed by the Filter arguments (which vary depending on the Filter class selected). |
Configure the rootwrap daemon¶
Administrators can use rootwrap daemon support instead of running
rootwrap with sudo. The rootwrap daemon reduces the
overhead and performance loss that results from running
oslo.rootwrap with sudo. Each call that needs rootwrap
privileges requires a new instance of rootwrap. The daemon
prevents overhead from the repeated calls. The daemon does not support
long running processes, however.
To enable the rootwrap daemon, set use_rootwrap_daemon to True
in the Compute service configuration file.
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.