Daniel P. Berrange wrote: > FWIW, if you've got libguestfs available, the file injection code does > not require any rootwrap usage. Ironically the config drive stuff now > does require root if you configure it to use FAT instead of ISO9660 :-(
My issue is that we enable a very permissive compute.filters just to care for the case where you use localfs-style injection. We generally hurt the security model to care for a specific less-secure deploy option. What we /could/ do is split compute.filters so that you have a specific filters file for localfs-style injection commands. Deployers would enable that specific file in the case they use localfs-style injection. It's tricky because you can't really trust nova to tell you which option it runs with, so you have to rely on deployers enabling the localfs-option to also enable that specific filters file, which is a bit of a configuration nightmare and very error-prone. Alternatively we could rip out localfs-style injection altogether. > I have a general desire to make it such that you can run with KVM and > Nova without requiring rootwrap for anything. last time I looked the > three general areas where we required root wrap were networking, storage > and file injection. My recent refactoring of file injection addressed > the latter by using libguestfs APIs instead of libguestfs FUSE. Networking > is mostly solved if using newest libvirt + Quantum instead of Nova's > own networking. Storage is something that cna be addressed by using > libvirt's storage APIs instead of running commands directly. That's my goal too. Ideally devs would think twice before adding any new run_as_root=True command. Every command we add lowers the security model around openstack. It's very easy to add one, and very difficult to remove one once it's in. -- Thierry Carrez (ttx) Release Manager, OpenStack _______________________________________________ Mailing list: https://launchpad.net/~openstack Post to : [email protected] Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
