Commit Graph

6 Commits

Author SHA1 Message Date
Angus Lees dbf77fba10 Trivial rootwrap -> privsep replacement
This change replaces all uses of rootwrap with a trivial privsep-based
equivalent.  This replacement simply executes commands as the privsep
user *without any additional checks*.

There are 2 reasons why this is a reasonable thing to do:

1. We don't have a good workflow for merging rootwrap filter changes
   into parent projects (nova/cinder) for a loosely-coupled library like
   os-brick.

2. The previous situation was also insecure.  The os-brick.filters
   rootwrap config permitted commands like "dd" and "cp" with any
   arguments, as root.  This would have posed only a mild inconvenience
   to an attacker.  With privsep we can at least (in principle) limit
   the commands to the privsep uid/gid and Linux
   capabilities (CAP_SYS_ADMIN by default with this change).

This change addresses the urgency of (1).   Later refactors will take
greater advantage of privsep to address (2).

Change-Id: I0af542eba97d2f89b1c283bf1e1e985d9690f5de
Depends-On: I90dc41bc77993bd83b80c92286e015e14f290b45
 # nova: nova.conf: Set privsep_rootwrap.helper_command
Depends-On: I4e333e73ddfd45c045b9d32dac1506fc25858c4d
 # nova: Add os-brick rootwrap filter for privsep
Depends-On: I8a0b1728cc66c4861f69623b1b16b1f759b57b25
 # cinder: cinder.conf: Set privsep_rootwrap.helper_command
Depends-On: I3b2e337321875cf4abc0ab9b44fe17cf9327d88b
 # cinder: Add os-brick rootwrap filter for privsep
Depends-On: I4299c2fc059807610f83e12a2d470e020930c64c
 # privsep: Switch to msgpack for serialization
Depends-On: Ied1ef4fc945e18516b39d1f20d58425cb633dc74
 # requirements: require oslo.privsep>=1.5.0 for msgpack fix
2016-04-15 15:29:25 +00:00
Walter A. Boring IV d3b9696f0d os-brick add cinder local_dev lvm code
This patch adds the local LVM control code from Cinder into os-brick.
Nova has its own copy of code that does basically the same thing.
This patch is the first step to migrating both Cinder and Nova to using
the same exact code for managing local lvm volume groups and volumes.
This is NOT a replacement for the Cinder lvm volume driver, but the
low level lvm management code.

Change-Id: I80a1ac859b9f3aa50262a8d0db750a00cb3e2dc4
implements blueprint: local-dev-lvm-to-os-brick
2016-01-12 08:17:31 -08:00
Philipp Reisner ebce3c376c DRBD connector class
Our DRBD block storage driver for Cinder can be used to make
Nova directly connect to the DRBD 9 storage servers, instead
of needing an iSCSI hop.

Blueprint: https://blueprints.launchpad.net/cinder/+spec/drbd-transport

Please see
  http://drbd.linbit.com/users-guide-9.0/s-openstack-transport-protocol.html
for more details

Change-Id: I7c02850ba1e9626b99a295c72175815b3dd1bdf3
2015-12-16 11:58:44 +01:00
Earle F. Philhower, III 87e8f36293 Fix typo in vgc-cluster command in rootwrap file
Trivial fix to change the "vg*s*-cluster" to the correct "vgc-cluster"
required for the HGST cluster management software.

Change-Id: I1510986a321f60fd5588fea7613dc2a4ba11430d
Closes-Bug: 1498625
2015-09-22 12:06:03 -07:00
Walter A. Boring IV 3ea86f7d60 FC Stop calling multipath command line
This patch changes how we discover Multipath devices for
FibreChannel volume attaches.

Running multipath -l <device> can become slower and slower
as more and more volumes are attached to a host.  To overcome this,
there are ways of discovering multipath device paths without
using the multipath -l command at all.

When multipath daemon is running, and it discovers new volumes,
it will create new device paths for the multipath device associated
with that new volume.   Those multipath device paths are predictable
and show up after the multipath device is created.  This avoids
the repeated looping calls to multipath -l to discover the same paths.

SCSI volumes have a WWN that's supposed to be in page 0x83 on the volume
itself according to the SCSI SPC-3 spec.  That WWN is where the multipath
daemon gets its multipath ID from and what is used to create the predictable
multipath device paths on the system.

When multipath friendly names are disabled, you get paths of
 /dev/disk/by-id/dm-uuid-mpath-<WWN>
 /dev/disk/by-id/scsi-<WWN>
 /dev/mapper/<WWN>

When multipath friendly names are enabled, you get paths of
 /dev/disk/by-id/dm-uuid-mpath-<WWN>
 /dev/disk/by-id/dm-name-mpath<N>
 /dev/disk/by-id/scsi-mpath<N>
 /dev/mapper/mpath<N>

This patch does 3 different attempts to find a multipath device path to
use.

First it looks in the common location of:
 /dev/disk/by-id/dm-uuid-mpath-<WWN>

Then in the non friendly name path of:
 /dev/mapper/<WWN>

And lastly using the fallback of calling multipath -l <device> to get:
 /dev/mapper/mpath<N>

Partial-Bug: 1487169
Change-Id: I9a9fffcb6882b1c2750b1e7927475093bde36d04
2015-08-27 16:55:36 +00:00
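The three-step lookup this commit describes, written out as an added Python example (not os-brick's own connector code). The WWN and the `multipath -l` output below are constructed samples, and the `exists`/`run_multipath` hooks are assumptions made so the order of the three attempts can be checked without real devices.

```python
import os
import subprocess

# Constructed sample WWN for the examples below (not a real device).
SAMPLE_WWN = '360014051234567890abcdef000000001'


def parse_multipath_name(output):
    """Return the map name from the first non-empty line of `multipath -l`.

    With user_friendly_names the line reads 'mpathN (<WWN>) dm-N vendor,product';
    without it reads '<WWN> dm-N vendor,product'. Either way the map name is
    the first whitespace-separated token.
    """
    for line in output.splitlines():
        line = line.strip()
        if line:
            return line.split()[0]
    return None


def run_multipath_l(device):
    """Fallback used on a real host: run `multipath -l <device>` (needs root
    or a privsep/rootwrap helper) and return its stdout as text."""
    out = subprocess.check_output(['multipath', '-l', device])
    return out.decode('utf-8', 'replace')


def find_multipath_device_path(wwn, device, exists=os.path.exists,
                               run_multipath=run_multipath_l):
    """Locate the multipath device path for a SCSI volume, in the order the
    commit describes: predictable udev symlink, then the non-friendly-name
    mapper node, then the slow `multipath -l` fallback.
    `exists` and `run_multipath` are injectable for testing (an assumption).
    """
    # 1. Common location, created whether or not friendly names are enabled.
    candidate = '/dev/disk/by-id/dm-uuid-mpath-%s' % wwn
    if exists(candidate):
        return candidate
    # 2. Non-friendly-name mapper node.
    candidate = '/dev/mapper/%s' % wwn
    if exists(candidate):
        return candidate
    # 3. Last resort: ask multipathd, which gets slower as more volumes attach.
    name = parse_multipath_name(run_multipath(device) or '')
    if name:
        return '/dev/mapper/%s' % name
    return None
```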
Walter A. Boring IV c16abad3d8 Add rootwrap filters
This patch adds os-brick's list of rootwrap filters for commands
that are needed to execute.   The filters are a self-contained entire
list of expected filters that os-brick needs to run.  It's expected that
this filter file is added to any rootwrap enabled service that needs to use
os-brick.

Devstack associated patch: https://review.openstack.org/#/c/207677/

Partial-Bug: #1479842
UpgradeImpact:  Need to place the os-brick.filters file in service's
                rootwrap.d directory to enable filters.

Change-Id: I2b1e657b87c7b27548200a20b991f34c3413c24b
2015-08-25 16:29:07 -07:00