Introduce rootwrap and filter

If the zun-compute process is owned by a user who doesn't have
passwordless sudo privilege, zun-compute will fail to run
privileged command (e.g. sudo privsep-helper ...).

A native solution is to grant passwordless sudo to the user
who owns the zun process, but the best practice is to leverage
Rootwrap [1], which can restrict the privilege escalation.

This patch make Zun leverage Rootwrap. In particular, it does
the following:
* Setup Rootwrap in the Zun devstack plugin
* Introduce a sample rootwrap config file
* Introduce sample rootwrap filters for executing privsep-helper
* Introduce a root helper which basically adds "sudo zun-rootwrap"
  to the beginning of the command to be execute.
* Initialize privsep to use the Zun's root helper

[1] https://wiki.openstack.org/wiki/Rootwrap

Closes-Bug: #1749342
Needed-By: I69c47d25fa53f8e08efad9daa71d2f550425a5e7
Change-Id: I3ca5d853588b3705cb6cb2410df16e16a621c030
(cherry picked from commit d412de7100)

devstack/lib/zun

@@ -112,6 +112,8 @@ function configure_zun {
         sudo chown $STACK_USER $ZUN_CONF_DIR
     fi
 
+    configure_rootwrap zun
+
     # Rebuild the config file from scratch
     create_zun_conf
 

etc/zun/rootwrap.conf

@@ -0,0 +1,27 @@
+# Configuration for zun-rootwrap
+# This file should be owned by (and only-writable by) the root user
+
+[DEFAULT]
+# List of directories to load filter definitions from (separated by ',').
+# These directories MUST all be only writable by root !
+filters_path=/etc/zun/rootwrap.d
+
+# List of directories to search executables in, in case filters do not
+# explicitely specify a full path (separated by ',')
+# If not specified, defaults to system PATH environment variable.
+# These directories MUST all be only writable by root !
+exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin
+
+# Enable logging to syslog
+# Default value is False
+use_syslog=False
+
+# Which syslog facility to use.
+# Valid values include auth, authpriv, syslog, local0, local1...
+# Default value is 'syslog'
+syslog_log_facility=syslog
+
+# Which messages to log.
+# INFO means log all usage
+# ERROR means only log unsuccessful attempts
+syslog_log_level=ERROR

etc/zun/rootwrap.d/zun.filters

@@ -0,0 +1,8 @@
+# zun command filters
+# This file should be owned by (and only-writeable by) the root user
+
+[Filters]
+# privileged/__init__.py: priv_context.PrivContext(default)
+# This line ties the superuser privs with the config files, context name,
+# and (implicitly) the actual python code invoked.
+privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.*

setup.cfg

@@ -54,6 +54,7 @@ console_scripts =
     zun-compute = zun.cmd.compute:main
     zun-db-manage = zun.cmd.db_manage:main
     zun-wsproxy = zun.cmd.wsproxy:main
+    zun-rootwrap = oslo_rootwrap.cmd:main
 wsgi_scripts =
     zun-api-wsgi = zun.api.wsgi:init_application
 

zun/cmd/compute.py

@@ -13,13 +13,16 @@
 #    under the License.
 
 import os
+import shlex
 import sys
 
 from oslo_log import log as logging
+from oslo_privsep import priv_context
 from oslo_service import service
 
 from zun.common import rpc_service
 from zun.common import service as zun_service
+from zun.common import utils
 from zun.compute import manager as compute_manager
 import zun.conf
 
@@ -28,6 +31,7 @@ LOG = logging.getLogger(__name__)
 
 
 def main():
+    priv_context.init(root_helper=shlex.split(utils.get_root_helper()))
     zun_service.prepare_service(sys.argv)
 
     LOG.info('Starting server in PID %s', os.getpid())

zun/common/utils.py

@@ -310,6 +310,10 @@ def custom_execute(*cmd, **kwargs):
                                      error=six.text_type(e))
 
 
+def get_root_helper():
+    return 'sudo zun-rootwrap %s' % CONF.rootwrap_config
+
+
 @privileged.default.entrypoint
 def execute_root(*cmd, **kwargs):
     # NOTE(kiennt): Set run_as_root=False because if it is set to True, the

zun/conf/__init__.py

@@ -33,6 +33,7 @@ from zun.conf import profiler
 from zun.conf import scheduler
 from zun.conf import services
 from zun.conf import ssl
+from zun.conf import utils
 from zun.conf import volume
 from zun.conf import websocket_proxy
 from zun.conf import zun_client
@@ -61,3 +62,4 @@ pci.register_opts(CONF)
 volume.register_opts(CONF)
 cinder_client.register_opts(CONF)
 netconf.register_opts(CONF)
+utils.register_opts(CONF)

zun/conf/utils.py

@@ -0,0 +1,31 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from oslo_config import cfg
+
+
+utils_opts = [
+    cfg.StrOpt('rootwrap_config',
+               default="/etc/zun/rootwrap.conf",
+               help='Path to the rootwrap configuration file to use for '
+                    'running commands as root.'),
+]
+
+
+def register_opts(conf):
+    conf.register_opts(utils_opts)
+
+
+def list_opts():
+    return {
+        "DEFAULT": utils_opts
+    }