d9098aab26
If the zun-compute process is owned by a user who doesn't have
passwordless sudo privilege, zun-compute will fail to run
privileged commands (e.g. sudo privsep-helper ...).
A naive solution is to grant passwordless sudo to the user
who owns the zun process, but the best practice is to leverage
Rootwrap [1], which can restrict the privilege escalation.
This patch makes Zun leverage Rootwrap. In particular, it does
the following:
* Set up Rootwrap in the Zun devstack plugin
* Introduce a sample rootwrap config file
* Introduce sample rootwrap filters for executing privsep-helper
* Introduce a root helper which basically adds "sudo zun-rootwrap"
to the beginning of the command to be executed.
* Initialize privsep to use Zun's root helper
[1] https://wiki.openstack.org/wiki/Rootwrap
Closes-Bug: #1749342
Needed-By: I69c47d25fa53f8e08efad9daa71d2f550425a5e7
Change-Id: I3ca5d853588b3705cb6cb2410df16e16a621c030
(cherry picked from commit
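As an added illustration (not code from this change, from Zun or from oslo.rootwrap), a simplified model of how rootwrap filters decide which commands the root helper may escalate, and why that is narrower than blanket passwordless sudo. The filter file is constructed here in oslo.rootwrap's RegExpFilter/CommandFilter syntax; the `zun.common.privileged.default` context name and the `/etc/zun/rootwrap.conf` path are assumptions.

```python
import configparser
import os
import re

# Constructed sample filter file modelled on oslo.rootwrap's syntax; it is
# not the filter file shipped with this change.
SAMPLE_FILTERS = r"""
[Filters]
# RegExpFilter: every argv element must fully match its pattern, so
# privsep-helper can only be started with a config under /etc (no '..'
# right after it) and with the approved privsep context.
privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, zun.common.privileged.default, --privsep_sock_path, /tmp/.*
# CommandFilter: matches on the executable name only, arguments unrestricted.
ls: CommandFilter, ls, root
"""


def parse_filters(text):
    """Parse [Filters] lines into (name, kind, exec_name, run_as, arg_patterns)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    filters = []
    for name, spec in cp.items("Filters"):
        parts = [p.strip() for p in spec.split(",")]
        kind, exec_name, run_as, arg_patterns = parts[0], parts[1], parts[2], parts[3:]
        filters.append((name, kind, exec_name, run_as, arg_patterns))
    return filters


def match_filter(filters, argv):
    """Return (filter_name, run_as) for the first filter admitting argv, else None.
    Anything no filter admits is refused instead of escalated."""
    for name, kind, exec_name, run_as, arg_patterns in filters:
        if not argv or os.path.basename(argv[0]) != exec_name:
            continue
        if kind == "CommandFilter":
            return name, run_as
        if kind == "RegExpFilter" and len(argv) == len(arg_patterns):
            if all(re.fullmatch(p, a) for p, a in zip(arg_patterns, argv)):
                return name, run_as
    return None


def with_root_helper(argv, rootwrap_conf="/etc/zun/rootwrap.conf"):
    """Prefix 'sudo zun-rootwrap <conf>' as the change's root helper does (conf path assumed)."""
    return ["sudo", "zun-rootwrap", rootwrap_conf] + list(argv)
```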
README.rst
Team and repository tags
Zun
OpenStack Containers service
Zun (ex. Higgins) is the OpenStack Containers service. It aims to provide an API service for running application containers without the need to manage servers or clusters.
- Free software: Apache license
- Get Started: https://docs.openstack.org/zun/latest/contributor/quickstart.html
- Documentation: https://docs.openstack.org/zun/latest/
- Source: https://git.openstack.org/cgit/openstack/zun
- Bugs: https://bugs.launchpad.net/zun
- Blueprints: https://blueprints.launchpad.net/zun
- REST Client: https://git.openstack.org/cgit/openstack/python-zunclient
Features
- TODO