[openstack-dev] [nova] [quantum] [cinder] Deprecating usage of root_helper="sudo"

Thomas, Duncan duncan.thomas at hp.com
Thu Aug 2 11:40:31 UTC 2012


The nice thing about switching back to "root_wrapper=sudo" is it allows me to hack code quickly, then get the details right later. If we are forcing the use of root_helper, then can we have some sort of permissive mode that I can turn on while I'm developing? I don't mind it coming with big, scary warnings, but having to figure out what commands I need in advance, or keep tweaking rules is a barrier to explorative coding...

-- 
Duncan Thomas
HP Cloud Services, Galway

> -----Original Message-----
> From: Daniel P. Berrange [mailto:berrange at redhat.com]
> Sent: 27 July 2012 14:19
> To: OpenStack Development Mailing List
> Subject: Re: [openstack-dev] [nova] [quantum] [cinder] Deprecating
> usage of root_helper="sudo"
> 
> On Fri, Jul 27, 2012 at 03:08:25PM +0200, Thierry Carrez wrote:
> > Hi everyone,
> >
> > Originally introduced in Essex, the rootwrap is now used in 3 core
> > projects (it will soon be proposed to openstack-common to avoid this
> > code duplication). But now that its usage is widespread it might be
> time
> > to deprecate the possibility to just run "sudo" instead.
> >
> > Currently you can use root_helper=sudo, together with a proper
> sudoers
> > file allowing all necessary commands, as an alternative to using the
> > rootwrap. Since the root_helper is called with the shell command to
> > execute as root, it just works.
> >
> > However this prevents rootwrap to grow smarter features, like the
> > ability to run snippets of Python code instead of shelling out. To
> > support that, we need to stop supporting running pure "sudo" as the
> > root_helper.
> >
> > For Folsom, we could mark usage of root_helper as deprecated (but
> > obviously still support it) so that we can get rid of it during
> Grizzly.
> > It would be replaced with rootwrap_path and rootwrap_conf options.
> For
> > Grizzly, you would *have to* use those new rootwrap_* options.
> >
> > All distributions I know of are using rootwrap, but I may have missed
> > some. There may also be lovers of the flexibility the root_helper
> config
> > option provided and who would prefer to accept the limitations it
> > imposes on further rootwrap development.
> >
> > Thoughts ?
> 
> IMHO the only valid reason for specifying a different root_helper
> would be if you had figured out a way to make the system more
> secure than rootwrap allows for. If there are such cases, then
> it is better for the project as a whole to have rootwrap improved
> to address them, than leave the option of switching root_helper
> which only helps the individual. Removing it is even more compelling
> given the reason you cite of wanting to be able to do snippets of
> code. So I'm in favour of your suggestion to remove this config
> param and mandate rootwrap for Grizzly.
> 
> Regards,
> Daniel
> --
> |: http://berrange.com      -o-
> http://www.flickr.com/photos/dberrange/ :|
> |: http://libvirt.org              -o-             http://virt-
> manager.org :|
> |: http://autobuild.org       -o-
> http://search.cpan.org/~danberr/ :|
> |: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-
> vnc :|
> 
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



More information about the OpenStack-dev mailing list