<div dir="ltr"><div>Hi Rodolfo,</div><div><br></div><div>Thanks for raising this topic. I like the idea and I can work on the ironic part.<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, 19 Mar 2020 at 16:47, Rodolfo Alonso <<a href="mailto:ralonsoh@redhat.com">ralonsoh@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hello all:<br>
<br>
With this mail I would like to propose the goal to move away from oslo.rootwrap and migrate to<br>
oslo.privsep. The latter offers a superior security model: it is faster and more secure. During the last<br>
cycles and since privsep was released, the Community has encouraged the usage of privsep and the<br>
deprecation of any existing code still using rootwrap.<br>
<br>
For any developer willing to collaborate, there are plenty of code examples, as I’ll provide later,<br>
implementing and using privsep for new methods and migrations.<br>
<br>
If this goal is approved, I'll open a Story (<a href="https://storyboard.openstack.org/" rel="noreferrer" target="_blank">https://storyboard.openstack.org/</a>) and any developer<br>
will be able to add a task for each related patch or set of patches. This would be the tracker for this<br>
common effort.<br>
<br>
<br>
PROJECTS TO MIGRATE.<br>
--------------------<br>
Projects that are still using rootwrap:<br>
<a href="http://codesearch.openstack.org/?q=rootwrap&i=nope&files=.*.py&repos=" rel="noreferrer" target="_blank">http://codesearch.openstack.org/?q=rootwrap&i=nope&files=.*.py&repos=</a><br>
neutron<br>
os-brick<br>
designate<br>
cinder<br>
ironic-inspector<br>
neutron-vpnaas<br>
nova<br>
solum<br>
glance_store<br>
ironic<br>
zun<br>
magnum<br>
manila<br>
networking-bagpipe<br>
sahara<br>
ceilometer<br>
cinderlib<br>
freezer<br>
ironic-lib<br>
monasca-agent<br>
tacker<br>
tripleo-common<br>
<br>
<br>
USAGE DOCUMENTATION ABOUT PRIVSEP.<br>
----------------------------------<br>
How to create a privsep context, assign privileges and use it as a decorator: <br>
<a href="https://docs.openstack.org/oslo.privsep/latest/user/index.html" rel="noreferrer" target="_blank">https://docs.openstack.org/oslo.privsep/latest/user/index.html</a><br>
<br>
<br>
HOW TO MIGRATE FROM ROOTWRAP TO PRIVSEP.<br>
----------------------------------------<br>
From the same link provided previously, in the section “Converting from rootwrap to privsep”: <br>
<a href="https://docs.openstack.org/oslo.privsep/latest/user/index.html#converting-from-rootwrap-to-privsep" rel="noreferrer" target="_blank">https://docs.openstack.org/oslo.privsep/latest/user/index.html#converting-from-rootwrap-to-privsep</a><br>
<br>
oslo.privsep provides a class, PrivContext, that can be used to create a decorator function. The<br>
instance created is a context of execution and has defined a list of capabilities, matching the<br>
Linux capabilities. The privsep context decorator should contain the minimum needed capabilities to<br>
execute the decorated function.<br>
<br>
For example:<br>
<br>
from oslo_privsep import capabilities as caps<br>
from oslo_privsep import priv_context<br>
<br>
# Context for the privileged daemon; list only the capabilities the decorated code needs.<br>
default = priv_context.PrivContext(<br>
    __name__,<br>
    cfg_section='privsep',<br>
    pypath=__name__ + '.default',<br>
    capabilities=[caps.CAP_SYS_ADMIN,<br>
                  caps.CAP_NET_ADMIN,<br>
                  caps.CAP_DAC_OVERRIDE,<br>
                  caps.CAP_DAC_READ_SEARCH,<br>
                  caps.CAP_SYS_PTRACE],<br>
)<br>
<br>
<br>
The function “entrypoint” of this instance can be used as a decorator for another function:<br>
<br>
# 'privileged' is the module where the 'default' context above is defined.<br>
@privileged.default.entrypoint<br>
def delete_interface(ifname, namespace, **kwargs):<br>
    # Runs inside the privileged daemon; _run_iproute_link is the helper that performs the link deletion.<br>
    _run_iproute_link("del", ifname, namespace, **kwargs)<br>
<br>
<br>
As commented in the given link, a straight 1:1 filter:function replacement generally results in<br>
functions that are still too broad for good security. It is better to replace each chmod rootwrap<br>
call with a narrow privsep function that will limit it to specific files.<br>
<br>
<br>
MIGRATION EXAMPLES.<br>
-------------------<br>
Nova: <br>
<a href="https://review.opendev.org/#/q/project:openstack/nova+branch:master+topic:my-own-personal-alternative-universe" rel="noreferrer" target="_blank">https://review.opendev.org/#/q/project:openstack/nova+branch:master+topic:my-own-personal-alternative-universe</a><br>
Neutron: <br>
<a href="https://review.opendev.org/#/q/status:merged+project:openstack/neutron+branch:master+topic:bug/1492714" rel="noreferrer" target="_blank">https://review.opendev.org/#/q/status:merged+project:openstack/neutron+branch:master+topic:bug/1492714</a><br>
os-vif: <a href="https://review.opendev.org/#/c/287725/" rel="noreferrer" target="_blank">https://review.opendev.org/#/c/287725/</a><br>
<br>
<br>
Thank you and regards.<br>
<br>
<br>
<br>
</blockquote></div><br clear="all"><br>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><span style="background-color:rgb(255,255,255)"><font style="background-color:transparent"><div><div dir="ltr"><div><div style="color:rgb(136,136,136);font-family:arial,sans-serif;font-size:12.8px"><i style="font-size:13px"><font style="color:rgb(0,0,0)">Att[]'s</font><br><font color="#500050"><span style="color:rgb(0,0,0)">Iury Gregory Melo Ferreira</span> </font><br></i><i><font color="#000000">MSc in Computer Science at UFCG<br></font></i></div><div style="color:rgb(136,136,136);font-family:arial,sans-serif;font-size:12.8px"><i><font color="#000000">Part of the puppet-manager-core team in OpenStack</font></i><br><i><font color="#000000"><span style="background-color:rgb(255,255,255)"><font style="background-color:transparent"><i><font color="#000000">Software Engineer at Red Hat Czech</font></i></font></span></font></i></div><div><font style="font-family:arial,sans-serif;font-size:12.8px" color="#000000"><i>Social</i>:</font><font style="font-family:arial,sans-serif;font-size:12.8px"><font color="#888888"> </font><a href="https://www.linkedin.com/in/iurygregory" target="_blank"><font color="#0b5394">https://www.linkedin.com/in/iurygregory</font></a></font></div><div><i style="color:rgb(136,136,136);background-color:transparent;font-size:13px"><font color="#500050"><span style="color:rgb(0,0,0)">E-mail: </span> </font><a href="mailto:iurygregory@gmail.com" style="color:rgb(0,84,136)" target="_blank">iurygregory@gmail.com</a></i></div></div></div></div></font></span></div></div></div></div></div></div></div></div></div></div>
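<div>As an added example of the point in the quoted mail about narrow privsep functions (this is not code from the mail or from any OpenStack project): a straight port of a rootwrap chmod filter sits next to a narrow entrypoint that only tightens permissions on files inside one fixed directory, with a context that requests CAP_FOWNER rather than CAP_SYS_ADMIN. The service, KEY_DIR and the privsep_key_files config section are assumptions; the fallback decorator exists only so the module imports where oslo.privsep is not installed.</div>

```python
"""Narrow privsep entrypoints instead of a 1:1 rootwrap filter port.

Added example; not code from the original mail or from any OpenStack
project. It assumes a hypothetical service that keeps private keys under
KEY_DIR and needs root only to tighten their permissions.
"""
import os
import stat

try:
    from oslo_privsep import capabilities as caps
    from oslo_privsep import priv_context
except ImportError:  # oslo.privsep absent: run the logic in-process, unprivileged
    caps = priv_context = None

KEY_DIR = "/etc/example-service/keys"   # constructed path for the example
KEY_MODE = stat.S_IRUSR | stat.S_IWUSR  # 0o600: owner read/write only

if priv_context is not None:
    # chmod on a file owned by another user needs only CAP_FOWNER; granting
    # CAP_SYS_ADMIN here would make the daemon far more powerful than the job needs.
    key_files = priv_context.PrivContext(
        __name__,
        cfg_section="privsep_key_files",
        pypath=__name__ + ".key_files",
        capabilities=[caps.CAP_FOWNER],
    )
    entrypoint = key_files.entrypoint
else:
    def entrypoint(func):  # fallback decorator when no privsep daemon exists
        return func


@entrypoint
def chmod_any(path, mode):
    """A straight port of a 'chmod: CommandFilter, chmod, root' rootwrap filter.

    Still too broad: the unprivileged caller picks both the target and the
    mode, so a compromised service process could use it against any file.
    """
    os.chmod(path, mode)


def validated_key_path(path, key_dir=KEY_DIR):
    """Return the canonical path if it names a file directly inside key_dir.

    Rejects relative paths, '..' segments and anything outside key_dir before
    the privileged side touches the filesystem at all.
    """
    if not os.path.isabs(path):
        raise ValueError("key path must be absolute: %r" % path)
    normalized = os.path.normpath(path)
    if os.path.dirname(normalized) != os.path.normpath(key_dir):
        raise ValueError("key path outside %s: %r" % (key_dir, path))
    return normalized


def _restrict_permissions(path, key_dir, mode):
    """Unprivileged core of the narrow entrypoint, split out so it is testable.

    Returns the permission bits of the file after the change.
    """
    target = validated_key_path(path, key_dir)
    st = os.lstat(target)  # lstat: a symlink planted in key_dir is refused, not followed
    if not stat.S_ISREG(st.st_mode):
        raise ValueError("not a regular file (symlinks are refused): %r" % path)
    os.chmod(target, mode)
    return stat.S_IMODE(os.stat(target).st_mode)


@entrypoint
def restrict_key_permissions(path):
    """Narrow replacement for the chmod filter: fixed directory, fixed mode."""
    return _restrict_permissions(path, KEY_DIR, KEY_MODE)
```

<div>With oslo.privsep installed, restrict_key_permissions runs in the daemon and the caller can only influence which file under KEY_DIR gets mode 0600; everything else the daemon could do with CAP_FOWNER is unreachable through this entrypoint, which is the difference between a narrow function and the 1:1 port.</div>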