---- On Thu, 19 Mar 2020 10:45:23 -0500 Rodolfo Alonso <ralonsoh@redhat.com> wrote ----
Hello all:
With this mail I would like to propose the goal to move away from oslo.rootwrap and migrate to oslo.privsep. The last one offers a superior security model, faster and more secure. During the last cycles and since privsep was released, the Community has encouraged the usage of privsep and the deprecation of any existing code still using rootwrap.
For any developer willing to collaborate, there are plenty of code examples, as I’ll provide later, implementing and using privsep for new methods and migrations.
If this goal is approved, I'll open a Story (https://storyboard.openstack.org/) and any developer will be able to add a task for each patch or set of them related. This would be the tracker for this common effort.
Thanks Rodolfo for taking initiative on this effort, much appreciated. Just to be clear, In this ML, we are checking this as a possible goal candidate for V cycle[1]. I have mentioned this ML link in etherpad: https://etherpad.openstack.org/p/YVR-v-series-goals Once we get the heads up from ML and sort out the open questions, the next step will be to propose this as a goal in governance repo governance/tree/master/goals/proposed. After this goal and its definition are accepted then we select this for cycle goal [2]. On/after it is selected as a cycle goal, then you as goal champion can start the storyboard for tracking. [1] https://etherpad.openstack.org/p/YVR-v-series-goals [2] https://governance.openstack.org/tc/goals/#process-details -gmann
PROJECTS TO MIGRATE. -------------------- Projects that are still using rootwrap: http://codesearch.openstack.org/?q=rootwrap&i=nope&files=.*.py&repos= neutron os-brick designate cinder ironic-inspector neutron-vpnaas nova solum glance_store ironic zun magnum manila networking-bagpipe sahara ceilometer cinderlib freezer ironic-lib monasca-agent tacker tripleo-common
USAGE DOCUMENTATION ABOUT PRIVSEP. ---------------------------------- How to create a privsep context, assign privileges and use it as a decorator: https://docs.openstack.org/oslo.privsep/latest/user/index.html
HOW TO MIGRATE FROM ROOTWRAP TO PRIVSEP. ---------------------------------------- From the same link provided previously, in the section “Converting from rootwrap to privsep”: https://docs.openstack.org/oslo.privsep/latest/user/index.html#converting-fr...
oslo.privsep provides a class, PrivContext, that can be used to create a decorator function. The instance created is a context of execution and has defined a list of capabilities, matching the Linux capabilities. The privsep context decorator should contain the minimum needed capabilities to execute the decorated function.
For example:
default = priv_context.PrivContext( __name__, cfg_section='privsep', pypath=__name__ + '.default', capabilities=[caps.CAP_SYS_ADMIN, caps.CAP_NET_ADMIN, caps.CAP_DAC_OVERRIDE, caps.CAP_DAC_READ_SEARCH, caps.CAP_SYS_PTRACE], )
The function “entrypoint” of this instance can be used as a decorator for another function:
@privileged.default.entrypoint def delete_interface(ifname, namespace, **kwargs): _run_iproute_link("del", ifname, namespace, **kwargs)
As commented in the given link, a straight 1:1 filter:function replacement generally results in functions that are still too broad for good security. It is better to replace each chmod rootwrap call with a narrow privsep function that will limit it to specific files.
MIGRATION EXAMPLES. ------------------- Nova: https://review.opendev.org/#/q/project:openstack/nova+branch:master+topic:my... Neutron: https://review.opendev.org/#/q/status:merged+project:openstack/neutron+branc... os-vif: https://review.opendev.org/#/c/287725/
Thank you and regards.