[openstack-dev] [nova] [quantum] [cinder] Deprecating usage of root_helper="sudo"
Daniel P. Berrange
berrange at redhat.com
Fri Jul 27 13:18:34 UTC 2012
On Fri, Jul 27, 2012 at 03:08:25PM +0200, Thierry Carrez wrote:
> Hi everyone,
>
> Originally introduced in Essex, the rootwrap is now used in 3 core
> projects (it will soon be proposed to openstack-common to avoid this
> code duplication). But now that its usage is widespread it might be time
> to deprecate the possibility to just run "sudo" instead.
>
> Currently you can use root_helper=sudo, together with a proper sudoers
> file allowing all necessary commands, as an alternative to using the
> rootwrap. Since the root_helper is called with the shell command to
> execute as root, it just works.
>
> However this prevents rootwrap to grow smarter features, like the
> ability to run snippets of Python code instead of shelling out. To
> support that, we need to stop supporting running pure "sudo" as the
> root_helper.
>
> For Folsom, we could mark usage of root_helper as deprecated (but
> obviously still support it) so that we can get rid of it during Grizzly.
> It would be replaced with rootwrap_path and rootwrap_conf options. For
> Grizzly, you would *have to* use those new rootwrap_* options.
>
> All distributions I know of are using rootwrap, but I may have missed
> some. There may also be lovers of the flexibility the root_helper config
> option provided and who would prefer to accept the limitations it
> imposes on further rootwrap development.
>
> Thoughts ?
IMHO the only valid reason for specifying a different root_helper
would be if you had figured out a way to make the system more
secure than rootwrap allows for. If there are such cases, then
it is better for the project as a whole to have rootwrap improved
to address them, than leave the option of switching root_helper
which only helps the individual. Removing it is even more compelling
given the reason you cite of wanting to be able to do snippets of
code. So I'm in favour of your suggestion to remove this config
param and mandate rootwrap for Grizzly.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
More information about the OpenStack-dev
mailing list