[all][privsep] Migrate from oslo.rootwrap to oslo.privsep

Rodolfo Alonso ralonsoh at redhat.com
Thu Mar 19 15:45:23 UTC 2020 

Hello all:

With this mail I would like to propose the goal to move away from oslo.rootwrap and migrate to
oslo.privsep. The last one offers a superior security model, faster and more secure. During the last
cycles and since privsep was released, the Community has encouraged the usage of privsep and the
deprecation of any existing code still using rootwrap.

For any developer willing to collaborate, there are plenty of code examples, as I’ll provide later,
implementing and using privsep for new methods and migrations.

If this goal is approved, I'll open a Story (https://storyboard.openstack.org/) and any developer
will be able to add a task for each patch or set of them related. This would be the tracker for this
common effort.


PROJECTS TO MIGRATE.
--------------------
Projects that are still using rootwrap:
http://codesearch.openstack.org/?q=rootwrap&i=nope&files=.*.py&repos=
neutron
os-brick
designate
cinder
ironic-inspector
neutron-vpnaas
nova
solum
glance_store
ironic
zun
magnum
manila
networking-bagpipe
sahara
ceilometer
cinderlib
freezer
ironic-lib
monasca-agent
tacker
tripleo-common


USAGE DOCUMENTATION ABOUT PRIVSEP.
----------------------------------
How to create a privsep context, assign privileges and use it as a decorator: 
https://docs.openstack.org/oslo.privsep/latest/user/index.html


HOW TO MIGRATE FROM ROOTWRAP TO PRIVSEP.
----------------------------------------
>From the same link provided previously, in the section “Converting from rootwrap to privsep”: 
https://docs.openstack.org/oslo.privsep/latest/user/index.html#converting-from-rootwrap-to-privsep

oslo.privsep provides a class, PrivContext, that can be used to create a decorator function. The
instance created is a context of execution and has defined a list of capabilities, matching the
Linux capabilities. The privsep context decorator should contain the minimum needed capabilities to
execute the decorated function.

For example:

   default = priv_context.PrivContext(
      __name__,
      cfg_section='privsep',
      pypath=__name__ + '.default',
      capabilities=[caps.CAP_SYS_ADMIN,
                    caps.CAP_NET_ADMIN,
                    caps.CAP_DAC_OVERRIDE,
                    caps.CAP_DAC_READ_SEARCH,
                    caps.CAP_SYS_PTRACE],
   )


The function “entrypoint” of this instance can be used as a decorator for another function:

   @privileged.default.entrypoint
   def delete_interface(ifname, namespace, **kwargs):
       _run_iproute_link("del", ifname, namespace, **kwargs)


As commented in the given link, a straight 1:1 filter:function replacement generally results in
functions that are still too broad for good security. It is better to replace each chmod rootwrap
call with a narrow privsep function that will limit it to specific files.


MIGRATION EXAMPLES.
-------------------
Nova: 
https://review.opendev.org/#/q/project:openstack/nova+branch:master+topic:my-own-personal-alternative-universe
Neutron: 
https://review.opendev.org/#/q/status:merged+project:openstack/neutron+branch:master+topic:bug/1492714
os-vif: https://review.opendev.org/#/c/287725/


Thank you and regards.

More information about the openstack-discuss mailing list