Open Stack

On Thu, 2020-03-19 at 16:50 +0100, Iury Gregory wrote:
> Hi Rodolfo,
> 
> Thanks for raising this topic. I like the idea and I can work in the ironic
> part.
> 
> Em qui., 19 de mar. de 2020 às 16:47, Rodolfo Alonso <ralonsoh at redhat.com>
> escreveu:
> 
> > Hello all:
> > 
> > With this mail I would like to propose the goal to move away from
> > oslo.rootwrap and migrate to
> > oslo.privsep. The last one offers a superior security model, faster and
> > more secure. During the last
> > cycles and since privsep was released, the Community has encouraged the
> > usage of privsep and the
> > deprecation of any existing code still using rootwrap.
> > 
> > For any developer willing to collaborate, there are plenty of code
> > examples, as I’ll provide later,
> > implementing and using privsep for new methods and migrations.
> > 
> > If this goal is approved, I'll open a Story (
> > https://storyboard.openstack.org/) and any developer
> > will be able to add a task for each patch or set of them related. This
> > would be the tracker for this
> > common effort.
> > 
> > 
> > PROJECTS TO MIGRATE.
> > --------------------
> > Projects that are still using rootwrap:
> > http://codesearch.openstack.org/?q=rootwrap&i=nope&files=.*.py&repos=
> > neutron
> > os-brick
> > designate
> > cinder
> > ironic-inspector
> > neutron-vpnaas
> > nova
nova does not use rootwarp anymore.
> > solum
> > glance_store
> > ironic
> > zun
> > magnum
> > manila
> > networking-bagpipe
> > sahara
> > ceilometer
> > cinderlib
> > freezer
> > ironic-lib
> > monasca-agent
> > tacker
> > tripleo-common
> > 
> > 
> > USAGE DOCUMENTATION ABOUT PRIVSEP.
> > ----------------------------------
> > How to create a privsep context, assign privileges and use it as a
> > decorator:
> > https://docs.openstack.org/oslo.privsep/latest/user/index.html
> > 
> > 
> > HOW TO MIGRATE FROM ROOTWRAP TO PRIVSEP.
> > ----------------------------------------
> > From the same link provided previously, in the section “Converting from
> > rootwrap to privsep”:
> > 
> > https://docs.openstack.org/oslo.privsep/latest/user/index.html#converting-from-rootwrap-to-privsep
> > 
> > oslo.privsep provides a class, PrivContext, that can be used to create a
> > decorator function. The
> > instance created is a context of execution and has defined a list of
> > capabilities, matching the
> > Linux capabilities. The privsep context decorator should contain the
> > minimum needed capabilities to
> > execute the decorated function.
> > 
> > For example:
> > 
> >    default = priv_context.PrivContext(
> >       __name__,
> >       cfg_section='privsep',
> >       pypath=__name__ + '.default',
> >       capabilities=[caps.CAP_SYS_ADMIN,
> >                     caps.CAP_NET_ADMIN,
> >                     caps.CAP_DAC_OVERRIDE,
> >                     caps.CAP_DAC_READ_SEARCH,
> >                     caps.CAP_SYS_PTRACE],
> >    )
> > 
> > 
> > The function “entrypoint” of this instance can be used as a decorator for
> > another function:
> > 
> >    @privileged.default.entrypoint
> >    def delete_interface(ifname, namespace, **kwargs):
> >        _run_iproute_link("del", ifname, namespace, **kwargs)
> > 
> > 
> > As commented in the given link, a straight 1:1 filter:function replacement
> > generally results in
> > functions that are still too broad for good security. It is better to
> > replace each chmod rootwrap
> > call with a narrow privsep function that will limit it to specific files.
> > 
> > 
> > MIGRATION EXAMPLES.
> > -------------------
> > Nova:
> > 
> > https://review.opendev.org/#/q/project:openstack/nova+branch:master+topic:my-own-personal-alternative-universe
> > Neutron:
> > 
> > https://review.opendev.org/#/q/status:merged+project:openstack/neutron+branch:master+topic:bug/1492714
> > os-vif
> > <https://review.opendev.org/#/q/status:merged+project:openstack/neutron+branch:master+topic:bug/1492714os-vif>:
> > https://review.opendev.org/#/c/287725/
> > 
> > 
> > Thank you and regards.
> > 
> > 
> > 
> > 
> 
>