[Openstack] Nova root wrapper understanding
Thierry Carrez
thierry at openstack.org
Mon Jan 14 10:21:44 UTC 2013
Kun Huang wrote:
> Thanks, Thierry Carrez. Your explanation is easy to understand. I have
> got why we need such a mechanism.
>
> BTW, is root-wrap a general or popular way to keep security? I have no
> experience on security, but I have heard the /root /should be banned
> because of security. Ideally, should we ban /root /in nodes and just use
> root wrapped /nova /user for tasks in need?
Ideally, we should run all services as an unprivileged user ("nova"). In
reality, given the low-level tasks generally needed to bootstrap
infrastructure resources, it's difficult to achieve. So we should strive
to only escalate when really needed, and filter properly to ensure
escalation is limited. Rootwrap provides a framework for that filtering.
--
Thierry Carrez (ttx)
Release Manager, OpenStack
More information about the Openstack
mailing list