Filters which commands cinder is allowed to run as another user.
To use this, you should set the following in cinder.conf:
- root_helper=sudo cinder-rootwrap /etc/cinder/rootwrap.conf
+ rootwrap_config=/etc/cinder/rootwrap.conf
You also need to let the cinder user run cinder-rootwrap as root in sudoers:
cinder ALL = (root) NOPASSWD: /usr/bin/cinder-rootwrap
'formatted with on creation.'),
cfg.StrOpt('root_helper',
default='sudo',
- help='Command prefix to use for running commands as root'),
+ help='Deprecated: command to use for running commands as root'),
+ cfg.StrOpt('rootwrap_config',
+ default=None,
+ help='Path to the rootwrap configuration file to use for '
+ 'running commands as root'),
cfg.BoolOpt('use_ipv6',
default=False,
help='use ipv6'),
PERFECT_TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%f"
FLAGS = flags.FLAGS
+if FLAGS.rootwrap_config is None or FLAGS.root_helper != 'sudo':
+ LOG.warn(_('The root_helper option (which lets you specify a root '
+ 'wrapper different from cinder-rootwrap, and defaults to '
+ 'using sudo) is now deprecated. You should use the '
+ 'rootwrap_config option instead.'))
+
def find_config(config_path):
"""Find a configuration file using the given hint.
"""Helper method to execute command with optional retry.
If you add a run_as_root=True command, don't forget to add the
- corresponding filter to cinder.rootwrap !
+ corresponding filter to etc/cinder/rootwrap.d !
:param cmd: Passed to subprocess.Popen.
:param process_input: Send to opened process.
'to utils.execute: %r') % kwargs)
if run_as_root:
- cmd = shlex.split(FLAGS.root_helper) + list(cmd)
+ if (FLAGS.rootwrap_config is not None):
+ cmd = ['sudo', 'cinder-rootwrap',
+ FLAGS.rootwrap_config] + list(cmd)
+ else:
+ cmd = shlex.split(FLAGS.root_helper) + list(cmd)
cmd = map(str, cmd)
while attempts > 0:
Code Review / openstack-build / cinder-build.git / commitdiff