Add os-brick rootwrap filter for privsep

This change adds the command required to start the os-brick privsep
privileged helper process.

This should be the last "routine" merge to rootwrap filters from
os-brick, since os-brick privileged operations will now go through the
privsep mechanism.  The now-obsolete os-brick rootwrap entries will be
removed in a followup change that also bumps the os-brick minimum
version appropriately.

Change-Id: I3b2e337321875cf4abc0ab9b44fe17cf9327d88b

diff --git a/etc/cinder/rootwrap.d/volume.filters b/etc/cinder/rootwrap.d/volume.filters
index ceee5c87ae384920b0058649ac984f463d001c0b..27971397209fa01f7be37c2bbf18137fc1f869f6 100644 (file)
--- a/etc/cinder/rootwrap.d/volume.filters
+++ b/etc/cinder/rootwrap.d/volume.filters
@@ -23,9 +23,13 @@ lvs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvs
 lvdisplay_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvdisplay
 
 # os-brick library commands
-# TODO(smcginnis) This is a temporary fix. Need to pull in os-brick
-# os-brick.filters file instead and clean out stale brick values from
-# this file.
+# os_brick.privileged.run_as_root oslo.privsep context
+# This line ties the superuser privs with the config files, context name,
+# and (implicitly) the actual python code invoked.
+privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.*
+# The following and any cinder/brick/* entries should all be obsoleted
+# by privsep, and may be removed once the os-brick version requirement
+# is updated appropriately.
 scsi_id: CommandFilter, /lib/udev/scsi_id, root
 drbdadm: CommandFilter, drbdadm, root