On 01/24/2018 11:46 PM, Andreas Henriksson wrote:
> Hello Thomas Goirand,
>
> On Wed, Jan 24, 2018 at 01:38:01PM +0100, Thomas Goirand wrote:
>> Andreas,
>>
>> rootwrap is just a wrapper around sudo to improve security. So in this
>> case, nova-compute really *is* using the above tools, and should depend
>> on e2fsprogs. I'll push a change with nova-common depending on it.
>
> As mentioned I spent very little time on trying to understand what
> rootwrap is, but it seemed to me like a rootwrap filter would be
> similar to having a /etc/sudoers rule that included e.g. mke2fs.
> If that was the case the sudo package still would not depend on
> e2fsprogs.... (It would still be the program actually executing
> the command that sudoers gives you permission to run that needs the
> dependency.) .... but apparently spending 2 seconds is not enough to
> correctly understand rootwrap for me. :P
>
> I fully trust you have a much better understanding of this than me,
> so thanks for your swift feedback. Looking forward to seeing this fixed
> soon!
>
> Regards,
> Andreas Henriksson

Just let me explain then. The nova-common package ships a sudoers.d file
with this content:

nova ALL = (root) NOPASSWD: /usr/bin/nova-rootwrap /etc/nova/rootwrap.conf *

As you see, only nova-rootwrap can be called. rootwrap then has some
filters in rootwrap.conf to restrict the usage of itself in nova. So
indeed, everything which is listed in /etc/nova/rootwrap.conf is
actually used by nova.

Yes, rootwrap is a band-aid thing, and it's far from perfect. This is
the reason why we now have oslo.privsep, which uses a much nicer
mechanism. Hopefully, Nova will switch to that "soon".

Cheers,

Thomas Goirand (zigo)
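
Added example, not part of the thread and not nova's or oslo.rootwrap's own code: each rootwrap filter names a program nova may run as root, so this Python script reads a filter file in oslo.rootwrap's `[Filters]` syntax and reports the executables that are not installed, which is the packaging gap discussed above. The sample filter text and the function names are constructed for illustration.

```python
import configparser
import shutil

# Constructed sample in oslo.rootwrap filter-file syntax:
#   name: FilterClass, <class-specific arguments>
SAMPLE_FILTERS = """\
[Filters]
mke2fs: CommandFilter, mke2fs, root
tune2fs: CommandFilter, tune2fs, root
kill_dnsmasq: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP
"""

# Filter classes whose first argument is the executable (assumption: only
# these two are handled here; other classes are skipped).
EXEC_FIRST = {"CommandFilter", "RegExpFilter"}


def filtered_executables(text):
    """Map filter name -> executable for the handled filter classes."""
    parser = configparser.RawConfigParser()
    parser.optionxform = str  # keep filter names case-sensitive
    parser.read_string(text)
    found = {}
    for name, value in parser.items("Filters"):
        fields = [field.strip() for field in value.split(",")]
        if len(fields) >= 2 and fields[0] in EXEC_FIRST:
            found[name] = fields[1]
    return found


def missing_executables(executables, which=shutil.which):
    """Return the sorted executables that `which` cannot resolve."""
    return sorted({exe for exe in executables.values() if which(exe) is None})


if __name__ == "__main__":
    execs = filtered_executables(SAMPLE_FILTERS)
    for exe in missing_executables(execs):
        print(f"filter references {exe}, which is not installed")
```

Run as root's PATH would see it, since rootwrap resolves the filtered commands with root's privileges.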

