From a963aecb4ce91bbb2a2e1e6560e121bc295c36ff Mon Sep 17 00:00:00 2001
From: Jackie Truong <jacklyn.truong@jhuapl.edu>
Date: Wed, 3 May 2017 23:11:32 -0400
Subject: [PATCH] Add missing rootwrap filter for cryptsetup

This change restores the rootwrap filter for cryptsetup that was
recently removed by I37ffc90c0bd57029fced251b5cfd7cd4318a0292 from
compute.filters, as it is still needed by dmcrypt.  Without the rootwrap
filter, `cryptsetup` is not authorized to run with root permissions.

Change-Id: I5fe3e5d5e5a9694d0dbe5b59248e5eaf89858c62
Closes-Bug: #1688166
---
 etc/nova/rootwrap.d/compute.filters | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/etc/nova/rootwrap.d/compute.filters b/etc/nova/rootwrap.d/compute.filters
index f4a774c6b6..a6bc32c10f 100644
--- a/etc/nova/rootwrap.d/compute.filters
+++ b/etc/nova/rootwrap.d/compute.filters
@@ -225,6 +225,9 @@ privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-f
 # nova/storage/linuxscsi.py: sg_scan device
 sg_scan: CommandFilter, sg_scan, root
 
+# nova/virt/libvirt/storage/dmcrypt.py:
+cryptsetup: CommandFilter, cryptsetup, root
+
 # nova/virt/xenapi/vm_utils.py:
 xenstore-read: CommandFilter, xenstore-read, root