nova-rootwrap does not wait() for the subprocess it executes to complete before
returning its return code. This often ends up in 0 being returned regardless of
failure/success and causing unforeseen problems in Nova.
Fixes bug #928566
Change-Id: I9b6d85c747513086d0e774cb92ba403886b3283c
Fix environment passing in DnsmasqFilter so that dnsmasq can
be run as root through nova-rootwrap. Fixes bug 919275.
Change-Id: I2e78d92b9af4ddea9c0f1c5ddbe2d55fb672310e
Alternative to using a sudoers file to limit which commands can be run as
root in Nova. This one makes use of command filters defined in Nova code
itself, which can be customized to deeply inspect command arguments before
allowing a command to be executed.
This change puts the infrastructure in place, together with command filters
that replicate the level of filtering provided by a sudoers file (no deep
argument inspection yet). An example of an advanced filter (RegExpFilter) is
also provided. This new root wrapper is not active by default (root_helper
still defaults to "sudo"). Implements blueprint nova-rootwrap.
Change-Id: I7ad723b55e9446758876f21b4fbb09374a910425
Adam Gandelman