Use commit eaab5fae2502198e9fa57d0d90a7204a2bd83b16:
Merge "sort options to make --help output prettier"
(Wed Feb 13 12:52:14 2013 +0000).
Changes:
9669767 Fix PEP8 error in oslo-rootwrap
e3e5e0e Fixes "is not", "not in" syntax usage
d156150 Implements import_group
0ce65aa sort options to make --help output prettier
580c259 Make tox run doctests
d8c4e0c Change Exception MissingArgs's string
6d102bc Provide i18n to those messages without _()
cf705c5 Make project pyflakes clean
9e5912f Fix pep8 E125 errors
4a1ec21 Support testing args for LocalhostMatchMaker
9fd6437 Exchanges should return directed topics
a4b6c31 Allow running test in uninstalled source tree
1461135 timeutils: considers that now is soon
a956f7a Import timeutils.is_soon from keystoneclient
a4b6c31 Allow running test in uninstalled source tree
076e9e5 Add support for directly stringifying VersionInfo
Change-Id: I427508f0882a528d040c89290ff9ca68a1e91bcd
Fixes: bug #1124213
Add syslogging capabilities to nova-rootwrap, if you set parameter
use_syslog to True. You can specify a facility (syslog_log_facility)
and level (syslog_log_level) to use. Finalizes bp nova-rootwrap-options.
In doing so, it moves rootwrap config parsing to a nova.rootwrap.wrapper
object (and adds unit testing for it). It also improves log messages
content (including the name of the matching filter and the escalation
path used). Incidentally fixes bug 1084766.
Change-Id: Idb8cd9c9febd6263dafab4bc2bff817f00c53dc0
Adds support for a configurable set of trusted directories to search
executables in (exec_dirs), which defaults to system PATH. If your
filter specifies an exec_path that doesn't start with '/', then it
will be searched in exec_dirs. Avoids having to write multiple
filters to care for distro differences. Fixes bug 1079723.
Also returns a specific error rather than try to run absent executables.
Change-Id: Idab03bb0be6832a75ffeed4e78d25d0543f5caf9
Python ignores SIGPIPE on startup, because it prefers to check every
write and raise an IOError exception rather than taking the signal. Most
Unix subprocesses don't expect to work this way. This patch (adapted
from Colin Watson's post at http://tinyurl.com/2a7mzh5) sets SIGPIPE
back to the default action for nova.utils.execute and nova-rootwrap
created subprocesses.
Fixes bug 1053364
Change-Id: I17e1629bb4ef4268515c6734ddb6e12746739c52
Mark the root_helper option deprecated and introduce usage of
the rootwrap_config option instead. The root_helper option will
still fully be supported in Folsom, but will be removed in Grizzly.
Transition notes: you should replace:
root_helper=sudo nova-rootwrap /etc/nova/rootwrap.conf
by:
rootwrap_config=/etc/nova/rootwrap.conf
Implements bp deprecate-root-helper
Change-Id: I8dfc94e9b91f7ffc82d393b345f09409da347e78
Move rootwrap filters definition from being defined within Nova
code to being defined in configuration files to facilitate pluging-in
new rootwrap commands.
Transition notes:
* nova-rootwrap now requires an additional (first) parameter pointing
to the root-owned rootwrap.conf file, sudoers needs to be updated
to specify that ("nova-rootwrap /etc/nova/rootwrap.conf *")
* Packagers should ship {compute,network,volume}.filters inside a
directory listed in rootwrap.conf rather than shipping
nova/rootwrap/{compute,network,volume}.py
* Filter definitions now only support strings. The KillFilter (which was
using arrays as parameters) was modified and the tests updated.
Implements bp nova-rootwrap-pluggable-filters
Corresponding devstack change needs to land first, so that tests pass:
https://review.openstack.org/8842
Change-Id: I2350154cd8057bd57926ed542de035626f7de37d
nova-rootwrap does not wait() for the subprocess it executes to complete before
returning its return code. This often ends up in 0 being returned regardless of
failure/success and causing unforeseen problems in Nova.
Fixes bug #928566
Change-Id: I9b6d85c747513086d0e774cb92ba403886b3283c
Fix environment passing in DnsmasqFilter so that dnsmasq can
be run as root through nova-rootwrap. Fixes bug 919275.
Change-Id: I2e78d92b9af4ddea9c0f1c5ddbe2d55fb672310e
Alternative to using a sudoers file to limit which commands can be run as
root in Nova. This one makes use of command filters defined in Nova code
itself, which can be customized to deeply inspect command arguments before
allowing a command to be executed.
This change puts the infrastructure in place, together with command filters
that replicate the level of filtering provided by a sudoers file (no deep
argument inspection yet). An example of an advanced filter (RegExpFilter) is
also provided. This new root wrapper is not active by default (root_helper
still defaults to "sudo"). Implements blueprint nova-rootwrap.
Change-Id: I7ad723b55e9446758876f21b4fbb09374a910425
Kurt Taylor