Python ignores SIGPIPE on startup, because it prefers to check every
write and raise an IOError exception rather than taking the signal. Most
Unix subprocesses don't expect to work this way. This patch (adapted
from Colin Watson's post at http://tinyurl.com/2a7mzh5) sets SIGPIPE
back to the default action for nova.utils.execute and nova-rootwrap
created subprocesses.
Fixes bug 1053364
Change-Id: I17e1629bb4ef4268515c6734ddb6e12746739c52
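
The effect described in the commit message above, as an added Python 3 example (not nova's code and not part of the original log). The function names and the `head` workload are constructed for illustration. Python 3's `subprocess` already resets SIGPIPE in children by default (`restore_signals=True`), so the example turns that off to reproduce the inherited disposition the message describes.

```python
import signal
import subprocess

# Constructed workload: a non-Python child that writes far more than a pipe
# buffer can hold, so one of its writes is guaranteed to hit the closed pipe.
CHILD_CMD = ["head", "-c", "10000000", "/dev/zero"]


def _subprocess_setup():
    # Runs in the child between fork() and exec(): undo Python's SIG_IGN so
    # the executed program sees the default SIGPIPE action again.
    signal.signal(signal.SIGPIPE, signal.SIG_DFL)


def run_with_closed_reader(restore_sigpipe):
    """Start CHILD_CMD, close the read end of its stdout, return its status."""
    proc = subprocess.Popen(
        CHILD_CMD,
        stdout=subprocess.PIPE,
        stderr=subprocess.DEVNULL,
        # Keep the interpreter's ignored SIGPIPE unless we restore it ourselves.
        restore_signals=False,
        preexec_fn=_subprocess_setup if restore_sigpipe else None,
    )
    proc.stdout.close()  # the reader goes away, as when `cmd | head` ends early
    return proc.wait()   # wait() so the child's real status is what we return


if __name__ == "__main__":
    # Positive status: the child saw EPIPE and exited with a write error.
    print("SIGPIPE inherited as ignored:", run_with_closed_reader(False))
    # Negative status: the child was terminated by the signal (-SIGPIPE).
    print("SIGPIPE restored to default :", run_with_closed_reader(True))
```
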

Mark the root_helper option deprecated and introduce usage of
the rootwrap_config option instead. The root_helper option will
still fully be supported in Folsom, but will be removed in Grizzly.
Transition notes: you should replace:
root_helper=sudo nova-rootwrap /etc/nova/rootwrap.conf
by:
rootwrap_config=/etc/nova/rootwrap.conf
Implements bp deprecate-root-helper
Change-Id: I8dfc94e9b91f7ffc82d393b345f09409da347e78

Move rootwrap filters definition from being defined within Nova
code to being defined in configuration files to facilitate plugging-in
new rootwrap commands.
Transition notes:
* nova-rootwrap now requires an additional (first) parameter pointing
to the root-owned rootwrap.conf file, sudoers needs to be updated
to specify that ("nova-rootwrap /etc/nova/rootwrap.conf *")
* Packagers should ship {compute,network,volume}.filters inside a
directory listed in rootwrap.conf rather than shipping
nova/rootwrap/{compute,network,volume}.py
* Filter definitions now only support strings. The KillFilter (which was
using arrays as parameters) was modified and the tests updated.
Implements bp nova-rootwrap-pluggable-filters
Corresponding devstack change needs to land first, so that tests pass:
https://review.openstack.org/8842
Change-Id: I2350154cd8057bd57926ed542de035626f7de37d

nova-rootwrap does not wait() for the subprocess it executes to complete before
returning its return code. This often ends up in 0 being returned regardless of
failure/success and causing unforeseen problems in Nova.
Fixes bug #928566
Change-Id: I9b6d85c747513086d0e774cb92ba403886b3283c

Fix environment passing in DnsmasqFilter so that dnsmasq can
be run as root through nova-rootwrap. Fixes bug 919275.
Change-Id: I2e78d92b9af4ddea9c0f1c5ddbe2d55fb672310e

Alternative to using a sudoers file to limit which commands can be run as
root in Nova. This one makes use of command filters defined in Nova code
itself, which can be customized to deeply inspect command arguments before
allowing a command to be executed.
This change puts the infrastructure in place, together with command filters
that replicate the level of filtering provided by a sudoers file (no deep
argument inspection yet). An example of an advanced filter (RegExpFilter) is
also provided. This new root wrapper is not active by default (root_helper
still defaults to "sudo"). Implements blueprint nova-rootwrap.
Change-Id: I7ad723b55e9446758876f21b4fbb09374a910425