Astara rootwrap
We are still just shelling out directly to sudo. We need to adapt the oslo.rootwrap library, audit our codebase for sudo usage and define appropriate filters for each project. We'll likely run into trouble getting Astara packaged and shipped in distros without these types of basic OpenStack security best practices in place.
Blueprint information
- Status: Complete
- Approver: None
- Priority: High
- Drafter: Adam Gandelman
- Direction: Approved
- Assignee: xiayu
- Definition: Approved
- Series goal: Accepted for mitaka
- Implementation: Implemented
- Milestone target: mitaka-3
- Started by: Adam Gandelman
- Completed by: Adam Gandelman
Whiteboard
Gerrit topic: https:/
Addressed by: https:/
Astara oslo.rootwrap: Use oslo.rootwrap to replace the default root_helper sudo. Add network filter for ip, ovs-vsctl, ovs-ofctl commands.
Addressed by: https:/
Astara appliance oslo.rootwrap
Work Items
Work items:
Implement in the orchestrator: DONE
Implement in the appliance: TODO
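For reference, the general shape of the change this blueprint describes (sudo restricted to a rootwrap entry point, with filters for ip, ovs-vsctl and ovs-ofctl), as an added example that is not Astara's own configuration. The `<project>` and `<service-user>` names, all file paths and the "before" sudoers line are placeholders and assumptions; the filter classes are those shipped with oslo.rootwrap.

```ini
# Constructed example: <project>, <service-user> and every path below are
# placeholders, not values taken from the Astara tree.

# --- Before (assumed): the service user can run anything through sudo ---
# sudoers:
#   <service-user> ALL = (root) NOPASSWD: ALL

# --- After: sudo may only start the rootwrap entry point -----------------
# sudoers:
#   <service-user> ALL = (root) NOPASSWD: /usr/bin/<project>-rootwrap /etc/<project>/rootwrap.conf *

# ---- /etc/<project>/rootwrap.conf ----
[DEFAULT]
# Directories holding *.filters files. They must be owned by root and
# writable only by root, otherwise the service user can grant itself commands.
filters_path = /etc/<project>/rootwrap.d
# Only executables found in these directories are considered.
exec_dirs = /sbin,/usr/sbin,/bin,/usr/bin
# Log denied commands so unexpected root requests are visible.
use_syslog = True
syslog_log_facility = syslog
syslog_log_level = ERROR

# ---- /etc/<project>/rootwrap.d/network.filters ----
[Filters]
# IpFilter allows "ip ..." but rejects "ip netns exec", which would
# otherwise run an arbitrary command as root.
ip: IpFilter, ip, root
# IpNetnsExecFilter allows "ip netns exec <ns> <cmd>" only when <cmd>
# itself matches another filter in this set.
ip_exec: IpNetnsExecFilter, ip, root
# CommandFilter matches on the executable name only; arguments are not checked.
ovs-vsctl: CommandFilter, ovs-vsctl, root
ovs-ofctl: CommandFilter, ovs-ofctl, root
```

When auditing for remaining sudo usage, any command that needs tighter argument control than `CommandFilter` provides can use `RegExpFilter`, which matches each argument against a pattern.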