OpenStack Compute (nova)

Generate rootwrap filters from code annotations

Registered by Thierry Carrez on 2012-06-21

Currently rootwrap filters are defined separately from the code that requires them. The link is somehow documented in comments in the filter files but this is clearly suboptimal, and can for example lead in keeping extra filters for commands that are no longer needed.

Almost quoting Dan Berrange:
It would be possible to auto-generate this entire config file, by adding some simple source code annotations or magic comments, at the place where the commands are actually used:

    @nova.rootwrap(['compute'], 'kpartx', 'CommandFilter, /sbin/kpartx, root')
    def map_dev(self):
        """Map partitions of the device to the file system namespace."""
          ....snip....
            _out, err = utils.trycmd('kpartx', '-a', self.device,
                                     run_as_root=True, discard_warnings=True)

and then have a script that reads the source annotations to generate this compute.filters.

Blueprint information

Status:: Complete

Approver:: None

Priority:: Undefined

Drafter:: Thierry Carrez

Direction:: Needs approval

Assignee:: None

Definition:: Obsolete

Series goal:: None

Implementation:: Unknown

Milestone target:: None

Completed by: John Garbutt on 2014-03-20

Related branches

Related bugs

Sprints

Whiteboard

This blueprint is not complete after a good year or so, marking as Obsolete to tidy up the Nova backlog. --johnthetubaguy (20th April 2014)

(?)

Work Items

This blueprint contains Public information

Everyone can see this information.

Subscribers

Daniel Berrange