Bug#887188: [PKG-Openstack-devel] Bug#887188: nova-compute should depend on e2fsprogs explicitly
On 01/24/2018 11:46 PM, Andreas Henriksson wrote: > Hello Thomas Goirand, > > On Wed, Jan 24, 2018 at 01:38:01PM +0100, Thomas Goirand wrote: >> Andreas, >> >> rootwrap is just a wrapper around sudo to improve security. So in this >> case, nova-compute really *is* using the above tools, and should depend >> on e2fsprogs. I'll push a change with nova-common depending on it. > > As mentioned I spent very little time on trying to understand what > rootwrap is, but it seemed to me like a rootwrap filter would be > similar to having a /etc/sudoers rule that included eg. mke2fs. > Ff that was the case the sudo package still would not depend on > e2fsprogs (It would still be the program actually executing > the command that sudoers gives you permission to run that needs the > dependency.) but apparently spending 2 seconds is not enough to > correctly understand rootwrap for me. :P > > I fully trust you have a much better understanding of this than me, > so thanks for your swift feedback. Looking forward to seeing this fixed > soon! > > Regards, > Andreas Henriksson Just let me explain then. The nova-common package ships a sudoers.d file with this content: nova ALL = (root) NOPASSWD: /usr/bin/nova-rootwrap /etc/nova/rootwrap.conf * As you see, only nova-rootwrap can be called. rootwrap then has some filters in rootwrap.conf to restrict the usage of itself in nova. So indeed, everything which is listed in /etc/nova/rootwrap.conf is actually used by nova. Yes, rootwrap is a band-aid thing, and it's far from perfect. This is the reason why we now have oslo.privsep, which uses a much nicer mechanism. Hopefully, Nova will switch to that "soon". Cheers, Thomas Goirand (zigo)
Bug#887188: [PKG-Openstack-devel] Bug#887188: nova-compute should depend on e2fsprogs explicitly
Hello Thomas Goirand, On Wed, Jan 24, 2018 at 01:38:01PM +0100, Thomas Goirand wrote: > Andreas, > > rootwrap is just a wrapper around sudo to improve security. So in this > case, nova-compute really *is* using the above tools, and should depend > on e2fsprogs. I'll push a change with nova-common depending on it. As mentioned I spent very little time on trying to understand what rootwrap is, but it seemed to me like a rootwrap filter would be similar to having a /etc/sudoers rule that included eg. mke2fs. Ff that was the case the sudo package still would not depend on e2fsprogs (It would still be the program actually executing the command that sudoers gives you permission to run that needs the dependency.) but apparently spending 2 seconds is not enough to correctly understand rootwrap for me. :P I fully trust you have a much better understanding of this than me, so thanks for your swift feedback. Looking forward to seeing this fixed soon! Regards, Andreas Henriksson
Bug#887188: [PKG-Openstack-devel] Bug#887188: nova-compute should depend on e2fsprogs explicitly
On 01/23/2018 09:28 AM, Andreas Henriksson wrote: > On Sun, Jan 14, 2018 at 08:08:22PM +0100, Helmut Grohne wrote: >> Package: nova-compute > [...] >> /etc/nova/rootwrap.d/compute.filters contains e2fsck, mkfs.ext3, mkfs.ext4, >> resize2fs and tune2fs. According to file it is a ASCII text > [...] > > My understanding after spending about 2 seconds looking at the initial > part of https://wiki.openstack.org/wiki/Rootwrap is that nova-compute > likely doesn't execute these commands itself. I would thus assume > neither of Depends, Recommends or Suggests is suitable in this case and > the bug report should simply be closed. > > Would be great to hear maintainers view on this. > > Regards, > Andreas Henriksson Andreas, rootwrap is just a wrapper around sudo to improve security. So in this case, nova-compute really *is* using the above tools, and should depend on e2fsprogs. I'll push a change with nova-common depending on it. Cheers, Thomas Goirand (zigo)