 f535e8bb99
			
		
	
I don't particularly care about this use case (although the localfs code should perhaps go away), but it was a nice contained example of a privsep user which wasn't just calling a command line.

This patch also starts to lay out what an API to the privsep'd code might look like. For now it's modelled on python's os module, because that's where all the operations we perform are coming from.

The rootwrap configuration is cleaned up as we remove users.

Co-Authored-By: Tony Breeds <tony@bakeyournoodle.com>
Change-Id: I911cc51a226d6af29d63a7a2c69253de870073e9
		
			
				
	
	
		
10 lines, 455 B, YAML
			
		
		
	
	
---
security:
  - |
    Privsep transitions. Nova is transitioning from using the older style
    rootwrap privilege escalation path to the new style Oslo privsep path.
    This should improve performance and security of Nova in the long term.
  - |
    privsep daemons are now started by nova when required. These daemons can
    be started via rootwrap if required. rootwrap configs therefore need to
    be updated to include new privsep daemon invocations.
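
The release note's requirement that rootwrap configs include the privsep daemon invocation can be checked mechanically. The following is an added example, not code from the Nova change: the filter entries are constructed samples, and it assumes oslo.rootwrap's `[Filters]` file format and oslo.privsep's `privsep-helper` command.

```python
import configparser

# Constructed sample filter files in oslo.rootwrap's [Filters] format;
# the entries are illustrative and not copied from Nova's tree.
OLD_FILTERS = r"""
[Filters]
chown: CommandFilter, chown, root
mkdir: CommandFilter, mkdir, root
"""

NEW_FILTERS = r"""
[Filters]
privsep-helper: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/nova/.*, --privsep_context, nova\.privsep\..*, --privsep_sock_path, /tmp/.*
"""


def parse_filters(text):
    """Return {name: [filter_class, executable, run_as, *arg_patterns]}."""
    parser = configparser.RawConfigParser()
    parser.read_string(text)
    return {name: [field.strip() for field in value.split(",")]
            for name, value in parser.items("Filters")}


def audit(text):
    """Classify root-run entries: privsep daemon launchers vs. other commands."""
    report = {"privsep": [], "legacy_root": [], "unchecked_privsep": []}
    for name, (cls, exe, user, *_args) in sorted(parse_filters(text).items()):
        if user != "root":
            continue
        if exe != "privsep-helper":
            report["legacy_root"].append(name)
            continue
        report["privsep"].append(name)
        # CommandFilter matches on the executable only, so the arguments
        # (including --privsep_context) are not constrained by such an entry.
        if cls == "CommandFilter":
            report["unchecked_privsep"].append(name)
    return report


if __name__ == "__main__":
    for label, text in (("old", OLD_FILTERS), ("new", NEW_FILTERS)):
        print(label, audit(text))
```

An empty `privsep` list means rootwrap cannot start the daemon, and any name under `unchecked_privsep` is an entry worth tightening to a `RegExpFilter`.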