openstack team mailing list archive

Re: Question on nova disk injection...

 

Why couldn't nova just escalate Python's privileges to the super user when writing a file (thus allowing it to use Python file writing functions and such)?

Then after it writes it could drop it back down to some other user?

That might make sense, idk, instead of having the disk injection act like a shell script which basically just emits a bunch of [tee, mv, touch, mkdir, cp] commands.

I've done something like this for anvil, not sure if it's useful here but who knows:

https://github.com/yahoo/Openstack-Anvil/blob/master/anvil/shell.py#L70

On 6/5/12 2:50 PM, "Russell Bryant" <rbryant@xxxxxxxxxx> wrote:

On 06/05/2012 05:42 PM, Joshua Harlow wrote:
> Hi all,
>
> Just some questions that I had about how nova is doing disk injection
> and such.
>
> I was noticing that the main disk/api.py does a lot of tee, cat and
> similar commands. Is there any reason it couldn't just use the standard
> python open and write data and such?
>
> Is it because of sudo access (which is connected to rootwrap?), just
> wondering since it seems sort of odd that to write a file there a tee
> call has to be done with piped input, when python already has file
> operators and such...

Yes, if it is using run_as_root=True, then it has to be run with
nova-rootwrap.

--
Russell Bryant
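
A sketch of the temporary-escalation idea raised in the first message, as an added example that is not code from nova, anvil, or anyone in this thread; `effective_uid` and `write_file_as` are hypothetical names. It assumes the process started as root and lowered only its effective UID, which means the saved UID stays 0 and any code in the process can re-escalate.

```python
import os
import tempfile
from contextlib import contextmanager


@contextmanager
def effective_uid(uid=0):
    """Switch the effective UID for the duration of the block, then restore it.

    Assumption: the process is allowed to assume `uid`, e.g. it started as
    root and lowered only its effective UID with os.seteuid(), so the saved
    set-user-ID is still 0.
    """
    previous = os.geteuid()
    os.seteuid(uid)            # raises PermissionError if not permitted
    try:
        yield
    finally:
        os.seteuid(previous)   # drop back even if the write failed


def write_file_as(uid, path, data, mode=0o600):
    """Write `data` to `path` under effective UID `uid` with plain file I/O.

    Returns the effective UID after the write so callers can confirm the drop.
    """
    with effective_uid(uid):
        # O_NOFOLLOW: refuse to open `path` if its final component is a
        # symlink, so a planted link cannot redirect a privileged write.
        flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
        fd = os.open(path, flags, mode)
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
    return os.geteuid()


if __name__ == "__main__":
    # Constructed demo: targets the current UID so it runs without root.
    # A service that started as root would pass uid=0 instead.
    target = os.path.join(tempfile.mkdtemp(), "injected.key")
    uid_after = write_file_as(os.geteuid(), target, b"constructed sample data\n")
    print("effective UID after write:", uid_after)
```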
