openstack team mailing list archive

Re: Nova root wrapper understanding

 

Kun Huang wrote:
> Thanks, Thierry Carrez. Your explanation is easy to understand. I have
> got why we need such a mechanism.
> 
> BTW, is root-wrap a general or popular way to keep security? I have no
> experience on security, but I have heard the /root/ should be banned
> because of security. Ideally, should we ban /root/ in nodes and just use
> root wrapped /nova/ user for tasks in need?

Ideally, we should run all services as an unprivileged user ("nova"). In
reality, given the low-level tasks generally needed to bootstrap
infrastructure resources, it's difficult to achieve. So we should strive
to only escalate when really needed, and filter properly to ensure
escalation is limited. Rootwrap provides a framework for that filtering.

-- 
Thierry Carrez (ttx)
Release Manager, OpenStack
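
The filtering idea described in the reply above, as an added example that is not part of the original message and is not oslo.rootwrap's own code. It is a simplified model: the filter class names CommandFilter and RegExpFilter come from rootwrap, while the sample filter entries, the function names and the exact matching rules are assumptions made for illustration.

```python
import configparser
import re

# Constructed sample filter file for this example (not taken from Nova).
SAMPLE_FILTERS = """\
[Filters]
kpartx: CommandFilter, kpartx, root
tee_ip_forward: RegExpFilter, tee, root, tee, /proc/sys/net/ipv4/ip_forward
"""


def load_filters(text):
    """Parse 'name: FilterClass, executable, run_as, arg_regex...' entries."""
    parser = configparser.RawConfigParser()  # raw: regexes may contain '%'
    parser.read_string(text)
    filters = []
    for name, value in parser.items("Filters"):
        kind, exe, run_as, *patterns = [f.strip() for f in value.split(",")]
        if kind not in ("CommandFilter", "RegExpFilter"):
            raise ValueError(f"unsupported filter class in {name}: {kind}")
        filters.append((name, kind, exe, run_as, patterns))
    return filters


def match(filters, argv):
    """Return (filter name, run-as user) for an allowed argv, else None."""
    if not argv:
        return None
    for name, kind, exe, run_as, patterns in filters:
        # Assumption: bare executable names only; a path such as
        # ./kpartx never matches, so the caller cannot swap the binary.
        if argv[0] != exe:
            continue
        if kind == "CommandFilter":
            return name, run_as  # executable allowed with any arguments
        # RegExpFilter: one fully anchored regex per argv element.
        if len(patterns) == len(argv) and all(
            re.fullmatch(p, a) for p, a in zip(patterns, argv)
        ):
            return name, run_as
    return None  # default deny: anything not listed is never escalated


if __name__ == "__main__":
    rules = load_filters(SAMPLE_FILTERS)
    for cmd in (["kpartx", "-a", "/dev/loop0"], ["tee", "/etc/shadow"]):
        print(cmd, "->", match(rules, cmd))
```

The unprivileged service would only be allowed to invoke the wrapper as root; the wrapper then runs a command only when `match` returns a filter, which keeps the escalation limited to the listed cases.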

