openstack team mailing list archive

Thread
Date

Re: Nova root wrapper understanding

To: openstack@xxxxxxxxxxxxxxxxxxx
From: Thierry Carrez <thierry@xxxxxxxxxxxxx>
Date: Mon, 14 Jan 2013 11:21:44 +0100
In-reply-to: <CAMcPiroGO-Q_j3=CPOuBbB=Lq-D6VbmKS1xrqfaHms5Ok+8xiA@mail.gmail.com>
Organization: OpenStack
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130106 Thunderbird/17.0.2

Kun Huang wrote:
> Thanks, Thierry Carrez. Your explanation is easy to understand. I have
> got why we need such a mechanism.
> 
> BTW, is root-wrap a general or popular way to keep security? I have no
> experience on security, but I have heard the /root /should be banned
> because of security. Ideally, should we ban /root /in nodes and just use
> root wrapped /nova /user for tasks in need?

Ideally, we should run all services as an unprivileged user ("nova"). In
reality, given the low-level tasks generally needed to bootstrap
infrastructure resources, it's difficult to achieve. So we should strive
to only escalate when really needed, and filter properly to ensure
escalation is limited. Rootwrap provides a framework for that filtering.

-- 
Thierry Carrez (ttx)
Release Manager, OpenStack

References

Nova root wrapper understanding
From: Kun Huang, 2013-01-11
Re: Nova root wrapper understanding
From: Thierry Carrez, 2013-01-11
Re: Nova root wrapper understanding
From: Daniel P. Berrange, 2013-01-11
Re: Nova root wrapper understanding
From: Thierry Carrez, 2013-01-11
Re: Nova root wrapper understanding
From: Kun Huang, 2013-01-11