yahoo-eng-team team mailing list archive

[Bug 1996213] [NEW] [rfe] modify our usage of privsep in nova

Public bug reported:

Nova compute services use the privsep library [1] for specific 'root'
privilege usage for a command or a direct call to the system.

Unfortunately, our current usage of this library is not really a
good recommendation: instead of using a sysadmin context that uses
*all* privileged caps for any caller we have [2], we should rather
define a per-call context with specific caps.

[1] https://docs.openstack.org/oslo.privsep/latest/user/index.html
[2] https://github.com/openstack/nova/blob/c97507dfcd57cce9d76670d3b0d48538900c00e9/nova/privsep/__init__.py#L21-L31

** Affects: nova
     Importance: Wishlist
         Status: Triaged


** Tags: low-hanging-fruit rfe

https://bugs.launchpad.net/bugs/1996213

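One way to review a code base for the pattern the report describes, as an added example that is not part of the bug report or of nova: a static check that lists each oslo.privsep `PrivContext` declaration with the capabilities it is granted and flags the broad ones. The sample source, the context names `broad_pctxt` and `net_pctxt`, and the `max_caps` threshold are constructed assumptions.

```python
import ast

# Constructed sample (not nova's actual source): one broad context shared by
# all callers, and one narrow context scoped to a single kind of call.
SAMPLE = '''
from oslo_privsep import capabilities, priv_context

broad_pctxt = priv_context.PrivContext(
    "example", cfg_section="example_broad", pypath=__name__ + ".broad_pctxt",
    capabilities=[capabilities.CAP_CHOWN, capabilities.CAP_DAC_OVERRIDE,
                  capabilities.CAP_NET_ADMIN, capabilities.CAP_SYS_ADMIN])

net_pctxt = priv_context.PrivContext(
    "example", cfg_section="example_net", pypath=__name__ + ".net_pctxt",
    capabilities=[capabilities.CAP_NET_ADMIN])
'''


def find_contexts(source):
    """Return {context variable: [capability names]} for PrivContext(...) assignments."""
    found = {}
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Assign) and isinstance(node.value, ast.Call)):
            continue
        func = node.value.func
        callee = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if callee != "PrivContext":
            continue
        caps = []
        for kw in node.value.keywords:
            if kw.arg == "capabilities" and isinstance(kw.value, (ast.List, ast.Tuple)):
                # capabilities.CAP_X -> "CAP_X"; anything else is reported as opaque
                caps = [getattr(e, "attr", getattr(e, "id", "<expr>")) for e in kw.value.elts]
        for target in node.targets:
            if isinstance(target, ast.Name):
                found[target.id] = caps
    return found


def flag_broad(contexts, max_caps=2):
    """Names of contexts holding CAP_SYS_ADMIN or more than max_caps capabilities.

    max_caps=2 is an arbitrary review threshold (assumption), not an oslo.privsep rule.
    """
    return sorted(name for name, caps in contexts.items()
                  if "CAP_SYS_ADMIN" in caps or len(caps) > max_caps)


if __name__ == "__main__":
    contexts = find_contexts(SAMPLE)
    for name in flag_broad(contexts):
        print(f"{name}: {len(contexts[name])} capabilities: {', '.join(contexts[name])}")
```
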