When os-brick starts using privsep, it will need to know how to invoke
its privileged half. Amazingly the name of the rootwrap executable
isn't anywhere else in the config, so the privsep default uses just
"sudo" (no rootwrap).

We need to either:

1. set the privsep command line to use nova-rootwrap in nova.conf (and
   similar in other configs), or
2. add the privsep-helper line to sudoers and bypass rootwrap entirely.

This change implements (1) for devstack (nova only for now, cinder to
follow shortly).

Change-Id: I90dc41bc77993bd83b80c92286e015e14f290b45
| ... | ... |
@@ -501,6 +501,8 @@ function create_nova_conf {
|
| 501 | 501 |
iniset $NOVA_CONF DEFAULT bindir "/usr/bin" |
| 502 | 502 |
fi |
| 503 | 503 |
|
| 504 |
+ iniset $NOVA_CONF privsep_osbrick helper_command "sudo nova-rootwrap \$rootwrap_config privsep-helper --config-file $NOVA_CONF" |
|
| 505 |
+ |
|
| 504 | 506 |
if is_service_enabled n-api; then |
| 505 | 507 |
if is_service_enabled n-api-meta; then |
| 506 | 508 |
# If running n-api-meta as a separate service |
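Review bot: The new iniset line at 504 mixes two expansion times without a comment, and it is the line that defines how the privileged helper gets started, so it deserves one. `\$rootwrap_config` is escaped and lands in nova.conf as a literal to be substituted when the config is read, while `$NOVA_CONF` is expanded by the shell when devstack writes the file; a reader who removes the backslash or adds one to the second variable changes the command that runs under sudo. Please add a short comment above the line stating that the first is intentionally deferred and the second intentionally baked in, as the neighbouring context does for n-api-meta. Two further points on the same line: `nova-rootwrap` is a bare name, so the command depends on path lookup at run time, and an absolute path would remove that dependency; and since this routes privsep-helper through rootwrap rather than sudoers (option 1 in the commit message), it is worth confirming in the commit message or a comment that the rootwrap filters allow privsep-helper with this `--config-file` argument, because nothing in this hunk shows that.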