oslo.privsep
oslo.privsep is the OpenStack library for privilege separation, an alternative implementation to oslo.rootwrap.
Installation
pip install oslo.privsep
Usage
- Define the contexts in privsep/__init__.py
# nova/privsep/__init__.py: one context, declaring the reduced capability set
# the privsep daemon keeps instead of full root
from oslo_privsep import capabilities
from oslo_privsep import priv_context

sys_admin_pctxt = priv_context.PrivContext(
    'nova',
    cfg_section='nova_sys_admin',
    pypath=__name__ + '.sys_admin_pctxt',
    capabilities=[capabilities.CAP_CHOWN,
                  capabilities.CAP_DAC_OVERRIDE,
                  capabilities.CAP_DAC_READ_SEARCH,
                  capabilities.CAP_FOWNER,
                  capabilities.CAP_NET_ADMIN,
                  capabilities.CAP_SYS_ADMIN],
)

# nova/privsep/motd.py: the decorated function body runs inside the privsep
# daemon; callers invoke it like an ordinary Python function
import nova.privsep


@nova.privsep.sys_admin_pctxt.entrypoint
def update_motd(message):
    with open('/etc/motd', 'w') as f:
        f.write(message)
Timeout example (from neutron):
# Excerpt from neutron's privileged ip_lib module; get_iproute,
# make_serializable and NetworkNamespaceNotFound are helpers defined there
import errno

from oslo_privsep import daemon

from neutron import privileged


# The caller receives daemon.PrivsepTimeout if the privileged call does not
# complete within 5 seconds
@privileged.default.entrypoint_with_timeout(timeout=5)
def get_link_devices(namespace, **kwargs):
    try:
        with get_iproute(namespace) as ip:
            return make_serializable(ip.get_links(**kwargs))
    except OSError as e:
        if e.errno == errno.ENOENT:
            raise NetworkNamespaceNotFound(netns_name=namespace)
        raise
    except daemon.FailedToDropPrivileges:
        raise
    except daemon.PrivsepTimeout:
        raise
# Callers import the module by its full path and call the entrypoint like any
# other function; oslo.privsep forwards the call to the daemon
import nova.privsep.motd  # full-path import
...
nova.privsep.motd.update_motd('This node is currently idle')
$ cat /etc/sudoers.d/nova
Defaults:nova !requiretty
nova ALL = (root) NOPASSWD: /usr/bin/privsep-helper *
Note:
The helper must be at exactly /usr/bin/privsep-helper; with any other path the rule has no effect.
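The sudoers fragment is what actually bounds what the service account can escalate to, so it is worth checking mechanically rather than by eye. Below is an added example, not code from this page or from oslo.privsep: a checker that accepts a fragment only if it grants the service user exactly /usr/bin/privsep-helper as root with NOPASSWD and disables requiretty, and reports broader grants (ALL) or a helper that is not at the fixed path. The sample fragments are constructed.

```python
import re
import shlex

HELPER = "/usr/bin/privsep-helper"  # the fixed path the sudo rule must name
# sudoers user specification: user host = (runas) [TAG:]... command [args]
RULE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.*)$")


def check_privsep_sudoers(text, service_user):
    """Return findings for a privsep-helper sudoers fragment ([] means OK:
    service_user runs exactly HELPER as root with NOPASSWD, nothing broader,
    and requiretty is disabled for it)."""
    findings, helper_rule, requiretty_off = [], False, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blanks
        if not line:
            continue
        if line.startswith("Defaults"):
            requiretty_off |= "!requiretty" in line
            continue
        m = RULE.match(line)
        if not m:
            findings.append("unparsed line: %r" % line)
            continue
        argv = shlex.split(m.group("cmd"))
        if m.group("user") != service_user:
            findings.append("rule for unexpected user %r" % m.group("user"))
        elif not argv or argv[0] == "ALL":
            findings.append("rule grants ALL commands instead of %s" % HELPER)
        elif argv[0] != HELPER:
            findings.append("command %r is not the fixed path %s" % (argv[0], HELPER))
        elif m.group("runas") != "root":
            findings.append("helper must run as root, not %r" % m.group("runas"))
        elif "NOPASSWD:" not in m.group("tags"):
            findings.append("helper rule lacks NOPASSWD, so sudo would prompt")
        else:
            helper_rule = True
    if not helper_rule:
        findings.append("no rule granting %s to %s" % (HELPER, service_user))
    if not requiretty_off:
        findings.append("requiretty not disabled for %s" % service_user)
    return findings


# Constructed samples: the fragment from the page, and two variants to reject
SUDOERS_OK = "Defaults:nova !requiretty\nnova ALL = (root) NOPASSWD: /usr/bin/privsep-helper *\n"
SUDOERS_ALL = "Defaults:nova !requiretty\nnova ALL = (root) NOPASSWD: ALL\n"
SUDOERS_RELATIVE = "Defaults:nova !requiretty\nnova ALL = (root) NOPASSWD: privsep-helper *\n"
```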
- Privileged operations can be performed either by running a command or through a library (lib) call.