diff -pruN 1.6.0-1/AUTHORS 1.6.0-0ubuntu1/AUTHORS --- 1.6.0-1/AUTHORS 1970-01-01 00:00:00.000000000 +0000 +++ 1.6.0-0ubuntu1/AUTHORS 2015-03-09 14:32:57.000000000 +0000 @@ -0,0 +1,27 @@ +Bogdan Dobrelya +Cedric Brandily +ChangBo Guo(gcb) +Christian Berendt +Cyril Roelandt +Davanum Srinivas +Dina Belova +Dirk Mueller +Doug Hellmann +Doug Hellmann +Jakub Libosvar +James Carey +Jeremy Stanley +Julien Danjou +Mark McClain +Mark McLoughlin +Maru Newby +Monty Taylor +Roman Podolyaka +Sergey Kraynev +Sergey Lukjanov +Stanislav Kudriashev +Thierry Carrez +Tomoki Sekiyama +Yufang Zhang +Yuriy Taraday +Zhongyue Luo diff -pruN 1.6.0-1/ChangeLog 1.6.0-0ubuntu1/ChangeLog --- 1.6.0-1/ChangeLog 1970-01-01 00:00:00.000000000 +0000 +++ 1.6.0-0ubuntu1/ChangeLog 2015-03-09 14:32:57.000000000 +0000 @@ -0,0 +1,122 @@ +CHANGES +======= + +1.6.0 +----- + +* Remove env changing support in daemon mode +* Updated from global requirements +* Updated from global requirements +* Add bug link to README + +1.5.0 +----- + +* Add cross-testing script +* Updated from global requirements +* Move files out of the namespace package +* Activate pep8 check that _ is imported +* Workflow documentation is now in infra-manual + +1.4.0 +----- + +* Updated from global requirements +* Updated from global requirements +* Correct filters examples in README.rst +* Updated from global requirements +* Fix exit of subprocess in case it was terminated by signal +* Updated from global requirements +* Support building wheels (PEP-427) +* Updated from global requirements + +1.3.0 +----- + +* Clean up title on main doc page +* Initial cut of documentation for oslo.rootwrap +* Add a short doc to README on how to use daemon mode +* Fix the bug tracker URL in CONTRIBUTING.rst +* warn against sorting requirements +* Updated from global requirements + +1.3.0.0a2 +--------- + +* Add daemon mode to benchmark +* Add an option to run rootwrap as a daemon +* Refactor common parts from cmd to wrapper +* Add basic benchmark +* Remove sys.path modification +* Move test requirement coverage into tox.ini +* Enabled hacking check H305 +* Continue on failure of leaf filters of chaining filters + +1.3.0.0a1 +--------- + +* Let tests pass on distros where "ip" is in /bin +* Bump hacking to 0.9.x series +* Avoid usage of mutables as default args +* Simplify the flow in RegExpFilter +* Add ChainingRegExpFilter for prefix utilities +* Fix Python 3 support, add functional test +* Fix import grouping +* Remove unused variable 'command' +* Run py33 test env before others + +1.2.0 +----- + +* Avoid matching ip -s netns exec in IpFilter +* Don't use system pip things in tox +* Add Python 3 trove classifiers +* To honor RFC5424 add use_syslog_rfc_format config option +* Trivial changes from oslo-incubator + +1.1.0 +----- + +* Discontinue usage of oslo-rootwrap +* Add missing oslo/__init__.py +* Fix spelling errors in comments + +1.0.0 +----- + +* Use oslo-rootwrap in config directory names +* Ship with etc/oslo.rootwrap instead of etc/oslo +* Add a complete README.rst +* Add .gitreview for oslo.rootwrap +* Add standalone project packaging support files +* Make Rootwrap python3-compatible +* Make tests not depend on openstack.common stuff +* Move files to new locations for oslo-config +* Skip hidden files while traversion rootwrap filters +* Fix os.getlogin() problem with no tty +* Send rootwrap exit error message to stderr +* rootwrap: improve Python 3 compatibility +* Replace using tests.utils part2 +* Fixes files with wrong bitmode +* Remove DnsmasqFilter and DeprecatedDnsmasqFilter +* Handle empty arglists in Filters +* Handle empty PATH environment variable +* Add IpFilter, IPNetnsExecFilter and EnvFilter +* Handle relative path arguments in Killfilter +* Enable hacking H404 test +* Enable hacking H402 test +* Update KillFilter to stop at '\0' for readlink() function +* Stylistic improvements from quantum-rootwrap +* Use print_function __future__ import +* Revert common logging use in rootwrap +* Improve Python 3.x compatibility +* Replaces standard logging with common logging +* Move bin/ scripts to entrypoints +* Add PathFilter to rootwrap +* update OpenStack, LLC to OpenStack Foundation +* Fix Copyright Headers - Rename LLC to Foundation +* Replaced direct usage of stubout with BaseTestCase +* Use testtools as test base class +* Remove unused etc/openstack-common.conf.test +* Fix pep8 E125 errors +* Move rootwrap code to openstack.common diff -pruN 1.6.0-1/debian/changelog 1.6.0-0ubuntu1/debian/changelog --- 1.6.0-1/debian/changelog 2015-04-27 21:06:38.000000000 +0000 +++ 1.6.0-0ubuntu1/debian/changelog 2015-03-12 13:37:25.000000000 +0000 @@ -1,53 +1,79 @@ -oslo.rootwrap (1.6.0-1) unstable; urgency=medium +oslo.rootwrap (1.6.0-0ubuntu1) vivid; urgency=medium * New upstream release. - * Uploading to unstable. + * debian/control: Update dependencies. - -- Thomas Goirand Sun, 08 Feb 2015 12:03:20 +0100 + -- Chuck Short Thu, 12 Mar 2015 09:37:01 -0400 -oslo.rootwrap (1.3.0.0-1) experimental; urgency=medium +oslo.rootwrap (1.5.0-0ubuntu3) vivid; urgency=medium + + * d/control: Bumped Standards-Version to 3.9.6, no changes. + * d/copyright: Tidy for lintian warnings. + * d/python-oslo-rootwrap.install: Add explicit install of rootwrap package. + * d/t/control: Add python-oslotest to dependencies. + * d/t/python-oslo.rootwrap: Purge .testrepository prior to test execution. + + -- James Page Mon, 16 Feb 2015 09:35:28 +0000 + +oslo.rootwrap (1.5.0-0ubuntu2) vivid; urgency=medium + + * debian/control: Fix broken Breaks/Replaces. + + -- Chuck Short Tue, 10 Feb 2015 08:46:54 -0500 + +oslo.rootwrap (1.5.0-0ubuntu1) vivid; urgency=medium * New upstream release. + * Transition to new namespace. + * debian/control: Add python-oslotest as a build dependency. - -- Thomas Goirand Thu, 02 Oct 2014 12:22:40 +0000 + -- Chuck Short Mon, 09 Feb 2015 11:03:19 -0500 -oslo.rootwrap (1.3.0.0~a3-1) experimental; urgency=medium +oslo.rootwrap (1.4.0-0ubuntu1) vivid; urgency=medium * New upstream release. - * Uploading to experimental just right before the Jessie freeze. - * Fixed (build-)depends. - * Do not run the unit tests using Python 2.6. - -- Thomas Goirand Wed, 17 Sep 2014 00:14:28 +0800 + -- Chuck Short Wed, 03 Dec 2014 09:54:17 -0500 -oslo.rootwrap (1.2.0-2) unstable; urgency=medium +oslo.rootwrap (1.3.0.0-0ubuntu1) utopic; urgency=medium - * Fixed wrong VCS URLs. - * Added Python 3 support. - * Runs unit tests on build, build-conflicts with other python-osolo.* - packages which are on the same namespace, and then preventing from doing - "import oslo.rootwrap" from the current dir. + * New upstream final release (1.3.0 uploaded as 1.3.0.0 due to pre-release + versioning), fixing internal version check issues in other OpenStack + components. - -- Thomas Goirand Sun, 03 Aug 2014 14:45:45 +0000 + -- James Page Wed, 01 Oct 2014 14:07:16 +0100 -oslo.rootwrap (1.2.0-1) unstable; urgency=medium +oslo.rootwrap (1.3.0.0~a3-0ubuntu1) utopic; urgency=medium - * New upstream release. - * Using testr / subunit correctly. - * Removed Debian patch (applied upstream). - * Now depends on sudo (Closes: #746501). Thanks to Benedikt Trefzer - for the bug report. + * New upstream milestone release for OpenStack Juno: + - d/control: Bump six versioning to >= 1.7.0. + * d/watch: Update upstream watch location. + * Enable test suite execution during package build: + - d/control: Add BD on subunit. + - d/rules: Execute unit tests. + + -- James Page Fri, 26 Sep 2014 17:54:01 +0100 + +oslo.rootwrap (1.3.0.0~a2-0ubuntu1) utopic; urgency=medium + + * New upstream release. + + -- Chuck Short Wed, 10 Sep 2014 09:00:34 -0400 + +oslo.rootwrap (1.2.0-0ubuntu1) trusty; urgency=medium + + * New upstream version. (LP: #1297446) - -- Thomas Goirand Thu, 01 May 2014 16:35:22 +0800 + -- Chuck Short Tue, 25 Mar 2014 14:25:13 -0400 -oslo.rootwrap (1.0.0-2) unstable; urgency=medium +oslo.rootwrap (1.0.0-0ubuntu2) trusty; urgency=medium - * Fixes unit tests by cherry-picking a commit upstream. + * Rebuild to drop files installed into /usr/share/pyshared. - -- Thomas Goirand Fri, 24 Jan 2014 14:30:17 +0000 + -- Matthias Klose Sun, 23 Feb 2014 13:49:31 +0000 -oslo.rootwrap (1.0.0-1) unstable; urgency=low +oslo.rootwrap (1.0.0-0ubuntu1) trusty; urgency=low - * Initial release. (Closes: #736485) + * Initial release. - -- Thomas Goirand Mon, 30 Dec 2013 15:46:09 +0800 + -- Chuck Short Mon, 09 Dec 2013 10:59:58 -0500 diff -pruN 1.6.0-1/debian/control 1.6.0-0ubuntu1/debian/control --- 1.6.0-1/debian/control 2015-04-27 21:06:38.000000000 +0000 +++ 1.6.0-0ubuntu1/debian/control 2015-03-12 13:37:37.000000000 +0000 @@ -1,70 +1,37 @@ Source: oslo.rootwrap Section: python Priority: optional -Maintainer: PKG OpenStack -Uploaders: Thomas Goirand , -Build-Depends: debhelper (>= 9), - dh-python, - openstack-pkg-tools, - python-all, - python-pbr, - python-setuptools, - python-sphinx, - python3-all, - python3-pbr, - python3-setuptools, -Build-Depends-Indep: iproute2, - python-eventlet (>= 0.16.1), - python-fixtures, - python-hacking, - python-mock, - python-oslosphinx (>= 2.2.0.0), - python-oslotest (>= 1.2.0), - python-six (>= 1.9.0), - python-testscenarios, - python-testtools, - python3-fixtures, - python3-mock, - python3-oslotest (>= 1.2.0), - python3-six (>= 1.9.0), - python3-subunit, - python3-testscenarios, - python3-testtools, - subunit, - testrepository, +Maintainer: Chuck Short +Build-Depends: + debhelper (>= 9.0.0), + python-all (>= 2.6.6-3~), + python-fixtures, + python-mock, + python-oslotest, + python-pbr, + python-setuptools, + python-six (>= 1.9.0), + python-testscenarios, + python-testtools, + subunit, + testrepository Standards-Version: 3.9.6 -Vcs-Browser: http://anonscm.debian.org/gitweb/?p=openstack/oslo.rootwrap.git -Vcs-Git: git://anonscm.debian.org/openstack/oslo.rootwrap.git -Homepage: https://launchpad.net/oslo +XS-Testsuite: autopkgtest -Package: python-oslo.rootwrap +Package: python-oslo-rootwrap Architecture: all -Depends: python-six (>= 1.9.0), - sudo, - ${misc:Depends}, - ${python:Depends}, -Provides: python-oslo-rootwrap, -Description: allows fine filtering of shell commands to run as root - Python 2.x - The Oslo Rootwrap allows fine filtering of shell commands to run as root from - OpenStack services. - . - Unlike other Oslo deliverables, it should not be used as a Python library, but - called as a separate process through the oslo-rootwrap command. - . - This package provides the Python 2.x module. +Breaks: python-oslo.rootwrap (<< 1.5.0-0ubuntu1~) +Replaces: python-oslo.rootwrap (<< 1.5.0-0ubuntu1~) +Depends: ${misc:Depends}, ${python:Depends} +Suggests: sudo +Description: Fine filtering of shell commands as 'root' + The Oslo Rootwrap allows fine filtering of shell commands to run as `root` + from OpenStack services. -Package: python3-oslo.rootwrap +Package: python-oslo.rootwrap +Section: oldlibs Architecture: all -Depends: python3-six (>= 1.9.0), - sudo, - ${misc:Depends}, - ${python3:Depends}, -Provides: python3-oslo-rootwrap, -Description: allows fine filtering of shell commands to run as root - Python 3.x - The Oslo Rootwrap allows fine filtering of shell commands to run as root from - OpenStack services. - . - Unlike other Oslo deliverables, it should not be used as a Python library, but - called as a separate process through the oslo-rootwrap command. - . - This package provides the Python 3.x module. +Depends: ${misc:Depends}, python-oslo-rootwrap +Description: transitional dummy package for python-oslo.rootwrap + This transtional package is safe to remove. + diff -pruN 1.6.0-1/debian/copyright 1.6.0-0ubuntu1/debian/copyright --- 1.6.0-1/debian/copyright 2015-04-27 21:06:38.000000000 +0000 +++ 1.6.0-0ubuntu1/debian/copyright 2015-02-16 08:42:13.000000000 +0000 @@ -1,16 +1,17 @@ Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Upstream-Name: oslo.rootwrap -Source: https://launchpad.net/oslo - -Files: debian/* -Copyright: (c) 2013, Thomas Goirand -License: Apache-2 +Source: https://github.com/openstack/oslo.rootwrap Files: * -Copyright: (c) 2013, OpenStack foundation -License: Apache-2 +Copyright: (c) 2011-2013 OpenStack Foundation. + (c) 2013 Hewlett-Packard Development Company, L.P. +License: Apache-2.0 + +Files: debian/* +Copyright: 2013 Canonical Ltd +License: Apache-2.0 -License: Apache-2 +License: Apache-2.0 Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at @@ -24,4 +25,4 @@ License: Apache-2 limitations under the License. . On Debian-based systems the full text of the Apache version 2.0 license - can be found in /usr/share/common-licenses/Apache-2.0. + can be found in `/usr/share/common-licenses/Apache-2.0'. diff -pruN 1.6.0-1/debian/dirs 1.6.0-0ubuntu1/debian/dirs --- 1.6.0-1/debian/dirs 1970-01-01 00:00:00.000000000 +0000 +++ 1.6.0-0ubuntu1/debian/dirs 2015-02-16 08:35:27.000000000 +0000 @@ -0,0 +1 @@ +usr/share/python-oslo.rootwrap diff -pruN 1.6.0-1/debian/docs 1.6.0-0ubuntu1/debian/docs --- 1.6.0-1/debian/docs 1970-01-01 00:00:00.000000000 +0000 +++ 1.6.0-0ubuntu1/debian/docs 2015-02-16 08:35:27.000000000 +0000 @@ -0,0 +1,3 @@ +README.rst +requirements.txt +test-requirements.txt diff -pruN 1.6.0-1/debian/gbp.conf 1.6.0-0ubuntu1/debian/gbp.conf --- 1.6.0-1/debian/gbp.conf 2015-04-27 21:06:38.000000000 +0000 +++ 1.6.0-0ubuntu1/debian/gbp.conf 1970-01-01 00:00:00.000000000 +0000 @@ -1,9 +0,0 @@ -[DEFAULT] -upstream-branch = master -debian-branch = debian/kilo -upstream-tag = %(version)s -compression = xz - -[git-buildpackage] -export-dir = ../build-area/ - diff -pruN 1.6.0-1/debian/patches/do-not-run-toplevel-tests.patch 1.6.0-0ubuntu1/debian/patches/do-not-run-toplevel-tests.patch --- 1.6.0-1/debian/patches/do-not-run-toplevel-tests.patch 2015-04-27 21:06:38.000000000 +0000 +++ 1.6.0-0ubuntu1/debian/patches/do-not-run-toplevel-tests.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,15 +0,0 @@ -Description: Do not run toplevel tests - We only want to run new tests in the oslo_rootwrap without namespace, as the - others are failing to work with Python 3. -Author: Thomas Goirand -Forwarded: not-needed -Last-Update: 2015-04-09 - ---- oslo.rootwrap-1.6.0.orig/.testr.conf -+++ oslo.rootwrap-1.6.0/.testr.conf -@@ -1,4 +1,4 @@ - [DEFAULT] --test_command=OS_STDOUT_CAPTURE=1 OS_STDERR_CAPTURE=1 OS_TEST_TIMEOUT=60 ${PYTHON:-python} -m subunit.run discover -t ./ . $LISTOPT $IDOPTION -+test_command=OS_STDOUT_CAPTURE=1 OS_STDERR_CAPTURE=1 OS_TEST_TIMEOUT=60 ${PYTHON:-python} -m subunit.run discover -t ./ ./oslo_rootwrap $LISTOPT $IDOPTION - test_id_option=--load-list $IDFILE - test_list_option=--list diff -pruN 1.6.0-1/debian/patches/series 1.6.0-0ubuntu1/debian/patches/series --- 1.6.0-1/debian/patches/series 2015-04-27 21:06:38.000000000 +0000 +++ 1.6.0-0ubuntu1/debian/patches/series 1970-01-01 00:00:00.000000000 +0000 @@ -1 +0,0 @@ -do-not-run-toplevel-tests.patch diff -pruN 1.6.0-1/debian/python-oslo-rootwrap.install 1.6.0-0ubuntu1/debian/python-oslo-rootwrap.install --- 1.6.0-1/debian/python-oslo-rootwrap.install 1970-01-01 00:00:00.000000000 +0000 +++ 1.6.0-0ubuntu1/debian/python-oslo-rootwrap.install 2015-02-16 08:39:14.000000000 +0000 @@ -0,0 +1 @@ +usr/lib/python* diff -pruN 1.6.0-1/debian/rules 1.6.0-0ubuntu1/debian/rules --- 1.6.0-1/debian/rules 2015-04-27 21:06:38.000000000 +0000 +++ 1.6.0-0ubuntu1/debian/rules 2015-02-16 08:35:27.000000000 +0000 @@ -1,43 +1,28 @@ #!/usr/bin/make -f -PYTHONS:=$(shell pyversions -vr) -PYTHON3S:=$(shell py3versions -vr) - -UPSTREAM_GIT = git://github.com/openstack/oslo.rootwrap.git --include /usr/share/openstack-pkg-tools/pkgos.make +# Uncomment this to turn on verbose mode. +#export DH_VERBOSE=1 -export OSLO_PACKAGE_VERSION=$(VERSION) +PYTHONS:=$(shell pyversions -vr) %: - dh $@ --buildsystem=python_distutils --with python2,python3 - -override_dh_install: - set -e && for pyvers in $(PYTHONS); do \ - python$$pyvers setup.py install --install-layout=deb \ - --root $(CURDIR)/debian/python-oslo.rootwrap; \ - done - set -e && for pyvers in $(PYTHON3S); do \ - python$$pyvers setup.py install --install-layout=deb \ - --root $(CURDIR)/debian/python3-oslo.rootwrap; \ - done - rm -f $(CURDIR)/debian/python*-oslo.rootwrap/usr/lib/python*/dist-packages/*.pth - -override_dh_clean: - dh_clean -O--buildsystem=python_distutils - rm -rf .testrepository build + dh $@ --with python2 override_dh_auto_test: ifeq (,$(findstring nocheck, $(DEB_BUILD_OPTIONS))) - @echo "===> Running tests" - set -ex && for i in 2.7 $(PYTHON3S) ; do \ - PYMAJOR=`echo $$i | cut -d'.' -f1` ; \ - echo "===> Testing with python$$i (python$$PYMAJOR)" ; \ + set -e && set -x && \ + for i in $(PYTHONS) ; do \ + echo "===> Testing for python$$i" ; \ rm -rf .testrepository ; \ - testr-python$$PYMAJOR init ; \ + testr init ; \ TEMP_REZ=`mktemp -t` && \ - PYTHONPATH=$(CURDIR) PYTHON=python$$i testr run --subunit 'tests\.(?!.*test_RootwrapConfig.*|.*RootwrapDaemonTest.*)' | tee $$TEMP_REZ | subunit2pyunit ; \ + PYTHON=python$$i PYTHONPATH=$(CURDIR) testr run --subunit | tee $$TEMP_REZ | subunit2pyunit ; \ cat $$TEMP_REZ | subunit-filter -s --no-passthrough | subunit-stats ; \ rm -f $$TEMP_REZ ; \ testr slowest ; \ done endif + + +get-orig-source: + uscan --verbose --force-download --rename --repack --download-current-version --destdir=../build-area diff -pruN 1.6.0-1/debian/tests/control 1.6.0-0ubuntu1/debian/tests/control --- 1.6.0-1/debian/tests/control 1970-01-01 00:00:00.000000000 +0000 +++ 1.6.0-0ubuntu1/debian/tests/control 2015-02-16 08:37:38.000000000 +0000 @@ -0,0 +1,2 @@ +Tests: python-oslo.rootwrap +Depends: @, python-all, testrepository, python-testscenarios, python-testtools, python-mock, python-oslotest diff -pruN 1.6.0-1/debian/tests/python-oslo.rootwrap 1.6.0-0ubuntu1/debian/tests/python-oslo.rootwrap --- 1.6.0-1/debian/tests/python-oslo.rootwrap 1970-01-01 00:00:00.000000000 +0000 +++ 1.6.0-0ubuntu1/debian/tests/python-oslo.rootwrap 2015-02-16 09:32:24.000000000 +0000 @@ -0,0 +1,5 @@ +#!/bin/sh + +set -e -u +rm -rf .testrepository +testr init && testr run diff -pruN 1.6.0-1/debian/watch 1.6.0-0ubuntu1/debian/watch --- 1.6.0-1/debian/watch 2015-04-27 21:06:38.000000000 +0000 +++ 1.6.0-0ubuntu1/debian/watch 2015-02-16 08:35:27.000000000 +0000 @@ -1,3 +1,3 @@ version=3 -http://pypi.python.org/packages/source/o/oslo.rootwrap oslo.rootwrap-(.*).tar.gz - +opts="uversionmangle=s/([a-zA-Z])/~$1/;s/%7E/~/" \ + http://tarballs.openstack.org/oslo.rootwrap/oslo.rootwrap-(.*)\.tar\.gz diff -pruN 1.6.0-1/.gitignore 1.6.0-0ubuntu1/.gitignore --- 1.6.0-1/.gitignore 2015-03-04 11:50:25.000000000 +0000 +++ 1.6.0-0ubuntu1/.gitignore 1970-01-01 00:00:00.000000000 +0000 @@ -1,16 +0,0 @@ -AUTHORS -ChangeLog -*~ -*.swp -*.pyc -*.log -.tox -.coverage -oslo.rootwrap.egg-info/ -build/ -doc/build/ -doc/source/api/ -dist/ -.testrepository/ -.project -.pydevproject diff -pruN 1.6.0-1/.gitreview 1.6.0-0ubuntu1/.gitreview --- 1.6.0-1/.gitreview 2015-03-04 11:50:25.000000000 +0000 +++ 1.6.0-0ubuntu1/.gitreview 1970-01-01 00:00:00.000000000 +0000 @@ -1,4 +0,0 @@ -[gerrit] -host=review.openstack.org -port=29418 -project=openstack/oslo.rootwrap.git diff -pruN 1.6.0-1/oslo.rootwrap.egg-info/dependency_links.txt 1.6.0-0ubuntu1/oslo.rootwrap.egg-info/dependency_links.txt --- 1.6.0-1/oslo.rootwrap.egg-info/dependency_links.txt 1970-01-01 00:00:00.000000000 +0000 +++ 1.6.0-0ubuntu1/oslo.rootwrap.egg-info/dependency_links.txt 2015-03-09 14:32:57.000000000 +0000 @@ -0,0 +1 @@ + diff -pruN 1.6.0-1/oslo.rootwrap.egg-info/namespace_packages.txt 1.6.0-0ubuntu1/oslo.rootwrap.egg-info/namespace_packages.txt --- 1.6.0-1/oslo.rootwrap.egg-info/namespace_packages.txt 1970-01-01 00:00:00.000000000 +0000 +++ 1.6.0-0ubuntu1/oslo.rootwrap.egg-info/namespace_packages.txt 2015-03-09 14:32:57.000000000 +0000 @@ -0,0 +1 @@ +oslo diff -pruN 1.6.0-1/oslo.rootwrap.egg-info/not-zip-safe 1.6.0-0ubuntu1/oslo.rootwrap.egg-info/not-zip-safe --- 1.6.0-1/oslo.rootwrap.egg-info/not-zip-safe 1970-01-01 00:00:00.000000000 +0000 +++ 1.6.0-0ubuntu1/oslo.rootwrap.egg-info/not-zip-safe 2015-03-09 14:32:56.000000000 +0000 @@ -0,0 +1 @@ + diff -pruN 1.6.0-1/oslo.rootwrap.egg-info/pbr.json 1.6.0-0ubuntu1/oslo.rootwrap.egg-info/pbr.json --- 1.6.0-1/oslo.rootwrap.egg-info/pbr.json 1970-01-01 00:00:00.000000000 +0000 +++ 1.6.0-0ubuntu1/oslo.rootwrap.egg-info/pbr.json 2015-03-09 14:32:57.000000000 +0000 @@ -0,0 +1 @@ +{"git_version": "f485b93", "is_release": true} \ No newline at end of file diff -pruN 1.6.0-1/oslo.rootwrap.egg-info/PKG-INFO 1.6.0-0ubuntu1/oslo.rootwrap.egg-info/PKG-INFO --- 1.6.0-1/oslo.rootwrap.egg-info/PKG-INFO 1970-01-01 00:00:00.000000000 +0000 +++ 1.6.0-0ubuntu1/oslo.rootwrap.egg-info/PKG-INFO 2015-03-09 14:32:57.000000000 +0000 @@ -0,0 +1,373 @@ +Metadata-Version: 1.1 +Name: oslo.rootwrap +Version: 1.6.0 +Summary: Oslo Rootwrap +Home-page: https://launchpad.net/oslo +Author: OpenStack +Author-email: openstack-dev@lists.openstack.org +License: UNKNOWN +Description: ------------- + Oslo Rootwrap + ------------- + + The Oslo Rootwrap allows fine filtering of shell commands to run as `root` + from OpenStack services. + + * License: Apache License, Version 2.0 + * Documentation: http://docs.openstack.org/developer/oslo.rootwrap + * Source: http://git.openstack.org/cgit/openstack/oslo.rootwrap + * Bugs: http://bugs.launchpad.net/oslo.rootwrap + + Using + ===== + + Rootwrap should be used as a separate Python process calling the + ``oslo_rootwrap.cmd:main`` function. You can set up a specific console_script + calling into ``oslo_rootwrap.cmd:main``, called for example `nova-rootwrap`. + To keep things simple, this document will consider that your console_script + is called `/usr/bin/nova-rootwrap`. + + The rootwrap command line should be called under `sudo`. It's first parameter + is the configuration file to use, and the remainder of the parameters are the + command line to execute: + + `sudo nova-rootwrap ROOTWRAP_CONFIG COMMAND_LINE` + + + How rootwrap works + ================== + + OpenStack services generally run under a specific, unprivileged user. However, + sometimes they need to run a command as `root`. Instead of just calling + `sudo make me a sandwich` and have a blanket `sudoers` permission to always + escalate rights from their unprivileged users to `root`, those services can + call `sudo nova-rootwrap /etc/nova/rootwrap.conf make me a sandwich`. + + A sudoers entry lets the unprivileged user run `nova-rootwrap` as `root`. + `nova-rootwrap` looks for filter definition directories in its configuration + file, and loads command filters from them. Then it checks if the command + requested by the OpenStack service matches one of those filters, in which + case it executes the command (as `root`). If no filter matches, it denies + the request. This allows for complex filtering of allowed commands, as well + as shipping filter definitions together with the OpenStack code that needs + them. + + Security model + ============== + + The escalation path is fully controlled by the `root` user. A `sudoers` entry + (owned by `root`) allows the unprivileged user to run (as `root`) a specific + rootwrap executable, and only with a specific configuration file (which should + be owned by `root`) as its first parameter. + + `nova-rootwrap` imports the Python modules it needs from a cleaned (and + system-default) `PYTHONPATH`. The configuration file points to root-owned + filter definition directories, which contain root-owned filters definition + files. This chain ensures that the unprivileged user itself is never in + control of the configuration or modules used by the `nova-rootwrap` executable. + + Installation + ============ + + All nodes wishing to run `nova-rootwrap` should contain a `sudoers` entry that + lets the unprivileged user run `nova-rootwrap` as `root`, pointing to the + root-owned `rootwrap.conf` configuration file and allowing any parameter + after that. For example, Nova nodes should have this line in their `sudoers` + file, to allow the `nova` user to call `sudo nova-rootwrap`: + + ``nova ALL = (root) NOPASSWD: /usr/bin/nova-rootwrap /etc/nova/rootwrap.conf *`` + + Then the node also should ship the filter definitions corresponding to its + usage of `nova-rootwrap`. You should not install any other filters file on + that node, otherwise you would allow extra unneeded commands to be run as + `root`. + + The filter file(s) corresponding to the node must be installed in one of the + filters_path directories. For example, on Nova compute nodes, you should only + have `compute.filters` installed. The file should be owned and writeable only + by the `root` user. + + Rootwrap configuration + ====================== + + The `rootwrap.conf` file is used to influence how `nova-rootwrap` works. Since + it's in the trusted security path, it needs to be owned and writeable only by + the `root` user. Its location is specified in the `sudoers` entry, and must be + provided on `nova-rootwrap` command line as its first argument. + + `rootwrap.conf` uses an *INI* file format with the following sections and + parameters: + + [DEFAULT] section + ----------------- + + filters_path + Comma-separated list of directories containing filter definition files. + All directories listed must be owned and only writeable by `root`. + This is the only mandatory parameter. + Example: + ``filters_path=/etc/nova/rootwrap.d,/usr/share/nova/rootwrap`` + + exec_dirs + Comma-separated list of directories to search executables in, in case + filters do not explicitely specify a full path. If not specified, defaults + to the system `PATH` environment variable. All directories listed must be + owned and only writeable by `root`. Example: + ``exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin`` + + use_syslog + Enable logging to syslog. Default value is False. Example: + ``use_syslog=True`` + + use_syslog_rfc_format + Enable RFC5424 compliant format for syslog (add APP-NAME before MSG part). + Default value is False. Example: + ``use_syslog_rfc_format=True`` + + syslog_log_facility + Which syslog facility to use for syslog logging. Valid values include + `auth`, `authpriv`, `syslog`, `user0`, `user1`... + Default value is `syslog`. Example: + ``syslog_log_facility=syslog`` + + syslog_log_level + Which messages to log. `INFO` means log all usage, `ERROR` means only log + unsuccessful attempts. Example: + ``syslog_log_level=ERROR`` + + .filters files + ============== + + Filters definition files contain lists of filters that `nova-rootwrap` will + use to allow or deny a specific command. They are generally suffixed by + `.filters`. Since they are in the trusted security path, they need to be + owned and writeable only by the `root` user. Their location is specified + in the `rootwrap.conf` file. + + It uses an *INI* file format with a `[Filters]` section and several lines, + each with a unique parameter name (different for each filter you define): + + [Filters] section + ----------------- + + filter_name (different for each filter) + Comma-separated list containing first the Filter class to use, followed + by that Filter arguments (which vary depending on the Filter class + selected). Example: + ``kpartx: CommandFilter, /sbin/kpartx, root`` + + + Available filter classes + ======================== + + CommandFilter + ------------- + + Basic filter that only checks the executable called. Parameters are: + + 1. Executable allowed + 2. User to run the command under + + Example: allow to run kpartx as the root user, with any parameters: + + ``kpartx: CommandFilter, kpartx, root`` + + RegExpFilter + ------------ + + Generic filter that checks the executable called, then uses a list of regular + expressions to check all subsequent arguments. Parameters are: + + 1. Executable allowed + 2. User to run the command under + 3. (and following) Regular expressions to use to match first (and subsequent) + command arguments + + Example: allow to run `/usr/sbin/tunctl`, but only with three parameters with + the first two being -b and -t: + + ``tunctl: RegExpFilter, /usr/sbin/tunctl, root, tunctl, -b, -t, .*`` + + PathFilter + ---------- + + Generic filter that lets you check that paths provided as parameters fall + under a given directory. Parameters are: + + 1. Executable allowed + 2. User to run the command under + 3. (and following) Command arguments. + + There are three types of command arguments: `pass` will accept any parameter + value, a string will only accept the corresponding string as a parameter, + except if the string starts with '/' in which case it will accept any path + that resolves under the corresponding directory. + + Example: allow to chown to the 'nova' user any file under /var/lib/images: + + ``chown: PathFilter, /bin/chown, root, nova, /var/lib/images`` + + EnvFilter + --------- + + Filter allowing extra environment variables to be set by the calling code. + Parameters are: + + 1. `env` + 2. User to run the command under + 3. (and following) name of the environment variables that can be set, + suffixed by `=` + 4. Executable allowed + + Example: allow to run `CONFIG_FILE=foo NETWORK_ID=bar dnsmasq ...` as root: + + ``dnsmasq: EnvFilter, env, root, CONFIG_FILE=, NETWORK_ID=, dnsmasq`` + + ReadFileFilter + -------------- + + Specific filter that lets you read files as `root` using `cat`. + Parameters are: + + 1. Path to the file that you want to read as the `root` user. + + Example: allow to run `cat /etc/iscsi/initiatorname.iscsi` as `root`: + + ``read_initiator: ReadFileFilter, /etc/iscsi/initiatorname.iscsi`` + + KillFilter + ---------- + + Kill-specific filter that checks the affected process and the signal sent + before allowing the command. Parameters are: + + 1. User to run `kill` under + 2. Only affect processes running that executable + 3. (and following) Signals you're allowed to send + + Example: allow to send `-9` or `-HUP` signals to `/usr/sbin/dnsmasq` processes: + + ``kill_dnsmasq: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP`` + + IpFilter + -------- + + ip-specific filter that allows to run any `ip` command, except for `ip netns` + (in which case it only allows the list, add and delete subcommands). + Parameters are: + + 1. `ip` + 2. User to run `ip` under + + Example: allow to run any `ip` command except `ip netns exec` and + `ip netns monitor`: + + ``ip: IpFilter, ip, root`` + + IpNetnsExecFilter + ----------------- + + ip-specific filter that allows to run any otherwise-allowed command under + `ip netns exec`. The command specified to `ip netns exec` must match another + filter for this filter to accept it. Parameters are: + + 1. `ip` + 2. User to run `ip` under + + Example: allow to run `ip netns exec ` as long as + `` matches another filter: + + ``ip: IpNetnsExecFilter, ip, root`` + + ChainingRegExpFilter + -------------------- + + Filter that allows to run the prefix command, if the beginning of its arguments + match to a list of regular expressions, and if remaining arguments are any + otherwise-allowed command. Parameters are: + + 1. Executable allowed + 2. User to run the command under + 3. (and following) Regular expressions to use to match first (and subsequent) + command arguments. + + This filter regards the length of the regular expressions list as the number of + arguments to be checked, and remaining parts are checked by other filters. + + Example: allow to run `/usr/bin/nice`, but only with first two parameters being + -n and integer, and followed by any allowed command by the other filters: + + ``nice: ChainingRegExpFilter, /usr/bin/nice, root, nice, -n, -?\d+`` + + Note: this filter can't be used to impose that the subcommand is always run + under the prefix command. In particular, it can't enforce that a particular + command is only run under "nice", since the subcommand can explicitly be + called directly. + + + Calling rootwrap from OpenStack services + ============================================= + + Standalone mode (``sudo`` way) + -------------------------- + + The `oslo.processutils` library ships with a convenience `execute()` function + that can be used to call shell commands as `root`, if you call it with the + following parameters: + + ``run_as_root=True`` + + ``root_helper='sudo nova-rootwrap /etc/nova/rootwrap.conf`` + + NB: Some services ship with a `utils.execute()` convenience function that + automatically sets `root_helper` based on the value of a `rootwrap_config` + parameter, so only `run_as_root=True` needs to be set. + + If you want to call as `root` a previously-unauthorized command, you will also + need to modify the filters (generally shipped in the source tree under + `etc/rootwrap.d` so that the command you want to run as `root` will actually + be allowed by `nova-rootwrap`. + + Daemon mode + ----------- + + Since 1.3.0 version ``oslo.rootwrap`` supports "daemon mode". In this mode + rootwrap would start, read config file and wait for commands to be run with + root priviledges. All communications with the daemon should go through + ``Client`` class that resides in ``oslo_rootwrap.client`` module. + + Its constructor expects one argument - a list that can be passed to ``Popen`` + to create rootwrap daemon process. For ``root_helper`` above it will be + ``["sudo", "nova-rootwrap-daemon", "/etc/neutron/rootwrap.conf"]``, + for example. Note that it uses a separate script that points to + ``oslo_rootwrap.cmd:daemon`` endpoint (instead of ``:main``). + + The class provides one method ``execute`` with following arguments: + + * ``userargs`` - list of command line arguments that are to be used to run the + command; + * ``stdin`` - string to be passed to standard input of child process. + + The method returns 3-tuple containing: + + * return code of child process; + * string containing everything captured from its stdout stream; + * string containing everything captured from its stderr stream. + + The class lazily creates an instance of the daemon, connects to it and passes + arguments. This daemon can die or be killed, ``Client`` will respawn it and/or + reconnect to it as necessary. + + +Platform: UNKNOWN +Classifier: Development Status :: 4 - Beta +Classifier: Environment :: OpenStack +Classifier: Intended Audience :: Developers +Classifier: Intended Audience :: Information Technology +Classifier: License :: OSI Approved :: Apache Software License +Classifier: Operating System :: OS Independent +Classifier: Programming Language :: Python +Classifier: Programming Language :: Python :: 2.6 +Classifier: Programming Language :: Python :: 2.7 +Classifier: Programming Language :: Python :: 3 +Classifier: Programming Language :: Python :: 3.3 diff -pruN 1.6.0-1/oslo.rootwrap.egg-info/requires.txt 1.6.0-0ubuntu1/oslo.rootwrap.egg-info/requires.txt --- 1.6.0-1/oslo.rootwrap.egg-info/requires.txt 1970-01-01 00:00:00.000000000 +0000 +++ 1.6.0-0ubuntu1/oslo.rootwrap.egg-info/requires.txt 2015-03-09 14:32:57.000000000 +0000 @@ -0,0 +1 @@ +six>=1.9.0 diff -pruN 1.6.0-1/oslo.rootwrap.egg-info/SOURCES.txt 1.6.0-0ubuntu1/oslo.rootwrap.egg-info/SOURCES.txt --- 1.6.0-1/oslo.rootwrap.egg-info/SOURCES.txt 1970-01-01 00:00:00.000000000 +0000 +++ 1.6.0-0ubuntu1/oslo.rootwrap.egg-info/SOURCES.txt 2015-03-09 14:32:58.000000000 +0000 @@ -0,0 +1,59 @@ +.testr.conf +AUTHORS +CONTRIBUTING.rst +ChangeLog +LICENSE +MANIFEST.in +README.rst +openstack-common.conf +requirements.txt +setup.cfg +setup.py +test-requirements-py3.txt +test-requirements.txt +tox.ini +benchmark/benchmark.py +benchmark/rootwrap.conf +benchmark/filters.d/ip.filters +doc/source/conf.py +doc/source/contributing.rst +doc/source/index.rst +doc/source/installation.rst +doc/source/readme.rst +doc/source/usage.rst +etc/rootwrap.conf.sample +oslo/__init__.py +oslo.rootwrap.egg-info/PKG-INFO +oslo.rootwrap.egg-info/SOURCES.txt +oslo.rootwrap.egg-info/dependency_links.txt +oslo.rootwrap.egg-info/namespace_packages.txt +oslo.rootwrap.egg-info/not-zip-safe +oslo.rootwrap.egg-info/pbr.json +oslo.rootwrap.egg-info/requires.txt +oslo.rootwrap.egg-info/top_level.txt +oslo/rootwrap/__init__.py +oslo/rootwrap/client.py +oslo/rootwrap/cmd.py +oslo/rootwrap/daemon.py +oslo/rootwrap/filters.py +oslo/rootwrap/jsonrpc.py +oslo/rootwrap/wrapper.py +oslo_rootwrap/__init__.py +oslo_rootwrap/client.py +oslo_rootwrap/cmd.py +oslo_rootwrap/daemon.py +oslo_rootwrap/filters.py +oslo_rootwrap/jsonrpc.py +oslo_rootwrap/wrapper.py +oslo_rootwrap/tests/__init__.py +oslo_rootwrap/tests/run_daemon.py +oslo_rootwrap/tests/test_functional.py +oslo_rootwrap/tests/test_functional_eventlet.py +oslo_rootwrap/tests/test_rootwrap.py +tests/__init__.py +tests/run_daemon.py +tests/test_functional.py +tests/test_functional_eventlet.py +tests/test_rootwrap.py +tests/test_warning.py +tools/run_cross_tests.sh \ No newline at end of file diff -pruN 1.6.0-1/oslo.rootwrap.egg-info/top_level.txt 1.6.0-0ubuntu1/oslo.rootwrap.egg-info/top_level.txt --- 1.6.0-1/oslo.rootwrap.egg-info/top_level.txt 1970-01-01 00:00:00.000000000 +0000 +++ 1.6.0-0ubuntu1/oslo.rootwrap.egg-info/top_level.txt 2015-03-09 14:32:57.000000000 +0000 @@ -0,0 +1,2 @@ +oslo +oslo_rootwrap diff -pruN 1.6.0-1/.pc/applied-patches 1.6.0-0ubuntu1/.pc/applied-patches --- 1.6.0-1/.pc/applied-patches 2015-04-28 04:38:05.278581908 +0000 +++ 1.6.0-0ubuntu1/.pc/applied-patches 1970-01-01 00:00:00.000000000 +0000 @@ -1 +0,0 @@ -do-not-run-toplevel-tests.patch diff -pruN 1.6.0-1/.pc/do-not-run-toplevel-tests.patch/.testr.conf 1.6.0-0ubuntu1/.pc/do-not-run-toplevel-tests.patch/.testr.conf --- 1.6.0-1/.pc/do-not-run-toplevel-tests.patch/.testr.conf 2015-03-04 11:50:25.000000000 +0000 +++ 1.6.0-0ubuntu1/.pc/do-not-run-toplevel-tests.patch/.testr.conf 1970-01-01 00:00:00.000000000 +0000 @@ -1,4 +0,0 @@ -[DEFAULT] -test_command=OS_STDOUT_CAPTURE=1 OS_STDERR_CAPTURE=1 OS_TEST_TIMEOUT=60 ${PYTHON:-python} -m subunit.run discover -t ./ . $LISTOPT $IDOPTION -test_id_option=--load-list $IDFILE -test_list_option=--list diff -pruN 1.6.0-1/PKG-INFO 1.6.0-0ubuntu1/PKG-INFO --- 1.6.0-1/PKG-INFO 1970-01-01 00:00:00.000000000 +0000 +++ 1.6.0-0ubuntu1/PKG-INFO 2015-03-09 14:32:58.000000000 +0000 @@ -0,0 +1,373 @@ +Metadata-Version: 1.1 +Name: oslo.rootwrap +Version: 1.6.0 +Summary: Oslo Rootwrap +Home-page: https://launchpad.net/oslo +Author: OpenStack +Author-email: openstack-dev@lists.openstack.org +License: UNKNOWN +Description: ------------- + Oslo Rootwrap + ------------- + + The Oslo Rootwrap allows fine filtering of shell commands to run as `root` + from OpenStack services. + + * License: Apache License, Version 2.0 + * Documentation: http://docs.openstack.org/developer/oslo.rootwrap + * Source: http://git.openstack.org/cgit/openstack/oslo.rootwrap + * Bugs: http://bugs.launchpad.net/oslo.rootwrap + + Using + ===== + + Rootwrap should be used as a separate Python process calling the + ``oslo_rootwrap.cmd:main`` function. You can set up a specific console_script + calling into ``oslo_rootwrap.cmd:main``, called for example `nova-rootwrap`. + To keep things simple, this document will consider that your console_script + is called `/usr/bin/nova-rootwrap`. + + The rootwrap command line should be called under `sudo`. It's first parameter + is the configuration file to use, and the remainder of the parameters are the + command line to execute: + + `sudo nova-rootwrap ROOTWRAP_CONFIG COMMAND_LINE` + + + How rootwrap works + ================== + + OpenStack services generally run under a specific, unprivileged user. However, + sometimes they need to run a command as `root`. Instead of just calling + `sudo make me a sandwich` and have a blanket `sudoers` permission to always + escalate rights from their unprivileged users to `root`, those services can + call `sudo nova-rootwrap /etc/nova/rootwrap.conf make me a sandwich`. + + A sudoers entry lets the unprivileged user run `nova-rootwrap` as `root`. + `nova-rootwrap` looks for filter definition directories in its configuration + file, and loads command filters from them. Then it checks if the command + requested by the OpenStack service matches one of those filters, in which + case it executes the command (as `root`). If no filter matches, it denies + the request. This allows for complex filtering of allowed commands, as well + as shipping filter definitions together with the OpenStack code that needs + them. + + Security model + ============== + + The escalation path is fully controlled by the `root` user. A `sudoers` entry + (owned by `root`) allows the unprivileged user to run (as `root`) a specific + rootwrap executable, and only with a specific configuration file (which should + be owned by `root`) as its first parameter. + + `nova-rootwrap` imports the Python modules it needs from a cleaned (and + system-default) `PYTHONPATH`. The configuration file points to root-owned + filter definition directories, which contain root-owned filters definition + files. This chain ensures that the unprivileged user itself is never in + control of the configuration or modules used by the `nova-rootwrap` executable. + + Installation + ============ + + All nodes wishing to run `nova-rootwrap` should contain a `sudoers` entry that + lets the unprivileged user run `nova-rootwrap` as `root`, pointing to the + root-owned `rootwrap.conf` configuration file and allowing any parameter + after that. For example, Nova nodes should have this line in their `sudoers` + file, to allow the `nova` user to call `sudo nova-rootwrap`: + + ``nova ALL = (root) NOPASSWD: /usr/bin/nova-rootwrap /etc/nova/rootwrap.conf *`` + + Then the node also should ship the filter definitions corresponding to its + usage of `nova-rootwrap`. You should not install any other filters file on + that node, otherwise you would allow extra unneeded commands to be run as + `root`. + + The filter file(s) corresponding to the node must be installed in one of the + filters_path directories. For example, on Nova compute nodes, you should only + have `compute.filters` installed. The file should be owned and writeable only + by the `root` user. + + Rootwrap configuration + ====================== + + The `rootwrap.conf` file is used to influence how `nova-rootwrap` works. Since + it's in the trusted security path, it needs to be owned and writeable only by + the `root` user. Its location is specified in the `sudoers` entry, and must be + provided on `nova-rootwrap` command line as its first argument. + + `rootwrap.conf` uses an *INI* file format with the following sections and + parameters: + + [DEFAULT] section + ----------------- + + filters_path + Comma-separated list of directories containing filter definition files. + All directories listed must be owned and only writeable by `root`. + This is the only mandatory parameter. + Example: + ``filters_path=/etc/nova/rootwrap.d,/usr/share/nova/rootwrap`` + + exec_dirs + Comma-separated list of directories to search executables in, in case + filters do not explicitely specify a full path. If not specified, defaults + to the system `PATH` environment variable. All directories listed must be + owned and only writeable by `root`. Example: + ``exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin`` + + use_syslog + Enable logging to syslog. Default value is False. Example: + ``use_syslog=True`` + + use_syslog_rfc_format + Enable RFC5424 compliant format for syslog (add APP-NAME before MSG part). + Default value is False. Example: + ``use_syslog_rfc_format=True`` + + syslog_log_facility + Which syslog facility to use for syslog logging. Valid values include + `auth`, `authpriv`, `syslog`, `user0`, `user1`... + Default value is `syslog`. Example: + ``syslog_log_facility=syslog`` + + syslog_log_level + Which messages to log. `INFO` means log all usage, `ERROR` means only log + unsuccessful attempts. Example: + ``syslog_log_level=ERROR`` + + .filters files + ============== + + Filters definition files contain lists of filters that `nova-rootwrap` will + use to allow or deny a specific command. They are generally suffixed by + `.filters`. Since they are in the trusted security path, they need to be + owned and writeable only by the `root` user. Their location is specified + in the `rootwrap.conf` file. + + It uses an *INI* file format with a `[Filters]` section and several lines, + each with a unique parameter name (different for each filter you define): + + [Filters] section + ----------------- + + filter_name (different for each filter) + Comma-separated list containing first the Filter class to use, followed + by that Filter arguments (which vary depending on the Filter class + selected). Example: + ``kpartx: CommandFilter, /sbin/kpartx, root`` + + + Available filter classes + ======================== + + CommandFilter + ------------- + + Basic filter that only checks the executable called. Parameters are: + + 1. Executable allowed + 2. User to run the command under + + Example: allow to run kpartx as the root user, with any parameters: + + ``kpartx: CommandFilter, kpartx, root`` + + RegExpFilter + ------------ + + Generic filter that checks the executable called, then uses a list of regular + expressions to check all subsequent arguments. Parameters are: + + 1. Executable allowed + 2. User to run the command under + 3. (and following) Regular expressions to use to match first (and subsequent) + command arguments + + Example: allow to run `/usr/sbin/tunctl`, but only with three parameters with + the first two being -b and -t: + + ``tunctl: RegExpFilter, /usr/sbin/tunctl, root, tunctl, -b, -t, .*`` + + PathFilter + ---------- + + Generic filter that lets you check that paths provided as parameters fall + under a given directory. Parameters are: + + 1. Executable allowed + 2. User to run the command under + 3. (and following) Command arguments. + + There are three types of command arguments: `pass` will accept any parameter + value, a string will only accept the corresponding string as a parameter, + except if the string starts with '/' in which case it will accept any path + that resolves under the corresponding directory. + + Example: allow to chown to the 'nova' user any file under /var/lib/images: + + ``chown: PathFilter, /bin/chown, root, nova, /var/lib/images`` + + EnvFilter + --------- + + Filter allowing extra environment variables to be set by the calling code. + Parameters are: + + 1. `env` + 2. User to run the command under + 3. (and following) name of the environment variables that can be set, + suffixed by `=` + 4. Executable allowed + + Example: allow to run `CONFIG_FILE=foo NETWORK_ID=bar dnsmasq ...` as root: + + ``dnsmasq: EnvFilter, env, root, CONFIG_FILE=, NETWORK_ID=, dnsmasq`` + + ReadFileFilter + -------------- + + Specific filter that lets you read files as `root` using `cat`. + Parameters are: + + 1. Path to the file that you want to read as the `root` user. + + Example: allow to run `cat /etc/iscsi/initiatorname.iscsi` as `root`: + + ``read_initiator: ReadFileFilter, /etc/iscsi/initiatorname.iscsi`` + + KillFilter + ---------- + + Kill-specific filter that checks the affected process and the signal sent + before allowing the command. Parameters are: + + 1. User to run `kill` under + 2. Only affect processes running that executable + 3. (and following) Signals you're allowed to send + + Example: allow to send `-9` or `-HUP` signals to `/usr/sbin/dnsmasq` processes: + + ``kill_dnsmasq: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP`` + + IpFilter + -------- + + ip-specific filter that allows to run any `ip` command, except for `ip netns` + (in which case it only allows the list, add and delete subcommands). + Parameters are: + + 1. `ip` + 2. User to run `ip` under + + Example: allow to run any `ip` command except `ip netns exec` and + `ip netns monitor`: + + ``ip: IpFilter, ip, root`` + + IpNetnsExecFilter + ----------------- + + ip-specific filter that allows to run any otherwise-allowed command under + `ip netns exec`. The command specified to `ip netns exec` must match another + filter for this filter to accept it. Parameters are: + + 1. `ip` + 2. User to run `ip` under + + Example: allow to run `ip netns exec ` as long as + `` matches another filter: + + ``ip: IpNetnsExecFilter, ip, root`` + + ChainingRegExpFilter + -------------------- + + Filter that allows to run the prefix command, if the beginning of its arguments + match to a list of regular expressions, and if remaining arguments are any + otherwise-allowed command. Parameters are: + + 1. Executable allowed + 2. User to run the command under + 3. (and following) Regular expressions to use to match first (and subsequent) + command arguments. + + This filter regards the length of the regular expressions list as the number of + arguments to be checked, and remaining parts are checked by other filters. + + Example: allow to run `/usr/bin/nice`, but only with first two parameters being + -n and integer, and followed by any allowed command by the other filters: + + ``nice: ChainingRegExpFilter, /usr/bin/nice, root, nice, -n, -?\d+`` + + Note: this filter can't be used to impose that the subcommand is always run + under the prefix command. In particular, it can't enforce that a particular + command is only run under "nice", since the subcommand can explicitly be + called directly. + + + Calling rootwrap from OpenStack services + ============================================= + + Standalone mode (``sudo`` way) + -------------------------- + + The `oslo.processutils` library ships with a convenience `execute()` function + that can be used to call shell commands as `root`, if you call it with the + following parameters: + + ``run_as_root=True`` + + ``root_helper='sudo nova-rootwrap /etc/nova/rootwrap.conf`` + + NB: Some services ship with a `utils.execute()` convenience function that + automatically sets `root_helper` based on the value of a `rootwrap_config` + parameter, so only `run_as_root=True` needs to be set. + + If you want to call as `root` a previously-unauthorized command, you will also + need to modify the filters (generally shipped in the source tree under + `etc/rootwrap.d` so that the command you want to run as `root` will actually + be allowed by `nova-rootwrap`. + + Daemon mode + ----------- + + Since 1.3.0 version ``oslo.rootwrap`` supports "daemon mode". In this mode + rootwrap would start, read config file and wait for commands to be run with + root priviledges. All communications with the daemon should go through + ``Client`` class that resides in ``oslo_rootwrap.client`` module. + + Its constructor expects one argument - a list that can be passed to ``Popen`` + to create rootwrap daemon process. For ``root_helper`` above it will be + ``["sudo", "nova-rootwrap-daemon", "/etc/neutron/rootwrap.conf"]``, + for example. Note that it uses a separate script that points to + ``oslo_rootwrap.cmd:daemon`` endpoint (instead of ``:main``). + + The class provides one method ``execute`` with following arguments: + + * ``userargs`` - list of command line arguments that are to be used to run the + command; + * ``stdin`` - string to be passed to standard input of child process. + + The method returns 3-tuple containing: + + * return code of child process; + * string containing everything captured from its stdout stream; + * string containing everything captured from its stderr stream. + + The class lazily creates an instance of the daemon, connects to it and passes + arguments. This daemon can die or be killed, ``Client`` will respawn it and/or + reconnect to it as necessary. + + +Platform: UNKNOWN +Classifier: Development Status :: 4 - Beta +Classifier: Environment :: OpenStack +Classifier: Intended Audience :: Developers +Classifier: Intended Audience :: Information Technology +Classifier: License :: OSI Approved :: Apache Software License +Classifier: Operating System :: OS Independent +Classifier: Programming Language :: Python +Classifier: Programming Language :: Python :: 2.6 +Classifier: Programming Language :: Python :: 2.7 +Classifier: Programming Language :: Python :: 3 +Classifier: Programming Language :: Python :: 3.3 diff -pruN 1.6.0-1/setup.cfg 1.6.0-0ubuntu1/setup.cfg --- 1.6.0-1/setup.cfg 2015-03-04 11:50:25.000000000 +0000 +++ 1.6.0-0ubuntu1/setup.cfg 2015-03-09 14:32:58.000000000 +0000 @@ -3,29 +3,29 @@ name = oslo.rootwrap author = OpenStack author-email = openstack-dev@lists.openstack.org summary = Oslo Rootwrap -description-file = - README.rst +description-file = + README.rst home-page = https://launchpad.net/oslo -classifier = - Development Status :: 4 - Beta - Environment :: OpenStack - Intended Audience :: Developers - Intended Audience :: Information Technology - License :: OSI Approved :: Apache Software License - Operating System :: OS Independent - Programming Language :: Python - Programming Language :: Python :: 2.6 - Programming Language :: Python :: 2.7 - Programming Language :: Python :: 3 - Programming Language :: Python :: 3.3 +classifier = + Development Status :: 4 - Beta + Environment :: OpenStack + Intended Audience :: Developers + Intended Audience :: Information Technology + License :: OSI Approved :: Apache Software License + Operating System :: OS Independent + Programming Language :: Python + Programming Language :: Python :: 2.6 + Programming Language :: Python :: 2.7 + Programming Language :: Python :: 3 + Programming Language :: Python :: 3.3 [files] -packages = - oslo - oslo.rootwrap - oslo_rootwrap -namespace_packages = - oslo +packages = + oslo + oslo.rootwrap + oslo_rootwrap +namespace_packages = + oslo [build_sphinx] source-dir = doc/source @@ -37,3 +37,9 @@ upload-dir = doc/build/html [wheel] universal = 1 + +[egg_info] +tag_date = 0 +tag_svn_revision = 0 +tag_build = + diff -pruN 1.6.0-1/.testr.conf 1.6.0-0ubuntu1/.testr.conf --- 1.6.0-1/.testr.conf 2015-04-28 04:38:05.000000000 +0000 +++ 1.6.0-0ubuntu1/.testr.conf 2015-03-09 14:32:41.000000000 +0000 @@ -1,4 +1,4 @@ [DEFAULT] -test_command=OS_STDOUT_CAPTURE=1 OS_STDERR_CAPTURE=1 OS_TEST_TIMEOUT=60 ${PYTHON:-python} -m subunit.run discover -t ./ ./oslo_rootwrap $LISTOPT $IDOPTION +test_command=OS_STDOUT_CAPTURE=1 OS_STDERR_CAPTURE=1 OS_TEST_TIMEOUT=60 ${PYTHON:-python} -m subunit.run discover -t ./ . $LISTOPT $IDOPTION test_id_option=--load-list $IDFILE test_list_option=--list