nova.conf: Set privsep_osbrick.helper_command

anguslees · anguslees · commit 58467e210282 · 2016-02-25T14:33:56.000+11:00
When os-brick starts using privsep, it will need to know how to invoke
its privileged half.  Amazingly the name of the rootwrap executable
isn't anywhere else in the config, so the privsep default uses just
"sudo" (no rootwrap).

We need to either:

1. set the privsep command line to use nova-rootwrap in nova.conf (and
   similar in other configs), or

2. add the privsep-helper line to sudoers and bypass rootwrap entirely.

This change implements (1) for devstack (nova only for now, cinder to
follow shortly).

Change-Id: I90dc41bc77993bd83b80c92286e015e14f290b45
diff --git a/lib/nova b/lib/nova
@@ -501,6 +501,8 @@ function create_nova_conf {
         iniset $NOVA_CONF DEFAULT bindir "/usr/bin"
     fi
 
+    iniset $NOVA_CONF privsep_osbrick helper_command "sudo nova-rootwrap \$rootwrap_config privsep-helper --config-file $NOVA_CONF"
+
     if is_service_enabled n-api; then
         if is_service_enabled n-api-meta; then
             # If running n-api-meta as a separate service
