.\" Man page generated from reStructuredText.
.
.TH "NOVA-ROOTWRAP" "1" "Jan 24, 2023" "" "nova"
.SH NAME
nova-rootwrap \- Root wrapper daemon for the OpenStack Compute service.
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.SH SYNOPSIS
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
nova\-rootwrap [...]
.ft P
.fi
.UNINDENT
.UNINDENT
.SH DESCRIPTION
.sp
\fBnova\-rootwrap\fP is an application that filters which commands nova is
allowed to run as another user.
.sp
To use this, you should set the following in \fBnova.conf\fP:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
rootwrap_config=/etc/nova/rootwrap.conf
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
You also need to let the nova user run \fBnova\-rootwrap\fP as root in
\fBsudoers\fP:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
nova ALL = (root) NOPASSWD: /usr/bin/nova\-rootwrap /etc/nova/rootwrap.conf *
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
To make allowed commands node\-specific, your packaging should only install
\fB{compute,network}.filters\fP respectively on compute and network nodes, i.e.
\fBnova\-api\fP nodes should not have any of those files installed.
.sp
\fBNOTE:\fP
.INDENT 0.0
.INDENT 3.5
\fBnova\-rootwrap\fP is being slowly deprecated and replaced by
\fBoslo.privsep\fP, and will eventually be removed.
.UNINDENT
.UNINDENT
.SH OPTIONS
.sp
\fBGeneral options\fP
.SH FILES
.INDENT 0.0
.IP \(bu 2
\fB/etc/nova/nova.conf\fP
.IP \(bu 2
\fB/etc/nova/rootwrap.conf\fP
.IP \(bu 2
\fB/etc/nova/rootwrap.d/\fP
.UNINDENT
.SH SEE ALSO
.INDENT 0.0
.IP \(bu 2
.nf
:nova\-doc:\(gaOpenStack Nova <>\(ga
.fi
.UNINDENT
.SH BUGS
.INDENT 0.0
.IP \(bu 2
Nova bugs are managed at \fI\%Launchpad\fP
.UNINDENT
.SH AUTHOR
openstack@lists.openstack.org
.SH COPYRIGHT
2010-present, OpenStack Foundation
.\" Generated by docutils manpage writer.
.
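The sudoers entry and the node-specific filter rule from DESCRIPTION can be checked mechanically. The following is an added example, not part of nova or of this man page's original text: it flags any sudoers grant for the nova user beyond the rootwrap entry, and any compute.filters or network.filters file on a node role where it does not belong. The function names, the role names ("compute", "network", "api") and the simplified sudoers grammar are assumptions made for illustration.

```python
import re

# The only grant the man page prescribes for the nova user.
EXPECTED_CMD = "/usr/bin/nova-rootwrap /etc/nova/rootwrap.conf *"
# Node-specific filter files and the node role each belongs on, per the page.
ALLOWED = {"compute": {"compute.filters"}, "network": {"network.filters"}, "api": set()}
NODE_FILTERS = {"compute.filters", "network.filters"}
# user host = (runas) [TAG:] command-list  (simplified sudoers grammar, an assumption)
SUDO_RE = re.compile(r"^\s*nova\s+(\S+?)\s*=\s*\(([^)]*)\)\s*(?:(\w+):\s*)?(.*)$")


def audit_sudoers(text):
    """Return (line_no, problem) for nova grants that exceed the rootwrap entry."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = SUDO_RE.match(line)
        if not m:
            continue  # comments, Defaults lines, other users
        _host, runas, _tag, cmds = m.groups()
        if runas.strip() != "root":
            findings.append((n, "runas is %r, expected 'root'" % runas.strip()))
        for cmd in cmds.split(","):
            if " ".join(cmd.split()) != EXPECTED_CMD:
                findings.append((n, "unexpected command: %s" % cmd.strip()))
    return findings


def audit_filters(role, installed):
    """Return node-specific filter files that do not belong on this node role."""
    return sorted((set(installed) & NODE_FILTERS) - ALLOWED[role])


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real host.
    sample = (
        "# constructed sudoers fragment\n"
        "nova ALL = (root) NOPASSWD: /usr/bin/nova-rootwrap /etc/nova/rootwrap.conf *\n"
        "nova ALL=(ALL) NOPASSWD: ALL\n"
    )
    for line_no, problem in audit_sudoers(sample):
        print("sudoers line %d: %s" % (line_no, problem))
    for name in audit_filters("api", ["compute.filters", "network.filters"]):
        print("api node should not ship %s" % name)
```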