.\" Man page generated from reStructuredText.
.
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.TH "NOVA-ROOTWRAP" "1" "Apr 18, 2024" "29.0.1" "nova"
.SH NAME
nova-rootwrap \- Root wrapper daemon for the OpenStack Compute service.
.SH SYNOPSIS
.INDENT 0.0
.INDENT 3.5
.sp
.EX
nova\-rootwrap CONFIG_FILE COMMAND
.EE
.UNINDENT
.UNINDENT
.SH DESCRIPTION
.sp
\fBnova\-rootwrap\fP is an application that filters which commands nova is
allowed to run as another user.
.sp
To use this, you should set the following in \fBnova.conf\fP:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
rootwrap_config=/etc/nova/rootwrap.conf
.EE
.UNINDENT
.UNINDENT
.sp
You also need to let the nova user run \fBnova\-rootwrap\fP as root in
\fBsudoers\fP:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
nova ALL = (root) NOPASSWD: /usr/bin/nova\-rootwrap /etc/nova/rootwrap.conf *
.EE
.UNINDENT
.UNINDENT
.sp
To make allowed commands node\-specific, your packaging should only install
\fB{compute,network}.filters\fP respectively on compute and network nodes, i.e.
\fBnova\-api\fP nodes should not have any of those files installed.
.sp
\fBNOTE:\fP
.INDENT 0.0
.INDENT 3.5
\fBnova\-rootwrap\fP is being slowly deprecated and replaced by
\fBoslo.privsep\fP, and will eventually be removed.
.UNINDENT
.UNINDENT
.SH FILES
.INDENT 0.0
.IP \(bu 2
\fB/etc/nova/nova.conf\fP
.IP \(bu 2
\fB/etc/nova/rootwrap.conf\fP
.IP \(bu 2
\fB/etc/nova/rootwrap.d/\fP
.UNINDENT
.SH SEE ALSO
.sp
\fI\%nova\-compute(1)\fP
.SH BUGS
.INDENT 0.0
.IP \(bu 2
Nova bugs are managed at \fI\%Launchpad\fP
.UNINDENT
.SH AUTHOR
openstack@lists.openstack.org
.SH COPYRIGHT
2010-present, OpenStack Foundation
.\" Generated by docutils manpage writer.
.
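An added example (not part of the nova man page or the nova code base): a Python audit of the setup described under DESCRIPTION and FILES. It checks that the sudoers entry pins the rootwrap.conf path and that the config and filter files cannot be modified by a non-root user. The function names and the root-ownership rule are assumptions of this example, not statements from the page.

```python
import os
import re
import stat

# Paths as given in the man page.
ROOTWRAP_BIN = "/usr/bin/nova-rootwrap"
ROOTWRAP_CONF = "/etc/nova/rootwrap.conf"
SUDOERS_RE = re.compile(
    r"^\s*nova\s+\S+\s*=\s*\((\S+)\)\s*NOPASSWD:\s*(\S.*?)\s*$")


def check_sudoers_line(line, binary=ROOTWRAP_BIN, conf=ROOTWRAP_CONF):
    """Return problems found in one sudoers entry for the nova user."""
    m = SUDOERS_RE.match(line)
    if not m:
        return ["not a nova NOPASSWD entry"]
    runas, argv = m.group(1), m.group(2).split()
    problems = []
    if runas != "root":
        problems.append(f"runs as {runas}, expected root")
    if argv[0] != binary:
        problems.append(f"command is {argv[0]}, expected {binary}")
    # A wildcard in place of the config path lets nova choose the filter set.
    if len(argv) < 2 or argv[1] != conf:
        problems.append("config file not pinned to " + conf)
    return problems


def check_paths(paths, owner_uid=0):
    """Flag config/filter paths that a non-root user could modify."""
    # Assumption of this example: owned by owner_uid (root by default)
    # and not group- or world-writable.
    problems = []
    for top in paths:
        if not os.path.exists(top):
            problems.append(f"{top}: missing")
            continue
        entries = [top]
        if os.path.isdir(top):
            entries += [os.path.join(top, n) for n in sorted(os.listdir(top))]
        for path in entries:
            st = os.stat(path)
            if st.st_uid != owner_uid:
                problems.append(f"{path}: owned by uid {st.st_uid}")
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                problems.append(f"{path}: group- or world-writable")
    return problems
```

Call check_sudoers_line() on the nova entry from sudoers and check_paths() on /etc/nova/rootwrap.conf and /etc/nova/rootwrap.d; an empty list from both means no finding.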