45ade8a10b
This includes implementing a first trivial example of how to use privsep to run something as root, specifically the gpu driver. FPGA and other drivers should implement as well in the future.

For reference:
https://review.opendev.org/#/c/566479/4
https://docs.openstack.org/oslo.privsep/latest/user/index.html#converting-from-rootwrap-to-privsep

Change-Id: Ibff356d9a7f57bc99cc26de90d81ff92948f37c4
15 lines
602 B
YAML
---
security:
  - |
    Privsep transitions. Cyborg is transitioning from using the older
    style rootwrap privilege escalation path to the new style Oslo privsep
    path. This should improve performance and security of Cyborg
    in the long term.
  - |
    Privsep daemons are now started by Cyborg when required. These
    daemons can be started via rootwrap if required. rootwrap configs
    therefore need to be updated to include new privsep daemon invocations.
  - |
    Use oslo.privsep instead of subprocess to execute sudo related shell
    operations can prevent shell injection attacks.
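Review bot: The third security item is ungrammatical as written ("Use oslo.privsep instead of subprocess ... can prevent shell injection attacks"); suggest "Using oslo.privsep instead of subprocess to execute sudo-related shell operations can prevent shell injection attacks." In the second item, "rootwrap configs therefore need to be updated" is an action operators must take when upgrading, so it should also appear under an upgrade section and say which privsep daemon invocation has to be added to the rootwrap config. The first item says the transition "should improve performance and security" without giving a reason; one sentence on why the privsep path is safer than the rootwrap path would make the note more useful to operators.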