cyborg/releasenotes/notes/implement_oslo_privsep-4fc6e15360c92772.yaml
Yumeng Bao 45ade8a10b Implement privsep boilerplate in cyborg.
This includes implementing a first trivial example of how to use
privsep to run something as root, specifically the gpu driver. FPGA
and other drivers should implement it as well in the future.

For reference:
https://review.opendev.org/#/c/566479/4
https://docs.openstack.org/oslo.privsep/latest/user/index.html#converting-from-rootwrap-to-privsep

Change-Id: Ibff356d9a7f57bc99cc26de90d81ff92948f37c4
2019-09-25 19:22:12 -07:00


---
security:
  - |
    Privsep transitions. Cyborg is transitioning from using the older
    style rootwrap privilege escalation path to the new style Oslo privsep
    path. This should improve performance and security of Cyborg
    in the long term.
  - |
    Privsep daemons are now started by Cyborg when required. These
    daemons can be started via rootwrap if required. rootwrap configs
    therefore need to be updated to include new privsep daemon invocations.
  - |
    Using oslo.privsep instead of subprocess to execute sudo-related shell
    operations can prevent shell injection attacks.
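
The last note contrasts a shell command string with a call whose arguments travel as data. The following is an added example, not code from Cyborg or oslo.privsep: oslo.privsep is not imported so the block runs stand-alone, `echo` stands in for a root-only tool, and the function names, the PCI-address parameter and the sample input are assumptions constructed for illustration.

```python
import re
import subprocess

# Stand-in for a privileged binary so the example runs without root (assumption).
TOOL = "echo"

# Constructed input: a PCI address with a shell metacharacter appended.
HOSTILE_ADDR = "0000:00:02.0; echo INJECTED"

# Domain:bus:device.function, e.g. 0000:00:02.0
PCI_ADDR_RE = re.compile(r"[0-9a-fA-F]{4}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}\.[0-7]")


def query_via_shell_string(addr):
    """Legacy pattern: the value is pasted into a string that /bin/sh parses."""
    cmd = TOOL + " query " + addr
    done = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return done.stdout.splitlines()


def query_via_argv(addr, validate=True):
    """Argument-as-data pattern: no shell, the value is a single argv element.

    A privileged helper should also check the value against the narrow
    format it expects before acting on it.
    """
    if validate and not PCI_ADDR_RE.fullmatch(addr):
        raise ValueError("not a PCI address: %r" % (addr,))
    done = subprocess.run([TOOL, "query", addr],
                          capture_output=True, text=True, check=True)
    return done.stdout.splitlines()


if __name__ == "__main__":
    # The shell splits on ';' and runs a second command.
    print("shell string:", query_via_shell_string(HOSTILE_ADDR))
    # Without a shell the same bytes stay inside one argument.
    print("argv only:   ", query_via_argv(HOSTILE_ADDR, validate=False))
    # With validation the malformed value is rejected before anything runs.
    try:
        query_via_argv(HOSTILE_ADDR)
    except ValueError as exc:
        print("validated:    rejected,", exc)
```
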