From 58467e2102824e92655f448fd6cb55f8820a4cf7 Mon Sep 17 00:00:00 2001
From: Angus Lees
Date: Tue, 9 Feb 2016 16:56:55 +1100
Subject: [PATCH] nova.conf: Set privsep_osbrick.helper_command
When os-brick starts using privsep, it will need to know how to invoke its privileged half. Amazingly the name of the rootwrap executable isn't anywhere else in the config, so the privsep default uses just "sudo" (no rootwrap). We need to either: 1. set the privsep command line to use nova-rootwrap in nova.conf (and similar in other configs), or 2. add the privsep-helper line to sudoers and bypass rootwrap entirely. This change implements (1) for devstack (nova only for now, cinder to follow shortly).
Change-Id: I90dc41bc77993bd83b80c92286e015e14f290b45
---
 lib/nova | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/lib/nova b/lib/nova
index dc425a19bd..e0bccc570b 100644
--- a/lib/nova
+++ b/lib/nova
@@ -501,6 +501,8 @@ function create_nova_conf {
 iniset $NOVA_CONF DEFAULT bindir "/usr/bin"
 fi
+ iniset $NOVA_CONF privsep_osbrick helper_command "sudo nova-rootwrap \$rootwrap_config privsep-helper --config-file $NOVA_CONF"
+
 if is_service_enabled n-api; then
 if is_service_enabled n-api-meta; then
 # If running n-api-meta as a separate service
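Review bot: The added `iniset $NOVA_CONF privsep_osbrick helper_command ...` line mixes two expansion times without a comment: `\$rootwrap_config` is written literally, presumably for the config parser to interpolate later, while `$NOVA_CONF` is expanded by the shell when the file is written. A comment above it would make that explicit, e.g. `# \$rootwrap_config is left literal for the config parser to resolve; $NOVA_CONF is expanded now`. Since this string is the command through which os-brick obtains root, it is worth confirming that `rootwrap_config` is set in the same file and that the rootwrap filters permit `privsep-helper`, as neither is visible in this hunk. The unquoted `$NOVA_CONF` would also split into extra arguments if the path ever contained whitespace. `create_nova_conf` starts and ends outside the hunk.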