Hello community, here is the log from the commit of package python-oslo.rootwrap for openSUSE:Factory checked in at 2017-08-28 15:31:32 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python-oslo.rootwrap (Old) and /work/SRC/openSUSE:Factory/.python-oslo.rootwrap.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "python-oslo.rootwrap" Mon Aug 28 15:31:32 2017 rev:5 rq:514998 version:5.9.0 Changes: -------- --- /work/SRC/openSUSE:Factory/python-oslo.rootwrap/python-oslo.rootwrap.changes 2017-06-08 15:03:11.409439584 +0200 +++ /work/SRC/openSUSE:Factory/.python-oslo.rootwrap.new/python-oslo.rootwrap.changes 2017-08-28 15:31:33.891292174 +0200 
@@ -1,0 +2,20 @@ +Mon Aug 7 13:49:53 UTC 2017 - cloud-devel@suse.de + +- update to version 5.9.0 + - Always check cmd which does not exist + - rearrange existing documentation to fit the new standard layout + - Don't open subdirectories rootwrap filter directories + - [Fix gate]Update test requirement + - Allow rootwrap-daemon to timeout and exit + - Avoid importing Linux specific modules on Windows + - Update URLs in documents according to document migration + - Remove support for py34 + - pbr.version.VersionInfo needs package name (oslo.xyz and not oslo_xyz) + - Update reno for stable/ocata + - [daemon] Close inherited filedescriptors after forking + - Remove pbr warnerrors in favor of sphinx check + - Updated from global requirements + - Switch from oslosphinx to openstackdocstheme + - Trivial: Remove testscenarios from test-requirements.txt + +------------------------------------------------------------------- Old: ---- oslo.rootwrap-5.4.1.tar.gz New: ---- oslo.rootwrap-5.9.0.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-oslo.rootwrap.spec ++++++ --- /var/tmp/diff_new_pack.VcUQTp/_old 2017-08-28 15:31:34.695179160 +0200 +++ /var/tmp/diff_new_pack.VcUQTp/_new 2017-08-28 15:31:34.703178035 +0200 @@ -18,7 +18,7 @@ %global sname oslo.rootwrap Name: python-oslo.rootwrap -Version: 5.4.1 +Version: 5.9.0 Release: 0 Summary: Filtering shell commands to run as root from OpenStack services License: Apache-2.0 @@ -31,7 +31,7 @@ BuildRequires: python-fixtures >= 3.0.0 BuildRequires: python-mock >= 2.0 BuildRequires: python-oslotest >= 1.10.0 -BuildRequires: python-pbr >= 1.8 +BuildRequires: python-pbr >= 2.0.0 BuildRequires: python-python-subunit >= 0.0.18 BuildRequires: python-six >= 1.9.0 BuildRequires: python-testrepository >= 0.0.18 
@@ -53,7 +53,7 @@ Summary: Documentation for OpenStack %{sname} Group: Development/Languages/Python BuildRequires: python-Sphinx -BuildRequires: python-oslosphinx >= 4.7.0 +BuildRequires: python-openstackdocstheme >= 1.11.0 BuildRequires: python-reno >= 1.8.0 %description doc @@ -62,6 +62,7 @@ %prep %autosetup -n %{sname}-%{version} %py_req_cleanup +sed -i 's/^warning-is-error.*/warning-is-error = 0/g' setup.cfg %build %{py2_build} ++++++ _service ++++++ --- /var/tmp/diff_new_pack.VcUQTp/_old 2017-08-28 15:31:34.783166790 +0200 +++ /var/tmp/diff_new_pack.VcUQTp/_new 2017-08-28 15:31:34.783166790 +0200 @@ -1,8 +1,8 @@ <services> <service mode="disabled" name="renderspec"> - <param name="input-template">https://raw.githubusercontent.com/openstack/rpm-packaging/stable/ocata/openstack/oslo.rootwrap/oslo.rootwrap.spec.j2</param> + <param name="input-template">https://raw.githubusercontent.com/openstack/rpm-packaging/stable/pike/openstack/oslo.rootwrap/oslo.rootwrap.spec.j2</param> <param name="output-name">python-oslo.rootwrap.spec</param> - <param name="requirements">https://raw.githubusercontent.com/openstack/rpm-packaging/stable/ocata/global-requirements.txt</param> + <param name="requirements">https://raw.githubusercontent.com/openstack/rpm-packaging/stable/pike/global-requirements.txt</param> <param name="changelog-email">cloud-devel@suse.de</param> <param name="changelog-provider">gh,openstack,oslo.rootwrap</param> </service> ++++++ oslo.rootwrap-5.4.1.tar.gz -> oslo.rootwrap-5.9.0.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.rootwrap-5.4.1/AUTHORS new/oslo.rootwrap-5.9.0/AUTHORS --- old/oslo.rootwrap-5.4.1/AUTHORS 2017-05-22 19:07:39.000000000 +0200 +++ new/oslo.rootwrap-5.9.0/AUTHORS 2017-07-18 15:10:50.000000000 +0200 @@ -1,3 +1,4 @@ +Akihiro Motoki <amotoki@gmail.com> Andreas Jaeger <aj@suse.com> Angus Lees <gus@inodes.org> Bogdan Dobrelya <bdobrelia@mirantis.com> 
@@ -33,6 +34,7 @@ Sergey Kraynev <skraynev@mirantis.com> Sergey Lukjanov <slukjanov@mirantis.com> Stanislav Kudriashev <skudriashev@griddynamics.com> +Stephen Ma <stephen.ma@hpe.com> Steve Martinelli <stevemar@ca.ibm.com> Swapnil Kulkarni (coolsvap) <me@coolsvap.net> Thierry Carrez <thierry@openstack.org> @@ -41,6 +43,8 @@ Tony Breeds <tony@bakeyournoodle.com> Tony Xu <hhktony@gmail.com> Victor Stinner <vstinner@redhat.com> +Vu Cong Tuan <tuanvc@vn.fujitsu.com> +XianChaobo <xianchaobo@huawei.com> Yatin Kumbhare <yatinkumbhare@gmail.com> Yufang Zhang <zhangyufang@360.cn> Yuriy Taraday <yorik.sar@gmail.com> @@ -48,5 +52,7 @@ Zhongyue Luo <zhongyue.nah@intel.com> fumihiko kakuma <kakuma@valinux.co.jp> howardlee <lihongweibj@inspur.com> +melissaml <ma.lei@99cloud.net> +ricolin <rico.lin@easystack.cn> sonu.kumar <sonu.kumar@nectechnologies.in> yan.haifeng <yanheven@qq.com> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.rootwrap-5.4.1/ChangeLog new/oslo.rootwrap-5.9.0/ChangeLog --- old/oslo.rootwrap-5.4.1/ChangeLog 2017-05-22 19:07:39.000000000 +0200 +++ new/oslo.rootwrap-5.9.0/ChangeLog 2017-07-18 15:10:50.000000000 +0200 
@@ -1,14 +1,45 @@ CHANGES ======= -5.4.1 +5.9.0 ----- +* Update URLs in documents according to document migration + +5.8.0 +----- + +* rearrange existing documentation to fit the new standard layout +* Switch from oslosphinx to openstackdocstheme +* Updated from global requirements +* Remove pbr warnerrors in favor of sphinx check +* Updated from global requirements +* Updated from global requirements +* Updated from global requirements + +5.7.0 +----- + +* Trivial: Remove testscenarios from test-requirements.txt + +5.6.0 +----- + + +5.5.0 +----- + +* Updated from global requirements +* [Fix gate]Update test requirement * Allow rootwrap-daemon to timeout and exit +* Don't open subdirectories rootwrap filter directories * Avoid importing Linux specific modules on Windows +* Always check cmd which does not exist +* Updated from global requirements +* Remove support for py34 +* pbr.version.VersionInfo needs package name (oslo.xyz and not oslo\_xyz) * [daemon] Close inherited filedescriptors after forking -* Update UPPER_CONSTRAINTS_FILE for stable/ocata -* Update .gitreview for stable/ocata +* Update reno for stable/ocata 5.4.0 ----- @@ -30,7 +61,7 @@ ----- * Update homepage with developer documentation page -* Enhance _program() and _program_path() +* Enhance \_program() and \_program\_path() 5.1.0 ----- @@ -143,9 +174,9 @@ 1.8.0 ----- -* Remove run_cross_tests.sh +* Remove run\_cross\_tests.sh * Updated from global requirements -* Remove mentions of root "tests" package from test_funcional_* +* Remove mentions of root "tests" package from test\_funcional\_\* * Generate a oslo-rootwrap console script 1.7.0 @@ -172,7 +203,7 @@ * Add cross-testing script * Updated from global requirements * Move files out of the namespace package -* Activate pep8 check that _ is imported +* Activate pep8 check that \_ is imported * Workflow documentation is now in infra-manual 1.4.0 
@@ -228,14 +259,14 @@ * Avoid matching ip -s netns exec in IpFilter * Don't use system pip things in tox * Add Python 3 trove classifiers -* To honor RFC5424 add use_syslog_rfc_format config option +* To honor RFC5424 add use\_syslog\_rfc\_format config option * Trivial changes from oslo-incubator 1.1.0 ----- * Discontinue usage of oslo-rootwrap -* Add missing oslo/__init__.py +* Add missing oslo/\_\_init\_\_.py * Fix spelling errors in comments 1.0.0 @@ -264,7 +295,7 @@ * Enable hacking H402 test * Update KillFilter to stop at '\0' for readlink() function * Stylistic improvements from quantum-rootwrap -* Use print_function __future__ import +* Use print\_function \_\_future\_\_ import * Revert common logging use in rootwrap * Improve Python 3.x compatibility * Replaces standard logging with common logging diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.rootwrap-5.4.1/PKG-INFO new/oslo.rootwrap-5.9.0/PKG-INFO --- old/oslo.rootwrap-5.4.1/PKG-INFO 2017-05-22 19:07:39.000000000 +0200 +++ new/oslo.rootwrap-5.9.0/PKG-INFO 2017-07-18 15:10:50.000000000 +0200 @@ -1,8 +1,8 @@ Metadata-Version: 1.1 Name: oslo.rootwrap -Version: 5.4.1 +Version: 5.9.0 Summary: Oslo Rootwrap -Home-page: http://docs.openstack.org/developer/oslo.rootwrap +Home-page: https://docs.openstack.org/oslo.rootwrap/latest/ Author: OpenStack Author-email: openstack-dev@lists.openstack.org License: UNKNOWN @@ -31,9 +31,9 @@ as `root` from OpenStack services. * License: Apache License, Version 2.0 - * Documentation: http://docs.openstack.org/developer/oslo.rootwrap - * Source: http://git.openstack.org/cgit/openstack/oslo.rootwrap - * Bugs: http://bugs.launchpad.net/oslo.rootwrap + * Documentation: https://docs.openstack.org/oslo.rootwrap/latest/ + * Source: https://git.openstack.org/cgit/openstack/oslo.rootwrap + * Bugs: https://bugs.launchpad.net/oslo.rootwrap Platform: UNKNOWN 
@@ -46,5 +46,4 @@ Classifier: Programming Language :: Python Classifier: Programming Language :: Python :: 2.7 Classifier: Programming Language :: Python :: 3 -Classifier: Programming Language :: Python :: 3.4 Classifier: Programming Language :: Python :: 3.5 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.rootwrap-5.4.1/README.rst new/oslo.rootwrap-5.9.0/README.rst --- old/oslo.rootwrap-5.4.1/README.rst 2017-05-22 19:05:28.000000000 +0200 +++ new/oslo.rootwrap-5.9.0/README.rst 2017-07-18 15:08:47.000000000 +0200 @@ -23,6 +23,6 @@ as `root` from OpenStack services. * License: Apache License, Version 2.0 -* Documentation: http://docs.openstack.org/developer/oslo.rootwrap -* Source: http://git.openstack.org/cgit/openstack/oslo.rootwrap -* Bugs: http://bugs.launchpad.net/oslo.rootwrap +* Documentation: https://docs.openstack.org/oslo.rootwrap/latest/ +* Source: https://git.openstack.org/cgit/openstack/oslo.rootwrap +* Bugs: https://bugs.launchpad.net/oslo.rootwrap diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.rootwrap-5.4.1/doc/source/conf.py new/oslo.rootwrap-5.9.0/doc/source/conf.py --- old/oslo.rootwrap-5.4.1/doc/source/conf.py 2017-05-22 19:05:28.000000000 +0200 +++ new/oslo.rootwrap-5.9.0/doc/source/conf.py 2017-07-18 15:08:47.000000000 +0200 @@ -23,9 +23,14 @@ extensions = [ 'sphinx.ext.autodoc', #'sphinx.ext.intersphinx', - 'oslosphinx' + 'openstackdocstheme', ] +# openstackdocstheme options +repository_name = 'openstack/oslo.rootwrap' +bug_project = 'oslo.rootwrap' +bug_tag = '' + # autodoc generation is a bit aggressive and a nuisance when doing heavy # text edit cycles. # execute "export SPHINX_DEBUG=1" in your terminal to disable 
@@ -57,6 +62,9 @@ # html_theme_path = ["."] # html_theme = '_theme' # html_static_path = ['static'] +html_theme = 'openstackdocs' + +html_last_updated_fmt = '%Y-%m-%d %H:%M' # Output file base name for HTML help builder. htmlhelp_basename = '%sdoc' % project @@ -72,4 +80,4 @@ ] # Example configuration for intersphinx: refer to the Python standard library. -#intersphinx_mapping = {'http://docs.python.org/': None} \ No newline at end of file +#intersphinx_mapping = {'http://docs.python.org/': None} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.rootwrap-5.4.1/doc/source/contributing.rst new/oslo.rootwrap-5.9.0/doc/source/contributing.rst --- old/oslo.rootwrap-5.4.1/doc/source/contributing.rst 2017-05-22 19:05:28.000000000 +0200 +++ new/oslo.rootwrap-5.9.0/doc/source/contributing.rst 1970-01-01 01:00:00.000000000 +0100 @@ -1,5 +0,0 @@ -============= -Contributing -============= - -.. include:: ../../CONTRIBUTING.rst diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.rootwrap-5.4.1/doc/source/contributor/index.rst new/oslo.rootwrap-5.9.0/doc/source/contributor/index.rst --- old/oslo.rootwrap-5.4.1/doc/source/contributor/index.rst 1970-01-01 01:00:00.000000000 +0100 +++ new/oslo.rootwrap-5.9.0/doc/source/contributor/index.rst 2017-07-18 15:08:47.000000000 +0200 @@ -0,0 +1,5 @@ +============= +Contributing +============= + +.. include:: ../../../CONTRIBUTING.rst diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.rootwrap-5.4.1/doc/source/history.rst new/oslo.rootwrap-5.9.0/doc/source/history.rst --- old/oslo.rootwrap-5.4.1/doc/source/history.rst 2017-05-22 19:05:28.000000000 +0200 +++ new/oslo.rootwrap-5.9.0/doc/source/history.rst 1970-01-01 01:00:00.000000000 +0100 
@@ -1 +0,0 @@ -.. include:: ../../ChangeLog diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.rootwrap-5.4.1/doc/source/index.rst new/oslo.rootwrap-5.9.0/doc/source/index.rst --- old/oslo.rootwrap-5.4.1/doc/source/index.rst 2017-05-22 19:05:28.000000000 +0200 +++ new/oslo.rootwrap-5.9.0/doc/source/index.rst 2017-07-18 15:08:47.000000000 +0200 @@ -8,20 +8,11 @@ .. toctree:: :maxdepth: 2 - installation - usage - contributing + install/index + user/index + contributor/index -Release Notes -============= - -.. toctree:: - :maxdepth: 1 - - history - -Indices and tables -================== +.. rubric:: Indices and tables * :ref:`genindex` * :ref:`modindex` diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.rootwrap-5.4.1/doc/source/install/index.rst new/oslo.rootwrap-5.9.0/doc/source/install/index.rst --- old/oslo.rootwrap-5.4.1/doc/source/install/index.rst 1970-01-01 01:00:00.000000000 +0100 +++ new/oslo.rootwrap-5.9.0/doc/source/install/index.rst 2017-07-18 15:08:47.000000000 +0200 @@ -0,0 +1,12 @@ +============ +Installation +============ + +At the command line:: + + $ pip install oslo.rootwrap + +Or, if you have virtualenvwrapper installed:: + + $ mkvirtualenv oslo.rootwrap + $ pip install oslo.rootwrap \ No newline at end of file diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.rootwrap-5.4.1/doc/source/installation.rst new/oslo.rootwrap-5.9.0/doc/source/installation.rst --- old/oslo.rootwrap-5.4.1/doc/source/installation.rst 2017-05-22 19:05:28.000000000 +0200 +++ new/oslo.rootwrap-5.9.0/doc/source/installation.rst 1970-01-01 01:00:00.000000000 +0100 
@@ -1,12 +0,0 @@ -============ -Installation -============ - -At the command line:: - - $ pip install oslo.rootwrap - -Or, if you have virtualenvwrapper installed:: - - $ mkvirtualenv oslo.rootwrap - $ pip install oslo.rootwrap \ No newline at end of file diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.rootwrap-5.4.1/doc/source/usage.rst new/oslo.rootwrap-5.9.0/doc/source/usage.rst --- old/oslo.rootwrap-5.4.1/doc/source/usage.rst 2017-05-22 19:05:28.000000000 +0200 +++ new/oslo.rootwrap-5.9.0/doc/source/usage.rst 1970-01-01 01:00:00.000000000 +0100 
@@ -1,338 +0,0 @@ -===== -Usage -===== - -Rootwrap should be used as a separate Python process calling the -``oslo_rootwrap.cmd:main`` function. You can set up a specific console_script -calling into ``oslo_rootwrap.cmd:main``, called for example ``nova-rootwrap``. -To keep things simple, this document will consider that your console_script -is called ``/usr/bin/nova-rootwrap``. - -The rootwrap command line should be called under `sudo`. It's first parameter -is the configuration file to use, and the remainder of the parameters are the -command line to execute: - -:: - - sudo nova-rootwrap ROOTWRAP_CONFIG COMMAND_LINE - - -How rootwrap works -================== - -OpenStack services generally run under a specific, unprivileged user. However, -sometimes they need to run a command as ``root``. Instead of just calling -``sudo make me a sandwich`` and have a blanket ``sudoers`` permission to always -escalate rights from their unprivileged users to ``root``, those services can -call ``sudo nova-rootwrap /etc/nova/rootwrap.conf make me a sandwich``. - -A sudoers entry lets the unprivileged user run ``nova-rootwrap`` as ``root``. -``nova-rootwrap`` looks for filter definition directories in its configuration -file, and loads command filters from them. Then it checks if the command -requested by the OpenStack service matches one of those filters, in which -case it executes the command (as ``root``). If no filter matches, it denies -the request. This allows for complex filtering of allowed commands, as well -as shipping filter definitions together with the OpenStack code that needs -them. - -Security model -============== - -The escalation path is fully controlled by the ``root`` user. A ``sudoers`` entry -(owned by ``root``) allows the unprivileged user to run (as ``root``) a specific -rootwrap executable, and only with a specific configuration file (which should -be owned by ``root``) as its first parameter. 
- -``nova-rootwrap`` imports the Python modules it needs from a cleaned (and -system-default) ``PYTHONPATH``. The configuration file points to root-owned -filter definition directories, which contain root-owned filters definition -files. This chain ensures that the unprivileged user itself is never in -control of the configuration or modules used by the ``nova-rootwrap`` executable. - -Installation -============ - -All nodes wishing to run ``nova-rootwrap`` should contain a ``sudoers`` entry that -lets the unprivileged user run ``nova-rootwrap`` as ``root``, pointing to the -root-owned ``rootwrap.conf`` configuration file and allowing any parameter -after that. For example, Nova nodes should have this line in their ``sudoers`` -file, to allow the ``nova`` user to call ``sudo nova-rootwrap``:: - - nova ALL = (root) NOPASSWD: /usr/bin/nova-rootwrap /etc/nova/rootwrap.conf * - -Then the node also should ship the filter definitions corresponding to its -usage of ``nova-rootwrap``. You should not install any other filters file on -that node, otherwise you would allow extra unneeded commands to be run as -``root``. - -The filter file(s) corresponding to the node must be installed in one of the -filters_path directories. For example, on Nova compute nodes, you should only -have ``compute.filters`` installed. The file should be owned and writeable only -by the ``root`` user. - -Rootwrap configuration -====================== - -The ``rootwrap.conf`` file is used to influence how ``nova-rootwrap`` works. Since -it's in the trusted security path, it needs to be owned and writeable only by -the ``root`` user. Its location is specified in the ``sudoers`` entry, and must be -provided on ``nova-rootwrap`` command line as its first argument. - -``rootwrap.conf`` uses an *INI* file format with the following sections and -parameters: - -[DEFAULT] section ------------------ - -filters_path - Comma-separated list of directories containing filter definition files. 
- All directories listed must be owned and only writeable by ``root``. - This is the only mandatory parameter. - Example: - ``filters_path=/etc/nova/rootwrap.d,/usr/share/nova/rootwrap`` - -exec_dirs - Comma-separated list of directories to search executables in, in case - filters do not explicitly specify a full path. If not specified, defaults - to the system ``PATH`` environment variable. All directories listed must be - owned and only writeable by ``root``. Example: - ``exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin`` - -use_syslog - Enable logging to syslog. Default value is False. Example: - ``use_syslog=True`` - -syslog_log_facility - Which syslog facility to use for syslog logging. Valid values include - ``auth``, ``authpriv``, ``syslog``, ``user0``, ``user1``... - Default value is ``syslog``. Example: - ``syslog_log_facility=syslog`` - -syslog_log_level - Which messages to log. ``INFO`` means log all usage, ``ERROR`` means only log - unsuccessful attempts. Example: - ``syslog_log_level=ERROR`` - -.filters files -============== - -Filters definition files contain lists of filters that ``nova-rootwrap`` will -use to allow or deny a specific command. They are generally suffixed by -``.filters``. Since they are in the trusted security path, they need to be -owned and writeable only by the ``root`` user. Their location is specified -in the ``rootwrap.conf`` file. - -It uses an *INI* file format with a ``[Filters]`` section and several lines, -each with a unique parameter name (different for each filter you define): - -[Filters] section ------------------ - -filter_name (different for each filter) - Comma-separated list containing first the Filter class to use, followed - by that Filter arguments (which vary depending on the Filter class - selected). Example: - ``kpartx: CommandFilter, /sbin/kpartx, root`` - - -Available filter classes -======================== - -CommandFilter -------------- - -Basic filter that only checks the executable called. Parameters are: - -1. 
Executable allowed -2. User to run the command under - -Example: allow to run kpartx as the root user, with any parameters:: - - kpartx: CommandFilter, kpartx, root - -RegExpFilter ------------- - -Generic filter that checks the executable called, then uses a list of regular -expressions to check all subsequent arguments. Parameters are: - -1. Executable allowed -2. User to run the command under -3. (and following) Regular expressions to use to match first (and subsequent) - command arguments - -Example: allow to run ``/usr/sbin/tunctl``, but only with three parameters with -the first two being -b and -t:: - - tunctl: RegExpFilter, /usr/sbin/tunctl, root, tunctl, -b, -t, .* - -PathFilter ----------- - -Generic filter that lets you check that paths provided as parameters fall -under a given directory. Parameters are: - -1. Executable allowed -2. User to run the command under -3. (and following) Command arguments. - -There are three types of command arguments: ``pass`` will accept any parameter -value, a string will only accept the corresponding string as a parameter, -except if the string starts with '/' in which case it will accept any path -that resolves under the corresponding directory. - -Example: allow to chown to the 'nova' user any file under /var/lib/images:: - - chown: PathFilter, /bin/chown, root, nova, /var/lib/images - -EnvFilter ---------- - -Filter allowing extra environment variables to be set by the calling code. -Parameters are: - -1. ``env`` -2. User to run the command under -3. (and following) name of the environment variables that can be set, - suffixed by ``=`` -4. Executable allowed - -Example: allow to run ``CONFIG_FILE=foo NETWORK_ID=bar dnsmasq ...`` as root:: - - dnsmasq: EnvFilter, env, root, CONFIG_FILE=, NETWORK_ID=, dnsmasq - -ReadFileFilter --------------- - -Specific filter that lets you read files as ``root`` using ``cat``. -Parameters are: - -1. Path to the file that you want to read as the ``root`` user. 
- -Example: allow to run ``cat /etc/iscsi/initiatorname.iscsi`` as ``root``:: - - read_initiator: ReadFileFilter, /etc/iscsi/initiatorname.iscsi - -KillFilter ----------- - -Kill-specific filter that checks the affected process and the signal sent -before allowing the command. Parameters are: - -1. User to run ``kill`` under -2. Only affect processes running that executable -3. (and following) Signals you're allowed to send - -Example: allow to send ``-9`` or ``-HUP`` signals to -``/usr/sbin/dnsmasq`` processes:: - - kill_dnsmasq: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP - -IpFilter --------- - -ip-specific filter that allows to run any ``ip`` command, except for ``ip netns`` -(in which case it only allows the list, add and delete subcommands). -Parameters are: - -1. ``ip`` -2. User to run ``ip`` under - -Example: allow to run any ``ip`` command except ``ip netns exec`` and -``ip netns monitor``:: - - ip: IpFilter, ip, root - -IpNetnsExecFilter ------------------ - -ip-specific filter that allows to run any otherwise-allowed command under -``ip netns exec``. The command specified to ``ip netns exec`` must match another -filter for this filter to accept it. Parameters are: - -1. ``ip`` -2. User to run ``ip`` under - -Example: allow to run ``ip netns exec <namespace> <command>`` as long as -``<command>`` matches another filter:: - - ip: IpNetnsExecFilter, ip, root - -ChainingRegExpFilter --------------------- - -Filter that allows to run the prefix command, if the beginning of its arguments -match to a list of regular expressions, and if remaining arguments are any -otherwise-allowed command. Parameters are: - -1. Executable allowed -2. User to run the command under -3. (and following) Regular expressions to use to match first (and subsequent) - command arguments. - -This filter regards the length of the regular expressions list as the number of -arguments to be checked, and remaining parts are checked by other filters. 
- -Example: allow to run ``/usr/bin/nice``, but only with first two parameters being --n and integer, and followed by any allowed command by the other filters:: - - nice: ChainingRegExpFilter, /usr/bin/nice, root, nice, -n, -?\d+ - -Note: this filter can't be used to impose that the subcommand is always run -under the prefix command. In particular, it can't enforce that a particular -command is only run under "nice", since the subcommand can explicitly be -called directly. - - -Calling rootwrap from OpenStack services -======================================== - -Standalone mode (``sudo`` way) ------------------------------- - -The ``oslo.processutils`` library ships with a convenience ``execute()`` function -that can be used to call shell commands as ``root``, if you call it with the -following parameters:: - - run_as_root=True - - root_helper='sudo nova-rootwrap /etc/nova/rootwrap.conf - -NB: Some services ship with a ``utils.execute()`` convenience function that -automatically sets ``root_helper`` based on the value of a ``rootwrap_config`` -parameter, so only ``run_as_root=True`` needs to be set. - -If you want to call as ``root`` a previously-unauthorized command, you will also -need to modify the filters (generally shipped in the source tree under -``etc/rootwrap.d`` so that the command you want to run as ``root`` will actually -be allowed by ``nova-rootwrap``. - -Daemon mode ------------ - -Since 1.3.0 version ``oslo.rootwrap`` supports "daemon mode". In this mode -rootwrap would start, read config file and wait for commands to be run with -root privileges. All communications with the daemon should go through -``Client`` class that resides in ``oslo_rootwrap.client`` module. - -Its constructor expects one argument - a list that can be passed to ``Popen`` -to create rootwrap daemon process. For ``root_helper`` above it will be -``["sudo", "nova-rootwrap-daemon", "/etc/neutron/rootwrap.conf"]``, -for example. 
Note that it uses a separate script that points to -``oslo_rootwrap.cmd:daemon`` endpoint (instead of ``:main``). - -The class provides one method ``execute`` with following arguments: - -* ``userargs`` - list of command line arguments that are to be used to run the - command; -* ``stdin`` - string to be passed to standard input of child process. - -The method returns 3-tuple containing: - -* return code of child process; -* string containing everything captured from its stdout stream; -* string containing everything captured from its stderr stream. - -The class lazily creates an instance of the daemon, connects to it and passes -arguments. This daemon can die or be killed, ``Client`` will respawn it and/or -reconnect to it as necessary. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.rootwrap-5.4.1/doc/source/user/history.rst new/oslo.rootwrap-5.9.0/doc/source/user/history.rst --- old/oslo.rootwrap-5.4.1/doc/source/user/history.rst 1970-01-01 01:00:00.000000000 +0100 +++ new/oslo.rootwrap-5.9.0/doc/source/user/history.rst 2017-07-18 15:08:47.000000000 +0200 @@ -0,0 +1 @@ +.. include:: ../../../ChangeLog diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.rootwrap-5.4.1/doc/source/user/index.rst new/oslo.rootwrap-5.9.0/doc/source/user/index.rst --- old/oslo.rootwrap-5.4.1/doc/source/user/index.rst 1970-01-01 01:00:00.000000000 +0100 +++ new/oslo.rootwrap-5.9.0/doc/source/user/index.rst 2017-07-18 15:08:47.000000000 +0200 
@@ -0,0 +1,9 @@ +=================== +Using oslo.rootwrap +=================== + +.. toctree:: + :maxdepth: 2 + + usage + history diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.rootwrap-5.4.1/doc/source/user/usage.rst new/oslo.rootwrap-5.9.0/doc/source/user/usage.rst --- old/oslo.rootwrap-5.4.1/doc/source/user/usage.rst 1970-01-01 01:00:00.000000000 +0100 +++ new/oslo.rootwrap-5.9.0/doc/source/user/usage.rst 2017-07-18 15:08:47.000000000 +0200 
@@ -0,0 +1,338 @@ +===== +Usage +===== + +Rootwrap should be used as a separate Python process calling the +``oslo_rootwrap.cmd:main`` function. You can set up a specific console_script +calling into ``oslo_rootwrap.cmd:main``, called for example ``nova-rootwrap``. +To keep things simple, this document will consider that your console_script +is called ``/usr/bin/nova-rootwrap``. + +The rootwrap command line should be called under `sudo`. It's first parameter +is the configuration file to use, and the remainder of the parameters are the +command line to execute: + +:: + + sudo nova-rootwrap ROOTWRAP_CONFIG COMMAND_LINE + + +How rootwrap works +================== + +OpenStack services generally run under a specific, unprivileged user. However, +sometimes they need to run a command as ``root``. Instead of just calling +``sudo make me a sandwich`` and have a blanket ``sudoers`` permission to always +escalate rights from their unprivileged users to ``root``, those services can +call ``sudo nova-rootwrap /etc/nova/rootwrap.conf make me a sandwich``. + +A sudoers entry lets the unprivileged user run ``nova-rootwrap`` as ``root``. +``nova-rootwrap`` looks for filter definition directories in its configuration +file, and loads command filters from them. Then it checks if the command +requested by the OpenStack service matches one of those filters, in which +case it executes the command (as ``root``). If no filter matches, it denies +the request. This allows for complex filtering of allowed commands, as well +as shipping filter definitions together with the OpenStack code that needs +them. + +Security model +============== + +The escalation path is fully controlled by the ``root`` user. A ``sudoers`` entry +(owned by ``root``) allows the unprivileged user to run (as ``root``) a specific +rootwrap executable, and only with a specific configuration file (which should +be owned by ``root``) as its first parameter. 
+ +``nova-rootwrap`` imports the Python modules it needs from a cleaned (and +system-default) ``PYTHONPATH``. The configuration file points to root-owned +filter definition directories, which contain root-owned filters definition +files. This chain ensures that the unprivileged user itself is never in +control of the configuration or modules used by the ``nova-rootwrap`` executable. + +Installation +============ + +All nodes wishing to run ``nova-rootwrap`` should contain a ``sudoers`` entry that +lets the unprivileged user run ``nova-rootwrap`` as ``root``, pointing to the +root-owned ``rootwrap.conf`` configuration file and allowing any parameter +after that. For example, Nova nodes should have this line in their ``sudoers`` +file, to allow the ``nova`` user to call ``sudo nova-rootwrap``:: + + nova ALL = (root) NOPASSWD: /usr/bin/nova-rootwrap /etc/nova/rootwrap.conf * + +Then the node also should ship the filter definitions corresponding to its +usage of ``nova-rootwrap``. You should not install any other filters file on +that node, otherwise you would allow extra unneeded commands to be run as +``root``. + +The filter file(s) corresponding to the node must be installed in one of the +filters_path directories. For example, on Nova compute nodes, you should only +have ``compute.filters`` installed. The file should be owned and writeable only +by the ``root`` user. + +Rootwrap configuration +====================== + +The ``rootwrap.conf`` file is used to influence how ``nova-rootwrap`` works. Since +it's in the trusted security path, it needs to be owned and writeable only by +the ``root`` user. Its location is specified in the ``sudoers`` entry, and must be +provided on ``nova-rootwrap`` command line as its first argument. + +``rootwrap.conf`` uses an *INI* file format with the following sections and +parameters: + +[DEFAULT] section +----------------- + +filters_path + Comma-separated list of directories containing filter definition files. 
+ All directories listed must be owned and only writeable by ``root``. + This is the only mandatory parameter. + Example: + ``filters_path=/etc/nova/rootwrap.d,/usr/share/nova/rootwrap`` + +exec_dirs + Comma-separated list of directories to search executables in, in case + filters do not explicitly specify a full path. If not specified, defaults + to the system ``PATH`` environment variable. All directories listed must be + owned and only writeable by ``root``. Example: + ``exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin`` + +use_syslog + Enable logging to syslog. Default value is False. Example: + ``use_syslog=True`` + +syslog_log_facility + Which syslog facility to use for syslog logging. Valid values include + ``auth``, ``authpriv``, ``syslog``, ``user0``, ``user1``... + Default value is ``syslog``. Example: + ``syslog_log_facility=syslog`` + +syslog_log_level + Which messages to log. ``INFO`` means log all usage, ``ERROR`` means only log + unsuccessful attempts. Example: + ``syslog_log_level=ERROR`` + +.filters files +============== + +Filters definition files contain lists of filters that ``nova-rootwrap`` will +use to allow or deny a specific command. They are generally suffixed by +``.filters``. Since they are in the trusted security path, they need to be +owned and writeable only by the ``root`` user. Their location is specified +in the ``rootwrap.conf`` file. + +It uses an *INI* file format with a ``[Filters]`` section and several lines, +each with a unique parameter name (different for each filter you define): + +[Filters] section +----------------- + +filter_name (different for each filter) + Comma-separated list containing first the Filter class to use, followed + by that Filter arguments (which vary depending on the Filter class + selected). Example: + ``kpartx: CommandFilter, /sbin/kpartx, root`` + + +Available filter classes +======================== + +CommandFilter +------------- + +Basic filter that only checks the executable called. Parameters are: + +1. 
Executable allowed +2. User to run the command under + +Example: allow to run kpartx as the root user, with any parameters:: + + kpartx: CommandFilter, kpartx, root + +RegExpFilter +------------ + +Generic filter that checks the executable called, then uses a list of regular +expressions to check all subsequent arguments. Parameters are: + +1. Executable allowed +2. User to run the command under +3. (and following) Regular expressions to use to match first (and subsequent) + command arguments + +Example: allow to run ``/usr/sbin/tunctl``, but only with three parameters with +the first two being -b and -t:: + + tunctl: RegExpFilter, /usr/sbin/tunctl, root, tunctl, -b, -t, .* + +PathFilter +---------- + +Generic filter that lets you check that paths provided as parameters fall +under a given directory. Parameters are: + +1. Executable allowed +2. User to run the command under +3. (and following) Command arguments. + +There are three types of command arguments: ``pass`` will accept any parameter +value, a string will only accept the corresponding string as a parameter, +except if the string starts with '/' in which case it will accept any path +that resolves under the corresponding directory. + +Example: allow to chown to the 'nova' user any file under /var/lib/images:: + + chown: PathFilter, /bin/chown, root, nova, /var/lib/images + +EnvFilter +--------- + +Filter allowing extra environment variables to be set by the calling code. +Parameters are: + +1. ``env`` +2. User to run the command under +3. (and following) name of the environment variables that can be set, + suffixed by ``=`` +4. Executable allowed + +Example: allow to run ``CONFIG_FILE=foo NETWORK_ID=bar dnsmasq ...`` as root:: + + dnsmasq: EnvFilter, env, root, CONFIG_FILE=, NETWORK_ID=, dnsmasq + +ReadFileFilter +-------------- + +Specific filter that lets you read files as ``root`` using ``cat``. +Parameters are: + +1. Path to the file that you want to read as the ``root`` user. 
+ +Example: allow to run ``cat /etc/iscsi/initiatorname.iscsi`` as ``root``:: + + read_initiator: ReadFileFilter, /etc/iscsi/initiatorname.iscsi + +KillFilter +---------- + +Kill-specific filter that checks the affected process and the signal sent +before allowing the command. Parameters are: + +1. User to run ``kill`` under +2. Only affect processes running that executable +3. (and following) Signals you're allowed to send + +Example: allow to send ``-9`` or ``-HUP`` signals to +``/usr/sbin/dnsmasq`` processes:: + + kill_dnsmasq: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP + +IpFilter +-------- + +ip-specific filter that allows to run any ``ip`` command, except for ``ip netns`` +(in which case it only allows the list, add and delete subcommands). +Parameters are: + +1. ``ip`` +2. User to run ``ip`` under + +Example: allow to run any ``ip`` command except ``ip netns exec`` and +``ip netns monitor``:: + + ip: IpFilter, ip, root + +IpNetnsExecFilter +----------------- + +ip-specific filter that allows to run any otherwise-allowed command under +``ip netns exec``. The command specified to ``ip netns exec`` must match another +filter for this filter to accept it. Parameters are: + +1. ``ip`` +2. User to run ``ip`` under + +Example: allow to run ``ip netns exec <namespace> <command>`` as long as +``<command>`` matches another filter:: + + ip: IpNetnsExecFilter, ip, root + +ChainingRegExpFilter +-------------------- + +Filter that allows to run the prefix command, if the beginning of its arguments +match to a list of regular expressions, and if remaining arguments are any +otherwise-allowed command. Parameters are: + +1. Executable allowed +2. User to run the command under +3. (and following) Regular expressions to use to match first (and subsequent) + command arguments. + +This filter regards the length of the regular expressions list as the number of +arguments to be checked, and remaining parts are checked by other filters. 
+ +Example: allow to run ``/usr/bin/nice``, but only with first two parameters being +-n and integer, and followed by any allowed command by the other filters:: + + nice: ChainingRegExpFilter, /usr/bin/nice, root, nice, -n, -?\d+ + +Note: this filter can't be used to impose that the subcommand is always run +under the prefix command. In particular, it can't enforce that a particular +command is only run under "nice", since the subcommand can explicitly be +called directly. + + +Calling rootwrap from OpenStack services +======================================== + +Standalone mode (``sudo`` way) +------------------------------ + +The ``oslo.processutils`` library ships with a convenience ``execute()`` function +that can be used to call shell commands as ``root``, if you call it with the +following parameters:: + + run_as_root=True + + root_helper='sudo nova-rootwrap /etc/nova/rootwrap.conf + +NB: Some services ship with a ``utils.execute()`` convenience function that +automatically sets ``root_helper`` based on the value of a ``rootwrap_config`` +parameter, so only ``run_as_root=True`` needs to be set. + +If you want to call as ``root`` a previously-unauthorized command, you will also +need to modify the filters (generally shipped in the source tree under +``etc/rootwrap.d`` so that the command you want to run as ``root`` will actually +be allowed by ``nova-rootwrap``. + +Daemon mode +----------- + +Since 1.3.0 version ``oslo.rootwrap`` supports "daemon mode". In this mode +rootwrap would start, read config file and wait for commands to be run with +root privileges. All communications with the daemon should go through +``Client`` class that resides in ``oslo_rootwrap.client`` module. + +Its constructor expects one argument - a list that can be passed to ``Popen`` +to create rootwrap daemon process. For ``root_helper`` above it will be +``["sudo", "nova-rootwrap-daemon", "/etc/neutron/rootwrap.conf"]``, +for example. 
Note that it uses a separate script that points to +``oslo_rootwrap.cmd:daemon`` endpoint (instead of ``:main``). + +The class provides one method ``execute`` with following arguments: + +* ``userargs`` - list of command line arguments that are to be used to run the + command; +* ``stdin`` - string to be passed to standard input of child process. + +The method returns 3-tuple containing: + +* return code of child process; +* string containing everything captured from its stdout stream; +* string containing everything captured from its stderr stream. + +The class lazily creates an instance of the daemon, connects to it and passes +arguments. This daemon can die or be killed, ``Client`` will respawn it and/or +reconnect to it as necessary. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.rootwrap-5.4.1/oslo.rootwrap.egg-info/PKG-INFO new/oslo.rootwrap-5.9.0/oslo.rootwrap.egg-info/PKG-INFO --- old/oslo.rootwrap-5.4.1/oslo.rootwrap.egg-info/PKG-INFO 2017-05-22 19:07:39.000000000 +0200 +++ new/oslo.rootwrap-5.9.0/oslo.rootwrap.egg-info/PKG-INFO 2017-07-18 15:10:50.000000000 +0200 @@ -1,8 +1,8 @@ Metadata-Version: 1.1 Name: oslo.rootwrap -Version: 5.4.1 +Version: 5.9.0 Summary: Oslo Rootwrap -Home-page: http://docs.openstack.org/developer/oslo.rootwrap +Home-page: https://docs.openstack.org/oslo.rootwrap/latest/ Author: OpenStack Author-email: openstack-dev@lists.openstack.org License: UNKNOWN @@ -31,9 +31,9 @@ as `root` from OpenStack services. * License: Apache License, Version 2.0 - * Documentation: http://docs.openstack.org/developer/oslo.rootwrap - * Source: http://git.openstack.org/cgit/openstack/oslo.rootwrap - * Bugs: http://bugs.launchpad.net/oslo.rootwrap + * Documentation: https://docs.openstack.org/oslo.rootwrap/latest/ + * Source: https://git.openstack.org/cgit/openstack/oslo.rootwrap + * Bugs: https://bugs.launchpad.net/oslo.rootwrap Platform: UNKNOWN 
@@ -46,5 +46,4 @@ Classifier: Programming Language :: Python Classifier: Programming Language :: Python :: 2.7 Classifier: Programming Language :: Python :: 3 -Classifier: Programming Language :: Python :: 3.4 Classifier: Programming Language :: Python :: 3.5 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.rootwrap-5.4.1/oslo.rootwrap.egg-info/SOURCES.txt new/oslo.rootwrap-5.9.0/oslo.rootwrap.egg-info/SOURCES.txt --- old/oslo.rootwrap-5.4.1/oslo.rootwrap.egg-info/SOURCES.txt 2017-05-22 19:07:39.000000000 +0200 +++ new/oslo.rootwrap-5.9.0/oslo.rootwrap.egg-info/SOURCES.txt 2017-07-18 15:10:50.000000000 +0200 @@ -13,11 +13,12 @@ benchmark/rootwrap.conf benchmark/filters.d/ip.filters doc/source/conf.py -doc/source/contributing.rst -doc/source/history.rst doc/source/index.rst -doc/source/installation.rst -doc/source/usage.rst +doc/source/contributor/index.rst +doc/source/install/index.rst +doc/source/user/history.rst +doc/source/user/index.rst +doc/source/user/usage.rst etc/rootwrap.conf.sample oslo.rootwrap.egg-info/PKG-INFO oslo.rootwrap.egg-info/SOURCES.txt @@ -43,6 +44,7 @@ releasenotes/notes/add_reno-3b4ae0789e9c45b4.yaml releasenotes/source/conf.py releasenotes/source/index.rst +releasenotes/source/ocata.rst releasenotes/source/unreleased.rst releasenotes/source/_static/.placeholder releasenotes/source/_templates/.placeholder diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.rootwrap-5.4.1/oslo.rootwrap.egg-info/pbr.json new/oslo.rootwrap-5.9.0/oslo.rootwrap.egg-info/pbr.json --- old/oslo.rootwrap-5.4.1/oslo.rootwrap.egg-info/pbr.json 2017-05-22 19:07:39.000000000 +0200 +++ new/oslo.rootwrap-5.9.0/oslo.rootwrap.egg-info/pbr.json 2017-07-18 15:10:50.000000000 +0200 
@@ -1 +1 @@ -{"git_version": "fdacd0e", "is_release": true} \ No newline at end of file +{"git_version": "1bd761d", "is_release": true} \ No newline at end of file diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.rootwrap-5.4.1/oslo_rootwrap/filters.py new/oslo.rootwrap-5.9.0/oslo_rootwrap/filters.py --- old/oslo.rootwrap-5.4.1/oslo_rootwrap/filters.py 2017-05-22 19:05:29.000000000 +0200 +++ new/oslo.rootwrap-5.9.0/oslo_rootwrap/filters.py 2017-07-18 15:08:47.000000000 +0200 @@ -44,7 +44,6 @@ exec_dirs = exec_dirs or [] if self.real_exec is not None: return self.real_exec - self.real_exec = "" if os.path.isabs(self.exec_path): if os.access(self.exec_path, os.X_OK): self.real_exec = self.exec_path diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.rootwrap-5.4.1/oslo_rootwrap/tests/test_functional.py new/oslo.rootwrap-5.9.0/oslo_rootwrap/tests/test_functional.py --- old/oslo.rootwrap-5.4.1/oslo_rootwrap/tests/test_functional.py 2017-05-22 19:05:29.000000000 +0200 +++ new/oslo.rootwrap-5.9.0/oslo_rootwrap/tests/test_functional.py 2017-07-18 15:08:47.000000000 +0200 @@ -18,6 +18,7 @@ import logging import os import pwd +import shutil import signal import sys import threading @@ -45,6 +46,7 @@ super(_FunctionalBase, self).setUp() tmpdir = self.useFixture(fixtures.TempDir()).path self.config_file = os.path.join(tmpdir, 'rootwrap.conf') + self.later_cmd = os.path.join(tmpdir, 'later_install_cmd') filters_dir = os.path.join(tmpdir, 'filters.d') filters_file = os.path.join(tmpdir, 'filters.d', 'test.filters') os.mkdir(filters_dir) @@ -60,7 +62,8 @@ sh: CommandFilter, /bin/sh, root id: CommandFilter, /usr/bin/id, nobody unknown_cmd: CommandFilter, /unknown/unknown_cmd, root -""") +later_install_cmd: CommandFilter, %s, root +""" % self.later_cmd) def _test_run_once(self, expect_byte=True): code, out, err = self.execute(['echo', 'teststr']) 
@@ -194,6 +197,15 @@ def test_run_with_stdin(self): self._test_run_with_stdin(expect_byte=False) + def test_run_with_later_install_cmd(self): + code, out, err = self.execute(['later_install_cmd']) + self.assertEqual(cmd.RC_NOEXECFOUND, code) + # Install cmd and try again + shutil.copy('/bin/echo', self.later_cmd) + code, out, err = self.execute(['later_install_cmd']) + # Expect successfully run the cmd + self.assertEqual(0, code) + def test_daemon_ressurection(self): # Let the client start a daemon self.execute(['cat']) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.rootwrap-5.4.1/oslo_rootwrap/tests/test_rootwrap.py new/oslo.rootwrap-5.9.0/oslo_rootwrap/tests/test_rootwrap.py --- old/oslo.rootwrap-5.4.1/oslo_rootwrap/tests/test_rootwrap.py 2017-05-22 19:05:29.000000000 +0200 +++ new/oslo.rootwrap-5.9.0/oslo_rootwrap/tests/test_rootwrap.py 2017-07-18 15:08:47.000000000 +0200 @@ -46,6 +46,7 @@ def test_strict_switched_off_in_configparser(self): temp_dir = self.useFixture(fixtures.TempDir()).path + os.mkdir(os.path.join(temp_dir, 'nested')) temp_file = os.path.join(temp_dir, 'test.conf') f = open(temp_file, 'w') f.write("""[Filters] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.rootwrap-5.4.1/oslo_rootwrap/version.py new/oslo.rootwrap-5.9.0/oslo_rootwrap/version.py --- old/oslo.rootwrap-5.4.1/oslo_rootwrap/version.py 2017-05-22 19:05:29.000000000 +0200 +++ new/oslo.rootwrap-5.9.0/oslo_rootwrap/version.py 2017-07-18 15:08:47.000000000 +0200 
@@ -15,4 +15,4 @@ import pbr.version -version_info = pbr.version.VersionInfo('oslo_rootwrap') +version_info = pbr.version.VersionInfo('oslo.rootwrap') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.rootwrap-5.4.1/oslo_rootwrap/wrapper.py new/oslo.rootwrap-5.9.0/oslo_rootwrap/wrapper.py --- old/oslo.rootwrap-5.4.1/oslo_rootwrap/wrapper.py 2017-05-22 19:05:29.000000000 +0200 +++ new/oslo.rootwrap-5.9.0/oslo_rootwrap/wrapper.py 2017-07-18 15:08:47.000000000 +0200 @@ -126,9 +126,12 @@ continue for filterfile in filter(lambda f: not f.startswith('.'), os.listdir(filterdir)): + filterfilepath = os.path.join(filterdir, filterfile) + if not os.path.isfile(filterfilepath): + continue kwargs = {"strict": False} if six.PY3 else {} filterconfig = moves.configparser.RawConfigParser(**kwargs) - filterconfig.read(os.path.join(filterdir, filterfile)) + filterconfig.read(filterfilepath) for (name, value) in filterconfig.items("Filters"): filterdefinition = [s.strip() for s in value.split(',')] newfilter = build_filter(*filterdefinition) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.rootwrap-5.4.1/releasenotes/source/conf.py new/oslo.rootwrap-5.9.0/releasenotes/source/conf.py --- old/oslo.rootwrap-5.4.1/releasenotes/source/conf.py 2017-05-22 19:05:28.000000000 +0200 +++ new/oslo.rootwrap-5.9.0/releasenotes/source/conf.py 2017-07-18 15:08:47.000000000 +0200 @@ -35,10 +35,15 @@ # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom # ones. extensions = [ - 'oslosphinx', + 'openstackdocstheme', 'reno.sphinxext', ] +# openstackdocstheme options +repository_name = 'openstack/oslo.rootwrap' +bug_project = 'oslo.rootwrap' +bug_tag = '' + # Add any paths that contain templates here, relative to this directory. templates_path = ['_templates'] 
@@ -109,7 +114,7 @@ # The theme to use for HTML and HTML Help pages. See the documentation for # a list of builtin themes. -html_theme = 'default' +html_theme = 'openstackdocs' # Theme options are theme-specific and customize the look and feel of a theme # further. For a list of options available for each theme, see the @@ -147,7 +152,7 @@ # If not '', a 'Last updated on:' timestamp is inserted at every page bottom, # using the given strftime format. -# html_last_updated_fmt = '%b %d, %Y' +html_last_updated_fmt = '%Y-%m-%d %H:%M' # If true, SmartyPants will be used to convert quotes and dashes to # typographically correct entities. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.rootwrap-5.4.1/releasenotes/source/index.rst new/oslo.rootwrap-5.9.0/releasenotes/source/index.rst --- old/oslo.rootwrap-5.4.1/releasenotes/source/index.rst 2017-05-22 19:05:29.000000000 +0200 +++ new/oslo.rootwrap-5.9.0/releasenotes/source/index.rst 2017-07-18 15:08:47.000000000 +0200 @@ -6,3 +6,4 @@ :maxdepth: 1 unreleased + ocata diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.rootwrap-5.4.1/releasenotes/source/ocata.rst new/oslo.rootwrap-5.9.0/releasenotes/source/ocata.rst --- old/oslo.rootwrap-5.4.1/releasenotes/source/ocata.rst 1970-01-01 01:00:00.000000000 +0100 +++ new/oslo.rootwrap-5.9.0/releasenotes/source/ocata.rst 2017-07-18 15:08:47.000000000 +0200 @@ -0,0 +1,6 @@ +=================================== + Ocata Series Release Notes +=================================== + +.. release-notes:: + :branch: origin/stable/ocata diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.rootwrap-5.4.1/setup.cfg new/oslo.rootwrap-5.9.0/setup.cfg --- old/oslo.rootwrap-5.4.1/setup.cfg 2017-05-22 19:07:39.000000000 +0200 +++ new/oslo.rootwrap-5.9.0/setup.cfg 2017-07-18 15:10:50.000000000 +0200 
@@ -5,7 +5,7 @@ summary = Oslo Rootwrap description-file = README.rst -home-page = http://docs.openstack.org/developer/oslo.rootwrap +home-page = https://docs.openstack.org/oslo.rootwrap/latest/ classifier = Development Status :: 4 - Beta Environment :: OpenStack @@ -16,7 +16,6 @@ Programming Language :: Python Programming Language :: Python :: 2.7 Programming Language :: Python :: 3 - Programming Language :: Python :: 3.4 Programming Language :: Python :: 3.5 [files] @@ -32,13 +31,11 @@ source-dir = doc/source build-dir = doc/build all_files = 1 +warning-is-error = 1 [upload_sphinx] upload-dir = doc/build/html -[pbr] -warnerrors = True - [wheel] universal = 1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.rootwrap-5.4.1/setup.py new/oslo.rootwrap-5.9.0/setup.py --- old/oslo.rootwrap-5.4.1/setup.py 2017-05-22 19:05:29.000000000 +0200 +++ new/oslo.rootwrap-5.9.0/setup.py 2017-07-18 15:08:47.000000000 +0200 @@ -25,5 +25,5 @@ pass setuptools.setup( - setup_requires=['pbr>=1.8'], + setup_requires=['pbr>=2.0.0'], pbr=True) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.rootwrap-5.4.1/test-requirements.txt new/oslo.rootwrap-5.9.0/test-requirements.txt --- old/oslo.rootwrap-5.4.1/test-requirements.txt 2017-05-22 19:05:29.000000000 +0200 +++ new/oslo.rootwrap-5.9.0/test-requirements.txt 2017-07-18 15:08:47.000000000 +0200 
@@ -2,17 +2,16 @@ # of appearance. Changing the order has an impact on the overall integration # process, which may cause wedges in the gate later. -hacking<0.11,>=0.10.0 +hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0 fixtures>=3.0.0 # Apache-2.0/BSD python-subunit>=0.0.18 # Apache-2.0/BSD testrepository>=0.0.18 # Apache-2.0/BSD -testscenarios>=0.4 # Apache-2.0/BSD testtools>=1.4.0 # MIT # this is required for the docs build jobs -sphinx!=1.3b1,<1.4,>=1.2.1 # BSD -oslosphinx>=4.7.0 # Apache-2.0 +sphinx>=1.6.2 # BSD +openstackdocstheme>=1.11.0 # Apache-2.0 oslotest>=1.10.0 # Apache-2.0 @@ -20,6 +19,6 @@ mock>=2.0 # BSD # rootwrap daemon's client should be verified to run in eventlet -eventlet!=0.18.3,>=0.18.2 # MIT +eventlet!=0.18.3,!=0.20.1,<0.21.0,>=0.18.2 # MIT -reno>=1.8.0 # Apache-2.0 +reno!=2.3.1,>=1.8.0 # Apache-2.0 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.rootwrap-5.4.1/tox.ini new/oslo.rootwrap-5.9.0/tox.ini --- old/oslo.rootwrap-5.4.1/tox.ini 2017-05-22 19:05:29.000000000 +0200 +++ new/oslo.rootwrap-5.9.0/tox.ini 2017-07-18 15:08:47.000000000 +0200 @@ -1,13 +1,13 @@ [tox] minversion = 2.0 -envlist = py35,py34,py27,pep8 +envlist = py35,py27,pep8 [testenv] setenv = VIRTUAL_ENV={envdir} BRANCH_NAME=master CLIENT_NAME=oslo.rootwrap -install_command = {toxinidir}/tools/tox_install.sh {env:UPPER_CONSTRAINTS_FILE:https://git.openstack.org/cgit/openstack/requirements/plain/upper-constraints.txt?h=stable/ocata} {opts} {packages} +install_command = {toxinidir}/tools/tox_install.sh {env:UPPER_CONSTRAINTS_FILE:https://git.openstack.org/cgit/openstack/requirements/plain/upper-constraints.txt} {opts} {packages} deps = -r{toxinidir}/test-requirements.txt # Functional tests with Eventlet involve monkeypatching, so force them to be # run in a separate process
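Review bot: In the new Usage document (the `@@ -0,0 +1,338 @@` hunk), the "Standalone mode" literal block has an unterminated string: `root_helper='sudo nova-rootwrap /etc/nova/rootwrap.conf` lacks its closing quote, so the value cannot be copied as written. The same hunk has a few other problems worth fixing before merge. "It's first parameter" should read "Its first parameter". The parenthesis opened at "(generally shipped in the source tree under ``etc/rootwrap.d``" is never closed. The daemon-mode example `["sudo", "nova-rootwrap-daemon", "/etc/neutron/rootwrap.conf"]` pairs a nova helper with a neutron config path, while the security model section says the sudoers entry permits only one specific configuration file. The IpFilter and IpNetnsExecFilter examples both use the filter name `ip`, although the "[Filters] section" text requires a unique name for each filter, so give the second example a distinct name.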
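Review bot: In oslo_rootwrap/filters.py, at the removed `self.real_exec = ""` line, a failed lookup now leaves `real_exec` as None, so a miss is no longer cached and the early `if self.real_exec is not None: return self.real_exec` no longer short-circuits it. That is the intent of "Always check cmd which does not exist", but the lines after the hunk are not visible here. Please confirm that the not-found path still returns a value that callers treat as "no executable" (None instead of an empty string) and that no caller compares the result with `""`. A short comment or docstring line saying that misses are re-resolved on every call would also help, since a long-running daemon will repeat the lookup for each request.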
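Review bot: In oslo_rootwrap/tests/test_functional.py, `test_run_with_later_install_cmd` asserts only `self.assertEqual(0, code)` after the install step and hard-codes `/bin/echo` as the binary to copy. Passing an argument and asserting on `out` would show that the newly installed file is the one actually executed. The test should also skip, or locate the binary another way, on systems where `/bin/echo` is absent. Separately, the filter text is now built with `""" % self.later_cmd`, so any literal `%` added to that template later will break the formatting. A named placeholder or `str.format` would be less fragile.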
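Review bot: In oslo_rootwrap/tests/test_rootwrap.py, the added `os.mkdir(os.path.join(temp_dir, 'nested'))` makes `test_strict_switched_off_in_configparser` exercise the subdirectory skip only as a side effect, with no assertion or comment tying it to that behaviour. A dedicated test that creates a nested directory, loads the filters, and asserts that loading succeeds and that nothing from the subdirectory is picked up would document the intent and keep the regression visible if this test is later changed.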
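Review bot: In oslo_rootwrap/wrapper.py, the new `if not os.path.isfile(filterfilepath): continue` drops the entry silently. An operator who places filter files in a subdirectory of a `filters_path` directory will see commands denied with no hint that the files were never read, so a log message naming the skipped path would help. `os.path.isfile` also follows symbolic links, which means a link to a regular file elsewhere is still loaded. If that is intended, say so in the filter documentation, which requires filter files to be owned and writeable only by `root`. If it is not, check for links explicitly.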