Rootwrap - python - write to root only owned file

asked 2015-02-13 11:40:17 -0600

updated 2015-02-13 12:30:03 -0600


I have a file, owned by root, with read/write permissions for the root user only. (600 permissions).

I have been trying, unsuccessfully, to setup Rootwrap so that python can open this file when running as the nova user.

I followed the setup procedures here:

I am aware of the oslo execute method (run_as_root=True) but am unsure of how to set this up, plus it doesn't seem necessary if I had Rootwrap configured properly.

Any help, or even better, links to examples of writing to a file owned by root (with 600 permissions) in python as the nova user would be great!

Thank you.

What I have done so far:

1) Ensured /etc/nova/rootwrap.conf exists and is owned and writeable only by root

2) Modified nova.conf:

  • commented out this line: root_helper=sudo nova-rootwrap /etc/nova/rootwrap.conf
  • added this line: rootwrap_config=/etc/nova/rootwrap.conf

3) sudoers:

  • added this line (at the bottom below all defaults): nova ALL = (root) NOPASSWD: /usr/bin/nova-rootwrap /etc/nova/rootwrap.conf *

4) added an entry to compute.filters in /etc/nova/rootwrap.d:

  • python: CommandFilter, python, root

5) Restarted nova-compute:

  • service nova-compute restart

My python code that is failing is like this, which fails on the with open():

    import logging

    LOG = logging.getLogger(__name__)  # logger name assumed; the post's own logger setup is not shown

    try:
        with open(interfaceAddModule, 'w') as f:
            f.write('%s %s' % (vif['devname'], vif['id']))
    except IOError as e:
        # the logging call was truncated in the post; reconstructed as an error log
        LOG.error('Unable to open %s, exception: %r', interfaceAddModule, e)


Can you show us what you've tried so far?

larsks ( 2015-02-13 12:09:11 -0600 )

Are you trying to acquire elevated privileges? I don't see that from the code example.

larsks ( 2015-02-13 13:04:27 -0600 )

Well, this probably shows my lack of understanding of how Rootwrap works. I thought the elevated privileges would come via the command filter entry for python, and the fact that python exists in /usr/bin which is part of the exec_dirs entry.

How does one explicitly gain elevated privileges?

Hakvah ( 2015-02-13 13:14:42 -0600 )

1 answer

answered 2015-02-16 10:58:29 -0600

updated 2015-02-16 10:59:24 -0600

OK, I got this working, and here's how:

1) Modify the filter file, in my case compute.filters. I used a PathFilter because I felt it made sense in my scenario:

  • python: PathFilter, /usr/bin/python, root, /my/script/dir

2) I place the .py scripts (such as that need to perform operations as the root user under: /my/script/dir

3) I alter the code in the .py file that is running as the nova user to do this:


4) Restart the nova-compute service.

Please note these steps are in addition to anything that needed to be setup by following the above link:

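The two filter lines on this page behave very differently: the question's `python: CommandFilter, python, root` admits any argument list once argv[0] is the interpreter, while the answer's `python: PathFilter, /usr/bin/python, root, /my/script/dir` only admits scripts that resolve inside that directory. The following is an added example, not code from the post or from oslo.rootwrap itself: a simplified model of the two filter types, written to show how each decides whether to run a command as root. The class names are the rootwrap filter names used on the page, but the internals are a reconstruction of their documented semantics (argument count must match, `pass` accepts anything, an absolute-path constraint confines the argument's canonical path to that directory, any other string must match exactly), with the executable lookup reduced to a basename comparison. The `_within` helper, the `demo` function, the temporary directory standing in for /my/script/dir and the script names are all constructed for this example.

```python
import os
import shutil
import tempfile


def _within(base_dir, path):
    """True when path, after resolving symlinks and '..', lies under base_dir."""
    base = os.path.realpath(base_dir)
    real = os.path.realpath(path)
    return real == base or real.startswith(base.rstrip(os.sep) + os.sep)


class CommandFilter(object):
    """Simplified model: allows any arguments once argv[0] names the executable.

    Real rootwrap resolves the basename against exec_dirs from rootwrap.conf;
    the basename comparison here stands in for that lookup (an assumption).
    """

    def __init__(self, exec_path, run_as):
        self.exec_path = exec_path
        self.run_as = run_as

    def match(self, userargs):
        return bool(userargs) and (
            os.path.basename(userargs[0]) == os.path.basename(self.exec_path))


class PathFilter(CommandFilter):
    """Simplified model of 'PathFilter, <exec>, <user>, <constraint>, ...'.

    Each constraint applies to one argument: 'pass' accepts anything, an
    absolute path requires the argument to resolve inside that directory,
    and any other string must equal the argument exactly.
    """

    def __init__(self, exec_path, run_as, *constraints):
        super(PathFilter, self).__init__(exec_path, run_as)
        self.constraints = constraints

    def match(self, userargs):
        if not super(PathFilter, self).match(userargs):
            return False
        args = userargs[1:]
        if len(args) != len(self.constraints):
            return False  # extra or missing arguments are rejected outright
        for constraint, value in zip(self.constraints, args):
            if constraint == 'pass':
                continue
            if os.path.isabs(constraint):
                if not _within(constraint, value):
                    return False
            elif constraint != value:
                return False
        return True


def demo():
    """Evaluate both filter lines from this page against constructed paths.

    A throwaway temp directory plays the role of /my/script/dir, and the
    script names are constructed for the example.
    """
    root = tempfile.mkdtemp()
    try:
        script_dir = os.path.join(root, 'my', 'script', 'dir')
        os.makedirs(script_dir)
        inside = os.path.join(script_dir, 'add_interface.py')
        outside = os.path.join(root, 'elsewhere.py')
        for path in (inside, outside):
            with open(path, 'w') as f:
                f.write('# constructed placeholder script\n')
        # A symlink inside the directory whose target resolves outside of it;
        # the filter canonicalizes paths, so it must be rejected.
        link = os.path.join(script_dir, 'link.py')
        os.symlink(outside, link)

        # Step 4 of the question: 'python: CommandFilter, python, root'
        command_only = CommandFilter('/usr/bin/python', 'root')
        # Step 1 of the answer: 'python: PathFilter, /usr/bin/python, root, /my/script/dir'
        path_confined = PathFilter('/usr/bin/python', 'root', script_dir)

        return {
            'command_filter_inside': command_only.match(['/usr/bin/python', inside]),
            'command_filter_outside': command_only.match(['/usr/bin/python', outside]),
            'path_filter_inside': path_confined.match(['/usr/bin/python', inside]),
            'path_filter_outside': path_confined.match(['/usr/bin/python', outside]),
            'path_filter_symlink': path_confined.match(['/usr/bin/python', link]),
            'path_filter_extra_arg': path_confined.match(
                ['/usr/bin/python', inside, 'extra']),
        }
    finally:
        shutil.rmtree(root)


if __name__ == '__main__':
    for name, allowed in sorted(demo().items()):
        print('%-26s %s' % (name, 'allowed' if allowed else 'rejected'))
```

Running it shows the CommandFilter line admitting both script paths, while the PathFilter line admits only the script under the allowed directory and rejects the one outside it, the symlink that resolves outside it, and a call with an unexpected extra argument. Two practical consequences follow for the setup described in the answer: the root-only ownership the question already applies to rootwrap.conf should also be applied to /my/script/dir and its contents, since whatever is placed there runs as root, and the nova-side code still has to go through the oslo execute method with run_as_root=True (as the question mentions) rather than calling open() directly, because rootwrap elevates a separate child process, not the nova process itself.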