rootwrap
Refer to these two:
drv_cfg: CommandFilter, /opt/emc/scaleio/sdc/bin/drv_cfg, root, /opt/emc/scaleio/sdc/bin/drv_cfg, --query_guid
ceph: RegExpFilter, ceph, root, ceph, -v
hans ALL=(root) /usr/sbin/useradd, /usr/sbin/userdel
[Filters]
privileged/__init__.py: priv_context.PrivContext(default)
This line ties the superuser privs with the config files, context name,
and (implicitly) the actual python code invoked.
privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /usr/share/.*, --config-file, /etc/.*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.*
Create a filters file
cat > /etc/cinder/rootwrap.d/volume.filters <<"EOF"
[Filters]
mkdir: RegExpFilter, mkdir, root, mkdir, -p, /etc/cinder/.*
chown: RegExpFilter, chown, root, chown, -R, cinder:cinder, /etc/cinder/.*
EOF
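
An added example (not part of the original notes and not oslo.rootwrap's own code) modelling how a RegExpFilter line is checked, assuming the filter requires the same number of arguments and matches each pattern with an end anchor. It runs the filters above on constructed argument lists and shows that `/etc/cinder/.*` also accepts a path with a `..` component; `STRICT_PATH` is a hypothetical tighter pattern.

```python
import re

# Filter definitions copied from the volume.filters file above.
FILTERS = {
    "mkdir": "RegExpFilter, mkdir, root, mkdir, -p, /etc/cinder/.*",
    "chown": "RegExpFilter, chown, root, chown, -R, cinder:cinder, /etc/cinder/.*",
}

# Hypothetical tighter path pattern: rejects any ".." path component.
# It contains no comma, because filter values are split on commas.
STRICT_PATH = r"/etc/cinder/(?!(?:.*/)?\.\.(?:/|$)).*"
STRICT_CHOWN = "RegExpFilter, chown, root, chown, -R, cinder:cinder, " + STRICT_PATH


def parse_filter(value):
    """Split a filter value into (class, exec_path, run_as, arg patterns)."""
    parts = [p.strip() for p in value.split(",")]
    return parts[0], parts[1], parts[2], parts[3:]


def regexp_match(patterns, argv):
    """Simplified model: equal argument count, each pattern anchored at the end."""
    if not argv or len(patterns) != len(argv):
        return False
    try:
        return all(re.match(p + "$", a) for p, a in zip(patterns, argv))
    except re.error:
        return False  # a badly formed pattern denies the command


def allowed(value, argv):
    """Return True if the constructed argv passes the filter definition."""
    _cls, _exec_path, _run_as, patterns = parse_filter(value)
    return regexp_match(patterns, argv)


if __name__ == "__main__":
    # Constructed argument lists, for illustration only.
    samples = [
        ["chown", "-R", "cinder:cinder", "/etc/cinder/volumes"],
        ["chown", "-R", "cinder:cinder", "/etc/cinder/../other"],
        ["chown", "-R", "root:root", "/etc/cinder/volumes"],
    ]
    for argv in samples:
        print(argv[-2:], "page filter:", allowed(FILTERS["chown"], argv),
              "strict filter:", allowed(STRICT_CHOWN, argv))
```

The pattern check is textual only, so it does not resolve symlinks below `/etc/cinder`.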