diff --git a/chef/cookbooks/neutron/templates/default/neutron.conf.erb b/chef/cookbooks/neutron/templates/default/neutron.conf.erb
index 1fd424f058..68e23bdfdf 100644
--- a/chef/cookbooks/neutron/templates/default/neutron.conf.erb
+++ b/chef/cookbooks/neutron/templates/default/neutron.conf.erb
@@ -742,6 +742,7 @@ root_helper=sudo neutron-rootwrap /etc/neutron/rootwrap.conf
 # Root helper daemon application to use when possible.
 # root_helper_daemon =
+root_helper_daemon = sudo neutron-rootwrap-daemon /etc/neutron/rootwrap.conf
 # Use the root helper when listing the namespaces on a system. This may not
 # be required depending on the security configuration. If the root helper is
diff --git a/chef/cookbooks/nova/recipes/config.rb b/chef/cookbooks/nova/recipes/config.rb
index 05cb0c0ec3..c192cee6c2 100644
--- a/chef/cookbooks/nova/recipes/config.rb
+++ b/chef/cookbooks/nova/recipes/config.rb
@@ -51,6 +51,9 @@
 search_env_filtered(:node, "roles:nova-controller").first
 end
+# use nova-rootwrap daemon on compute-only nodes
+use_rootwrap_daemon = !node["roles"].include?("nova-controller")
+
 api_ha_enabled = api[:nova][:ha][:enabled]
 admin_api_host = CrowbarHelper.get_host_for_admin_url(api, api_ha_enabled)
 public_api_host = CrowbarHelper.get_host_for_public_url(api, api[:nova][:ssl][:enabled], api_ha_enabled)
@@ -334,6 +337,7 @@
 ssl_key_file: api_ssl_keyfile,
 ssl_cert_required: api[:nova][:ssl][:cert_required],
 ssl_ca_file: api_ssl_cafile,
+ use_rootwrap_daemon: use_rootwrap_daemon,
 oat_appraiser_host: oat_server[:hostname],
 oat_appraiser_port: "8443",
 has_itxt: has_itxt
diff --git a/chef/cookbooks/nova/templates/default/nova.conf.erb b/chef/cookbooks/nova/templates/default/nova.conf.erb
index 0c908f75fa..c6f89bc2b5 100644
--- a/chef/cookbooks/nova/templates/default/nova.conf.erb
+++ b/chef/cookbooks/nova/templates/default/nova.conf.erb
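Review bot: The added `root_helper_daemon` line in neutron.conf.erb turns the rootwrap daemon on for every node that renders this template, yet nothing in this commit shows the privilege setup it depends on. The daemon is a long-running root process started through sudo, so the neutron user's sudoers rule should permit exactly `neutron-rootwrap-daemon /etc/neutron/rootwrap.conf` and nothing broader, and that config file and the filter directories it names should be writable by root only. If the packaged sudoers entry covers only `neutron-rootwrap`, agents will presumably fail when they try to start the daemon. I would add a comment above the setting such as `# needs a sudoers rule for neutron-rootwrap-daemon; rootwrap.conf and its filters must be root-owned`. The same prerequisite applies to `use_rootwrap_daemon` in the nova.conf.erb hunk, which relies on nova-rootwrap-daemon.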
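Review bot: In the config.rb hunk at line 51 the comment says "compute-only nodes", but `!node["roles"].include?("nova-controller")` is true for any node that lacks the controller role, whether or not it runs nova-compute. If this recipe is ever applied to a node carrying some other nova role, that node would also be told to use a persistent root helper. Either test positively for the compute role, or make the comment match the code: `# use nova-rootwrap daemon on every node that is not a nova-controller`. The later hunk at line 334 only passes the value through to the template and needs no change.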
@@ -448,6 +448,9 @@ instance_usage_audit_period = hour
 # root privileges. This option is usually enabled on nodes that run nova
 # compute processes (boolean value)
 #use_rootwrap_daemon = false
+<% if @libvirt_type.eql?('kvm') -%>
+use_rootwrap_daemon = <%= @use_rootwrap_daemon %>
+<% end -%>
 # Path to the rootwrap configuration file to use for running commands as root
 # (string value)
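Review bot: The `@libvirt_type.eql?('kvm')` guard carries no explanation, and it silently discards the value the recipe computed for every other libvirt type, leaving those nodes on the commented default. A reader of config.rb sees `use_rootwrap_daemon: use_rootwrap_daemon` and has no way to know the template may drop it, so the decision about running a root-privileged helper daemon is split across two files. Either move the libvirt check into the recipe so the variable holds the final value, or record the reason here with a comment such as `# rootwrap daemon is only enabled for kvm computes because <reason>`. As a style point, `@libvirt_type == 'kvm'` is the usual spelling for a plain string comparison.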