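rootwrap is a tool that lets a component run commands with root privileges from within the component, without modifying /etc/sudoers.
First, confirm that /usr/bin/ceilometer-rootwrap already exists: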
cat /usr/bin/ceilometer-rootwrap
#!/usr/bin/python
# EASY-INSTALL-ENTRY-SCRIPT: 'ceilometer==12.1.0','console_scripts','ceilometer-rootwrap'
__requires__ = 'ceilometer==12.1.0'
import re
import sys
from pkg_resources import load_entry_point
if __name__ == '__main__':
    sys.argv[0] = re.sub(r'(-script\.pyw?|\.exe)?$', '', sys.argv[0])
    sys.exit(
        load_entry_point('ceilometer==12.1.0', 'console_scripts', 'ceilometer-rootwrap')()
    )
1. Add a new file named ceilometer_sudoers under /etc/sudoers.d/:
vim ceilometer_sudoers
ceilometer ALL=(root) NOPASSWD: /usr/bin/ceilometer-rootwrap /etc/ceilometer/rootwrap.conf *
2. Check whether /etc/ceilometer/ contains a rootwrap.conf file and a rootwrap.d directory; create them if they do not exist:
vim rootwrap.conf:
# Configuration for ceilometer-rootwrap
# This file should be owned by (and only-writeable by) the root user
[DEFAULT]
# List of directories to load filter definitions from (separated by ',').
# These directories MUST all be only writeable by root !
filters_path=/etc/ceilometer/rootwrap.d,/usr/share/ceilometer/rootwrap
# List of directories to search executables in, in case filters do not
# explicitly specify a full path (separated by ',')
# If not specified, defaults to system PATH environment variable.
# These directories MUST all be only writeable by root !
exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/sbin,/usr/local/bin
# Enable logging to syslog
# Default value is False
use_syslog=False
# Which syslog facility to use.
# Valid values include auth, authpriv, syslog, user0, user1...
# Default value is 'syslog'
syslog_log_facility=syslog
# Which messages to log.
# INFO means log all usage
# ERROR means only log unsuccessful attempts
syslog_log_level=ERROR
Create a new file named central.filters under /etc/ceilometer/rootwrap.d/:
vim central.filters
# ceilometer-rootwrap command filters for IPMI capable nodes
# This file should be owned by (and only-writeable by) the root user
[Filters]
# ceilometer/polling/data_process.py: 'fdisk' 'pvdisplay' 'libguestfs'
fdisk: CommandFilter, fdisk, root
pvdisplay: CommandFilter, pvdisplay, root
virt-df: CommandFilter, virt-df, root
These three commands require root privileges.
In the ceilometer code:
command = "fdisk -l"
(out, _err) = utils.execute(command, run_as_root=True, shell=True)
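
The sudoers entry above lets the ceilometer user run ceilometer-rootwrap as root with any arguments, so the only restriction is what rootwrap.conf and the filter files allow, which is why their comments insist on root-only write access. The following added example (not part of the original page, ceilometer or oslo.rootwrap) audits that requirement for every path rootwrap.conf names; the function names and the owner_uid parameter are assumptions made for this example.

```python
import configparser
import os
import stat


def root_only_writable(path, owner_uid=0):
    """True if path is owned by owner_uid and not group/other-writable."""
    try:
        st = os.stat(path)  # follows symlinks: the real target is what counts
    except OSError:
        return False  # dangling link or unreadable entry: treat as a failure
    return st.st_uid == owner_uid and not st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)


def audit_rootwrap(conf_path, owner_uid=0):
    """Return sorted (path, problem) findings for one rootwrap.conf."""
    if not os.path.isfile(conf_path):
        return [(conf_path, "config file missing")]
    findings = []
    conf_dir = os.path.dirname(os.path.abspath(conf_path))
    # Whoever can write the parent directory can swap rootwrap.conf itself.
    for path, what in ((conf_path, "config file"), (conf_dir, "config directory")):
        if not root_only_writable(path, owner_uid):
            findings.append((path, what + " not root-only writable"))
    cfg = configparser.RawConfigParser()
    cfg.read(conf_path)
    for key in ("filters_path", "exec_dirs"):
        if not cfg.has_option("DEFAULT", key):
            continue
        for d in filter(None, (p.strip() for p in cfg.get("DEFAULT", key).split(","))):
            if not os.path.isdir(d):
                continue  # missing directory: nothing to check
            if not root_only_writable(d, owner_uid):
                findings.append((d, key + " directory not root-only writable"))
            if key == "filters_path":
                for name in sorted(os.listdir(d)):
                    f = os.path.join(d, name)
                    if not root_only_writable(f, owner_uid):
                        findings.append((f, "filter file not root-only writable"))
    return sorted(findings)


if __name__ == "__main__":
    # Path from the page; run as root so every file can be stat'ed.
    for path, problem in audit_rootwrap("/etc/ceilometer/rootwrap.conf"):
        print(f"{path}: {problem}")
```

An empty result means every file and directory named by the configuration is owned by root and has no group or other write bit.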