Cloned from launchpad blueprint https://blueprints.launchpad.net/nova/+spec/rootwrap-autogen-filters.

Description:

Currently rootwrap filters are defined separately from the code that requires them. The link is somehow documented in comments in the filter files but this is clearly suboptimal, and can for example lead in keeping extra filters for commands that are no longer needed.

Almost quoting Dan Berrange:
It would be possible to auto-generate this entire config file, by adding some simple source code annotations or magic comments, at the place where the commands are actually used:

    @nova.rootwrap(['compute'], 'kpartx', 'CommandFilter, /sbin/kpartx, root')
    def map_dev(self):
        """Map partitions of the device to the file system namespace."""
          ....snip....
            _out, err = utils.trycmd('kpartx', '-a', self.device,
                                     run_as_root=True, discard_warnings=True)

and then have  a script that reads the source annotations to generate this compute.filters.

Specification URL (additional information):

None