oslo.privsep

3.10.1 verified Mon Apr 27 auth: no python

OpenStack library for privilege separation. Provides a framework for running sensitive operations in a separate privileged process. Current version is 3.10.1, released as part of OpenStack Dalmatian. Released on a 6-month cadence aligned with OpenStack releases.

```
pip install oslo-privsep
```
error: `ModuleNotFoundError: No module named 'oslo.privsep'`
cause: Using a period instead of an underscore in the import path.
fix: Use `from oslo_privsep import priv_context` instead.

error: `PermissionError: [Errno 13] Permission denied`
cause: The daemon principal user/group does not have sufficient privileges for the requested operation.
fix: Check that the `user` and `group` parameters in `DaemonPrincipal` are correct and that the system allows privilege escalation.

breaking: In version 3.0.0, the package name changed from `oslo-privsep` to `oslo_privsep` for imports. Python code must use underscores throughout.
fix: Use `from oslo_privsep import priv_context` instead of `from oslo.privsep`.

deprecated: The `capabilities` module is deprecated and will be removed in a future release. Use the `resource` module directly with `oslo_privsep.prctl` if needed.
fix: Replace `capabilities` imports with direct resource constants (e.g., `oslo_privsep.prctl.RLIMIT_AS`).

gotcha: The privileged process runs as a separate daemon; ensure the daemon is started before calling privileged functions. If using eventlet, monkey-patching must be done before the daemon starts.
fix: Initialize the daemon at module load time and avoid lazy initialization in request handlers.

Initialize a daemon principal with root privileges and call a function that runs as root.

```python
import subprocess

from oslo_privsep import capabilities
from oslo_privsep import priv_context

# Define a privileged context
priv_context.init(
    priv_context.DaemonPrincipal(
        user='root',
        group='root',
    ),
    resource_limits=[
        priv_context.ResourceLimit(
            resource=capabilities.RLIMIT_AS,
            soft=1024 * 1024 * 500,  # 500 MB
            hard=1024 * 1024 * 500,
        ),
    ],
)


# Expose a function to run as privileged
@priv_context.entrypoint
def run_as_root():
    # This runs with escalated privileges
    return subprocess.check_output(['whoami']).strip()


if __name__ == '__main__':
    print(run_as_root())
```