Open Stack

Hi everyone,

Originally introduced in Essex, the rootwrap is now used in 3 core
projects (it will soon be proposed to openstack-common to avoid this
code duplication). But now that its usage is widespread it might be time
to deprecate the possibility to just run "sudo" instead.

Currently you can use root_helper=sudo, together with a proper sudoers
file allowing all necessary commands, as an alternative to using the
rootwrap. Since the root_helper is called with the shell command to
execute as root, it just works.

However this prevents rootwrap to grow smarter features, like the
ability to run snippets of Python code instead of shelling out. To
support that, we need to stop supporting running pure "sudo" as the
root_helper.

For Folsom, we could mark usage of root_helper as deprecated (but
obviously still support it) so that we can get rid of it during Grizzly.
It would be replaced with rootwrap_path and rootwrap_conf options. For
Grizzly, you would *have to* use those new rootwrap_* options.

All distributions I know of are using rootwrap, but I may have missed
some. There may also be lovers of the flexibility the root_helper config
option provided and who would prefer to accept the limitations it
imposes on further rootwrap development.

Thoughts ?

-- 
Thierry Carrez (ttx)
Release Manager, OpenStack