[openstack-dev] [rootwrap] rootwrap and libraries - RFC

Sean McGinnis sean.mcginnis at gmx.com
Wed Sep 9 20:14:24 UTC 2015


On Wed, Sep 09, 2015 at 03:33:36PM -0400, Sean Dague wrote:
> On 09/09/2015 02:55 PM, Robert Collins wrote:
> > On 10 September 2015 at 06:45, Matt Riedemann
> > <mriedem at linux.vnet.ibm.com> wrote:
> >>
> > So, I realise thats a bit sucky. My suggestion would be to just take
> > the tactical approach of syncing things into each consuming tree - and
> > dogpile onto the privsep daemon asap.

This does look interesting, but I would be very hesitant to change
everything right away to move from rootwrap to privsep, assuming
privsep will land and be stable enough to use in time.

> 
> syncing things to the consuming tree means that you've now coupled
> upgrade of os-brick, cinder, and nova to be at the same time. Because
> the code to use the filters is in os-brick, but the filters are in
> cinder and nova.
> 
> That's exactly the opposite direction from where we'd like to move. We
> did that work around for Liberty, but that nearly completely makes
> os-brick pointless if it now means cinder and nova must be in lockstep
> all the time.

Agreed. I would like to see a clean separation of these. The reason this
is even a big issue right now is a command was added to os-brick's
rootwrap that was not picked up by Nova and Cinder. It only affected
fibre channel attached storage, so we didn't even realize there was an
issue until the third party CI's of FC drivers started all failing.

I do like the proposed approach of passing in the library to rootwrap
and letting rootwrap take care of loading its filters. It does bring
up some security questions, but as a consumer of a library I think it
makes sense to tell rootwrap - hey I'm using this library over there,
do what it says it needs to do.

Sean
(smcginnis)

PS - pardon the mail client SNAFU just sent prior to this. Oops.



More information about the OpenStack-dev mailing list