[openstack-dev] [tripleo] [tripleo-quickstart] Tripleo-Quickstart root privileges

John Trowbridge trown at redhat.com
Thu Dec 1 14:03:30 UTC 2016



On 11/22/2016 03:49 PM, Gabriele Cerami wrote:
> On 22 Nov, Yolanda Robla Mota wrote:
>> Hi all
>> I wanted to start a thread about the current privileges model for TripleO quickstart.
>> Currently there is the assumption that quickstart does not need root privileges after the environment and provision roles. However, this assumption cannot be valid for several use cases.
>> In particular, I have the need of creating working directories outside the home directory of the user running quickstart. This can be useful on environments where /home partition is small and cannot be modified (so there is not enough disk space to host TripleO quickstart artifacts there).
>> This is the change I'm working on for that use case: https://review.openstack.org/#/c/384892
> 
> Hi,
> 
> I may suggest a compromise that will allow not to break the model, and
> moving forward with your patch.
> If you can make it work, you can try to move the working_dir creation
> tasks to the provision role.
> You already moved working_dir default var to common role, so it should
> work.
> 
> Any other thoughts?
> Thanks for raising the question.
> 

Sorry for the slow response, and thanks for raising this question. I
added Lars to the thread as well, because he was the original architect
of the current privilege model in quickstart.

There were two reasons (I can think of anyways) for the current model:

1. Doing tasks as root on the virthost makes clean up trickier. With the
current model, deleting the non-root quickstart user cleans up almost
everything. By keeping all of the root privilege tasks in the provision
and environment roles, it is much easier to reason about the few things
that do not get cleaned up when deleting the quickstart user. If we
start allowing root privilege tasks in the libvirt role, this will be
harder.

2. Theoretically (I have not actually heard of anyone actually doing
this), someone could set up a virthost for use by quickstart, and then
hand it over to someone with only non-root privileges. While I do not
know of anyone using quickstart this way today, it is a compelling use
case for setting up training environments using quickstart. An
admin/trainer could set up a bunch of virthosts for a training and the
students would only have non-root access to the machines.

I think at the very least, we want to maintain the default running of
quickstart with the current model. If some feature absolutely needs to
break this model, it needs to be guarded by a variable defaulted to false.

In the specific case of https://review.openstack.org/#/c/384892 I do
think we could do the directory creation tasks earlier, and then we do
not need to break the model at all to support your use case.

There is also https://review.openstack.org/#/c/399704/ that is running
into the same thing, but again, I think we could probably move all of
the root stuff to earlier roles (though I have yet to thoroughly review
that, so I am less sure).

I have also been working with some folks from the OPNFV Apex (which is
tripleo based) team to port their CI to quickstart. I have not seen
patches yet, but it does seem some of the networking requirements may
require us to run the virtual machines under qemu://system which will
break the current privilege model completely. Their case is why we may
need to make the model optional.

@Yolanda wdyt about the suggestion to move directory creation to an
earlier role in your patch? Also, thanks for all your work on quickstart!

-trown
