[openstack-dev] [os-brick][nova][cinder] os-brick/privsep change is done and awaiting your review

Sean McGinnis sean.mcginnis at gmx.com
Fri Feb 26 01:51:22 UTC 2016


On Thu, Feb 25, 2016 at 02:26:49PM +0000, John Garbutt wrote:
> 
> My understanding of what came out of the midcycle was:
> * current rootwrap system horribly breaks upgrade
> * adopting privsep in this "sudo" like form fixes upgrade
> * this approach is much lower risk than a full conversion at this
> point in the release
> * security-wise it's terrible, but then the current rules don't buy us
> much anyhow
> * makes it easier to slowly transition to better privsep integration
> * all seems better than reverting os-brick integration to fix upgrade issues
> 
> Now at this point, we are way closer to release, but I want to check
> we are making the correct tradeoff here.
> 
> Maybe the upgrade problem is not too bad this release, as the hard bit
> was done with the last upgrade? Or is that total nonsense?

We did have a couple of cores watching this, this cycle. Walt Boring has
been heavily involved working on this, and I've been waiting to see the
progress.

I think what it ultimately came down to is that it took longer than
expected, and it wasn't until after we cut the "final" os-brick Mitaka
release that some of the blocking issues were worked out with using
privsep.

Given that it has taken this long to get things working, along with how
close we are to M-3, I'm very hesitant to allow this through with very
little runtime.

We really are in a much better position this time around in that there
hasn't been anything added to the rootwrap filters that requires
matching changes in Cinder and Nova. So we should be able to use a mix
of Liberty and Mitaka services without fear of incompatibility.

I do want to see the patches to add the privsep wrapper to rootwrap go
in to Cinder and Nova, even though the official Mitaka os-brick won't be
using it. That should allow us to upgrade os-brick after release without
needing a backported change to the services to allow it.

Sean (smcginnis)
