[openstack-dev] [neutron] proposal to resolve a rootwrap problem for XenServer

Bob Ball bob.ball at citrix.com
Thu Nov 3 14:20:40 UTC 2016


Hi Ihar,

> I am puzzled. Is Neutron the only component that needs to call into dom0?

No, it's not. Nova has similar code to call plugins in dom0 [1], and Ceilometer will also need to make such calls for some metrics not exposed through the formal API.

We don't want code duplication, and are working on a common os-xenapi library which will include session management.
It would, of course, make sense for Neutron to use this common library when it is available, replacing the session management that already exists [2], but I'd argue that, as there is existing XenAPI session management code, the refactor to avoid using a per-command rootwrap should be independent of using the session code from os-xenapi.

> I would think that Neutron is not in business of handling hypervisor privilege isolation mechanics, and that
> some other components will handle that for Neutron (and other services that may need it), that’s why I
> suggested to consider oslo.* realm for the proposed code.

This is less about hypervisor privilege isolation and more about the location of the logical component being updated. Neutron is assuming that the OVS being updated is running in the same location as Neutron itself. For XenAPI that is not true; the OVS is running in the hypervisor, whereas Neutron is running in a VM (or potentially elsewhere entirely).

If oslo.* is going to decide whether to run a command using a specific abstraction or locally, then it would need some way of making that decision - perhaps either command-based (very ugly and fragile) or with the caller telling oslo.* what logical component was being affected by the call. The latter sounds to me much more like a Neutron-specific decision.

> Side note: if we are going to make drastic changes to the existing Xen-wrap script, we should first have Xen
> third-party CI testing running against it, so as not to introduce regressions. AFAIK it’s not happening right now.

It already is running, and has been for several months - see the Citrix XenServer CI's "dsvm-tempest-neutron-network" job on https://review.openstack.org/#/c/391308/ as an example. The CI is non-voting, but if it were added to the neutron-ci group we would be very happy to make it voting.

Thanks,

[1] https://git.openstack.org/cgit/openstack/nova/tree/nova/virt/xenapi/client/session.py#n214
[2] https://git.openstack.org/cgit/openstack/neutron/tree/bin/neutron-rootwrap-xen-dom0#n112
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)