[openstack-dev] [Nova] On idmapshift deprecation

Michael Still mikal at stillhq.com
Sun Aug 20 08:28:50 UTC 2017


I'm going to take the general silence on this as permission to remove the
idmapshift binary from nova. You're welcome.

Michael

On Sat, Jul 29, 2017 at 10:09 AM, Michael Still <mikal at stillhq.com> wrote:

> Hi.
>
> I'm working through the process of converting the libvirt driver in Nova
> to privsep with the assistance of Tony Breeds. For various reasons, I
> started with removing all the calls to the chown binary and am replacing
> them with privsep equivalents. You can see this work at:
>
>     https://review.openstack.org/#/q/topic:hurrah-for-privsep
>
> The one remaining use of chown in libvirt in that topic is now a tool
> called idmapshift, which is used by the lxc container support to rearrange
> file ownership for filesystems mapped into containers. The tool is a
> separate binary, which the libvirt driver then runs as root.
>
> This binary is relatively easy to replace with python code inside the main
> nova binary in a privsep world -- it's basically a refactor with low impact.
> That would be nice because it means we could stop building and shipping an
> extra binary.
>
> However, that binary appears to do a whole bunch of extra things which
> nova itself doesn't use.
>
> So... Do we keep carrying a binary that we wouldn't be using because it
> might be useful to someone? Do you throw away the unused bits of code and
> just refactor the bit we use? Do I bravely run away? If we remove the
> binary, do we do some form of deprecation first? Or because it's "internal
> only" just remove it?
>
> Discuss.
>
> Michael
>
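
The ownership shift described in the quoted message, as an added example that is not code from nova or from this thread: it computes shifted uid/gid values for a tree and separates the unprivileged planning step from the chown step that needs root. The (start, target, count) map format, the 65534 fallback id and all function names are assumptions made for illustration.

```python
import os
import tempfile

NOBODY_ID = 65534  # assumed fallback owner for ids outside every map range


def find_target_id(fsid, mappings, nobody=NOBODY_ID):
    """Map a host-side id to its shifted id; mappings are (start, target, count)."""
    for start, target, count in mappings:
        if start <= fsid < start + count:
            return target + (fsid - start)
    return nobody


def plan_shift(root, uid_maps, gid_maps):
    """Return [(path, old_uid, old_gid, new_uid, new_gid)] for entries that change."""
    changes = []
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow symlinks
        paths.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    for path in paths:
        st = os.lstat(path)  # lstat: inspect the link itself, never its target
        new_uid = find_target_id(st.st_uid, uid_maps)
        new_gid = find_target_id(st.st_gid, gid_maps)
        if (new_uid, new_gid) != (st.st_uid, st.st_gid):
            changes.append((path, st.st_uid, st.st_gid, new_uid, new_gid))
    return changes


def apply_shift(changes):
    """Apply a plan; needs CAP_CHOWN, so this is the part a privileged helper runs."""
    for path, _old_uid, _old_gid, new_uid, new_gid in changes:
        os.lchown(path, new_uid, new_gid)  # lchown: a symlink cannot redirect the chown


if __name__ == "__main__":
    # Constructed sample: host ids 0-999 become 100000-100999 inside the container.
    maps = [(0, 100000, 1000)]
    with tempfile.TemporaryDirectory() as root:
        open(os.path.join(root, "etc-passwd"), "w").close()
        for change in plan_shift(root, maps, maps):
            print(change)  # dry run only; apply_shift() is not called here
```

Keeping the plan separate from `apply_shift` means only the `lchown` loop has to run with elevated privileges.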