[openstack-dev] [nova] To rootwrap or piggyback privsep helpers?

Matt Riedemann mriedemos at gmail.com
Thu Jan 26 04:49:26 UTC 2017


The patch to add support for ephemeral storage with the Virtuozzo config 
is using the privsep helper from os-brick to run a new ploop command as 
root:

https://review.openstack.org/#/c/312488/

I've objected to this because I'm pretty sure this is not how we 
intended to be using privsep in Nova. The privsep helper in os-brick 
should be for privileged commands that os-brick itself needs to run, and 
was for things that used to have to be carried in both nova and cinder 
rootwrap filters.

I know we also want new things in nova that require root access to 
execute commands to run privsep, but we haven't had anything do that 
yet, and we've said we'd like an example before making it a hard rule. 
But we're finding it hard to put our foot down on the first one (I 
remember we allowed something in with rootwrap in Newton because we 
didn't want to block on privsep).

With feature freeze coming up tomorrow, however, I'm now torn on how to 
handle this. The options I see are:

1. Block this until it's properly using privsep in Nova, effectively 
killing it's chances to make Ocata.

2. Allow the patch as-is with how it's re-using the privsep helper from 
os-brick.

3. Change the patch to just use rootwrap with a new compute.filters 
entry, no privsep at all - basically how we used to always do this stuff.

In the interest of time, and not seeing anyone standing up to lead the 
charge on privsep conversion in Nova in the immediate future, I'm 
learning toward just doing #3 but wanted to get other opinions.

-- 

Thanks,

Matt Riedemann



More information about the OpenStack-dev mailing list