<div dir="ltr"><div id="gmail-magicdomid577" class="gmail-ace-line"><span class="gmail-author-a-1z73zz76zz88zprz70zz82zyz83zz71zg2z78z7h">Hello Neutrinos: </span></div><div id="gmail-magicdomid578" class="gmail-ace-line"><span class="gmail-author-a-1z73zz76zz88zprz70zz82zyz83zz71zg2z78z7h"> </span></div><div id="gmail-magicdomid579" class="gmail-ace-line"><span class="gmail-author-a-1z73zz76zz88zprz70zz82zyz83zz71zg2z78z7h">During
the last cycles we have been migrating the Neutron code from
oslo.rootwrap to oslo.privsep. Those efforts are aimed at reaching the
goal defined in [1] and are tracked in [2].</span></div><div id="gmail-magicdomid580" class="gmail-ace-line"><br></div><div id="gmail-magicdomid581" class="gmail-ace-line"><span class="gmail-author-a-1z73zz76zz88zprz70zz82zyz83zz71zg2z78z7h">At
this point, starting the Xena development cycle, we can state that we have
migrated all short-lived commands from oslo.rootwrap to oslo.privsep or
to a native implementation (that could also use oslo.privsep to elevate
the permissions if needed).</span></div><div id="gmail-magicdomid582" class="gmail-ace-line"><br></div><div id="gmail-magicdomid942" class="gmail-ace-line"><span class="gmail-author-a-1z73zz76zz88zprz70zz82zyz83zz71zg2z78z7h">The
problem is the daemons or services (long-lived processes) that Neutron
spawns using "ProcessManager"; this is why "ProcessManager.enable" is
the only code calling "utils.execute" without the "privsep_exec" parameter.
Those processes cannot be executed using oslo.privsep because the privsep
root daemon has a limited number of executing threads. The remaining
processes are [3].</span></div><div id="gmail-magicdomid943" class="gmail-ace-line"><br></div><div id="gmail-magicdomid1525" class="gmail-ace-line"><span class="gmail-author-a-1z73zz76zz88zprz70zz82zyz83zz71zg2z78z7h">Although
we didn't reach the Completion Criteria defined in [1], that is, removing
the oslo.rootwrap dependency, I think we don't have an alternative to
run those services and we should keep rootwrap for them. If there are no
objections, once [3] is merged we can consider that Neutron (not other
Stadium projects) finished the efforts on [1].</span></div><div id="gmail-magicdomid1383" class="gmail-ace-line"><br></div><div id="gmail-magicdomid1522" class="gmail-ace-line"><span class="gmail-author-a-1z73zz76zz88zprz70zz82zyz83zz71zg2z78z7h">Please, any feedback is always welcome.</span></div><div id="gmail-magicdomid1494" class="gmail-ace-line"><br></div><div id="gmail-magicdomid1505" class="gmail-ace-line"><span class="gmail-author-a-1z73zz76zz88zprz70zz82zyz83zz71zg2z78z7h">Regards.</span></div><div id="gmail-magicdomid587" class="gmail-ace-line"><br></div><div id="gmail-magicdomid588" class="gmail-ace-line"><span class="gmail-author-a-1z73zz76zz88zprz70zz82zyz83zz71zg2z78z7h">[1]</span><span class="gmail-author-a-1z73zz76zz88zprz70zz82zyz83zz71zg2z78z7h gmail-url"><a href="https://review.opendev.org/c/openstack/governance/+/718177" rel="noreferrer noopener">https://review.opendev.org/c/openstack/governance/+/718177</a></span></div><div id="gmail-magicdomid926" class="gmail-ace-line"><span class="gmail-author-a-1z73zz76zz88zprz70zz82zyz83zz71zg2z78z7h">[2]</span><span class="gmail-author-a-1z73zz76zz88zprz70zz82zyz83zz71zg2z78z7h gmail-url"><a href="https://storyboard.openstack.org/#!/story/2007686" rel="noreferrer noopener">https://storyboard.openstack.org/#!/story/2007686</a></span></div><div id="gmail-magicdomid930" class="gmail-ace-line"><span class="gmail-author-a-1z73zz76zz88zprz70zz82zyz83zz71zg2z78z7h">[3]</span><span class="gmail-author-a-1z73zz76zz88zprz70zz82zyz83zz71zg2z78z7h gmail-url"><a href="https://review.opendev.org/c/openstack/neutron/+/778444/2/etc/neutron/rootwrap.d/rootwrap.filters" rel="noreferrer noopener">https://review.opendev.org/c/openstack/neutron/+/778444/2/etc/neutron/rootwrap.d/rootwrap.filters</a></span></div><div id="gmail-magicdomid14" class="gmail-ace-line"><br><br></div></div>