> 1- introduce privsep
> 2- change rootwrap calls into generic privsep functions
> 3- start refactoring calling code so that generic privsep functions can be replaced by narrow, context-aware functions
>
> You can tackle (2) and (3) at the same time.
In Nova at least, (2) (without (3)) already has patches proposed all the way up [A], so I'm going to go out on a limb and say we're going to wait to tackle (3) until after that series [B], at least for existing code.
> It would be good to describe the antipattern and how to write "good" privsep functions though, if only to be able to point developers and reviewers to that. Suggestions on where we could do that?

Agree with this for sure. I understand the rootwrap->privsep thing well enough to review the existing series, but will need help understanding how (3) will need to look.
Long-term, the document should obviously live somewhere non-project-specific, and I don't know where that would be. Short(er)-term, since we have momentum on the issue in Nova, as well as a clear picture of all the places it needs to be applied (thanks to (2)/[A]), how about we include it in a Nova spec, since we're going to need one anyway?

-efried

[A] https://review.openstack.org/#/q/topic:my-own-personal-alternative-universe+...)
[B] Note that that series has been in flight for quite a while. The patch that actually removes rootwrap (https://review.openstack.org/#/c/554438/) was first proposed right about a year ago. I'm hoping this email thread gets the series some more review attention.