Hello Neutrinos:

During the last cycles we have been migrating the Neutron code from
oslo.rootwrap to oslo.privsep. Those efforts are aimed at reaching the
goal defined in [1] and are tracked in [2].

At this point, starting the Xena development cycle, we can state that we
have migrated all short-lived commands from oslo.rootwrap to oslo.privsep
or to a native implementation (that could also use oslo.privsep to elevate
the permissions if needed).

The problem is the daemons or services (long-lived processes) that Neutron
spawns using "ProcessManager"; this is why "ProcessManager.enable" is
the only code calling "utils.execute" without the "privsep_exec" parameter.
Those processes cannot be executed using oslo.privsep because the privsep
root daemon has a limited number of executing threads. The remaining
processes are [3].

Although we didn't reach the Completion Criteria defined in [1], that is,
removing the oslo.rootwrap dependency, I think we don't have an alternative
to run those services and we should keep rootwrap for them. If there are no
objections, once [3] is merged we can consider that Neutron (not other
Stadium projects) finished the efforts on [1].

Please, any feedback is always welcome.
Regards.