[openstack-dev] [grenade] upgrades vs rootwrap
Matt Riedemann
mriedem at linux.vnet.ibm.com
Fri Jul 1 15:01:32 UTC 2016
On 6/28/2016 4:56 PM, Sean Dague wrote:
> On 06/28/2016 01:46 AM, Angus Lees wrote:
>> Ok, thanks for the in-depth explanation.
>>
>> My takeaway is that we need to file any rootwrap updates as exceptions
>> for now (so releasenotes and grenade scripts).
>
> That is definitely the fallback if there is no better idea. However, we
> should try really hard to figure out if there is a non-manual way
> through this. Even if that means some compat code that we keep for a
> release to just bridge the gap.
>
> -Sean
>
Walter had this for os-brick:

https://review.openstack.org/#/c/329586/

That would fall back to rootwrap if privsep doesn't work / not available.
That could be a workaround for upgrading with os-brick for Newton, with
a big fat warning logged if we use it, and then drop it in Ocata and
require privsep.

I'm not sure about os-vif, we weren't using that in Mitaka so it doesn't
suffer from the same mitaka->newton upgrade issue, but will we get into
any problems with newton->ocata? I know there was a change to devstack
to configure nova to use privsep for os-vif:

https://review.openstack.org/#/c/327199/

And the os-vif integration change in nova has a rootwrap change for
using privsep + os-vif:

https://review.openstack.org/#/c/269672/25/etc/nova/rootwrap.d/compute.filters

--
Thanks,
Matt Riedemann