Open Stack

On 7/3/2016 10:25 PM, Angus Lees wrote:
>
> I see there are already a few other additions to the rootwrap filters in
> nova/cinder (the comments suggest (nova) libvirt/imagebackend.py,
> (cinder) remotefs.py, and (both) vzstorage.py).  The various
> privsep-only suggestions about fallback strategies don't help in these
> other examples.  Any corresponding code changes that rely on these new
> filters will also need to be reverted and resubmitted during next cycle
> - or do what usually happens and slip under the radar as they are not
> exercised by grenade.

This is a good point - there were a couple of rootwrap filters added to 
nova already for virtuozzo features (vz volume attach support and 
rescue/resize support using the prl_disk_tool binary). These would fail 
grenade if we ran it with resize and the virtuozzo config with libvirt.

It seems a bit crazy to me to have to land rootwrap filters 6 months 
ahead of the code that uses them though, which is why I didn't block 
those changes from getting in.

>
>  - Gus
>
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>

I haven't noticed anyone from the operators community weigh in on this 
thread, but I'm very curious to how they handle rootwrap filters when 
doing upgrades. I might start a separate thread in the operators list 
about that.

-- 

Thanks,

Matt Riedemann