[openstack-dev] [grenade] upgrades vs rootwrap
Matt Riedemann
mriedem at linux.vnet.ibm.com
Wed Jul 6 16:41:56 UTC 2016
On 7/6/2016 10:55 AM, Matthew Treinish wrote:
>
> Well, for better or worse rootwrap filters are put in /etc and treated like a
> config file. What you're essentially saying is that it shouldn't be config and
> just be in code. I completely agree with that being what we want eventually, but
> it's not how we advertise it today. Privsep sounds like it's our way of making
> this migration. But, it doesn't change the status quo where it's this hybrid
> config/code thing today, like policy was in nova before:
>
> http://specs.openstack.org/openstack/nova-specs/specs/newton/approved/policy-in-code.html
>
> (which has come up before as another tension point in the past during upgrades)
> I don't think we should break what we're currently enforcing today because we
> don't like the model we've built. We need to handle the migration to the new
> better thing gracefully so we don't break people who are relying on our current
> guarantees, regardless of how bad they are.
>
> -Matt Treinish
>
>
I just wonder how many deployments are actually relying on this, since
as noted elsewhere in this thread we don't really enforce this for all
things, only what happens to get tested in our CI system, e.g. the
virtuozzo rootwrap filters that don't have grenade testing.
Which is also why I'd like to get some operator perspective on this.
--
Thanks,
Matt Riedemann