[openstack-dev] [cinder] [nova] os-brick privsep failures and an upgrade strategy?
Thierry Carrez
thierry at openstack.org
Mon Jul 25 16:37:40 UTC 2016
Sean Dague wrote:
> [...]
> After we brought that up in the room, we started going through other
> options. Someone brought up "what about making rootwrap always do this
> for privsep, instead of manually doing this for every project", and I
> volunteered to look at the code to figure out how hard it would be. That
> patch is up at https://review.openstack.org/344450.

I replied (removing my -1) on the review. Just a few answers to the
specific questions:

> I think the path forward here is about the following questions:
>
> 1) how important are seamless upgrades in our vision?

Very

> 2) are root wrap rules supposed to be config (which is manually audited
> by installers)?

They are code, but were config files in the original design, and that
default persisted over time in some (most?) distros.

> 3) is the software supposed to take into account and adapt to the rules
> not being there (or disabled by an auditor)?

Depends on what you mean by software...

> 4) does always letting rootwrap call privsep regress our near term
> security in any real way (given the flaws in existing rules)?

Only for hypothetical non-OpenStack users, and only slightly.

> 5) what will most quickly allow us to transition into a non rootwrap
> world, with a privsep architecture that will give us a better security
> model?

Probably your patch, since it makes rootwrap a deprecated transitional
library enabling privsep. Which is fine as long as nobody else used
rootwrap (or all those hypothetical users would migrate to privsep).

In summary: I can live with the patch as proposed, as long as Angus is
fine with it.

--
Thierry Carrez (ttx)