[openstack-dev] [cinder] [nova] os-brick privsep failures and an upgrade strategy?

Thierry Carrez thierry at openstack.org
Mon Jul 25 16:37:40 UTC 2016


Sean Dague wrote:
> [...]
> After we brought that up in the room, we started going through other
> options. Someone brought up "what about making rootwrap always do this
> for privsep, instead of manually doing this for every project", and I
> volunteered to look at the code to figure out how hard it would be. That
> patch is up at https://review.openstack.org/344450.

I replied (removing my -1) on the review. Just a few answers to the
specific questions:

> I think the path forward here is about the following questions:
> 
> 1) how important are seamless upgrades in our vision?

Very

> 2) are root wrap rules supposed to be config (which is manually audited
> by installers)?

They are code, but were config files in the original design, and that
default persisted over time in some (most?) distros.

> 3) is the software supposed to take into account and adapt to the rules
> not being there (or disabled by an auditor)?

Depends on what you mean by software...

> 4) does always letting rootwrap call privsep regress our near term
> security in any real way (given the flaws in existing rules)?

Only for hypothetical non-OpenStack users, and only slightly.

> 5) what will most quickly allow us to transition into a non rootwrap
> world, with a privsep architecture that will give us a better security
> model?

Probably your patch, since it makes rootwrap a deprecated transitional
library enabling privsep. Which is fine as long as nobody else used
rootwrap (or all those hypothetical users would migrate to privsep).

In summary: I can live with the patch as proposed, as long as Angus is
fine with it.

-- 
Thierry Carrez (ttx)


