[openstack-dev] [nova] Initial oslo.privsep conversion?

Michael Still mikal at stillhq.com
Wed Jun 8 22:51:09 UTC 2016


On Thu, Jun 9, 2016 at 7:10 AM, Matt Riedemann <mriedem at linux.vnet.ibm.com>

> While sitting in Angus' cross-project session on oslo.privsep at the
> Austin summit I believe I had a conversation with myself in my head that
> Nova should stop adding new rootwrap filters and anything new should use
> oslo.privsep.
> For example:
> https://review.openstack.org/#/c/182257/
> However, we don't have anything in Nova using oslo.privsep directly. We
> have os-brick and soon we'll have os-vif using oslo.privsep, but those are
> indirect.
> Looking at the change in Neutron for using privsep [1] it's pretty
> complicated. So I'm struggling with requiring new changes to Nova that
> require new rootwrap filters to use privsep when we don't have an example
> in tree of how to do this.
> Is anyone working on something like that yet that I haven't seen? If not,
> has anyone thought about doing something or is interested in doing it?
> Because I don't think it's really fair to prevent new things until that
> happens - although the flip side to that is there isn't an example until
> someone is forced to do it.
> Other thoughts? Is anyone willing to help here? I'm assuming there will
> need to be hand-holding from Angus at least initially.
> [1] https://review.openstack.org/#/c/155631/

This seems like the sort of thing we should document in the devref. I agree
we shouldn't be doing any more of the old thing and should provide a worked
example of the new thing.


