[openstack-dev] [cinder] [nova] os-brick privsep failures and an upgrade strategy?

Angus Lees gus at inodes.org
Wed Jun 15 06:11:56 UTC 2016

oslo.privsep change: https://review.openstack.org/#/c/329766/
And the nova change that uses it: https://review.openstack.org/#/c/329769

In particular I'm unsure if os-brick/os-vif is even loaded at this point in
nova-compute main().  Does anyone know when that actually happens or shall
I go exploring?

 - Gus

On Wed, 15 Jun 2016 at 11:43 Sean Dague <sean at dague.net> wrote:

> On 06/14/2016 06:11 PM, Angus Lees wrote:
> > Yep (3) is quite possible, and the only reason it doesn't just do this
> > already is because there's no way to find the name of the rootwrap
> > command to use (from any library, privsep or os-brick) - and I was never
> > very happy with the current need to specify a command line in
> > oslo.config purely for this lame reason.
> >
> > As Sean points out, all the others involve some sort of configuration
> > change preceding the code.  I had imagined rollouts would work by
> > pushing out the harmless conf or sudoers change first, but hadn't
> > appreciated the strict change phases imposed by grenade (and ourselves).
> >
> > If all "end-application" devs are happy calling something like (3)
> > before the first privileged operation occurs, then we should be good.  I
> > might even take the opportunity to phrase it as a general privsep.init()
> > function, and then we can use it for any other top-of-main()
> > privilege-setup steps that need to be taken in the future.
> That sounds promising. It would be fine to emit a warning if it only was
> using the default, asking people to make a configuration change to make
> it go away. We're totally good with things functioning with warnings
> after transitions, that ops can adjust during their timetable.
>         -Sean
> --
> Sean Dague
> http://dague.net