[openstack-dev] [cinder] [nova] os-brick privsep failures and an upgrade strategy?
gus at inodes.org
Wed Jun 15 06:11:56 UTC 2016
oslo.privsep change: https://review.openstack.org/#/c/329766/
And the nova change that uses it: https://review.openstack.org/#/c/329769
In particular I'm unsure if os-brick/os-vif is even loaded at this point in
nova-compute main(). Does anyone know when that actually happens or shall
I go exploring?
On Wed, 15 Jun 2016 at 11:43 Sean Dague <sean at dague.net> wrote:
> On 06/14/2016 06:11 PM, Angus Lees wrote:
> > Yep (3) is quite possible, and the only reason it doesn't just do this
> > already is because there's no way to find the name of the rootwrap
> > command to use (from any library, privsep or os-brick) - and I was never
> > very happy with the current need to specify a command line in
> > oslo.config purely for this lame reason.
> > As Sean points out, all the others involve some sort of configuration
> > change preceding the code. I had imagined rollouts would work by
> > pushing out the harmless conf or sudoers change first, but hadn't
> > appreciated the strict change phases imposed by grenade (and ourselves).
> > If all "end-application" devs are happy calling something like (3)
> > before the first privileged operation occurs, then we should be good. I
> > might even take the opportunity to phrase it as a general privsep.init()
> > function, and then we can use it for any other top-of-main()
> > privilege-setup steps that need to be taken in the future.
> That sounds promising. It would be fine to emit a warning if it only was
> using the default, asking people to make a configuration change to make
> it go away. We're totally good with things functioning with warnings
> after transitions, that ops can adjust during their timetable.
> Sean Dague