[openstack-dev] [grenade] upgrades vs rootwrap

Sean Dague sean at dague.net
Fri Jun 24 11:03:02 UTC 2016


On 06/24/2016 05:19 AM, Daniel P. Berrange wrote:
> On Fri, Jun 24, 2016 at 11:12:27AM +0200, Thierry Carrez wrote:
>> No perfect answer here... I'm hesitating between (0), (1) and (4). (4) is
>> IMHO the right solution, but it's a larger change for downstream. (1) is a
>> bit of a hack, where we basically hardcode in rootwrap that it's being
>> transitioned to privsep. That's fine, but only if we get rid of rootwrap
>> soon. So only if we have a plan for (4) anyway. Option (0) is a bit of a
>> hard sell for upgrade procedures -- if we need to take a hit in that area,
>> let's do (4) directly...
>>
>> In summary, I think the choice is between (1)+(4) and doing (4) directly.
>> How doable is (4) in the timeframe we have? Do we all agree that (4) is the
>> endgame?
> 
> We've already merged a change to privsep to allow nova/cinder/etc to
> initialize the default helper command to use rootwrap:
> 
>   https://github.com/openstack/oslo.privsep/commit/9bf606327d156de52c9418d5784cd7f29e243487
> 
> So we just need a new release of privsep & add code to nova to initialize
> it and we're sorted.

Actually, I don't think so. Matt ran that test scenario, and we're
missing the rootwrap rule that lets privsep-helper run as root. So we
fail to start the daemon from the unpriv nova compute process post upgrade.

	-Sean

-- 
Sean Dague
http://dague.net


