[openstack-dev] [neutron] proposal to resolve a rootwrap problem for XenServer
thierry at openstack.org
Wed Nov 2 14:06:06 UTC 2016
Ihar Hrachyshka wrote:
> Tony Breeds <tony at bakeyournoodle.com> wrote:
>> On Tue, Nov 01, 2016 at 12:45:43PM +0100, Ihar Hrachyshka wrote:
>>> I suggested in the bug and the PoC review that neutron is not the right
>>> project to solve the issue. Seems like oslo.rootwrap is a better
>>> place to
>>> maintain privilege management code for OpenStack. Ideally, a solution
>>> be found in scope of the library that would not require any changes
>> With the change of direction from oslo.rootwrap to oslo.privsep I doubt
>> there is scope to land this in oslo.rootwrap.
> It may take a while for projects to switch to caps for privilege
oslo.privsep doesn't require projects to switch to caps (just that you
rewrite the commands you call in Python) and can be done incrementally
(while keeping rootwrap around for not-yet-migrated stuff)...
> It may be easier to unblock xen folks with a small
> enhancement in oslo.rootwrap scope and handle transition to oslo.privsep
> on a separate schedule. I would like to hear from oslo folks on where
> alternative hypervisors fit in their rootwrap/privsep plans.
Like Tony said, at this point new features are added to oslo.privsep
rather than oslo.rootwrap. In this specific case the most
forward-looking solution (and also best performance and security) would
be to write a Neutron @privileged.entrypoint function to call into
XenAPI and cache the connection.
https://review.openstack.org/#/c/155631 failed to land in Newton; it would
be great if someone could pick it up (maybe a smaller version to
introduce privsep first, then migrate commands one by one).
Thierry Carrez (ttx)
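The approach sketched above, as an added example that is not code from the thread or from Neutron: a privsep entrypoint that calls into XenAPI from the privileged daemon and keeps the logged-in session cached between calls. The context name, config section and capability are assumptions, as is the fallback decorator used when oslo.privsep is not installed; the XenAPI calls are `login_with_password`, `VM.get_by_uuid` and `VM.get_VIFs`, exercised here against a constructed fake session so the module runs offline.

```python
# Added example (not code from the thread or from Neutron): a privsep
# entrypoint that reaches XenAPI from the daemon and caches the session.
import threading

try:
    from oslo_privsep import capabilities, priv_context
    # Hypothetical context; Neutron's real ones live in neutron/privileged/.
    xen_ctx = priv_context.PrivContext(
        __name__, cfg_section="privsep_xen", pypath=__name__ + ".xen_ctx",
        capabilities=[capabilities.CAP_NET_ADMIN])
    privileged_entrypoint = xen_ctx.entrypoint
except ImportError:  # keep the example runnable where oslo.privsep is absent
    def privileged_entrypoint(func):
        return func

_lock = threading.Lock()
_sessions = {}  # (url, user) -> logged-in session; lives in the daemon process

def _get_session(url, user, password, session_factory):
    """Return the cached XenAPI session, logging in only on first use."""
    key = (url, user)
    with _lock:
        if key not in _sessions:
            session = session_factory(url)
            session.login_with_password(user, password)
            _sessions[key] = session
        return _sessions[key]

def vif_refs_for_vm(url, user, password, vm_uuid, session_factory):
    """The XenAPI work itself, factored out so it can run against a fake."""
    session = _get_session(url, user, password, session_factory)
    vm_ref = session.xenapi.VM.get_by_uuid(vm_uuid)
    return list(session.xenapi.VM.get_VIFs(vm_ref))

@privileged_entrypoint
def get_vif_refs(url, user, password, vm_uuid):
    # Runs inside the privsep daemon; privsep serialises the arguments as JSON.
    import XenAPI  # assumed: the XenServer SDK, needed only on the daemon side
    return vif_refs_for_vm(url, user, password, vm_uuid, XenAPI.Session)

class FakeSession:  # constructed stand-in for XenAPI.Session; runs offline
    logins = 0
    def __init__(self, url):
        self.xenapi = self.VM = self
    def login_with_password(self, user, password):
        FakeSession.logins += 1
    def get_by_uuid(self, uuid):
        return "OpaqueRef:vm-" + uuid
    def get_VIFs(self, vm_ref):
        return ["OpaqueRef:vif-1", "OpaqueRef:vif-2"]
```

Because the daemon is a long-lived process, the second call for the same host and user reuses the session instead of logging in again, which is the caching the message refers to.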