[openstack-dev] [Nova] On idmapshift deprecation
Michael Still
mikal at stillhq.com
Sat Jul 29 00:09:00 UTC 2017
Hi.
I'm working through the process of converting the libvirt driver in Nova to
privsep with the assistance of Tony Breeds. For various reasons, I started
with removing all the calls to the chown binary and am replacing them with
privsep equivalents. You can see this work at:
https://review.openstack.org/#/q/topic:hurrah-for-privsep
The one remaining use of chown in libvirt in that topic is now a tool
called idmapshift, which is used by the lxc container support to rearrange
file ownership for filesystems mapped into containers. The tool is a
separate binary, which the libvirt driver then runs as root.
This binary is relatively easy to replace with python code inside the main
nova binary in a privsep world -- it's basically a refactor with low impact.
That would be nice because it means we could stop building and shipping an
extra binary.
However, that binary appears to do a whole bunch of extra things which nova
itself doesn't use.
So... Do we keep carrying a binary that we wouldn't be using because it
might be useful to someone? Do you throw away the unused bits of code and
just refactor the bit we use? Do I bravely run away? If we remove the
binary, do we do some form of deprecation first? Or because it's "internal
only" just remove it?
Discuss.
Michael
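The ownership rearrangement the message describes (remapping file uids/gids into the range a container's user namespace sees) is easy to get subtly wrong when it moves from a separate root-run binary into an in-process privileged call, so here is an added example of the shape such a privsep-side refactor can take. This is example code written for this page; it is not nova's code and not the idmapshift tool, and it does not reproduce idmapshift's command-line interface. It assumes kernel uid_map/gid_map-style ranges (source start, destination start, count) and, as a labelled assumption, a fallback id of 65534 for owners that fall outside every range. The planning step is pure and runs unprivileged; only `apply_changes` needs root.

```python
import os
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Tuple

# Example code for this page, not nova's idmapshift. Ranges follow the kernel's
# uid_map/gid_map convention: ids [start, start+count) on the source (host) side
# are mapped onto [target, target+count) on the destination (container) side.


@dataclass(frozen=True)
class IdRange:
    start: int   # first id in the source range
    target: int  # first id in the destination range
    count: int


NOBODY_ID = 65534  # assumed fallback for ids that no range covers


def shift_id(value: int, ranges: Iterable[IdRange], nobody: int = NOBODY_ID) -> int:
    """Map one uid or gid through the ranges; ids outside every range become `nobody`."""
    for r in ranges:
        if r.start <= value < r.start + r.count:
            return r.target + (value - r.start)
    return nobody


def plan_changes(entries: Iterable[Tuple[str, int, int]],
                 uid_ranges: Iterable[IdRange],
                 gid_ranges: Iterable[IdRange],
                 nobody: int = NOBODY_ID) -> List[Tuple[str, int, int]]:
    """Pure, unprivileged step: turn (path, uid, gid) rows into the list of
    (path, new_uid, new_gid) that actually differ. Keeping this apart from the
    chown call keeps the privileged surface small and lets it be unit tested."""
    uid_ranges = list(uid_ranges)
    gid_ranges = list(gid_ranges)
    changes = []
    for path, uid, gid in entries:
        new_uid = shift_id(uid, uid_ranges, nobody)
        new_gid = shift_id(gid, gid_ranges, nobody)
        if (new_uid, new_gid) != (uid, gid):
            changes.append((path, new_uid, new_gid))
    return changes


def collect_entries(root: str) -> Iterator[Tuple[str, int, int]]:
    """Walk `root` with lstat (symlinks are reported as themselves, never
    followed) and refuse to cross into other mounted filesystems, so a mount
    placed inside the image tree cannot get its ownership rewritten."""
    root_st = os.lstat(root)
    yield root, root_st.st_uid, root_st.st_gid
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:  # iterate a copy so pruning below is safe
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if st.st_dev != root_st.st_dev:
                if name in dirnames:
                    dirnames.remove(name)  # prune: do not descend into the mount
                continue
            yield path, st.st_uid, st.st_gid


def apply_changes(changes: Iterable[Tuple[str, int, int]], dry_run: bool = True) -> int:
    """The only step that needs privilege. lchown changes a symlink's own
    ownership instead of following it to its target. Returns the number of
    entries that would be (or were) changed."""
    count = 0
    for path, uid, gid in changes:
        if not dry_run:
            os.lchown(path, uid, gid)
        count += 1
    return count


if __name__ == "__main__":
    # Constructed sample input standing in for a walked rootfs; not real data.
    sample = [("/rootfs/etc", 0, 0), ("/rootfs/home/user", 1000, 1000),
              ("/rootfs/stray", 70000, 0)]
    ranges = [IdRange(start=0, target=100000, count=65536)]
    for path, uid, gid in plan_changes(sample, ranges, ranges):
        print(f"{path}: -> {uid}:{gid}")
```

Two caveats a reviewer of such a refactor would raise: the operation is not idempotent when the destination range is not itself a source range, so running it twice on the same tree pushes every already-shifted owner to the fallback id, and the planning step should be fed only paths under the image root it was asked about, since in a privsep world the caller is the unprivileged side and the path is untrusted input.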