[openstack-dev] [Nova] Privsep transition state of play

Michael Still mikal at stillhq.com
Fri Nov 3 02:36:05 UTC 2017


I hope everyone travelling to the Sydney Summit is enjoying jet lag just as
much as I normally do. Revenge is sweet! My big advice is that caffeine is
your friend, and to not lick any of the wildlife.

On a more serious note, I want to give a checkpoint for the Nova privsep
transition in the hope that we can discuss it a bit more at the Forum /
Summit / whatever the thing in Sydney with developers is called [1].

As of just now, all rootwrap usage has been removed from the libvirt
driver, if you assume that the outstanding patches from the blueprint are
merged. I think that's a pretty cool milestone. That said, I feel that
https://review.openstack.org/#/c/517516/ needs a short talk to make sure
that people don't think the implementation approach I've taken is confusing
-- basically not all methods in nova/privsep are now escalated, as
we only sometimes escalate our privs for a call. The review makes
it clearer than I can in an email.

We could stop now for Queens if we wanted -- we originally said we'd land
things early to let them stabilise. That said, we haven't actually caused
any stability problems so far -- just a few out of tree drivers having to
play catchup. So we could also go all in and get this thing done fully in

So where to from here?


1: It's possibly called a pub.