[openstack-dev] [Nova] Privsep transition state of play

Dan Smith dms at danplanet.com
Mon Nov 6 02:26:06 UTC 2017

> I hope everyone travelling to the Sydney Summit is enjoying jet lag
> just as much as I normally do. Revenge is sweet! My big advice is that
> caffeine is your friend, and to not lick any of the wildlife.

I wasn't planning on licking any of it, but thanks for the warning.

> As of just now, all rootwrap usage has been removed from the libvirt
> driver, if you assume that the outstanding patches from the blueprint
> are merged. I think that's a pretty cool milestone. That said, I feel
> that https://review.openstack.org/#/c/517516/ needs a short talk to
> make sure that people don't think the implementation approach I've
> taken is confusing -- basically not all methods in nova/privsep are
> now escalated, as we only sometimes escalate our privs for a
> call. The review makes it clearer than I can in an email.

I commented, agreeing with gibi. Make the exceptional cases
exceptionally named; assume non-exceptional names are escalated by

> We could stop now for Queens if we wanted -- we originally said we'd
> land things early to let them stabilise. That said, we haven't
> actually caused any stability problems so far -- just a few out of
> tree drivers having to play catch-up. So we could also go all in and
> get this thing done fully in Queens.

I agree we should steam ahead. I don't really want to hang the fate of
the privsep transition on the removal of cellsv2 and nova-network, so
personally I'm not opposed to privsepping those bits if you're
willing. I also agree that the lack of breakage thus far should give us
more confidence that we're safe to continue applying these changes later
in the cycle. Just MHO.

