[openstack-dev] [all] [tc] Community Goals for Rocky -- privsep

Michael Still mikal at stillhq.com
Sun Jan 28 20:54:17 UTC 2018


Sorry for the slow reply, I've spent the last month camping in a tent and
it was wonderful.

The privsep transition isn't complete in Nova, but it was never intended to
be in Queens. We did get further than we envisaged and its doable to finish
off in Rocky.

That said, I feel like we have a nice established pattern for what we think
works now, and the changes are largely mechanical -- the holdups tend to be
when you encounter some weird history in the codebase that needs to be
unravelled along the way.

That said, I don't think we're proposing to remove rootwrap entirely, it
would still be a supported mechanism for launching the privsep helpers.

Michael



On Fri, Jan 12, 2018 at 1:20 AM, Thierry Carrez <thierry at openstack.org>
wrote:

> Emilien Macchi wrote:
> > [...]
> > Thierry mentioned privsep migration (done in Nova and Zun). (action,
> > ping mikal about it).
>
> It's not "done" in Nova: Mikal planned to migrate all of nova-compute
> (arguably the largest service using rootwrap) to privsep during Queens,
> but AFAICT it's still work in progress.
>
> Other projects like cinder and neutron are using it.
>
> If support in Nova is almost there, it would make a great Queens goal to
> get rid of the last rootwrap leftovers and deprecate it.
>
> Mikal: could you give us a quick update of where you are ?
> Anyone interested in championing that as a goal?
>
> --
> Thierry Carrez (ttx)
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20180129/3763e1e8/attachment.html>


More information about the OpenStack-dev mailing list