[nova][ptg] Privsep is not giving us any security

Eric Fried openstack at fried.cc
Thu Apr 18 19:56:03 UTC 2019

Scrubbing the Nova PTG agenda (hence added [ptg] subject tag), and this
is currently on it.

>> 1- introduce privsep
>> 2- change rootwrap calls into generic privsep functions
>> 3- start refactoring calling code so that generic privsep functions can
>> be replaced by narrow, context-aware functions

Based on the discussion in this thread, it sounds to me like nobody
disagrees about what should be done; it's going to be a matter of
getting mikal's series (2 above, [A] below) finished up and then finding
one or more bodies to throw at the next step (3 above).

Can I ask someone (perhaps Mr. Booth?) to file a blueprint to track this?

Is there any part of 3 that we expect to be able to start/finish in Train?

And other than that, is there anything further to discuss, or can we
strike this from the PTG agenda?

> [A]
> https://review.openstack.org/#/q/topic:my-own-personal-alternative-universe+(status:open+OR+status:merged)
> [B] Note that that series has been in flight for quite a while. The
> patch that actually removes rootwrap
> (https://review.openstack.org/#/c/554438/) was first proposed right
> about a year ago. I'm hoping this email thread gets the series some more
> review attention.


More information about the openstack-discuss mailing list