[neutron] oslo.privsep migration in Neutron
Slawek Kaplonski
skaplons at redhat.com
Wed Mar 31 06:53:56 UTC 2021
Hi,
On Tue, Mar 30, 2021 at 05:33:40PM +0200, Rodolfo Alonso Hernandez wrote:
> Hello Neutrinos:
>
> During the last cycles we have been migrating the Neutron code from
> oslo.rootwrap to oslo.privsep. Those efforts are aimed at reaching the goal
> defined in [1] and are tracked in [2].
>
> At this point, starting Xena developing cycle, we can state that we have
> migrated all short lived commands from oslo.rootwrap to oslo.privsep or to
> a native implementation (that could also use oslo.privsep to elevate the
> permissions if needed).
Thanks a lot Rodolfo for working on that. Great job!
>
> The problem are the daemons or services (long lived processes) that Neutron
> spawns using "ProcessManager"; this is why "ProcessManager.enable" is the
> only code calling "utils.execute" without "privsep_exec" parameter. Those
> process cannot be executed using oslo.privsep because the privsep root
> daemon has a limited number of executing threads. The remaining processes
> are [3].
>
> Although we didn't reach the Completion Criteria defined in [1], that is
> remove the oslo.rootwrap dependency, I think we don't have an alternative
> to run those services and we should keep rootwrap for them. If there are no
> objections, once [3] is merged we can consider that Neutron (not other
> Stadium projects) finished the efforts on [1].
Sounds good for me.
>
> Please, any feedback is always welcome.
Maybe some oslo.privsep experts can take a look into that and help to solve that
problem somehow. If not, then IMO we can live with it like it is now.
>
> Regards.
>
> [1]https://review.opendev.org/c/openstack/governance/+/718177
> [2]https://storyboard.openstack.org/#!/story/2007686
> [3]
> https://review.opendev.org/c/openstack/neutron/+/778444/2/etc/neutron/rootwrap.d/rootwrap.filters
--
Slawek Kaplonski
Principal Software Engineer
Red Hat
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20210331/a8d8f064/attachment.sig>
More information about the openstack-discuss
mailing list