[neutron] oslo.privsep migration in Neutron

Slawek Kaplonski skaplons at redhat.com
Wed Mar 31 06:53:56 UTC 2021


On Tue, Mar 30, 2021 at 05:33:40PM +0200, Rodolfo Alonso Hernandez wrote:
> Hello Neutrinos:
> During the last cycles we have been migrating the Neutron code from
> oslo.rootwrap to oslo.privsep. Those efforts are aimed at reaching the goal
> defined in [1] and are tracked in [2].
> At this point, starting the Xena development cycle, we can state that we have
> migrated all short lived commands from oslo.rootwrap to oslo.privsep or to
> a native implementation (that could also use oslo.privsep to elevate the
> permissions if needed).

Thanks a lot Rodolfo for working on that. Great job!

> The problem is the daemons or services (long lived processes) that Neutron
> spawns using "ProcessManager"; this is why "ProcessManager.enable" is the
> only code calling "utils.execute" without the "privsep_exec" parameter. Those
> processes cannot be executed using oslo.privsep because the privsep root
> daemon has a limited number of executing threads. The remaining processes
> are [3].
> Although we didn't reach the Completion Criteria defined in [1], that is,
> removing the oslo.rootwrap dependency, I think we don't have an alternative
> to run those services and we should keep rootwrap for them. If there are no
> objections, once [3] is merged we can consider that Neutron (not other
> Stadium projects) finished the efforts on [1].

Sounds good to me.

> Please, any feedback is always welcome.

Maybe some oslo.privsep experts can take a look into that and help to solve that
problem somehow. If not, then IMO we can live with it like it is now.

> Regards.
> [1]https://review.opendev.org/c/openstack/governance/+/718177
> [2]https://storyboard.openstack.org/#!/story/2007686
> [3]https://review.opendev.org/c/openstack/neutron/+/778444/2/etc/neutron/rootwrap.d/rootwrap.filters

Slawek Kaplonski
Principal Software Engineer
Red Hat
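
The thread-limit concern raised in the quoted message, as an added example that is not part of the original thread and is not Neutron or oslo.privsep code: a model built on Python's standard `ThreadPoolExecutor` showing how long-lived services that each hold a worker of a bounded pool leave a short privileged command stuck in the queue. The pool size and the names `long_lived_service`, `short_command` and `simulate` are assumptions made for the illustration.

```python
import threading
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout

POOL_SIZE = 2  # assumed size for the demo, standing in for the daemon's thread limit


def long_lived_service(started, stop):
    """Stand-in for a daemon started via ProcessManager: holds its worker until stopped."""
    started.set()
    stop.wait()
    return "service exited"


def short_command():
    """Stand-in for a short-lived privileged command."""
    return "done"


def simulate(pool_size=POOL_SIZE, wait=0.2):
    """Fill every worker with a long-lived service, then try a short command."""
    stop = threading.Event()
    with ThreadPoolExecutor(max_workers=pool_size) as pool:
        started = [threading.Event() for _ in range(pool_size)]
        services = [pool.submit(long_lived_service, ev, stop) for ev in started]
        for ev in started:
            ev.wait()  # every worker thread is now occupied

        queued = pool.submit(short_command)
        try:
            queued.result(timeout=wait)
            starved = False
        except FutureTimeout:
            starved = True  # no free worker: the short command sits in the queue

        stop.set()  # services exit, workers become free again
        after = queued.result(timeout=5)
        exits = [s.result(timeout=5) for s in services]
    return starved, after, exits


if __name__ == "__main__":
    print(simulate())
```

The short command completes only after the services release their workers, which is why a call that runs for the lifetime of a service is a poor fit for a pool of fixed size.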