[neutron] oslo.privsep migration in Neutron

Ben Nemec openstack at nemebean.com
Wed Mar 31 14:49:00 UTC 2021



On 3/31/21 1:53 AM, Slawek Kaplonski wrote:
> Hi,
> 
> On Tue, Mar 30, 2021 at 05:33:40PM +0200, Rodolfo Alonso Hernandez wrote:
>> Hello Neutrinos:
>>
>> During the last cycles we have been migrating the Neutron code from
>> oslo.rootwrap to oslo.privsep. Those efforts are aimed at reaching the goal
>> defined in [1] and are tracked in [2].
>>
>> At this point, starting Xena developing cycle, we can state that we have
>> migrated all short lived commands from oslo.rootwrap to oslo.privsep or to
>> a native implementation (that could also use oslo.privsep to elevate the
>> permissions if needed).
> 
> Thanks a lot Rodolfo for working on that. Great job!
> 
>>
>> The problem are the daemons or services (long lived processes) that Neutron
>> spawns using "ProcessManager"; this is why "ProcessManager.enable" is the
>> only code calling "utils.execute" without "privsep_exec" parameter. Those
>> process cannot be executed using oslo.privsep because the privsep root
>> daemon has a limited number of executing threads. The remaining processes
>> are [3].
>>
>> Although we didn't reach the Completion Criteria defined in [1], that is
>> remove the oslo.rootwrap dependency, I think we don't have an alternative
>> to run those services and we should keep rootwrap for them. If there are no
>> objections, once [3] is merged we can consider that Neutron (not other
>> Stadium projects) finished the efforts on [1].
> 
> Sounds good for me.
> 
>>
>> Please, any feedback is always welcome.
> 
> Maybe some oslo.privsep experts can take a look into that and help to solve that
> problem somehow. If not, then IMO we can live with it like it is now.

One possibility is to start a separate privsep daemon for the 
long-running services. I believe privsep was designed with that in mind 
so you could have privileged calls running in a daemon with just the 
necessary permissions for that call, not the permissions for every 
privileged call in the service.

That said, I'm not sure how much, if at all, it has been used.

> 
>>
>> Regards.
>>
>> [1]https://review.opendev.org/c/openstack/governance/+/718177
>> [2]https://storyboard.openstack.org/#!/story/2007686
>> [3]
>> https://review.opendev.org/c/openstack/neutron/+/778444/2/etc/neutron/rootwrap.d/rootwrap.filters
> 



More information about the openstack-discuss mailing list