[Openstack] [Quantum] Removing quantum-rootwrap

Thierry Carrez thierry at openstack.org
Wed Aug 8 13:31:59 UTC 2012


Hi everyone,

Quantum currently contains bin/quantum-rootwrap, a copy of nova-rootwrap
supposed to control its privilege escalation to run commands as root.

However quantum-rootwrap is currently non-functional, missing a lot of
filter definitions that are necessary for it to work correctly. Quantum
is generally run with root_helper=sudo and a wildcard sudoers file. That
means Quantum is not ready to deprecate in Folsom (and remove in
Grizzly) its ability to run with root_helper=sudo, like Nova and Cinder do.

I discussed this with Dan, and it appears that the sanest approach would
be to remove quantum-rootwrap from Quantum and only support
root_helper=sudo (the only option that works). I suspect nobody is
actually using quantum-rootwrap right now anyway, given how broken it
seems to be. For the first official release of Quantum as an OpenStack
core project, I would prefer not to ship half-working options :)

Quantum would then wait for rootwrap to move to openstack-common (should
be done in Grizzly) to reconsider using it.

Let me know if any of you see issues with that approach.
(posted to the general list to get the widest feedback).

-- 
Thierry Carrez (ttx)
Release Manager, OpenStack
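
Added example, not part of the original message and not nova-rootwrap's or Quantum's code: a minimal allowlist command filter of the kind the message says quantum-rootwrap lacks definitions for. It shows that a command with no matching filter definition is refused, whereas a wildcard sudoers entry would run it. The class names, the filter set and the sample commands are constructed for illustration.

```python
import os
import re


class CommandFilter:
    """Allow one named executable with any arguments (illustrative class)."""

    def __init__(self, exec_path):
        self.exec_path = exec_path

    def match(self, argv):
        return bool(argv) and argv[0] == os.path.basename(self.exec_path)

    def resolve(self, argv):
        # Run the pinned absolute path, never whatever $PATH would find.
        return [self.exec_path] + list(argv[1:])


class RegExpFilter(CommandFilter):
    """Allow the executable only when every argument fits its pattern."""

    def __init__(self, exec_path, *arg_patterns):
        super().__init__(exec_path)
        self.arg_patterns = arg_patterns

    def match(self, argv):
        args = argv[1:]
        return (super().match(argv)
                and len(args) == len(self.arg_patterns)
                and all(re.fullmatch(p, a)
                        for p, a in zip(self.arg_patterns, args)))


def authorize(argv, filters):
    """Return the argv to execute as root, or None when no filter matches."""
    for f in filters:
        if f.match(argv):
            return f.resolve(argv)
    return None


# Constructed filter set: defined for one command, missing for the rest.
FILTERS = [
    RegExpFilter("/sbin/ip", "link", "set", r"tap[0-9a-f-]{1,11}", "up"),
]

if __name__ == "__main__":
    for cmd in (["ip", "link", "set", "tap1a2b", "up"],   # filter defined
                ["ovs-vsctl", "add-br", "br-int"],        # no filter: denied
                ["ip", "link", "set", "eth0", "down"]):   # args off-pattern
        print(cmd, "->", authorize(cmd, FILTERS))
```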



