[Openstack] [Quantum] Removing quantum-rootwrap

jrd at redhat.com
Thu Aug 9 13:16:44 UTC 2012


>    From: Thierry Carrez <thierry at openstack.org>
>    Date: Thu, 09 Aug 2012 10:34:17 +0200
>    
>    jrd at redhat.com wrote:
>    >> From: Dan Wendlandt <dan at nicira.com>
>    >> If someone (Bob?) has the immediate cycles to make rootwrap work in Folsom with low to medium
>    >> risk of disruption, I'd be open to exploring that, even if it meant inconsistent usage in quantum
>    >> vs. nova/cinder.     
>    > 
>    > Hi Dan.  I've been working with Bob, getting myself up to speed on
>    > quantum.  I've just talked it over with Bob, and I'll take a crack at
>    > this one.  My approach is going to be to get the quantum rootwrap
>    > stuff up to parity with nova.  It sounded like some further work might
>    > get done in this area for Grizzly, but for the short term, this ought
>    > to be fairly non-disruptive.
>    
>    There are a number of changes:
>    
>    * Switch to configuration-based filters
>    This should be relatively straightforward, although Quantum makes use of
>    root_helper in *many* more places than Nova/Cinder do. You can have a
>    look at:
>    https://github.com/openstack/cinder/commit/d2d3c9cba4a647724f75c036a1985a10c966da35

Yes, I believe that's one of the changesets I've already been looking
at.  Glad to know I'm not off in the weeds :-)

>    
>    * Switch to rootwrap_config and deprecate root_helper
>    This would fully align quantum-rootwrap with nova-rootwrap. However I'm
>    not sure it's reasonable to deprecate root_helper=sudo in Folsom, given
>    how little tested quantum-rootwrap seems to be on Folsom. Maybe just
>    introducing rootwrap_config but leaving the deprecation message out ?
>    You can have a look at:
>    https://github.com/openstack/cinder/commit/2b2c97eb5ca332ce7d1f83e4fd2e81fabe0acb66
>    

Ok.  I did talk through this issue with Bob yesterday, but I'd be
lying if I said I understood it all yet.

Let me ask this:  Since, as you say, there's not a lot of evidence of
traffic through quantum-rootwrap, is there an obvious downside to
deprecating root_helper=sudo at this stage?  I'm not advocating either
way, just trying to get up to speed on all the parts of the issue.

>    * Add missing filters, fix incomplete ones
>    You have to audit all uses of root_helper and add the corresponding
>    filter. In some cases the filter is there but the parameters are wrong
>    (kill, missing -HUP as an allowed signal). I also spotted one call that
>    sets environment before calling root_helper: that needs to use a
>    specific filter since rootwrap filters the environment out (see how
>    DnsmasqFilter works).
>    

Ok.  I haven't seen those, or didn't know what I was looking at, but
I'll keep attention out for that stuff.


>    * Testing
>    The fact that nobody filed bugs around quantum-rootwrap being unusable
>    tends to show nobody actually uses Quantum with it (hence my suggestion
>    to remove it). If we are to ship that option, it needs to be tested one
>    way or another.

Yes.  Honestly, this is the part which I feel most unsure about.  But
I've decided to try to get my head around the code first, and then
understand the testing implications.  I will doubtless have more
questions about that.

>    
>    I don't think it would be that disruptive (given that quantum-rootwrap
>    doesn't really work right now anyway). It is, however, a significant
>    amount of work to complete before the F3 cut Tuesday at end of day.
>    Corner-case missing filters can be treated as bugs post-F3 though.
>    

Ok, understood.

My goal is by end of today, or tomorrow morning latest, to have at
least a reasonably complete understanding of the changes necessary to
get the quantum-rootwrap facility up to parity with nova/cinder.  If I
get to that deadline and I'm not there, I'll probably punt, as it
becomes too much of a hail-mary to get the stuff stabilized and
reviewed etc. by Tues.

>    I'm available to help you and answer any question on the design of the
>    rootwrap you may have.

Thanks very much.  I will certainly have more questions as I proceed.
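
Added example (not part of the original message, and not the rootwrap source): a simplified Python model of the filter behaviour discussed in the thread above. It shows a kill filter that rejects -HUP until that signal is listed, and a command preceded by an environment assignment that only a dedicated filter accepts. The class names, EXAMPLE_VAR and the sample commands are constructed for illustration.

```python
# Simplified model of rootwrap-style filters. Class names, the variable
# EXAMPLE_VAR and the sample commands are constructed for illustration.

class CommandOnly:
    """Allow one executable with any arguments; pass no environment."""
    def __init__(self, exe):
        self.exe = exe

    def match(self, argv):
        return bool(argv) and argv[0] == self.exe

    def plan(self, argv):
        return argv, {}  # (command to run, extra environment)


class KillSignals(CommandOnly):
    """Allow kill only with a listed signal and a numeric pid."""
    def __init__(self, signals):
        super().__init__("kill")
        self.signals = set(signals)

    def match(self, argv):
        return (len(argv) == 3 and argv[0] == self.exe
                and argv[1] in self.signals and argv[2].isdigit())


class EnvThenCommand(CommandOnly):
    """Allow NAME=value words, for listed names only, before the executable."""
    def __init__(self, exe, names):
        super().__init__(exe)
        self.names = list(names)

    def _split(self, argv):
        head = [a.partition("=") for a in argv[:len(self.names)]]
        return head, argv[len(self.names):]

    def match(self, argv):
        head, rest = self._split(argv)
        return ([h[0] for h in head] == self.names
                and all(h[1] == "=" for h in head)
                and super().match(rest))

    def plan(self, argv):
        head, rest = self._split(argv)
        return rest, {name: value for name, _, value in head}


def authorize(filters, argv):
    """Return (command, env) from the first matching filter, else None."""
    for f in filters:
        if f.match(argv):
            return f.plan(argv)
    return None
```

An audit of root_helper call sites can feed each argv through authorize() with the deployed filter list; any call that returns None is a missing or incomplete filter.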



