Open Stack

On 08/09/2012 10:32 AM, Thierry Carrez wrote:
> jrd at redhat.com wrote:
>>>    * Switch to rootwrap_config and deprecate root_helper
>>>    This would fully align quantum-rootwrap with nova-rootwrap. However I'm
>>>    not sure it's reasonable to deprecate root_helper=sudo in Folsom, given
>>>    how little tested quantum-rootwrap seems to be on Folsom. Maybe just
>>>    introducing rootwrap_config but leaving the deprecation message out ?
>>>    You can have a look at:
>>>    https://github.com/openstack/cinder/commit/2b2c97eb5ca332ce7d1f83e4fd2e81fabe0acb66
>>>    
>>
>> Ok.  I did talk through this issue with Bob yesterday, but I'd be
>> lying if I said I understood it all yet.
>>
>> Let me ask this:  Since, as you say, there's not a lot of evidence of
>> traffic through quantum-rootwrap, is there an obvious downside to
>> deprecating root_helper=sudo at this stage?  I'm not advocating either
>> way, just trying to get up to speed on all the parts of the issue.
> 
> Well, since there is not a lot of evidence of traffic through the
> rootwrap, that means almost everyone is using root_helper=sudo. Marking
> it deprecated, and recommending that everyone switches to the (untested
> yet) rootwrap doesn't sound that much like a great idea.
> 
> I think we should deprecate root_helper=sudo when we are confident that
> most people are using rootwrap and are satisfied with it.

By "almost everyone" and "most people", do you mean users of devstack?
I'd hate to think people are trying to deploy the quantum Folsom master
branch with all the change that's been going on.

We should immediately change devstack to stop running the quantum agents
as root, so at least the root_helper=sudo functionality is really being
used.

It looks like devstack does configure nova with the new
rootwrap/rootwrap_config and does not run any of its services as root.
Doing the same for quantum would seem get some mileage on it.

What exactly is involved in deprecating root_helper=sudo? Is this
something we could chose whether or not to do at the last minute after
implementing the new rootwrap and changing devstack to use it?

Thanks,

-Bob

> 
>> My goal is by end of today , or tomorrow morning latest, to have at
>> least a reasonably complete understanding of the changes necessary to
>> get the quantum-rootwrap facility up to parity with nova/cinder.  If I
>> get to that deadline and I'm not there, I'll probably punt, as it
>> becomes too much of a hail-mary to get the stuff stabilized and
>> reviewed etc by tues.
> 
> That sounds reasonable.
>