Open Stack

Robert Kukura wrote:
> On 08/09/2012 10:32 AM, Thierry Carrez wrote:
>>> Let me ask this:  Since, as you say, there's not a lot of evidence of
>>> traffic through quantum-rootwrap, is there an obvious downside to
>>> deprecating root_helper=sudo at this stage?  I'm not advocating either
>>> way, just trying to get up to speed on all the parts of the issue.
>>
>> Well, since there is not a lot of evidence of traffic through the
>> rootwrap, that means almost everyone is using root_helper=sudo. Marking
>> it deprecated, and recommending that everyone switches to the (untested
>> yet) rootwrap doesn't sound that much like a great idea.
>>
>> I think we should deprecate root_helper=sudo when we are confident that
>> most people are using rootwrap and are satisfied with it.
> 
> By "almost everyone" and "most people", do you mean users of devstack?
> I'd hate to think people are trying to deploy the quantum Folsom master
> branch with all the change that's been going on.

Well, I'm sure Folsom testers are not using quantum-rootwrap, since it
currently doesn't work. The only other option being (the default)
root_helper=sudo, I maintain that "almost everyone" testing Folsom run
root_helper=sudo. That may mean that "most people" testing Folsom run
devstack :)

> We should immediately change devstack to stop running the quantum agents
> as root, so at least the root_helper=sudo functionality is really being
> used.

That's the very minimum. I thought that was the case already...

> It looks like devstack does configure nova with the new
> rootwrap/rootwrap_config and does not run any of its services as root.
> Doing the same for quantum would seem get some mileage on it.

Agreed. That cannot be done until quantum-rootwrap is fixed, though.

> What exactly is involved in deprecating root_helper=sudo? Is this
> something we could chose whether or not to do at the last minute after
> implementing the new rootwrap and changing devstack to use it?

Yes, adding the warning about a deprecated option can be done at the
last minute after implementing the new rootwrap. We are still very much
supporting the old option for the next release, so it's not destructive
at all. The question is rather if we trust the quantum-rootwrap enough
to actively encourage people to migrate to it during Folsom life.

Nova-rootwrap has seen wide adoption by all distros (and devstack) over
the Essex timeframe, it's now used in almost all deployments, so we can
easily warn about root_helper=sudo being deprecated in Nova/Cinder in
Folsom.

I thought quantum-rootwrap was in the same situation, but it's not even
working, two days away from FeatureFreeze. We may be able to fix it
(rather than having to remove it), but I don't think we can assume that
it's the thing most people use... so it may not be mature enough for us
to mark the other option deprecated.

-- 
Thierry Carrez (ttx)
Release Manager, OpenStack