Open Stack

>    From: Thierry Carrez <thierry at openstack.org>
>    Date: Thu, 09 Aug 2012 16:32:23 +0200
>    
[...]
>    
>    > My goal is by end of today , or tomorrow morning latest, to have at
>    > least a reasonably complete understanding of the changes necessary to
>    > get the quantum-rootwrap facility up to parity with nova/cinder.  If I
>    > get to that deadline and I'm not there, I'll probably punt, as it
>    > becomes too much of a hail-mary to get the stuff stabilized and
>    > reviewed etc by tues.
>    
>    That sounds reasonable.
>    

Ok, here's what I think I know, and what I propose to do with it:

Fix quantum/bin/quantum-rootwrap to mimic changes to nova/cinder w/r/t
conf file.  This will introduce the notion of
/etc/quantum/rootwrap.conf and allow for specifying path to filter specs.

Fix quantum/rootwrap/filters.py likewise; update KillFilter (maybe more?)

Fix quantum/rootwrap/wrapper.py likewise; load from files and
construct filter datastructures

Create etc/quantum/quantum-rootwrap.conf etc/quantum/rootwrap.d/

Move the filter specs from the various agent pieces in
quantum/rootwrap to matching files in etc/quantum/filters.d.  Update
them while I'm at it.  This probably means that those files in
quantum/rootwrap go away.  Alternate implementation:  Collect all
those pieces into a consolidated quantum.filters file and stick that
in there.

There appears to be no analog of nova/tests/test_nova_rootwrap.py for
quantum, so I'll likely need to write something for that.

It looks like the various .ini files in etc/quantum/plugins all set
root helper for each agent.  Keep that structure for now, revisit
later.  That likely means I'll need a way to propagate the a default
root helper setting from the conf to each agent.

Devstack appears to frob configs in nova and cinder, but copy the
quantum configs verbatim.  So I'm hoping I can get away without
modifying devstack.

Things I don't know yet: 

Python compatibility?  I'm running 2.7; I don't believe anything I'm
doing would break in earlier ones, but I gather that that will need to
be tested before I'm done.

Will I need to hair up the filter match code?  I don't think so, but I
haven't gotten enough working yet to tell.  Hoping I can leave it as
is. 


Apologies for the not-very coherent description.  Please let me know
if you think I'm off in the weeds or missing important bits.

Thanks in advance...