My (negative) feedback is on the review - I'm really not sure that this matches what I understood the vision of privsep to be at all.
- If this is the vision / the new vision then I think it is majorly flawed. - If it is skipping the vision in the name of expediency of implementation, then I think it has gone too far in that direction and we've better off holding off one more cycle and putting it in next cycle instead with a touch more purity of vision. Apologies since you've clearly put work into it, and I should have provided such feedback earlier. On 24 February 2016 at 14:59, Michał Dulko <michal.du...@intel.com> wrote: > On 02/24/2016 04:51 AM, Angus Lees wrote: > > Re: https://review.openstack.org/#/c/277224 > > > > Most of the various required changes have flushed out by now, and this > > change now passes the dsvm-full integration tests(*). > > > > (*) well, the experimental job anyway. It still relies on a > > merged-but-not-yet-released change in oslo.privsep so gate + 3rd party > > won't pass until that happens. > > > > What? > > This change replaces os-brick's use of rootwrap with a quick+dirty > > privsep-based drop-in replacement. Privsep doesn't actually provide > > much security isolation when used in this way, but it *does* now run > > commands with CAP_SYS_ADMIN (still uid=0/gid=0) rather than full root > > superpowers. The big win from a practical point of view is that it > > also means os-brick's rootwrap filters file is essentially deleted and > > no longer has to be manually merged with downstream projects. > > > > Code changes required in nova/cinder: > > There is one change each to nova+cinder to add the relevant > > privsep-helper command to rootwrap filters, and a devstack change to > > add a nova.conf/cinder.conf setting. That's it - this is otherwise a > > backwards/forwards compatible change for nova+cinder. > > > > Deployment changes required in nova/cinder: > > A new "privsep_rootwrap.helper_command" needs to be defined in > > nova/cinder.conf (default is something sensible using sudo), and > > rootwrap filters or sudoers updated depending on the exact command > > chosen. Be aware that any commands will now be run with CAP_SYS_ADMIN > > (only), and if that's insufficient for your hardware/drivers it can be > > tweaked with other oslo_config options. > > > > Risks: > > The end-result is still just running the same commands as before, via > > a different path - so there's not a lot of adventurousness here. The > > big behavioural change is CAP_SYS_ADMIN, and (as highlighted above) > > it's conceivable that the driver for some exotic os-brick/cinder > > hardware out there wants something more than that. > > > > Work remaining: > > - global-requirements change needed (for os-brick) once the latest > > oslo.privsep release is made > > - cinder/nova/devstack changes need to be merged > > - after the above, the os-brick gate integration jobs will be able to > > pass, and it can be merged > > - If we want to *force* the new version of os-brick, we then need an > > appropriate global-requirements os-brick bump > > - Documentation, release notes, etc > > > > I'll continue chewing through those remaining work items, but > > essentially this is now in your combined hands to prioritise for > > mitaka as you deem appropriate. > > > > - Gus > > > > It seems too me that risks are higher than advantages. Moreover final > release for libraries like os.brick should happen in just 2 days and I > don't believe we have time to get every part of the job merged given how > long TODO list is. > > Just my $0.02. > > __________________________________________________________________________ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > -- -- Duncan Thomas
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
