oslo.privsep change: https://review.openstack.org/#/c/329766/ And the nova change that uses it: https://review.openstack.org/#/c/329769
In particular I'm unsure if os-brick/os-vif is even loaded at this point in nova-compute main(). Does anyone know when that actually happens or shall I go exploring? - Gus On Wed, 15 Jun 2016 at 11:43 Sean Dague <s...@dague.net> wrote: > On 06/14/2016 06:11 PM, Angus Lees wrote: > > Yep (3) is quite possible, and the only reason it doesn't just do this > > already is because there's no way to find the name of the rootwrap > > command to use (from any library, privsep or os-brick) - and I was never > > very happy with the current need to specify a command line in > > oslo.config purely for this lame reason. > > > > As Sean points out, all the others involve some sort of configuration > > change preceding the code. I had imagined rollouts would work by > > pushing out the harmless conf or sudoers change first, but hadn't > > appreciated the strict change phases imposed by grenade (and ourselves). > > > > If all "end-application" devs are happy calling something like (3) > > before the first privileged operation occurs, then we should be good. I > > might even take the opportunity to phrase it as a general privsep.init() > > function, and then we can use it for any other top-of-main() > > privilege-setup steps that need to be taken in the future. > > That sounds promising. It would be fine to emit a warning if it only was > using the default, asking people to make a configuration change to make > it go away. We're totally good with things functioning with warnings > after transitions, that ops can adjust during their timetable. > > -Sean > > -- > Sean Dague > http://dague.net > > __________________________________________________________________________ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > -- > Message protected by MailGuard: e-mail anti-virus, anti-spam and content > filtering.http://www.mailguard.com.au/mg > Click here to report this message as spam: > https://console.mailguard.com.au/ras/1ODUv4oqIN/4x80DVYpDOULTM59jB3mdH/0.82 > >
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
