On 6/28/2016 4:56 PM, Sean Dague wrote:
> On 06/28/2016 01:46 AM, Angus Lees wrote:
>> Ok, thanks for the in-depth explanation.
>> My takeaway is that we need to file any rootwrap updates as exceptions
>> for now (so releasenotes and grenade scripts).
>
> That is definitely the fallback if there is no better idea. However, we
> should try really hard to figure out if there is a non-manual way
> through this. Even if that means some compat code that we keep for a
> release to just bridge the gap.
>
> -Sean

Walter had this for os-brick:
https://review.openstack.org/#/c/329586/
That would fall back to rootwrap if privsep doesn't work / is not available.
That could be a workaround for upgrading with os-brick for Newton, with
a big fat warning logged if we use it, and then drop it in Ocata and
require privsep.
I'm not sure about os-vif, we weren't using that in Mitaka so it doesn't
suffer from the same mitaka->newton upgrade issue, but will we get into
any problems with newton->ocata? I know there was a change to devstack
to configure nova to use privsep for os-vif:
https://review.openstack.org/#/c/327199/
And the os-vif integration change in nova has a rootwrap change for
using privsep + os-vif:
https://review.openstack.org/#/c/269672/25/etc/nova/rootwrap.d/compute.filters
--
Thanks,
Matt Riedemann
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)