On 08/08/2012 09:31 AM, Thierry Carrez wrote: > Hi everyone, > > Quantum currently contains bin/quantum-rootwrap, a copy of nova-rootwrap > supposed to control its privilege escalation to run commands as root. > > However quantum-rootwrap is currently non-functional, missing a lot of > filter definitions that are necessary for it to work correctly.
Is missing definitions the only issue? Those may need updating for F-3, but this can certainly be done. > Quantum > is generally run with root_helper=sudo and a wildcard sudoers file. What is your basis for this statement? The packaging of Essex Quantum for Fedora and RHEL/EPEL do configure root_helper to use quantum-rootwrap. If another distribution doesn't do this, I would consider that a distribution bug, not an upstream problem. > That > means Quantum is not ready to deprecate in Folsom (and remove in > Grizzly) its ability to run with root_helper=sudo, like Nova and Cinder do. What's involved in deprecating this ability in Folsom? Is it that difficult? If Nova and Cinder are doing it, why shouldn't Quantum? > > I discussed this with Dan, and it appears that the sanest approach would > be to remove quantum-rootwrap from Quantum and only support > root_helper=sudo (the only option that works). I suspect nobody is > actually using quantum-rootwrap right now anyway, given how broken it > seems to be. For the first official release of Quantum as an OpenStack > core project, I would prefer not to ship half-working options :) The quantum-rootwrap configuration in Essex is being used by anyone who uses the official Fedora or EPEL RPMs. It may not provide fine-grained validation of command parameters, but I haven't heard complaints that its broken. Isn't it better than nothing? > > Quantum would then wait for rootwrap to move to openstack-common (should > be done in Grizzly) to reconsider using it. > > Let me know if any of you see issues with that approach. > (posted to the general list to get the widest feedback). > I do have an issue with Folsom dropping a capability that is being used in Essex. If the existing rootwrap really does more harm than good, this might be justified, but I don't think you can argue nobody has used it. -Bob _______________________________________________ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
