> From: Thierry Carrez <thie...@openstack.org>
> Date: Thu, 09 Aug 2012 10:34:17 +0200
>
> j...@redhat.com wrote:
> >> From: Dan Wendlandt <d...@nicira.com>
> >> If someone (Bob?) has the immediate cycles to make rootwrap work in Folsom with low to medium
> >> risk of disruption, I'd be open to exploring that, even if it meant inconsistent usage in quantum
> >> vs. nova/cinder.
> >
> > Hi Dan. I've been working with Bob, getting myself up to speed on
> > quantum. I've just talked it over with Bob, and I'll take a crack at
> > this one. My approach is going to be to get the quantum rootwrap
> > stuff up to parity with nova. It sounded like some further work might
> > get done in this area for Grizzly, but for the short term, this ought
> > to be fairly non-disruptive.
>
> There are a number of changes:
>
> * Switch to configuration-based filters
> This should be relatively straightforward, although Quantum makes use of
> root_helper in *many* more places than Nova/Cinder do. You can have a
> look at:
>
> https://github.com/openstack/cinder/commit/d2d3c9cba4a647724f75c036a1985a10c966da35

Yes, I believe that's one of the changesets I've already been looking
at. Glad to know I'm not off in the weeds :-)

>
> * Switch to rootwrap_config and deprecate root_helper
> This would fully align quantum-rootwrap with nova-rootwrap. However I'm
> not sure it's reasonable to deprecate root_helper=sudo in Folsom, given
> how little tested quantum-rootwrap seems to be on Folsom. Maybe just
> introducing rootwrap_config but leaving the deprecation message out?
> You can have a look at:
>
> https://github.com/openstack/cinder/commit/2b2c97eb5ca332ce7d1f83e4fd2e81fabe0acb66
>

Ok. I did talk through this issue with Bob yesterday, but I'd be lying
if I said I understood it all yet. Let me ask this: Since, as you say,
there's not a lot of evidence of traffic through quantum-rootwrap, is
there an obvious downside to deprecating root_helper=sudo at this stage?
I'm not advocating either way, just trying to get up to speed on all the
parts of the issue.

> * Add missing filters, fix incomplete ones
> You have to audit all uses of root_helper and add the corresponding
> filter. In some cases the filter is there but the parameters are wrong
> (kill, missing -HUP as an allowed signal). I also spotted one call that
> sets environment before calling root_helper: that needs to use a
> specific filter since rootwrap filters the environment out (see how
> DnsmasqFilter works).
>

Ok. I haven't seen those, or didn't know what I was looking at, but I'll
keep attention out for that stuff.

> * Testing
> The fact that nobody filed bugs around quantum-rootwrap being unusable
> tends to show nobody actually uses Quantum with it (hence my suggestion
> to remove it). If we are to ship that option, it needs to be tested one
> way or another.

Yes. Honestly, this is the part which I feel most unsure about. But I've
decided to try to get my head around the code first, and then understand
the testing implications. I will doubtless have more questions about
that.

>
> I don't think it would be that disruptive (given that quantum-rootwrap
> doesn't really work right now anyway). It is, however, a significant
> amount of work to complete before the F3 cut Tuesday at end of day.
> Corner-case missing filters can be treated as bugs post-F3 though.
>

Ok, understood. My goal is by end of today, or tomorrow morning latest,
to have at least a reasonably complete understanding of the changes
necessary to get the quantum-rootwrap facility up to parity with
nova/cinder. If I get to that deadline and I'm not there, I'll probably
punt, as it becomes too much of a hail-mary to get the stuff stabilized
and reviewed etc by Tues.

> I'm available to help you and answer any question on the design of the
> rootwrap you may have.

Thanks very much. I will certainly have more questions as I proceed.

_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp
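
The filter audit discussed in the thread above (a kill filter that lacks -HUP, and a call that sets environment variables before the command), shown as an added example that is not part of the original message and is not rootwrap's own code. It is a simplified model of allow-list command filtering; the class names and the `authorize` helper are hypothetical.

```python
# Simplified model of rootwrap-style filtering. All names are hypothetical,
# not the nova/cinder/quantum classes.

class CommandFilter:
    """Match when argv[0] is the configured executable; pass no environment."""
    def __init__(self, exec_name):
        self.exec_name = exec_name

    def match(self, argv):
        return bool(argv) and argv[0] == self.exec_name

    def resolve(self, argv):
        return {}, list(argv)  # (environment, command) that would be executed

class SignalKillFilter(CommandFilter):
    """Match `kill <signal> <pid>` only for signals on the allow-list."""
    def __init__(self, allowed_signals):
        super().__init__("kill")
        self.allowed_signals = frozenset(allowed_signals)

    def match(self, argv):
        return (len(argv) == 3 and argv[0] == "kill"
                and argv[1] in self.allowed_signals and argv[2].isdigit())

class EnvPrefixFilter(CommandFilter):
    """Match NAME=value pairs before the executable, for allowed names only."""
    def __init__(self, exec_name, allowed_env):
        super().__init__(exec_name)
        self.allowed_env = frozenset(allowed_env)

    def _split(self, argv):
        n = 0
        while n < len(argv) and "=" in argv[n]:
            n += 1
        return dict(a.split("=", 1) for a in argv[:n]), list(argv[n:])

    def match(self, argv):
        env, cmd = self._split(argv)
        return bool(env) and set(env) <= self.allowed_env and super().match(cmd)

    def resolve(self, argv):
        return self._split(argv)

def authorize(filters, argv):
    """Return (env, command) from the first matching filter, else None."""
    for f in filters:
        if f.match(argv):
            return f.resolve(argv)
    return None
```

With a filter list that allows only `-9`, `authorize` returns `None` for `["kill", "-HUP", "1234"]`; an env-prefixed call passes only an `EnvPrefixFilter` that names each variable, and any other variable is rejected.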