On Wed, Sep 09, 2015 at 03:33:36PM -0400, Sean Dague wrote:
> On 09/09/2015 02:55 PM, Robert Collins wrote:
> > On 10 September 2015 at 06:45, Matt Riedemann
> > <[email protected]> wrote:
> >>
> > So, I realise that's a bit sucky. My suggestion would be to just take
> > the tactical approach of syncing things into each consuming tree - and
> > dogpile onto the privsep daemon asap.

This does look interesting, but I would be very hesitant to change
everything right away to move from rootwrap to privsep, assuming privsep
will land and be stable enough to use in time.

>
> syncing things to the consuming tree means that you've now coupled
> upgrade of os-brick, cinder, and nova to be at the same time. Because
> the code to use the filters is in os-brick, but the filters are in
> cinder and nova.
>
> That's exactly the opposite direction from where we'd like to move. We
> did that work around for Liberty, but that nearly completely makes
> os-brick pointless if it now means cinder and nova must be in lockstep
> all the time.

Agreed. I would like to see a clean separation of these.

The reason this is even a big issue right now is a command was added to
os-brick's rootwrap that was not picked up by Nova and Cinder. It only
affected Fibre Channel attached storage, so we didn't even realize there
was an issue until the third party CIs of FC drivers started all failing.

I do like the proposed approach of passing in the library to rootwrap
and letting rootwrap take care of loading its filters. It does bring up
some security questions, but as a consumer of a library I think it makes
sense to tell rootwrap - hey I'm using this library over there, do what
it says it needs to do.

Sean (smcginnis)

PS - pardon the mail client SNAFU just sent prior to this. Oops.

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
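As an added example (not code from os-brick, cinder, nova or oslo.rootwrap), a small Python check a consumer project could run in CI to catch the gap described in the thread: every executable the library calls through rootwrap must be covered by a CommandFilter in the consumer's filter file. The filter text and the command list are constructed samples, and the oslo.rootwrap filter-file syntax `name: CommandFilter, <executable>, <run-as user>` is assumed.

```python
"""Check that a consumer's rootwrap filters cover every command a library
needs (added example; not project code)."""
import configparser
import io

# Constructed sample in oslo.rootwrap filter-file syntax (assumed):
# name: CommandFilter, <executable>, <run-as user>
CONSUMER_FILTERS = """
[Filters]
# Filters the consumer project already ships
multipath: CommandFilter, multipath, root
iscsiadm: CommandFilter, iscsiadm, root
blockdev: CommandFilter, blockdev, root
"""

# Constructed list of executables the library's connectors invoke;
# "systool" stands in for a newly added helper the consumer never synced.
LIBRARY_COMMANDS = ["iscsiadm", "multipath", "blockdev", "systool"]


def allowed_executables(filter_text):
    """Return the set of executables permitted by a rootwrap filter file."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_file(io.StringIO(filter_text))
    allowed = set()
    for _name, spec in parser.items("Filters"):
        fields = [f.strip() for f in spec.split(",")]
        # Only filter classes ending in CommandFilter carry the executable
        # in the second field; other filter types are not compared here.
        if len(fields) >= 2 and fields[0].endswith("CommandFilter"):
            allowed.add(fields[1])
    return allowed


def missing_filters(library_commands, filter_text):
    """Commands the library needs that the consumer's filters do not cover."""
    return sorted(set(library_commands) - allowed_executables(filter_text))


if __name__ == "__main__":
    gap = missing_filters(LIBRARY_COMMANDS, CONSUMER_FILTERS)
    if gap:
        # Fail the CI job before the missing filter is found in production.
        print("rootwrap filters missing for:", ", ".join(gap))
        raise SystemExit(1)
    print("all library commands are covered")
```

Run against the consumer's real filter files and the library's real command list, this fails the job the moment the library grows a command the consumer has not picked up.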
