On Thu, Feb 25, 2016 at 02:26:49PM +0000, John Garbutt wrote:
>
> My understanding of what came out of the midcycle was:
> * current rootwrap system horribly breaks upgrade
> * adopting privsep in this "sudo" like form fixes upgrade
> * this approach is much lower risk than a full conversion at this
>   point in the release
> * security-wise it's terrible, but then the current rules don't buy us
>   much anyhow
> * makes it easier to slowly transition to better privsep integration
> * all seems better than reverting os-brick integration to fix upgrade issues
>
> Now at this point, we are way closer to release, but I want to check
> we are making the correct tradeoff here.
>
> Maybe the upgrade problem is not too bad this release, as the hard bit
> was done with the last upgrade? Or is that total nonsense?

We did have a couple cores watching this this cycle. Walt Boring has been heavily involved working on this, and I've been waiting to see the progress.

I think what it ultimately came down to is that it took longer than expected, and it wasn't until after we cut the "final" os-brick Mitaka release that some of the blocking issues were worked out with using privsep.

Given that it has taken this long to get things working, along with how close we are to M-3, I'm very hesitant to allow this through with very little runtime.

We really are in a much better position this time around in that there hasn't been anything added to the rootwrap filters that requires matching changes in Cinder and Nova. So we should be able to use a mix of Liberty and Mitaka services without fear of incompatibility.

I do want to see the patches to add the privsep wrapper to rootwrap go in to Cinder and Nova, even though the official Mitaka os-brick won't be using it. That should allow us to upgrade os-brick after release without needing a backported change to the services to allow it.

Sean (smcginnis)