On Sat, 2 Jul 2016 at 01:02 Matt Riedemann <mrie...@linux.vnet.ibm.com> wrote:
> On 6/28/2016 4:56 PM, Sean Dague wrote: > > On 06/28/2016 01:46 AM, Angus Lees wrote: > >> Ok, thanks for the in-depth explanation. > >> > >> My take away is that we need to file any rootwrap updates as exceptions > >> for now (so releasenotes and grenade scripts). > > > > That is definitely the fall back if there is no better idea. However, we > > should try really hard to figure out if there is a non manual way > > through this. Even if that means some compat code that we keep for a > > release to just bridge the gap. > > > > -Sean > > > > Walter had this for os-brick: > > https://review.openstack.org/#/c/329586/ > > That would fallback to rootwrap if privsep doesn't work / not available. > That could be a workaround for upgrading with os-brick for Newton, with > a big fat warning logged if we use it, and then drop it in Ocata and > require privsep. > Yes, this is basically a version of "submit the rootwrap filter, then wait 6 months before submitting the code that needs it". If we don't wish to use the exception mechanism (or adjust the policy to upgrade conf before code as I described earlier), then we can certainly do this. Rather than log a big fat warning if we use privsep, we may as well just revert the privsep change for os-brick and then resubmit it next cycle. This thread topic isn't actually about privsep however, although a migration to privsep will mostly mitigate this in the future which is perhaps why it is causing topic collisions for everyone. I see there are already a few other additions to the rootwrap filters in nova/cinder (the comments suggest (nova) libvirt/imagebackend.py, (cinder) remotefs.py, and (both) vzstorage.py). The various privsep-only suggestions about fallback strategies don't help in these other examples. Any corresponding code changes that rely on these new filters will also need to be reverted and resubmitted during next cycle - or do what usually happens and slip under the radar as they are not exercised by grenade. - Gus
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev