On 7/6/2016 10:55 AM, Matthew Treinish wrote:

Well, for better or worse rootwrap filters are put in /etc and treated like a
config file. What you're essentially saying is that it shouldn't be config and
just be in code. I completely agree with that being what we want eventually, but
it's not how we advertise it today. Privsep sounds like it's our way of making
this migration. But, it doesn't change the status quo where it's this hybrid
config/code thing today, like policy was in nova before:

http://specs.openstack.org/openstack/nova-specs/specs/newton/approved/policy-in-code.html

(which has come up before as another tension point in the past during upgrades)
I don't think we should break what we're currently enforcing today because we
don't like the model we've built. We need to handle the migration to the new
better thing gracefully so we don't break people who are relying on our current
guarantees, regardless of how bad they are.

-Matt Treinish



I just wonder how many deployments are actually relying on this, since as noted elsewhere in this thread we don't really enforce this for all things, only what happens to get tested in our CI system, e.g. the virtuozzo rootwrap filters that don't have grenade testing.

Which is also why I'd like to get some operator perspective on this.

--

Thanks,

Matt Riedemann


__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
