On 7/22/2016 8:20 AM, Angus Lees wrote:
On Thu, 21 Jul 2016 at 09:27 Sean Dague <s...@dague.net
<mailto:s...@dague.net>> wrote:
On 07/12/2016 06:25 AM, Matt Riedemann wrote:
<snip>
> We probably aren't doing anything while Sean Dague is on vacation.
He's
> back next week and we have the nova/cinder meetups, so I'm planning on
> talking about the grenade issue in person and hopefully we'll have a
> plan by the end of next week to move forward.
After some discussions at the Nova midcycle we threw together an
approach where we just always allow privsep-helper from oslo.rootwrap.
https://review.openstack.org/344450
Were these discussions captured anywhere? I thought we'd discussed
alternatives on os-dev, reached a conclusion, implemented the
changes(*), and verified the results all a month ago - and that we were
just awaiting nova approval. So I'm surprised to see this sudden change
in direction...
(*) Changes:
https://review.openstack.org/#/c/329769/
https://review.openstack.org/#/c/332610/
mriedem's verification: https://review.openstack.org/#/c/331885/
- Gus
We did a sniff test of this, and it worked to roll over the upgrade
boundary, without an etc change, and work with osbrick 1.4.0 (currently
blacklisted because of the upgrade issue). While I realize it wasn't the
favorite approach by many it works. It's 3 lines of functional change.
If we land this, release, and bump the minimum, we've got the upgrade
issue solved in this cycle.
Please take a look and see if we can agree to this path forward.
-Sean
--
Sean Dague
http://dague.net
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe:
openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
<http://openstack-dev-requ...@lists.openstack.org?subject:unsubscribe>
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
--
Message protected by MailGuard: e-mail anti-virus, anti-spam and
content filtering.http://www.mailguard.com.au/mg
Click here to report this message as spam:
https://console.mailguard.com.au/ras/1OSGOh3pqW/kb4I7l49SLBdqHGpZpoHi/0.82
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
We talked about it at the nova midcycle, the etherpad is here but the
notes on privsep/grenade are pretty sparse:
https://etherpad.openstack.org/p/nova-newton-midcycle
Long-term we want this in code, which is why privsep is for, but today
it's config because it's deployed into /etc, so we treat it as config
with the same rules for upgrades that are applied in grenade for actual
config options, i.e. new code should be able to run on old config.
I mentioned that we still break this for other new filters which we
don't test, but the feeling was we shouldn't change how we do this for
things we do test since operators rely on it and upgrade is their top
pain point.
We also decided that simply hard-coding the privsep-helper in
oslo.rootwrap itself was better than needing to script/hack the same
thing for every project that is going to adopt privsep - and we can
isolate it in the rootwrap library so there are no exceptional upgrade
scripts for newton (for nova, or anyone).
So this is not great, but it's the least bad to get us over this issue
for newton and unblock os-brick and os-vif and allow new projects to
start adopting privsep and not hit the same upgrade issues.
mikal suggested that gus and sdague talk over a hangout or some higher
bandwidth medium if we still need to hash things out here.
--
Thanks,
Matt Riedemann
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
