On 07/22/2016 09:20 AM, Angus Lees wrote:
> On Thu, 21 Jul 2016 at 09:27 Sean Dague <s...@dague.net <mailto:s...@dague.net>> wrote:
>
> > On 07/12/2016 06:25 AM, Matt Riedemann wrote:
> > <snip>
> > > We probably aren't doing anything while Sean Dague is on vacation. He's
> > > back next week and we have the nova/cinder meetups, so I'm planning on
> > > talking about the grenade issue in person and hopefully we'll have a
> > > plan by the end of next week to move forward.
> >
> > After some discussions at the Nova midcycle we threw together an
> > approach where we just always allow privsep-helper from oslo.rootwrap.
> >
> > https://review.openstack.org/344450
>
> Were these discussions captured anywhere? I thought we'd discussed
> alternatives on os-dev, reached a conclusion, implemented the
> changes(*), and verified the results all a month ago - and that we were
> just awaiting nova approval. So I'm surprised to see this sudden change
> in direction...
>
> (*) Changes:
> https://review.openstack.org/#/c/329769/
> https://review.openstack.org/#/c/332610/
> mriedem's verification: https://review.openstack.org/#/c/331885/

By agreed we said that - https://review.openstack.org/#/c/332610/ was the option of last resort if no better option could be figured out.

But then we ran into having to do this again for os-vif. And given the roll out of privsep it looks like we'll basically have this same exception / manual update another place in base IaaS for multiple cycles here as this rolls out. Which is exactly the opposite of our upgrade vision, which upgrades should be seamless code rolling forward.

If we only had to do this once, maybe we mea culpa and do it. But we know we at least have to do this twice, and coordinated nova and neutron coupling the release. This gets exponentially worse.

After we brought that up in the room, we started going through other options. Someone brought up "what about making rootwrap always do this for privsep, instead of manually doing this for every project", and I volunteered to look at the code to figure out how hard it would be. That patch is up at https://review.openstack.org/344450.

I think the path forward here is about the following questions:

1) how important are seamless upgrades in our vision?
2) are root wrap rules supposed to be config (which is manually audited by installers)?
3) is the software supposed to take into account and adapt to the rules not being there (or disabled by an auditor)?
4) does always letting rootwrap call privsep regress our near term security in any real way (given the flaws in existing rules)?
5) what will most quickly allow us to transition into a non rootwrap world, with a privsep architecture that will give us a better security model?

Making oslo.rootwrap trust privsep seems like the least worst option in front of us, especially to actually get os-vif out there and deployed this cycle as well.

-Sean

--
Sean Dague
http://dague.net

OpenStack Development Mailing List (not for usage questions)
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev