The patch to add support for ephemeral storage with the Virtuozzo config
is using the privsep helper from os-brick to run a new ploop command as
root:
https://review.openstack.org/#/c/312488/
I've objected to this because I'm pretty sure this is not how we
intended to be using privsep in Nova. The privsep helper in os-brick
should be for privileged commands that os-brick itself needs to run, and
was for things that used to have to be carried in both nova and cinder
rootwrap filters.
I know we also want new things in nova that require root access to
execute commands to run privsep, but we haven't had anything do that
yet, and we've said we'd like an example before making it a hard rule.
But we're finding it hard to put our foot down on the first one (I
remember we allowed something in with rootwrap in Newton because we
didn't want to block on privsep).
With feature freeze coming up tomorrow, however, I'm now torn on how to
handle this. The options I see are:
1. Block this until it's properly using privsep in Nova, effectively
killing it's chances to make Ocata.
2. Allow the patch as-is with how it's re-using the privsep helper from
os-brick.
3. Change the patch to just use rootwrap with a new compute.filters
entry, no privsep at all - basically how we used to always do this stuff.
In the interest of time, and not seeing anyone standing up to lead the
charge on privsep conversion in Nova in the immediate future, I'm
learning toward just doing #3 but wanted to get other opinions.
--
Thanks,
Matt Riedemann
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
