I think #3 is the right call for now. The person we had working on privsep has left the company, and I don't have anyone I could get to work on this right now. Oh, and we're out of time.
Michael

On Thu, Jan 26, 2017 at 3:49 PM, Matt Riedemann <mriede...@gmail.com> wrote:

> The patch to add support for ephemeral storage with the Virtuozzo config
> is using the privsep helper from os-brick to run a new ploop command as
> root:
>
> https://review.openstack.org/#/c/312488/
>
> I've objected to this because I'm pretty sure this is not how we intended
> to be using privsep in Nova. The privsep helper in os-brick should be for
> privileged commands that os-brick itself needs to run, and was for things
> that used to have to be carried in both nova and cinder rootwrap filters.
>
> I know we also want new things in nova that require root access to execute
> commands to run privsep, but we haven't had anything do that yet, and we've
> said we'd like an example before making it a hard rule. But we're finding
> it hard to put our foot down on the first one (I remember we allowed
> something in with rootwrap in Newton because we didn't want to block on
> privsep).
>
> With feature freeze coming up tomorrow, however, I'm now torn on how to
> handle this. The options I see are:
>
> 1. Block this until it's properly using privsep in Nova, effectively
> killing its chances to make Ocata.
>
> 2. Allow the patch as-is with how it's re-using the privsep helper from
> os-brick.
>
> 3. Change the patch to just use rootwrap with a new compute.filters entry,
> no privsep at all - basically how we used to always do this stuff.
>
> In the interest of time, and not seeing anyone standing up to lead the
> charge on privsep conversion in Nova in the immediate future, I'm leaning
> toward just doing #3 but wanted to get other opinions.
>
> --
>
> Thanks,
>
> Matt Riedemann
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>

--
Rackspace Australia