j...@redhat.com wrote: >> From: Dan Wendlandt <d...@nicira.com> >> If someone (Bob?) has the immediate cycles to make rootwrap work in Folsom >> with low to medium >> risk of disruption, I'd be open to exploring that, even if it meant >> inconsistent usage in quantum >> vs. nova/cinder. > > Hi Dan. I've been working with Bob, getting myself up to speed on > quantum. I've just talked it over with Bob, and I'll take a crack at > this one. My approach is going to be to get the quantum rootwrap > stuff up to parity with nova. It sounded like some further work might > get done in this area for Grizzly, but for the short term, this ought > to be fairly non-disruptive.
There are a number of changes: * Switch to configuration-based filters This should be relatively straightforward, although Quantum makes use of root_helper in *many* more places than Nova/Cinder do. You can have a look at: https://github.com/openstack/cinder/commit/d2d3c9cba4a647724f75c036a1985a10c966da35 * Switch to rootwrap_config and deprecate root_helper This would fully align quantum-rootwrap with nova-rootwrap. However I'm not sure it's reasonable to deprecate root_helper=sudo in Folsom, given how little tested quantum-rootwrap seems to be on Folsom. Maybe just introducing rootwrap_config but leaving the deprecation message out ? You can have a look at: https://github.com/openstack/cinder/commit/2b2c97eb5ca332ce7d1f83e4fd2e81fabe0acb66 * Add missing filters, fix incomplete ones You have to audit all uses of root_helper and add the corresponding filter. In some cases the filter is there but the parameters are wrong (kill, missing -HUP as an allowed signal). I also spotted one call that sets environment before calling root_helper: that needs to use a specific filter since rootwrap filters the environment out (see how DnsmasqFilter works). * Testing The fact that nobody filed bugs around quantum-rootwrap being unusable tends to show nobody actually uses Quantum with it (hence my suggestion to remove it). If we are to ship that option, it needs to be tested one way or another. I don't think it would be that disruptive (given that quantum-rootwrap doesn't really work right now anyway). It is, however, a significant amount of work to complete before the F3 cut Tuesday at end of day. Corner-case missing filters can be treated as bugs post-F3 though. I'm available to help you and answer any question on the design of the rootwrap you may have. -- Thierry Carrez (ttx) Release Manager, OpenStack _______________________________________________ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp