Re: [openstack-dev] [grenade] upgrades vs rootwrap

2016-07-19 Thread Thierry Carrez
Sean Dague wrote: On 07/04/2016 05:36 AM, Sean McGinnis wrote: On Mon, Jul 04, 2016 at 01:59:09PM +0200, Thierry Carrez wrote: [...] The issue here is that oslo.rootwrap uses config files to determine what to allow, but those are not really configuration files as far as the application using

Re: [openstack-dev] [grenade] upgrades vs rootwrap

2016-07-18 Thread Sean Dague
On 07/04/2016 05:36 AM, Sean McGinnis wrote: On Mon, Jul 04, 2016 at 01:59:09PM +0200, Thierry Carrez wrote: [...] The issue here is that oslo.rootwrap uses config files to determine what to allow, but those are not really configuration files as far as the application using them is concerned.

Re: [openstack-dev] [grenade] upgrades vs rootwrap

2016-07-06 Thread Angus Lees
On Thu, 7 Jul 2016 at 03:06 Matthew Treinish wrote: > On Wed, Jul 06, 2016 at 11:41:56AM -0500, Matt Riedemann wrote: > > I just wonder how many deployments are actually relying on this, since as > > noted elsewhere in this thread we don't really enforce this for all >

Re: [openstack-dev] [grenade] upgrades vs rootwrap

2016-07-06 Thread Matthew Treinish
On Wed, Jul 06, 2016 at 11:41:56AM -0500, Matt Riedemann wrote: > On 7/6/2016 10:55 AM, Matthew Treinish wrote: > > > > Well, for better or worse rootwrap filters are put in /etc and treated like > > a > > config file. What you're essentially saying is that it shouldn't be config > > and > >

Re: [openstack-dev] [grenade] upgrades vs rootwrap

2016-07-06 Thread Matthew Treinish
On Wed, Jul 06, 2016 at 06:20:30PM +0200, Thierry Carrez wrote: > Matthew Treinish wrote: > > > [...] > > > Am I missing something else here? > > > > Well, for better or worse rootwrap filters are put in /etc and treated like > > a > > config file. What you're essentially saying is that it

Re: [openstack-dev] [grenade] upgrades vs rootwrap

2016-07-06 Thread Clint Byrum
Excerpts from Matthew Treinish's message of 2016-07-06 11:55:53 -0400: > On Wed, Jul 06, 2016 at 10:34:49AM -0500, Matt Riedemann wrote: > > On 6/27/2016 6:24 AM, Sean Dague wrote: > > > On 06/26/2016 10:02 PM, Angus Lees wrote: > > > > On Fri, 24 Jun 2016 at 20:48 Sean Dague > >

Re: [openstack-dev] [grenade] upgrades vs rootwrap

2016-07-06 Thread Matt Riedemann
On 7/6/2016 10:55 AM, Matthew Treinish wrote: Well, for better or worse rootwrap filters are put in /etc and treated like a config file. What you're essentially saying is that it shouldn't be config and just be in code. I completely agree with that being what we want eventually, but it's not

Re: [openstack-dev] [grenade] upgrades vs rootwrap

2016-07-06 Thread Thierry Carrez
Matthew Treinish wrote: [...] Am I missing something else here? Well, for better or worse rootwrap filters are put in /etc and treated like a config file. What you're essentially saying is that it shouldn't be config and just be in code. I completely agree with that being what we want

Re: [openstack-dev] [grenade] upgrades vs rootwrap

2016-07-06 Thread Matthew Treinish
On Wed, Jul 06, 2016 at 10:34:49AM -0500, Matt Riedemann wrote: > On 6/27/2016 6:24 AM, Sean Dague wrote: > > On 06/26/2016 10:02 PM, Angus Lees wrote: > > > On Fri, 24 Jun 2016 at 20:48 Sean Dague > > > wrote: > > > > > > On 06/24/2016 05:12 AM,

Re: [openstack-dev] [grenade] upgrades vs rootwrap

2016-07-06 Thread Matt Riedemann
On 6/27/2016 6:24 AM, Sean Dague wrote: On 06/26/2016 10:02 PM, Angus Lees wrote: On Fri, 24 Jun 2016 at 20:48 Sean Dague wrote: On 06/24/2016 05:12 AM, Thierry Carrez wrote: > I'm adding Possibility (0): change Grenade so that rootwrap

Re: [openstack-dev] [grenade] upgrades vs rootwrap

2016-07-06 Thread Matt Riedemann
On 7/3/2016 10:25 PM, Angus Lees wrote: I see there are already a few other additions to the rootwrap filters in nova/cinder (the comments suggest (nova) libvirt/imagebackend.py, (cinder) remotefs.py, and (both) vzstorage.py). The various privsep-only suggestions about fallback strategies

Re: [openstack-dev] [grenade] upgrades vs rootwrap

2016-07-04 Thread Sean McGinnis
On Mon, Jul 04, 2016 at 01:59:09PM +0200, Thierry Carrez wrote: [...] > The issue here is that oslo.rootwrap uses config files to determine > what to allow, but those are not really configuration files as far > as the application using them is concerned. Those must match the > code being executed.

Re: [openstack-dev] [grenade] upgrades vs rootwrap

2016-07-04 Thread Thierry Carrez
Angus Lees wrote: Ack. Ok .. so what's the additional difficulty around config files? It sounds like we can replace all the config files with something completely different during the update phase, if we wanted to do so. Indeed, it sounds like there isn't even a need to manage a deprecation

Re: [openstack-dev] [grenade] upgrades vs rootwrap

2016-07-03 Thread Angus Lees
On Sat, 2 Jul 2016 at 01:02 Matt Riedemann wrote: > On 6/28/2016 4:56 PM, Sean Dague wrote: > > On 06/28/2016 01:46 AM, Angus Lees wrote: > >> Ok, thanks for the in-depth explanation. > >> > >> My take away is that we need to file any rootwrap updates as exceptions >

Re: [openstack-dev] [grenade] upgrades vs rootwrap

2016-07-01 Thread Matt Riedemann
On 6/28/2016 4:56 PM, Sean Dague wrote: On 06/28/2016 01:46 AM, Angus Lees wrote: Ok, thanks for the in-depth explanation. My take away is that we need to file any rootwrap updates as exceptions for now (so releasenotes and grenade scripts). That is definitely the fall back if there is no

Re: [openstack-dev] [grenade] upgrades vs rootwrap

2016-06-28 Thread Sean Dague
On 06/28/2016 01:46 AM, Angus Lees wrote: Ok, thanks for the in-depth explanation. My take away is that we need to file any rootwrap updates as exceptions for now (so releasenotes and grenade scripts). That is definitely the fall back if there is no better idea. However, we should try really

Re: [openstack-dev] [grenade] upgrades vs rootwrap

2016-06-27 Thread Angus Lees
Ok, thanks for the in-depth explanation. My take away is that we need to file any rootwrap updates as exceptions for now (so releasenotes and grenade scripts). - Gus On Mon, 27 Jun 2016 at 21:25 Sean Dague wrote: > On 06/26/2016 10:02 PM, Angus Lees wrote: > > On Fri, 24 Jun

Re: [openstack-dev] [grenade] upgrades vs rootwrap

2016-06-27 Thread Sean Dague
On 06/26/2016 10:02 PM, Angus Lees wrote: > On Fri, 24 Jun 2016 at 20:48 Sean Dague wrote: > > On 06/24/2016 05:12 AM, Thierry Carrez wrote: > > I'm adding Possibility (0): change Grenade so that rootwrap > filters from > > N+1 are put in

Re: [openstack-dev] [grenade] upgrades vs rootwrap

2016-06-26 Thread Angus Lees
On Mon, 27 Jun 2016 at 12:59 Tony Breeds wrote: > On Mon, Jun 27, 2016 at 02:02:35AM +, Angus Lees wrote: > > > *** > > What are we trying to impose on ourselves for upgrades for the present > and > > near future (ie: while rootwrap is still a thing)? > > *** > > > >

Re: [openstack-dev] [grenade] upgrades vs rootwrap

2016-06-26 Thread Tony Breeds
On Mon, Jun 27, 2016 at 02:02:35AM +, Angus Lees wrote: > *** > What are we trying to impose on ourselves for upgrades for the present and > near future (ie: while rootwrap is still a thing)? > *** > > A. Sean says above that we do "offline" upgrades, by which I _think_ he > means a

Re: [openstack-dev] [grenade] upgrades vs rootwrap

2016-06-26 Thread Angus Lees
On Fri, 24 Jun 2016 at 19:13 Thierry Carrez wrote: > In summary, I think the choice is between (1)+(4) and doing (4) > directly. How doable is (4) in the timeframe we have ? Do we all agree > that (4) is the endgame ? > I don't make predictions about development timelines

Re: [openstack-dev] [grenade] upgrades vs rootwrap

2016-06-26 Thread Angus Lees
On Fri, 24 Jun 2016 at 20:48 Sean Dague wrote: > On 06/24/2016 05:12 AM, Thierry Carrez wrote: > > I'm adding Possibility (0): change Grenade so that rootwrap filters from > > N+1 are put in place before you upgrade. > > If you do that as general course what you are saying is

Re: [openstack-dev] [grenade] upgrades vs rootwrap

2016-06-24 Thread Jeremy Stanley
On 2016-06-24 06:47:08 -0400 (-0400), Sean Dague wrote: [...] > When you upgrade Apache, you don't have to change your config > files. [...] *cough* (2.4) *cough* But it still highlights your point. There's been basically one Apache transition in recent history where a majority of people running

Re: [openstack-dev] [grenade] upgrades vs rootwrap

2016-06-24 Thread Angus Lees
On Fri, 24 Jun 2016 at 21:04 Sean Dague wrote: > On 06/24/2016 05:19 AM, Daniel P. Berrange wrote: > > On Fri, Jun 24, 2016 at 11:12:27AM +0200, Thierry Carrez wrote: > >> No perfect answer here... I'm hesitating between (0), (1) and (4). (4) > is > >> IMHO the right solution,

Re: [openstack-dev] [grenade] upgrades vs rootwrap

2016-06-24 Thread Sean Dague
On 06/24/2016 05:19 AM, Daniel P. Berrange wrote: > On Fri, Jun 24, 2016 at 11:12:27AM +0200, Thierry Carrez wrote: >> No perfect answer here... I'm hesitating between (0), (1) and (4). (4) is >> IMHO the right solution, but it's a larger change for downstream. (1) is a >> bit of a hack, where we

Re: [openstack-dev] [grenade] upgrades vs rootwrap

2016-06-24 Thread Sean Dague
On 06/24/2016 05:12 AM, Thierry Carrez wrote: > Angus Lees wrote: >> [...] >> None of these are great, but: >> >> Possibility 1: Backdoor rootwrap >> >> However if we assume rootwrap already exists then we _could_ rollout a >> new version of oslo.rootwrap that contains a backdoor that allows >>

Re: [openstack-dev] [grenade] upgrades vs rootwrap

2016-06-24 Thread Daniel P. Berrange
On Fri, Jun 24, 2016 at 11:12:27AM +0200, Thierry Carrez wrote: > Angus Lees wrote: > > [...] > > None of these are great, but: > > > > Possibility 1: Backdoor rootwrap > > > > However if we assume rootwrap already exists then we _could_ rollout a > > new version of oslo.rootwrap that contains

Re: [openstack-dev] [grenade] upgrades vs rootwrap

2016-06-24 Thread Thierry Carrez
Angus Lees wrote: [...] None of these are great, but: Possibility 1: Backdoor rootwrap However if we assume rootwrap already exists then we _could_ rollout a new version of oslo.rootwrap that contains a backdoor that allows privsep-helper to be run as root for any context, without the need to

Re: [openstack-dev] [grenade] upgrades vs rootwrap

2016-06-24 Thread Angus Lees
On Fri, 24 Jun 2016 at 00:40 Sean Dague wrote: > On 06/23/2016 10:07 AM, Sean McGinnis wrote: > > On Thu, Jun 23, 2016 at 12:19:34AM +, Angus Lees wrote: > >> So how does rootwrap fit into the "theory of upgrade"? > >> > >> The doc talks about deprecating config, but is

Re: [openstack-dev] [grenade] upgrades vs rootwrap

2016-06-23 Thread Sean Dague
On 06/23/2016 10:07 AM, Sean McGinnis wrote: > On Thu, Jun 23, 2016 at 12:19:34AM +, Angus Lees wrote: >> So how does rootwrap fit into the "theory of upgrade"? >> >> The doc talks about deprecating config, but is silent on when new required >> config (rootwrap filters) should be installed.

Re: [openstack-dev] [grenade] upgrades vs rootwrap

2016-06-23 Thread Sean McGinnis
On Thu, Jun 23, 2016 at 12:19:34AM +, Angus Lees wrote: > So how does rootwrap fit into the "theory of upgrade"? > > The doc talks about deprecating config, but is silent on when new required > config (rootwrap filters) should be installed. By virtue of the way the > grenade code works

[openstack-dev] [grenade] upgrades vs rootwrap

2016-06-22 Thread Angus Lees
So how does rootwrap fit into the "theory of upgrade"? The doc talks about deprecating config, but is silent on when new required config (rootwrap filters) should be installed. By virtue of the way the grenade code works (install N from scratch, attempt to run code from N+1), we effectively have
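As an added illustration of the mechanism the thread argues about (this is not code from oslo.rootwrap, nova, cinder or grenade), the block below reimplements only the CommandFilter and RegExpFilter match rules over filter files written in the same INI-style syntax as the real rootwrap.d/*.filters files. It serves both the original post above (Grenade installs release N's config, then runs N+1 code) and Thierry's point quoted further up that the filters must match the code being executed: with only the release-N filters installed, the privsep-helper command that N+1 code starts to run is rejected, and it is accepted again once N+1's filter file is in place. The filter texts, the privsep argv and the filter name privsep-rootwrap are constructed samples; the exec_dirs lookup from rootwrap.conf is omitted.

```python
"""Minimal model of oslo.rootwrap filter matching.

Added example: this is not code from oslo.rootwrap, nova, cinder or grenade.
It reimplements only the CommandFilter and RegExpFilter rules, over filter
files written in the same INI-style syntax as the real rootwrap.d/*.filters
files, to show the upgrade hazard the thread describes: a command that
release N+1 code starts to run is rejected while only release N filters are
installed.  The filter texts and argv below are constructed samples.
"""
import configparser
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Filter:
    name: str
    kind: str            # "CommandFilter" or "RegExpFilter"
    exec_path: str       # executable name or path (exec_dirs lookup omitted)
    run_as: str          # user the command is run as (unused by matching)
    args_re: List[str] = field(default_factory=list)

    def matches(self, argv: List[str]) -> bool:
        # Both filter classes first require the command itself to match.
        if not argv or os.path.basename(argv[0]) != os.path.basename(self.exec_path):
            return False
        if self.kind == "CommandFilter":
            return True  # any arguments are accepted
        if self.kind == "RegExpFilter":
            # One anchored regex per argv element, command name included.
            if len(argv) != len(self.args_re):
                return False
            return all(re.fullmatch(pat, arg) is not None
                       for pat, arg in zip(self.args_re, argv))
        return False  # unknown filter class: deny


def parse_filters(text: str) -> List[Filter]:
    """Parse the [Filters] section of a rootwrap filter file."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep filter names as written
    cp.read_string(text)
    filters = []
    for name, spec in cp["Filters"].items():
        kind, exec_path, run_as, *args_re = [s.strip() for s in spec.split(",")]
        filters.append(Filter(name, kind, exec_path, run_as, args_re))
    return filters


def allowed(filters: List[Filter], argv: List[str]) -> Optional[str]:
    """Name of the first filter that accepts argv, or None if rejected."""
    for f in filters:
        if f.matches(argv):
            return f.name
    return None


# Constructed sample: what release N ships in /etc/<project>/rootwrap.d/.
RELEASE_N_FILTERS = r"""
[Filters]
kpartx: CommandFilter, kpartx, root
mount: CommandFilter, mount, root
tee_kernel: RegExpFilter, tee, root, tee, /sys/kernel/.*
"""

# Constructed sample: release N+1 adds a filter for the privsep helper
# its code now launches through rootwrap (filter name is hypothetical).
RELEASE_N1_FILTERS = RELEASE_N_FILTERS + r"""
privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, .*, --privsep_sock_path, /tmp/.*
"""

# Constructed argv as release N+1 code would hand it to rootwrap.
NEW_CMD = ["privsep-helper", "--config-file", "/etc/nova/nova.conf",
           "--privsep_context", "os_brick.privileged.default",
           "--privsep_sock_path", "/tmp/tmpk3x1/privsep.sock"]


def upgrade_gap(old_text: str, new_text: str, argv: List[str]):
    """(filter matched under N, filter matched under N+1) for one command."""
    return (allowed(parse_filters(old_text), argv),
            allowed(parse_filters(new_text), argv))


if __name__ == "__main__":
    old, new = upgrade_gap(RELEASE_N_FILTERS, RELEASE_N1_FILTERS, NEW_CMD)
    print("N filters, N+1 code:  ", old or "REJECTED")
    print("N+1 filters, N+1 code:", new or "REJECTED")
```

Running it prints REJECTED for the first line and privsep-rootwrap for the second, which is exactly the window a Grenade run sits in when it keeps N's /etc and starts N+1 services. The same matcher also shows why the filter files are security policy rather than tunables: the tee filter only admits paths under /sys/kernel, so loosening a regex to make an upgrade pass widens what a compromised service can run as root.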