On 06/24/2016 05:19 AM, Daniel P. Berrange wrote: > On Fri, Jun 24, 2016 at 11:12:27AM +0200, Thierry Carrez wrote: >> No perfect answer here... I'm hesitating between (0), (1) and (4). (4) is >> IMHO the right solution, but it's a larger change for downstream. (1) is a >> bit of a hack, where we basically hardcode in rootwrap that it's being >> transitioned to privsep. That's fine, but only if we get rid of rootwrap >> soon. So only if we have a plan for (4) anyway. Option (0) is a bit of a >> hard sell for upgrade procedures -- if we need to take a hit in that area, >> let's do (4) directly... >> >> In summary, I think the choice is between (1)+(4) and doing (4) directly. >> How doable is (4) in the timeframe we have ? Do we all agree that (4) is the >> endgame ? > > We've already merged change to privsep to allow nova/cinder/etc to > initialize the default helper command to use rootwrap: > > > https://github.com/openstack/oslo.privsep/commit/9bf606327d156de52c9418d5784cd7f29e243487 > > So we just need new release of privsep & add code to nova to initialize > it and we're sorted.
Actually, I don't think so. Matt ran that test scenario, and we're missing the rootwrap rule that lets privsep-helper run as root. So we fail to start the daemon from the unpriv nova compute process post upgrade. -Sean -- Sean Dague http://dague.net __________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev