On 11/22/2016 03:49 PM, Gabriele Cerami wrote:
> On 22 Nov, Yolanda Robla Mota wrote:
>> Hi all
>> I wanted to start a thread about the current privileges model for TripleO
>> quickstart.
>> Currently there is the assumption that quickstart does not need root
>> privileges after the environment and provision roles. However, this
>> assumption cannot be valid for several use cases.
>> In particular, I have the need of creating working directories outside the
>> home directory of the user running quickstart. This can be useful on
>> environments where /home partition is small and cannot be modified (so there
>> is not enough disk space to host TripleO quickstart artifacts there).
>> This is the change I'm working on for that use case:
>> https://review.openstack.org/#/c/384892
>
> Hi,
>
> I may suggest a compromise that will allow not to break the model, and
> moving forward with your patch.
> If you can make it work, you can try to move the working_dir creation
> tasks to the provision role.
> You already moved working_dir default var to common role, so it should
> work.
>
> Any other thoughts?
> Thanks for raising the question.
>

Sorry for the slow response, and thanks for raising this question. I added
Lars to the thread as well, because he was the original architect of the
current privilege model in quickstart.

There were two reasons (I can think of anyways) for the current model:

1. Doing tasks as root on the virthost makes clean up trickier. With the
   current model, deleting the non-root quickstart user cleans up almost
   everything. By keeping all of the root privilege tasks in the provision
   and environment roles, it is much easier to reason about the few things
   that do not get cleaned up when deleting the quickstart user. If we start
   allowing root privilege tasks in the libvirt role, this will be harder.

2. Theoretically (I have not actually heard of anyone doing this), someone
   could set up a virthost for use by quickstart, and then hand it over to
   someone with only non-root privileges. While I do not know of anyone using
   quickstart this way today, it is a compelling use case for setting up
   training environments using quickstart. An admin/trainer could set up a
   bunch of virthosts for a training and the students would only have
   non-root access to the machines.

I think at the very least, we want to maintain the default running of
quickstart with the current model. If some feature absolutely needs to break
this model, it needs to be guarded by a variable defaulted to false.

In the specific case of https://review.openstack.org/#/c/384892 I do think we
could do the directory creation tasks earlier, and then we do not need to
break the model at all to support your use case. There is also
https://review.openstack.org/#/c/399704/ that is running into the same thing,
but again, I think we could probably move all of the root stuff to earlier
roles (though I have yet to thoroughly review that, so I am less sure).

I have also been working with some folks from the OPNFV Apex (which is
tripleo based) team to port their CI to quickstart.
I have not seen patches yet, but it does seem some of the networking
requirements may require us to run the virtual machines under qemu://system
which will break the current privilege model completely. Their case is why we
may need to make the model optional.

@Yolanda wdyt about the suggestion to move directory creation to an earlier
role in your patch?

Also, thanks for all your work on quickstart!

-trown

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)