Re: [Openstack] [Quantum] Removing quantum-rootwrap

2012-08-16 Thread jrd
From: j...@redhat.com Date: Tue, 14 Aug 2012 20:23:52 -0400 From: Dan Wendlandt d...@nicira.com Date: Tue, 14 Aug 2012 15:22:31 -0700 jrd, my feeling is that we'd need a patch for this under review this week to understand the

Re: [Openstack] [Quantum] Removing quantum-rootwrap

2012-08-16 Thread Thierry Carrez
j...@redhat.com wrote: Update: Dan and ttx, Gary has uploaded a patch set addressing the fix of quantum-rootwrap for me, until I finish getting my credentials sorted out so that I can push them myself. See https://review.openstack.org/11472 There's a couple of review comments, which I

Re: [Openstack] [Quantum] Removing quantum-rootwrap

2012-08-14 Thread Thierry Carrez
Dan Wendlandt wrote: On Mon, Aug 13, 2012 at 12:51 PM, Vishvananda Ishaya vishvana...@gmail.com mailto:vishvana...@gmail.com wrote: This is up to dan, I suppose, but the rootwrap stuff seems like something worth granting a ffe to… I wasn't going to mention it, as the urgency of

Re: [Openstack] [Quantum] Removing quantum-rootwrap

2012-08-14 Thread Dan Wendlandt
On Tue, Aug 14, 2012 at 1:54 AM, Thierry Carrez thie...@openstack.orgwrote: Dan Wendlandt wrote: On Mon, Aug 13, 2012 at 12:51 PM, Vishvananda Ishaya vishvana...@gmail.com mailto:vishvana...@gmail.com wrote: This is up to dan, I suppose, but the rootwrap stuff seems like

Re: [Openstack] [Quantum] Removing quantum-rootwrap

2012-08-14 Thread jrd
From: Dan Wendlandt d...@nicira.com Date: Tue, 14 Aug 2012 15:22:31 -0700 On Tue, Aug 14, 2012 at 1:54 AM, Thierry Carrez thie...@openstack.org wrote: Dan Wendlandt wrote: On Mon, Aug 13, 2012 at 12:51 PM, Vishvananda Ishaya vishvana...@gmail.com

Re: [Openstack] [Quantum] Removing quantum-rootwrap

2012-08-13 Thread Gary Kotton
On 08/13/2012 08:42 AM, balaji patnala wrote: Hello Thierry, Can we download Folsom branch codebase for understanding Quantum and other changes in Folsom release? You can get the code at git://github.com/openstack/quantum.git. If you would like to see the status of things regarding F-3 then

Re: [Openstack] [Quantum] Removing quantum-rootwrap

2012-08-13 Thread jrd
From: j...@redhat.com Date: Fri, 10 Aug 2012 11:52:49 -0400 [...] Very much, thanks. More news as it happens... Here's where I've got to so far I've ported/transliterated code from nova/cinder to manage rootwrap filter defs the same way in quantum. I've plowed through most of

Re: [Openstack] [Quantum] Removing quantum-rootwrap

2012-08-13 Thread Vishvananda Ishaya
This is up to dan, I suppose, but the rootwrap stuff seems like something worth granting a ffe to… Vish On Aug 13, 2012, at 11:49 AM, j...@redhat.com wrote: From: j...@redhat.com Date: Fri, 10 Aug 2012 11:52:49 -0400 [...] Very much, thanks. More news as it happens... Here's

Re: [Openstack] [Quantum] Removing quantum-rootwrap

2012-08-13 Thread Dan Wendlandt
On Mon, Aug 13, 2012 at 12:51 PM, Vishvananda Ishaya vishvana...@gmail.comwrote: This is up to dan, I suppose, but the rootwrap stuff seems like something worth granting a ffe to… I wasn't going to mention it, as the urgency of a nearby deadline can be helpful :) But yes, I'd grant an ffe to

Re: [Openstack] [Quantum] Removing quantum-rootwrap

2012-08-12 Thread balaji patnala
Hello Thierry, Can we download Folsom branch codebase for understanding Quantum and other changes in Folsom release? Please give us your comments,experience and known issues. Thanks in advance. -balaji On Wed, Aug 8, 2012 at 7:01 PM, Thierry Carrez thie...@openstack.orgwrote: Hi everyone,

Re: [Openstack] [Quantum] Removing quantum-rootwrap

2012-08-10 Thread Thierry Carrez
Robert Kukura wrote: On 08/09/2012 10:32 AM, Thierry Carrez wrote: Let me ask this: Since, as you say, there's not a lot of evidence of traffic through quantum-rootwrap, is there an obvious downside to deprecating root_helper=sudo at this stage? I'm not advocating either way, just trying to

Re: [Openstack] [Quantum] Removing quantum-rootwrap

2012-08-10 Thread jrd
From: Thierry Carrez thie...@openstack.org Date: Thu, 09 Aug 2012 16:32:23 +0200 [...] My goal is by end of today , or tomorrow morning latest, to have at least a reasonably complete understanding of the changes necessary to get the quantum-rootwrap facility up to

Re: [Openstack] [Quantum] Removing quantum-rootwrap

2012-08-10 Thread Thierry Carrez
j...@redhat.com wrote: Apologies for the not-very coherent description. Please let me know if you think I'm off in the weeds or missing important bits. One other thing I spotted when I evaluated how broken quantum-rootwrap was is at quantum/agent/linux/dhcp.py:181 where a command is called

Re: [Openstack] [Quantum] Removing quantum-rootwrap

2012-08-10 Thread jrd
From: Thierry Carrez thie...@openstack.org Date: Fri, 10 Aug 2012 17:38:52 +0200 j...@redhat.com wrote: Apologies for the not-very coherent description. Please let me know if you think I'm off in the weeds or missing important bits. One other thing I spotted

Re: [Openstack] [Quantum] Removing quantum-rootwrap

2012-08-09 Thread Thierry Carrez
j...@redhat.com wrote: From: Dan Wendlandt d...@nicira.com If someone (Bob?) has the immediate cycles to make rootwrap work in Folsom with low to medium risk of disruption, I'd be open to exploring that, even if it meant inconsistent usage in quantum vs. nova/cinder. Hi Dan. I've

Re: [Openstack] [Quantum] Removing quantum-rootwrap

2012-08-09 Thread jrd
From: Thierry Carrez thie...@openstack.org Date: Thu, 09 Aug 2012 10:34:17 +0200 j...@redhat.com wrote: From: Dan Wendlandt d...@nicira.com If someone (Bob?) has the immediate cycles to make rootwrap work in Folsom with low to medium risk of disruption, I'd be

Re: [Openstack] [Quantum] Removing quantum-rootwrap

2012-08-09 Thread Thierry Carrez
j...@redhat.com wrote: * Switch to rootwrap_config and deprecate root_helper This would fully align quantum-rootwrap with nova-rootwrap. However I'm not sure it's reasonable to deprecate root_helper=sudo in Folsom, given how little tested quantum-rootwrap seems to be on Folsom.

Re: [Openstack] [Quantum] Removing quantum-rootwrap

2012-08-09 Thread jrd
From: Thierry Carrez thie...@openstack.org Date: Thu, 09 Aug 2012 16:32:23 +0200 j...@redhat.com wrote: * Switch to rootwrap_config and deprecate root_helper This would fully align quantum-rootwrap with nova-rootwrap. However I'm not sure it's reasonable

Re: [Openstack] [Quantum] Removing quantum-rootwrap

2012-08-09 Thread Robert Kukura
On 08/09/2012 10:32 AM, Thierry Carrez wrote: j...@redhat.com wrote: * Switch to rootwrap_config and deprecate root_helper This would fully align quantum-rootwrap with nova-rootwrap. However I'm not sure it's reasonable to deprecate root_helper=sudo in Folsom, given how little

Re: [Openstack] [Quantum] Removing quantum-rootwrap

2012-08-09 Thread Vishvananda Ishaya
On Aug 9, 2012, at 8:13 AM, Robert Kukura rkuk...@redhat.com wrote: We should immediately change devstack to stop running the quantum agents as root, so at least the root_helper=sudo functionality is really being used. It looks like devstack does configure nova with the new

[Openstack] [Quantum] Removing quantum-rootwrap

2012-08-08 Thread Thierry Carrez
Hi everyone, Quantum currently contains bin/quantum-rootwrap, a copy of nova-rootwrap supposed to control its privilege escalation to run commands as root. However quantum-rootwrap is currently non-functional, missing a lot of filter definitions that are necessary for it to work correctly.

Re: [Openstack] [Quantum] Removing quantum-rootwrap

2012-08-08 Thread Chuck Short
Hi, How much work would would be needed to get this added in quantum? Thanks chuck On Wed, 08 Aug 2012 15:31:59 +0200 Thierry Carrez thie...@openstack.org wrote: Hi everyone, Quantum currently contains bin/quantum-rootwrap, a copy of nova-rootwrap supposed to control its privilege

Re: [Openstack] [Quantum] Removing quantum-rootwrap

2012-08-08 Thread Thierry Carrez
Chuck Short wrote: How much work would would be needed to get this added in quantum? It's actually *in* Quantum right now, it's just not working. It misses filter definitions, and Quantum code grew some adherence with using sudo directly. So it's a lot of work to fix, a bit late in the cycle to

Re: [Openstack] [Quantum] Removing quantum-rootwrap

2012-08-08 Thread Robert Kukura
On 08/08/2012 09:31 AM, Thierry Carrez wrote: Hi everyone, Quantum currently contains bin/quantum-rootwrap, a copy of nova-rootwrap supposed to control its privilege escalation to run commands as root. However quantum-rootwrap is currently non-functional, missing a lot of filter

Re: [Openstack] [Quantum] Removing quantum-rootwrap

2012-08-08 Thread Thierry Carrez
Robert Kukura wrote: On 08/08/2012 09:31 AM, Thierry Carrez wrote: Quantum currently contains bin/quantum-rootwrap, a copy of nova-rootwrap supposed to control its privilege escalation to run commands as root. However quantum-rootwrap is currently non-functional, missing a lot of filter

Re: [Openstack] [Quantum] Removing quantum-rootwrap

2012-08-08 Thread Dan Wendlandt
On Wed, Aug 8, 2012 at 9:22 AM, Thierry Carrez thie...@openstack.orgwrote: Robert Kukura wrote: On 08/08/2012 09:31 AM, Thierry Carrez wrote: Quantum currently contains bin/quantum-rootwrap, a copy of nova-rootwrap supposed to control its privilege escalation to run commands as root.

Re: [Openstack] [Quantum] Removing quantum-rootwrap

2012-08-08 Thread jrd
From: Dan Wendlandt d...@nicira.com Date: Wed, 8 Aug 2012 10:28:37 -0700 On Wed, Aug 8, 2012 at 9:22 AM, Thierry Carrez thie...@openstack.org wrote: Robert Kukura wrote: On 08/08/2012 09:31 AM, Thierry Carrez wrote: Quantum currently contains

Re: [Openstack] [Quantum] Removing quantum-rootwrap

2012-08-08 Thread Dan Wendlandt
On Wed, Aug 8, 2012 at 1:20 PM, j...@redhat.com wrote: If someone (Bob?) has the immediate cycles to make rootwrap work in Folsom with low to medium risk of disruption, I'd be open to exploring that, even if it meant inconsistent usage in quantum vs. nova/cinder. Hi Dan.