Hey folks,
So far a whole slew of people have joined up to develop small bits of this
blueprint! Thanks for that commitment. That said, there is still more work to
be done - so please feel free to pick up 1 or 2 container sets.
The initial R&D for this blueprint has been completed after three separate
implementation attempts. A big thanks to Sam Yaple and Paul Bourke for
putting up with me while I hammered out the right approach. To see the base
implementation, check out:
The base implementation is here:
https://review.openstack.org/#/c/242876/
To see how the base implementation was used with glance (the implementation to
copy), check out:
https://review.openstack.org/#/c/242877/
The 242877 review should mostly be copied and pasted with a bit of brainpower
to implement the securitization of the containers for other container sets.
The ones that may not follow the above pattern are nova, neutron, horizon, and
keystone because nova/neutron need to sudo to root via rootwrap (it may or may
not work as is) and horizon/keystone need the UIDs they currently run under
(i.e. root + horizon + apache) merged into one (just horizon).
Thanks in advance for your contribution! Let's get 'er done by Friday!
Regards
-steve
From: Steven Dake <std...@cisco.com>
Reply-To: "openstack-dev@lists.openstack.org" <openstack-dev@lists.openstack.org>
Date: Thursday, November 5, 2015 at 6:18 PM
To: "openstack-dev@lists.openstack.org" <openstack-dev@lists.openstack.org>
Subject: [openstack-dev] [kolla] distributing work using work items - call for
participation in distributed blueprint development
Hi folks,
Sam Yaple had suggested we try using Work Items to track our work rather than
Etherpad for complex distributed tasks. I've picked a pretty easy blueprint
which should be mostly one line patches where everyone can chip in. The work
should be pretty easy, even for new contributors to the project - so please
feel free to sign up for contributing work even if you are new to the project.
If you're unable to set your name in the work items field, ping sdake on irc to
add you to the kolla-drivers group.
The blueprint is:
https://blueprints.launchpad.net/kolla/+spec/drop-root
The goal of the blueprint is to run the processes for each container as the
correct UID instead of root (except for the case where the container requires
root to do its job). These are easy to pick out in the ansible files by the
privileged: true flag. The real goal of this blueprint is to test if this new
work items workflow is faster and more effective than etherpad (while also
delivering this essential security work for mitaka-1 (deadline December 4th)).
Please take a moment to sign up for 1-4 container sets. To do that, click the
Yellow checkbox in the work items field in launchpad, and then replace the
"unassigned" entry next to the work item with your irc nickname. I'd like this
work to finish as rapidly as possible, so please try to knock out the work by
next Friday (November 13th). Please try to complete the work if you assign
yourself to the container set by November 13th.
Regards,
-steve