openstack team mailing list archive
-
openstack team
-
Mailing list archive
-
Message #15601
Re: [Quantum] Removing quantum-rootwrap
Hi,
How much work would would be needed to get this added in quantum?
Thanks
chuck
On Wed, 08 Aug 2012 15:31:59 +0200
Thierry Carrez <thierry@xxxxxxxxxxxxx> wrote:
> Hi everyone,
>
> Quantum currently contains bin/quantum-rootwrap, a copy of
> nova-rootwrap supposed to control its privilege escalation to run
> commands as root.
>
> However quantum-rootwrap is currently non-functional, missing a lot of
> filter definitions that are necessary for it to work correctly.
> Quantum is generally run with root_helper=sudo and a wildcard sudoers
> file. That means Quantum is not ready to deprecate in Folsom (and
> remove in Grizzly) its ability to run with root_helper=sudo, like
> Nova and Cinder do.
>
> I discussed this with Dan, and it appears that the sanest approach
> would be to remove quantum-rootwrap from Quantum and only support
> root_helper=sudo (the only option that works). I suspect nobody is
> actually using quantum-rootwrap right now anyway, given how broken it
> seems to be. For the first official release of Quantum as an OpenStack
> core project, I would prefer not to ship half-working options :)
>
> Quantum would then wait for rootwrap to move to openstack-common
> (should be done in Grizzly) to reconsider using it.
>
> Let me know if any of you see issues with that approach.
> (posted to the general list to get the widest feedback).
>
Follow ups
References