openstack team mailing list archive

Thread
Date

Re: [Quantum] Removing quantum-rootwrap

To: openstack@xxxxxxxxxxxxxxxxxxx
From: Robert Kukura <rkukura@xxxxxxxxxx>
Date: Wed, 08 Aug 2012 11:08:34 -0400
In-reply-to: <50226A4F.5050606@openstack.org>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:14.0) Gecko/20120717 Thunderbird/14.0

On 08/08/2012 09:31 AM, Thierry Carrez wrote:
> Hi everyone,
> 
> Quantum currently contains bin/quantum-rootwrap, a copy of nova-rootwrap
> supposed to control its privilege escalation to run commands as root.
> 
> However quantum-rootwrap is currently non-functional, missing a lot of
> filter definitions that are necessary for it to work correctly. 

Is missing definitions the only issue? Those may need updating for F-3,
but this can certainly be done.

> Quantum
> is generally run with root_helper=sudo and a wildcard sudoers file.

What is your basis for this statement? The packaging of Essex Quantum
for Fedora and RHEL/EPEL do configure root_helper to use
quantum-rootwrap. If another distribution doesn't do this, I would
consider that a distribution bug, not an upstream problem.

> That
> means Quantum is not ready to deprecate in Folsom (and remove in
> Grizzly) its ability to run with root_helper=sudo, like Nova and Cinder do.

What's involved in deprecating this ability in Folsom? Is it that
difficult? If Nova and Cinder are doing it, why shouldn't Quantum?

> 
> I discussed this with Dan, and it appears that the sanest approach would
> be to remove quantum-rootwrap from Quantum and only support
> root_helper=sudo (the only option that works). I suspect nobody is
> actually using quantum-rootwrap right now anyway, given how broken it
> seems to be. For the first official release of Quantum as an OpenStack
> core project, I would prefer not to ship half-working options :)

The quantum-rootwrap configuration in Essex is being used by anyone who
uses the official Fedora or EPEL RPMs. It may not provide fine-grained
validation of command parameters, but I haven't heard complaints that
its broken. Isn't it better than nothing?

> 
> Quantum would then wait for rootwrap to move to openstack-common (should
> be done in Grizzly) to reconsider using it.
> 
> Let me know if any of you see issues with that approach.
> (posted to the general list to get the widest feedback).
> 

I do have an issue with Folsom dropping a capability that is being used
in Essex. If the existing rootwrap really does more harm than good, this
might be justified, but I don't think you can argue nobody has used it.

-Bob

Follow ups

Re: [Quantum] Removing quantum-rootwrap
From: Thierry Carrez, 2012-08-08

References

[Quantum] Removing quantum-rootwrap
From: Thierry Carrez, 2012-08-08