openstack team mailing list archive
Message #15606
Re: [Quantum] Removing quantum-rootwrap
Robert Kukura wrote:
> On 08/08/2012 09:31 AM, Thierry Carrez wrote:
>> Quantum currently contains bin/quantum-rootwrap, a copy of nova-rootwrap
>> supposed to control its privilege escalation to run commands as root.
>>
>> However quantum-rootwrap is currently non-functional, missing a lot of
>> filter definitions that are necessary for it to work correctly.
>
> Is missing definitions the only issue? Those may need updating for F-3,
> but this can certainly be done.

Those are the only issues I spotted. Making Quantum compatible with the
latest version of rootwrap as shipped in Nova/Cinder, though, is a lot
more work.

>> Quantum
>> is generally run with root_helper=sudo and a wildcard sudoers file.
>
> What is your basis for this statement? The packaging of Essex Quantum
> for Fedora and RHEL/EPEL does configure root_helper to use
> quantum-rootwrap. If another distribution doesn't do this, I would
> consider that a distribution bug, not an upstream problem.

Given that quantum-rootwrap is currently non-working, I suspected that
everyone running Quantum *on Folsom* was using sudo and not the
rootwrap. If most people do that, it probably means it's a bit early to
deprecate root_helper=sudo support in Folsom.

>> That
>> means Quantum is not ready to deprecate in Folsom (and remove in
>> Grizzly) its ability to run with root_helper=sudo, like Nova and Cinder do.
>
> What's involved in deprecating this ability in Folsom? Is it that
> difficult? If Nova and Cinder are doing it, why shouldn't Quantum?

As a quick grep will show, there is much more adherence to root_helper
in Quantum than in Nova/Cinder, where it was used in a single place.
It's definitely doable, but I'd say a bit dangerous (and too late) 4
days before F3. I certainly won't have enough time for it...

> I do have an issue with Folsom dropping a capability that is being used
> in Essex. If the existing rootwrap really does more harm than good, this
> might be justified, but I don't think you can argue nobody has used it.

Fair point, it was definitely used in Essex.

We have three options at this point:

* Remove it (but is it acceptable to "lose" functionality compared to
Essex, even if Essex is not a "core" release for Quantum?)
* Just fix it by adding missing filters (but then accept that
quantum-rootwrap doesn't behave like nova-rootwrap and cinder-rootwrap,
which is bad for consistency)
* Align quantum-rootwrap with nova-rootwrap and deprecate usage of
root_helper, by overhauling how root_helper is pervasively used
throughout Quantum code (lots of work, and introducing a lot of
disruption that late in the cycle)

Personally I think only the first two options are realistic. So this
boils down to losing functionality from Essex vs. hurting Folsom core
consistency.
--
Thierry Carrez (ttx)
Release Manager, OpenStack
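
An added illustration (not code from this thread, from Quantum or from nova-rootwrap) of why missing filter definitions leave a rootwrap-style helper non-functional, while root_helper=sudo with a wildcard sudoers file passes every command through. The class names, paths and sample commands are hypothetical and constructed for the example.

```python
import re

class ExecFilter:
    """Allow one executable, matched by the command name the caller passes."""
    def __init__(self, exec_path, run_as="root"):
        self.exec_path = exec_path
        self.run_as = run_as

    def match(self, argv):
        return bool(argv) and argv[0] == self.exec_path.rsplit("/", 1)[-1]

    def command(self, argv):
        # Always run the configured absolute path, never the caller's argv[0].
        return [self.exec_path] + argv[1:]

class ArgPatternFilter(ExecFilter):
    """Additionally require every argument to fully match a regex."""
    def __init__(self, exec_path, run_as, *patterns):
        super().__init__(exec_path, run_as)
        self.patterns = [re.compile(p) for p in patterns]

    def match(self, argv):
        args = argv[1:]
        return (super().match(argv) and len(args) == len(self.patterns)
                and all(p.fullmatch(a) for p, a in zip(self.patterns, args)))

# Constructed sample filter set (hypothetical paths and commands).
FILTERS = [
    ExecFilter("/usr/bin/ovs-vsctl"),
    ArgPatternFilter("/sbin/ip", "root", "link", "show", r"[a-z0-9-]{1,15}"),
]

def authorize(argv, filters=FILTERS):
    """Return the command to execute as root, or None if no filter matches."""
    for f in filters:
        if f.match(argv):
            return f.command(argv)
    return None

def wildcard_sudo(argv):
    """Model of root_helper=sudo with a wildcard sudoers entry: no filtering."""
    return list(argv)
```

A legitimate agent call with no filter defined (here `dnsmasq`) is refused by `authorize`, which is the failure mode of an incomplete filter set; `wildcard_sudo` accepts it along with anything else.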