← Back to team overview

openstack team mailing list archive

Re: [Quantum] Removing quantum-rootwrap

 

jrd@xxxxxxxxxx wrote:
>> From: Dan Wendlandt <dan@xxxxxxxxxx>
>> If someone (Bob?) has the immediate cycles to make rootwrap work in Folsom with low to medium
>> risk of disruption, I'd be open to exploring that, even if it meant inconsistent usage in quantum
>> vs. nova/cinder.     
> 
> Hi Dan.  I've been working with Bob, getting myself up to speed on
> quantum.  I've just talked it over with Bob, and I'll take a crack at
> this one.  My approach is going to be to get the quantum rootwrap
> stuff up to parity with nova.  It sounded like some further work might
> get done in this area for Grizzly, but for the short term, this ought
> to be fairly non-disruptive.

There are a number of changes:

* Switch to configuration-based filters
This should be relatively straightforward, although Quantum makes use of
root_helper in *many* more places than Nova/Cinder do. You can have a
look at:
https://github.com/openstack/cinder/commit/d2d3c9cba4a647724f75c036a1985a10c966da35

* Switch to rootwrap_config and deprecate root_helper
This would fully align quantum-rootwrap with nova-rootwrap. However I'm
not sure it's reasonable to deprecate root_helper=sudo in Folsom, given
how little tested quantum-rootwrap seems to be on Folsom. Maybe just
introducing rootwrap_config but leaving the deprecation message out ?
You can have a look at:
https://github.com/openstack/cinder/commit/2b2c97eb5ca332ce7d1f83e4fd2e81fabe0acb66

* Add missing filters, fix incomplete ones
You have to audit all uses of root_helper and add the corresponding
filter. In some cases the filter is there but the parameters are wrong
(kill, missing -HUP as an allowed signal). I also spotted one call that
sets environment before calling root_helper: that needs to use a
specific filter since rootwrap filters the environment out (see how
DnsmasqFilter works).

* Testing
The fact that nobody filed bugs around quantum-rootwrap being unusable
tends to show nobody actually uses Quantum with it (hence my suggestion
to remove it). If we are to ship that option, it needs to be tested one
way or another.

I don't think it would be that disruptive (given that quantum-rootwrap
doesn't really work right now anyway). It is, however, a significant
amount of work to complete before the F3 cut Tuesday at end of day.
Corner-case missing filters can be treated as bugs post-F3 though.

I'm available to help you and answer any question on the design of the
rootwrap you may have.

-- 
Thierry Carrez (ttx)
Release Manager, OpenStack


Follow ups

References