openstack team mailing list archive
Message #15644
Re: [Quantum] Removing quantum-rootwrap
> From: Thierry Carrez <thierry@xxxxxxxxxxxxx>
> Date: Thu, 09 Aug 2012 10:34:17 +0200
>
> jrd@xxxxxxxxxx wrote:
> >> From: Dan Wendlandt <dan@xxxxxxxxxx>
> >> If someone (Bob?) has the immediate cycles to make rootwrap work in Folsom with low to medium
> >> risk of disruption, I'd be open to exploring that, even if it meant inconsistent usage in quantum
> >> vs. nova/cinder.
> >
> > Hi Dan. I've been working with Bob, getting myself up to speed on
> > quantum. I've just talked it over with Bob, and I'll take a crack at
> > this one. My approach is going to be to get the quantum rootwrap
> > stuff up to parity with nova. It sounded like some further work might
> > get done in this area for Grizzly, but for the short term, this ought
> > to be fairly non-disruptive.
>
> There are a number of changes:
>
> * Switch to configuration-based filters
> This should be relatively straightforward, although Quantum makes use of
> root_helper in *many* more places than Nova/Cinder do. You can have a
> look at:
> https://github.com/openstack/cinder/commit/d2d3c9cba4a647724f75c036a1985a10c966da35
Yes, I believe that's one of the changesets I've already been looking
at. Glad to know I'm not off in the weeds :-)
>
> * Switch to rootwrap_config and deprecate root_helper
> This would fully align quantum-rootwrap with nova-rootwrap. However I'm
> not sure it's reasonable to deprecate root_helper=sudo in Folsom, given
> how little tested quantum-rootwrap seems to be on Folsom. Maybe just
> introducing rootwrap_config but leaving the deprecation message out ?
> You can have a look at:
> https://github.com/openstack/cinder/commit/2b2c97eb5ca332ce7d1f83e4fd2e81fabe0acb66
>
Ok. I did talk through this issue with Bob yesterday, but I'd be
lying if I said I understood it all yet.

Let me ask this: Since, as you say, there's not a lot of evidence of
traffic through quantum-rootwrap, is there an obvious downside to
deprecating root_helper=sudo at this stage? I'm not advocating either
way, just trying to get up to speed on all the parts of the issue.
> * Add missing filters, fix incomplete ones
> You have to audit all uses of root_helper and add the corresponding
> filter. In some cases the filter is there but the parameters are wrong
> (kill, missing -HUP as an allowed signal). I also spotted one call that
> sets environment before calling root_helper: that needs to use a
> specific filter since rootwrap filters the environment out (see how
> DnsmasqFilter works).
>
Ok. I haven't seen those, or didn't know what I was looking at, but
I'll keep attention out for that stuff.
> * Testing
> The fact that nobody filed bugs around quantum-rootwrap being unusable
> tends to show nobody actually uses Quantum with it (hence my suggestion
> to remove it). If we are to ship that option, it needs to be tested one
> way or another.
Yes. Honestly, this is the part which I feel most unsure about. But
I've decided to try to get my head around the code first, and then
understand the testing implications. I will doubtless have more
questions about that.
>
> I don't think it would be that disruptive (given that quantum-rootwrap
> doesn't really work right now anyway). It is, however, a significant
> amount of work to complete before the F3 cut Tuesday at end of day.
> Corner-case missing filters can be treated as bugs post-F3 though.
>
Ok, understood.

My goal is by end of today, or tomorrow morning latest, to have at
least a reasonably complete understanding of the changes necessary to
get the quantum-rootwrap facility up to parity with nova/cinder. If I
get to that deadline and I'm not there, I'll probably punt, as it
becomes too much of a hail-mary to get the stuff stabilized and
reviewed etc. by Tues.
> I'm available to help you and answer any question on the design of the
> rootwrap you may have.
Thanks very much. I will certainly have more questions as I proceed.
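
The two filter problems raised in this message (a kill filter that does not list -HUP, and a call that sets environment variables in front of the command), shown as an added example that is not part of the original thread and is not nova, cinder or quantum code. It is a simplified model of allowlist filtering; the class names, `authorize()`, the paths and the `CONFIG_FILE` variable are assumptions made for illustration.

```python
import os

class CommandFilter:
    """Permit one executable; the caller's environment is dropped."""
    def __init__(self, exec_path):
        self.exec_path = exec_path
        self.name = os.path.basename(exec_path)

    def match(self, argv):
        return bool(argv) and argv[0] == self.name

    def build(self, argv):
        # (command to run as root, environment to run it with)
        return [self.exec_path] + argv[1:], {}

class KillFilter(CommandFilter):
    """Permit `kill <signal> <pid>` only for explicitly listed signals."""
    def __init__(self, *signals):
        super().__init__("/bin/kill")  # hypothetical path
        self.signals = set(signals)

    def match(self, argv):
        return (len(argv) == 3 and argv[0] == self.name
                and argv[1] in self.signals and argv[2].isdigit())

class EnvPrefixFilter(CommandFilter):
    """Permit leading NAME=value words, but only for allowlisted names."""
    def __init__(self, exec_path, *env_names):
        super().__init__(exec_path)
        self.env_names = set(env_names)

    def _split(self, argv):
        n = 0
        while n < len(argv) and "=" in argv[n]:
            n += 1
        return dict(a.split("=", 1) for a in argv[:n]), argv[n:]

    def match(self, argv):
        env, cmd = self._split(argv)
        return bool(env) and set(env) <= self.env_names and super().match(cmd)

    def build(self, argv):
        env, cmd = self._split(argv)
        return [self.exec_path] + cmd[1:], env

def authorize(filters, argv):
    """Return (command, env) from the first matching filter, else None."""
    for f in filters:
        if f.match(argv):
            return f.build(argv)
    return None
```

A filter set that lists only -9 rejects a -HUP request outright, and a plain command filter rejects any call that starts with NAME=value words, which is why each such call site needs its own filter entry.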