yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1823192] [NEW] Lack of documentation for rootwrap and privsep in nova docs

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Matt Riedemann <mriedem.os@xxxxxxxxx>
Date: Thu, 04 Apr 2019 14:32:42 -0000
Reply-to: Bug 1823192 <1823192@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

Regarding rootwrap, this is the only mention in the nova docs:

https://docs.openstack.org/nova/stein/cli/nova-rootwrap.html

And privsep isn't much better:

https://docs.openstack.org/nova/stein/search.html?q=privsep

There is no documentation really about how rootwrap should be deployed
during an install, what compute.filters is or what's in it, there is no
links to privsep documentation or how rootwrap is configured with the
privsep-helper (which is necessary during deployment if you want nova-
compute to work).

At the very least we should have something in the compute service
install guide about deploying the privsep files (maybe this is missing
because deployment packages take care of this for us and we don't have
dedicated docs on installing nova from source packages).

It would probably also be worth noting the known issue with bug 1715374
where SIGHUP'ing the nova-compute service makes nova-compute unusable
because the privsep-helper child processes are gone so anything that
needs root access after that (which is most things when you're creating
a VM with the libvirt driver) will fail.

** Affects: nova
     Importance: Undecided
         Status: New


** Tags: docs privsep

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1823192

Title:
  Lack of documentation for rootwrap and privsep in nova docs

Status in OpenStack Compute (nova):
  New

Bug description:
  Regarding rootwrap, this is the only mention in the nova docs:

  https://docs.openstack.org/nova/stein/cli/nova-rootwrap.html

  And privsep isn't much better:

  https://docs.openstack.org/nova/stein/search.html?q=privsep

  There is no documentation really about how rootwrap should be deployed
  during an install, what compute.filters is or what's in it, there is
  no links to privsep documentation or how rootwrap is configured with
  the privsep-helper (which is necessary during deployment if you want
  nova-compute to work).

  At the very least we should have something in the compute service
  install guide about deploying the privsep files (maybe this is missing
  because deployment packages take care of this for us and we don't have
  dedicated docs on installing nova from source packages).

  It would probably also be worth noting the known issue with bug
  1715374 where SIGHUP'ing the nova-compute service makes nova-compute
  unusable because the privsep-helper child processes are gone so
  anything that needs root access after that (which is most things when
  you're creating a VM with the libvirt driver) will fail.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1823192/+subscriptions