
[openstack-dev] [Nova] Moving the virt_mkfs flags to privsep

0 votes

Hi,

a really really long time ago (think 2011), we added support in Nova for
configuring the mkfs commands that are run for new ephemeral disks using
the virt_mkfs command. The current implementation is in
nova/virt/disk/api.py for your reading pleasure.

I'm battling a little with how to move this code to privsep, because I have
resisted providing any method which just takes a command line and runs it
with escalated permissions, as I feel this defeats the purpose of privsep.

I could just pick up all the command line parsing code and move it into
privsep, but I am left wondering if anyone actually uses this
functionality, or if we should just deprecate it all?

I'd appreciate your thoughts.

Michael


OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
asked Nov 8, 2017 in openstack-dev by Michael_Still (16,180 points)   3 5 12
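
An added sketch (not Nova's code and not part of the original post) of the trade-off the post describes: a privileged entry point that runs whatever command line is configured, beside one that accepts only structured arguments and builds the argv itself. The function names, the allowlist, the validation patterns and the `%(target)s` / `%(fs_label)s` placeholders are assumptions for illustration; nothing is executed.

```python
import re
import shlex

# Assumption: the filesystems the privileged side is willing to create.
ALLOWED_FS = {"ext3": "mkfs.ext3", "ext4": "mkfs.ext4", "xfs": "mkfs.xfs"}
_LABEL_RE = re.compile(r"[A-Za-z0-9_.-]{1,12}")   # 12 = XFS label limit
_TARGET_RE = re.compile(r"/[A-Za-z0-9_./-]+")     # absolute path, no shell metachars


def render_configured_command(template, target, label):
    """The pattern the post resists: the program name and every option come
    from a configured template, so the privileged side runs whatever it says."""
    return shlex.split(template % {"target": target, "fs_label": label})


def build_mkfs_argv(fs_type, target, label=None):
    """Narrow privileged-side helper: the caller chooses a filesystem type,
    a target and a label, never the program or free-form options."""
    if fs_type not in ALLOWED_FS:
        raise ValueError("unsupported filesystem type: %r" % (fs_type,))
    if not _TARGET_RE.fullmatch(target) or ".." in target.split("/"):
        raise ValueError("bad target path: %r" % (target,))
    argv = [ALLOWED_FS[fs_type]]
    if label is not None:
        # A leading "-" would be parsed by mkfs as another option.
        if not _LABEL_RE.fullmatch(label) or label.startswith("-"):
            raise ValueError("bad label: %r" % (label,))
        argv += ["-L", label]
    argv.append(target)
    return argv


def is_rejected(*args):
    """Helper for the demonstration: True if build_mkfs_argv refuses args."""
    try:
        build_mkfs_argv(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample values.
    print(render_configured_command("dd if=/dev/zero of=%(target)s", "/dev/vdb", "x"))
    print(build_mkfs_argv("ext4", "/dev/vdb", "ephemeral0"))
    print(is_rejected("ext4", "/dev/vdb", "-F"))
```

With the narrow helper, the privilege boundary is crossed only with a filesystem type, a path and a label, so a changed configuration value can select among the allowlisted mkfs programs but cannot name a different binary.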

2 Responses

0 votes

On 11/8/2017 12:24 PM, Michael Still wrote:
> Hi,
>
> a really really long time ago (think 2011), we added support in Nova for
> configuring the mkfs commands that are run for new ephemeral disks using
> the virt_mkfs command. The current implementation is in
> nova/virt/disk/api.py for your reading pleasure.
>
> I'm battling a little with how to move this code to privsep, because I
> have resisted providing any method which just takes a command line and
> runs it with escalated permissions, as I feel this defeats the purpose
> of privsep.
>
> I could just pickup all the command line parsing code and move it into
> privsep, but I am left wondering if anyone actually uses this
> functionality, or if we should just deprecate it all?
>
> I'd appreciate your thoughts.
>
> Michael



Let's deprecate it, put a warning in the logs if it's used in Queens,
deprecation release note and then remove it in Rocky.

Does that work for you?

--

Thanks,

Matt


responded Nov 8, 2017 by mriedemos_at_gmail.c (15,720 points)   2 4 4
0 votes

That does work for me, except it means I'll still need to port it to
privsep to hit my goal of no rootwrap in Queens. I can live with that.

Michael

On Wed, Nov 8, 2017 at 4:54 PM, Matt Riedemann <mriedemos@gmail.com> wrote:

> On 11/8/2017 12:24 PM, Michael Still wrote:
>
>> Hi,
>>
>> a really really long time ago (think 2011), we added support in Nova for
>> configuring the mkfs commands that are run for new ephemeral disks using
>> the virt_mkfs command. The current implementation is in
>> nova/virt/disk/api.py for your reading pleasure.
>>
>> I'm battling a little with how to move this code to privsep, because I
>> have resisted providing any method which just takes a command line and runs
>> it with escalated permissions, as I feel this defeats the purpose of
>> privsep.
>>
>> I could just pickup all the command line parsing code and move it into
>> privsep, but I am left wondering if anyone actually uses this
>> functionality, or if we should just deprecate it all?
>>
>> I'd appreciate your thoughts.
>>
>> Michael




> Let's deprecate it, put a warning in the logs if it's used in Queens,
> deprecation release note and then remove it in Rocky.
>
> Does that work for you?
>
> --
>
> Thanks,
>
> Matt


responded Nov 8, 2017 by Michael_Still (16,180 points)   3 5 12
...