OpenStack Compute (nova)

Transition nova to privsep (partial)

Registered by Michael Still on 2017-09-14

Transition away from using rootwrap for escalated permissions, and use privsep instead.

Discussion happened at the Queens PTG: https://etherpad.openstack.org/p/nova-ptg-queens

Blueprint information

Status:
Complete
Approver:
Michael Still
Priority:
Low
Drafter:
Michael Still
Direction:
Approved
Assignee:
Michael Still
Definition:
Approved
Series goal:
Accepted for queens
Implementation:
Implemented
Milestone target:
milestone icon queens-rc1
Started by
Matt Riedemann on 2017-09-14
Completed by
Matt Riedemann on 2018-01-27

Related branches

Sprints

Whiteboard

https://review.openstack.org/#/q/project:openstack/nova+topic:hurrah-for-privsep

Gerrit topic: https://review.openstack.org/#q,topic:hurrah-for-privsep,n,z

Addressed by: https://review.openstack.org/500351
    Move nbd commands to privsep.

Addressed by: https://review.openstack.org/495516
    Move lvm handling to privsep.

Addressed by: https://review.openstack.org/495538
    Move xend existence probes to privsep.

Addressed by: https://review.openstack.org/495537
    Move shred to privsep.

Addressed by: https://review.openstack.org/494423
    Cleanup mount / umount and associated rmdir calls

Addressed by: https://review.openstack.org/495542
    WIP / Aspirational: we don't need rootwrap any more.

Addressed by: https://review.openstack.org/492326
    Don't shell out to mkdir, use ensure_tree()

Addressed by: https://review.openstack.org/495664
    Move loopback setup and removal to privsep.

Addressed by: https://review.openstack.org/492325
    Move ploop commands to privsep.

Addressed by: https://review.openstack.org/495541
    Move the idmapshift binary into privsep.

Addressed by: https://review.openstack.org/500354
    Move kpartx calls to privsep.

Addressed by: https://review.openstack.org/490737
    Move libvirts dmcrypt support to privsep.

Addressed by: https://review.openstack.org/500398
    Move blkid calls to privsep.

Addressed by: https://review.openstack.org/504193
    Use symbolic names for capabilities, expand sys_admin context.

Addressed by: https://review.openstack.org/504194
    Move the dac_admin privsep code to a new location.

Addressed by: https://review.openstack.org/504195
    Squash dac_admin privsep context.

Addressed by: https://review.openstack.org/504805
    Squash dacnet_admin privsep context.

Gerrit topic: https://review.openstack.org/#q,topic:507569,n,z

Gerrit topic: https://review.openstack.org/#q,topic:bp/hurrah-for-privsep,n,z

Addressed by: https://review.openstack.org/489486
    Read from console ptys using privsep.

Addressed by: https://review.openstack.org/507848
    Move libvirts qemu-img support to privsep.

Addressed by: https://review.openstack.org/509409
    test_mount_unmount cleanup

Addressed by: https://review.openstack.org/515196
    Convert IVS VIF plugging / unplugging to privsep.

Addressed by: https://review.openstack.org/515197
    Move infiniband vif plugging to privsep.

Addressed by: https://review.openstack.org/515198
    Move midonet vif plugging to privsep.

Addressed by: https://review.openstack.org/515336
    Move plumgrid vif plugging to privsep.

Addressed by: https://review.openstack.org/515916
    Move control vif plugging to privsep.

Addressed by: https://review.openstack.org/517516
    Convert ext filesystem resizes to privsep.

Addressed by: https://review.openstack.org/519010
    Move flushing block devices to privsep.

Addressed by: https://review.openstack.org/519011
    Start moving users of parted to privsep.

Addressed by: https://review.openstack.org/519483
    Move remaining uses of parted to privsep.

Addressed by: https://review.openstack.org/519484
    Convert users of tune2fs to privsep.

Addressed by: https://review.openstack.org/527510
    Move makefs to privsep

There are still some outstanding changes for this but we're past the feature freeze for Queens so I'm going to mark this as complete for Queens and we can open a blueprint for Rocky for continuing the work if someone is going to do so. -- mriedem 20180127

Addressed by: https://review.openstack.org/551921
    Move configurable mkfs to privsep.

Addressed by: https://review.openstack.org/552241
    Move xenapi xenstore_read's to privsep.

Addressed by: https://review.openstack.org/552242
    Move xenapi disk resizing to privsep.

Addressed by: https://review.openstack.org/553605
    Move xenapi partition copies to privsep.

Addressed by: https://review.openstack.org/554437
    Move image conversion to privsep.

Addressed by: https://review.openstack.org/554438
    We no longer need rootwrap.

Addressed by: https://review.openstack.org/554439
    We don't need utils.trycmd any more.

Addressed by: https://review.openstack.org/554078
    Sync xenapi and libvirt on what flags to pass e2fsck.

(?)

Work Items

Nearby

This blueprint contains Public information 
Everyone can see this information.
Edit subscription

Subscribers

No subscribers.