Cinder and Nova already require this version,
as it provides significant performance enhancements.
Change-Id: I42623a2172ebd80a237006e880189095bc27e70f

This patch adds a Windows iSCSI connector while the following
changes will add SMBFS and Fibre Channel connectors as well.
os-win is added as a requirement, as well as ddt. Note that
both are in the global requirements list. os-win is under OpenStack
governance and already being used by multiple OpenStack projects
such as Nova and Cinder.
The patch using Windows os-brick connectors in the Hyper-V
Nova driver: https://review.openstack.org/#/c/273504/
Change-Id: I19dfc8dd2e9e8a1b17675b55c63de903804480e4
Partial-Implements: blueprint os-brick-windows-support

Currently, when creating an encrypted volume from an image, Cinder
writes raw data to the encrypted volume. When Cinder uploads an
encrypted volume to an image, it writes encrypted data to the image.
As a result, Nova cannot use these images or volumes.
To fix the above problem, Cinder needs to add encryptor attach/detach
layers.
As both Nova and Cinder need to use the module, the fix is to
move it to os-brick.
It copies encryptors from Nova to os-brick, and keeps all interfaces
unchanged except initialization.
Change-Id: I8044183ad02110c8b2468e20327d822c0437c772
Implements: blueprint improve-encrypted-volume
Related-bug: #1482464
Related-bug: #1465656

This change replaces all uses of rootwrap with a trivial privsep-based
equivalent. This replacement simply executes commands as the privsep
user *without any additional checks*.
There are 2 reasons why this is a reasonable thing to do:
1. We don't have a good workflow for merging rootwrap filter changes
into parent projects (nova/cinder) for a loosely-coupled library like
os-brick.
2. The previous situation was also insecure. The os-brick.filters
rootwrap config permitted commands like "dd" and "cp" with any
arguments, as root. This would have posed only a mild inconvenience
to an attacker. With privsep we can at least (in principle) limit
the commands to the privsep uid/gid and Linux
capabilities (CAP_SYS_ADMIN by default with this change).
This change addresses the urgency of (1). Later refactors will take
greater advantage of privsep to address (2).
Change-Id: I0af542eba97d2f89b1c283bf1e1e985d9690f5de
Depends-On: I90dc41bc77993bd83b80c92286e015e14f290b45
# nova: nova.conf: Set privsep_rootwrap.helper_command
Depends-On: I4e333e73ddfd45c045b9d32dac1506fc25858c4d
# nova: Add os-brick rootwrap filter for privsep
Depends-On: I8a0b1728cc66c4861f69623b1b16b1f759b57b25
# cinder: cinder.conf: Set privsep_rootwrap.helper_command
Depends-On: I3b2e337321875cf4abc0ab9b44fe17cf9327d88b
# cinder: Add os-brick rootwrap filter for privsep
Depends-On: I4299c2fc059807610f83e12a2d470e020930c64c
# privsep: Switch to msgpack for serialization
Depends-On: Ied1ef4fc945e18516b39d1f20d58425cb633dc74
# requirements: require oslo.privsep>=1.5.0 for msgpack fix
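
Point 2 of the privsep commit message above notes that the rootwrap filters permitted commands like "dd" and "cp" with any arguments, as root. The following is an added example, not code from os-brick or from the commit: a small audit that reads a filter file in oslo.rootwrap syntax and reports every entry that lets root run a command without argument constraints. The sample filter text and the `audit_filters` name are constructed for illustration and are not the real os-brick.filters contents.

```python
import configparser

# Constructed sample in oslo.rootwrap filter-file syntax
# (name: FilterClass, executable, run_as[, argument patterns...]).
# This is NOT the real os-brick.filters file.
SAMPLE_FILTERS = """
[Filters]
dd: CommandFilter, dd, root
cp: CommandFilter, cp, root
multipath_list: RegExpFilter, multipath, root, multipath, -ll
lsblk: CommandFilter, lsblk, nobody
"""

# CommandFilter matches on the executable only, so any arguments pass.
UNCONSTRAINED_CLASSES = {"CommandFilter"}


def audit_filters(text):
    """Return (filter_name, executable) for each filter that allows
    root to run a command with arbitrary arguments."""
    parser = configparser.RawConfigParser()
    parser.optionxform = str  # keep filter names case-sensitive
    parser.read_string(text)

    findings = []
    for name, definition in parser.items("Filters"):
        fields = [field.strip() for field in definition.split(",")]
        if len(fields) < 3:
            continue  # malformed entry: class, executable and user are required
        filter_class, executable, run_as = fields[:3]
        if filter_class in UNCONSTRAINED_CLASSES and run_as == "root":
            findings.append((name, executable))
    return findings


if __name__ == "__main__":
    for name, executable in audit_filters(SAMPLE_FILTERS):
        print(f"{name}: root may run '{executable}' with any arguments")
```

Entries reported by this check are the ones where the filter adds little beyond what an unrestricted root helper would allow, which is the situation the commit message describes.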