)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"ab8c9034163b1c948ec2bdbdf4d0adea54888119","unresolved":false,"context_lines":[{"line_number":10,"context_line":"privsep to run something as root, specifically the gpu driver. FPGA"},{"line_number":11,"context_line":"and other drivers should implement as well in the future."},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"This code is modelled strongly on how nova and cinder[0] has chosen"},{"line_number":14,"context_line":"to use privsep."},{"line_number":15,"context_line":""},{"line_number":16,"context_line":"[0]:https://review.opendev.org/#/c/566479/4"},{"line_number":17,"context_line":"For reference:https://docs.openstack.org/oslo.privsep/latest/user/index.html#converting-from-rootwrap-to-privsep"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":8,"id":"7faddb67_57fcb071","line":14,"range":{"start_line":13,"start_character":0,"end_line":14,"end_character":15},"updated":"2019-08-22 23:30:53.000000000","message":"nova is not a good example of how to use privsep correctly.\n\nin nova generic privileged functions are grouped into a privsep module and called from different parts of the code.\n\nthis is an antipattern and we should not follow that in cyborg. the better approach is to place privileged functions in the same module as the code that uses them.\n\nmark all privileged functions with privileged in their name.\n\nand make privileged functions targeted to a specific task and not generic.\n\nthat does not mean you cannot reuse the same privileged function from multiple places but they should not be grouped together\n\ne.g.\n\"import cyborg.privsep.lspci as lspci\" is bad as it hides the fact the function is elevated. 
in calling code it will just be lspci and you will not see it is privileged\n\nthe correct design is to do the following \n\n\"from cyborg.pci import lspci_privileged\"\n\nthis way calling code always know if a function is privileged or not.\n\n\nwhile i would like to be able to point you to os-vif as an example of this we actully do not add \"privileged\" to all our privileged function as much of this code was imported form nova and we did not rename them. we do however only try to have no public generic privileged functions and limit the privsep context we use to just cap net admin\n\nhttps://github.com/openstack/os-vif/blob/master/vif_plug_ovs/privsep.py","commit_id":"a93a951aa067700644b9266eb53d17ae60312c98"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"9d10dc3e76bbc53311e68d9ef98f642670d0dfea","unresolved":false,"context_lines":[{"line_number":10,"context_line":"privsep to run something as root, specifically the gpu driver. FPGA"},{"line_number":11,"context_line":"and other drivers should implement as well in the future."},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"This code is modelled strongly on how nova and cinder[0] has chosen"},{"line_number":14,"context_line":"to use privsep."},{"line_number":15,"context_line":""},{"line_number":16,"context_line":"[0]:https://review.opendev.org/#/c/566479/4"},{"line_number":17,"context_line":"For reference:https://docs.openstack.org/oslo.privsep/latest/user/index.html#converting-from-rootwrap-to-privsep"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":8,"id":"5faad753_801dac67","line":14,"range":{"start_line":13,"start_character":0,"end_line":14,"end_character":15},"in_reply_to":"5faad753_25ebaab0","updated":"2019-09-11 10:43:38.000000000","message":"This way doesn\u0027t force you to have \u0027privileged\u0027 in your invocation, since future consumers can \"forget\" to do the aliasing. 
Having \u0027privileged\u0027 in the method name is better enforcement.","commit_id":"a93a951aa067700644b9266eb53d17ae60312c98"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"14368eb2a8e8978db69381c54229b27e1d189c6d","unresolved":false,"context_lines":[{"line_number":10,"context_line":"privsep to run something as root, specifically the gpu driver. FPGA"},{"line_number":11,"context_line":"and other drivers should implement as well in the future."},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"This code is modelled strongly on how nova and cinder[0] has chosen"},{"line_number":14,"context_line":"to use privsep."},{"line_number":15,"context_line":""},{"line_number":16,"context_line":"[0]:https://review.opendev.org/#/c/566479/4"},{"line_number":17,"context_line":"For reference:https://docs.openstack.org/oslo.privsep/latest/user/index.html#converting-from-rootwrap-to-privsep"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":8,"id":"5faad753_e5091231","line":14,"range":{"start_line":13,"start_character":0,"end_line":14,"end_character":15},"in_reply_to":"5faad753_25ebaab0","updated":"2019-09-11 10:43:13.000000000","message":"no that is still a bad partica unles you write tooling to enforece it.\n\nwe shoudl no have a cyborg.privsep.* sub module at all\n\njust a top level cyborg/privsep.py module that create the context and the privileged function should be in normal modules with privileged appended as a prefix or suffix.","commit_id":"a93a951aa067700644b9266eb53d17ae60312c98"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"e1617ad9a0dd9567593783d63478c30e90c357a3","unresolved":false,"context_lines":[{"line_number":10,"context_line":"privsep to run something as root, specifically the gpu driver. 
FPGA"},{"line_number":11,"context_line":"and other drivers should implement as well in the future."},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"This code is modelled strongly on how nova and cinder[0] has chosen"},{"line_number":14,"context_line":"to use privsep."},{"line_number":15,"context_line":""},{"line_number":16,"context_line":"[0]:https://review.opendev.org/#/c/566479/4"},{"line_number":17,"context_line":"For reference:https://docs.openstack.org/oslo.privsep/latest/user/index.html#converting-from-rootwrap-to-privsep"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":8,"id":"5faad753_b50b3022","line":14,"range":{"start_line":13,"start_character":0,"end_line":14,"end_character":15},"in_reply_to":"5faad753_801dac67","updated":"2019-09-12 09:46:41.000000000","message":"Thanks Eric. Done. Please see the update.","commit_id":"a93a951aa067700644b9266eb53d17ae60312c98"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"e1617ad9a0dd9567593783d63478c30e90c357a3","unresolved":false,"context_lines":[{"line_number":10,"context_line":"privsep to run something as root, specifically the gpu driver. 
FPGA"},{"line_number":11,"context_line":"and other drivers should implement as well in the future."},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"This code is modelled strongly on how nova and cinder[0] has chosen"},{"line_number":14,"context_line":"to use privsep."},{"line_number":15,"context_line":""},{"line_number":16,"context_line":"[0]:https://review.opendev.org/#/c/566479/4"},{"line_number":17,"context_line":"For reference:https://docs.openstack.org/oslo.privsep/latest/user/index.html#converting-from-rootwrap-to-privsep"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":8,"id":"5faad753_d5002c04","line":14,"range":{"start_line":13,"start_character":0,"end_line":14,"end_character":15},"in_reply_to":"5faad753_e5091231","updated":"2019-09-12 09:46:41.000000000","message":"Thanks! Sean. I have moved privileged lspci to the invocation part. pls help to review again.","commit_id":"a93a951aa067700644b9266eb53d17ae60312c98"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"9830751912582b29695bd8c1bf04c17e5710e29e","unresolved":false,"context_lines":[{"line_number":10,"context_line":"privsep to run something as root, specifically the gpu driver. 
FPGA"},{"line_number":11,"context_line":"and other drivers should implement as well in the future."},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"This code is modelled strongly on how nova and cinder[0] has chosen"},{"line_number":14,"context_line":"to use privsep."},{"line_number":15,"context_line":""},{"line_number":16,"context_line":"[0]:https://review.opendev.org/#/c/566479/4"},{"line_number":17,"context_line":"For reference:https://docs.openstack.org/oslo.privsep/latest/user/index.html#converting-from-rootwrap-to-privsep"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":8,"id":"5faad753_25ebaab0","line":14,"range":{"start_line":13,"start_character":0,"end_line":14,"end_character":15},"in_reply_to":"7faddb67_57fcb071","updated":"2019-09-11 10:39:47.000000000","message":"what about rename to \"import cyborg.privsep.lspci as lspci_privileged\" at the invocation part?","commit_id":"a93a951aa067700644b9266eb53d17ae60312c98"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"b35c3e729362bee6d740e1f4e6e3f7d010ea3a62","unresolved":false,"context_lines":[{"line_number":10,"context_line":"privsep to run something as root, specifically the gpu driver. 
FPGA"},{"line_number":11,"context_line":"and other drivers should implement as well in the future."},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"This code is modelled strongly on how nova and cinder[0] has chosen"},{"line_number":14,"context_line":"to use privsep."},{"line_number":15,"context_line":""},{"line_number":16,"context_line":"[0]:https://review.opendev.org/#/c/566479/4"},{"line_number":17,"context_line":"For reference:https://docs.openstack.org/oslo.privsep/latest/user/index.html#converting-from-rootwrap-to-privsep"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":9,"id":"5faad753_c5a3b69d","line":14,"range":{"start_line":13,"start_character":0,"end_line":14,"end_character":15},"updated":"2019-09-11 10:27:36.000000000","message":"This should probably be removed (at least the nova part - I haven\u0027t looked at cinder) since you definitely *don\u0027t* want to model after what nova currently has.","commit_id":"c536cd732b03bfc541bdf8719d9a72fdd14c3b9f"}],"cyborg/accelerator/drivers/gpu/utils.py":[{"author":{"_account_id":20722,"name":"Yikun Jiang","email":"yikunkero@gmail.com","username":"yikunkero"},"change_message_id":"6fac32030dfab985bf7a08cfbfdfb3fcfb3a3e30","unresolved":false,"context_lines":[{"line_number":19,"context_line":"from oslo_log import log as logging"},{"line_number":20,"context_line":"from oslo_serialization import jsonutils"},{"line_number":21,"context_line":""},{"line_number":22,"context_line":"import cyborg.privsep.lsgpu as lsgpu"},{"line_number":23,"context_line":"import re"},{"line_number":24,"context_line":"import subprocess"},{"line_number":25,"context_line":""}],"source_content_type":"text/x-python","patch_set":2,"id":"7faddb67_f7cd035d","line":22,"updated":"2019-08-01 09:07:25.000000000","message":"nit: move it to L29","commit_id":"d89540ce96fcf8408389804510e6e41558611854"},{"author":{"_account_id":14070,"name":"Eric 
Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"b35c3e729362bee6d740e1f4e6e3f7d010ea3a62","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":9,"id":"5faad753_45902644","updated":"2019-09-11 10:27:36.000000000","message":"I think Sean meant you should have \u0027privileged\u0027 in the name of the *method*, not in the import alias.\n\nSo you don\u0027t need to define the method in a cyborg.privsep.* module -- you can define it anywhere that makes sense -- but you should name it e.g. \nprivileged_get_pci_devices","commit_id":"c536cd732b03bfc541bdf8719d9a72fdd14c3b9f"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"47709f676b4e8c4e35595eb429ef3ed861c94d92","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":9,"id":"5faad753_a5c1da30","in_reply_to":"5faad753_45902644","updated":"2019-09-11 10:39:17.000000000","message":"yes if you do that you dont need the hacking check to prevent you from aliasing privileged methods.","commit_id":"c536cd732b03bfc541bdf8719d9a72fdd14c3b9f"},{"author":{"_account_id":25738,"name":"Xinran WANG","email":"xin-ran.wang@intel.com","username":"Xinran"},"change_message_id":"6e1b687bcc52fad5acf9ebf225d4d686b5d335cb","unresolved":false,"context_lines":[{"line_number":47,"context_line":"    cmd \u003d [\u0027lspci\u0027, \u0027-nnn\u0027, \u0027-D\u0027]"},{"line_number":48,"context_line":"    return processutils.execute(*cmd)"},{"line_number":49,"context_line":""},{"line_number":50,"context_line":"def get_pci_devices(pci_flags, vendor_id\u003d\"\"):"},{"line_number":51,"context_line":"    device_for_vendor_out \u003d []"},{"line_number":52,"context_line":"    all_device_out \u003d []"},{"line_number":53,"context_line":"    lspci_out \u003d 
lspci_privileged()[0].split(\u0027\\n\u0027)"}],"source_content_type":"text/x-python","patch_set":13,"id":"3fa7e38b_14192e84","line":50,"range":{"start_line":50,"start_character":31,"end_line":50,"end_character":43},"updated":"2019-09-19 02:16:53.000000000","message":"Could we have vendor_id\u003dNone here?","commit_id":"0af51302a4fe0fc03b6d3b3664d70067ca843716"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"2c5e4571d5f1c28d8c78a8c45f7d0754e21c23ff","unresolved":false,"context_lines":[{"line_number":47,"context_line":"    cmd \u003d [\u0027lspci\u0027, \u0027-nnn\u0027, \u0027-D\u0027]"},{"line_number":48,"context_line":"    return processutils.execute(*cmd)"},{"line_number":49,"context_line":""},{"line_number":50,"context_line":"def get_pci_devices(pci_flags, vendor_id\u003d\"\"):"},{"line_number":51,"context_line":"    device_for_vendor_out \u003d []"},{"line_number":52,"context_line":"    all_device_out \u003d []"},{"line_number":53,"context_line":"    lspci_out \u003d lspci_privileged()[0].split(\u0027\\n\u0027)"}],"source_content_type":"text/x-python","patch_set":13,"id":"3fa7e38b_c69e8506","line":50,"range":{"start_line":50,"start_character":31,"end_line":50,"end_character":43},"in_reply_to":"3fa7e38b_14192e84","updated":"2019-09-20 10:31:48.000000000","message":"Done","commit_id":"0af51302a4fe0fc03b6d3b3664d70067ca843716"},{"author":{"_account_id":21672,"name":"Sundar Nadathur","email":"sundar.nadathur@intel.com","username":"nsundar"},"change_message_id":"4e68bf3e3c29f1d6f388c11912d0e2e4c91924d8","unresolved":false,"context_lines":[{"line_number":50,"context_line":"def get_pci_devices(pci_flags, vendor_id\u003d\"\"):"},{"line_number":51,"context_line":"    device_for_vendor_out \u003d []"},{"line_number":52,"context_line":"    all_device_out \u003d []"},{"line_number":53,"context_line":"    lspci_out \u003d 
lspci_privileged()[0].split(\u0027\\n\u0027)"},{"line_number":54,"context_line":"    for i in range(len(lspci_out)):"},{"line_number":55,"context_line":"        if any(x in lspci_out[i] for x in pci_flags):"},{"line_number":56,"context_line":"            all_device_out.append(lspci_out[i])"}],"source_content_type":"text/x-python","patch_set":13,"id":"3fa7e38b_a4734980","line":53,"updated":"2019-09-19 05:08:26.000000000","message":"processutils.execute can raise exceptions. Should we not catch them and raise meaningful errors?","commit_id":"0af51302a4fe0fc03b6d3b3664d70067ca843716"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"2c5e4571d5f1c28d8c78a8c45f7d0754e21c23ff","unresolved":false,"context_lines":[{"line_number":50,"context_line":"def get_pci_devices(pci_flags, vendor_id\u003d\"\"):"},{"line_number":51,"context_line":"    device_for_vendor_out \u003d []"},{"line_number":52,"context_line":"    all_device_out \u003d []"},{"line_number":53,"context_line":"    lspci_out \u003d lspci_privileged()[0].split(\u0027\\n\u0027)"},{"line_number":54,"context_line":"    for i in range(len(lspci_out)):"},{"line_number":55,"context_line":"        if any(x in lspci_out[i] for x in pci_flags):"},{"line_number":56,"context_line":"            all_device_out.append(lspci_out[i])"}],"source_content_type":"text/x-python","patch_set":13,"id":"3fa7e38b_2728a232","line":53,"in_reply_to":"3fa7e38b_a4734980","updated":"2019-09-20 10:31:48.000000000","message":"yes, processutils.execute can raise exceptions and report errors where necessary. IMHO, I think that\u0027s enough for now. 
:)","commit_id":"0af51302a4fe0fc03b6d3b3664d70067ca843716"},{"author":{"_account_id":25738,"name":"Xinran WANG","email":"xin-ran.wang@intel.com","username":"Xinran"},"change_message_id":"6e1b687bcc52fad5acf9ebf225d4d686b5d335cb","unresolved":false,"context_lines":[{"line_number":61,"context_line":""},{"line_number":62,"context_line":"def discover_vendors():"},{"line_number":63,"context_line":"    vendors \u003d set()"},{"line_number":64,"context_line":"    gpus \u003d get_pci_devices(GPU_FLAGS)"},{"line_number":65,"context_line":"    for gpu in gpus:"},{"line_number":66,"context_line":"        m \u003d GPU_INFO_PATTERN.match(gpu)"},{"line_number":67,"context_line":"        if m:"}],"source_content_type":"text/x-python","patch_set":13,"id":"3fa7e38b_af124757","line":64,"range":{"start_line":64,"start_character":11,"end_line":64,"end_character":37},"updated":"2019-09-19 02:16:53.000000000","message":"redundant use of get_pci_devices, here and discover_gpus. Can we get rid of it, for example, let lspci_privileged() return both vendor and gpus.","commit_id":"0af51302a4fe0fc03b6d3b3664d70067ca843716"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"2c5e4571d5f1c28d8c78a8c45f7d0754e21c23ff","unresolved":false,"context_lines":[{"line_number":61,"context_line":""},{"line_number":62,"context_line":"def discover_vendors():"},{"line_number":63,"context_line":"    vendors \u003d set()"},{"line_number":64,"context_line":"    gpus \u003d get_pci_devices(GPU_FLAGS)"},{"line_number":65,"context_line":"    for gpu in gpus:"},{"line_number":66,"context_line":"        m \u003d GPU_INFO_PATTERN.match(gpu)"},{"line_number":67,"context_line":"        if m:"}],"source_content_type":"text/x-python","patch_set":13,"id":"3fa7e38b_e7f84ac5","line":64,"range":{"start_line":64,"start_character":11,"end_line":64,"end_character":37},"in_reply_to":"3fa7e38b_af124757","updated":"2019-09-20 
10:31:48.000000000","message":"Thanks, Xinran! Please correct me if I misunderstood your comments. IMHO, I don\u0027t see it as a redundant use, because get_pci_device() returns either [1]all gpus or [2]gpus of one vendor, which will be used by discover_vendors() and discover_gpus() respectively.  if we let lspci_privileged() return both vendors and gpus, we will still need to call once in discover_vendors() to get vendors and call again in discover_gpus() to extract gpus of one vendor. we cannot avoid involking it twice.","commit_id":"0af51302a4fe0fc03b6d3b3664d70067ca843716"},{"author":{"_account_id":25738,"name":"Xinran WANG","email":"xin-ran.wang@intel.com","username":"Xinran"},"change_message_id":"09278d94067d20e2427c6e6fd34185c86eb16ccb","unresolved":false,"context_lines":[{"line_number":61,"context_line":""},{"line_number":62,"context_line":"def discover_vendors():"},{"line_number":63,"context_line":"    vendors \u003d set()"},{"line_number":64,"context_line":"    gpus \u003d get_pci_devices(GPU_FLAGS)"},{"line_number":65,"context_line":"    for gpu in gpus:"},{"line_number":66,"context_line":"        m \u003d GPU_INFO_PATTERN.match(gpu)"},{"line_number":67,"context_line":"        if m:"}],"source_content_type":"text/x-python","patch_set":13,"id":"3fa7e38b_03bf68b0","line":64,"range":{"start_line":64,"start_character":11,"end_line":64,"end_character":37},"in_reply_to":"3fa7e38b_e7f84ac5","updated":"2019-09-24 06:22:26.000000000","message":"Thanks for your explanation,  we need get_device_devices for both discover vendor and discover gpus, if we can not avoid invoking it twice, it is ok for me.","commit_id":"0af51302a4fe0fc03b6d3b3664d70067ca843716"},{"author":{"_account_id":14107,"name":"zhurong","email":"aaronzhu1121@gmail.com","username":"zhurong"},"change_message_id":"909ada0696abfa3a0e6f2741b482d376109bd427","unresolved":false,"context_lines":[{"line_number":49,"context_line":"    return 
processutils.execute(*cmd)"},{"line_number":50,"context_line":""},{"line_number":51,"context_line":""},{"line_number":52,"context_line":"def get_pci_devices(pci_flags, vendor_id\u003d\"\"):"},{"line_number":53,"context_line":"    device_for_vendor_out \u003d []"},{"line_number":54,"context_line":"    all_device_out \u003d []"},{"line_number":55,"context_line":"    lspci_out \u003d lspci_privileged()[0].split(\u0027\\n\u0027)"}],"source_content_type":"text/x-python","patch_set":15,"id":"3fa7e38b_d13d93dd","line":52,"range":{"start_line":52,"start_character":31,"end_line":52,"end_character":43},"updated":"2019-09-24 10:58:22.000000000","message":"You didn\u0027t change vendor_id\u003dNone here","commit_id":"00705e303a2f1a8394a3c6a891738040de18ff89"}],"cyborg/conf/default.py":[{"author":{"_account_id":14107,"name":"zhurong","email":"aaronzhu1121@gmail.com","username":"zhurong"},"change_message_id":"0d4be7e89636d60eee9ccc799de96ff38f9c9b88","unresolved":false,"context_lines":[{"line_number":106,"context_line":""},{"line_number":107,"context_line":""},{"line_number":108,"context_line":"DEFAULT_OPTS \u003d (exc_log_opts + service_opts + path_opts)"},{"line_number":109,"context_line":"PLACEMENT_OPTS \u003d (placement_opts)"},{"line_number":110,"context_line":""},{"line_number":111,"context_line":""},{"line_number":112,"context_line":"def list_opts():"}],"source_content_type":"text/x-python","patch_set":13,"id":"3fa7e38b_d5317bee","line":109,"range":{"start_line":109,"start_character":0,"end_line":109,"end_character":33},"updated":"2019-09-17 07:27:58.000000000","message":"unreleated change","commit_id":"0af51302a4fe0fc03b6d3b3664d70067ca843716"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"2c5e4571d5f1c28d8c78a8c45f7d0754e21c23ff","unresolved":false,"context_lines":[{"line_number":106,"context_line":""},{"line_number":107,"context_line":""},{"line_number":108,"context_line":"DEFAULT_OPTS 
\u003d (exc_log_opts + service_opts + path_opts)"},{"line_number":109,"context_line":"PLACEMENT_OPTS \u003d (placement_opts)"},{"line_number":110,"context_line":""},{"line_number":111,"context_line":""},{"line_number":112,"context_line":"def list_opts():"}],"source_content_type":"text/x-python","patch_set":13,"id":"3fa7e38b_e6606135","line":109,"range":{"start_line":109,"start_character":0,"end_line":109,"end_character":33},"in_reply_to":"3fa7e38b_d5317bee","updated":"2019-09-20 10:31:48.000000000","message":"Done","commit_id":"0af51302a4fe0fc03b6d3b3664d70067ca843716"}],"cyborg/privsep/__init__.py":[{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"ab8c9034163b1c948ec2bdbdf4d0adea54888119","unresolved":false,"context_lines":[{"line_number":20,"context_line":"    \u0027cyborg\u0027,"},{"line_number":21,"context_line":"    cfg_section\u003d\u0027cyborg_sys_admin\u0027,"},{"line_number":22,"context_line":"    pypath\u003d__name__ + \u0027.sys_admin_pctxt\u0027,"},{"line_number":23,"context_line":"    capabilities\u003d[capabilities.CAP_CHOWN,"},{"line_number":24,"context_line":"                  capabilities.CAP_DAC_OVERRIDE,"},{"line_number":25,"context_line":"                  capabilities.CAP_DAC_READ_SEARCH,"},{"line_number":26,"context_line":"                  capabilities.CAP_FOWNER,"},{"line_number":27,"context_line":"                  capabilities.CAP_NET_ADMIN,"},{"line_number":28,"context_line":"                  capabilities.CAP_SYS_ADMIN],"},{"line_number":29,"context_line":")"}],"source_content_type":"text/x-python","patch_set":8,"id":"7faddb67_170ab826","line":28,"range":{"start_line":23,"start_character":3,"end_line":28,"end_character":46},"updated":"2019-08-22 23:30:53.000000000","message":"this is way to many capablities.\n\nyou ideally should have multiple privsep context.\n\ncurrently cybog does not do any networking so there is no reason for CAP_NET_ADMIN\n\nwith the 
current set you can read/write/execute any file as well as modify networking and other namespaces. this is effectively full root access and is not secure at all.\n\nos-vif needs CAP_NET_ADMIN and nothing else\n\nhttps://github.com/openstack/os-vif/blob/master/vif_plug_ovs/privsep.py\n\nif we need another capability we would define a second privsep context.\n\nto achieve best security you would want to break this into at least 3 contexts\n\nfile capabilities\n  capabilities\u003d[capabilities.CAP_CHOWN,\n                  capabilities.CAP_DAC_OVERRIDE,\n                  capabilities.CAP_DAC_READ_SEARCH,\n                  capabilities.CAP_FOWNER,\n               ],\n\nnetwork (cyborg probably does not need this)\n  capabilities\u003d[capabilities.CAP_NET_ADMIN,]\n\nsystem capabilities.\ncapabilities\u003d[capabilities.CAP_SYS_ADMIN],\n\nif you avoid nothing else from nova you should avoid following nova\u0027s example here and create minimally privileged contexts from the start rather than trying to lock it down later. 
which we are going to have to do in nova soon.","commit_id":"a93a951aa067700644b9266eb53d17ae60312c98"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"9830751912582b29695bd8c1bf04c17e5710e29e","unresolved":false,"context_lines":[{"line_number":20,"context_line":"    \u0027cyborg\u0027,"},{"line_number":21,"context_line":"    cfg_section\u003d\u0027cyborg_sys_admin\u0027,"},{"line_number":22,"context_line":"    pypath\u003d__name__ + \u0027.sys_admin_pctxt\u0027,"},{"line_number":23,"context_line":"    capabilities\u003d[capabilities.CAP_CHOWN,"},{"line_number":24,"context_line":"                  capabilities.CAP_DAC_OVERRIDE,"},{"line_number":25,"context_line":"                  capabilities.CAP_DAC_READ_SEARCH,"},{"line_number":26,"context_line":"                  capabilities.CAP_FOWNER,"},{"line_number":27,"context_line":"                  capabilities.CAP_NET_ADMIN,"},{"line_number":28,"context_line":"                  capabilities.CAP_SYS_ADMIN],"},{"line_number":29,"context_line":")"}],"source_content_type":"text/x-python","patch_set":8,"id":"5faad753_859ffe5d","line":28,"range":{"start_line":23,"start_character":3,"end_line":28,"end_character":46},"in_reply_to":"7faddb67_170ab826","updated":"2019-09-11 10:39:47.000000000","message":"Thanks! Sean. You are so right! cyborg does not need CAP_NET_ADMIN now, I will delete it and add in the future if necessary. and also add a TODO(separate privsep context) here first. 
and to discuss with others to see if we need separate now or later.","commit_id":"a93a951aa067700644b9266eb53d17ae60312c98"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"47709f676b4e8c4e35595eb429ef3ed861c94d92","unresolved":false,"context_lines":[{"line_number":20,"context_line":"    \u0027cyborg\u0027,"},{"line_number":21,"context_line":"    cfg_section\u003d\u0027cyborg_sys_admin\u0027,"},{"line_number":22,"context_line":"    pypath\u003d__name__ + \u0027.sys_admin_pctxt\u0027,"},{"line_number":23,"context_line":"    # TODO(yumeng):"},{"line_number":24,"context_line":"    # CAP_SYS_ADMIN has a lot of scary powers, so"},{"line_number":25,"context_line":"    # consider breaking this out into a separate minimal context."},{"line_number":26,"context_line":"    capabilities\u003d[capabilities.CAP_CHOWN,"},{"line_number":27,"context_line":"                  capabilities.CAP_DAC_OVERRIDE,"},{"line_number":28,"context_line":"                  capabilities.CAP_DAC_READ_SEARCH,"}],"source_content_type":"text/x-python","patch_set":9,"id":"5faad753_05846ed3","line":25,"range":{"start_line":23,"start_character":2,"end_line":25,"end_character":65},"updated":"2019-09-11 10:39:17.000000000","message":"ya i would probably make this two separate contexts\n\nsys admin on its own \nand then the rest as a file context.\n\n\nthe other caps without sys admin already allow you to read and write any standard file on the filesystem that is owned by any user.\n\nit won\u0027t allow you to write to some virtual file system files which need cap sys admin or some ore caps that cap sys admin need\n\ne.g. 
i dont think you can write to fils in /proc/sys without cap sys admin but you can write to anytihng in /etc\n\nwith the current contxt you can do most of what root can do but you can moify host networking which is an improvment.\n\nwell unless you modify network manager/ systemd service files..\n\nsmall contexts are better but this is better then granting everthing","commit_id":"c536cd732b03bfc541bdf8719d9a72fdd14c3b9f"}],"cyborg/privsep/lsgpu.py":[{"author":{"_account_id":20722,"name":"Yikun Jiang","email":"yikunkero@gmail.com","username":"yikunkero"},"change_message_id":"956c88624841b01a366934f7f1408d99d26468d0","unresolved":false,"context_lines":[{"line_number":19,"context_line":"from oslo_concurrency import processutils"},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"import cyborg.privsep"},{"line_number":22,"context_line":""},{"line_number":23,"context_line":""},{"line_number":24,"context_line":"@cyborg.privsep.sys_admin_pctxt.entrypoint"},{"line_number":25,"context_line":"def list_gpus(GPU_FLAGS):"}],"source_content_type":"text/x-python","patch_set":2,"id":"7faddb67_379abb61","line":22,"updated":"2019-08-01 09:01:00.000000000","message":"and we can also change the lsgpu.py to lspci, :)","commit_id":"d89540ce96fcf8408389804510e6e41558611854"},{"author":{"_account_id":21672,"name":"Sundar Nadathur","email":"sundar.nadathur@intel.com","username":"nsundar"},"change_message_id":"542723f13dcea1b70179bd29f76f2152711986d1","unresolved":false,"context_lines":[{"line_number":19,"context_line":"from oslo_concurrency import processutils"},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"import cyborg.privsep"},{"line_number":22,"context_line":""},{"line_number":23,"context_line":""},{"line_number":24,"context_line":"@cyborg.privsep.sys_admin_pctxt.entrypoint"},{"line_number":25,"context_line":"def 
list_gpus(GPU_FLAGS):"}],"source_content_type":"text/x-python","patch_set":2,"id":"7faddb67_deaec22c","line":22,"in_reply_to":"7faddb67_379abb61","updated":"2019-08-03 00:33:48.000000000","message":"In fact, this file could be used for executing any command in a secure way, including FPGA commands. Can we call it commands.py or something like that?","commit_id":"d89540ce96fcf8408389804510e6e41558611854"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"1945443b05eb6967cd8078387fb7179b652f778c","unresolved":false,"context_lines":[{"line_number":19,"context_line":"from oslo_concurrency import processutils"},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"import cyborg.privsep"},{"line_number":22,"context_line":""},{"line_number":23,"context_line":""},{"line_number":24,"context_line":"@cyborg.privsep.sys_admin_pctxt.entrypoint"},{"line_number":25,"context_line":"def list_gpus(GPU_FLAGS):"}],"source_content_type":"text/x-python","patch_set":2,"id":"7faddb67_a994e08b","line":22,"in_reply_to":"7faddb67_379abb61","updated":"2019-08-05 12:41:31.000000000","message":"thx Yikun, lspci.py is better than lsgpu.py since we can also reuse it to discover FPGA devices.\ndone","commit_id":"d89540ce96fcf8408389804510e6e41558611854"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"82c221050486c297e3965e4c85e48b108b8f7ae7","unresolved":false,"context_lines":[{"line_number":19,"context_line":"from oslo_concurrency import processutils"},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"import cyborg.privsep"},{"line_number":22,"context_line":""},{"line_number":23,"context_line":""},{"line_number":24,"context_line":"@cyborg.privsep.sys_admin_pctxt.entrypoint"},{"line_number":25,"context_line":"def 
list_gpus(GPU_FLAGS):"}],"source_content_type":"text/x-python","patch_set":2,"id":"7faddb67_a977f29f","line":22,"in_reply_to":"7faddb67_65004435","updated":"2019-08-06 06:26:26.000000000","message":"ok. Thanks Sundar","commit_id":"d89540ce96fcf8408389804510e6e41558611854"},{"author":{"_account_id":21672,"name":"Sundar Nadathur","email":"sundar.nadathur@intel.com","username":"nsundar"},"change_message_id":"13ac0764a4d0d92491db8bcbeca6dc232b289ee2","unresolved":false,"context_lines":[{"line_number":19,"context_line":"from oslo_concurrency import processutils"},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"import cyborg.privsep"},{"line_number":22,"context_line":""},{"line_number":23,"context_line":""},{"line_number":24,"context_line":"@cyborg.privsep.sys_admin_pctxt.entrypoint"},{"line_number":25,"context_line":"def list_gpus(GPU_FLAGS):"}],"source_content_type":"text/x-python","patch_set":2,"id":"7faddb67_65004435","line":22,"in_reply_to":"7faddb67_a96620ec","updated":"2019-08-05 19:17:30.000000000","message":"I had suggested a more general name than lspci.py, such as commands.py. :) But that is ok -- we could also have separate files for FPGA programming. 
So, we can leave this file as \u0027lspci.py\u0027.","commit_id":"d89540ce96fcf8408389804510e6e41558611854"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"1945443b05eb6967cd8078387fb7179b652f778c","unresolved":false,"context_lines":[{"line_number":19,"context_line":"from oslo_concurrency import processutils"},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"import cyborg.privsep"},{"line_number":22,"context_line":""},{"line_number":23,"context_line":""},{"line_number":24,"context_line":"@cyborg.privsep.sys_admin_pctxt.entrypoint"},{"line_number":25,"context_line":"def list_gpus(GPU_FLAGS):"}],"source_content_type":"text/x-python","patch_set":2,"id":"7faddb67_a96620ec","line":22,"in_reply_to":"7faddb67_deaec22c","updated":"2019-08-05 12:41:31.000000000","message":"Yes, exactly! Thx Sundar.\nDone","commit_id":"d89540ce96fcf8408389804510e6e41558611854"},{"author":{"_account_id":20722,"name":"Yikun Jiang","email":"yikunkero@gmail.com","username":"yikunkero"},"change_message_id":"bc799a18f526ee946bd692d0ffab0d32eba3bcec","unresolved":false,"context_lines":[{"line_number":22,"context_line":""},{"line_number":23,"context_line":""},{"line_number":24,"context_line":"@cyborg.privsep.sys_admin_pctxt.entrypoint"},{"line_number":25,"context_line":"def list_gpus(GPU_FLAGS):"},{"line_number":26,"context_line":"    processutils.execute(\u0027lspci\u0027, \u0027-nnn\u0027, \u0027-D\u0027, \u0027|\u0027, \u0027grep\u0027,"},{"line_number":27,"context_line":"                         \u0027-E\u0027, \u0027%s\u0027 % GPU_FLAGS)"},{"line_number":28,"context_line":""}],"source_content_type":"text/x-python","patch_set":2,"id":"7faddb67_97eccff4","line":25,"range":{"start_line":25,"start_character":4,"end_line":25,"end_character":13},"updated":"2019-08-01 08:57:32.000000000","message":"Could we change it to a common function to get pci devices?\n\nlike:\n\ndef list_pci(PCI_FLAGS):\n    
processutils.execute(\u0027lspci\u0027, \u0027-nnn\u0027, \u0027-D\u0027, \u0027|\u0027, \u0027grep\u0027,\n                         \u0027-E\u0027, \u0027%s\u0027 % PCI_FLAGS)","commit_id":"d89540ce96fcf8408389804510e6e41558611854"},{"author":{"_account_id":20722,"name":"Yikun Jiang","email":"yikunkero@gmail.com","username":"yikunkero"},"change_message_id":"6fac32030dfab985bf7a08cfbfdfb3fcfb3a3e30","unresolved":false,"context_lines":[{"line_number":22,"context_line":""},{"line_number":23,"context_line":""},{"line_number":24,"context_line":"@cyborg.privsep.sys_admin_pctxt.entrypoint"},{"line_number":25,"context_line":"def list_gpus(GPU_FLAGS):"},{"line_number":26,"context_line":"    processutils.execute(\u0027lspci\u0027, \u0027-nnn\u0027, \u0027-D\u0027, \u0027|\u0027, \u0027grep\u0027,"},{"line_number":27,"context_line":"                         \u0027-E\u0027, \u0027%s\u0027 % GPU_FLAGS)"},{"line_number":28,"context_line":""}],"source_content_type":"text/x-python","patch_set":2,"id":"7faddb67_37015b6b","line":25,"range":{"start_line":25,"start_character":14,"end_line":25,"end_character":23},"updated":"2019-08-01 09:07:25.000000000","message":"The FLAGS can be a tuple like\nFLAGS\u003d()\nand \nprocessutils.execute(\u0027lspci\u0027, \u0027-nnn\u0027, \u0027-D\u0027, \u0027|\u0027, \u0027grep\u0027,\n                         \u0027-E\u0027, \"|\".join(GPU_FLAGS))","commit_id":"d89540ce96fcf8408389804510e6e41558611854"},{"author":{"_account_id":21672,"name":"Sundar Nadathur","email":"sundar.nadathur@intel.com","username":"nsundar"},"change_message_id":"542723f13dcea1b70179bd29f76f2152711986d1","unresolved":false,"context_lines":[{"line_number":22,"context_line":""},{"line_number":23,"context_line":""},{"line_number":24,"context_line":"@cyborg.privsep.sys_admin_pctxt.entrypoint"},{"line_number":25,"context_line":"def list_gpus(GPU_FLAGS):"},{"line_number":26,"context_line":"    processutils.execute(\u0027lspci\u0027, \u0027-nnn\u0027, \u0027-D\u0027, \u0027|\u0027, 
\u0027grep\u0027,"},{"line_number":27,"context_line":"                         \u0027-E\u0027, \u0027%s\u0027 % GPU_FLAGS)"},{"line_number":28,"context_line":""}],"source_content_type":"text/x-python","patch_set":2,"id":"7faddb67_fe437e6a","line":25,"range":{"start_line":25,"start_character":14,"end_line":25,"end_character":23},"in_reply_to":"7faddb67_37015b6b","updated":"2019-08-03 00:33:48.000000000","message":"+1","commit_id":"d89540ce96fcf8408389804510e6e41558611854"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"1945443b05eb6967cd8078387fb7179b652f778c","unresolved":false,"context_lines":[{"line_number":22,"context_line":""},{"line_number":23,"context_line":""},{"line_number":24,"context_line":"@cyborg.privsep.sys_admin_pctxt.entrypoint"},{"line_number":25,"context_line":"def list_gpus(GPU_FLAGS):"},{"line_number":26,"context_line":"    processutils.execute(\u0027lspci\u0027, \u0027-nnn\u0027, \u0027-D\u0027, \u0027|\u0027, \u0027grep\u0027,"},{"line_number":27,"context_line":"                         \u0027-E\u0027, \u0027%s\u0027 % GPU_FLAGS)"},{"line_number":28,"context_line":""}],"source_content_type":"text/x-python","patch_set":2,"id":"7faddb67_69b82810","line":25,"range":{"start_line":25,"start_character":14,"end_line":25,"end_character":23},"in_reply_to":"7faddb67_37015b6b","updated":"2019-08-05 12:41:31.000000000","message":"sorry, I didn\u0027t see much difference between changing to a tuple and keeping as a list. 
Could you explain the motivation?","commit_id":"d89540ce96fcf8408389804510e6e41558611854"},{"author":{"_account_id":20722,"name":"Yikun Jiang","email":"yikunkero@gmail.com","username":"yikunkero"},"change_message_id":"ff06f11ff99ba28d30eb2591978ad0f996dcabfe","unresolved":false,"context_lines":[{"line_number":22,"context_line":""},{"line_number":23,"context_line":""},{"line_number":24,"context_line":"@cyborg.privsep.sys_admin_pctxt.entrypoint"},{"line_number":25,"context_line":"def list_gpus(GPU_FLAGS):"},{"line_number":26,"context_line":"    processutils.execute(\u0027lspci\u0027, \u0027-nnn\u0027, \u0027-D\u0027, \u0027|\u0027, \u0027grep\u0027,"},{"line_number":27,"context_line":"                         \u0027-E\u0027, \u0027%s\u0027 % GPU_FLAGS)"},{"line_number":28,"context_line":""}],"source_content_type":"text/x-python","patch_set":2,"id":"7faddb67_5cb3a198","line":25,"range":{"start_line":25,"start_character":14,"end_line":25,"end_character":23},"in_reply_to":"7faddb67_5c8ac1be","updated":"2019-08-06 03:45:39.000000000","message":"and my idea is only for the pci_flags can be expand in list_pci(\"|\".join(xxx)), this arg is not the default.\n\nSo, the list and tuple are also okay to me","commit_id":"d89540ce96fcf8408389804510e6e41558611854"},{"author":{"_account_id":20722,"name":"Yikun Jiang","email":"yikunkero@gmail.com","username":"yikunkero"},"change_message_id":"6fe84fecf38677430028286a4904704201d3cc5a","unresolved":false,"context_lines":[{"line_number":22,"context_line":""},{"line_number":23,"context_line":""},{"line_number":24,"context_line":"@cyborg.privsep.sys_admin_pctxt.entrypoint"},{"line_number":25,"context_line":"def list_gpus(GPU_FLAGS):"},{"line_number":26,"context_line":"    processutils.execute(\u0027lspci\u0027, \u0027-nnn\u0027, \u0027-D\u0027, \u0027|\u0027, \u0027grep\u0027,"},{"line_number":27,"context_line":"                         \u0027-E\u0027, \u0027%s\u0027 % 
GPU_FLAGS)"},{"line_number":28,"context_line":""}],"source_content_type":"text/x-python","patch_set":2,"id":"7faddb67_5c8ac1be","line":25,"range":{"start_line":25,"start_character":14,"end_line":25,"end_character":23},"in_reply_to":"7faddb67_69b82810","updated":"2019-08-06 03:41:51.000000000","message":"I guess the sundar\u0027s +1 is also based on the rules like:\n\nhttp://pylint-messages.wikidot.com/messages:w0102","commit_id":"d89540ce96fcf8408389804510e6e41558611854"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"1945443b05eb6967cd8078387fb7179b652f778c","unresolved":false,"context_lines":[{"line_number":22,"context_line":""},{"line_number":23,"context_line":""},{"line_number":24,"context_line":"@cyborg.privsep.sys_admin_pctxt.entrypoint"},{"line_number":25,"context_line":"def list_gpus(GPU_FLAGS):"},{"line_number":26,"context_line":"    processutils.execute(\u0027lspci\u0027, \u0027-nnn\u0027, \u0027-D\u0027, \u0027|\u0027, \u0027grep\u0027,"},{"line_number":27,"context_line":"                         \u0027-E\u0027, \u0027%s\u0027 % GPU_FLAGS)"},{"line_number":28,"context_line":""}],"source_content_type":"text/x-python","patch_set":2,"id":"7faddb67_09ebb412","line":25,"range":{"start_line":25,"start_character":4,"end_line":25,"end_character":13},"in_reply_to":"7faddb67_97eccff4","updated":"2019-08-05 12:41:31.000000000","message":"Done","commit_id":"d89540ce96fcf8408389804510e6e41558611854"},{"author":{"_account_id":20722,"name":"Yikun Jiang","email":"yikunkero@gmail.com","username":"yikunkero"},"change_message_id":"bc799a18f526ee946bd692d0ffab0d32eba3bcec","unresolved":false,"context_lines":[{"line_number":28,"context_line":""},{"line_number":29,"context_line":""},{"line_number":30,"context_line":"@cyborg.privsep.sys_admin_pctxt.entrypoint"},{"line_number":31,"context_line":"def get_gpus_for_vendor(GPU_FLAGS, vendor_id):"},{"line_number":32,"context_line":"        
processutils.execute(\u0027lspci\u0027, \u0027-nnn\u0027, \u0027-D\u0027, \u0027|\u0027, \u0027grep\u0027,"},{"line_number":33,"context_line":"                             \u0027-E\u0027, \u0027%s\u0027 % GPU_FLAGS, \u0027|\u0027, \u0027grep\u0027,"},{"line_number":34,"context_line":"                             vendor_id)"}],"source_content_type":"text/x-python","patch_set":2,"id":"7faddb67_b7e9cbe3","line":31,"updated":"2019-08-01 08:57:32.000000000","message":"ditto","commit_id":"d89540ce96fcf8408389804510e6e41558611854"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"1945443b05eb6967cd8078387fb7179b652f778c","unresolved":false,"context_lines":[{"line_number":28,"context_line":""},{"line_number":29,"context_line":""},{"line_number":30,"context_line":"@cyborg.privsep.sys_admin_pctxt.entrypoint"},{"line_number":31,"context_line":"def get_gpus_for_vendor(GPU_FLAGS, vendor_id):"},{"line_number":32,"context_line":"        processutils.execute(\u0027lspci\u0027, \u0027-nnn\u0027, \u0027-D\u0027, \u0027|\u0027, \u0027grep\u0027,"},{"line_number":33,"context_line":"                             \u0027-E\u0027, \u0027%s\u0027 % GPU_FLAGS, \u0027|\u0027, \u0027grep\u0027,"},{"line_number":34,"context_line":"                             vendor_id)"}],"source_content_type":"text/x-python","patch_set":2,"id":"7faddb67_49520ce0","line":31,"in_reply_to":"7faddb67_b7e9cbe3","updated":"2019-08-05 12:41:31.000000000","message":"Done","commit_id":"d89540ce96fcf8408389804510e6e41558611854"}],"cyborg/privsep/lspci.py":[{"author":{"_account_id":28748,"name":"chenker","email":"chen.ke14@zte.com.cn","username":"chenke"},"change_message_id":"ce529ec86a100b8069513ab01078d740281ffc60","unresolved":false,"context_lines":[{"line_number":27,"context_line":"    return processutils.execute(*cmd)"},{"line_number":28,"context_line":""},{"line_number":29,"context_line":""},{"line_number":30,"context_line":"def 
get_pci_devices(PCI_FLAGS):"},{"line_number":31,"context_line":"    out \u003d []"},{"line_number":32,"context_line":"    lspci_out \u003d cyborg.privsep.lspci.lspci()[0].split(\u0027\\n\u0027)"},{"line_number":33,"context_line":"    for i in range(len(lspci_out)):"}],"source_content_type":"text/x-python","patch_set":7,"id":"7faddb67_f4d7cfed","line":30,"range":{"start_line":30,"start_character":20,"end_line":30,"end_character":29},"updated":"2019-08-08 11:28:34.000000000","message":"Hi, Yumeng. Why not use pci_flags, This var seems not the const var.","commit_id":"2b3f598e9a66cb67439e53c7b8db9ab209dc342f"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"ab8c9034163b1c948ec2bdbdf4d0adea54888119","unresolved":false,"context_lines":[{"line_number":26,"context_line":"    cmd \u003d [\u0027lspci\u0027, \u0027-nnn\u0027, \u0027-D\u0027]"},{"line_number":27,"context_line":"    return processutils.execute(*cmd)"},{"line_number":28,"context_line":""},{"line_number":29,"context_line":""},{"line_number":30,"context_line":"def get_pci_devices(pci_flags):"},{"line_number":31,"context_line":"    out \u003d []"},{"line_number":32,"context_line":"    lspci_out \u003d cyborg.privsep.lspci.lspci()[0].split(\u0027\\n\u0027)"},{"line_number":33,"context_line":"    for i in range(len(lspci_out)):"},{"line_number":34,"context_line":"        if any(x in lspci_out[i] for x in pci_flags):"},{"line_number":35,"context_line":"            out.append(lspci_out[i])"},{"line_number":36,"context_line":"        else:"},{"line_number":37,"context_line":"            continue"},{"line_number":38,"context_line":"    return out"},{"line_number":39,"context_line":""},{"line_number":40,"context_line":""},{"line_number":41,"context_line":"def get_pci_devices_for_vendor(pci_flags, vendor_id):"},{"line_number":42,"context_line":"    out \u003d []"},{"line_number":43,"context_line":"    devices_out \u003d 
cyborg.privsep.lspci.get_pci_devices(pci_flags)"},{"line_number":44,"context_line":"    for i in range(len(devices_out)):"},{"line_number":45,"context_line":"        if vendor_id in devices_out[i]:"},{"line_number":46,"context_line":"            out.append(devices_out[i])"},{"line_number":47,"context_line":"        else:"},{"line_number":48,"context_line":"            continue"},{"line_number":49,"context_line":"    return out"}],"source_content_type":"text/x-python","patch_set":8,"id":"7faddb67_1a0f3f30","line":49,"range":{"start_line":29,"start_character":0,"end_line":49,"end_character":14},"updated":"2019-08-22 23:30:53.000000000","message":"note that these functions call a privileged function but are not themselves privileged\n\nthis is actually how you should use privsep but these should not be under a cyborg.privsep module.","commit_id":"a93a951aa067700644b9266eb53d17ae60312c98"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"9830751912582b29695bd8c1bf04c17e5710e29e","unresolved":false,"context_lines":[{"line_number":26,"context_line":"    cmd \u003d [\u0027lspci\u0027, \u0027-nnn\u0027, \u0027-D\u0027]"},{"line_number":27,"context_line":"    return processutils.execute(*cmd)"},{"line_number":28,"context_line":""},{"line_number":29,"context_line":""},{"line_number":30,"context_line":"def get_pci_devices(pci_flags):"},{"line_number":31,"context_line":"    out \u003d []"},{"line_number":32,"context_line":"    lspci_out \u003d cyborg.privsep.lspci.lspci()[0].split(\u0027\\n\u0027)"},{"line_number":33,"context_line":"    for i in range(len(lspci_out)):"},{"line_number":34,"context_line":"        if any(x in lspci_out[i] for x in pci_flags):"},{"line_number":35,"context_line":"            out.append(lspci_out[i])"},{"line_number":36,"context_line":"        else:"},{"line_number":37,"context_line":"            continue"},{"line_number":38,"context_line":"    return 
out"},{"line_number":39,"context_line":""},{"line_number":40,"context_line":""},{"line_number":41,"context_line":"def get_pci_devices_for_vendor(pci_flags, vendor_id):"},{"line_number":42,"context_line":"    out \u003d []"},{"line_number":43,"context_line":"    devices_out \u003d cyborg.privsep.lspci.get_pci_devices(pci_flags)"},{"line_number":44,"context_line":"    for i in range(len(devices_out)):"},{"line_number":45,"context_line":"        if vendor_id in devices_out[i]:"},{"line_number":46,"context_line":"            out.append(devices_out[i])"},{"line_number":47,"context_line":"        else:"},{"line_number":48,"context_line":"            continue"},{"line_number":49,"context_line":"    return out"}],"source_content_type":"text/x-python","patch_set":8,"id":"5faad753_658e822f","line":49,"range":{"start_line":29,"start_character":0,"end_line":49,"end_character":14},"in_reply_to":"7faddb67_1a0f3f30","updated":"2019-09-11 10:39:47.000000000","message":"Done","commit_id":"a93a951aa067700644b9266eb53d17ae60312c98"}],"etc/cyborg/rootwrap.d/acceleration.filters":[{"author":{"_account_id":14107,"name":"zhurong","email":"aaronzhu1121@gmail.com","username":"zhurong"},"change_message_id":"909ada0696abfa3a0e6f2741b482d376109bd427","unresolved":false,"context_lines":[{"line_number":1,"context_line":"# cyborg-rootwrap command filters for acceleration nodes"},{"line_number":2,"context_line":"# This file should be owned by (and only-writeable by) the root user"}],"source_content_type":"application/octet-stream","patch_set":15,"id":"3fa7e38b_312c27ab","side":"PARENT","line":1,"updated":"2019-09-24 10:58:22.000000000","message":"this file will be delete in https://review.opendev.org/#/c/684213/ this patch","commit_id":"04bbd98e862f283e35b6c9a67214da95db3235af"}],"releasenotes/notes/switch_to_oslo_privsep-4fc6e15360c92772.yaml":[{"author":{"_account_id":11604,"name":"sean 
mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"ab8c9034163b1c948ec2bdbdf4d0adea54888119","unresolved":false,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"security:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    Privsep transitions. Cyborg is transitioning from using the older"},{"line_number":5,"context_line":"    style rootwrap privilege escalation path to the new style Oslo privsep"},{"line_number":6,"context_line":"    path. This should improve performance and security of Cyborg"},{"line_number":7,"context_line":"    in the long term."},{"line_number":8,"context_line":"  - |"},{"line_number":9,"context_line":"    Privsep daemons are now started by Cyborg when required. These"},{"line_number":10,"context_line":"    daemons can be started via rootwrap if required. rootwrap configs"}],"source_content_type":"text/x-yaml","patch_set":8,"id":"7faddb67_77e8ccb2","line":7,"range":{"start_line":4,"start_character":4,"end_line":7,"end_character":21},"updated":"2019-08-22 23:30:53.000000000","message":"privsep predates cyborg so im really not sure why cyborge has ever used rootwrap","commit_id":"a93a951aa067700644b9266eb53d17ae60312c98"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"47709f676b4e8c4e35595eb429ef3ed861c94d92","unresolved":false,"context_lines":[{"line_number":2,"context_line":"security:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    Privsep transitions. Cyborg is transitioning from using the older"},{"line_number":5,"context_line":"    style rootwrap privilege escalation path to the new style Oslo privsep"},{"line_number":6,"context_line":"    path. 
This should improve performance and security of Cyborg"},{"line_number":7,"context_line":"    in the long term."},{"line_number":8,"context_line":"  - |"}],"source_content_type":"text/x-yaml","patch_set":9,"id":"5faad753_a5555a1f","line":5,"range":{"start_line":5,"start_character":10,"end_line":5,"end_character":43},"updated":"2019-09-11 10:39:17.000000000","message":"i don\u0027t think cyborg actually used rootwrap before, by the way. ye were just calling sudo directly but had no rootwrap configs","commit_id":"c536cd732b03bfc541bdf8719d9a72fdd14c3b9f"},{"author":{"_account_id":14107,"name":"zhurong","email":"aaronzhu1121@gmail.com","username":"zhurong"},"change_message_id":"0d4be7e89636d60eee9ccc799de96ff38f9c9b88","unresolved":false,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"security:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    Privsep transitions. Cyborg is transitioning from using the older"}],"source_content_type":"text/x-yaml","patch_set":13,"id":"3fa7e38b_5574ab99","line":1,"updated":"2019-09-17 07:27:58.000000000","message":"pls also change this releasenote file name","commit_id":"0af51302a4fe0fc03b6d3b3664d70067ca843716"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"2c5e4571d5f1c28d8c78a8c45f7d0754e21c23ff","unresolved":false,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"security:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    Privsep transitions. 
Cyborg is transitioning from using the older"}],"source_content_type":"text/x-yaml","patch_set":13,"id":"3fa7e38b_e6ee2187","line":1,"in_reply_to":"3fa7e38b_5574ab99","updated":"2019-09-20 10:31:48.000000000","message":"Done","commit_id":"0af51302a4fe0fc03b6d3b3664d70067ca843716"}],"requirements.txt":[{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"ab8c9034163b1c948ec2bdbdf4d0adea54888119","unresolved":false,"context_lines":[{"line_number":20,"context_line":"oslo.utils\u003e\u003d3.33.0 # Apache-2.0"},{"line_number":21,"context_line":"oslo.versionedobjects\u003e\u003d1.31.2 # Apache-2.0"},{"line_number":22,"context_line":"oslo.policy\u003e\u003d0.5.0 # Apache-2.0"},{"line_number":23,"context_line":"oslo.rootwrap\u003e\u003d5.8.0 # Apache-2.0"},{"line_number":24,"context_line":"SQLAlchemy\u003e\u003d0.9.0,!\u003d1.1.5,!\u003d1.1.6,!\u003d1.1.7,!\u003d1.1.8 # MIT"},{"line_number":25,"context_line":"alembic\u003e\u003d0.8.10 # MIT"},{"line_number":26,"context_line":"stevedore\u003e\u003d1.5.0 # Apache-2.0"}],"source_content_type":"text/plain","patch_set":8,"id":"7faddb67_57aef081","line":23,"range":{"start_line":23,"start_character":0,"end_line":23,"end_character":33},"updated":"2019-08-22 23:30:53.000000000","message":"rootwrap was intended to be replaced by privsep.\nnew projects should not use it.","commit_id":"a93a951aa067700644b9266eb53d17ae60312c98"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"9830751912582b29695bd8c1bf04c17e5710e29e","unresolved":false,"context_lines":[{"line_number":20,"context_line":"oslo.utils\u003e\u003d3.33.0 # Apache-2.0"},{"line_number":21,"context_line":"oslo.versionedobjects\u003e\u003d1.31.2 # Apache-2.0"},{"line_number":22,"context_line":"oslo.policy\u003e\u003d0.5.0 # Apache-2.0"},{"line_number":23,"context_line":"oslo.rootwrap\u003e\u003d5.8.0 # 
Apache-2.0"},{"line_number":24,"context_line":"SQLAlchemy\u003e\u003d0.9.0,!\u003d1.1.5,!\u003d1.1.6,!\u003d1.1.7,!\u003d1.1.8 # MIT"},{"line_number":25,"context_line":"alembic\u003e\u003d0.8.10 # MIT"},{"line_number":26,"context_line":"stevedore\u003e\u003d1.5.0 # Apache-2.0"}],"source_content_type":"text/plain","patch_set":8,"id":"5faad753_05854e08","line":23,"range":{"start_line":23,"start_character":0,"end_line":23,"end_character":33},"in_reply_to":"7faddb67_57aef081","updated":"2019-09-11 10:39:47.000000000","message":"Done","commit_id":"a93a951aa067700644b9266eb53d17ae60312c98"}],"setup.cfg":[{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"ab8c9034163b1c948ec2bdbdf4d0adea54888119","unresolved":false,"context_lines":[{"line_number":38,"context_line":"    cyborg-dbsync \u003d cyborg.cmd.dbsync:main"},{"line_number":39,"context_line":"    cyborg-agent \u003d cyborg.cmd.agent:main"},{"line_number":40,"context_line":"    cyborg-status \u003d cyborg.cmd.status:main"},{"line_number":41,"context_line":"    cyborg-rootwrap \u003d oslo_rootwrap.cmd:main"},{"line_number":42,"context_line":"wsgi_scripts \u003d"},{"line_number":43,"context_line":"    cyborg-wsgi-api \u003d cyborg.api.wsgi_app:init_application"},{"line_number":44,"context_line":""}],"source_content_type":"text/x-ttcn-cfg","patch_set":8,"id":"7faddb67_b7b964cc","line":41,"range":{"start_line":41,"start_character":4,"end_line":41,"end_character":44},"updated":"2019-08-22 23:30:53.000000000","message":"rootwrap should not be used anymore.","commit_id":"a93a951aa067700644b9266eb53d17ae60312c98"},{"author":{"_account_id":24872,"name":"YumengBao","email":"yumeng_bao@yahoo.com","username":"Yumeng_Bao"},"change_message_id":"9830751912582b29695bd8c1bf04c17e5710e29e","unresolved":false,"context_lines":[{"line_number":38,"context_line":"    cyborg-dbsync \u003d cyborg.cmd.dbsync:main"},{"line_number":39,"context_line":"    cyborg-agent 
\u003d cyborg.cmd.agent:main"},{"line_number":40,"context_line":"    cyborg-status \u003d cyborg.cmd.status:main"},{"line_number":41,"context_line":"    cyborg-rootwrap \u003d oslo_rootwrap.cmd:main"},{"line_number":42,"context_line":"wsgi_scripts \u003d"},{"line_number":43,"context_line":"    cyborg-wsgi-api \u003d cyborg.api.wsgi_app:init_application"},{"line_number":44,"context_line":""}],"source_content_type":"text/x-ttcn-cfg","patch_set":8,"id":"5faad753_c57e5618","line":41,"range":{"start_line":41,"start_character":4,"end_line":41,"end_character":44},"in_reply_to":"7faddb67_b7b964cc","updated":"2019-09-11 10:39:47.000000000","message":"Done","commit_id":"a93a951aa067700644b9266eb53d17ae60312c98"}]}
