)]}'
{"ironic/common/utils.py":[{"author":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"change_message_id":"95f473c299a2ddc93329d148c52adcdeaf4cd01f","unresolved":false,"context_lines":[{"line_number":324,"context_line":"    :raises: processutils.ProcessExecutionError if it failed"},{"line_number":325,"context_line":"        to run the process."},{"line_number":326,"context_line":"    \"\"\""},{"line_number":327,"context_line":"    ironic.privsep.fs.mount(loc, *args)"},{"line_number":328,"context_line":""},{"line_number":329,"context_line":""},{"line_number":330,"context_line":"def check_dir(directory_to_check\u003dNone, required_space\u003d1):"}],"source_content_type":"text/x-python","patch_set":4,"id":"9f560f44_07dabd1b","line":327,"range":{"start_line":327,"start_character":22,"end_line":327,"end_character":27},"updated":"2020-10-05 21:24:09.000000000","message":"this should be umount?","commit_id":"8e9d7b2b3cf34276f516108d0b89d53943108df6"}],"ironic/privsep/__init__.py":[{"author":{"_account_id":15519,"name":"Iury Gregory Melo Ferreira","display_name":"Iury Gregory","email":"iurygregory@gmail.com","username":"iurygregory"},"change_message_id":"34a6758825b11cc817d6fe24ac40bf443e352df0","unresolved":false,"context_lines":[{"line_number":19,"context_line":"    \u0027ironic\u0027,"},{"line_number":20,"context_line":"    cfg_section\u003d\u0027ironic_sys_admin\u0027,"},{"line_number":21,"context_line":"    pypath\u003d__name__ + \u0027.sys_admin_pctxt\u0027,"},{"line_number":22,"context_line":"    capabilities\u003d[capabilities.CAP_CHOWN,"},{"line_number":23,"context_line":"                  capabilities.CAP_DAC_OVERRIDE,"},{"line_number":24,"context_line":"                  capabilities.CAP_DAC_READ_SEARCH,"},{"line_number":25,"context_line":"                  
capabilities.CAP_FOWNER,"}],"source_content_type":"text/x-python","patch_set":1,"id":"ff570b3c_a6410f3c","line":22,"range":{"start_line":22,"start_character":4,"end_line":22,"end_character":16},"updated":"2020-05-18 16:31:03.000000000","message":"Still going to check the capabilities \u003d)","commit_id":"a491884c2862d775d4f4528c4b7e05f8df32a7e6"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"312496ff46732318e6c4765396309e30e53d013c","unresolved":false,"context_lines":[{"line_number":23,"context_line":"                  capabilities.CAP_DAC_OVERRIDE,"},{"line_number":24,"context_line":"                  capabilities.CAP_DAC_READ_SEARCH,"},{"line_number":25,"context_line":"                  capabilities.CAP_FOWNER,"},{"line_number":26,"context_line":"                  capabilities.CAP_NET_ADMIN,"},{"line_number":27,"context_line":"                  capabilities.CAP_SYS_ADMIN],"},{"line_number":28,"context_line":")"}],"source_content_type":"text/x-python","patch_set":4,"id":"ff570b3c_4860f9cf","line":26,"updated":"2020-06-02 20:04:24.000000000","message":"shouldn\u0027t this also be CAP_NET_BIND_SERVICE instead of net admin?","commit_id":"8e9d7b2b3cf34276f516108d0b89d53943108df6"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"0cc93fc0b69e4e3fb5e955eb82f2c506a97cfabb","unresolved":false,"context_lines":[{"line_number":24,"context_line":"                  capabilities.CAP_DAC_READ_SEARCH,"},{"line_number":25,"context_line":"                  capabilities.CAP_FOWNER,"},{"line_number":26,"context_line":"                  capabilities.CAP_NET_ADMIN,"},{"line_number":27,"context_line":"                  
capabilities.CAP_SYS_ADMIN],"},{"line_number":28,"context_line":")"}],"source_content_type":"text/x-python","patch_set":4,"id":"ff570b3c_29bdddb6","line":27,"range":{"start_line":27,"start_character":16,"end_line":27,"end_character":46},"updated":"2020-06-01 23:10:52.000000000","message":"This is functionally root right. Is this right?","commit_id":"8e9d7b2b3cf34276f516108d0b89d53943108df6"},{"author":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"change_message_id":"8f3e0decda206b896f5a839b84d4201ce851f4ab","unresolved":false,"context_lines":[{"line_number":24,"context_line":"                  capabilities.CAP_DAC_READ_SEARCH,"},{"line_number":25,"context_line":"                  capabilities.CAP_FOWNER,"},{"line_number":26,"context_line":"                  capabilities.CAP_NET_ADMIN,"},{"line_number":27,"context_line":"                  capabilities.CAP_SYS_ADMIN],"},{"line_number":28,"context_line":")"}],"source_content_type":"text/x-python","patch_set":4,"id":"9f560f44_075f5d75","line":27,"range":{"start_line":27,"start_character":16,"end_line":27,"end_character":46},"in_reply_to":"9f560f44_350c8741","updated":"2020-10-05 21:29:35.000000000","message":"according to man 2 mount, mount only requires CAP_SYS_ADMIN","commit_id":"8e9d7b2b3cf34276f516108d0b89d53943108df6"},{"author":{"_account_id":15519,"name":"Iury Gregory Melo Ferreira","display_name":"Iury Gregory","email":"iurygregory@gmail.com","username":"iurygregory"},"change_message_id":"1339895c785567709f61033f44862d5660e6d902","unresolved":false,"context_lines":[{"line_number":24,"context_line":"                  capabilities.CAP_DAC_READ_SEARCH,"},{"line_number":25,"context_line":"                  capabilities.CAP_FOWNER,"},{"line_number":26,"context_line":"                  capabilities.CAP_NET_ADMIN,"},{"line_number":27,"context_line":"                  
capabilities.CAP_SYS_ADMIN],"},{"line_number":28,"context_line":")"}],"source_content_type":"text/x-python","patch_set":4,"id":"ff570b3c_3a534f3b","line":27,"range":{"start_line":27,"start_character":16,"end_line":27,"end_character":46},"in_reply_to":"ff570b3c_29bdddb6","updated":"2020-06-02 19:09:11.000000000","message":"Yeah, I\u0027m not 100% sure if we will need since according to [1] \" this capability is overloaded \" ( I probably need to figure out a way to test what capabilities are required by the commands)\n\n[1] https://man7.org/linux/man-pages/man7/capabilities.7.html","commit_id":"8e9d7b2b3cf34276f516108d0b89d53943108df6"},{"author":{"_account_id":16688,"name":"Rodolfo Alonso","email":"ralonsoh@redhat.com","username":"rodolfo-alonso-hernandez"},"change_message_id":"74599fd2d53d82d370727fd0e9fc535ba399df66","unresolved":false,"context_lines":[{"line_number":24,"context_line":"                  capabilities.CAP_DAC_READ_SEARCH,"},{"line_number":25,"context_line":"                  capabilities.CAP_FOWNER,"},{"line_number":26,"context_line":"                  capabilities.CAP_NET_ADMIN,"},{"line_number":27,"context_line":"                  capabilities.CAP_SYS_ADMIN],"},{"line_number":28,"context_line":")"}],"source_content_type":"text/x-python","patch_set":4,"id":"ff570b3c_98b6aef8","line":27,"range":{"start_line":27,"start_character":16,"end_line":27,"end_character":46},"in_reply_to":"ff570b3c_3a534f3b","updated":"2020-06-05 07:48:18.000000000","message":"Just a recommendation, if this kind of capabilities are needed (net_admin or sys_admin): use two privsep contexts, one for mount/umount and another one for iscsiadm.","commit_id":"8e9d7b2b3cf34276f516108d0b89d53943108df6"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a 
Jetpack!"},"change_message_id":"f32bea9bc643e0e23c77a8677e752044c43a31e3","unresolved":false,"context_lines":[{"line_number":24,"context_line":"                  capabilities.CAP_DAC_READ_SEARCH,"},{"line_number":25,"context_line":"                  capabilities.CAP_FOWNER,"},{"line_number":26,"context_line":"                  capabilities.CAP_NET_ADMIN,"},{"line_number":27,"context_line":"                  capabilities.CAP_SYS_ADMIN],"},{"line_number":28,"context_line":")"}],"source_content_type":"text/x-python","patch_set":4,"id":"9f560f44_350c8741","line":27,"range":{"start_line":27,"start_character":16,"end_line":27,"end_character":46},"in_reply_to":"ff570b3c_98b6aef8","updated":"2020-08-13 21:34:05.000000000","message":"++","commit_id":"8e9d7b2b3cf34276f516108d0b89d53943108df6"}],"ironic/privsep/iscsi.py":[{"author":{"_account_id":16688,"name":"Rodolfo Alonso","email":"ralonsoh@redhat.com","username":"rodolfo-alonso-hernandez"},"change_message_id":"b054f70ee1c43f1e9ed10c077a5c95f159630bd8","unresolved":false,"context_lines":[{"line_number":19,"context_line":"def discovery(portal_address, portal_port):"},{"line_number":20,"context_line":"    utils.execute(\u0027iscsiadm\u0027,"},{"line_number":21,"context_line":"                  \u0027-m\u0027, \u0027discovery\u0027,"},{"line_number":22,"context_line":"                  \u0027-t\u0027"},{"line_number":23,"context_line":"                  \u0027-p\u0027, \u0027%s:%s\u0027 % (utils.wrap_ipv6(portal_address),"},{"line_number":24,"context_line":"                                   portal_port),"},{"line_number":25,"context_line":"                  run_as_root\u003dTrue,"}],"source_content_type":"text/x-python","patch_set":2,"id":"ff570b3c_8cab1a73","line":22,"updated":"2020-05-20 15:23:38.000000000","message":"a comma is missing there\n\nthis will execute:\niscsiadm -m discovery -t-p 10.1.0.14:3260\n\ninstead of:\niscsiadm -m discovery -t  -p 
10.1.0.14:3260","commit_id":"018f256c735c6f917320400f659e164d2113a81e"},{"author":{"_account_id":15519,"name":"Iury Gregory Melo Ferreira","display_name":"Iury Gregory","email":"iurygregory@gmail.com","username":"iurygregory"},"change_message_id":"885905086eb3e10099aae5d7934419132ade6a50","unresolved":false,"context_lines":[{"line_number":19,"context_line":"def discovery(portal_address, portal_port):"},{"line_number":20,"context_line":"    utils.execute(\u0027iscsiadm\u0027,"},{"line_number":21,"context_line":"                  \u0027-m\u0027, \u0027discovery\u0027,"},{"line_number":22,"context_line":"                  \u0027-t\u0027"},{"line_number":23,"context_line":"                  \u0027-p\u0027, \u0027%s:%s\u0027 % (utils.wrap_ipv6(portal_address),"},{"line_number":24,"context_line":"                                   portal_port),"},{"line_number":25,"context_line":"                  run_as_root\u003dTrue,"}],"source_content_type":"text/x-python","patch_set":2,"id":"ff570b3c_4c2742cb","line":22,"in_reply_to":"ff570b3c_8cab1a73","updated":"2020-05-20 15:37:16.000000000","message":"Done","commit_id":"018f256c735c6f917320400f659e164d2113a81e"}],"releasenotes/notes/privsep-for-iscsi-9fe6a47b7bd1be82.yaml":[{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"0cc93fc0b69e4e3fb5e955eb82f2c506a97cfabb","unresolved":false,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"upgrade:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    Ironic is transitioning from using the older style rootwrap privilege to"},{"line_number":5,"context_line":"    oslo privsep. This should improve security of Ironic in the long term."},{"line_number":6,"context_line":"  - |"},{"line_number":7,"context_line":"    Privsep daemons are now started by Ironic when required. 
These daemons can"}],"source_content_type":"text/x-yaml","patch_set":4,"id":"ff570b3c_a97a8d20","line":4,"range":{"start_line":4,"start_character":10,"end_line":4,"end_character":14},"updated":"2020-06-01 23:10:52.000000000","message":"Would it not be \"has transitioned\" ?","commit_id":"8e9d7b2b3cf34276f516108d0b89d53943108df6"},{"author":{"_account_id":15519,"name":"Iury Gregory Melo Ferreira","display_name":"Iury Gregory","email":"iurygregory@gmail.com","username":"iurygregory"},"change_message_id":"1339895c785567709f61033f44862d5660e6d902","unresolved":false,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"upgrade:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    Ironic is transitioning from using the older style rootwrap privilege to"},{"line_number":5,"context_line":"    oslo privsep. This should improve security of Ironic in the long term."},{"line_number":6,"context_line":"  - |"},{"line_number":7,"context_line":"    Privsep daemons are now started by Ironic when required. 
These daemons can"}],"source_content_type":"text/x-yaml","patch_set":4,"id":"ff570b3c_fa15653e","line":4,"range":{"start_line":4,"start_character":10,"end_line":4,"end_character":14},"in_reply_to":"ff570b3c_a97a8d20","updated":"2020-06-02 19:09:11.000000000","message":"It\u0027s because I haven\u0027t pushed qemu-img code here\n\nhttps://github.com/openstack/ironic/blob/master/etc/ironic/rootwrap.d/ironic-images.filters","commit_id":"8e9d7b2b3cf34276f516108d0b89d53943108df6"},{"author":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"change_message_id":"95f473c299a2ddc93329d148c52adcdeaf4cd01f","unresolved":false,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"upgrade:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    Ironic is transitioning from using the older style rootwrap privilege to"},{"line_number":5,"context_line":"    oslo privsep. This should improve security of Ironic in the long term."},{"line_number":6,"context_line":"  - |"},{"line_number":7,"context_line":"    Privsep daemons are now started by Ironic when required. 
These daemons can"}],"source_content_type":"text/x-yaml","patch_set":4,"id":"9f560f44_67361952","line":4,"range":{"start_line":4,"start_character":10,"end_line":4,"end_character":14},"in_reply_to":"ff570b3c_fa15653e","updated":"2020-10-05 21:24:09.000000000","message":"This file doesn\u0027t exist anymore, so it looks like this change converts everything required to remove rootwrap","commit_id":"8e9d7b2b3cf34276f516108d0b89d53943108df6"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"0cc93fc0b69e4e3fb5e955eb82f2c506a97cfabb","unresolved":false,"context_lines":[{"line_number":10,"context_line":"security:"},{"line_number":11,"context_line":"  - |"},{"line_number":12,"context_line":"    The following commands are no longer required to be listed in the rootwrap"},{"line_number":13,"context_line":"    filters: `mount`, `unmount` and `iscsiadm`"}],"source_content_type":"text/x-yaml","patch_set":4,"id":"ff570b3c_699a3562","line":13,"updated":"2020-06-01 23:10:52.000000000","message":"You should likely duplicate this in the upgrade section.","commit_id":"8e9d7b2b3cf34276f516108d0b89d53943108df6"},{"author":{"_account_id":15519,"name":"Iury Gregory Melo Ferreira","display_name":"Iury Gregory","email":"iurygregory@gmail.com","username":"iurygregory"},"change_message_id":"1339895c785567709f61033f44862d5660e6d902","unresolved":false,"context_lines":[{"line_number":10,"context_line":"security:"},{"line_number":11,"context_line":"  - |"},{"line_number":12,"context_line":"    The following commands are no longer required to be listed in the rootwrap"},{"line_number":13,"context_line":"    filters: `mount`, `unmount` and `iscsiadm`"}],"source_content_type":"text/x-yaml","patch_set":4,"id":"ff570b3c_5a28d184","line":13,"in_reply_to":"ff570b3c_699a3562","updated":"2020-06-02 
19:09:11.000000000","message":"Ack","commit_id":"8e9d7b2b3cf34276f516108d0b89d53943108df6"}],"requirements.txt":[{"author":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"change_message_id":"95f473c299a2ddc93329d148c52adcdeaf4cd01f","unresolved":false,"context_lines":[{"line_number":20,"context_line":"oslo.config\u003e\u003d5.2.0 # Apache-2.0"},{"line_number":21,"context_line":"oslo.context\u003e\u003d2.19.2 # Apache-2.0"},{"line_number":22,"context_line":"oslo.db\u003e\u003d4.40.0 # Apache-2.0"},{"line_number":23,"context_line":"oslo.rootwrap\u003e\u003d5.8.0 # Apache-2.0"},{"line_number":24,"context_line":"oslo.log\u003e\u003d3.36.0 # Apache-2.0"},{"line_number":25,"context_line":"oslo.middleware\u003e\u003d3.31.0 # Apache-2.0"},{"line_number":26,"context_line":"oslo.policy\u003e\u003d1.30.0 # Apache-2.0"}],"source_content_type":"text/plain","patch_set":4,"id":"9f560f44_c74565b6","line":23,"updated":"2020-10-05 21:24:09.000000000","message":"Can we remove this in the same change?","commit_id":"8e9d7b2b3cf34276f516108d0b89d53943108df6"}]}
