[openstack-dev] Python overhead for rootwrap

Thierry Carrez thierry at openstack.org
Thu Aug 1 09:04:42 UTC 2013

Joe Gordon wrote:
> I tried
> swapping out rootwrap for sudo and that made the issue go away.    So I
> think we should go back to supporting just using sudo instead of
> rootwrap, and make sure any future solutions support a sudo only option
> as well.  But I am open to other ideas, I just think we need to
> implement something for Havana.

How did you make the swap ? Patched utils.execute ? I guess we could
introduce some use_sudo_as_root_helper parameter (defaulting to False,
with security warnings) and preserve rootwrap_config as it is...

It will require a passwordless blanket sudo access for the nova user.
The trick is that this is equivalent to running Nova as the root user,
from a privilege escalation / security domain standpoint. And you can
already do that, and it will also "make the issue go away" (rootwrap is
bypassed if called from euid 0).

It's cleaner to implement it as an option though, as it will not screw
up permissions everywhere in case you want to go back to using rootwrap
at some point in the future.

Another important take-away from your comment is that we should preserve
the ability to run those commands under direct sudo... so if we want to
allow executing python snippets within rootwrap, we'd need to find a way
to do it with a call that is sudo-compatible, which might prove a bit

Thierry Carrez (ttx)

More information about the OpenStack-dev mailing list