[openstack-dev] Python overhead for rootwrap

Thierry Carrez thierry at openstack.org
Fri Aug 2 08:05:39 UTC 2013


Joe Gordon wrote:
> Having rootwrap on by default makes nova-network scale very poorly by
> default.  Which doesn't sound like a good default, but not sure if no
> rootwrap is a better default.

If it boils down to that choice, by default I would pick security over
performance.

>> It will require a passwordless blanket sudo access for the nova user.
> 
> Can't we go back to having a sudoers file whitelisting which binaries
> it can call, like before?

It was a bit of a maintenance nightmare (the file was maintained in
every distribution rather than centrally in openstack). Another issue
was that we shipped the same sudoers for every combination of nodes,
allowing for example nova-api to run stuff as root it should never be
allowed to run. See [1] for the limitations of using sudo which
triggered another solution in the first place.

[1]
https://fnords.wordpress.com/2011/11/23/improving-nova-privilege-escalation-model-part-1/

-- 
Thierry Carrez (ttx)
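An added illustration of the two models the thread compares (this is not from the original message or from nova's own packaging; the file paths, the listed binaries and the filter names are assumed): the single sudoers whitelist shipped to every node type, beside a rootwrap setup where sudo grants only the wrapper entry point and each node type installs only the filter file it needs.

```ini
# --- Before: one sudoers whitelist shipped to every node type (assumed content).
# Every nova service on every node may run every listed binary as root, so a
# nova-api node gets the same rights as a nova-network node although it never
# needs them.
#   nova ALL = (root) NOPASSWD: /sbin/iptables, /sbin/ip, /sbin/kpartx, /bin/kill

# --- After: sudo allows nothing but the rootwrap wrapper with its config file.
#   nova ALL = (root) NOPASSWD: /usr/bin/nova-rootwrap /etc/nova/rootwrap.conf *

# /etc/nova/rootwrap.conf (assumed location): where rootwrap looks for filters.
[DEFAULT]
filters_path=/etc/nova/rootwrap.d

# /etc/nova/rootwrap.d/network.filters: installed only on nova-network nodes.
# Entry format: name: FilterClass, executable, run-as user
[Filters]
iptables: CommandFilter, iptables, root
ip: CommandFilter, ip, root

# A node that runs only nova-api ships no filter file, so rootwrap rejects every
# command there: the sudo grant by itself no longer lets the service run
# anything as root, which is the per-node separation the shared sudoers lacked.
```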