[openstack-dev] Python overhead for rootwrap

Robert Collins robertc at robertcollins.net
Fri Aug 2 08:10:35 UTC 2013

On 2 August 2013 20:05, Thierry Carrez <thierry at openstack.org> wrote:

> It was a bit of a maintenance nightmare (the file was maintained in
> every distribution rather than centrally in openstack). Another issue
> was that we shipped the same sudoers for every combination of nodes,
> allowing for example nova-api to run stuff as root it should never be
> allowed to run. See [1] for the limitations of using sudo which
> triggered another solution in the first place.

There's still nothing other than handwaving suggesting that a domain
specific solution is needed. setuid binaries *should* be rare, and
sudo's goal : policy driven sudo access - is totally compatible with
all our needs.

So I propose we do the following:
 - switch back to sudo except for commands where we are not willing to
accept the security implications - case by case basis.
 - discuss with sudo upstream how to encode the business rules we need
in sudo [if a sudo gate is capable of doing them - not everything will
be like that]

I appreciate that 'a better solution is needed', but the one we came
up with has nothing fundamentally better than sudo, other than
'written in python' and 'accepts custom plugins but we aren't using
that yet' : I claim YAGNI.


Robert Collins <rbtcollins at hp.com>
Distinguished Technologist
HP Cloud Services

More information about the OpenStack-dev mailing list