[openstack-dev] Python overhead for rootwrap

Thierry Carrez thierry at openstack.org
Fri Aug 2 11:52:57 UTC 2013

Daniel P. Berrange wrote:
> On Fri, Aug 02, 2013 at 10:58:11AM +0100, Mark McLoughlin wrote:
>> On Thu, 2013-07-25 at 14:40 -0600, Mike Wilson wrote:
>>> In my opinion:
>>> 1. Stop using rootwrap completely and get strong argument checking support
>>> into sudo (regex).
>>> 2. Some sort of long lived rootwrap process, either forked by the service
>>> that wants to shell out or a general purpose rootwrapd type thing.
>>> I prefer #1 because it's surprising that sudo doesn't do this type of thing
>>> already. It _must_ be something that everyone wants. But #2 may be quicker
>>> and easier to implement, my $.02.
>> IMHO, #1 set the discussion off in a poor direction.
>> Who exactly is stepping up to do this work in sudo? Unless there's
>> someone with even a prototype patch in hand, any insistence that we base
>> our solution on this hypothetical feature is an unhelpful diversion.
>> And even if this work was done, it will be a long time before it's in
>> all the distros we support, so improving rootwrap or finding an
>> alternate solution will still be an important discussion.
> Personally I'm of the opinion that from an architectural POV, use of
> either rootwrap or sudo is a bad solution, so arguing about which is
> better is really missing the bigger picture. In Linux, there has been
> a move away from use of sudo or similar approaches, towards the idea
> of having privileged separated services. So if you wanted to do stuff
> related to storage, you'd have some small daemon running privileged,
> which exposed APIs over DBus, which the non-privileged thing would
> call to make storage changes. Operations exposed by the service would
> have access control configured via something like PolicyKit, and/or
> SELinux/AppArmor.
> Of course this is a lot more work than just hacking up some scripts
> using sudo or rootwrap. That's the price you pay for properly
> engineering formal APIs to do jobs instead of punting to random
> shell scripts.

And for the record, I would be supportive of any proper effort to
implement privileged calls using a (hopefully minimal) privileged
daemon, especially for nodes that make heavy usage of privileged calls.
I just don't feel that going back to sudo (or claiming you can just
introduce all rootwrap features in sudo) is the proper way to fix the

Thierry Carrez (ttx)
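The two approaches the thread contrasts, as an added example that is not code from the thread, from OpenStack rootwrap or from any of the posters: a rootwrap/sudo-style check that pattern-matches a caller-supplied argv against a filter list, next to a narrow privileged API in the style of the small daemon Daniel describes, where the unprivileged side only passes typed parameters and the privileged side builds the command line itself. The filter semantics are a simplified sketch (a filter names an executable and either allows any arguments or requires each argument to match a regex), not rootwrap's real code; the class and operation names, the device-name and instance-id patterns, and the mount path are assumptions. Nothing runs as root: the executor is injected so the example runs offline.

```python
"""Argv pattern matching (rootwrap/sudo style) vs. a narrow privileged API.

Names (RootwrapStyleFilter, StorageService, mount_volume) are hypothetical.
The filter semantics are a simplified sketch of rootwrap-style filtering,
not rootwrap's actual implementation.
"""
import json
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence


# ---- 1. argv pattern matching: privileged side trusts a caller-built argv --

@dataclass
class RootwrapStyleFilter:
    executable: str                               # basename of the allowed command
    arg_regexes: Optional[Sequence[str]] = None   # None: any arguments accepted

    def matches(self, argv: Sequence[str]) -> bool:
        if not argv or argv[0].rsplit("/", 1)[-1] != self.executable:
            return False
        if self.arg_regexes is None:
            return True
        args = argv[1:]
        if len(args) != len(self.arg_regexes):
            return False
        # fullmatch, not search: a partial match would let extra shell text through
        return all(re.fullmatch(rx, a) for rx, a in zip(self.arg_regexes, args))


def rootwrap_style_check(filters: Sequence[RootwrapStyleFilter],
                         argv: Sequence[str]) -> bool:
    """True if any filter in the list accepts the caller-supplied argv."""
    return any(f.matches(argv) for f in filters)


# ---- 2. narrow privileged API: privileged side builds argv itself ----------

_DEVICE = re.compile(r"[A-Za-z0-9_.-]+")        # assumed allow-list for device names
_INSTANCE_ID = re.compile(r"[0-9a-f-]{36}")     # assumed UUID-shaped id
_MOUNT_ROOT = "/var/lib/nova/mnt/"              # assumed mount location


class StorageService:
    """Sketch of a small privileged daemon exposing one typed operation.

    The caller never supplies a command line; it supplies parameters that
    are validated here, and the service constructs argv from them."""

    def __init__(self, run: Callable[[List[str]], int]):
        self._run = run                          # subprocess.call in real use; injected here
        self._ops: Dict[str, Callable[..., List[str]]] = {"mount_volume": self.mount_volume}

    def mount_volume(self, device: str, instance_id: str) -> List[str]:
        if not _DEVICE.fullmatch(device):
            raise ValueError("bad device name")
        if not _INSTANCE_ID.fullmatch(instance_id):
            raise ValueError("bad instance id")
        argv = ["mount", "/dev/" + device, _MOUNT_ROOT + instance_id]
        self._run(argv)
        return argv

    def handle(self, request: bytes) -> dict:
        """Entry point for one request received from the unprivileged side.
        Unknown operations, wrong parameters or malformed input are reported
        back, never executed."""
        try:
            msg = json.loads(request)
            op = self._ops[msg["op"]]
            argv = op(**msg.get("args", {}))
            return {"ok": True, "argv": argv}
        except (KeyError, TypeError, ValueError) as exc:   # JSONDecodeError is a ValueError
            return {"ok": False, "error": str(exc)}


if __name__ == "__main__":
    uuid = "6ba7b810-9dad-11d1-80b4-00c04fd430c8"        # constructed sample id
    filters = [
        RootwrapStyleFilter("mount", [r"/dev/[A-Za-z0-9_.-]+", r"/var/lib/nova/mnt/[0-9a-f-]{36}"]),
        RootwrapStyleFilter("ip"),                         # any arguments: very wide
    ]
    print(rootwrap_style_check(filters, ["/bin/mount", "/dev/dm-0", _MOUNT_ROOT + uuid]))
    print(rootwrap_style_check(filters, ["mount", "/dev/dm-0", "/etc"]))
    svc = StorageService(run=lambda argv: 0)
    print(svc.handle(json.dumps({"op": "mount_volume",
                                 "args": {"device": "dm-0", "instance_id": uuid}}).encode()))
    print(svc.handle(json.dumps({"op": "mount_volume",
                                 "args": {"device": "dm-0 -o remount", "instance_id": uuid}}).encode()))
```

The point the code makes concrete: with argv filtering, every argument the caller can influence has to be anticipated by a regex, and a filter that accepts any arguments (the `ip` entry above) grants far more than the one operation the caller needed. With the typed API, the privileged side only ever runs command lines it assembled itself from parameters it validated, so the access-control decision is about operations and parameters rather than about shell text.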
