[openstack-dev] Python overhead for rootwrap

Russell Bryant rbryant at redhat.com
Fri Aug 2 14:00:30 UTC 2013

On 08/02/2013 07:52 AM, Thierry Carrez wrote:
> Daniel P. Berrange wrote:
>> On Fri, Aug 02, 2013 at 10:58:11AM +0100, Mark McLoughlin wrote:
>>> On Thu, 2013-07-25 at 14:40 -0600, Mike Wilson wrote:
>>>> In my opinion:
>>>> 1. Stop using rootwrap completely and get strong argument checking support
>>>> into sudo (regex).
>>>> 2. Some sort of long lived rootwrap process, either forked by the service
>>>> that wants to shell out or a general purpose rootwrapd type thing.
>>>> I prefer #1 because it's surprising that sudo doesn't do this type of thing
>>>> already. It _must_ be something that everyone wants. But #2 may be quicker
>>>> and easier to implement, my $.02.
>>> IMHO, #1 set the discussion off in a poor direction.
>>> Who exactly is stepping up to do this work in sudo? Unless there's
>>> someone with even a prototype patch in hand, any insistence that we base
>>> our solution on this hypothetical feature is an unhelpful diversion.
>>> And even if this work was done, it will be a long time before it's in
>>> all the distros we support, so improving rootwrap or finding an
>>> alternate solution will still be an important discussion.
>> Personally I'm of the opinion that from an architectural POV, use of
>> either rootwrap or sudo is a bad solution, so arguing about which is
>> better is really missing the bigger picture. In Linux, there has been
>> a move away from use of sudo or similar approaches, towards the idea
>> of having privileged separated services. So if you wanted to do stuff
>> related to storage, you'd have some small daemon running privileged,
>> which exposed APIs over DBus, which the non-privileged thing would
>> call to make storage changes. Operations exposed by the service would
>> have access control configured via something like PolicyKit, and/or
>> SELinux/AppArmor.
>> Of course this is a lot more work than just hacking up some scripts
>> using sudo or rootwrap. That's the price you pay for properly
>> engineering formal APIs to do jobs instead of punting to random
>> shell scripts.
> And for the record, I would be supportive of any proper effort to
> implement privileged calls using a (hopefully minimal) privileged
> daemon, especially for nodes that make heavy usage of privileged calls.
> I just don't feel that going back to sudo (or claiming you can just
> introduce all rootwrap features in sudo) is the proper way to fix the
> problem.

Cool, this seems like a good approach to me, as well.  Of course, we're
back to "is anyone up for the task?"

Russell Bryant
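As an added illustration (not code from this thread, from rootwrap, or from any OpenStack project), the following sketch shows the shape of the privilege-separated design Daniel describes above: the unprivileged side sends a structured request naming an operation and typed arguments, and the privileged side checks that request against a fixed table of operations with per-argument validators before dispatching to a handler. Nothing is ever handed to a shell, which is the point of "formal APIs instead of random shell scripts". All names here (`API`, `check_request`, `serve_one`, the `/var/lib/example/mnt` prefix) are hypothetical; a plain AF_UNIX socketpair stands in for the DBus/PolicyKit transport a real daemon would use, and the handlers only record what they would have done.

```python
"""Sketch of a privileged helper with a fixed, validated operation table.

Hypothetical example: the operation names, paths and patterns are made up
for illustration; a real daemon would expose this over DBus with PolicyKit
or an LSM policy gating each operation.
"""
import json
import re
import socket
import threading

# Argument validators. Each one accepts exactly the shape of value the
# operation is designed for, so the request can never smuggle in extra
# tokens, options or shell metacharacters.
_DEVICE_RE = re.compile(r"^/dev/(sd[a-z]|vd[a-z]|loop\d+)$")
_MOUNTPOINT_RE = re.compile(r"^/var/lib/example/mnt/[A-Za-z0-9_-]+$")


def _is_device(value):
    return isinstance(value, str) and bool(_DEVICE_RE.match(value))


def _is_mountpoint(value):
    return isinstance(value, str) and bool(_MOUNTPOINT_RE.match(value))


# The whole privileged API: operation name -> {argument name: validator}.
# This table is the "formal API"; anything not listed does not exist.
API = {
    "mount_volume": {"device": _is_device, "mountpoint": _is_mountpoint},
    "unmount_volume": {"mountpoint": _is_mountpoint},
}


class RequestError(Exception):
    """Raised for any request that does not match the API exactly."""


def check_request(request):
    """Validate a decoded request; return (op, args) or raise RequestError."""
    if not isinstance(request, dict):
        raise RequestError("request must be a JSON object")
    op = request.get("op")
    if op not in API:
        raise RequestError("unknown operation: %r" % (op,))
    args = request.get("args")
    if not isinstance(args, dict):
        raise RequestError("args must be a JSON object")
    spec = API[op]
    # Exact argument set: no missing and no unexpected keys.
    if set(args) != set(spec):
        raise RequestError("argument set mismatch for %s" % op)
    for name, validator in spec.items():
        if not validator(args[name]):
            raise RequestError("invalid value for %s.%s" % (op, name))
    return op, args


# Handlers: a real daemon would perform the privileged action here.
# These constructed stand-ins append to a journal so the flow can be inspected.
def _handle_mount(args, journal):
    journal.append(("mount", args["device"], args["mountpoint"]))
    return {"ok": True}


def _handle_unmount(args, journal):
    journal.append(("unmount", args["mountpoint"]))
    return {"ok": True}


HANDLERS = {"mount_volume": _handle_mount, "unmount_volume": _handle_unmount}


def serve_one(conn, journal):
    """Privileged side: read one JSON request, validate, dispatch, reply."""
    data = conn.recv(65536)
    try:
        op, args = check_request(json.loads(data.decode("utf-8")))
        reply = HANDLERS[op](args, journal)
    except (ValueError, RequestError) as exc:
        # Rejected requests never reach a handler; the reason goes back
        # to the caller and (in a real daemon) to the audit log.
        reply = {"ok": False, "error": str(exc)}
    conn.sendall(json.dumps(reply).encode("utf-8"))


def call(conn, op, args):
    """Unprivileged side: send a structured request and return the reply."""
    conn.sendall(json.dumps({"op": op, "args": args}).encode("utf-8"))
    return json.loads(conn.recv(65536).decode("utf-8"))


def demo(op, args):
    """Run one request across a socketpair standing in for the daemon socket."""
    server, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    journal = []
    worker = threading.Thread(target=serve_one, args=(server, journal))
    worker.start()
    reply = call(client, op, args)
    worker.join()
    server.close()
    client.close()
    return reply, journal


if __name__ == "__main__":
    print(demo("mount_volume", {"device": "/dev/sdb",
                                "mountpoint": "/var/lib/example/mnt/vol1"}))
    print(demo("mount_volume", {"device": "/dev/sdb -o foo",
                                "mountpoint": "/var/lib/example/mnt/vol1"}))
```

The contrast with a sudo or rootwrap filter is that the privileged side never sees a command line at all: it sees an operation name and a handful of typed values, and the validator for each value is written once, next to the operation it belongs to, rather than as a regex over whatever argv a caller assembled.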
