[openstack-dev] Python overhead for rootwrap

Joe Gordon joe.gordon0 at gmail.com
Sat Aug 3 04:28:40 UTC 2013


On Fri, Aug 2, 2013 at 10:33 AM, Dan Smith <dms at danplanet.com> wrote:

> > Any solution where you need to modify sudoers every time the code
> > changes is painful, because there is only one sudo configuration on a
> > machine and it's owned by root.
>
> Hmm? At least on ubuntu there is a default /etc/sudoers.d directory,
> where we could land per-service files like nova-compute.conf,
> nova-network.conf, etc. I don't think that's there by default on Fedora
> or RHEL, but adding the includedir to the base config works as expected.
>
> > The end result was that the sudoers file were not maintained and
> > everyone ran and tested with a convenient blanket-permission sudoers
> > file.
>
> Last I checked, the nova rootwrap policy includes blanket approvals for
> things like chmod, which pretty much eliminates any sort of expectation
> of reasonable security without improvement by the operator (which I
> think is unrealistic).
>
> I'm not sure what the right answer is here. I'm a little afraid of a
> rootwrap daemon. However, nova-network choking on 50 instances seems to
> be obviously not an option...
>

I agree.  The good news is that neutron does not timeout like nova-network
does here, although it makes many rootwrapped calls so it will get a
performance boost from a faster rootwrap solution.

It sounds like rootwrap isn't going anywhere in Havana, and we can explore
faster and more secure solutions for Icehouse.  But there may be some short
term solutions to make nova (with nova-network) not choke on 50 instances.
I would like to be able to say Havana, in its default config, won't choke
when trying to spawn a small number of instances.   Some possible solutions
are:

* Make rootwrap faster -- rootwrapped calls to iptables-save are still 3
to 4x slower than without rootwrap, but the Python load time counts for
less than half of that.
* Finer-grained locks; right now it looks like the iptables lock is what is
killing us, so we may be able to find a better way to use iptables-save and
restore.
* Reduce the number of rootwrapped calls when possible; I would be very
surprised if every single rootwrapped call is needed.
* See how neutron does it; it seems to work much better for them
* ???



> --Dan
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
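To make the "blanket approvals for things like chmod" point concrete, here is an added example (not nova's or oslo.rootwrap's own code) that re-implements the matching rules of rootwrap's CommandFilter and RegExpFilter and runs a constructed filter file through them: the blanket CommandFilter authorises any chmod invocation, while a RegExpFilter scoped to a mode and a (hypothetical) instances directory does not.

```python
"""Toy model of rootwrap filter matching (added example, not nova's code).

The filter-file syntax follows the real rootwrap *.filters format, but the
matching logic below is a re-implementation for illustration only.
"""
import configparser
import re

# Constructed filter file. chmod_blanket is the kind of approval the thread
# complains about; chmod_scoped limits chmod to a mode and a path under a
# hypothetical instances directory. (Regexes must not contain commas here,
# because the value is split on commas.)
FILTERS_INI = """
[Filters]
chmod_blanket: CommandFilter, chmod, root
chmod_scoped: RegExpFilter, chmod, root, chmod, 0?[0-7]{3}, /var/lib/nova/instances/.*
"""


def load_filters(text):
    """Parse a [Filters] section into a list of (name, kind, args) tuples."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    result = []
    for name, value in parser.items("Filters"):
        kind, *args = [part.strip() for part in value.split(",")]
        result.append((name, kind, args))
    return result


def filter_matches(kind, args, argv):
    """Return True if one filter would authorise argv (argv[0] is the command)."""
    executable = args[0]
    if kind == "CommandFilter":
        # Only the executable name is checked; every argument is accepted.
        return argv[0] == executable
    if kind == "RegExpFilter":
        # args: executable, run-as user, then one regex per argv element,
        # each anchored at both ends (the real filter anchors with '$').
        patterns = args[2:]
        if argv[0] != executable or len(patterns) != len(argv):
            return False
        return all(re.fullmatch(p, a) for p, a in zip(patterns, argv))
    raise ValueError("unsupported filter kind: %s" % kind)


def authorising_filters(filters, argv):
    """Names of the filters that would let argv run as root."""
    return [name for name, kind, args in filters if filter_matches(kind, args, argv)]
```

Dropping the blanket line from the filter file is what turns the scoped filter into a meaningful restriction; with both present, the blanket one still authorises everything.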