[openstack-dev] Python overhead for rootwrap

Clint Byrum clint at fewbar.com
Thu Aug 8 19:03:36 UTC 2013

Excerpts from Joshua Harlow's message of 2013-08-08 10:39:38 -0700:
> A very neat option. I hadn't thought about tasks having policies on them.
> It does seem like a correct way to go, and a way that could help in some of the rootwrap area.
> Good idea jay, the taskflow devs I think are starting to consider this idea and how it might be possible.
> There is as u said a long road, but I think this is just the way it goes, for better or worse.

This is a neat option, and it is actually quite similar to the proposed
"use DBUS" solution.

Basically we can achieve the goal two similar ways:

1) Write a python taskflow worker that runs as root and exposes
"run_XXXCMDXXX_as_root_on_node_105058" as a capability which the
nova-compute will then eventually ask for. This will require security
in taskflow that has perhaps not been considered up until now.

2) DBUS enable iptables/brctl/ovs/etc. -- Longer time to develop,
but tighter security and more universal benefit/contribution from the
greater Linux community.

Doing these are not mutually exclusive. We can do 1 and then improve
performance and security by attacking the pieces that make sense for
solution 2 (thus relieving the need for run_XXXCMDXXX_as_root).

More information about the OpenStack-dev mailing list