[openstack-dev] Python overhead for rootwrap
Michael Still
mikal at stillhq.com
Thu Jul 25 23:52:47 UTC 2013
On Fri, Jul 26, 2013 at 7:43 AM, Thierry Carrez <thierry at openstack.org> wrote:
> I would rather support solution 3: create a single, separate executable
> that does those 20 things that need to be done (can be a shell script
> with some logic in it), and have rootwrap call that *once*. That way you
> increase speed by 20 times without dumping the security model.
I worry about this script getting out of date compared with the nova
binary. What about an abstraction class around shell commands where
you specify what commands you want to run, then it exports a generated
shell script and executes it with root-wrap?
We'd of course have to pay attention to using secure temporary files
for the generated scripts, but we could ask for an OSSG bench audit of
those bits.
Michael
--
Rackspace Australia
More information about the OpenStack-dev
mailing list