[openstack-dev] [Ironic][Agent]

Clint Byrum clint at fewbar.com
Fri Apr 4 17:29:36 UTC 2014


Excerpts from Vladimir Kozhukalov's message of 2014-04-04 05:19:41 -0700:
> Hello, everyone,
> 
> I'd like to involve more people to express their opinions about the way how
> we are going to run Ironic-python-agent. I mean should we run it with root
> privileges or not.
> 
> From the very beginning agent is supposed to run under ramdisk OS and it is
> intended to make disk partitioning, RAID configuring, firmware updates and
> other stuff according to installing OS. Looks like we always will run agent
> with root privileges. Right? There are no reasons to limit agent
> permissions.
> 
> On the other hand, it is easy to imagine a situation when you want to run
> agent on every node of your cluster after installing OS. It could be useful
> to keep hardware info consistent (for example, many hardware configurations
> allow one to add hard drives in run time). It also could be useful for "on
> the fly" firmware updates. It could be useful for "on the fly"
> manipulations with lvm groups/volumes and so on.
> 
> Frankly, I am not even sure that we need to run agent with root privileges
> even in ramdisk OS, because, for example, there are some system default
> limitations such as number of connections, number of open files, etc. which
> are different for root and ordinary user and potentially can influence
> agent behaviour. Besides, it is possible that some vulnerabilities will be
> found in the future and they potentially could be used to compromise agent
> and damage hardware configuration.
> 
> Consequently, it is better to run agent under ordinary user even under
> ramdisk OS and use rootwrap if agent needs to run commands with root
> privileges. I know that rootwrap has some performance issues
> http://lists.openstack.org/pipermail/openstack-dev/2014-March/029017.html
> but it is still pretty suitable for ironic agent use case.
> 

My opinion: If you are going to listen for connections, do so on a low
port as root, but then drop privs immediately thereafter. Run things
with sudo, not rootwrap, as the flexibility will just become a burden
if you ever do need to squeeze more performance out, and it won't be
much of a boon to what are likely to be very straightforward commands.

Finally, as others have said, this is for the deploy ramdisk only. For
the case where you want to do an on-the-fly firmware update, there are
a bazillion options to do remote execution. Ironic is for the case where
you don't have on-the-fly capabilities.
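The bind-then-drop pattern described in the reply above, written out as an added example (Python; not code from this thread or from ironic-python-agent). The target account "nobody" and port 1022 in the usage block are assumptions; the order of the drop (supplementary groups, then gid, then uid) is what makes the drop permanent.

```python
import os
import pwd
import socket
import sys


def bind_listening_socket(port: int, host: str = "127.0.0.1") -> socket.socket:
    """Bind and listen while still privileged: ports below 1024 need root."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(16)
    return sock


def drop_privileges(uid: int, gid: int) -> tuple:
    """Permanently give up root. Groups first, then gid, then uid: once the
    uid is no longer 0 the process cannot change its gid or groups."""
    if os.geteuid() == 0:
        os.setgroups([])  # shed supplementary groups; only root may call this
    os.setgid(gid)
    os.setuid(uid)  # called as root this sets real, effective and saved uid
    return os.getuid(), os.getgid()


def current_ids() -> tuple:
    return os.getuid(), os.getgid()


def can_regain_root() -> bool:
    """True if the process could still become uid 0. After a correct drop
    the kernel refuses setuid(0), which is the check worth running."""
    if os.geteuid() == 0:
        return True
    try:
        os.setuid(0)
    except PermissionError:
        return False
    return True


if __name__ == "__main__":
    # Assumed usage: start as root, bind the low port, then become "nobody".
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 1022
    target = pwd.getpwnam("nobody")
    listener = bind_listening_socket(port)
    uid, gid = drop_privileges(target.pw_uid, target.pw_gid)
    if can_regain_root():
        sys.exit("privilege drop failed: process can still become root")
    print("listening on %d as uid=%d gid=%d" % (listener.getsockname()[1], uid, gid))
```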
