[openstack-dev] [nova][cinder][neutron][security] Rootwrap on root-intensive nodes

Thierry Carrez thierry at openstack.org
Wed Feb 4 15:01:21 UTC 2015


Monty Taylor wrote:
>> On Wed, Feb 04, 2015 at 11:58:03AM +0100, Thierry Carrez wrote:
>>> (2) bite the bullet and accept that some types of nodes actually need
>>> root rights for so many different things, they should just run as root
>>> anyway. I know a few distributions which won't be very pleased by such a
>>> prospect, but that would be a more honest approach (rather than claiming
>>> we provide efficient isolation when we really don't). An added benefit
>>> is that we could replace a number of shell calls by Python code, which
>>> would simplify the code and increase performance.
> 
> I'm actually the biggest fan of this solution (even more than Daniel's
> suggestion below) because it's the thing that is closest to reality.
> 
> Security isn't a useful concept in a vacuum - it's something we do to
> prevent access to or damage resources that we don't want accessed by the
> wrong people.
> 
> On compute nodes, the main valuable thing are the VMs themselves- and
> I'd expect the most interested target of an attack to be interested in
> manipulating, stealing data from or deleting the VMs.
> 
> No amount of rootwrap or privileges are going to prevent nova-compute
> from performing unwanted actions on the VMs in its control - for the
> reason that it's job in life is to manipulate those things.
> 
> Is it a security hole in the traditional distro sense - that we want to
> be able to install all of these things with apt-get or yum on a single
> server and have the actions of one service not affect the state of
> another? Sure. Is it in the real world? No. You're not going to use this
> to manage VMs on a laptop - you're going to use virtualbox or
> virt-manager. You're going to use nova-compute to manage compute hosts
> in a cloud - and in almost all circumstances the only thing that's going
> to be running on your compute hosts is going to be nova-compute.

You make a good point when you mention "traditional distro" here. I
would argue that containers are slightly changing the rules of the
don't-run-as-root game.

Solution (2) aligns pretty well with container-powered OpenStack
deployments -- running compute nodes as root in a container (and
embracing abovementioned simplicity/performance gains) sounds like a
pretty strong combo.

-- 
Thierry Carrez (ttx)



More information about the OpenStack-dev mailing list