<div dir="ltr"><div>I haven't closely looked at rootwrap, but it seems to me that you could use the</div><div>rootwrap config files to generate a gigantic sudoers config file which would not</div><div>necessarily be human readable. That would have the flexibility and </div>
<div>maintainability of rootwrap with the speed and audibility sudo.</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Jul 25, 2013 at 1:21 PM, Joe Gordon <span dir="ltr"><<a href="mailto:joe.gordon0@gmail.com" target="_blank">joe.gordon0@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi All,<div><br></div><div>We have recently hit some performance issues with nova-network. It turns out the root cause of this was we do roughly 20 rootwrapped shell commands, many inside of global locks. (<a href="https://bugs.launchpad.net/oslo/+bug/1199433" target="_blank">https://bugs.launchpad.net/oslo/+bug/1199433</a>)</div>
<div><br></div><div>It turns out starting python itself, has a fairly significant overhead when compared to the run time of many of the binary commands we execute.</div><div><br></div><div>For example:<br><div><br></div>
<div>
<div>$ time python -c "print 'test'"</div><div>test</div><div><br></div><div>real<span style="white-space:pre-wrap"> </span>0m0.023s</div><div>user<span style="white-space:pre-wrap"> </span>0m0.016s</div>
<div>sys<span style="white-space:pre-wrap"> </span>0m0.004s</div></div><div><br></div><div><br></div><div>$ time ip a</div><div><...></div><div><br></div><div><div>real<span style="white-space:pre-wrap"> </span>0m0.003s</div>
<div>user<span style="white-space:pre-wrap"> </span>0m0.000s</div><div>sys<span style="white-space:pre-wrap"> </span>0m0.000s</div></div></div><div><br></div><div><br></div><div>While we have removed the extra overhead of using entry points, we are now hitting the overhead of just shelling out to python.</div>
<div><br></div><div><br></div><div>While there are many possible ways to reduce this issue, such as reducing the number of rootwrapped calls and making locks finer grain, I think its worth exploring alternates to the current rootwrap model.</div>
<div><br></div><div>Any ideas? I am sending this email out to get the discussion started.</div><div><br></div><div><br></div><div>best,</div><div>Joe Gordon</div></div>
<br>_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br></div>