<div>
<span style="font-size: 14px;">We have an ongoing effort in neutron to move to rootwrap-daemon.</span>
</div><div><br></div><div><a href="https://review.openstack.org/#/q/status:open+project:openstack/neutron+branch:master+topic:bp/rootwrap-daemon-mode,n,z">https://review.openstack.org/#/q/status:open+project:openstack/neutron+branch:master+topic:bp/rootwrap-daemon-mode,n,z</a></div><div><br></div><div><span style="font-size: 14px;">To speed up multiple system calls, and be able to spawn daemons inside namespaces.</span></div><div><br></div><div><span style="font-size: 14px;">I have to read a bit what are the good & bad points of privsep. </span></div><div><span style="font-size: 14px;"><br></span></div><div><span style="font-size: 14px;">The advantage of rootwrap-daemon, is that we don’t need to change all our networking libraries across neutron,</span></div><div><span style="font-size: 14px;">and we kill the sudo/rootwrap spawn for every call, yet keeping the rootwrap permission granularity.</span></div>
<div><div><br></div><div><span style="font-size: 10pt;">Miguel Ángel Ajo</span></div><div><br></div></div>
<p style="color: #A0A0A8;">On Friday, 13 de February de 2015 at 10:54, Angus Lees wrote:</p>
<blockquote type="cite" style="border-left-style:solid;border-width:1px;margin-left:0px;padding-left:10px;">
<span><div><div><div dir="ltr"><div>On Fri Feb 13 2015 at 5:45:36 PM Eric Windisch <<a href="mailto:eric@windisch.us">eric@windisch.us</a>> wrote:<br><blockquote type="cite"><div><div dir="ltr"><div hspace="streak-pt-mark" style="max-height:1px"><img style="width:0px;max-height:0px" src="https://mailfoogae.appspot.com/t?sender=aZXJpY0B3aW5kaXNjaC51cw%3D%3D&type=zerocontent&guid=1f5b166c-c37d-4b6d-9154-2391bb2f16ee"><font color="#ffffff" size="1">ᐧ</font></div></div><div dir="ltr"><div><div><blockquote style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div><span style="line-height:1.5"><br></span></div><div><span style="line-height:1.5"> </span>from neutron.agent.privileged.commands import ip_lib as priv_ip</div><div><span style="line-height:1.5"> def foo():</span></div><div><span style="line-height:1.5"> # Need to create a new veth interface pair - that usually requires root/NET_ADMIN</span></div><div><span style="line-height:1.5"> priv_ip.CreateLink('veth', 'veth0', peer='veth1')</span></div><div><br></div><div>Because we now have elevated privileges directly (on the privileged daemon side) without having to shell out through sudo, we can do all sorts of nicer things like just using netlink directly to configure networking. This avoids the overhead of executing subcommands, the ugliness (and danger) of generating command lines and regex parsing output, and make us less reliant on specific versions of command line tools (since the kernel API should be very stable).</div></div></blockquote><div><br></div></div></div></div><div dir="ltr"><div><div><div>One of the advantages of spawning a new process is being able to use flags to clone(2) and to set capabilities. This basically means to create containers, by some definition. Anything you have in a "privileged daemon" or privileged process ideally should reduce its privilege set for any operation it performs. That might mean it clones itself and executes Python, or it may execvp an executable, but either way, the new process would have less-than-full-privilege.</div><div><br></div><div>For instance, writing a file might require root access, but does not need the ability to load kernel modules. Changing network interfaces does not need access to the filesystem, no more than changes to the filesystem needs access to the network. The capabilities and namespaces mechanisms resolve these security conundrums and simplify principle of least privilege.</div></div></div></div></div></blockquote><div><br></div><div>Agreed wholeheartedly, and I'd appreciate your thoughts on how I'm using capabilities in this change. The privsep daemon limits itself to a particular set of capabilities (and drops root). The assumption is that most OpenStack services commonly need the same small set of capabilities to perform their duties (neutron -> net_admin+sys_admin for example), so it makes sense to reuse the same privileged process.</div><div><br></div><div>If we have a single service that somehow needs to frequently use a broad swathe of capabilities then we might want to break it up further somehow between the different internal aspects (multiple privsep helpers?) - but is there such a case? There's also no problems with mixing privsep for frequent operations with the existing sudo/rootwrap approach for rare/awkward cases.</div><div><br></div><div> - Gus</div></div></div>
</div><div><div>__________________________________________________________________________</div><div>OpenStack Development Mailing List (not for usage questions)</div><div>Unsubscribe: <a href="mailto:OpenStack-dev-request@lists.openstack.org?subject:unsubscribe">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a></div><div><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a></div></div></div></span>
</blockquote>
<div>
<br>
</div>