[openstack-dev] Python overhead for rootwrap

Joe Gordon joe.gordon0 at gmail.com
Thu Aug 1 16:27:20 UTC 2013


On Aug 1, 2013 2:06 AM, "Thierry Carrez" <thierry at openstack.org> wrote:
>
> Joe Gordon wrote:
> > I tried
> > swapping out rootwrap for sudo and that made the issue go away.    So I
> > think we should go back to supporting just using sudo instead of
> > rootwrap, and make sure any future solutions support a sudo only option
> > as well.  But I am open to other ideas, I just think we need to
> > implement something for Havana.
>
> How did you make the swap ? Patched utils.execute ? I guess we could
> introduce some use_sudo_as_root_helper parameter (defaulting to False,
> with security warnings) and preserve rootwrap_config as it is...
>

Yes, or something like that.  Hopefully it would be something in Oslo so
other projects have this option. If they use rootwrap as well.

Having rootwrap on by default makes nova-network scale very poorly by
default.  Which doesn't sound like a good default, but not sure if no
rootwrap is a better default. So we may need a better story for deployers
...

I haven't tried neutron perf yet but that may be better?  But it won't be
default until icehouse it looks like.

> It will require a passwordless blanket sudo access for the nova user.

Can't we go back to having a sudoers file white listing which binaries it
can call, like before?

> The trick is that this is equivalent to running Nova as the root user,
> from a privilege escalation / security domain standpoint. And you can
> already do that, and it will also "make the issue go away" (rootwrap is
> bypassed if called from euid 0).
>
> It's cleaner to implement it as an option though, as it will not screw
> up permissions everywhere in case you want to go back to using rootwrap
> at some point in the future.
>
> Another important take-away from your comment is that we should preserve
> the ability to run those commands under direct sudo... so if we want to
> allow executing python snippets within rootwrap, we'd need to find a way
> to do it with a call that is sudo-compatible, which might prove a bit
> tricky.
>
> --
> Thierry Carrez (ttx)
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20130801/076ec94f/attachment.html>


More information about the OpenStack-dev mailing list