[openstack-dev] Python overhead for rootwrap

Daniel P. Berrange berrange at redhat.com
Fri Aug 2 10:15:20 UTC 2013


On Fri, Aug 02, 2013 at 10:58:11AM +0100, Mark McLoughlin wrote:
> On Thu, 2013-07-25 at 14:40 -0600, Mike Wilson wrote:
> > In my opinion:
> > 
> > 1. Stop using rootwrap completely and get strong argument checking support
> > into sudo (regex).
> > 2. Some sort of long lived rootwrap process, either forked by the service
> > that wants to shell out or a general purpose rootwrapd type thing.
> > 
> > I prefer #1 because it's surprising that sudo doesn't do this type of thing
> > already. It _must_ be something that everyone wants. But #2 may be quicker
> > and easier to implement, my $.02.
> 
> IMHO, #1 set the discussion off in a poor direction.
> 
> Who exactly is stepping up to do this work in sudo? Unless there's
> someone with even a prototype patch in hand, any insistence that we base
> our solution on this hypothetical feature is an unhelpful diversion.
> 
> And even if this work was done, it will be a long time before it's in
> all the distros we support, so improving rootwrap or finding an
> alternate solution will still be an important discussion.

Personally I'm of the opinion that from an architectural POV, use of
either rootwrap or sudo is a bad solution, so arguing about which is
better is really missing the bigger picture. In Linux, there has been
a move away from use of sudo or similar approaches, towards the idea
of having privilege-separated services. So if you wanted to do stuff
related to storage, you'd have some small daemon running privileged,
which exposed APIs over DBus, which the non-privileged thing would
call to make storage changes. Operations exposed by the service would
have access control configured via something like PolicyKit, and/or
SELinux/AppArmor.

Of course this is a lot more work than just hacking up some scripts
using sudo or rootwrap. That's the price you pay for properly
engineering formal APIs to do jobs instead of punting to random
shell scripts.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
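The privilege-separated model Daniel describes, sketched as an added example (not OpenStack, rootwrap or libvirt code): a small service that would run privileged exposes one formal operation with typed arguments and a PolicyKit-style per-caller rule table, next to a rootwrap/sudo-style command-line filter that can only reason about argv strings. The action ids, the policy table and `lvcreate` argument layout are assumptions made for illustration.

```python
"""Sketch of the privilege-separated model from the mail: a small daemon that
would run as root exposes a few formal operations; unprivileged callers request
them by name over IPC (DBus in the mail) and a PolicyKit-style rule table
decides who may call what. Constructed example, not OpenStack or libvirt code."""
import re

# Hypothetical PolicyKit-like rules: action id -> caller identities allowed to invoke it.
POLICY = {
    "org.example.storage.create-volume": {"nova", "cinder"},
}
IDENT_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

class PolicyDenied(PermissionError):
    pass

class StorageService:
    """The privileged side. It never receives a command line from the caller;
    it receives typed arguments, validates them, and builds any command itself."""

    def __init__(self):
        self.volumes = {}  # (vg, name) -> size_mb, stands in for real LVM state

    def _authorize(self, caller, action):
        if caller not in POLICY.get(action, set()):
            raise PolicyDenied(f"{caller!r} is not allowed to {action}")

    def create_volume(self, caller, vg, name, size_mb):
        self._authorize(caller, "org.example.storage.create-volume")
        if not isinstance(size_mb, int) or not 1 <= size_mb <= 1024 * 1024:
            raise ValueError("size_mb must be an int between 1 and 1048576")
        if not (IDENT_RE.match(vg) and IDENT_RE.match(name)):
            raise ValueError("volume group and name must be plain identifiers")
        if (vg, name) in self.volumes:
            raise ValueError("volume already exists")
        # The argv is assembled from validated fields; no shell, no caller-supplied string.
        argv = ["lvcreate", "-L", f"{size_mb}M", "-n", name, vg]
        self.volumes[(vg, name)] = size_mb
        return argv

# Contrast: a rootwrap/sudo-style filter has only the command line to reason about.
ROOTWRAP_STYLE_FILTER = re.compile(r"^lvcreate -L \d+M -n [A-Za-z0-9_-]+ [A-Za-z0-9_-]+$")

def filter_allows(cmdline):
    """Returns True when the command line matches the filter regex; it cannot
    know which service asked, nor express per-caller policy or semantic limits."""
    return ROOTWRAP_STYLE_FILTER.match(cmdline) is not None
```

The difference to notice is where the checks live: the service enforces who may call the operation and what a sane argument is, while the filter only answers whether a string looks like an allowed command.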


