[openstack-dev] Python overhead for rootwrap

Dan Smith dms at danplanet.com
Fri Aug 2 17:33:39 UTC 2013


> Any solution where you need to modify sudoers every time the code
> changes is painful, because there is only one sudo configuration on a
> machine and it's owned by root.

Hmm? At least on ubuntu there is a default /etc/sudoers.d directory,
where we could land per-service files like nova-compute.conf,
nova-network.conf, etc. I don't think that's there by default on Fedora
or RHEL, but adding the includedir to the base config works as expected.

> The end result was that the sudoers file were not maintained and
> everyone ran and tested with a convenient blanket-permission sudoers
> file.

Last I checked, the nova rootwrap policy includes blanket approvals for
things like chmod, which pretty much eliminates any sort of expectation
of reasonable security without improvement by the operator (which I
think is unrealistic).

I'm not sure what the right answer is here. I'm a little afraid of a
rootwrap daemon. However, nova-network choking on 50 instances seems to
be obviously not an option...

--Dan
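To make the "blanket approval for chmod" point above concrete, here is an added illustration (not rootwrap's or nova's own code) that models rootwrap-style filter lines in the assumed "name: FilterClass, executable, user, ..." layout, shows which commands each rule would let run as root, and lints a filters file for argument-free CommandFilter rules. The sample filters, the RegExpFilter argument patterns and the instances path are constructed for the example.

```python
"""Simplified model of rootwrap-style filter rules (illustration only, not
the oslo.rootwrap implementation).  A CommandFilter matches on the
executable alone, so it approves any arguments; a RegExpFilter also pins
every argument to a regex.  blanket_filters() is a lint an operator could
run before deploying a filters file."""
import re
import shlex

# Constructed sample in the "name: FilterClass, executable, user, ..." line
# layout used by rootwrap filter files (layout assumed from that convention).
SAMPLE_FILTERS = """
# blanket approval: any chmod invocation, any arguments, as root
chmod: CommandFilter, chmod, root
# restricted: only octal modes on files under the (assumed) instances dir
chmod_inst: RegExpFilter, chmod, root, 0[0-7]{3}, /var/lib/nova/instances/.*
"""

def parse_filters(text):
    """Return a list of (name, cls, executable, user, arg_regexes) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, spec = line.split(":", 1)
        fields = [f.strip() for f in spec.split(",")]
        cls, exe, user, argres = fields[0], fields[1], fields[2], fields[3:]
        rules.append((name.strip(), cls, exe, user, argres))
    return rules

def rule_matches(rule, argv):
    """CommandFilter: executable name only.  RegExpFilter: executable plus
    one full-match regex per argument (argument count must match too)."""
    _, cls, exe, _, argres = rule
    if not argv or argv[0] != exe:
        return False
    if cls == "CommandFilter":
        return True
    if cls == "RegExpFilter":
        if len(argv) - 1 != len(argres):
            return False
        return all(re.fullmatch(r, a) for r, a in zip(argres, argv[1:]))
    return False  # unknown filter class: deny

def allowed_by(rules, cmdline):
    """Names of the rules that would let this command line run as root."""
    argv = shlex.split(cmdline)
    return [r[0] for r in rules if rule_matches(r, argv)]

def blanket_filters(rules):
    """Lint: CommandFilter rules accept any arguments, so report them."""
    return [r[0] for r in rules if r[1] == "CommandFilter"]
```

Running the lint over a real filters directory is the operator-side check the message says is unrealistic to expect; the point of the example is how little the blanket rule excludes.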
