[openstack-dev] Python overhead for rootwrap

Thierry Carrez thierry at openstack.org
Mon Jul 29 08:37:57 UTC 2013

Thomas Goirand wrote:
> On 07/26/2013 05:43 AM, Thierry Carrez wrote:
>> I would rather support solution 3: create a single, separate  executable
>> that does those 20 things that need to be done (can be a shell script
>> with some logic in it), and have rootwrap call that *once*. That way you
>> increase speed by 20 times without dumping the security model.
> Hi Thierry,
> Does rootwrap has to be written in Python? How much work would it be to
> rewrite it in C? It doesn't seem that big to me (less than 700 lines of
> python right now). Or is it too complicated, and then too dangerous, to
> be in such no-safety-net type of language?

The trick is that we would then have to write the filters themselves as
C code. Apart from the risky side of getting Python coders to write C
code manipulating strings as root, the original plan was to have lots of
specialized filters for extremely fine-grained control of privilege
escalation. We are just starting to see those appear (EnvFilter,
PathFilter, KillFilter) and I certainly don't want to kill the
momentum... Our community speaks Python: forcing those to be written in
C would probably limit, rather than increase, the number of those
specialized filters.

It's always been a trade-off: rootwrap favored security and ease of
development over performance, as I didn't think we would ever make
enough calls for it to be a problem (compared to, say, booting an image
in KVM). Apparently I was wrong, at least for nova-network :)

Thierry Carrez (ttx)

More information about the OpenStack-dev mailing list