[openstack-dev] Python overhead for rootwrap

Thierry Carrez thierry at openstack.org
Mon Jul 29 12:51:39 UTC 2013

John Garbutt wrote:
> I tend to agree that (option 3) aggregating all of the calls to
> rootwrap may be impractical:
>> Sean Dague wrote:
>> The reason there are 20 different call outs is that they aren't all in the
>> same place. There are phases that happen here, and different kinds of errors
>> needed. I'm skeptical that you could push it all into one place.
> However it seems like the quickest way to reduce _some_ of the impact.
> Maybe just have python command-lets, like the filters (python code
> that runs as root) that chain a set of shell requests, and the input
> is restricted by the filters in the usual way. I do worry that it
> encourages larger chunks of code running as root, but that is
> something we should be able to avoid.

Running Python snippets instead of shelling out has been on the rootwrap
feature backlog for a while. The drawback is that you lose "sudo"
backward compat (the ability to run the same command using plain "sudo"
instead of "sudo rootwrap...") so we were kinda waiting for a good use
case justifying such loss.

However, if the run_as_root calls are scattered around and can't be
grouped with minimal logic, that will not give us a lot compared to using
shell scripts for aggregation.

Could someone post a log of the 20 calls involved so that we could check
out how they could be grouped? It doesn't have to be all in one call,
even reducing those 20 to 5 or 10 would bring a significant performance

Thierry Carrez (ttx)
