[openstack-dev] Python overhead for rootwrap

Joe Gordon joe.gordon0 at gmail.com
Mon Jul 29 20:53:31 UTC 2013

On Mon, Jul 29, 2013 at 5:51 AM, Thierry Carrez <thierry at openstack.org>wrote:

> John Garbutt wrote:
> > I tend to agree that (option 3) aggregating all of the calls to
> > rootwrap may be impractical:
> >> Sean Dague wrote:
> >> The reason there are 20 different call outs is that they aren't all in
> the
> >> same place. There are phases that happen here, and different kind of
> errors
> >> needed. I'm skeptical that you could push it all into one place.
> >
> > However it seems like the quickest way to reduce _some_ of the impact.
> >
> > Maybe just have python command-lets, like the filters (python code
> > that runs as root) that chain a set of shell requests, and the input
> > is restricted by the filters in the usual way. I do worry that it
> > encourages larger chunks of code running as root, but that is
> > something we should be able to avoid.
> Running Python snippets instead of shelling out has been on the rootwrap
> feature backlog for a while. The drawback is that you lose "sudo"
> backward compat (the ability to run the same command using plain "sudo"
> instead of "sudo rootwrap...") so we were kinda waiting for a good use
> case justifying such loss.
> However if the run_as_root calls are scattered around and can't be
> grouped with minimal logic that will not give us a lot compared to using
> shell scripts for aggregation.
> Could someone post a log of the 20 calls involved so that we could check
> out how they could be grouped ? It doesn't have to be all in one call,
> even reducing those 20 to 5 or 10 would bring a significant performance
> improvement.

$ git grep "as_root=True" nova/network/linux_net.py | wc -l

Sure we can group some calls together, but then we have to move much of the
logic into whatever mechanism we are using to grouping calls together.  For
example see

> --
> Thierry Carrez (ttx)
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20130729/db566c9f/attachment.html>

More information about the OpenStack-dev mailing list