[openstack-dev] Python overhead for rootwrap

Joe Gordon joe.gordon0 at gmail.com
Mon Jul 29 20:53:31 UTC 2013


On Mon, Jul 29, 2013 at 5:51 AM, Thierry Carrez <thierry at openstack.org>wrote:

> John Garbutt wrote:
> > I tend to agree that (option 3) aggregating all of the calls to
> > rootwrap may be impractical:
> >> Sean Dague wrote:
> >> The reason there are 20 different call outs is that they aren't all in
> the
> >> same place. There are phases that happen here, and different kind of
> errors
> >> needed. I'm skeptical that you could push it all into one place.
> >
> > However it seems like the quickest way to reduce _some_ of the impact.
> >
> > Maybe just have python command-lets, like the filters (python code
> > that runs as root) that chain a set of shell requests, and the input
> > is restricted by the filters in the usual way. I do worry that it
> > encourages larger chunks of code running as root, but that is
> > something we should be able to avoid.
>
> Running Python snippets instead of shelling out has been on the rootwrap
> feature backlog for a while. The drawback is that you lose "sudo"
> backward compat (the ability to run the same command using plain "sudo"
> instead of "sudo rootwrap...") so we were kinda waiting for a good use
> case justifying such loss.
>
> However if the run_as_root calls are scattered around and can't be
> grouped with minimal logic that will not give us a lot compared to using
> shell scripts for aggregation.
>
> Could someone post a log of the 20 calls involved so that we could check
> out how they could be grouped ? It doesn't have to be all in one call,
> even reducing those 20 to 5 or 10 would bring a significant performance
> improvement.
>


$ git grep "as_root=True" nova/network/linux_net.py | wc -l
66

Sure we can group some calls together, but then we have to move much of the
logic into whatever mechanism we are using to grouping calls together.  For
example see
https://github.com/openstack/nova/blob/master/nova/network/linux_net.py#L783


>
> --
> Thierry Carrez (ttx)
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20130729/db566c9f/attachment.html>


More information about the OpenStack-dev mailing list