[openstack-dev] Python overhead for rootwrap

Jay Buffington me at jaybuff.com
Mon Jul 29 22:04:08 UTC 2013

I haven't closely looked at rootwrap, but it seems to me that you could use
rootwrap config files to generate a gigantic sudoers config file which
would not
necessarily be human readable.  That would have the flexibility and
maintainability of rootwrap with the speed and audibility sudo.

On Thu, Jul 25, 2013 at 1:21 PM, Joe Gordon <joe.gordon0 at gmail.com> wrote:

> Hi All,
> We have recently hit some performance issues with nova-network.  It turns
> out the root cause of this was we do roughly 20 rootwrapped shell commands,
> many inside of global locks. (https://bugs.launchpad.net/oslo/+bug/1199433
> )
> It turns out starting python itself, has a fairly significant overhead
> when compared to the run time of many of the binary commands we execute.
> For example:
>  $ time python -c "print 'test'"
> test
> real 0m0.023s
> user 0m0.016s
> sys 0m0.004s
> $ time ip a
> <...>
> real 0m0.003s
> user 0m0.000s
> sys 0m0.000s
> While we have removed the extra overhead of using entry points, we are now
> hitting the overhead of just shelling out to python.
> While there are many possible ways to reduce this issue, such as reducing
> the number of rootwrapped calls and making locks finer grain, I think its
> worth exploring alternates to the current rootwrap model.
> Any ideas?  I am sending this email out to get the discussion started.
> best,
> Joe Gordon
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20130729/9568c5d7/attachment.html>

More information about the OpenStack-dev mailing list