[openstack-dev] [Oslo] Code review I7ec346db: Improve usability when backdoor_port is nonzero
Ray Pekowski
pekowski at gmail.com
Thu Jun 13 21:16:26 UTC 2013
On Thu, Jun 13, 2013 at 3:25 PM, Eric Windisch <eric at cloudscaling.com> wrote:
> On June 13, 2013 at 16:18:18, Ray Pekowski (pekowski at gmail.com) wrote:
>
> What exactly is the benefit of using Unix domain sockets? Sorry if it is
> obvious.
>
> 1. Only local users can access the backdoor, limited by filesystem/user
> permissions.
>
Since eventlet_backdoor.py only listens on localhost, it shares the same
local user only benefit, but probably doesn't have any permission
capabilities as far as I know.

> 2. Unix sockets have filenames. You can set this based on the RPC topic,
> the process ID (pid), randomly, or some other mechanism. Overall, you get
> better/more options for your namespace than port numbers which as you've
> noticed can be problematic.
>
I suppose it could be overcome, but the call to eventlet_backdoor in the
code today is done before the topic is established, so the unix socket
filename would likely be random or semi-random (process ID).

I'm not averse to the idea. It would require some education on the part
of the users. I assume the usage is something like this:

    socat <unix domain socket> <exec telnet>

Which could be scripted, a requirement of mine, so that I can script the
periodic collection of call stacks.

Getting back to the subject....

I don't see why we can't support all options other than the one that exists
today, because I truly consider it broken just from my experience. Here's
my story:

I didn't know about listening on port 0, so when I read the code and saw
what appeared to be lack of support for multiple services, I made a private
patch. It seems Matthew Treinish did the same thing. Others will too.
Those people will be wasting their time and then some number of them will
ask questions on the mailing list and waste someone else's time explaining
about port 0.

Here is what I think we could do. Have options for all of these:

- enable_backdoor (default is tcp sockets with port 0)
- enable_backdoor_ipc (unix domain sockets)
- enable_backdoor_starting_port (tcp sockets with port number hint)

Why would we not implement them all? I'm willing to take on the first and
third as a starting point. My current patch only does the third, but
adding the first would be easy.

Ray
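
Added example, not part of the original message and not code from Oslo's eventlet_backdoor.py: a standard-library sketch of the two listener styles discussed in this thread, a localhost TCP socket bound to port 0 and a Unix domain socket whose file mode limits who can connect. The function names and the pid-based socket filename are assumptions made for illustration.

```python
import os
import socket
import stat
import tempfile


def listen_tcp_port0():
    """TCP style: bind localhost port 0 and report the port the kernel chose."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))  # reachable by every local user, no file permissions
    sock.listen(1)
    return sock, sock.getsockname()[1]


def listen_unix_private(directory, name=None):
    """Unix socket style: per-process filename, socket file created as 0600."""
    name = name or "backdoor-%d.sock" % os.getpid()  # hypothetical naming scheme
    path = os.path.join(directory, name)
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old_umask = os.umask(0o177)  # restrict before bind, so no window with wider access
    try:
        sock.bind(path)  # on Linux, connecting needs write permission on this file
    finally:
        os.umask(old_umask)
    sock.listen(1)
    return sock, path


def demo():
    """Open both listeners, record what a local operator would need to find them."""
    tcp_sock, port = listen_tcp_port0()
    workdir = tempfile.mkdtemp(prefix="backdoor-demo-")  # mkdtemp creates it 0700
    unix_sock, path = listen_unix_private(workdir)
    st = os.stat(path)
    result = {
        "tcp_port": port,
        "unix_path": path,
        "unix_mode": stat.S_IMODE(st.st_mode),
        "is_socket": stat.S_ISSOCK(st.st_mode),
    }
    tcp_sock.close()
    unix_sock.close()
    os.unlink(path)  # a Unix socket file outlives close() unless removed
    os.rmdir(workdir)
    return result


if __name__ == "__main__":
    print(demo())
```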