[openstack-dev] [Ironic][Agent]
Vladimir Kozhukalov
vkozhukalov at mirantis.com
Fri Apr 4 12:19:41 UTC 2014
Hello, everyone,
I'd like to involve more people to express their opinions about the way how
we are going to run Ironic-python-agent. I mean should we run it with root
privileges or not.
>From the very beginning agent is supposed to run under ramdisk OS and it is
intended to make disk partitioning, RAID configuring, firmware updates and
other stuff according to installing OS. Looks like we always will run agent
with root privileges. Right? There are no reasons to limit agent
permissions.
On the other hand, it is easy to imagine a situation when you want to run
agent on every node of your cluster after installing OS. It could be useful
to keep hardware info consistent (for example, many hardware configurations
allow one to add hard drives in run time). It also could be useful for "on
the fly" firmware updates. It could be useful for "on the fly"
manipulations with lvm groups/volumes and so on.
Frankly, I am not even sure that we need to run agent with root privileges
even in ramdisk OS, because, for example, there are some system default
limitations such as number of connections, number of open files, etc. which
are different for root and ordinary user and potentially can influence
agent behaviour. Besides, it is possible that some vulnerabilities will be
found in the future and they potentially could be used to compromise agent
and damage hardware configuration.
Consequently, it is better to run agent under ordinary user even under
ramdisk OS and use rootwrap if agent needs to run commands with root
privileges. I know that rootwrap has some performance issues
http://lists.openstack.org/pipermail/openstack-dev/2014-March/029017.htmlbut
it is still pretty suitable for ironic agent use case.
It would be great to hear as many opinions as possible according to this
case.
Vladimir Kozhukalov
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20140404/79bfabab/attachment.html>
More information about the OpenStack-dev
mailing list