[openstack-dev] [neutron][rootwrap] Performance considerations, sudo?

Yuriy Taraday yorik.sar at gmail.com
Fri Mar 7 09:06:57 UTC 2014


On Wed, Mar 5, 2014 at 6:42 PM, Miguel Angel Ajo <majopela at redhat.com>wrote:

> 2) What alternatives can we think about to improve this situation.
>    0) already being done: coalescing system calls. But I'm unsure that's
> enough. (if we coalesce 15 calls to 3 on this system we get: 192*3*0.3/60
> ~=3 minutes overhead on a 10min operation).
>    a) Rewriting rules into sudo (to the extent that it's possible), and
> live with that.
>    b) How secure is neutron about command injection to that point? How
> much is user input filtered on the API calls?
>    c) Even if "b" is ok , I suppose that if the DB gets compromised, that
> could lead to command injection.
>    d) Re-writing rootwrap into C (it's 600 python LOCs now).

   e) Doing the command filtering at neutron-side, as a library and live
> with sudo with simple filtering. (we kill the python/rootwrap startup
> overhead).

Another option would be to allow rootwrap to run in daemon mode and provide
RPC interface. This way Neutron can spawn rootwrap (with its CPython
startup overhead) once and send new commands to be run later over UNIX
This way we won't need learn new language (C/C++), adopt new toolchain
(RPython, Cython, whatever else) and still get secure way to run commands
with root priviledges.


Kind regards, Yuriy.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20140307/00a3974f/attachment.html>

More information about the OpenStack-dev mailing list