[openstack-dev] [neutron][rootwrap] Performance considerations, sudo?

Miguel Angel Ajo majopela at redhat.com
Fri Mar 7 12:52:54 UTC 2014


I thought of this option, but didn't consider it, as it's somehow
risky to expose an RPC end executing privileged (even filtered) commands.

If I'm not wrong, once you have credentials for messaging, you can
send messages to any end, even filtered. I somehow see this as a higher-risk
option.

And btw, if we add RPC in the middle, it's possible that all those
system call delays increase, or don't decrease as much as would be desirable.


On 03/07/2014 10:06 AM, Yuriy Taraday wrote:
> Another option would be to allow rootwrap to run in daemon mode and
> provide RPC interface. This way Neutron can spawn rootwrap (with its
> CPython startup overhead) once and send new commands to be run later
> over UNIX socket.

> This way we won't need to learn a new language (C/C++), adopt a new toolchain
> (RPython, Cython, whatever else) and still get a secure way to run
> commands with root privileges.
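The daemon-over-UNIX-socket design quoted above, together with the concern that anyone holding the messaging credentials can submit any request, as an added example that is not part of this thread and is not oslo.rootwrap or Neutron code. The filter format (command name, fixed binary path, optional exact argument list), the JSON request and reply shapes, and every function name are assumptions made for illustration. The daemon enforces three gates it can check itself: the socket file's permissions, the kernel-supplied peer uid (Linux SO_PEERCRED), and the filter list, rejecting anything no filter matches.

```python
"""Filtered command executor served over a UNIX socket (illustrative sketch).

Added example, not oslo.rootwrap or Neutron code. The filter format, the
JSON request/reply shapes and the helper names are assumptions.
"""
import json
import os
import shutil
import socket
import struct
import subprocess
import tempfile
import threading

ECHO = shutil.which("echo") or "/bin/echo"  # constructed sample binary for the demo


class CommandFilter:
    """Accept argv whose first element is `name`; if `allowed_args` is given,
    the remaining arguments must match it position by position (None = any).
    Assumed, simplified format, not oslo.rootwrap's filter syntax."""

    def __init__(self, name, exec_path, allowed_args=None):
        self.name = name
        self.exec_path = exec_path      # fixed binary path, never caller-supplied
        self.allowed_args = allowed_args

    def matches(self, argv):
        if not argv or argv[0] != self.name:
            return False
        if self.allowed_args is None:
            return True
        args = argv[1:]
        return len(args) == len(self.allowed_args) and all(
            want is None or want == got for want, got in zip(self.allowed_args, args))


def match_filter(argv, filters):
    """First filter accepting argv, or None: anything unmatched is rejected."""
    return next((f for f in filters if f.matches(argv)), None)


def handle_request(payload, filters):
    """Parse one JSON request {"argv": [...]}; run it only if a filter allows it."""
    try:
        argv = json.loads(payload)["argv"]
        if not isinstance(argv, list) or not all(isinstance(a, str) for a in argv):
            raise ValueError("argv must be a list of strings")
    except (ValueError, KeyError, TypeError) as exc:
        return {"ok": False, "error": "malformed request: %s" % exc}
    f = match_filter(argv, filters)
    if f is None:
        return {"ok": False, "error": "no filter matches %r" % (argv,)}
    # Execute the filter's own binary path; only the arguments come from the caller.
    proc = subprocess.run([f.exec_path] + argv[1:], capture_output=True, text=True)
    return {"ok": True, "rc": proc.returncode, "stdout": proc.stdout, "stderr": proc.stderr}


def peer_uid(conn):
    """uid of the process at the other end of a UNIX socket (Linux SO_PEERCRED)."""
    creds = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", creds)
    return uid


def serve(sock_path, filters, allowed_uid, max_conns, ready):
    """Answer `max_conns` connections, one small JSON request each, then exit."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    os.chmod(sock_path, 0o600)   # gate 1: only the socket owner can connect at all
    srv.listen(4)
    ready.set()
    for _ in range(max_conns):
        conn, _ = srv.accept()
        with conn:
            if peer_uid(conn) != allowed_uid:   # gate 2: kernel-verified peer identity
                reply = {"ok": False, "error": "peer uid not allowed"}
            else:
                reply = handle_request(conn.recv(65536), filters)  # gate 3: the filters
            conn.sendall(json.dumps(reply).encode())
    srv.close()


def roundtrip(requests, filters):
    """Serve on a temporary socket in a thread, send each request, return replies."""
    sock_path = os.path.join(tempfile.mkdtemp(), "rootwrap.sock")
    ready = threading.Event()
    t = threading.Thread(target=serve,
                         args=(sock_path, filters, os.getuid(), len(requests), ready))
    t.start()
    ready.wait(5)
    replies = []
    for req in requests:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
            c.connect(sock_path)
            c.sendall(json.dumps(req).encode())
            replies.append(json.loads(c.recv(65536)))
    t.join()
    return replies


# Constructed filter list for the demo: echo with any args, ip in one fixed form only.
DEMO_FILTERS = [
    CommandFilter("echo", ECHO),
    CommandFilter("ip", "/sbin/ip", ["link", "show"]),
]

if __name__ == "__main__":
    for reply in roundtrip([{"argv": ["echo", "hello"]},
                            {"argv": ["ip", "link", "delete", "br0"]},
                            {"argv": ["cat", "/etc/shadow"]}], DEMO_FILTERS):
        print(reply)
```

Whatever transport carries the request, the filter list stays the real boundary: once a caller can reach the endpoint it can submit any argv, so the filters have to be as tight as on the non-daemon path. A local socket at least gives the daemon a kernel-verified peer uid to check; a message bus gives it only whatever the bus credentials prove, which is the exposure the reply above is worried about.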
