[openstack-dev] [neutron][rootwrap] Performance considerations, sudo?

Stephen Gran stephen.gran at theguardian.com
Fri Mar 7 13:41:58 UTC 2014


Hi,

Given that Yuriy says explicitly 'unix socket', I don't think he means 
'MQ' when he says 'RPC'.  I think he just means a daemon listening on a 
unix socket for execution requests.  This seems like a reasonably 
sensible idea to me.

Cheers,

On 07/03/14 12:52, Miguel Angel Ajo wrote:
>
> I thought of this option, but didn't consider it, as it's somehow
> risky to expose an RPC end executing privileged (even filtered) commands.
>
> If I'm not wrong, once you have credentials for messaging, you can
> send messages to any end, even filtered, I somehow see this as a higher
> risk option.
>
> And btw, if we add RPC in the middle, it's possible that all those
> system call delays increase, or don't decrease as much as would be desirable.
>
>
> On 03/07/2014 10:06 AM, Yuriy Taraday wrote:
>> Another option would be to allow rootwrap to run in daemon mode and
>> provide RPC interface. This way Neutron can spawn rootwrap (with its
>> CPython startup overhead) once and send new commands to be run later
>> over UNIX socket.
>
>> This way we won't need to learn a new language (C/C++), adopt a new toolchain
>> (RPython, Cython, whatever else) and still get a secure way to run
>> commands with root privileges.

-- 
Stephen Gran
Senior Systems Integrator - theguardian.com
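
A sketch of the kind of daemon discussed in this message (a process listening on a UNIX socket for execution requests), added here as an illustration and not code from rootwrap or from anyone in the thread. It assumes Linux (`SO_PEERCRED`); the filter table, the JSON request format and all function names are hypothetical. Unlike a message-queue endpoint, the caller is identified by the kernel-reported uid of the connecting process rather than by possession of messaging credentials.

```python
import json
import os
import re
import socket
import struct
import subprocess

# Hypothetical filter table (not rootwrap's format): executable -> regex per argument.
FILTERS = {"ip": ["netns", "exec", r"[\w-]{1,64}", "ip", "link", "show"]}

def peer_uid(conn):
    """Uid of the connecting process as reported by the kernel (Linux SO_PEERCRED)."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    return struct.unpack("3i", raw)[1]  # struct ucred is (pid, uid, gid)

def permitted(argv, filters=FILTERS):
    """True only if argv[0] is listed and each argument fully matches its pattern."""
    if not isinstance(argv, list) or not argv or not all(isinstance(a, str) for a in argv):
        return False
    patterns = filters.get(argv[0])
    if patterns is None or len(patterns) != len(argv) - 1:
        return False
    return all(re.fullmatch(p, a) for p, a in zip(patterns, argv[1:]))

def handle(conn, allowed_uids, filters=FILTERS):
    """Serve one request: check the caller's uid first, then the command filter."""
    reply = {"ok": False, "error": "peer uid not allowed"}
    if peer_uid(conn) in allowed_uids:
        reply = {"ok": False, "error": "command rejected by filter"}
        try:
            argv = json.loads(conn.recv(4096).decode())
        except ValueError:  # malformed JSON or invalid UTF-8
            argv = None
        if permitted(argv, filters):
            # No shell: argv goes straight to exec, so metacharacters are inert.
            out = subprocess.run(argv, capture_output=True, text=True, timeout=10)
            reply = {"ok": True, "rc": out.returncode, "stdout": out.stdout}
    conn.sendall(json.dumps(reply).encode())
    return reply

def serve(path, service_uid):
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old = os.umask(0o177)  # socket file is created mode 0600
    srv.bind(path)
    os.umask(old)
    os.chown(path, service_uid, -1)  # only the service account can connect
    srv.listen(8)
    while True:
        with srv.accept()[0] as conn:
            handle(conn, {service_uid})
```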