[openstack-dev] [neutron][rootwrap] Performance considerations, sudo?

Yuriy Taraday yorik.sar at gmail.com
Tue Mar 18 15:38:50 UTC 2014


Hello, Thierry.

On Mon, Mar 17, 2014 at 6:04 PM, Thierry Carrez <thierry at openstack.org> wrote:

> Note that the whole concept behind rootwrap is to limit the amount of
> code that runs with elevated privileges. If you end up running a full
> service as root which imports as many libraries as the rest of OpenStack
> services, then you should seriously consider switching to running your
> root-heavy service as root directly, because it won't make that much of
> a difference.
>
> I'm not closing the door to a persistent implementation... Just saying
> that in order to be useful, it needs to be as minimal as possible (both
> in amount of code written and code imported) and as simple as possible
> (so that its security model can be easily proven safe).
>

I'm aiming at ~100 new lines of code for the daemon. Of course I'll use some
batteries included with the Python stdlib, but they should be safe already.
It should be rather easy to audit them.

-- 

Kind regards, Yuriy.