[openstack-dev] [neutron][rootwrap] Performance considerations, sudo?

Sean Dague sean at dague.net
Fri Mar 21 11:40:51 UTC 2014

On 03/21/2014 05:42 AM, Thierry Carrez wrote:
> Yuriy Taraday wrote:
>> On Thu, Mar 20, 2014 at 5:41 PM, Miguel Angel Ajo <majopela at redhat.com
>> <mailto:majopela at redhat.com>> wrote:
>>>        If this coupled to neutron in a way that it can be accepted for
>>>     Icehouse (we're killing a performance bug), or that at least it can
>>>     be y backported, you'd be covering both the short & long term needs.
>> As I said on the meeting I plan to provide change request to Neutron
>> with some integration with this patch.
>> I'm also going to engage people involved in rootwrap about my change
>> request.
> Temporarily removing my rootwrap maintainer hat and putting on my
> OpenStack release manager hat: as you probably know we are well into
> Icehouse feature freeze at this point, and there is no way I would
> consider such a significant change for inclusion in the Icehouse release
> at this point.
> The work on both the daemon and the shedskin stuff is very promising,
> but the nature of this beast makes it necessary to undergo a lot of
> testing and security audits before it can be accepted. Not exactly
> something I'd consider 4 weeks before a final release.
> Frankly, this issue has been on the table forever and this is just the
> wrong timing to rush a new implementation to fix it.
> I filed a rootwrap session for the Juno Design summit -- ideally we'll
> have various solutions ready by then and we'd make the final choice for
> early integration in Juno, leaving plenty of time to catch the weird
> regressions (or security holes) that it may cause.

Sounds great. One of the things I hope happens with this is a look at
some place rootwrap is used with such an open policy, that it's
completely moot. For instance the nova-cpu policy includes tee & dd with
no arg limitting (which has been that way forever from my look in git

Which is basically game over.

So in the nova-cpu case I really think we should remove rootwrap as it's
got to do so many things as root that being a limitted user really isn't
an option.


Sean Dague
Samsung Research America
sean at dague.net / sean.dague at samsung.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 482 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20140321/42ffbe44/attachment.pgp>

More information about the OpenStack-dev mailing list