On Tue, Jul 30, 2013 at 8:55 AM, Thierry Carrez <thie...@openstack.org> wrote:

> Joe Gordon wrote:
> > Going forward I think we should support two approaches:
> >
> > 1) some faster mostly Python-based (because we are a Python project) rootwrap solution, there are many good ideas proposed above. Although Robert Collins' comments have yet to be addressed.
>
> About Robert's arguments: most filters operate on command arguments without checking state, so they don't introduce a TOCTOU race. Some advanced filters indeed use current state of the system in their checks so they introduce a TOCTOU race but those are not thought to be exploitable. For example KillFilter checks the PID target before it kills it, but since you don't control PID allocation you can't exploit that race to gain anything.
>
> > 2) Also support just using sudo.
> > Assuming any sort of rootwrap solution we propose will incur a non-zero overhead, I can imagine some users wanting to sacrifice some security for performance. For example if they run a private cloud where the tenants are mostly trusted.
>
> Now that's interesting, because we actually don't support running "sudo" as the root wrapper anymore (since Folsom/Grizzly). We removed the "root_helper" parameter (in Nova and Cinder) and use "rootwrap_config" instead.
>
> You can still bypass rootwrap completely by running the component as the root user instead of the unprivileged (nova) user, but that's about it. Is that really a use case we want to support?
>
> Note that if we add the ability to run python snippets of code in rootwrap, we'll definitely lose the ability to run outside rootwrap. So there seems to be a trade-off here:
>
> I thought we could move functions like linux_net.initialize_gateway_device to a Python snippet library that rootwrap would run in one go (using some artificial construct like "nova-rootwrap /etc/nova/rootwrap.conf py initialize_gateway_device parameters...") but then we'd lose the ability to run as the root user and to bypass rootwrap completely (since sudo py initialize_gateway_device wouldn't do you any good)... or maybe we can come up with a construct that would still work when called using basic sudo?
>

So whatever solution we go with, I think we need something for Havana, as even with removing pkg_resources from the binaries (https://review.openstack.org/#/c/38000/) rootwrap is still too slow to boot 50 instances at once (see https://bugs.launchpad.net/oslo/+bug/1199433 for details). I tried swapping out rootwrap for sudo and that made the issue go away. So I think we should go back to supporting just using sudo instead of rootwrap, and make sure any future solutions support a sudo-only option as well. But I am open to other ideas, I just think we need to implement something for Havana.

> --
> Thierry Carrez (ttx)
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev@lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
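Thierry's distinction above between argument-only filters and the state-checking KillFilter, as an added Python sketch that is not rootwrap's own code: the filter classes, the default signal list and the injectable exe_lookup hook are assumptions, and the PIDs used to exercise it are constructed.

```python
# Constructed model of rootwrap-style command filters (added illustration, not
# rootwrap's code).  Filter classes, signal list and exe_lookup are assumptions.
import os
import re


class CommandFilter:
    def __init__(self, cmd, arg_patterns):
        self.cmd = cmd
        self.patterns = [re.compile(p) for p in arg_patterns]

    def match(self, argv):
        if not argv or argv[0] != self.cmd or len(argv) - 1 != len(self.patterns):
            return False
        # Pure function of argv: no system state is read, so no race with exec.
        return all(p.fullmatch(a) for p, a in zip(self.patterns, argv[1:]))


class KillFilter:
    """Approve `kill [-SIG] PID` only if PID currently runs an allowed binary."""

    def __init__(self, allowed_exes, signals=("-9", "-HUP", "-TERM"), exe_lookup=None):
        self.allowed_exes = set(allowed_exes)
        self.signals = set(signals)
        # exe_lookup(pid) -> path or None; defaults to /proc, injectable for tests.
        self.exe_lookup = exe_lookup or self._proc_exe

    @staticmethod
    def _proc_exe(pid):
        try:
            return os.readlink("/proc/%d/exe" % pid)
        except OSError:
            return None

    def match(self, argv):
        if len(argv) == 3 and argv[0] == "kill" and argv[1] in self.signals:
            pid = argv[2]
        elif len(argv) == 2 and argv[0] == "kill":
            pid = argv[1]
        else:
            return False
        if not pid.isdigit():
            return False
        # State is read here but the kill runs later in the caller; the PID could
        # be reused in between (the TOCTOU window the thread describes).
        return self.exe_lookup(int(pid)) in self.allowed_exes


def authorize(filters, argv):
    # Rootwrap-style decision: allow the command if any configured filter matches.
    return any(f.match(argv) for f in filters)
```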