I thought of this option, but didn't consider it, as it's somehow risky to expose an RPC end executing privileged (even filtered) commands.
If I'm not wrong, once you have credentials for messaging, you can send messages to any end, even filtered; I somehow see this as a higher-risk option. And btw, if we add RPC in the middle, it's possible that all those system call delays increase, or don't decrease as much as would be desirable.

On 03/07/2014 10:06 AM, Yuriy Taraday wrote:
> Another option would be to allow rootwrap to run in daemon mode and provide an RPC interface. This way Neutron can spawn rootwrap (with its CPython startup overhead) once and send new commands to be run later over a UNIX socket.
> This way we won't need to learn a new language (C/C++), adopt a new toolchain (RPython, Cython, whatever else) and still get a secure way to run commands with root privileges.
_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
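
The daemon-over-UNIX-socket design discussed in this thread, as an added sketch that is not rootwrap's code or part of either message: the daemon side checks the caller's UID with Linux `SO_PEERCRED` and matches the requested argv against a filter table before anything would run. The `FILTERS` table, the JSON request format and all function names are hypothetical.

```python
import json
import os
import re
import socket
import struct

# Hypothetical filter table: absolute executable path -> pattern for its arguments.
FILTERS = {
    "/sbin/ip": re.compile(r"(link|addr|route) show( dev \w[\w.-]*)?"),
}

def peer_uid(conn):
    """UID of the process at the other end of a UNIX socket (Linux SO_PEERCRED)."""
    creds = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                            struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", creds)
    return uid

def check(argv, caller_uid, allowed_uid):
    """Return (allowed, reason) for one request; nothing is executed here."""
    if caller_uid != allowed_uid:
        return False, "peer uid not allowed"
    if not (isinstance(argv, list) and argv and
            all(isinstance(a, str) and not re.search(r"\s", a) for a in argv)):
        return False, "malformed argv"
    pattern = FILTERS.get(argv[0])  # exact path match, no PATH lookup
    if pattern is None or not pattern.fullmatch(" ".join(argv[1:])):
        return False, "no filter matches"
    return True, "ok"

def handle(conn, allowed_uid):
    """Daemon side: read one JSON argv request and reply with the decision."""
    try:
        argv = json.loads(conn.recv(4096))
    except ValueError:  # covers invalid JSON and invalid UTF-8
        argv = None
    allowed, reason = check(argv, peer_uid(conn), allowed_uid)
    # A real daemon would now run argv with subprocess.run(argv, shell=False).
    conn.sendall(json.dumps({"allowed": allowed, "reason": reason}).encode())
    return allowed

def demo(argv, allowed_uid=None):
    """Constructed exchange over a socketpair standing in for the daemon socket."""
    allowed_uid = os.geteuid() if allowed_uid is None else allowed_uid
    client, server = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with client, server:
        client.sendall(json.dumps(argv).encode())
        handle(server, allowed_uid)
        return json.loads(client.recv(4096))
```

The peer-credential check only identifies the calling UID, so the filter table remains the boundary for what that caller can ask for.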