John Garbutt wrote: > I tend to agree that (option 3) aggregating all of the calls to > rootwrap may be impractical: >> Sean Dague wrote: >> The reason there are 20 different call outs is that they aren't all in the >> same place. There are phases that happen here, and different kind of errors >> needed. I'm skeptical that you could push it all into one place. > > However it seems like the quickest way to reduce _some_ of the impact. > > Maybe just have python command-lets, like the filters (python code > that runs as root) that chain a set of shell requests, and the input > is restricted by the filters in the usual way. I do worry that it > encourages larger chunks of code running as root, but that is > something we should be able to avoid.
Running Python snippets instead of shelling out has been on the rootwrap feature backlog for a while. The drawback is that you lose "sudo" backward compat (the ability to run the same command using plain "sudo" instead of "sudo rootwrap...") so we were kinda waiting for a good use case justifying such loss. However if the run_as_root calls are scattered around and can't be grouped with minimal logic that will not give us a lot compared to using shell scripts for aggregation. Could someone post a log of the 20 calls involved so that we could check out how they could be grouped ? It doesn't have to be all in one call, even reducing those 20 to 5 or 10 would bring a significant performance improvement. -- Thierry Carrez (ttx) _______________________________________________ OpenStack-dev mailing list [email protected] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
