Excerpts from Joshua Harlow's message of 2013-08-08 10:39:38 -0700:
> A very neat option. I hadn't thought about tasks having policies on them.
>
> It does seem like a correct way to go, and a way that could help in some of
> the rootwrap area.
>
> Good idea Jay, the taskflow devs I think are starting to consider this idea
> and how it might be possible.
>
> There is, as you said, a long road, but I think this is just the way it goes, for
> better or worse.
>
This is a neat option, and it is actually quite similar to the proposed "use DBUS" solution. Basically we can achieve the goal in two similar ways:

1) Write a Python taskflow worker that runs as root and exposes "run_XXXCMDXXX_as_root_on_node_105058" as a capability which nova-compute will then eventually ask for. This will require security in taskflow that has perhaps not been considered up until now.

2) DBUS-enable iptables/brctl/ovs/etc. -- Longer time to develop, but tighter security and more universal benefit/contribution from the greater Linux community.

Doing these is not mutually exclusive. We can do 1 and then improve performance and security by attacking the pieces that make sense for solution 2 (thus relieving the need for run_XXXCMDXXX_as_root).

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev