Re: [openstack-dev] Python overhead for rootwrap

2013-08-08 Thread Clint Byrum
Excerpts from Joshua Harlow's message of 2013-08-08 10:39:38 -0700: > A very neat option. I hadn't thought about tasks having policies on them. > > It does seem like a correct way to go, and a way that could help in some of > the rootwrap area. > > Good idea Jay, the taskflow devs I think are st

Re: [openstack-dev] Python overhead for rootwrap

2013-08-08 Thread Joshua Harlow
Berrange" mailto:berra...@redhat.com>>, OpenStack Development Mailing List mailto:openstack-dev@lists.openstack.org>> Subject: Re: [openstack-dev] Python overhead for rootwrap Personally I'm of the opinion that from an architectural POV, use of either rootwrap or sudo is a ba

Re: [openstack-dev] Python overhead for rootwrap

2013-08-06 Thread Jay Buffington
> Personally I'm of the opinion that from an architectural POV, use of > either rootwrap or sudo is a bad solution, so arguing about which is > better is really missing the bigger picture. In Linux, there has been > a move away from use of sudo or similar approaches, towards the idea > of having pr

Re: [openstack-dev] Python overhead for rootwrap

2013-08-04 Thread Thierry Carrez
Dan Smith wrote: >> Any solution where you need to modify sudoers every time the code >> changes is painful, because there is only one sudo configuration on a >> machine and it's owned by root. > > Hmm? At least on ubuntu there is a default /etc/sudoers.d directory, > where we could land per-servi

Re: [openstack-dev] Python overhead for rootwrap

2013-08-02 Thread Joe Gordon
On Fri, Aug 2, 2013 at 10:33 AM, Dan Smith wrote: > > Any solution where you need to modify sudoers every time the code > > changes is painful, because there is only one sudo configuration on a > > machine and it's owned by root. > > Hmm? At least on ubuntu there is a default /etc/sudoers.d direc

Re: [openstack-dev] Python overhead for rootwrap

2013-08-02 Thread Dan Smith
> Any solution where you need to modify sudoers every time the code > changes is painful, because there is only one sudo configuration on a > machine and it's owned by root. Hmm? At least on ubuntu there is a default /etc/sudoers.d directory, where we could land per-service files like nova-compute

Re: [openstack-dev] Python overhead for rootwrap

2013-08-02 Thread Shawn Hartsock
I would like to do this because it will let me grind out details I need to cover for other tasks, but I'm in danger of over committing myself. How fast do you want it done? ... because that is a big job ... # Shawn Hartsock Russell Bryant wrote: On 08/02/2013 07:52 AM, Thierry Carrez wrote: >

Re: [openstack-dev] Python overhead for rootwrap

2013-08-02 Thread Russell Bryant
On 08/02/2013 07:52 AM, Thierry Carrez wrote: > Daniel P. Berrange wrote: >> On Fri, Aug 02, 2013 at 10:58:11AM +0100, Mark McLoughlin wrote: >>> On Thu, 2013-07-25 at 14:40 -0600, Mike Wilson wrote: In my opinion: 1. Stop using rootwrap completely and get strong argument checking su

Re: [openstack-dev] Python overhead for rootwrap

2013-08-02 Thread Chris Jones
Hi On 2 August 2013 13:14, Daniel P. Berrange wrote: > for managing VMs. Nova isn't using as much as it could do though. Nova > isn't using any of libvirt's storage or network related APIs currently, > which could obsolete some of its uses of rootwrap. That certainly sounds like a useful thing

Re: [openstack-dev] Python overhead for rootwrap

2013-08-02 Thread Daniel P. Berrange
On Fri, Aug 02, 2013 at 12:50:08PM +0100, Chris Jones wrote: > Hi > > On 2 August 2013 11:15, Daniel P. Berrange wrote: > > > better is really missing the bigger picture. In Linux, there has been > > a move away from use of sudo or similar approaches, towards the idea > > of having privileged se

Re: [openstack-dev] Python overhead for rootwrap

2013-08-02 Thread Thierry Carrez
Daniel P. Berrange wrote: > On Fri, Aug 02, 2013 at 10:58:11AM +0100, Mark McLoughlin wrote: >> On Thu, 2013-07-25 at 14:40 -0600, Mike Wilson wrote: >>> In my opinion: >>> >>> 1. Stop using rootwrap completely and get strong argument checking support >>> into sudo (regex). >>> 2. Some sort of long

Re: [openstack-dev] Python overhead for rootwrap

2013-08-02 Thread Chris Jones
Hi On 2 August 2013 11:15, Daniel P. Berrange wrote: > better is really missing the bigger picture. In Linux, there has been > a move away from use of sudo or similar approaches, towards the idea > of having privileged separated services. So if you wanted to do stuff > I think it would be fair t

Re: [openstack-dev] Python overhead for rootwrap

2013-08-02 Thread Daniel P. Berrange
On Fri, Aug 02, 2013 at 10:58:11AM +0100, Mark McLoughlin wrote: > On Thu, 2013-07-25 at 14:40 -0600, Mike Wilson wrote: > > In my opinion: > > > > 1. Stop using rootwrap completely and get strong argument checking support > > into sudo (regex). > > 2. Some sort of long lived rootwrap process, eit

Re: [openstack-dev] Python overhead for rootwrap

2013-08-02 Thread Mark McLoughlin
On Thu, 2013-07-25 at 14:40 -0600, Mike Wilson wrote: > In my opinion: > > 1. Stop using rootwrap completely and get strong argument checking support > into sudo (regex). > 2. Some sort of long lived rootwrap process, either forked by the service > that wants to shell out or a general purpose roo

Re: [openstack-dev] Python overhead for rootwrap

2013-08-02 Thread Thierry Carrez
Robert Collins wrote: > On 2 August 2013 20:05, Thierry Carrez wrote: > >> It was a bit of a maintenance nightmare (the file was maintained in >> every distribution rather than centrally in openstack). Another issue >> was that we shipped the same sudoers for every combination of nodes, >> allowi

Re: [openstack-dev] Python overhead for rootwrap

2013-08-02 Thread Robert Collins
On 2 August 2013 20:05, Thierry Carrez wrote: > It was a bit of a maintenance nightmare (the file was maintained in > every distribution rather than centrally in openstack). Another issue > was that we shipped the same sudoers for every combination of nodes, > allowing for example nova-api to run

Re: [openstack-dev] Python overhead for rootwrap

2013-08-02 Thread Thierry Carrez
Joe Gordon wrote: > Having rootwrap on by default makes nova-network scale very poorly by > default. Which doesn't sound like a good default, but not sure if no > rootwrap is a better default. If it boils down to that choice, by default I would pick security over performance. >> It will require

Re: [openstack-dev] Python overhead for rootwrap

2013-08-01 Thread Joe Gordon
On Aug 1, 2013 2:06 AM, "Thierry Carrez" wrote: > > Joe Gordon wrote: > > I tried > > swapping out rootwrap for sudo and that made the issue go away. So I > > think we should go back to supporting just using sudo instead of > > rootwrap, and make sure any future solutions support a sudo only op

Re: [openstack-dev] Python overhead for rootwrap

2013-08-01 Thread Thierry Carrez
Joe Gordon wrote: > I tried > swapping out rootwrap for sudo and that made the issue go away. So I > think we should go back to supporting just using sudo instead of > rootwrap, and make sure any future solutions support a sudo only option > as well. But I am open to other ideas, I just think w

Re: [openstack-dev] Python overhead for rootwrap

2013-07-31 Thread Joe Gordon
On Tue, Jul 30, 2013 at 8:55 AM, Thierry Carrez wrote: > Joe Gordon wrote: > > Going forward I think we should support two approaches: > > > > 1) some faster mostly python based (because we are a python project) > > rootwrap solution, there are many good ideas proposed above. Although > > Robert

Re: [openstack-dev] Python overhead for rootwrap

2013-07-30 Thread Thierry Carrez
Joe Gordon wrote: > Going forward I think we should support two approaches: > > 1) some faster mostly python based (because we are a python project) > rootwrap solution, there are many good ideas proposed above. Although > Robert Collins' comments have yet to be addressed. About Robert's argume

Re: [openstack-dev] Python overhead for rootwrap

2013-07-30 Thread Thierry Carrez
Jay Buffington wrote: > I haven't closely looked at rootwrap, but it seems to me that you could > use the > rootwrap config files to generate a gigantic sudoers config file which > would not > necessarily be human readable. That would have the flexibility and > maintainability of rootwrap with th

Re: [openstack-dev] Python overhead for rootwrap

2013-07-29 Thread Jay Buffington
I haven't closely looked at rootwrap, but it seems to me that you could use the rootwrap config files to generate a gigantic sudoers config file which would not necessarily be human readable. That would have the flexibility and maintainability of rootwrap with the speed and audibility sudo. On T

Re: [openstack-dev] Python overhead for rootwrap

2013-07-29 Thread Joe Gordon
; Kevin > > From: John Garbutt [j...@johngarbutt.com] > Sent: Monday, July 29, 2013 2:38 AM > To: OpenStack Development Mailing List > Subject: Re: [openstack-dev] Python overhead for rootwrap > > > Joe Gordon wrote: > > time python

Re: [openstack-dev] Python overhead for rootwrap

2013-07-29 Thread Joe Gordon
On Mon, Jul 29, 2013 at 5:51 AM, Thierry Carrez wrote: > John Garbutt wrote: > > I tend to agree that (option 3) aggregating all of the calls to > > rootwrap may be impractical: > >> Sean Dague wrote: > >> The reason there are 20 different call outs is that they aren't all in > the > >> same place

Re: [openstack-dev] Python overhead for rootwrap

2013-07-29 Thread Sill, Alan
Speed considerations could be driven not only by the length of the python script, but also by the number of simultaneous calls to it on a distributed (or virtualized) file system. Alternatives to running the script in normal python execution mode would be to pre-compile (and possibly pre-distri

Re: [openstack-dev] Python overhead for rootwrap

2013-07-29 Thread Fox, Kevin M
013 2:38 AM To: OpenStack Development Mailing List Subject: Re: [openstack-dev] Python overhead for rootwrap > Joe Gordon wrote: > time python -c "print 'test'" Is this a fair test, because I assume we don't need to compile rootwrap each time? Having said that,

Re: [openstack-dev] Python overhead for rootwrap

2013-07-29 Thread Thierry Carrez
John Garbutt wrote: > I tend to agree that (option 3) aggregating all of the calls to > rootwrap may be impractical: >> Sean Dague wrote: >> The reason there are 20 different call outs is that they aren't all in the >> same place. There are phases that happen here, and different kinds of errors >> n

Re: [openstack-dev] Python overhead for rootwrap

2013-07-29 Thread John Garbutt
> Joe Gordon wrote: > time python -c "print 'test'" Is this a fair test, because I assume we don't need to compile rootwrap each time? Having said that, I believe you that there is overhead in starting python. >>> Mike Wilson wrote: In my opinion: 1. Stop using rootwrap completely

Re: [openstack-dev] Python overhead for rootwrap

2013-07-29 Thread Thierry Carrez
Thomas Goirand wrote: > On 07/26/2013 05:43 AM, Thierry Carrez wrote: >> I would rather support solution 3: create a single, separate executable >> that does those 20 things that need to be done (can be a shell script >> with some logic in it), and have rootwrap call that *once*. That way you >> i

Re: [openstack-dev] Python overhead for rootwrap

2013-07-27 Thread Thomas Goirand
On 07/26/2013 05:43 AM, Thierry Carrez wrote: > I would rather support solution 3: create a single, separate executable > that does those 20 things that need to be done (can be a shell script > with some logic in it), and have rootwrap call that *once*. That way you > increase speed by 20 times wi

Re: [openstack-dev] Python overhead for rootwrap

2013-07-27 Thread Monty Taylor
On 07/26/2013 04:59 PM, Joe Gordon wrote: > > > > On Fri, Jul 26, 2013 at 11:34 AM, Jay Pipes > wrote: > > On 07/25/2013 04:21 PM, Joe Gordon wrote: > > Hi All, > > We have recently hit some performance issues with nova-network. It >

Re: [openstack-dev] Python overhead for rootwrap

2013-07-26 Thread Joe Gordon
On Fri, Jul 26, 2013 at 11:34 AM, Jay Pipes wrote: > On 07/25/2013 04:21 PM, Joe Gordon wrote: > >> Hi All, >> >> We have recently hit some performance issues with nova-network. It >> turns out the root cause of this was we do roughly 20 rootwrapped shell >> commands, many inside of global locks

Re: [openstack-dev] Python overhead for rootwrap

2013-07-26 Thread Jay Pipes
On 07/25/2013 04:21 PM, Joe Gordon wrote: Hi All, We have recently hit some performance issues with nova-network. It turns out the root cause of this was we do roughly 20 rootwrapped shell commands, many inside of global locks. (https://bugs.launchpad.net/oslo/+bug/1199433) It turns out starti

Re: [openstack-dev] Python overhead for rootwrap

2013-07-26 Thread Sean Dague
On 07/25/2013 05:43 PM, Thierry Carrez wrote: Russell Bryant wrote: On 07/25/2013 04:40 PM, Mike Wilson wrote: In my opinion: 1. Stop using rootwrap completely and get strong argument checking support into sudo (regex). 2. Some sort of long lived rootwrap process, either forked by the service

Re: [openstack-dev] Python overhead for rootwrap

2013-07-25 Thread Robert Collins
On 26 July 2013 09:43, Thierry Carrez wrote: > Russell Bryant wrote: >> On 07/25/2013 04:40 PM, Mike Wilson wrote: >>> In my opinion: >>> >>> 1. Stop using rootwrap completely and get strong argument checking >>> support into sudo (regex). >>> 2. Some sort of long lived rootwrap process, either fo

Re: [openstack-dev] Python overhead for rootwrap

2013-07-25 Thread Michael Still
On Fri, Jul 26, 2013 at 7:43 AM, Thierry Carrez wrote: > I would rather support solution 3: create a single, separate executable > that does those 20 things that need to be done (can be a shell script > with some logic in it), and have rootwrap call that *once*. That way you > increase speed by

Re: [openstack-dev] Python overhead for rootwrap

2013-07-25 Thread Thierry Carrez
Russell Bryant wrote: > On 07/25/2013 04:40 PM, Mike Wilson wrote: >> In my opinion: >> >> 1. Stop using rootwrap completely and get strong argument checking >> support into sudo (regex). >> 2. Some sort of long lived rootwrap process, either forked by the >> service that wants to shell out or a g

Re: [openstack-dev] Python overhead for rootwrap

2013-07-25 Thread Russell Bryant
On 07/25/2013 04:40 PM, Mike Wilson wrote: > In my opinion: > > 1. Stop using rootwrap completely and get strong argument checking > support into sudo (regex). > 2. Some sort of long lived rootwrap process, either forked by the > service that wants to shell out or a general purpose rootwrapd type

Re: [openstack-dev] Python overhead for rootwrap

2013-07-25 Thread Mike Wilson
In my opinion: 1. Stop using rootwrap completely and get strong argument checking support into sudo (regex). 2. Some sort of long lived rootwrap process, either forked by the service that wants to shell out or a general purpose rootwrapd type thing. I prefer #1 because it's surprising that sudo