Please note: This schedule is for OpenStack Active Technical Contributors participating in the Icehouse Design Summit sessions in Hong Kong. These are working sessions to determine the roadmap of the Icehouse release and make decisions across the project. To see the full OpenStack Summit schedule, including presentations, panels and workshops, go to http://openstacksummitnovember2013.sched.org.
Back To Schedule
Wednesday, November 6 • 2:50pm - 3:30pm
Rootwrap: Icehouse plans

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

During the Havana cycle we focused on getting all consuming projects (Nova, Cinder, Neutron) to use the oslo-incubator version of rootwrap.

The next step now is to look into how those projects actually use rootwrap, and make improvements to that (on both sides). The current state is a bit sad with old configuration options still being used (I'm looking at you, Neutron and processutils), unrestrictive filters (the basic "CommandFilter" is used way too often), missing granularity (all volume drivers in Cinder share the same filter file) and commands being allowed as root while not strictly necessary (can achieve the same results without running as root so much). We'll discuss where to focus our efforts (nodes that could actually avoid all escalation mechanisms) and identify who would be interested to handle which area.

We'll also use this session to discuss potential replacements to rootwrap, or how we could solve the performance bottlenecks due to executing a new python process for each command being shelled out as root.

Finally, we'll discuss how far we are from making rootwrap a standalone library, and if that's a good idea to begin with.

(Session proposed by Thierry Carrez)

Wednesday November 6, 2013 2:50pm - 3:30pm HKT
AWE Level 2, Room 201B

Attendees (0)