Joe Gordon wrote: > Having rootwrap on by default makes nova-network scale very poorly by > default. Which doesn't sound like a good default, but not sure if no > rootwrap is a better default.
If it boils down to that choice, by default I would pick security over performance. >> It will require a passwordless blanket sudo access for the nova user. > > Can't we go back to having a sudoers file white listing which binaries > it can call, like before? It was a bit of a maintenance nightmare (the file was maintained in every distribution rather than centrally in openstack). Another issue was that we shipped the same sudoers for every combination of nodes, allowing for example nova-api to run stuff as root it should never be allowed to run. See [1] for the limitations of using sudo which triggered another solution in the first place. [1] https://fnords.wordpress.com/2011/11/23/improving-nova-privilege-escalation-model-part-1/ -- Thierry Carrez (ttx) _______________________________________________ OpenStack-dev mailing list [email protected] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
