Monty Taylor wrote:

>> On Wed, Feb 04, 2015 at 11:58:03AM +0100, Thierry Carrez wrote:
>>> (2) bite the bullet and accept that some types of nodes actually need
>>> root rights for so many different things, they should just run as root
>>> anyway. I know a few distributions which won't be very pleased by such a
>>> prospect, but that would be a more honest approach (rather than claiming
>>> we provide efficient isolation when we really don't). An added benefit
>>> is that we could replace a number of shell calls by Python code, which
>>> would simplify the code and increase performance.
>
> I'm actually the biggest fan of this solution (even more than Daniel's
> suggestion below) because it's the thing that is closest to reality.
>
> Security isn't a useful concept in a vacuum - it's something we do to
> prevent access to or damage to resources that we don't want accessed by the
> wrong people.
>
> On compute nodes, the main valuable things are the VMs themselves - and
> I'd expect the most interested target of an attack to be interested in
> manipulating, stealing data from or deleting the VMs.
>
> No amount of rootwrap or privileges are going to prevent nova-compute
> from performing unwanted actions on the VMs in its control - for the
> reason that its job in life is to manipulate those things.
>
> Is it a security hole in the traditional distro sense - that we want to
> be able to install all of these things with apt-get or yum on a single
> server and have the actions of one service not affect the state of
> another? Sure. Is it in the real world? No. You're not going to use this
> to manage VMs on a laptop - you're going to use virtualbox or
> virt-manager. You're going to use nova-compute to manage compute hosts
> in a cloud - and in almost all circumstances the only thing that's going
> to be running on your compute hosts is going to be nova-compute.
You make a good point when you mention "traditional distro" here. I would argue that containers are slightly changing the rules of the don't-run-as-root game. Solution (2) aligns pretty well with container-powered OpenStack deployments -- running compute nodes as root in a container (and embracing the above-mentioned simplicity/performance gains) sounds like a pretty strong combo.

-- 
Thierry Carrez (ttx)

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev