| stephenfin | fungi: I wasn't at the TC/PTL session on Monday, but what was the context of the rootwrap to privsep migration? | 15:16 |
|---|---|---|
| gouthamr | it came up because eventlet-removal requires a migration to privsep | 15:16 |
| fungi | stephenfin: whether it was "done" | 15:17 |
| stephenfin | I ask as I see a link to os-brick there. I started work on migrating os-brick to privsep years ago, but it never got reviewed and I grew tired of rebasing it | 15:17 |
| stephenfin | https://review.opendev.org/q/project:openstack/os-brick+owner:stephenfin@redhat.com+branch:master (there wasn't a consistent topic) | 15:18 |
| fungi | and the goal basically has two halves, one is moving off rootwrap but the other is actually using privsep more securely than what rootwrap allowed (and basically no projects have done the latter half) | 15:18 |
| stephenfin | ah, yes, one of sean-k-mooney's favourite hills to die to on 😄 | 15:19 |
| stephenfin | s/die to/die/ | 15:19 |
| fungi | moving off rootwrap was mostly pointless if we simply moved the existing security design risks into a privsep policy | 15:19 |
| stephenfin | except now there's an eventlet aspect also? | 15:20 |
| fungi | which i think was a bit of a happy accident | 15:21 |
| stephenfin | indeed | 15:21 |
| stephenfin | well I'm guessing you figured this out Monday (it's not clear from the notes) but os-brick is not migrated and still needs to be done | 15:22 |
| fungi | my brain is mush at this point, but i do think that came up, yes | 15:22 |
| fungi | hopefully someone else remembers better than i | 15:23 |
| stephenfin | 😄 Isn't everyone's. Good to know. Thanks for the context | 15:23 |
| sean-k-mooney | fungi: os-vif kind of does it right | 15:45 |
| sean-k-mooney | the problem with many contexts is it increases memory usage | 15:46 |
| sean-k-mooney | but having a small number is a good thing | 15:46 |
| sean-k-mooney | the split i wanted to do in nova was file operations, network operations and everything else | 15:46 |
| sean-k-mooney | we should not really have a single privsep call that needs the ability to read/write any file on the system while also reconfiguring network interfaces | 15:47 |
| sean-k-mooney | so there are some natural splits that can/should be done | 15:47 |
| fungi | sean-k-mooney: yeah, it was more that i wasn't aware of any that did (and had forgotten about os-vif, a great albeit small example) | 15:54 |
| sean-k-mooney | well even os-vif does it on plugin | 15:55 |
| sean-k-mooney | but it's a networking lib so really we don't have different types of privsep calls | 15:55 |
| sean-k-mooney | but ya services have different types in general | 15:56 |
| sean-k-mooney | the other thing is bubblewrap and other tools exist | 15:56 |
| sean-k-mooney | so the more secure approach really is not to just have rootwrap or privsep | 15:57 |
| sean-k-mooney | it's defence in depth with selinux and sandboxes and containers etc. | 15:57 |
| clarkb | sean-k-mooney: the memory usage ballooning is likely solvable too fwiw. I can't imagine that we actually need to consume several hundred megabytes of memory just to shuttle a few bytes around. It seems likely that buffers are bloating because we're not formally buffering things and shuttling it around so python lets them grow? | 16:01 |
| clarkb | but yes the memory consumption is a problem and ideally it would get addressed | 16:01 |
| fungi | i think it was related to forking off the parent carrying the entire context in with it | 16:04 |
| fungi | if memory serves we discussed possible mitigations for that | 16:05 |
| sean-k-mooney | it's because each context needs a different privsep process today and each one needs to import the relevant set of python modules with the code to run i.e. a subset of nova | 16:05 |
| sean-k-mooney | fungi: yes it is | 16:05 |
| sean-k-mooney | with that said having 2-3 contexts per service as i described above | 16:06 |
| sean-k-mooney | is likely workable | 16:06 |
| sean-k-mooney | but with all that said libvirt runs as root and ovs used to by default | 16:07 |
| clarkb | if the issue is forking wouldn't the unused pages all get marked as unused and things wouldn't be resident? | 16:07 |
| sean-k-mooney | they just rely on selinux etc. | 16:07 |
| sean-k-mooney | so to a degree i think the sandboxing can be external | 16:07 |
| sean-k-mooney | as long as it's not inherently insecure without it | 16:07 |
| clarkb | anyway there are profiling tools that can be used to provide concrete data and if that info is collected I'm pretty certain improvements could be made | 16:07 |
| mnasiadka | Well, Kolla uses rootwrap to run privsep-helper (I assume that’s some… interim path), wonder if other deployment projects do the same - so whatever is the plan it should probably include deployment projects | 19:28 |
| fungi | from a security perspective that's likely just fine, as long as services are only calling into privsep that's what's providing the isolation layer | 19:51 |
| fungi | but from a being able to finally retire and get rid of rootwrap perspective, less great of course | 19:52 |