yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #11636
[Bug 1292598] [NEW] rootwrap massive overhead limits neutron scalability
Public bug reported:
Permission elevation via rootwrap, has a massive impact on the network nodes,
increasing setup time 2.5 times compared to plain sudo. [2] [3]
A network node with 192 private networks + 192 routers takes:
- 24 minutes to setup with rootwrap
- 10 minutes to setup with just sudo
Rootwrap need is clear, from the security point of view, but an optimization is required
from the performance point of view [1]
Appendix:
[1] https://etherpad.openstack.org/p/neutron-agent-exec-performance
[2] mail list discussions:
a) http://lists.openstack.org/pipermail/openstack-dev/2014-March/029017.html
b) http://lists.openstack.org/pipermail/openstack-dev/2013-July/012539.html
[3]
[root@rhos4-neutron2 ~]# time neutron-rootwrap --help
/usr/bin/neutron-rootwrap: No command specified
real 0m0.309s
user 0m0.128s
sys 0m0.037s
[root@rhos4-neutron2 ~]# time python -c'import sys;sys.exit(0)'
real 0m0.057s
user 0m0.016s
sys 0m0.011s
[root@rhos4-neutron2 ~]# time sudo bash -c 'exit 0'
real 0m0.032s
user 0m0.010s
sys 0m0.019s
[root@rhos4-neutron2 ~]# echo "int main() { return 0; }" > test.c
[root@rhos4-neutron2 ~]# gcc test.c -o test
[root@rhos4-neutron2 ~]# time test # to time process invocation on this machine
real 0m0.000s
user 0m0.000s
sys 0m0.000s
** Affects: neutron
Importance: Undecided
Status: New
** Description changed:
- Permission elevation via rootwrap, has a massive impact on the network nodes,
+ Permission elevation via rootwrap, has a massive impact on the network nodes,
increasing setup time 2.5 times compared to plain sudo. [2] [3]
A network node with 192 private networks + 192 routers takes:
- - 24 minutes to setup with rootwrap
- - 10 minutes to setup with just sudo
+ - 24 minutes to setup with rootwrap
+ - 10 minutes to setup with just sudo
- Rootwrap need is clear, from the security point of view, but an optimization is required
+ Rootwrap need is clear, from the security point of view, but an optimization is required
from the performance point of view [1]
-
Appendix:
[1] https://etherpad.openstack.org/p/neutron-agent-exec-performance
- [2] mail list discussions:
- a) http://lists.openstack.org/pipermail/openstack-dev/2014-March/029017.html
- b) http://lists.openstack.org/pipermail/openstack-dev/2013-July/012539.html
+ [2] mail list discussions:
+ a) http://lists.openstack.org/pipermail/openstack-dev/2014-March/029017.html
+ b) http://lists.openstack.org/pipermail/openstack-dev/2013-July/012539.html
[3]
[root@rhos4-neutron2 ~]# time neutron-rootwrap --help
/usr/bin/neutron-rootwrap: No command specified
real 0m0.309s
user 0m0.128s
sys 0m0.037s
-
[root@rhos4-neutron2 ~]# time python -c'import sys;sys.exit(0)'
real 0m0.057s
user 0m0.016s
sys 0m0.011s
[root@rhos4-neutron2 ~]# time sudo bash -c 'exit 0'
real 0m0.032s
user 0m0.010s
sys 0m0.019s
-
[root@rhos4-neutron2 ~]# echo "int main() { return 0; }" > test.c
[root@rhos4-neutron2 ~]# gcc test.c -o test
[root@rhos4-neutron2 ~]# time test # to time process invocation on this machine
real 0m0.000s
user 0m0.000s
sys 0m0.000s
** Description changed:
Permission elevation via rootwrap, has a massive impact on the network nodes,
increasing setup time 2.5 times compared to plain sudo. [2] [3]
A network node with 192 private networks + 192 routers takes:
- 24 minutes to setup with rootwrap
- 10 minutes to setup with just sudo
Rootwrap need is clear, from the security point of view, but an optimization is required
from the performance point of view [1]
Appendix:
[1] https://etherpad.openstack.org/p/neutron-agent-exec-performance
[2] mail list discussions:
- a) http://lists.openstack.org/pipermail/openstack-dev/2014-March/029017.html
- b) http://lists.openstack.org/pipermail/openstack-dev/2013-July/012539.html
+ a) http://lists.openstack.org/pipermail/openstack-dev/2014-March/029017.html
+ b) http://lists.openstack.org/pipermail/openstack-dev/2013-July/012539.html
[3]
[root@rhos4-neutron2 ~]# time neutron-rootwrap --help
/usr/bin/neutron-rootwrap: No command specified
real 0m0.309s
user 0m0.128s
sys 0m0.037s
[root@rhos4-neutron2 ~]# time python -c'import sys;sys.exit(0)'
real 0m0.057s
user 0m0.016s
sys 0m0.011s
[root@rhos4-neutron2 ~]# time sudo bash -c 'exit 0'
real 0m0.032s
user 0m0.010s
sys 0m0.019s
[root@rhos4-neutron2 ~]# echo "int main() { return 0; }" > test.c
[root@rhos4-neutron2 ~]# gcc test.c -o test
[root@rhos4-neutron2 ~]# time test # to time process invocation on this machine
real 0m0.000s
user 0m0.000s
sys 0m0.000s
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1292598
Title:
rootwrap massive overhead limits neutron scalability
Status in OpenStack Neutron (virtual network service):
New
Bug description:
Permission elevation via rootwrap, has a massive impact on the network nodes,
increasing setup time 2.5 times compared to plain sudo. [2] [3]
A network node with 192 private networks + 192 routers takes:
- 24 minutes to setup with rootwrap
- 10 minutes to setup with just sudo
Rootwrap need is clear, from the security point of view, but an optimization is required
from the performance point of view [1]
Appendix:
[1] https://etherpad.openstack.org/p/neutron-agent-exec-performance
[2] mail list discussions:
a) http://lists.openstack.org/pipermail/openstack-dev/2014-March/029017.html
b) http://lists.openstack.org/pipermail/openstack-dev/2013-July/012539.html
[3]
[root@rhos4-neutron2 ~]# time neutron-rootwrap --help
/usr/bin/neutron-rootwrap: No command specified
real 0m0.309s
user 0m0.128s
sys 0m0.037s
[root@rhos4-neutron2 ~]# time python -c'import sys;sys.exit(0)'
real 0m0.057s
user 0m0.016s
sys 0m0.011s
[root@rhos4-neutron2 ~]# time sudo bash -c 'exit 0'
real 0m0.032s
user 0m0.010s
sys 0m0.019s
[root@rhos4-neutron2 ~]# echo "int main() { return 0; }" > test.c
[root@rhos4-neutron2 ~]# gcc test.c -o test
[root@rhos4-neutron2 ~]# time test # to time process invocation on this machine
real 0m0.000s
user 0m0.000s
sys 0m0.000s
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1292598/+subscriptions
Follow ups
References
