[openstack-dev] [Kuryr] Starting Kuryr service requires root privilege
Baohua Yang
yangbaohua at gmail.com
Tue Jan 26 09:19:45 UTC 2016
Thanks toni.
Could u help add those instructions into doc?
And we might need provide some tool to enable those CAP_NET_ADMIN cap in
the startup scripts.
On Tue, Jan 26, 2016 at 4:29 PM, Antoni Segura Puimedon <
toni+openstackml at midokura.com> wrote:
> On Tue, Jan 26, 2016 at 8:13 AM, Baohua Yang <yangbaohua at gmail.com> wrote:
> > Hi hua
> > Thanks for the suggestion!
> > Yes, root wrap is also a good candidate.
> > We will compare to choose the proper solution.
> > Thanks!
> >
> > On Tue, Jan 26, 2016 at 1:59 PM, 王华 <wanghua.humble at gmail.com> wrote:
> >>
> >> Hi Baohua,
> >>
> >> I think https://wiki.openstack.org/wiki/Rootwrap can solve this
> problem.
> >> It is used in other OpenStack projects like Nova, Neutron.
> >>
> >> Regards,
> >> Wanghua
> >>
> >> On Tue, Jan 26, 2016 at 1:07 PM, Baohua Yang <yangbaohua at gmail.com>
> wrote:
> >>>
> >>> Hi toni
> >>>
> >>> Recently we found some issue when starting kuryr service without root
> >>> privilege [1].
> >>>
> >>> Tfukushima mentioned that you have some suggestion on using capacity to
> >>> solve this?
>
> I do. I have a C launcher that allows Kuryr to run with CAP_NET_ADMIN so
> that
> any user can run it. My idea was to put it in contrib and then let the
> distros decide
> if they want to run kuryr as root or use the launcher in their packaging
> systemd
> service files.
>
> >>>
> >>> We currently make a temp workaround by suggesting using sudo to start
> the
> >>> service [2].
> >>>
> >>> Any advice?
> >>>
> >>> Thanks!
> >>>
> >>> [1] https://bugs.launchpad.net/kuryr/+bug/1516539.
> >>> [2] https://review.openstack.org/#/c/272370
> >>>
> >>> --
> >>> Best wishes!
> >>> Baohua
> >>>
> >>>
> >>>
> __________________________________________________________________________
> >>> OpenStack Development Mailing List (not for usage questions)
> >>> Unsubscribe:
> >>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> >>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >>>
> >>
> >>
> >>
> __________________________________________________________________________
> >> OpenStack Development Mailing List (not for usage questions)
> >> Unsubscribe:
> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >>
> >
> >
> >
> > --
> > Best wishes!
> > Baohua
> >
> >
> __________________________________________________________________________
> > OpenStack Development Mailing List (not for usage questions)
> > Unsubscribe:
> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
--
Best wishes!
Baohua
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20160126/66fa2116/attachment.html>
More information about the OpenStack-dev
mailing list