[openstack-dev] [Kuryr] Starting Kuryr service requires root privilege

Antoni Segura Puimedon toni+openstackml at midokura.com
Tue Jan 26 10:04:17 UTC 2016


On Tue, Jan 26, 2016 at 10:19 AM, Baohua Yang <yangbaohua at gmail.com> wrote:
> Thanks toni.
> Could you help add those instructions into the doc?
> And we might need to provide some tool to enable the CAP_NET_ADMIN cap in the
> startup scripts.

I'll send a WIP patch today or tomorrow.

>
> On Tue, Jan 26, 2016 at 4:29 PM, Antoni Segura Puimedon
> <toni+openstackml at midokura.com> wrote:
>>
>> On Tue, Jan 26, 2016 at 8:13 AM, Baohua Yang <yangbaohua at gmail.com> wrote:
>> > Hi hua
>> > Thanks for the suggestion!
>> > Yes, root wrap is also a good candidate.
>> > We will compare to choose the proper solution.
>> > Thanks!
>> >
>> > On Tue, Jan 26, 2016 at 1:59 PM, 王华 <wanghua.humble at gmail.com> wrote:
>> >>
>> >> Hi Baohua,
>> >>
>> >> I think https://wiki.openstack.org/wiki/Rootwrap can solve this
>> >> problem.
>> >> It is used in other OpenStack projects like Nova, Neutron.
>> >>
>> >> Regards,
>> >> Wanghua
>> >>
>> >> On Tue, Jan 26, 2016 at 1:07 PM, Baohua Yang <yangbaohua at gmail.com> wrote:
>> >>>
>> >>> Hi toni
>> >>>
>> >>> Recently we found some issue when starting kuryr service without root
>> >>> privilege [1].
>> >>>
>> >>> Tfukushima mentioned that you have some suggestion on using capacity to
>> >>> solve this?
>>
>> I do. I have a C launcher that allows Kuryr to run with CAP_NET_ADMIN so that
>> any user can run it. My idea was to put it in contrib and then let the distros
>> decide if they want to run kuryr as root or use the launcher in their packaging
>> systemd service files.
>>
>> >>>
>> >>> We currently make a temp workaround by suggesting using sudo to start the
>> >>> service [2].
>> >>>
>> >>> Any advice?
>> >>>
>> >>> Thanks!
>> >>>
>> >>> [1] https://bugs.launchpad.net/kuryr/+bug/1516539.
>> >>> [2] https://review.openstack.org/#/c/272370
>> >>>
>> >>> --
>> >>> Best wishes!
>> >>> Baohua
>> >>>
>> >>>
>> >>>
>> >>> __________________________________________________________________________
>> >>> OpenStack Development Mailing List (not for usage questions)
>> >>> Unsubscribe:
>> >>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> >>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>> >>>
>> >>
>> >>
>> >
>> >
>> >
>> > --
>> > Best wishes!
>> > Baohua
>> >
>> >
>>
>
>
>
>
> --
> Best wishes!
> Baohua
>
>
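The launcher approach discussed in the thread, as an added example that is not the launcher mentioned above and not Kuryr code: a small C program that moves CAP_NET_ADMIN into the ambient set and then executes one fixed service binary as the calling user. Assumptions: Linux 4.3 or later, `SERVICE_PATH` is a placeholder, and the packager has granted the launcher the capability (for example `setcap cap_net_admin=p` on the launcher binary) and restricted who may execute it.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Placeholder path (assumption); fixed at build time so the launcher
 * cannot be used to start arbitrary programs with CAP_NET_ADMIN. */
#define SERVICE_PATH "/path/to/kuryr-service"

/* 1 if `cap` is in this process's permitted set, 0 if not, -1 on error. */
static int cap_permitted(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2] = { { 0 } };

    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    return (data[cap / 32].permitted >> (cap % 32)) & 1;
}

/* Add `cap` to the inheritable and ambient sets so it survives execve()
 * of a program without file capabilities. 0 on success, -1 on error. */
static int raise_ambient(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2] = { { 0 } };

    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    data[cap / 32].inheritable |= 1u << (cap % 32);
    if (syscall(SYS_capset, &hdr, data) != 0)
        return -1;
    /* The kernel only allows this if cap is both permitted and inheritable. */
    return prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0) == 0 ? 0 : -1;
}

int main(int argc, char **argv)
{
    (void)argc;
    if (cap_permitted(CAP_NET_ADMIN) != 1 || raise_ambient(CAP_NET_ADMIN) != 0) {
        /* Fail closed: do not start the service without the capability. */
        fprintf(stderr, "CAP_NET_ADMIN not available to launcher\n");
        return 1;
    }
    argv[0] = (char *)SERVICE_PATH;
    execv(SERVICE_PATH, argv);   /* runs as the caller, plus one capability */
    perror("execv");
    return 127;
}
```

Because anyone who can execute a binary carrying file capabilities receives them, the fixed target path and the launcher's file mode and group ownership are what bound the privilege here.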


