<div dir="ltr"><div>Thanks toni.</div><div>Could u help add those instructions into doc?</div><div>And we might need provide some tool to enable those CAP_NET_ADMIN cap in the startup scripts.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jan 26, 2016 at 4:29 PM, Antoni Segura Puimedon <span dir="ltr"><<a href="mailto:toni+openstackml@midokura.com" target="_blank">toni+openstackml@midokura.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Tue, Jan 26, 2016 at 8:13 AM, Baohua Yang <<a href="mailto:yangbaohua@gmail.com">yangbaohua@gmail.com</a>> wrote:<br>
> Hi hua<br>
> Thanks for the suggestion!<br>
> Yes, root wrap is also a good candidate.<br>
> We will compare to choose the proper solution.<br>
> Thanks!<br>
><br>
> On Tue, Jan 26, 2016 at 1:59 PM, 王华 <<a href="mailto:wanghua.humble@gmail.com">wanghua.humble@gmail.com</a>> wrote:<br>
>><br>
>> Hi Baohua,<br>
>><br>
>> I think <a href="https://wiki.openstack.org/wiki/Rootwrap" rel="noreferrer" target="_blank">https://wiki.openstack.org/wiki/Rootwrap</a> can solve this problem.<br>
>> It is used in other OpenStack projects like Nova, Neutron.<br>
>><br>
>> Regards,<br>
>> Wanghua<br>
>><br>
>> On Tue, Jan 26, 2016 at 1:07 PM, Baohua Yang <<a href="mailto:yangbaohua@gmail.com">yangbaohua@gmail.com</a>> wrote:<br>
>>><br>
>>> Hi toni<br>
>>><br>
>>> Recently we found some issue when starting kuryr service without root<br>
>>> privilege [1].<br>
>>><br>
>>> Tfukushima mentioned that you have some suggestion on using capacity to<br>
>>> solve this?<br>
<br>
</span>I do. I have a C launcher that allows Kuryr to run with CAP_NET_ADMIN so that<br>
any user can run it. My idea was to put it in contrib and then let the<br>
distros decide<br>
if they want to run kuryr as root or use the launcher in their packaging systemd<br>
service files.<br>
<div class="HOEnZb"><div class="h5"><br>
>>><br>
>>> We currently make a temp workaround by suggesting using sudo to start the<br>
>>> service [2].<br>
>>><br>
>>> Any advice?<br>
>>><br>
>>> Thanks!<br>
>>><br>
>>> [1] <a href="https://bugs.launchpad.net/kuryr/+bug/1516539" rel="noreferrer" target="_blank">https://bugs.launchpad.net/kuryr/+bug/1516539</a>.<br>
>>> [2] <a href="https://review.openstack.org/#/c/272370" rel="noreferrer" target="_blank">https://review.openstack.org/#/c/272370</a><br>
>>><br>
>>> --<br>
>>> Best wishes!<br>
>>> Baohua<br>
>>><br>
>>><br>
>>> __________________________________________________________________________<br>
>>> OpenStack Development Mailing List (not for usage questions)<br>
>>> Unsubscribe:<br>
>>> <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
>>> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
>>><br>
>><br>
>><br>
>> __________________________________________________________________________<br>
>> OpenStack Development Mailing List (not for usage questions)<br>
>> Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
>> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
>><br>
><br>
><br>
><br>
> --<br>
> Best wishes!<br>
> Baohua<br>
><br>
> __________________________________________________________________________<br>
> OpenStack Development Mailing List (not for usage questions)<br>
> Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
><br>
<br>
__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><font color="#999999">Best wishes!<br>Baohua<br></font></div>
</div>