[openstack-dev] [neutron] Linux capabilities vs sudo/rootwrap?
Thierry Carrez
thierry at openstack.org
Wed Dec 10 14:35:49 UTC 2014
Angus Lees wrote:
> How crazy would it be to just give neutron CAP_NET_ADMIN (where
> required), and allow it to make network changes via ip (netlink) calls
> directly?
I don't think that's completely crazy. Given what neutron is expected to
do, and what it is already empowered to do (through lazy and less lazy
rootwrap filters), relying on CAP_NET_ADMIN instead should have limited
security impact.
It would be worth precisely analyzing the delta (what will a
capability-enhanced neutron be able to do to the system that the
rootwrap-powered neutron can't already do), and try to get performance
numbers... That would help making the right choice, although I expect
the best gains here are in avoiding the whole external executable call
and result parsing. You could even maintain parallel code paths (use
capability if present).
Cheers,
--
Thierry Carrez (ttx)
More information about the OpenStack-dev
mailing list