[openstack-dev] [neutron] Linux capabilities vs sudo/rootwrap?

Thierry Carrez thierry at openstack.org
Wed Dec 10 14:35:49 UTC 2014

Angus Lees wrote:
> How crazy would it be to just give neutron CAP_NET_ADMIN (where
> required), and allow it to make network changes via ip (netlink) calls
> directly?

I don't think that's completely crazy. Given what neutron is expected to
do, and what it is already empowered to do (through lazy and less lazy
rootwrap filters), relying on CAP_NET_ADMIN instead should have limited
security impact.

It would be worth precisely analyzing the delta (what will a
capability-enhanced neutron be able to do to the system that the
rootwrap-powered neutron can't already do), and trying to get performance
numbers... That would help make the right choice, although I expect
the best gains here are in avoiding the whole external executable call
and result parsing. You could even maintain parallel code paths (use
capability if present).


Thierry Carrez (ttx)
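One way to implement the "use capability if present" parallel code path and the delta analysis suggested above, as an added example that is not part of this thread or of the neutron code base: it reads the effective capability set from /proc/self/status and only selects the direct netlink path when CAP_NET_ADMIN is held, and it lists any capabilities held beyond an allowed set. The sample status texts are constructed.

```python
"""Pick the netlink or rootwrap path from the process's effective capabilities.

Added example (not neutron code). The CapEff line in /proc/<pid>/status is a
hex bitmask of effective capabilities; bit numbers come from
<linux/capability.h>.
"""

# Capability bit numbers from <linux/capability.h>.
CAP_NET_ADMIN = 12
CAP_NET_RAW = 13
CAP_SYS_ADMIN = 21

# Constructed /proc/self/status fragments for demonstration.
STATUS_UNPRIVILEGED = "Name:\tneutron-agent\nCapEff:\t0000000000000000\n"
STATUS_NET_ADMIN_ONLY = "Name:\tneutron-agent\nCapEff:\t0000000000001000\n"
STATUS_FULL_ROOT = "Name:\tneutron-agent\nCapEff:\t0000003fffffffff\n"


def parse_cap_eff(status_text):
    """Return the effective capability bitmask parsed from status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapEff line in status text")


def has_capability(cap_mask, cap_number):
    """True if the given capability bit is set in the mask."""
    return bool((cap_mask >> cap_number) & 1)


def excess_capabilities(cap_mask, allowed):
    """Capability bits held beyond the allowed set: the 'delta' worth auditing."""
    return [bit for bit in range(64)
            if (cap_mask >> bit) & 1 and bit not in allowed]


def choose_path(status_text):
    """'netlink' when CAP_NET_ADMIN is effective, otherwise fall back to 'rootwrap'."""
    mask = parse_cap_eff(status_text)
    return "netlink" if has_capability(mask, CAP_NET_ADMIN) else "rootwrap"


def current_status():
    """Read the live status of this process (Linux only)."""
    with open("/proc/self/status") as f:
        return f.read()
```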
