On Tue, Aug 02, 2016 at 12:59:42PM -0500, Ryan Moats wrote:
>
> Ben Pfaff <b...@ovn.org> wrote on 08/02/2016 12:45:49 PM:
>
> > From: Ben Pfaff <b...@ovn.org>
> > To: Ryan Moats/Omaha/IBM@IBMUS
> > Cc: Russell Bryant <russ...@ovn.org>, ovs dev <dev@openvswitch.org>
> > Date: 08/02/2016 12:46 PM
> > Subject: Re: [ovs-dev] [PATCH 2/2] Add wrapper scripts for *ctl commands
> >
> > On Tue, Aug 02, 2016 at 12:13:13PM -0500, Ryan Moats wrote:
> > >
> > > Russell Bryant <russ...@ovn.org> wrote on 08/02/2016 12:00:08 PM:
> > >
> > > > From: Russell Bryant <russ...@ovn.org>
> > > > To: Ben Pfaff <b...@ovn.org>
> > > > Cc: Ryan Moats/Omaha/IBM@IBMUS, ovs dev <dev@openvswitch.org>
> > > > Date: 08/02/2016 12:00 PM
> > > > Subject: Re: [ovs-dev] [PATCH 2/2] Add wrapper scripts for *ctl commands
> > > >
> > > > On Tue, Aug 2, 2016 at 12:03 PM, Ben Pfaff <b...@ovn.org> wrote:
> > > > On Tue, Aug 02, 2016 at 07:56:27AM -0400, Russell Bryant wrote:
> > > > > On Tue, Aug 2, 2016 at 12:20 AM, Ryan Moats <rmo...@us.ibm.com> wrote:
> > > > >
> > > > > > This commit creates wrapper scripts for the *ctl commands to use
> > > > > > --dry-run for those that have them, and to allow for log level
> > > > > > setting via ovs-appctl without allowing full access to ovs-appctl.
> > > > > > Tests have been added to make sure that the wrapper scripts
> > > > > > don't actually do anything when asked to perform a write operation.
> > > > > >
> > > > > > Signed-off-by: Ryan Moats <rmo...@us.ibm.com>
> > > > > >
> > > > >
> > > > > What's the motivation for all the new "read" scripts? It seems a bit
> > > > > confusing to install all of these. They're also not documented anywhere.
> > > >
> > > > My assumption had been that we'd put the options into the tree and then
> > > > that the one-liner redirection scripts would be an IBM customization.
> > > > After all, they need to customize somehow anyway to hide the read/write
> > > > versions in some off-$PATH place.
> > > >
> > > > +1 to this approach.
> > > >
> > > > --
> > > > Russell Bryant
> > >
> > > Obviously, I think this is somewhat short-sighted (or I wouldn't have proposed
> > > the patch)...
> >
> > Everyone seems to be jumping to conclusions here really fast. Let's try
> > to get it right rather than just doing something.
> >
> > Can we discuss how you will hide the r/w versions? And how you give
> > access to those versions to the software that really needs it? For
> > example, libvirt might call into ovs-vsctl to add ports (unless it has
> > direct OVSDB bindings--I doubt it), and XenServer definitely does, so if
> > they're not working and in $PATH then they'll break.
>
> That was what I was alluding to in my "mumble mumble sudo mumble mumble"
> comment a few posts back...
>
> The current plan is *not* to hide the *ctl commands off PATH, but to
> set up things so that the sockets require privileged access and then to only
> allow privileged access from a terminal shell to the RO versions via sudo.

OK. That's reasonable.
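
A sketch of the kind of restricted front end the thread describes (log-level changes through ovs-appctl without full ovs-appctl access), added here as an example and not taken from the patch under discussion. The function names and the allow-list are assumptions; `vlog/set` and `vlog/list` are existing ovs-appctl commands.

```shell
#!/bin/sh
# Added example, not the patch's code. Hypothetical names throughout.
# Intended use: installed root-owned and run via sudo, so an unprivileged
# shell can change log levels but cannot send other commands to the daemon.

# Single place where the real binary is invoked.
run_appctl() {
    ovs-appctl "$@"
}

# Return 0 if "$1" looks like a plain level spec, e.g. "dbg" or "ANY:file:info".
valid_vlog_spec() {
    case $1 in
        '')                    return 1 ;;  # empty argument
        -*)                    return 1 ;;  # would be parsed as an option
        PATTERN:*|FACILITY:*)  return 1 ;;  # log format/facility, not a level
        *[!A-Za-z0-9_:,-]*)    return 1 ;;  # unexpected characters
    esac
    return 0
}

# Forward only vlog/list and vlog/set; refuse everything else with status 2.
restricted_appctl() {
    if [ $# -lt 1 ]; then
        echo "usage: vlog/list | vlog/set SPEC..." >&2
        return 2
    fi
    cmd=$1
    shift
    case $cmd in
        vlog/list)
            [ $# -eq 0 ] || { echo "vlog/list takes no arguments" >&2; return 2; }
            run_appctl vlog/list
            ;;
        vlog/set)
            [ $# -ge 1 ] || { echo "vlog/set needs a spec" >&2; return 2; }
            for spec in "$@"; do
                valid_vlog_spec "$spec" || { echo "rejected spec: $spec" >&2; return 2; }
            done
            run_appctl vlog/set "$@"
            ;;
        *)
            # Includes leading options such as -t, so no other target is reachable.
            echo "refused: $cmd" >&2
            return 2
            ;;
    esac
}

# A wrapper script would end with:  restricted_appctl "$@"
```

Because the first argument must be one of the two allowed commands, option injection ahead of the command is refused along with every other ovs-appctl command.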