Angus Lees wrote:
> How crazy would it be to just give neutron CAP_NET_ADMIN (where
> required), and allow it to make network changes via ip (netlink) calls
> directly?

I don't think that's completely crazy. Given what neutron is expected to
do, and what it is already empowered to do (through lazy and less lazy
rootwrap filters), relying on CAP_NET_ADMIN instead should have limited
security impact.

It would be worth precisely analyzing the delta (what will a
capability-enhanced neutron be able to do to the system that the
rootwrap-powered neutron can't already do), and try to get performance
numbers... That would help make the right choice, although I expect
the best gains here are in avoiding the whole external executable call
and result parsing. You could even maintain parallel code paths (use
capability if present).

Cheers,

-- 
Thierry Carrez (ttx)
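The two things the reply asks for, a capability-based code path selected only "if present" and an analysis of the capability delta, can both be sketched with a small amount of code. The following is an added example, not code from this thread or from Neutron: it decodes the effective capability set of a process from its `/proc/<pid>/status` text, reports which capabilities one set holds that another does not, and picks the direct-netlink path only when CAP_NET_ADMIN is actually held, falling back to the external-executable (rootwrap) path otherwise. The capability bit numbers come from `linux/capability.h`; the function names, the sample status text and the rootwrap invocation form (`sudo neutron-rootwrap <conf> ip ...`) are this example's own assumptions.

```python
"""Added example (not from the thread): choose between a netlink code path
and a rootwrap/external-executable code path based on the capabilities a
process really holds, and compute the capability delta between two sets.
"""
import re

# Capability bit numbers, as defined in linux/capability.h.
CAP_DAC_OVERRIDE = 1
CAP_KILL = 5
CAP_NET_ADMIN = 12
CAP_NET_RAW = 13
CAP_SYS_ADMIN = 21

# Names for the bits used here; any other bit is reported as cap_<n>.
CAP_NAMES = {
    CAP_DAC_OVERRIDE: "cap_dac_override",
    CAP_KILL: "cap_kill",
    CAP_NET_ADMIN: "cap_net_admin",
    CAP_NET_RAW: "cap_net_raw",
    CAP_SYS_ADMIN: "cap_sys_admin",
}

# Constructed /proc/<pid>/status excerpts (not captured from a real system).
STATUS_NET_ADMIN_ONLY = (
    "Name:\tneutron-l3-agent\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000001000\n"
    "CapEff:\t0000000000001000\n"
)
STATUS_UNPRIVILEGED = "Name:\tneutron-l3-agent\nCapEff:\t0000000000000000\n"
STATUS_FULL_ROOT = "Name:\tneutron-l3-agent\nCapEff:\t000001ffffffffff\n"


def parse_cap_eff(status_text: str) -> int:
    """Return the effective capability bitmask from /proc/<pid>/status text."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    if not m:
        raise ValueError("no CapEff line in status text")
    return int(m.group(1), 16)


def current_cap_eff() -> int:
    """Effective capabilities of this process (Linux only)."""
    with open("/proc/self/status") as f:
        return parse_cap_eff(f.read())


def has_cap(mask: int, cap: int) -> bool:
    return bool(mask & (1 << cap))


def cap_name(bit: int) -> str:
    return CAP_NAMES.get(bit, "cap_%d" % bit)


def cap_delta(before: int, after: int) -> dict:
    """Capabilities gained and lost when moving from mask `before` to `after`.

    This is the 'delta' the reply suggests analysing: what can the
    capability-enhanced process do that the old one could not, and vice versa.
    """
    gained = [cap_name(b) for b in range(64) if (after >> b) & 1 and not (before >> b) & 1]
    lost = [cap_name(b) for b in range(64) if (before >> b) & 1 and not (after >> b) & 1]
    return {"gained": gained, "lost": lost}


def choose_path(mask: int) -> str:
    """Parallel code paths: use netlink if CAP_NET_ADMIN is held, else rootwrap."""
    return "netlink" if has_cap(mask, CAP_NET_ADMIN) else "rootwrap"


def rootwrap_argv(ip_args, conf="/etc/neutron/rootwrap.conf"):
    """argv for the external-executable path (assumed rootwrap invocation form)."""
    return ["sudo", "neutron-rootwrap", conf, "ip"] + list(ip_args)


if __name__ == "__main__":
    mask = parse_cap_eff(STATUS_NET_ADMIN_ONLY)
    print("path:", choose_path(mask))
    print("delta vs unprivileged:", cap_delta(parse_cap_eff(STATUS_UNPRIVILEGED), mask))
    print("delta vs full root:", cap_delta(parse_cap_eff(STATUS_FULL_ROOT), mask))
```

Run on a real agent process, `cap_delta(parse_cap_eff(open("/proc/<pid>/status").read()), 1 << CAP_NET_ADMIN)` lists exactly what a CAP_NET_ADMIN-only process loses relative to the current privilege level; the reverse comparison against the set of actions the rootwrap filters permit is the part that still requires reading the filter files by hand.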

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev