Hi,

> Message written by Matt Riedemann <mriede...@gmail.com> on 03.06.2018, at 16:54:
>
> On 6/2/2018 1:37 AM, Chris Apsey wrote:
>> This is great. I would even go so far as to say the install docs should be
>> updated to capture this as the default; as far as I know there is no
>> negative impact when running in daemon mode, even on very small deployments.
>> I would imagine that there are operators out there who have run into this
>> issue but didn't know how to work through it - making stuff like this less
>> painful is key to breaking the 'openstack is hard' stigma.
>
> I think changing the default on the root_helper_daemon option is a good idea
> if everyone is setting that anyway. There are some comments in the code next
> to the option that make me wonder if there are edge cases where it might not
> be a good idea, but I don't really know the details, someone from the neutron
> team that knows more about it would have to speak up.
>
> Also, I wonder if converting to privsep in the neutron agent would eliminate
> the need for this option altogether and still gain the performance benefits.

Converting L2 agents to privsep is an ongoing process but it’s very slow. There is a switch of ip_lib to privsep in progress: https://bugs.launchpad.net/neutron/+bug/1492714
But to completely drop rootwrap there is also tc_lib to switch to privsep for QoS, the iptables module for security groups and probably also some other modules.
So I would not consider it as possibly done soon :)

>
> --
>
> Thanks,
>
> Matt
>
> _______________________________________________
> OpenStack-operators mailing list
> OpenStack-operators@lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators

--
Slawek Kaplonski
Senior software engineer
Red Hat