On Fri Feb 13 2015 at 10:35:49 PM Miguel Ángel Ajo majop...@redhat.com
wrote:
We have an ongoing effort in neutron to move to rootwrap-daemon.
https://review.openstack.org/#/q/status:open+project:openstack/neutron+branch:master+topic:bp/rootwrap-daemon-mode,n,z
Thanks for replying. I
On Fri Feb 13 2015 at 5:45:36 PM Eric Windisch e...@windisch.us wrote:
from neutron.agent.privileged.commands import ip_lib as priv_ip

def foo():
    # Need to create a new veth interface pair - that usually
    # requires root/NET_ADMIN
    priv_ip.CreateLink('veth', 'veth0',
We have an ongoing effort in neutron to move to rootwrap-daemon.
https://review.openstack.org/#/q/status:open+project:openstack/neutron+branch:master+topic:bp/rootwrap-daemon-mode,n,z
To speed up multiple system calls, and be able to spawn daemons inside
namespaces.
I have to read a bit what
Angus Lees wrote:
So inspired by the Rootwrap on root-intensive nodes thread, I went and
wrote a proof-of-concept privsep daemon for
neutron: https://review.openstack.org/#/c/155631
Nice work! Trying to check where the security model is actually weaker
than the one provided by rootwrap here...
So inspired by the Rootwrap on root-intensive nodes thread, I went and
wrote a proof-of-concept privsep daemon for neutron:
https://review.openstack.org/#/c/155631
There's nothing neutron-specific in the core mechanism and it could easily
be moved out into a common (oslo) library and reused across
On 13 Feb 2015 17:42, Angus Lees g...@inodes.org wrote:
So inspired by the Rootwrap on root-intensive nodes thread, I went and
wrote a proof-of-concept privsep daemon for neutron:
https://review.openstack.org/#/c/155631
There's nothing neutron-specific in the core mechanism and it could
easily
from neutron.agent.privileged.commands import ip_lib as priv_ip

def foo():
    # Need to create a new veth interface pair - that usually requires
    # root/NET_ADMIN
    priv_ip.CreateLink('veth', 'veth0', peer='veth1')
Because we now have elevated privileges directly (on the
On Fri Feb 13 2015 at 4:05:33 PM Robert Collins robe...@robertcollins.net
wrote:
On 13 Feb 2015 17:42, Angus Lees g...@inodes.org wrote:
So inspired by the Rootwrap on root-intensive nodes thread, I went and
wrote a proof-of-concept privsep daemon for neutron: