Ben Pfaff <b...@ovn.org> wrote on 08/02/2016 12:45:49 PM:

> From: Ben Pfaff <b...@ovn.org>
> To: Ryan Moats/Omaha/IBM@IBMUS
> Cc: Russell Bryant <russ...@ovn.org>, ovs dev <dev@openvswitch.org>
> Date: 08/02/2016 12:46 PM
> Subject: Re: [ovs-dev] [PATCH 2/2] Add wrapper scripts for *ctl commands
>
> On Tue, Aug 02, 2016 at 12:13:13PM -0500, Ryan Moats wrote:
> >
> > Russell Bryant <russ...@ovn.org> wrote on 08/02/2016 12:00:08 PM:
> >
> > > From: Russell Bryant <russ...@ovn.org>
> > > To: Ben Pfaff <b...@ovn.org>
> > > Cc: Ryan Moats/Omaha/IBM@IBMUS, ovs dev <dev@openvswitch.org>
> > > Date: 08/02/2016 12:00 PM
> > > Subject: Re: [ovs-dev] [PATCH 2/2] Add wrapper scripts for *ctl commands
> > >
> > > On Tue, Aug 2, 2016 at 12:03 PM, Ben Pfaff <b...@ovn.org> wrote:
> > > On Tue, Aug 02, 2016 at 07:56:27AM -0400, Russell Bryant wrote:
> > > > On Tue, Aug 2, 2016 at 12:20 AM, Ryan Moats <rmo...@us.ibm.com> wrote:
> > > >
> > > > > This commit creates wrapper scripts for the *ctl commands to use
> > > > > --dry-run for those that have them, and to allow for log level
> > > > > setting via ovs-appctl without allowing full access to ovs-appctl.
> > > > > Tests have been added to make sure that the wrapper scripts
> > > > > don't actually do anything when asked to perform a write operation.
> > > > >
> > > > > Signed-off-by: Ryan Moats <rmo...@us.ibm.com>
> > > > >
> > > >
> > > > What's the motivation for all the new "read" scripts? It seems a bit
> > > > confusing to install all of these. They're also not documented anywhere.
> > >
> > > My assumption had been that we'd put the options into the tree and then
> > > that the one-liner redirection scripts would be an IBM customization.
> > > After all, they need to customize somehow anyway to hide the read/write
> > > versions in some off-$PATH place.
> > >
> > > +1 to this approach.
> > >
> > > --
> > > Russell Bryant
> >
> > Obviously, I think this is somewhat short-sighted (or I wouldn't have
> > proposed the patch)...
>
> Everyone seems to be jumping to conclusions here really fast. Let's try
> to get it right rather than just doing something.
>
> Can we discuss how you will hide the r/w versions? And how you give
> access to those versions to the software that really needs it? For
> example, libvirt might call into ovs-vsctl to add ports (unless it has
> direct OVSDB bindings--I doubt it), and XenServer definitely does, so if
> they're not working and in $PATH then they'll break.

That was what I was alluding to in my "mumble mumble sudo mumble mumble" comment a few posts back...

The current plan is *not* to hide the *ctl commands off PATH, but to set up things so that the sockets require privileged access and then to only allow privileged access from a terminal shell to the RO versions via sudo.