Angus Lees wrote:
> How crazy would it be to just give neutron CAP_NET_ADMIN (where
> required), and allow it to make network changes via ip (netlink) calls
> directly?

I don't think that's completely crazy. Given what neutron is expected to do, and what it is already empowered to do (through lazy and less lazy rootwrap filters), relying on CAP_NET_ADMIN instead should have limited security impact.

It would be worth precisely analyzing the delta (what will a capability-enhanced neutron be able to do to the system that the rootwrap-powered neutron can't already do), and trying to get performance numbers... That would help in making the right choice, although I expect the best gains here are in avoiding the whole external executable call and result parsing.

You could even maintain parallel code paths (use capability if present).

Cheers,

-- 
Thierry Carrez (ttx)

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
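The "parallel code paths (use capability if present)" idea and the capability-delta analysis from the thread, as an added example that is not part of the original messages or of neutron's code: it reads the effective capability mask from /proc/self/status, names the capabilities it contains (hypothetical helper, only a partial name table), and picks the direct-netlink path only when CAP_NET_ADMIN is actually effective, falling back to a rootwrap-style helper otherwise. The sample status excerpts are constructed.

```python
# Added example, not from the mailing-list thread or the neutron code base.
# Capability numbers are those of linux/capability.h.
CAP_NAMES = {
    10: "CAP_NET_BIND_SERVICE", 11: "CAP_NET_BROADCAST",
    12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW",
    16: "CAP_SYS_MODULE", 19: "CAP_SYS_PTRACE", 21: "CAP_SYS_ADMIN",
}
CAP_NET_ADMIN = 12


def parse_cap_eff(status_text: str) -> int:
    """Return the effective capability bitmask from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("CapEff line not found in status text")


def has_capability(cap_mask: int, cap: int) -> bool:
    """True if capability number `cap` is set in `cap_mask`."""
    return bool((cap_mask >> cap) & 1)


def describe_caps(cap_mask: int) -> list:
    """Name every set bit; unknown numbers are shown as CAP_<n> (hypothetical
    helper, useful for eyeballing the privilege delta between two masks)."""
    return [CAP_NAMES.get(n, "CAP_%d" % n)
            for n in range(64) if has_capability(cap_mask, n)]


def choose_backend(status_text: str) -> str:
    """'netlink' when CAP_NET_ADMIN is effective, else 'rootwrap' (external
    `ip` call via a rootwrap-style helper), i.e. the parallel code path."""
    mask = parse_cap_eff(status_text)
    return "netlink" if has_capability(mask, CAP_NET_ADMIN) else "rootwrap"


def current_backend() -> str:
    """Decide for the running process (Linux only)."""
    with open("/proc/self/status") as f:
        return choose_backend(f.read())


# Constructed /proc/self/status excerpts (not captured from a real system).
SAMPLE_FULL_ROOT = "Name:\tneutron\nCapEff:\t0000003fffffffff\n"
SAMPLE_UNPRIV = "Name:\tneutron\nCapEff:\t0000000000000000\n"
SAMPLE_NET_ADMIN_ONLY = "Name:\tneutron\nCapEff:\t0000000000001000\n"

if __name__ == "__main__":
    for name, text in (("full root", SAMPLE_FULL_ROOT),
                       ("unprivileged", SAMPLE_UNPRIV),
                       ("CAP_NET_ADMIN only", SAMPLE_NET_ADMIN_ONLY)):
        print(name, "->", choose_backend(text), describe_caps(parse_cap_eff(text)))
```

Comparing `describe_caps` on the mask of a CAP_NET_ADMIN-only process against a full-root mask is the "delta" Thierry asks for: everything in the second list and not the first is what rootwrap-as-root could reach and the capability-only process cannot.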