Runing kuryr-libnetworks not from root user fails
Bug #1852105 reported by
Dmitriy Rabotyagov
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| kuryr |
In Progress
|
High
|
Unassigned | ||
| kuryr-libnetwork |
In Progress
|
High
|
Unassigned | ||
Bug Description
I'm trying to run kuryr-libnetwork as not privileged user (kuryr) with systemd-service, by setting AmbientCapabilities and CapabilityBound
However, when I try to verify it's operation I have the following trace: http://
AFAIK, using oslo_concurrency execute as root requires setting rootwrap, which is not the case: https:/
But running kuryr as root is not really secure IMO especially when rootwrap is used everywhere.
Revision history for this message
| Andrew Bonney (andrewbonney) wrote | #1 |
| Changed in kuryr: | |
| status: | New → In Progress |
| Changed in kuryr-libnetwork: | |
| status: | New → In Progress |
| importance: | Undecided → High |
| Changed in kuryr: | |
| importance: | Undecided → High |
Revision history for this message
| Andrew Bonney (andrewbonney) wrote | #2 |
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Fix included in openstack/kuryr 2.3.0 | #3 |
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Fix included in openstack/kuryr 2.0.1 | #4 |
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Fix included in openstack/kuryr 2.1.1 | #5 |
To post a comment you must log in.
I've pushed a change to https:/
I had a go at a couple of alternatives with root helpers or privsep too, but this doesn't appear to avoid the need for an ambient capability due to what happens within the 'pyroute2' library:
- https:/
- https:/