Adds a configuration option to use the root helper in the ip netns list
command executed by the IP library when checking for the existence of a
namespace. This prevents an unprivileged l3 agent from erroneously trying
to create another namespace when one already exists. This is necessary in
environments with constrained permissions on /var/run/netns via umask or
other access controls.
However, due to the overhead incurred by calling sudo every time on systems
where this restriction isn't in place, this configuration won't be desired
all of the time. So this patch also adds a sanity check that reports back
whether or not the root_helper is required for a deployment.
Reviewed: https:/ /review. openstack. org/109736 /git.openstack. org/cgit/ openstack/ neutron/ commit/ ?id=9833364fbd4 705fc4a563192cf 2707ffe8cf763d
Committed: https:/
Submitter: Jenkins
Branch: master
commit 9833364fbd4705f c4a563192cf2707 ffe8cf763d
Author: Kevin Benton <email address hidden>
Date: Fri Jul 25 14:27:00 2014 -0700
Option for root_helper when checking namespace
Adds a configuration option to use the root helper in the ip netns list
command executed by the IP library when checking for the existence of a
namespace. This prevents an unprivileged l3 agent from erroneously trying
to create another namespace when one already exists. This is necessary in
environments with constrained permissions on /var/run/netns via umask or
other access controls.
However, due to the overhead incurred by calling sudo every time on systems
where this restriction isn't in place, this configuration won't be desired
all of the time. So this patch also adds a sanity check that reports back
whether or not the root_helper is required for a deployment.
DocImpact
Closes-Bug: #1348812 066af0d9866e6b5 cd7c7247c33
Closes-Bug: #1311804
Change-Id: If7560161de3be6