Comment 2 for bug 2026122

Rodolfo Alonso (rodolfo-alonso-hernandez) wrote :

Hello Hristo:

When using a normal user (non-admin), no permission should be needed to list the network namespaces. But because some users have been capped, we introduced the configuration variable "use_helper_for_ns_read", which is True by default. When enabled, the namespace listing [1] and the "path_exists" method [2] are wrapped inside a privsep context. But only "CAP_SYS_ADMIN" should be needed for these two operations.

I would suggest first checking the user permissions. With this user, can you execute "ip netns"? Can you read all the namespaces? You should be able to.

Regards.

[1] https://github.com/openstack/neutron/blob/6b9333d8dfb78881a4368cb8716c48c45d49857f/neutron/agent/linux/ip_lib.py#L971
[2] https://github.com/openstack/neutron/blob/6b9333d8dfb78881a4368cb8716c48c45d49857f/neutron/agent/linux/ip_lib.py#L991
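
The permission check suggested in the comment above, written out as an added diagnostic script (not part of the comment and not Neutron code). Run it as the user the agent runs as; the function names are hypothetical, and `/run/netns` is assumed to be the iproute2 namespace directory in use.

```shell
#!/bin/sh
# Added example: namespace-read diagnostic for the current user.
# Assumption: named namespaces live in /run/netns (iproute2 default).

CAP_SYS_ADMIN_BIT=21   # CAP_SYS_ADMIN in linux/capability.h

# Succeed if a hex capability mask (as in /proc/<pid>/status) has CAP_SYS_ADMIN.
has_cap_sys_admin() {
    [ $(( (0x$1 >> CAP_SYS_ADMIN_BIT) & 1 )) -eq 1 ]
}

# Print the effective capability mask from a status file (default: this process).
effective_caps() {
    awk '$1 == "CapEff:" { print $2 }' "${1:-/proc/self/status}"
}

# Count entries in the namespace directory that this user cannot read.
unreadable_namespaces() {
    dir="${1:-/run/netns}"
    n=0
    for f in "$dir"/*; do
        [ -e "$f" ] || continue      # empty or missing directory
        [ -r "$f" ] || n=$((n + 1))
    done
    echo "$n"
}

report() {
    caps="$(effective_caps)"
    echo "user: $(id -un)  CapEff: ${caps:-unknown}"
    if [ -n "$caps" ] && has_cap_sys_admin "$caps"; then
        echo "CAP_SYS_ADMIN: present"
    else
        echo "CAP_SYS_ADMIN: absent"
    fi
    # The plain "ip netns" listing the comment asks about.
    if command -v ip >/dev/null 2>&1; then
        if ip netns list >/dev/null 2>&1; then
            echo "ip netns: ok"
        else
            echo "ip netns: FAILED"
        fi
    fi
    echo "unreadable namespaces: $(unreadable_namespaces)"
}

report
```

If `ip netns` fails or the unreadable count is non-zero for the agent's user, the restriction is on the user itself rather than in the privsep wrapper.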