[ovs-dev] Read only versions of the *ctl binaries
Ryan Moats
rmoats at us.ibm.com
Fri Jul 29 21:11:00 UTC 2016
We just received a new operational requirement that we have
to restrict access to all binaries that provide RW access to
infrastructure components, but yet still have the ability to
read current state from the infrastructure.

For OVN/OVS, this means we won't be able to use the following
binaries in our production environment to read current state:
ovs-vsctl, ovs-dpctl, ovs-ofctl, ovs-appctl, ovn-nbctl, and
ovn-sbctl.

I'm thinking of meeting this by creating new binaries
ovs-vsread, ovs-dpread, ovs-ofread, ovs-appread, ovn-nbread,
and ovn-sbread that would include the show, list, and search
commands from their RW brethren, but omit the various add
and del commands.

Before I start crafting code, I wanted to see if folks can
think of a simpler way of meeting this new requirement...

Ryan