dom0 rootwrap filters out ip command

Bug #1185872 reported by Mate Lakat
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
neutron | Fix Released | Medium | Mate Lakat |

Bug Description

Using XenServer, the dom0's agent dies with the following, just after it's started:

2013-05-30 15:28:22.839 28018 DEBUG quantum.agent.linux.utils [-] Running command: ['/opt/stack/quantum/bin/quantum-rootwrap-xen-dom0', '/etc/quantum/rootwrap.conf', 'ip', '-o', 'link', 'show', 'xapi1'] execute /opt/stack/quantum/quantum/agent/linux/utils.py:42
2013-05-30 15:28:23.022 28018 DEBUG quantum.agent.linux.utils [-]
Command: ['/opt/stack/quantum/bin/quantum-rootwrap-xen-dom0', '/etc/quantum/rootwrap.conf', 'ip', '-o', 'link', 'show', 'xapi1']
Exit code: 1
Stdout: ''
Stderr: 'Traceback (most recent call last):\n File "/opt/stack/quantum/bin/quantum-rootwrap-xen-dom0", line 119, in <module>\n print main()\n File "/opt/stack/quantum/bin/quantum-rootwrap-xen-dom0", line 113, in main\n filter_command(exec_name, config[\'filters_path\'], user_args)\n File "/opt/stack/quantum/bin/quantum-rootwrap-xen-dom0", line 91, in filter_command\n filter_match = wrapper.match_filter(filters, user_args)\n File "/opt/stack/quantum/quantum/rootwrap/wrapper.py", line 155, in match_filter\n raise FilterMatchNotExecutable(match=first_not_executable_filter)\nquantum.rootwrap.wrapper.FilterMatchNotExecutable\n' execute /opt/stack/quantum/quantum/agent/linux/utils.py:59
2013-05-30 15:28:23.023 28018 ERROR quantum.plugins.openvswitch.agent.ovs_quantum_agent [-] Bridge xapi1 for physical network physnet1 does not exist. Agent terminated!

Running the command manually:
stack@DevStackOSDomU:~/quantum$ /opt/stack/quantum/bin/quantum-rootwrap-xen-dom0 /etc/quantum/rootwrap.conf ip -o link show xapi1
Traceback (most recent call last):
  File "/opt/stack/quantum/bin/quantum-rootwrap-xen-dom0", line 119, in <module>
    print main()
  File "/opt/stack/quantum/bin/quantum-rootwrap-xen-dom0", line 113, in main
    filter_command(exec_name, config['filters_path'], user_args)
  File "/opt/stack/quantum/bin/quantum-rootwrap-xen-dom0", line 91, in filter_command
    filter_match = wrapper.match_filter(filters, user_args)
  File "/opt/stack/quantum/quantum/rootwrap/wrapper.py", line 155, in match_filter
    raise FilterMatchNotExecutable(match=first_not_executable_filter)
quantum.rootwrap.wrapper.FilterMatchNotExecutable

Config file:
stack@DevStackOSDomU:~/quantum$ cat /etc/quantum/rootwrap.conf
[DEFAULT]
# List of directories to load filter definitions from (separated by ',').
# These directories MUST all be only writeable by root !
filters_path=/etc/quantum/rootwrap.d

# List of directories to search executables in, in case filters do not
# explicitely specify a full path (separated by ',')
# If not specified, defaults to system PATH environment variable.
# These directories MUST all be only writeable by root !
exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin

[XENAPI]
# XenAPI configuration is only required by the L2 agent if it is to
# target a XenServer/XCP compute host's dom0.
xenapi_connection_url=http://10.219.10.25
xenapi_connection_username=root
xenapi_connection_password=pass

Maybe we just need to disable filtering with dom0 rootwrap?

Tags: xenserver
Mate Lakat (mate-lakat)
Changed in quantum:
assignee: nobody → Mate Lakat (mate-lakat)
Mate Lakat (mate-lakat)
Changed in quantum:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to quantum (master)

Fix proposed to branch: master
Review: https://review.openstack.org/31077

OpenStack Infra (hudson-openstack) wrote : Fix merged to quantum (master)

Reviewed: https://review.openstack.org/31077
Committed: http://github.com/openstack/quantum/commit/648d3b76bec723b24a5cbf1309e06117bdd1a980
Submitter: Jenkins
Branch: master

commit 648d3b76bec723b24a5cbf1309e06117bdd1a980
Author: Mate Lakat <email address hidden>
Date: Mon Jun 3 10:39:13 2013 +0100

    xenapi: fix rootwrap

    The xenapi root wrapper did not parse the "exec_dirs" parameter, so it
    failed to execute the commands. This patch works around this problem by
    parsing the "exec_dirs".

    Fixes bug 1185872

    Change-Id: I10175c7df5d34e47eb6044711ffbe4fe4cee3ce2

Changed in quantum:
status: In Progress → Fix Committed
Changed in quantum:
milestone: none → havana-2
importance: Undecided → Medium
Thierry Carrez (ttx)
Changed in neutron:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in neutron:
milestone: havana-2 → 2013.2
Amir Sadoughi (amir-sadoughi) wrote :

If I understand the fix for this correctly, it requires executables with the appropriate names (ip, ovs-vsctl, ovs-ofctl) installed on the compute node (available in exec_dirs). I suppose this is fine in the case of ip. In the case of not having Open vSwitch installed in the compute, it breaks.
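
The failure mode in this report, as an added example (a simplified model written for this page, not the quantum/neutron source): a filter that names a bare executable such as `ip` can only be resolved through `exec_dirs`, so a wrapper that never passes `exec_dirs` ends in `FilterMatchNotExecutable` even though a filter allows the command. `match_filter`, `exec_dirs` and `FilterMatchNotExecutable` are names from the traceback and config above; `CommandFilter`, `NoFilterMatched`, `get_exec`, `resolve`, `demo` and the temporary directory are assumptions of this sketch.

```python
import os
import tempfile


class NoFilterMatched(Exception):
    """No filter allows this command."""


class FilterMatchNotExecutable(Exception):
    """A filter allows the command, but its executable was not found."""


class CommandFilter:
    """Simplified stand-in for a rootwrap command filter."""
    def __init__(self, exec_path):
        self.exec_path = exec_path

    def match(self, userargs):
        return bool(userargs) and os.path.basename(self.exec_path) == userargs[0]

    def get_exec(self, exec_dirs=()):
        # Absolute paths are used as-is; bare names are searched in exec_dirs only.
        dirs = [""] if os.path.isabs(self.exec_path) else exec_dirs
        paths = (os.path.join(d, self.exec_path) for d in dirs)
        return next((p for p in paths if os.access(p, os.X_OK)), None)


def match_filter(filters, userargs, exec_dirs=()):
    matching = [f for f in filters if f.match(userargs)]
    for f in matching:
        if f.get_exec(exec_dirs):
            return f
    if matching:  # allowed by a filter, but nothing to execute
        raise FilterMatchNotExecutable(matching[0].exec_path)
    raise NoFilterMatched(userargs)


def resolve(filters, userargs, exec_dirs):
    try:
        return match_filter(filters, userargs, exec_dirs).get_exec(exec_dirs)
    except (NoFilterMatched, FilterMatchNotExecutable) as exc:
        return type(exc).__name__  # report which check failed


def demo():
    filters, ip_args = [CommandFilter("ip")], ["ip", "-o", "link", "show", "xapi1"]
    with tempfile.TemporaryDirectory() as exec_dir:  # constructed stand-in for /sbin
        os.close(os.open(os.path.join(exec_dir, "ip"), os.O_CREAT, 0o700))
        cases = [(ip_args, []), (ip_args, [exec_dir]), (["reboot"], [exec_dir])]
        return [resolve(filters, args, dirs) for args, dirs in cases]
```

`demo()` returns `FilterMatchNotExecutable` for the empty `exec_dirs` case, the resolved path once the directory is supplied, and `NoFilterMatched` for a command no filter allows.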
