Template files are rendered 640 root:root and cause services to fail

Bug #1782444 reported by David Ames
Affects: OpenStack AODH Charm (charm-aodh)
  Status: Fix Released
  Importance: High
  Assigned to: Liam Young
  Milestone: 18.11

Affects: OpenStack Neutron Dynamic Routing charm (charm-neutron-dynamic-routing)
  Status: Fix Released
  Importance: High
  Assigned to: David Ames
  Milestone: 19.04

Bug Description

Something has changed in either reactive or charms.openstack or charm-helpers that causes template files to be written with 640 root:root permissions.

This causes OpenStack daemons to fail to be able to read these files:

Jul 18 22:48:52 juju-14fa71-thedac-6 aodh-listener[22072]: Traceback (most recent call last):
Jul 18 22:48:52 juju-14fa71-thedac-6 aodh-listener[22072]: File "/usr/bin/aodh-listener", line 10, in <module>
Jul 18 22:48:52 juju-14fa71-thedac-6 aodh-listener[22072]: sys.exit(listener())
Jul 18 22:48:52 juju-14fa71-thedac-6 aodh-listener[22072]: File "/usr/lib/python2.7/dist-packages/aodh/cmd/alarm.py", line 43, in listener
Jul 18 22:48:52 juju-14fa71-thedac-6 aodh-listener[22072]: conf = service.prepare_service()
Jul 18 22:48:52 juju-14fa71-thedac-6 aodh-listener[22072]: File "/usr/lib/python2.7/dist-packages/aodh/service.py", line 87, in prepare_service
Jul 18 22:48:52 juju-14fa71-thedac-6 aodh-listener[22072]: default_config_files=config_files)
Jul 18 22:48:52 juju-14fa71-thedac-6 aodh-listener[22072]: File "/usr/lib/python2.7/dist-packages/oslo_config/cfg.py", line 2355, in __call__
Jul 18 22:48:52 juju-14fa71-thedac-6 aodh-listener[22072]: self._namespace._files_permission_denied)
Jul 18 22:48:52 juju-14fa71-thedac-6 aodh-listener[22072]: oslo_config.cfg.ConfigFilesPermissionDeniedError: Failed to open some config files: /etc/aodh/aodh.conf
Jul 18 22:48:53 juju-14fa71-thedac-6 systemd[1]: aodh-listener.service: Main process exited, code=exited, status=1/FAILURE
Jul 18 22:48:53 juju-14fa71-thedac-6 systemd[1]: aodh-listener.service: Unit entered failed state.
Jul 18 22:48:53 juju-14fa71-thedac-6 systemd[1]: aodh-listener.service: Failed with result 'exit-code'.
Jul 18 22:48:53 juju-14fa71-thedac-6 systemd[1]: aodh-listener.service: Service hold-off time over, scheduling restart.

I am adding aodh and neutron-dynamic-routing as targets but the fault will affect all reactive charms and likely lies outside of the charms themselves.

David Ames (thedac)
description: updated
Revision history for this message
Liam Young (gnuoy) wrote :

https://review.openstack.org/#/c/582755/ is the cause. I think it's correct to have the permissions locked down and to only open them up as required. I'll take a look at aodh now.

Changed in charm-aodh:
assignee: nobody → Liam Young (gnuoy)
importance: Undecided → High
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-aodh (master)

Fix proposed to branch: master
Review: https://review.openstack.org/583937

Revision history for this message
Ryan Beisner (1chb1n) wrote :

I agree. Let's use this as a driver to evaluate permissions on files to ensure only the minimal necessary ownership/perms are declared.

David Ames (thedac)
Changed in charm-neutron-dynamic-routing:
status: New → Triaged
importance: Undecided → Critical
assignee: nobody → David Ames (thedac)
Changed in charm-neutron-dynamic-routing:
status: Triaged → In Progress
Revision history for this message
David Ames (thedac) wrote :

Due to intentional change to tighten permissions: https://github.com/openstack/charms.openstack/commit/51d00c45e2e3b1f25513ce4f90f35007bac15fc9

Add properties to the class to resolve:

import charms_openstack.charm

class MyCharm(charms_openstack.charm.OpenStackCharm):
    # Owner and group applied to config files the charm renders
    user = 'myuser'
    group = 'mygroup'

For charms that use mod_wsgi, also change the user/group in the WSGI setup similar to:
https://github.com/openstack/charm-gnocchi/commit/bc1745115b6a9c7837075a4353d60a1e5a1e2ca9
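
The failure in the description is the daemon losing the POSIX permission check against a file rendered 0640 root:root, and the fix above is to render with the service account as owner/group instead. The following is an added example, not code from charms.openstack or from any of the charms on this page: it reimplements that permission check so a charm or an operator can audit rendered files before restarting the service, and renders a file with an explicit mode and ownership. The names readable_by, audit_config, account_ids, render_config and demo_render_and_audit, and the sample config content, are assumptions for illustration.

```python
# Added example, not code from charms.openstack or any OpenStack charm.
# Helper names and the sample config text are illustrative assumptions.
import grp
import os
import pwd
import shutil
import stat
import tempfile


def readable_by(st_uid, st_gid, st_mode, uid, gids):
    """Return True if a process running as uid with group set gids may read a
    file owned by st_uid:st_gid whose permission bits are st_mode.

    Mirrors the POSIX rule: root always reads; otherwise exactly one class is
    consulted, owner if the uid matches, else group if any gid matches, else
    other. That is why 0640 root:root denies a non-root service account that
    is not in group root, which is the failure in this bug.
    """
    if uid == 0:
        return True
    if st_uid == uid:
        return bool(st_mode & stat.S_IRUSR)
    if st_gid in gids:
        return bool(st_mode & stat.S_IRGRP)
    return bool(st_mode & stat.S_IROTH)


def account_ids(user):
    """uid and full group set (primary plus supplementary) of a local account,
    as the daemon would have them after dropping to that user."""
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if user in g.gr_mem)
    return pw.pw_uid, gids


def audit_config(path, uid, gids):
    """True if the account (uid, gids) can read the file at path right now."""
    st = os.stat(path)
    return readable_by(st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode), uid, gids)


def render_config(path, content, mode=0o640, owner=None, group=None):
    """Write content to path and apply mode and (optionally) owner/group.

    The file is created 0600 so there is no window in which a default umask
    leaves it world-readable, then chmod'ed to the requested mode. Changing
    ownership to another account needs root, which the charm has during hook
    execution; it is skipped when neither owner nor group is given.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    os.chmod(path, mode)
    if owner is not None or group is not None:
        shutil.chown(path, user=owner, group=group)


def demo_render_and_audit():
    """Render a constructed sample config 0640 as the current user, then audit
    it as the owner and as an unrelated uid with no matching groups.
    Returns (owner_can_read, stranger_can_read)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        # Constructed sample content; not a real aodh.conf.
        render_config(path, "[DEFAULT]\ndebug = false\n", mode=0o640)
        me = os.getuid()
        owner_ok = audit_config(path, me, {os.getgid()})
        stranger_ok = audit_config(path, me + 1, set())
        return owner_ok, stranger_ok
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # The bug: 0640 root:root, read by a non-root service uid -> denied.
    print(readable_by(0, 0, 0o640, 1001, {1001}))
    # The fix: same mode, group set to the service's group -> allowed.
    print(readable_by(0, 1002, 0o640, 1001, {1001, 1002}))
    print(demo_render_and_audit())
```

On a deployed unit the same audit runs against the real file and account, for example audit_config('/etc/aodh/aodh.conf', *account_ids('aodh')) (the account name 'aodh' is an assumption here; the page only states that the neutron-dynamic-routing fix uses group neutron). Keeping 0640 and fixing ownership, rather than widening the mode to 0644, keeps the credentials in these files out of reach of other local accounts, which is the point Liam and Ryan make above.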

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-neutron-dynamic-routing (master)

Reviewed: https://review.openstack.org/583704
Committed: https://git.openstack.org/cgit/openstack/charm-neutron-dynamic-routing/commit/?id=ba7b42e36c1d527433852e3fbb93b64248b9f9b7
Submitter: Zuul
Branch: master

commit ba7b42e36c1d527433852e3fbb93b64248b9f9b7
Author: David Ames <email address hidden>
Date: Wed Jul 18 12:04:10 2018 -0700

    Use the provider network for router id

    The router id for the dragent must be on the provider network. The
    charm was using the BGP speaker_ip which is only used for related
    test services. (i.e. quagga).

    This change guarantees the router id uses the provider extra binding
    IP.

    It also sets the group ownership to neutron for rendered config files.

    Closes-Bug: #1782433
    Partial-Bug: #1782444
    Change-Id: I4761b4c5b80a398e13e4cdf880b773df489f53b9

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-neutron-dynamic-routing (stable/18.05)

Fix proposed to branch: stable/18.05
Review: https://review.openstack.org/584483

James Page (james-page)
Changed in charm-neutron-dynamic-routing:
importance: Critical → High
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on charm-aodh (master)

Change abandoned by Liam Young (<email address hidden>) on branch: master
Review: https://review.openstack.org/583937
Reason: Looks like someone ignored my patch and landed their own https://pastebin.canonical.com/p/DzrFvRsDgT/

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-neutron-dynamic-routing (stable/18.05)

Reviewed: https://review.openstack.org/584483
Committed: https://git.openstack.org/cgit/openstack/charm-neutron-dynamic-routing/commit/?id=50014ed7147210ec89b8a9f29e1dd7c0c70b0b1d
Submitter: Zuul
Branch: stable/18.05

commit 50014ed7147210ec89b8a9f29e1dd7c0c70b0b1d
Author: David Ames <email address hidden>
Date: Wed Jul 18 12:04:10 2018 -0700

    Use the provider network for router id

    The router id for the dragent must be on the provider network. The
    charm was using the BGP speaker_ip which is only used for related
    test services. (i.e. quagga).

    This change guarantees the router id uses the provider extra binding
    IP.

    It also sets the group ownership to neutron for rendered config files.

    cherry picked from commit ba7b42e36c1d527433852e3fbb93b64248b9f9b7

    Closes-Bug: #1782433
    Partial-Bug: #1782444
    Change-Id: I4761b4c5b80a398e13e4cdf880b773df489f53b9

James Page (james-page)
Changed in charm-aodh:
status: In Progress → Fix Committed
Changed in charm-neutron-dynamic-routing:
status: In Progress → Fix Released
Changed in charm-aodh:
status: Fix Committed → Fix Released
milestone: none → 18.11
Changed in charm-neutron-dynamic-routing:
milestone: none → 19.04