dnsmasq needs access to /var/lib/neutron/dhcp

Bug #1866187 reported by Albert Damen
This bug affects 1 person
Affects: neutron (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Unassigned

Bug Description

I installed a fresh test cloud in focal. After creating some networks and subnets, neutron-dhcp-agent complained:

sudo journalctl -u neutron-dhcp-agent -e
Mar 05 11:43:53 network dnsmasq[13211]: failed to load names from /var/lib/neutron/dhcp/10ba1f15-651e-4ef6-aced-66e7cf3effad/addn_hosts: Permission denied
Mar 05 11:43:53 network dnsmasq[13211]: cannot read /var/lib/neutron/dhcp/10ba1f15-651e-4ef6-aced-66e7cf3effad/host: Permission denied
Mar 05 11:43:53 network dnsmasq[13211]: cannot read /var/lib/neutron/dhcp/10ba1f15-651e-4ef6-aced-66e7cf3effad/opts: Permission denied

dnsmasq runs as user nobody and needs to read several files under /var/lib/neutron/dhcp/<guid>

/var/lib/neutron/dhcp and /var/lib/neutron/dhcp/10ba1f15-651e-4ef6-aced-66e7cf3effad have mode 750

Changing UMask=0027 to UMask=0022 in /lib/systemd/system/neutron-dhcp-agent.service, deleting /var/lib/neutron/dhcp and restarting neutron-dhcp-agent solves the problem.

sudo journalctl -u neutron-dhcp-agent -e
Mar 05 13:44:49 network dnsmasq-dhcp[15266]: DHCP, static leases only on 10.101.3.0, lease time 1d
Mar 05 13:44:49 network dnsmasq-dhcp[15266]: DHCP, static leases only on 10.101.2.0, lease time 1d
Mar 05 13:44:49 network dnsmasq[15266]: read /var/lib/neutron/dhcp/10ba1f15-651e-4ef6-aced-66e7cf3effad/addn_hosts - 3 addresses
Mar 05 13:44:49 network dnsmasq-dhcp[15266]: read /var/lib/neutron/dhcp/10ba1f15-651e-4ef6-aced-66e7cf3effad/host
Mar 05 13:44:49 network dnsmasq-dhcp[15266]: read /var/lib/neutron/dhcp/10ba1f15-651e-4ef6-aced-66e7cf3effad/opts

neutron-dhcp-agent:
  Installed: 2:16.0.0~b2~git2020020712.d5b33ffc77-0ubuntu1
neutron-linuxbridge-agent:
  Installed: 2:16.0.0~b2~git2020020712.d5b33ffc77-0ubuntu1

Tags: umask
James Page (james-page)
Changed in neutron (Ubuntu):
status: New → Triaged
importance: Undecided → High
milestone: none → ubuntu-20.03
tags: added: umask
Albert Damen (albrt) wrote :

I re-installed the neutron node from scratch, with neutron 2:16.0.0~b3~git2020032420.a0e1b5804e-0ubuntu2

Now neutron-common postinst does chmod 0750 /var/lib/neutron which makes the dhcp files unreadable:

Mar 27 20:36:15 network dnsmasq[6218]: failed to load names from /var/lib/neutron/dhcp/53519892-89b9-42cc-be0d-413938ed5230/addn_hosts: Permission denied
Mar 27 20:36:15 network dnsmasq[6218]: cannot read /var/lib/neutron/dhcp/53519892-89b9-42cc-be0d-413938ed5230/host: Permission denied
Mar 27 20:36:15 network dnsmasq[6218]: cannot read /var/lib/neutron/dhcp/53519892-89b9-42cc-be0d-413938ed5230/opts: Permission denied

ubuntu@network:~$ sudo ls -la /var/lib/neutron/dhcp
total 16
drwxr-xr-x 4 neutron neutron 4096 Mar 27 20:35 .
drwxr-x--- 8 neutron neutron 4096 Mar 27 20:35 ..
drwxr-xr-x 2 neutron neutron 4096 Mar 27 20:36 2dd85a27-8ea0-4656-b872-6d2008e298c3
drwxr-xr-x 2 neutron neutron 4096 Mar 27 20:36 53519892-89b9-42cc-be0d-413938ed5230

ubuntu@network:~$ cat /var/lib/neutron/dhcp/53519892-89b9-42cc-be0d-413938ed5230/host
cat: /var/lib/neutron/dhcp/53519892-89b9-42cc-be0d-413938ed5230/host: Permission denied

After changing /var/lib/neutron/ to mode 755 (or 751) dnsmasq works fine again

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package neutron - 2:16.0.0~b3~git2020032420.a0e1b5804e-0ubuntu4

---------------
neutron (2:16.0.0~b3~git2020032420.a0e1b5804e-0ubuntu4) focal; urgency=medium

  * d/neutron-common.postinst: Set ownership and permissions for all /var/lib
    files and directories and ensure dnsmasq has access to /var/lib/neutron/dhcp
    (LP: #1866187).

 -- Corey Bryant <email address hidden> Thu, 02 Apr 2020 15:02:51 -0400

Changed in neutron (Ubuntu):
status: Triaged → Fix Released
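
The permission failure reported above comes from a parent directory that is not searchable by "other", even though the dhcp directories below it are mode 755. As an added example (not part of the original report or the neutron packaging), this Python check walks a path and lists every component whose mode bits would deny a process that matches neither the owner nor the group, which is the assumption made here for dnsmasq running as nobody. It looks at mode bits only (no ACLs, no AppArmor), and the temporary tree and the all-zero network id are constructed for the demonstration.

```python
import os
import stat
import tempfile


def blocked_for_other(path, start="/"):
    """List components from start (exclusive) to path (inclusive) whose mode
    denies a process that matches neither the owner nor the group."""
    path, start = os.path.abspath(path), os.path.abspath(start)
    parts = os.path.relpath(path, start).split(os.sep)
    findings, current = [], start
    for part in parts:
        current = os.path.join(current, part)
        st = os.stat(current)
        mode = stat.S_IMODE(st.st_mode)
        if stat.S_ISDIR(st.st_mode):
            # Every directory on the way down must be searchable (o+x).
            if not mode & stat.S_IXOTH:
                findings.append((current, oct(mode), "o+x"))
        elif not mode & stat.S_IROTH:
            # The file itself must be readable (o+r).
            findings.append((current, oct(mode), "o+r"))
    return findings


def build_demo_tree(parent_mode, file_mode=0o644):
    """Constructed stand-in for /var/lib/neutron/dhcp/<guid>/host in a temp dir."""
    base = tempfile.mkdtemp()
    neutron = os.path.join(base, "neutron")
    net = os.path.join(neutron, "dhcp", "00000000-0000-0000-0000-000000000000")
    os.makedirs(net)
    host = os.path.join(net, "host")
    with open(host, "w") as fh:
        fh.write("constructed sample entry\n")
    os.chmod(host, file_mode)
    os.chmod(os.path.join(neutron, "dhcp"), 0o755)
    os.chmod(net, 0o755)
    os.chmod(neutron, parent_mode)  # the mode under test
    return base, neutron, host


if __name__ == "__main__":
    for mode in (0o750, 0o751, 0o755):
        base, _, host = build_demo_tree(mode)
        print(oct(mode), blocked_for_other(host, start=base))
```

On a real node, calling blocked_for_other on one of the host, opts or addn_hosts paths with the default start of "/" names the directory that needs its mode corrected.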