Neutron l3 agent unable to list network namespaces

Bug #1414239 reported by Kevin Benton
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Fuel for OpenStack | Fix Released | High | Ryan Moe |
4.1.x | In Progress | High | Ryan Moe |
5.0.x | Fix Committed | High | Ryan Moe |
5.1.x | Fix Committed | High | Ryan Moe |
6.0.x | Fix Committed | High | Ryan Moe |

Bug Description

The Neutron L3 agent does not use the root_helper to check for the existence of a namespace.
The permissions on /var/run/netns do not allow non-root users to see if namespaces exist. [1]

This causes the L3 agent to throw exceptions when it tries to create a namespace that actually already exists, so the interfaces don't get set up properly. [2]

Neutron Kilo will come with an option to use the root_helper for namespace reading. Unfortunately that won't be back-ported to Juno so the permissions on the namespace directory need to be adjusted to allow neutron to list the files.

1. http://paste.openstack.org/show/161056/
2. http://paste.openstack.org/show/161057/

Changed in fuel:
importance: Undecided → High
assignee: nobody → Fuel Library Team (fuel-library)
milestone: none → 6.1
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-library (master)

Fix proposed to branch: master
Review: https://review.openstack.org/152751

Changed in fuel:
assignee: Fuel Library Team (fuel-library) → Ryan Moe (rmoe)
status: New → In Progress
Ryan Moe (rmoe)
summary: - neutron l3 agent doesn't work in 6.0
+ Neutron l3 agent unable to list network namespaces
OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-library (master)

Reviewed: https://review.openstack.org/152751
Committed: https://git.openstack.org/cgit/stackforge/fuel-library/commit/?id=5f2d498bcd3338825c3d5da83a8ea8503afa95ed
Submitter: Jenkins
Branch: master

commit 5f2d498bcd3338825c3d5da83a8ea8503afa95ed
Author: Ryan Moe <email address hidden>
Date: Tue Feb 3 16:32:32 2015 -0800

    Set umask to 0022 for OCF scripts that add network namespaces

    When ns_haproxy or ns_IPaddr2 create the first network namespace
    /var/run/netns will have permissions of 751 due to the umask
    being 0026 at that time. This will cause the problems with
    Neutron agents described in the referenced bug.

    Change-Id: Ib8d1f485272ef843e935f43b1b40d7db6b0c2e78
    Closes-bug: #1414239
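
The mode arithmetic in the commit message above, as an added shell example that is not part of the fuel-library change: a directory created under umask 0026 comes out as 751, which leaves users outside the owner and group without the read bit needed to list it, while umask 0022 yields 755. The function names and the scratch directory are assumptions of this example; /var/run/netns is only read, never modified.

```shell
#!/bin/sh
# Added example. Directories are created in a scratch location (constructed);
# /var/run/netns is only inspected by audit_dir.

# Print the octal mode a directory gets when created under umask $1.
# Plain mkdir requests 0777; the resulting mode is 0777 & ~umask.
mode_under_umask() {
    scratch=$(mktemp -d) || return 1
    ( umask "$1" && mkdir "$scratch/netns" ) || { rm -rf "$scratch"; return 1; }
    stat -c '%a' "$scratch/netns"
    rm -rf "$scratch"
}

# Succeed if the "other" digit of octal mode $1 has both r (4) and x (1):
# r is needed to read the names in the directory, x to reach the entries.
others_can_list() {
    other=${1#"${1%?}"}          # last octal digit of the mode
    [ $(( other & 5 )) -eq 5 ]
}

# Report whether a user outside the owner and group could list directory $1.
audit_dir() {
    if [ ! -d "$1" ]; then echo "absent"; return 0; fi
    mode=$(stat -c '%a' "$1")
    if others_can_list "$mode"; then
        echo "listable ($mode)"
    else
        echo "restricted ($mode)"
    fi
}

# Compare the umask from the bug with the one the fix sets.
for u in 0026 0022; do
    m=$(mode_under_umask "$u")
    if others_can_list "$m"; then
        verdict="listable by other users"
    else
        verdict="NOT listable by other users"
    fi
    echo "umask $u -> mode $m: $verdict"
done
echo "/var/run/netns: $(audit_dir /var/run/netns)"
```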

Changed in fuel:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-library (stable/6.0)

Fix proposed to branch: stable/6.0
Review: https://review.openstack.org/156550

OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-library (stable/6.0)

Reviewed: https://review.openstack.org/156550
Committed: https://git.openstack.org/cgit/stackforge/fuel-library/commit/?id=5dcf599284ab8390abc8bdd0e023bc2495c5ac77
Submitter: Jenkins
Branch: stable/6.0

commit 5dcf599284ab8390abc8bdd0e023bc2495c5ac77
Author: Vladimir Kuklin <email address hidden>
Date: Tue Feb 17 14:22:18 2015 +0300

    Set umask to 0022 for OCF scripts that add network namespaces

    When ns_haproxy or ns_IPaddr2 create the first network namespace
    /var/run/netns will have permissions of 751 due to the umask
    being 0026 at that time. This will cause the problems with
    Neutron agents described in the referenced bug.

    Change-Id: Ib8d1f485272ef843e935f43b1b40d7db6b0c2e78
    Closes-bug: #1414239

OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-library (stable/5.1)

Fix proposed to branch: stable/5.1
Review: https://review.openstack.org/157473

OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-library (stable/5.0)

Fix proposed to branch: stable/5.0
Review: https://review.openstack.org/157475

OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-library (stable/4.1)

Fix proposed to branch: stable/4.1
Review: https://review.openstack.org/157479

OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-library (stable/5.1)

Reviewed: https://review.openstack.org/157473
Committed: https://git.openstack.org/cgit/stackforge/fuel-library/commit/?id=cf15fe0afc87a3db2ef061d5c3bdc50291778a61
Submitter: Jenkins
Branch: stable/5.1

commit cf15fe0afc87a3db2ef061d5c3bdc50291778a61
Author: Ryan Moe <email address hidden>
Date: Tue Feb 3 16:32:32 2015 -0800

    Set umask to 0022 for OCF scripts that add network namespaces

    When ns_haproxy or ns_IPaddr2 create the first network namespace
    /var/run/netns will have permissions of 751 due to the umask
    being 0026 at that time. This will cause the problems with
    Neutron agents described in the referenced bug.

    Change-Id: Ib8d1f485272ef843e935f43b1b40d7db6b0c2e78
    Closes-bug: #1414239

OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-library (stable/5.0)

Reviewed: https://review.openstack.org/157475
Committed: https://git.openstack.org/cgit/stackforge/fuel-library/commit/?id=7f80b93b7fb742e065e5eff72b790dd1552edb62
Submitter: Jenkins
Branch: stable/5.0

commit 7f80b93b7fb742e065e5eff72b790dd1552edb62
Author: Ryan Moe <email address hidden>
Date: Tue Feb 3 16:32:32 2015 -0800

    Set umask to 0022 for OCF scripts that add network namespaces

    When ns_haproxy or ns_IPaddr2 create the first network namespace
    /var/run/netns will have permissions of 751 due to the umask
    being 0026 at that time. This will cause the problems with
    Neutron agents described in the referenced bug.

    Change-Id: Ib8d1f485272ef843e935f43b1b40d7db6b0c2e78
    Closes-bug: #1414239

Alexander Nevenchannyy (anevenchannyy) wrote :

Verified on MOS 6.1 ISO #429
Steps to Verify:
root@node-1:/# sudo -u neutron ip netns list
qrouter-55f0eced-af80-41e0-8afa-b31ff5bcffb8
haproxy
vrouter
root@node-1:/# ip netns list
qrouter-55f0eced-af80-41e0-8afa-b31ff5bcffb8
haproxy
vrouter

Changed in fuel:
status: Fix Committed → Fix Released
OpenStack Infra (hudson-openstack) wrote : Change abandoned on fuel-library (stable/4.1)

Change abandoned by Ryan Moe (<email address hidden>) on branch: stable/4.1
Review: https://review.openstack.org/157479
