Neutron l3 agent unable to list network namespaces

Bug #1414239 reported by Kevin Benton on 2015-01-24
Affects (Importance, Assigned to):
Fuel for OpenStack: High, Ryan Moe
4.1.x: High, Ryan Moe
5.0.x: High, Ryan Moe
5.1.x: High, Ryan Moe
6.0.x: High, Ryan Moe

Bug Description

The Neutron L3 agent does not use the root_helper to check for the existence of a namespace.
The permissions on /var/run/netns do not allow non-root users to see if namespaces exist. [1]

This causes the L3 agent to throw exceptions when it tries to create a namespace that actually already exists, so the interfaces don't get set up properly. [2]

Neutron Kilo will come with an option to use the root_helper for namespace reading. Unfortunately, that won't be back-ported to Juno, so the permissions on the namespace directory need to be adjusted to allow neutron to list the files.

1. http://paste.openstack.org/show/161056/
2. http://paste.openstack.org/show/161057/

Changed in fuel:
importance: Undecided → High
assignee: nobody → Fuel Library Team (fuel-library)
milestone: none → 6.1

Fix proposed to branch: master
Review: https://review.openstack.org/152751

Changed in fuel:
assignee: Fuel Library Team (fuel-library) → Ryan Moe (rmoe)
status: New → In Progress
Ryan Moe (rmoe) on 2015-02-11
summary: - neutron l3 agent doesn't work in 6.0
+ Neutron l3 agent unable to list network namespaces

Reviewed: https://review.openstack.org/152751
Committed: https://git.openstack.org/cgit/stackforge/fuel-library/commit/?id=5f2d498bcd3338825c3d5da83a8ea8503afa95ed
Submitter: Jenkins
Branch: master

commit 5f2d498bcd3338825c3d5da83a8ea8503afa95ed
Author: Ryan Moe <email address hidden>
Date: Tue Feb 3 16:32:32 2015 -0800

    Set umask to 0022 for OCF scripts that add network namespaces

    When ns_haproxy or ns_IPaddr2 create the first network namespace
    /var/run/netns will have permissions of 751 due to the umask
    being 0026 at that time. This will cause the problems with
    Neutron agents described in the referenced bug.

    Change-Id: Ib8d1f485272ef843e935f43b1b40d7db6b0c2e78
    Closes-bug: #1414239

Changed in fuel:
status: In Progress → Fix Committed

Reviewed: https://review.openstack.org/156550
Committed: https://git.openstack.org/cgit/stackforge/fuel-library/commit/?id=5dcf599284ab8390abc8bdd0e023bc2495c5ac77
Submitter: Jenkins
Branch: stable/6.0

commit 5dcf599284ab8390abc8bdd0e023bc2495c5ac77
Author: Vladimir Kuklin <email address hidden>
Date: Tue Feb 17 14:22:18 2015 +0300

    Set umask to 0022 for OCF scripts that add network namespaces

    When ns_haproxy or ns_IPaddr2 create the first network namespace
    /var/run/netns will have permissions of 751 due to the umask
    being 0026 at that time. This will cause the problems with
    Neutron agents described in the referenced bug.

    Change-Id: Ib8d1f485272ef843e935f43b1b40d7db6b0c2e78
    Closes-bug: #1414239

Reviewed: https://review.openstack.org/157473
Committed: https://git.openstack.org/cgit/stackforge/fuel-library/commit/?id=cf15fe0afc87a3db2ef061d5c3bdc50291778a61
Submitter: Jenkins
Branch: stable/5.1

commit cf15fe0afc87a3db2ef061d5c3bdc50291778a61
Author: Ryan Moe <email address hidden>
Date: Tue Feb 3 16:32:32 2015 -0800

    Set umask to 0022 for OCF scripts that add network namespaces

    When ns_haproxy or ns_IPaddr2 create the first network namespace
    /var/run/netns will have permissions of 751 due to the umask
    being 0026 at that time. This will cause the problems with
    Neutron agents described in the referenced bug.

    Change-Id: Ib8d1f485272ef843e935f43b1b40d7db6b0c2e78
    Closes-bug: #1414239

Reviewed: https://review.openstack.org/157475
Committed: https://git.openstack.org/cgit/stackforge/fuel-library/commit/?id=7f80b93b7fb742e065e5eff72b790dd1552edb62
Submitter: Jenkins
Branch: stable/5.0

commit 7f80b93b7fb742e065e5eff72b790dd1552edb62
Author: Ryan Moe <email address hidden>
Date: Tue Feb 3 16:32:32 2015 -0800

    Set umask to 0022 for OCF scripts that add network namespaces

    When ns_haproxy or ns_IPaddr2 create the first network namespace
    /var/run/netns will have permissions of 751 due to the umask
    being 0026 at that time. This will cause the problems with
    Neutron agents described in the referenced bug.

    Change-Id: Ib8d1f485272ef843e935f43b1b40d7db6b0c2e78
    Closes-bug: #1414239

Verified on MOS 6.1 ISO #429
Steps to Verify:
root@node-1:/# sudo -u neutron ip netns list
qrouter-55f0eced-af80-41e0-8afa-b31ff5bcffb8
haproxy
vrouter
root@node-1:/# ip netns list
qrouter-55f0eced-af80-41e0-8afa-b31ff5bcffb8
haproxy
vrouter

Changed in fuel:
status: Fix Committed → Fix Released

Change abandoned by Ryan Moe (<email address hidden>) on branch: stable/4.1
Review: https://review.openstack.org/157479
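
The umask effect named in the commit messages above, as an added example (not code from fuel-library or from this bug thread): it creates a directory under umask 0026 and under 0022 and checks whether users outside the owning user and group could list it. The function names and the scratch directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example with constructed paths: works in a mktemp scratch directory
# and never touches /var/run/netns. Function names are hypothetical.

# Print the 10-character permission string of a directory, e.g. drwxr-x--x.
dir_perms() {
    ls -ld "$1" | cut -c1-10
}

# Succeed if the "other" class can list a directory with these permissions.
# Reading the names needs r; 751 leaves only x, so listing fails for them.
# The bits are parsed instead of using `test -r` because root passes `test -r`
# regardless, which is how this problem stays hidden when checked as root.
perms_allow_listing() {
    case "$1" in
        d??????r?[xt]) return 0 ;;
        *) return 1 ;;
    esac
}

# Create a directory under the given umask and print its permission string.
perms_under_umask() {
    (
        umask "$1"
        scratch=$(mktemp -d) || exit 1
        mkdir "$scratch/netns"
        dir_perms "$scratch/netns"
        rm -rf "$scratch"
    )
}

# Succeed if a directory created under the given umask is listable by others.
listable_under_umask() {
    perms_allow_listing "$(perms_under_umask "$1")"
}

# Audit an existing directory, e.g. `others_can_list /var/run/netns`.
others_can_list() {
    perms_allow_listing "$(dir_perms "$1")"
}

for mask in 0026 0022; do
    if listable_under_umask "$mask"; then verdict="listable"; else verdict="NOT listable"; fi
    printf 'umask %s -> %s (%s by other users)\n' "$mask" "$(perms_under_umask "$mask")" "$verdict"
done
```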
