2024-01-04 10:05:57 |
Alexey 'Fenuks' Rusetsky |
description |
On Ubuntu 20.04 (Focal) OpenVSwitch creates its sockets with root-only permissions:
srwxr-x--- 1 root root 0 08-07 04:25 /var/run/openvswitch/db.sock
kuryr-libnetwork cannot connect to it and logs errors such as:
ERROR kuryr_libnetwork.controllers [-] ovs-vsctl: unix:/var/run/openvswitch/db.sock: database connection failed (Permission denied)
One possible fix is to have kuryr talk to ovsdb-server over its loopback TCP listener instead of the Unix socket:
--- a/libexec/kuryr/ovs 2023-11-03 19:54:59.691657959 +0000
+++ b/libexec/kuryr/ovs 2024-01-04 05:53:35.636326065 +0000
@@ -13,6 +13,7 @@
INT_BRIDGE="br-int"
HYBRID_PLUG="'ovs_hybrid_plug': True"
+DB='--db=tcp:127.0.0.1:6640'
OPERATION=$1
PORT=$2
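Review bot: Hard-coding `DB='--db=tcp:127.0.0.1:6640'` swaps a root-only Unix socket for an OVSDB endpoint that, as far as the patch shows, carries no authentication, so any local process that can open a loopback connection gets the same read-write control over br-int that the socket permissions were restricting, not just the kuryr user. The patch also assumes ovsdb-server already has a passive TCP listener on that port; nothing here configures it, so a deployment without it fails at the first `ovs-vsctl` call. A narrower fix that keeps the existing trust boundary is to stay on `unix:` and grant the kuryr group access to `/var/run/openvswitch/db.sock` (or run `ovs-vsctl` via rootwrap/sudo); if TCP is kept, mark the trade-off next to the define, e.g. `# loopback TCP to ovsdb is unauthenticated: any local user can reconfigure br-int` and `readonly DB=...` so a later hunk cannot silently override it.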
@@ -22,7 +23,7 @@
ovs_bind_port() {
echo "plugging veth $VETH (Neutron port $PORT)..."
- ovs-vsctl -- --may-exist add-port $INT_BRIDGE $VETH -- \
+ ovs-vsctl ${DB} -- --may-exist add-port $INT_BRIDGE $VETH -- \
set interface $VETH external_ids:attached-mac=$MAC_ADDRESS \
external_ids:iface-id=$PORT external_ids:vm-uuid=$CONTAINER_UUID \
external_ids:iface-status=active external_ids:owner=kuryr
@@ -30,14 +31,14 @@
ovs_unbind_port() {
echo "unplugging port $PORT..."
- MYPORT=`ovs-vsctl --data=bare --no-heading --columns=name \
+ MYPORT=`ovs-vsctl ${DB} --data=bare --no-heading --columns=name \
find interface external_ids:iface-id=$PORT \
external_ids:owner=kuryr`
if [ -z "$MYPORT" ]; then
echo >&2 "Failed to find port $PORT."
exit 1
fi
- ovs-vsctl del-port $INT_BRIDGE $MYPORT
+ ovs-vsctl ${DB} del-port $INT_BRIDGE $MYPORT
}
ovs_hybrid_bind_port() {
@@ -63,7 +64,7 @@
ip link set $br_name up
# connect one end to the ovs integration bridge
- ovs-vsctl add-port $INT_BRIDGE $veth_ovs -- \
+ ovs-vsctl ${DB} add-port $INT_BRIDGE $veth_ovs -- \
set interface $veth_ovs external_ids:attached-mac=$MAC_ADDRESS \
external_ids:iface-id=$PORT external_ids:vm-id=$CONTAINER_UUID \
external_ids:iface-status=active external_ids:owner=kuryr
@@ -79,7 +80,7 @@
veth_ovs="qvo"${PORT:0:11}
ip link set dev $veth_lb nomaster
- ovs-vsctl del-port $veth_ovs
+ ovs-vsctl ${DB} del-port $veth_ovs
ip link delete $veth_lb type veth
ip link set $br_name down |
Zun and Kuryr were installed using openstack-ansible for 2023.1. The Kuryr service runs as the unprivileged user kuryr.
On Ubuntu 20.04 (Focal) OpenVSwitch creates its sockets with root-only permissions:
srwxr-x--- 1 root root 0 08-07 04:25 /var/run/openvswitch/db.sock
kuryr-libnetwork cannot connect to it and logs errors such as:
ERROR kuryr_libnetwork.controllers [-] ovs-vsctl: unix:/var/run/openvswitch/db.sock: database connection failed (Permission denied)
One possible fix is to have kuryr talk to ovsdb-server over its loopback TCP listener instead of the Unix socket:
--- a/libexec/kuryr/ovs 2023-11-03 19:54:59.691657959 +0000
+++ b/libexec/kuryr/ovs 2024-01-04 05:53:35.636326065 +0000
@@ -13,6 +13,7 @@
INT_BRIDGE="br-int"
HYBRID_PLUG="'ovs_hybrid_plug': True"
+DB='--db=tcp:127.0.0.1:6640'
OPERATION=$1
PORT=$2
@@ -22,7 +23,7 @@
ovs_bind_port() {
echo "plugging veth $VETH (Neutron port $PORT)..."
- ovs-vsctl -- --may-exist add-port $INT_BRIDGE $VETH -- \
+ ovs-vsctl ${DB} -- --may-exist add-port $INT_BRIDGE $VETH -- \
set interface $VETH external_ids:attached-mac=$MAC_ADDRESS \
external_ids:iface-id=$PORT external_ids:vm-uuid=$CONTAINER_UUID \
external_ids:iface-status=active external_ids:owner=kuryr
@@ -30,14 +31,14 @@
ovs_unbind_port() {
echo "unplugging port $PORT..."
- MYPORT=`ovs-vsctl --data=bare --no-heading --columns=name \
+ MYPORT=`ovs-vsctl ${DB} --data=bare --no-heading --columns=name \
find interface external_ids:iface-id=$PORT \
external_ids:owner=kuryr`
if [ -z "$MYPORT" ]; then
echo >&2 "Failed to find port $PORT."
exit 1
fi
- ovs-vsctl del-port $INT_BRIDGE $MYPORT
+ ovs-vsctl ${DB} del-port $INT_BRIDGE $MYPORT
}
ovs_hybrid_bind_port() {
@@ -63,7 +64,7 @@
ip link set $br_name up
# connect one end to the ovs integration bridge
- ovs-vsctl add-port $INT_BRIDGE $veth_ovs -- \
+ ovs-vsctl ${DB} add-port $INT_BRIDGE $veth_ovs -- \
set interface $veth_ovs external_ids:attached-mac=$MAC_ADDRESS \
external_ids:iface-id=$PORT external_ids:vm-id=$CONTAINER_UUID \
external_ids:iface-status=active external_ids:owner=kuryr
@@ -79,7 +80,7 @@
veth_ovs="qvo"${PORT:0:11}
ip link set dev $veth_lb nomaster
- ovs-vsctl del-port $veth_ovs
+ ovs-vsctl ${DB} del-port $veth_ovs
ip link delete $veth_lb type veth
ip link set $br_name down |