Comment 0 for bug 2048064

Alexey 'Fenuks' Rusetsky (fenuks-uh) wrote :

On Ubuntu 20.04 (Focal) OpenVSwitch creates its sockets with root-only privileges:

srwxr-x--- 1 root root 0 08-07 04:25 /var/run/openvswitch/db.sock

kuryr-libnetwork cannot connect to it and throws errors:

ERROR kuryr_libnetwork.controllers [-] ovs-vsctl: unix:/var/run/openvswitch/db.sock: database connection failed (Permission denied)

One possible fix is to use a network socket instead:

--- a/libexec/kuryr/ovs 2023-11-03 19:54:59.691657959 +0000
+++ b/libexec/kuryr/ovs 2024-01-04 05:53:35.636326065 +0000
@@ -13,6 +13,7 @@

 INT_BRIDGE="br-int"
 HYBRID_PLUG="'ovs_hybrid_plug': True"
+DB='--db=tcp:127.0.0.1:6640'

 OPERATION=$1
 PORT=$2
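Review bot: Pointing every ovs-vsctl call at `tcp:127.0.0.1:6640` (the `DB=` line here, consumed by the `${DB}` lines in the four following hunks) trades a root-only unix socket for an OVSDB TCP listener that ovsdb-server does not authenticate, so any process able to reach loopback on the host — including containers that share the host network namespace — gets full read/write access to the switch database, which is exactly what the `srwxr-x---` mode on db.sock was preventing. The permission error is better fixed on the socket side: run kuryr-libnetwork under a uid/gid the socket's group permissions admit (or have ovsdb-server expose a second unix socket via `--remote` owned by that group), keeping `--db=unix:/var/run/openvswitch/db.sock`. If a network transport is genuinely required, it should be `ssl:` with `--private-key`/`--certificate`/`--ca-cert` rather than plain TCP, and the script should keep the unix socket as its default with `DB` only overriding it when explicitly configured (e.g. `DB=${KURYR_OVS_DB:-}`, name constructed as an example) rather than hard-coding the loopback address for every deployment.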
@@ -22,7 +23,7 @@

 ovs_bind_port() {
     echo "plugging veth $VETH (Neutron port $PORT)..."
- ovs-vsctl -- --may-exist add-port $INT_BRIDGE $VETH -- \
+ ovs-vsctl ${DB} -- --may-exist add-port $INT_BRIDGE $VETH -- \
         set interface $VETH external_ids:attached-mac=$MAC_ADDRESS \
         external_ids:iface-id=$PORT external_ids:vm-uuid=$CONTAINER_UUID \
         external_ids:iface-status=active external_ids:owner=kuryr
@@ -30,14 +31,14 @@

 ovs_unbind_port() {
     echo "unplugging port $PORT..."
- MYPORT=`ovs-vsctl --data=bare --no-heading --columns=name \
+ MYPORT=`ovs-vsctl ${DB} --data=bare --no-heading --columns=name \
         find interface external_ids:iface-id=$PORT \
         external_ids:owner=kuryr`
     if [ -z "$MYPORT" ]; then
         echo >&2 "Failed to find port $PORT."
         exit 1
     fi
- ovs-vsctl del-port $INT_BRIDGE $MYPORT
+ ovs-vsctl ${DB} del-port $INT_BRIDGE $MYPORT
 }

 ovs_hybrid_bind_port() {
@@ -63,7 +64,7 @@
     ip link set $br_name up

     # connect one end to the ovs integration bridge
- ovs-vsctl add-port $INT_BRIDGE $veth_ovs -- \
+ ovs-vsctl ${DB} add-port $INT_BRIDGE $veth_ovs -- \
         set interface $veth_ovs external_ids:attached-mac=$MAC_ADDRESS \
         external_ids:iface-id=$PORT external_ids:vm-id=$CONTAINER_UUID \
         external_ids:iface-status=active external_ids:owner=kuryr
@@ -79,7 +80,7 @@
     veth_ovs="qvo"${PORT:0:11}

     ip link set dev $veth_lb nomaster
- ovs-vsctl del-port $veth_ovs
+ ovs-vsctl ${DB} del-port $veth_ovs
     ip link delete $veth_lb type veth

     ip link set $br_name down