Kuryr with OVS, db.sock permission denied

Bug #2048064 reported by Alexey 'Fenuks' Rusetsky
Affects           Status  Importance  Assigned to  Milestone
kuryr             New     Undecided   Unassigned
kuryr-libnetwork  New     Undecided   Unassigned

Bug Description

Zun and Kuryr were installed using openstack-ansible for 2023.1. The Kuryr service runs as the unprivileged user kuryr.

On Ubuntu 20.04 (Focal) Open vSwitch creates its sockets with root-only privileges:

srwxr-x--- 1 root root 0 08-07 04:25 /var/run/openvswitch/db.sock

kuryr-libnetwork cannot connect to it and throws errors:

ERROR kuryr_libnetwork.controllers [-] ovs-vsctl: unix:/var/run/openvswitch/db.sock: database connection failed (Permission denied)

One possible fix is to use a network socket:

--- a/libexec/kuryr/ovs 2023-11-03 19:54:59.691657959 +0000
+++ b/libexec/kuryr/ovs 2024-01-04 05:53:35.636326065 +0000
@@ -13,6 +13,7 @@

 INT_BRIDGE="br-int"
 HYBRID_PLUG="'ovs_hybrid_plug': True"
+DB='--db=tcp:127.0.0.1:6640'

 OPERATION=$1
 PORT=$2
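Review bot: the hardcoded `DB='--db=tcp:127.0.0.1:6640'` only works once ovsdb-server has been configured to listen on that TCP port (by default it serves just the Unix socket), and it trades the file-permission check this bug is about for a listener that every process on the host can reach with no authentication, so any local user gains the same control over br-int that the socket denied to kuryr. Suggest reading the target from an environment variable with the Unix socket as the default, and if a network target stays, using an ssl: target with ovs-vsctl's --private-key/--certificate/--ca-cert options rather than plain tcp:, with a comment next to the variable stating the ovsdb-server remote that must be configured for it.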
@@ -22,7 +23,7 @@

 ovs_bind_port() {
     echo "plugging veth $VETH (Neutron port $PORT)..."
- ovs-vsctl -- --may-exist add-port $INT_BRIDGE $VETH -- \
+ ovs-vsctl ${DB} -- --may-exist add-port $INT_BRIDGE $VETH -- \
         set interface $VETH external_ids:attached-mac=$MAC_ADDRESS \
         external_ids:iface-id=$PORT external_ids:vm-uuid=$CONTAINER_UUID \
         external_ids:iface-status=active external_ids:owner=kuryr
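Review bot: placing `${DB}` directly after `ovs-vsctl` and before the first `--` is correct, since --db is a global option that must precede the command list; keep it unquoted as written so that an empty value expands to no argument instead of an empty string that ovs-vsctl would reject. The name DB is generic for a script that also touches ip and veth devices; something like OVSDB_TARGET would make the later hunks read more clearly.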
@@ -30,14 +31,14 @@

 ovs_unbind_port() {
     echo "unplugging port $PORT..."
- MYPORT=`ovs-vsctl --data=bare --no-heading --columns=name \
+ MYPORT=`ovs-vsctl ${DB} --data=bare --no-heading --columns=name \
         find interface external_ids:iface-id=$PORT \
         external_ids:owner=kuryr`
     if [ -z "$MYPORT" ]; then
         echo >&2 "Failed to find port $PORT."
         exit 1
     fi
- ovs-vsctl del-port $INT_BRIDGE $MYPORT
+ ovs-vsctl ${DB} del-port $INT_BRIDGE $MYPORT
 }

 ovs_hybrid_bind_port() {
@@ -63,7 +64,7 @@
     ip link set $br_name up

     # connect one end to the ovs integration bridge
- ovs-vsctl add-port $INT_BRIDGE $veth_ovs -- \
+ ovs-vsctl ${DB} add-port $INT_BRIDGE $veth_ovs -- \
         set interface $veth_ovs external_ids:attached-mac=$MAC_ADDRESS \
         external_ids:iface-id=$PORT external_ids:vm-id=$CONTAINER_UUID \
         external_ids:iface-status=active external_ids:owner=kuryr
@@ -79,7 +80,7 @@
     veth_ovs="qvo"${PORT:0:11}

     ip link set dev $veth_lb nomaster
- ovs-vsctl del-port $veth_ovs
+ ovs-vsctl ${DB} del-port $veth_ovs
     ip link delete $veth_lb type veth

     ip link set $br_name down

Dmitriy Rabotyagov (noonedeadpunk) wrote :

Hi there,

I think you might be able to work around that by adjusting the group/user with which kuryr is running in OSA:
https://opendev.org/openstack/openstack-ansible-os_zun/src/branch/master/defaults/main.yml#L82-L83

Given that you run kuryr as the root user, it should work as well. But I'm not sure that it's a good idea to run services as root...

I do recall this issue being raised before a couple of times, with the answer more or less being "you should run as root" :(

Alexey 'Fenuks' Rusetsky (fenuks-uh) wrote :

I too think it is not the best idea to run such things as root. Neutron uses rootwrap for such things, but kuryr doesn't.

So far that was the only place where kuryr lacks the privileges to do the required things, and it's limited to OVS setup, I think. OVS does not provide any options to create sockets with other permissions, as far as I can see.

Not sure this should be fixed somehow, but maybe leave this report be for those who might want to keep running kuryr as a regular user?

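The thread turns on one detail of the Unix permission model: connect(2) on a Unix domain socket requires the write bit on the socket inode, which is why the `srwxr-x--- root root` listing above denies the kuryr user, and why adding kuryr to the owning group would still not help (the group triplet is r-x). The script below, added here as an illustration and not taken from the bug report or from kuryr, encodes that decision so an operator can check a service account against a socket before changing users or groups. `can_connect_socket` works purely on strings, and `check_socket_access` runs it against a real path; the latter assumes GNU coreutils `stat -c` and `id -Gn`, and both function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the bug report or of kuryr): decide whether a
# service account can connect to a Unix domain socket from an `ls -l` style
# listing. connect(2) needs the write bit on the socket inode, so a group
# triplet of r-x still denies the connection even after adding the account
# to the owning group; only a write bit in the applicable triplet, or
# running as root, lets the connection through.

# can_connect_socket MODE OWNER GROUP USER GROUPS
#   MODE   10-character mode string as printed by ls -l, e.g. srwxr-x---
#   OWNER  owning user of the socket
#   GROUP  owning group of the socket
#   USER   account that wants to connect, e.g. kuryr
#   GROUPS space-separated groups of USER (output of `id -Gn USER`)
# Prints the permission class that applies and returns 0 if connect would
# succeed, 1 if it would fail with EACCES, 2 if MODE is not a socket.
can_connect_socket() {
    mode=$1; owner=$2; group=$3; user=$4; groups=$5
    case "$mode" in
        s?????????) ;;
        *) echo "not a socket mode string: $mode" >&2; return 2 ;;
    esac
    # root holds CAP_DAC_OVERRIDE and skips the mode bits entirely
    if [ "$user" = root ]; then
        echo "root: permission bits bypassed, connect allowed"
        return 0
    fi
    # exactly one triplet applies, chosen in owner, group, other order
    if [ "$user" = "$owner" ]; then
        class=owner; bits=$(printf '%s' "$mode" | cut -c2-4)
    else
        case " $groups " in
            *" $group "*) class=group; bits=$(printf '%s' "$mode" | cut -c5-7) ;;
            *)            class=other; bits=$(printf '%s' "$mode" | cut -c8-10) ;;
        esac
    fi
    case "$bits" in
        ?w?) echo "$class bits $bits: connect allowed"; return 0 ;;
        *)   echo "$class bits $bits: connect denied (no write bit)"; return 1 ;;
    esac
}

# check_socket_access PATH USER: run the same decision against a real
# socket on this host. Assumes GNU coreutils `stat -c` and `id -Gn`.
check_socket_access() {
    path=$1; svc_user=$2
    listing=$(stat -c '%A %U %G' "$path") || return 2
    set -- $listing
    can_connect_socket "$1" "$2" "$3" "$svc_user" "$(id -Gn "$svc_user")"
}

# Walk through the listing quoted in this bug report (constructed input):
#   srwxr-x--- 1 root root 0 08-07 04:25 /var/run/openvswitch/db.sock
# Each call prints its verdict; the trailing `|| true` keeps set -e quiet.
demo() {
    can_connect_socket srwxr-x--- root root kuryr "kuryr"      || true  # other ---: denied
    can_connect_socket srwxr-x--- root root kuryr "kuryr root" || true  # group r-x: still denied
    can_connect_socket srwxrwx--- root root kuryr "kuryr root" || true  # group rwx: allowed
    can_connect_socket srwxr-x--- root root root  "root"       || true  # root: allowed
}
demo
```

On a live host, `check_socket_access /var/run/openvswitch/db.sock kuryr` answers the question the bug asks without restarting anything, and the verdict line tells you which triplet was consulted, so you can see at a glance whether a group change could ever be enough or whether the socket's own mode (or the account it runs as) has to change.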