Agents don't need root to list namespaces

Bug #1293818 reported by Carl Baldwin
Affects | Status | Importance | Assigned to | Milestone
neutron | Fix Released | Medium | Carl Baldwin |

Bug Description

Given the expense of sudo (at scale) and rootwrap calls, agents should not be using root for commands that don't need it. Listing namespaces is one of those.

(I could have sworn I already fixed this, which is why I didn't fix it until today.)

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/81098

Changed in neutron:
assignee: nobody → Carl Baldwin (carl-baldwin)
status: New → In Progress
Miguel Angel Ajo (mangelajo) wrote :

Good catch!!

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/81098
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=d37b6c9ee8ddf2cc90197e5a442ba759eca5a0c0
Submitter: Jenkins
Branch: master

commit d37b6c9ee8ddf2cc90197e5a442ba759eca5a0c0
Author: Carl Baldwin <email address hidden>
Date: Mon Mar 17 22:19:04 2014 +0000

    Don't use root to list namespaces

    A bit of low hanging fruit. I just noticed that this hadn't been
    fixed yet.

    Change-Id: Iea9210098b6acf4ab24a89287529ff82986faaad
    Closes-Bug: #1293818

Changed in neutron:
status: In Progress → Fix Committed
Eugene Nikanorov (enikanorov) wrote :

Apparently the fix is not correct, since the code calls exactly the same commands.

Akihiro Motoki (amotoki) wrote :
Changed in neutron:
status: Fix Committed → In Progress
importance: Undecided → Low
Carl Baldwin (carl-baldwin) wrote :

Eugene, can you elaborate? For the case that I found and for which I filed the bug, this change very clearly fixed the problem in my testing. After the change, I see this in the logs. I don't see any case of running "netns list" with rootwrap.

2014-03-24 15:13:52.252 DEBUG neutron.agent.linux.utils [req-52cb3fa7-7de1-4242-9f52-2cfb92e637b1 None None] Running command: ['ip', '-o', 'netns', 'list'] from (pid=32640) create_process /opt/stack/neutron/neutron/agent/linux/utils.py:48
2014-03-24 15:13:52.260 DEBUG neutron.agent.linux.utils [req-52cb3fa7-7de1-4242-9f52-2cfb92e637b1 None None]
Command: ['ip', '-o', 'netns', 'list']
Exit code: 0
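
An added example, not part of the original comment and not neutron's own code: one way to audit agent DEBUG logs in the "Running command: [...]" format quoted above for read-only commands that still go through the root helper. The `sudo neutron-rootwrap <conf>` prefix layout, the helper names and the sample lines are assumptions constructed for illustration.

```python
import ast
import re

# Read-only commands that succeed without root. ('ip', 'netns', 'list') is the
# case from this bug; anything else added here is an assumption to verify.
UNPRIVILEGED_OK = {("ip", "netns", "list")}
RUNNING = re.compile(r"Running command: (\[.*?\])")


def strip_root_helper(argv):
    """Split off an assumed 'sudo <*rootwrap> <conf>' prefix; return (used_root, rest)."""
    if not argv or argv[0] != "sudo":
        return False, argv
    rest = argv[1:]
    if rest and rest[0].endswith("rootwrap"):
        rest = rest[2:]
    return True, rest


def needless_root_calls(log_lines):
    """Return [(line_number, argv)] for root-wrapped commands that do not need root."""
    findings = []
    for number, line in enumerate(log_lines, start=1):
        match = RUNNING.search(line)
        if not match:
            continue
        try:
            argv = [str(arg) for arg in ast.literal_eval(match.group(1))]
        except (ValueError, SyntaxError):
            continue  # truncated or mangled log line
        used_root, command = strip_root_helper(argv)
        # Drop option flags such as '-o' so 'ip -o netns list' matches too.
        key = tuple(arg for arg in command if not arg.startswith("-"))[:3]
        if used_root and key in UNPRIVILEGED_OK:
            findings.append((number, command))
    return findings


# Constructed sample log lines modelled on the DEBUG format quoted above.
SAMPLE_LOG = """\
2014-03-24 15:13:52.252 DEBUG neutron.agent.linux.utils [req-0 None None] Running command: ['ip', '-o', 'netns', 'list'] from (pid=1) create_process
2014-03-24 15:13:53.100 DEBUG neutron.agent.linux.utils [req-0 None None] Running command: ['sudo', 'neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', '-o', 'netns', 'list'] from (pid=1) create_process
2014-03-24 15:13:54.000 DEBUG neutron.agent.linux.utils [req-0 None None] Running command: ['sudo', 'neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'add', 'qrouter-example'] from (pid=1) create_process
Exit code: 0
""".splitlines()

if __name__ == "__main__":
    for number, command in needless_root_calls(SAMPLE_LOG):
        print(f"line {number}: root helper not needed for {command}")
```

Only the second sample line is reported: the first runs without the helper, and `ip netns add` in the third is not in the read-only set.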

Carl Baldwin (carl-baldwin) wrote :

Eugene,

Never mind, the logs you pasted in the review of your code answered my question. I see the problem.

Changed in neutron:
importance: Low → Medium
tags: added: icehouse-rc-potential
Changed in neutron:
assignee: Carl Baldwin (carl-baldwin) → Eugene Nikanorov (enikanorov)
Changed in neutron:
status: In Progress → Fix Committed
assignee: Eugene Nikanorov (enikanorov) → Carl Baldwin (carl-baldwin)
Akihiro Motoki (amotoki)
Changed in neutron:
milestone: none → icehouse-rc1
Thierry Carrez (ttx)
Changed in neutron:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in neutron:
milestone: icehouse-rc1 → 2014.1