Allow to run neutron-ns-metadata-proxy as nobody

Bug #1427228 reported by Cedric Brandily
Affects: neutron
Status: Fix Released
Importance: High
Assigned to: Cedric Brandily
Milestone: 2015.1.0

Bug Description

Currently neutron-ns-metadata-proxy runs with the neutron user/group permissions on the l3-agent, but we should allow running it with fewer permissions, as the neutron user is allowed to run neutron-rootwrap. We should restrict neutron-ns-metadata-proxy's permissions as much as possible, as it is reachable from VMs.

Changed in neutron:
assignee: nobody → Cedric Brandily (cbrandily)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/161494

Changed in neutron:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/165115

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/166353

OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (master)

Reviewed: https://review.openstack.org/166353
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=3106d358f1963f9f9611018ad77eadd13874242d
Submitter: Jenkins
Branch: master

commit 3106d358f1963f9f9611018ad77eadd13874242d
Author: Cedric Brandily <email address hidden>
Date: Fri Mar 20 16:11:53 2015 +0000

    Move metadata proxy shared options to neutron.conf

    This change moves the metadata proxy options shared between the dhcp and l3
    agents to neutron.conf. This change prepares follow-up changes allowing
    the metadata proxy to run with the nobody user/group.

    Change-Id: I1828e322791b8a697765cad2f12857e3d6deae68
    Related-bug: #1427228

Kyle Mestery (mestery)
Changed in neutron:
importance: Undecided → High
milestone: none → kilo-rc1
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/161494
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=fbc22784149cd6b3ca6d8161e360d3d7c10d94ac
Submitter: Jenkins
Branch: master

commit fbc22784149cd6b3ca6d8161e360d3d7c10d94ac
Author: Cedric Brandily <email address hidden>
Date: Tue Mar 3 22:26:52 2015 +0000

    Allow metadata proxy to log with nobody user/group

    Currently the metadata proxy cannot run with the nobody user/group, as the
    metadata proxy (like other services) uses the WatchedFileHandler handler to
    log to a file, which does not support dropping permissions (the process
    must be able to read/write after the permissions drop to "watch" the file).

    This change allows enabling/disabling log watch in metadata proxies with
    the new option metadata_proxy_log_watch. It should be disabled when
    metadata_proxy_user/group is not allowed to read/write the metadata proxy
    log files. The option's default value is deduced from metadata_proxy_user:

    * True if metadata_proxy_user is the agent's effective user id/name,
    * False otherwise.

    When log watch is disabled and logrotate is enabled on the metadata proxy
    log files, the 'copytruncate' logrotate option must be used, otherwise
    metadata proxy logs will be lost after the first log rotation.

    DocImpact
    Change-Id: I40a7bd82a2c60d9198312fdb52e3010c60db3511
    Partial-Bug: #1427228

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/165115
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=80bea7a38670620934faafd5f583fe6164b9f9b3
Submitter: Jenkins
Branch: master

commit 80bea7a38670620934faafd5f583fe6164b9f9b3
Author: Cedric Brandily <email address hidden>
Date: Tue Mar 17 15:20:07 2015 +0000

    Allow metadata proxy running with nobody user/group

    Currently the metadata proxy cannot run with the nobody user/group, as the
    metadata proxy needs to connect to metadata_proxy_socket when queried.

    This change allows running the metadata proxy with the nobody user/group
    by allowing the metadata_proxy_socket mode to be chosen with the new option
    metadata_proxy_socket_mode (4 choices), in order to adapt the socket
    permissions to the metadata proxy user/group.

    This change also refactors where options are defined, to enable the
    metadata_proxy_user/group options in the metadata agent.

    In practice:
    * if metadata_proxy_user is the agent's effective user or root, then:
      * the metadata proxy is allowed to use rootwrap (insecure)
      * set metadata_proxy_socket_mode = user (0o644)
    * else if metadata_proxy_group is the agent's effective group, then:
      * the metadata proxy is not allowed to use rootwrap (secure)
      * set metadata_proxy_socket_mode = group (0o664)
      * set metadata_proxy_log_watch = false
    * else:
      * the metadata proxy has the lowest permissions (most secure), but the
        metadata proxy socket can be opened by everyone
      * set metadata_proxy_socket_mode = all (0o666)
      * set metadata_proxy_log_watch = false

    An alternative is to set metadata_proxy_socket_mode = deduce, in which
    case the metadata agent uses the rules above to choose the correct mode.

    DocImpact
    Closes-Bug: #1427228
    Change-Id: I235a0cc4f0cbd55ae4ec1570daf2ebbb6a72441d
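
The two merged commits above describe a small decision procedure: the default of metadata_proxy_log_watch follows from metadata_proxy_user, and the "deduce" socket mode picks user/group/all (0o644/0o664/0o666) from the proxy user and group relative to the agent's effective identity. The following is an added example, my own Python and not neutron's code, that implements those rules as stated in the commit messages and then audits the permission bits of a real AF_UNIX socket against the deduced mode. Option names are taken from the commit messages; AgentIdentity, ProxySettings, deduce_proxy_settings, audit_socket and demo_socket_audit are names of my own, and the agent identity is passed in explicitly (an assumption of this example) rather than read from os.geteuid() so every branch can be exercised from one unprivileged process.

```python
"""Added example: metadata proxy socket-mode / log-watch deduction rules
(re-implemented from the commit messages; not neutron's own code)."""
import os
import socket
import stat
import tempfile
from dataclasses import dataclass

USER_MODE, GROUP_MODE, ALL_MODE, DEDUCE_MODE = "user", "group", "all", "deduce"
# socket permission bits per mode, as listed in the commit message
MODE_MAP = {USER_MODE: 0o644, GROUP_MODE: 0o664, ALL_MODE: 0o666}


@dataclass(frozen=True)
class AgentIdentity:
    """Effective uid/gid (and names) of the agent spawning the proxy.
    Assumed input for this example instead of os.geteuid()/pwd lookups."""
    uid: int
    user: str
    gid: int
    group: str

    def is_effective_user(self, user: str) -> bool:
        return user in (str(self.uid), self.user)

    def is_effective_group(self, group: str) -> bool:
        return group in (str(self.gid), self.group)


@dataclass(frozen=True)
class ProxySettings:
    socket_mode: str          # user | group | all
    socket_perms: int         # chmod bits for metadata_proxy_socket
    log_watch: bool           # effective metadata_proxy_log_watch
    rootwrap_reachable: bool  # True when the proxy keeps rootwrap access


def deduce_proxy_settings(agent, proxy_user=None, proxy_group=None,
                          socket_mode=DEDUCE_MODE, log_watch=None):
    """Apply the 'In practice' rules from the commit message."""
    if socket_mode != DEDUCE_MODE and socket_mode not in MODE_MAP:
        raise ValueError("metadata_proxy_socket_mode must be one of "
                         "user, group, all, deduce")
    # unset options fall back to the agent's own identity
    user = proxy_user or str(agent.uid)
    group = proxy_group or str(agent.gid)

    # running as the agent user or root leaves rootwrap reachable (insecure)
    as_agent_or_root = user in ("0", "root") or agent.is_effective_user(user)

    if socket_mode == DEDUCE_MODE:
        if as_agent_or_root:
            socket_mode = USER_MODE    # 0o644
        elif agent.is_effective_group(group):
            socket_mode = GROUP_MODE   # 0o664
        else:
            socket_mode = ALL_MODE     # 0o666: any local user can open it

    if log_watch is None:
        # WatchedFileHandler needs r/w after the privilege drop, so watching
        # defaults to on only when the proxy keeps the agent's user id/name
        log_watch = agent.is_effective_user(user)

    return ProxySettings(socket_mode, MODE_MAP[socket_mode], bool(log_watch),
                         as_agent_or_root)


def audit_socket(path, settings):
    """Compare the on-disk socket mode with the deduced one."""
    actual = stat.S_IMODE(os.stat(path).st_mode)
    return {
        "actual": actual,
        "expected": settings.socket_perms,
        "matches": actual == settings.socket_perms,
        "world_writable": bool(actual & stat.S_IWOTH),
    }


def demo_socket_audit(agent, **proxy_opts):
    """Bind a throwaway AF_UNIX socket, chmod it per the deduced settings
    and return the audit result; the socket is removed afterwards."""
    settings = deduce_proxy_settings(agent, **proxy_opts)
    workdir = tempfile.mkdtemp(prefix="md-proxy-")
    path = os.path.join(workdir, "metadata_proxy")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        srv.bind(path)
        os.chmod(path, settings.socket_perms)
        return audit_socket(path, settings)
    finally:
        srv.close()
        os.remove(path)
        os.rmdir(workdir)


if __name__ == "__main__":
    agent = AgentIdentity(uid=1000, user="neutron", gid=1000, group="neutron")
    for opts in ({}, {"proxy_user": "root"},
                 {"proxy_user": "nobody", "proxy_group": "neutron"},
                 {"proxy_user": "nobody", "proxy_group": "nogroup"}):
        s = deduce_proxy_settings(agent, **opts)
        print(opts, s.socket_mode, oct(s.socket_perms),
              "log_watch=%s rootwrap=%s" % (s.log_watch, s.rootwrap_reachable))
    print(demo_socket_audit(agent, proxy_user="nobody", proxy_group="nogroup"))
```

Running the script walks the three branches of the deduction with a neutron-owned agent: nobody/neutron lands in group mode (0o664, rootwrap unreachable, log watch off), while nobody/nogroup falls through to all mode, where the audit flags the socket as world-writable. That last result is the trade-off the commit message calls out: the proxy itself has the least privilege, but any local user on the agent host can open the socket, so operators who choose it should also remember the copytruncate requirement for logrotate once log watch is off.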

Changed in neutron:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in neutron:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in neutron:
milestone: kilo-rc1 → 2015.1.0
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (neutron-pecan)

Fix proposed to branch: neutron-pecan
Review: https://review.openstack.org/185072
