privsep: lack of capabilities on kernel 4.15

Bug #1800157 reported by Oleg Bondarev
Affects: neutron
Status: Fix Released
Importance: High
Assigned to: Oleg Bondarev

Bug Description

The L3 and DHCP agents are not functioning on kernel 4.15 due to privsep errors:

2018-10-25 09:10:38,747.747 24060 INFO oslo.privsep.daemon [-] Running privsep helper: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'privsep-helper', '--config-file', '/etc/neutron/l3_agent.ini', '--config-file', '/etc/neutron/fwaas_driver.ini', '--config-file', '/etc/neutron/neutron.conf', '--privsep_context', 'neutron.privileged.default', '--privsep_sock_path', '/tmp/tmpS5k5y2/privsep.sock']
2018-10-25 09:10:39,361.361 24060 WARNING oslo.privsep.daemon [-] privsep log: Error in sys.excepthook:
2018-10-25 09:10:39,363.363 24060 WARNING oslo.privsep.daemon [-] privsep log: Traceback (most recent call last):
2018-10-25 09:10:39,363.363 24060 WARNING oslo.privsep.daemon [-] privsep log: File "/usr/lib/python2.7/dist-packages/oslo_log/log.py", line 193, in logging_excepthook
2018-10-25 09:10:39,364.364 24060 WARNING oslo.privsep.daemon [-] privsep log: getLogger(product_name).critical('Unhandled error', **extra)
2018-10-25 09:10:39,365.365 24060 WARNING oslo.privsep.daemon [-] privsep log: File "/usr/lib/python2.7/logging/__init__.py", line 1481, in critical
2018-10-25 09:10:39,365.365 24060 WARNING oslo.privsep.daemon [-] privsep log: self.logger.critical(msg, *args, **kwargs)
2018-10-25 09:10:39,366.366 24060 WARNING oslo.privsep.daemon [-] privsep log: File "/usr/lib/python2.7/logging/__init__.py", line 1212, in critical
2018-10-25 09:10:39,366.366 24060 WARNING oslo.privsep.daemon [-] privsep log: self._log(CRITICAL, msg, args, **kwargs)
2018-10-25 09:10:39,367.367 24060 WARNING oslo.privsep.daemon [-] privsep log: File "/usr/lib/python2.7/logging/__init__.py", line 1286, in _log
2018-10-25 09:10:39,367.367 24060 WARNING oslo.privsep.daemon [-] privsep log: self.handle(record)
2018-10-25 09:10:39,368.368 24060 WARNING oslo.privsep.daemon [-] privsep log: File "/usr/lib/python2.7/logging/__init__.py", line 1296, in handle
2018-10-25 09:10:39,368.368 24060 WARNING oslo.privsep.daemon [-] privsep log: self.callHandlers(record)
2018-10-25 09:10:39,369.369 24060 WARNING oslo.privsep.daemon [-] privsep log: File "/usr/lib/python2.7/logging/__init__.py", line 1336, in callHandlers
2018-10-25 09:10:39,370.370 24060 WARNING oslo.privsep.daemon [-] privsep log: hdlr.handle(record)
2018-10-25 09:10:39,370.370 24060 WARNING oslo.privsep.daemon [-] privsep log: File "/usr/lib/python2.7/logging/__init__.py", line 759, in handle
2018-10-25 09:10:39,371.371 24060 WARNING oslo.privsep.daemon [-] privsep log: self.emit(record)
2018-10-25 09:10:39,371.371 24060 WARNING oslo.privsep.daemon [-] privsep log: File "/usr/lib/python2.7/logging/handlers.py", line 414, in emit
2018-10-25 09:10:39,372.372 24060 WARNING oslo.privsep.daemon [-] privsep log: sres = os.stat(self.baseFilename)
2018-10-25 09:10:39,372.372 24060 WARNING oslo.privsep.daemon [-] privsep log: OSError: [Errno 13] Permission denied: '/var/log/neutron/neutron.log'
...
24060 ERROR neutron.agent.l3.agent FailedToDropPrivileges: Privsep daemon failed to start

Oleg Bondarev (obondarev) wrote :

current neutron privsep capabilities: capabilities=[caps.CAP_SYS_ADMIN, caps.CAP_NET_ADMIN]

in nova it's: capabilities=[capabilities.CAP_CHOWN,
                  capabilities.CAP_DAC_OVERRIDE,
                  capabilities.CAP_DAC_READ_SEARCH,
                  capabilities.CAP_FOWNER,
                  capabilities.CAP_NET_ADMIN,
                  capabilities.CAP_SYS_ADMIN]

adding CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH to neutron fixes the issue.
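The comment above, and the commit that implements it, fix the agents by adding CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH to the privsep context. Per capabilities(7), CAP_DAC_OVERRIDE bypasses file read/write/execute permission checks and CAP_DAC_READ_SEARCH bypasses read and directory-search checks; without them a privsep daemon running as uid 0 is still subject to the mode bits on the log directory and file. The script below is an added example, not code from the bug report, neutron or oslo.privsep: it decodes a capability bitmask as found in the CapEff line of /proc/<pid>/status, compares it with the pre-fix and post-fix neutron capability sets quoted in the comment, and reports which required capabilities a running daemon lacks. The bit numbers are taken from the kernel's include/uapi/linux/capability.h; the sample status text is constructed for illustration.

```python
"""Decode Linux capability masks and compare them with the privsep
capability sets discussed in bug #1800157.

Added example, not code from the bug report or from neutron/oslo.privsep.
Assumptions: bit numbers follow include/uapi/linux/capability.h, and the
sample /proc/<pid>/status text below is constructed, not captured.
"""
import re

# Capability name -> bit index (from the kernel's capability.h).
CAP_BITS = {
    "CAP_CHOWN": 0, "CAP_DAC_OVERRIDE": 1, "CAP_DAC_READ_SEARCH": 2,
    "CAP_FOWNER": 3, "CAP_FSETID": 4, "CAP_KILL": 5, "CAP_SETGID": 6,
    "CAP_SETUID": 7, "CAP_SETPCAP": 8, "CAP_LINUX_IMMUTABLE": 9,
    "CAP_NET_BIND_SERVICE": 10, "CAP_NET_BROADCAST": 11, "CAP_NET_ADMIN": 12,
    "CAP_NET_RAW": 13, "CAP_IPC_LOCK": 14, "CAP_IPC_OWNER": 15,
    "CAP_SYS_MODULE": 16, "CAP_SYS_RAWIO": 17, "CAP_SYS_CHROOT": 18,
    "CAP_SYS_PTRACE": 19, "CAP_SYS_PACCT": 20, "CAP_SYS_ADMIN": 21,
    "CAP_SYS_BOOT": 22, "CAP_SYS_NICE": 23, "CAP_SYS_RESOURCE": 24,
    "CAP_SYS_TIME": 25, "CAP_SYS_TTY_CONFIG": 26, "CAP_MKNOD": 27,
    "CAP_LEASE": 28, "CAP_AUDIT_WRITE": 29, "CAP_AUDIT_CONTROL": 30,
    "CAP_SETFCAP": 31, "CAP_MAC_OVERRIDE": 32, "CAP_MAC_ADMIN": 33,
    "CAP_SYSLOG": 34, "CAP_WAKE_ALARM": 35, "CAP_BLOCK_SUSPEND": 36,
    "CAP_AUDIT_READ": 37,
}
CAP_NAMES = {bit: name for name, bit in CAP_BITS.items()}

# The two capability sets quoted in the bug: neutron's privsep context before
# the fix, and after commit 32cc8b63 added the two DAC capabilities.
NEUTRON_CAPS_BEFORE = frozenset({"CAP_SYS_ADMIN", "CAP_NET_ADMIN"})
NEUTRON_CAPS_AFTER = NEUTRON_CAPS_BEFORE | {"CAP_DAC_OVERRIDE",
                                            "CAP_DAC_READ_SEARCH"}


def mask_from_names(names):
    """Build a capability bitmask from a collection of capability names."""
    mask = 0
    for name in names:
        mask |= 1 << CAP_BITS[name]
    return mask


def names_from_mask(mask):
    """Expand a bitmask into the set of capability names it contains."""
    return {CAP_NAMES.get(bit, "CAP_%d" % bit)
            for bit in range(mask.bit_length()) if (mask >> bit) & 1}


def parse_status_caps(status_text):
    """Return {'CapInh': int, 'CapPrm': int, ...} parsed from
    the text of /proc/<pid>/status (hex masks, most-significant first)."""
    caps = {}
    for line in status_text.splitlines():
        m = re.match(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)$", line)
        if m:
            caps[m.group(1)] = int(m.group(2), 16)
    return caps


def missing_caps(effective_mask, required):
    """Names in `required` that are absent from the effective capability mask."""
    return set(required) - names_from_mask(effective_mask)


def check_process(pid, required=NEUTRON_CAPS_AFTER):
    """Read a live process's effective set and report the capabilities it
    lacks compared with `required` (Linux only; reads /proc)."""
    with open("/proc/%d/status" % pid) as f:
        caps = parse_status_caps(f.read())
    return missing_caps(caps["CapEff"], required)


# Constructed sample: what CapEff looks like for a privsep daemon running
# with neutron's pre-fix set (CAP_SYS_ADMIN | CAP_NET_ADMIN = 0x201000).
SAMPLE_STATUS_BEFORE_FIX = (
    "Name:\tprivsep-helper\n"
    "Uid:\t0\t0\t0\t0\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000201000\n"
    "CapEff:\t0000000000201000\n"
    "CapBnd:\t0000000000201000\n"
    "CapAmb:\t0000000000000000\n"
)

if __name__ == "__main__":
    eff = parse_status_caps(SAMPLE_STATUS_BEFORE_FIX)["CapEff"]
    print("effective:", sorted(names_from_mask(eff)))
    print("missing vs. fixed set:", sorted(missing_caps(eff, NEUTRON_CAPS_AFTER)))
```

Run against the sample, the effective set decodes to CAP_NET_ADMIN and CAP_SYS_ADMIN and the two DAC capabilities are reported missing, which is exactly the state the traceback above comes from. On a host with the fix deployed, `check_process(<pid of the privsep-helper>)` should return an empty set; a non-empty result points at a privsep context that still carries the old capability list.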

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/613591

Changed in neutron:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/613591
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=32cc8b63d7bbe5cfc83b82a058d1c5832980f290
Submitter: Zuul
Branch: master

commit 32cc8b63d7bbe5cfc83b82a058d1c5832980f290
Author: Oleg Bondarev <email address hidden>
Date: Fri Oct 26 18:02:27 2018 +0400

    Add capabilities for privsep

    CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH were added
    (like in nova) to fix agents on kernel 4.15.
    Please see bug for details

    Change-Id: Ieed6f5f6906036cdeaf2c3d96350eeae9559c0c7
    Closes-Bug: #1800157

Changed in neutron:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.openstack.org/613884

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/613886

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/613887

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/613908

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/rocky)

Reviewed: https://review.openstack.org/613884
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=a3d471bc101488d575cf3505e8e99b8acd1508cd
Submitter: Zuul
Branch: stable/rocky

commit a3d471bc101488d575cf3505e8e99b8acd1508cd
Author: Oleg Bondarev <email address hidden>
Date: Fri Oct 26 18:02:27 2018 +0400

    Add capabilities for privsep

    CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH were added
    (like in nova) to fix agents on kernel 4.15.
    Please see bug for details

    Change-Id: Ieed6f5f6906036cdeaf2c3d96350eeae9559c0c7
    Closes-Bug: #1800157
    (cherry picked from commit 32cc8b63d7bbe5cfc83b82a058d1c5832980f290)

tags: added: in-stable-rocky
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/queens)

Reviewed: https://review.openstack.org/613886
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=545925c66cb3ee005aa7e497ad4b3c97eb2f410b
Submitter: Zuul
Branch: stable/queens

commit 545925c66cb3ee005aa7e497ad4b3c97eb2f410b
Author: Oleg Bondarev <email address hidden>
Date: Fri Oct 26 18:02:27 2018 +0400

    Add capabilities for privsep

    CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH were added
    (like in nova) to fix agents on kernel 4.15.
    Please see bug for details

    Change-Id: Ieed6f5f6906036cdeaf2c3d96350eeae9559c0c7
    Closes-Bug: #1800157
    (cherry picked from commit 32cc8b63d7bbe5cfc83b82a058d1c5832980f290)

tags: added: in-stable-queens
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/ocata)

Reviewed: https://review.openstack.org/613908
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=145f690c0d03b19b35e9d3a22b8c53fb9f4c4af6
Submitter: Zuul
Branch: stable/ocata

commit 145f690c0d03b19b35e9d3a22b8c53fb9f4c4af6
Author: Oleg Bondarev <email address hidden>
Date: Fri Oct 26 18:02:27 2018 +0400

    Add capabilities for privsep

    CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH were added
    (like in nova) to fix agents on kernel 4.15.
    Please see bug for details

    Change-Id: Ieed6f5f6906036cdeaf2c3d96350eeae9559c0c7
    Closes-Bug: #1800157
    (cherry picked from commit 32cc8b63d7bbe5cfc83b82a058d1c5832980f290)

tags: added: in-stable-ocata
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/pike)

Reviewed: https://review.openstack.org/613887
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=663d6486a3ebff863ef9f8567867cc46f3fb99c0
Submitter: Zuul
Branch: stable/pike

commit 663d6486a3ebff863ef9f8567867cc46f3fb99c0
Author: Oleg Bondarev <email address hidden>
Date: Fri Oct 26 18:02:27 2018 +0400

    Add capabilities for privsep

    CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH were added
    (like in nova) to fix agents on kernel 4.15.
    Please see bug for details

    Change-Id: Ieed6f5f6906036cdeaf2c3d96350eeae9559c0c7
    Closes-Bug: #1800157
    (cherry picked from commit 32cc8b63d7bbe5cfc83b82a058d1c5832980f290)

tags: added: in-stable-pike
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 13.0.2

This issue was fixed in the openstack/neutron 13.0.2 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 12.0.5

This issue was fixed in the openstack/neutron 12.0.5 release.

tags: added: neutron-proactive-backport-potential
tags: removed: neutron-proactive-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 14.0.0.0b1

This issue was fixed in the openstack/neutron 14.0.0.0b1 development milestone.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 11.0.7

This issue was fixed in the openstack/neutron 11.0.7 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron ocata-eol

This issue was fixed in the openstack/neutron ocata-eol release.
