"radvd" daemon does not work by default in some containers

Bug #1844688 reported by Rodolfo Alonso on 2019-09-19
Affects: neutron
Importance: Medium
Assigned to: Rodolfo Alonso

Bug Description

Since [1], the radvd daemon is spawned with parameter "-u username". This drops the root privileges and changes the user ID to "username".

In some deployments (e.g. TripleO), the "neutron" user does not have, inside the L3 agent container, the permissions to modify the host kernel interfaces (from journal.log):

wrz 13 13:08:15 controller-2 radvd[904324]: failed to set LinkMTU (1500) for qr-7befc0a3-04: Permission denied
wrz 13 13:08:15 controller-2 radvd[904324]: failed to set CurHopLimit (64) for qr-7befc0a3-04: Permission denied

This problem was found in Rocky.

[1] https://review.opendev.org/#/q/Ic5d976ba71a966a537d1f31888f82997a7ccb0de

Changed in neutron:
assignee: nobody → Rodolfo Alonso (rodolfo-alonso-hernandez)
description: updated

Fix proposed to branch: master
Review: https://review.opendev.org/683207

Changed in neutron:
status: New → In Progress
tags: added: ipv6
Changed in neutron:
importance: Undecided → Medium
Brent Eagles (beagles) wrote:

If allowing the radvd_user to be specified works, that's cool. It would be worthwhile to see if we can give the neutron container user sufficient permissions to do "what it needs to do". It's a little odd that we haven't run across this issue with other services.

Reviewed: https://review.opendev.org/683207
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=6a5a75d5a6d4af08310774cef1b091d2ce2551d4
Submitter: Zuul
Branch: master

commit 6a5a75d5a6d4af08310774cef1b091d2ce2551d4
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Thu Sep 19 17:12:59 2019 +0000

    Add radvd_user config option

    In some deployments, the "neutron" user does not have the permissions
    to modify the kernel interfaces. In those cases the radvd user should
    be defined. This patch introduces a new config option: "radvd_user".

    This config option is the username passed to radvd, used to drop root
    privileges and change user ID to username and group ID to the primary
    group of username. If no user is specified (by default it is an empty string),
    the user executing the L3 agent will be passed. If "root" is specified,
    because radvd is spawned as root, no "username" parameter will be
    passed.

    Change-Id: Ie9a6fbf04d453a3c1c0bddf9ecaa3d4d6467e8ff
    Closes-Bug: #1844688

Changed in neutron:
status: In Progress → Fix Released
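The following is an added illustration, not code from the neutron project or from the commit above. It puts the two technical points of this report into runnable form: the "-u username" privilege drop the description mentions, with the three-way radvd_user semantics the commit message defines (empty string, "root", or an explicit name), and a small detector that pulls the "Permission denied" symptom out of journal lines. The two failing lines are taken from the report; the third journal line, the conf/pid paths and the helper names (radvd_user_args, build_radvd_cmd, privilege_failures) are assumptions made for the example. The "-C", "-p", "-m" and "-u" flags are real radvd options, but the exact command layout neutron uses is not claimed here.

```python
import os
import pwd
import re

# Journal excerpt: the first two lines are the ones quoted in the bug report,
# the third is constructed so the parser has a non-matching line to skip.
SAMPLE_JOURNAL = """\
wrz 13 13:08:15 controller-2 radvd[904324]: failed to set LinkMTU (1500) for qr-7befc0a3-04: Permission denied
wrz 13 13:08:15 controller-2 radvd[904324]: failed to set CurHopLimit (64) for qr-7befc0a3-04: Permission denied
wrz 13 13:08:16 controller-2 radvd[904324]: (constructed line) sending RA on qr-7befc0a3-04
"""

# radvd's message when it cannot write a per-interface setting after dropping root.
_PERM_DENIED_RE = re.compile(
    r"radvd\[(?P<pid>\d+)\]: failed to set (?P<setting>\S+) \((?P<value>[^)]*)\) "
    r"for (?P<iface>\S+): Permission denied"
)


def privilege_failures(journal_text):
    """Return (pid, setting, iface) for each radvd line that reports EPERM while
    programming an interface. A non-empty result from an L3 agent container is
    the symptom described in this bug: radvd dropped to a user that may not
    touch the host's kernel interfaces."""
    return [
        (int(m.group("pid")), m.group("setting"), m.group("iface"))
        for line in journal_text.splitlines()
        if (m := _PERM_DENIED_RE.search(line))
    ]


def radvd_user_args(radvd_user, agent_user=None):
    """Map the radvd_user option to radvd's "-u" arguments, following the
    semantics in the commit message:
      ""      -> the user running the L3 agent (defaults to this process's
                 effective user when agent_user is not given)
      "root"  -> no "-u" at all, radvd is spawned as root and stays root
      other   -> "-u <other>", radvd drops to that user and its primary group
    """
    if radvd_user == "root":
        return []
    if not radvd_user:
        agent_user = agent_user or pwd.getpwuid(os.geteuid()).pw_name
        return ["-u", agent_user]
    return ["-u", radvd_user]


def build_radvd_cmd(conf_path, pid_path, radvd_user="", agent_user=None):
    """Assemble an illustrative radvd command line (assumed layout, not neutron's)."""
    return ["radvd", "-C", conf_path, "-p", pid_path, "-m", "syslog",
            *radvd_user_args(radvd_user, agent_user)]


if __name__ == "__main__":
    for pid, setting, iface in privilege_failures(SAMPLE_JOURNAL):
        print(f"radvd[{pid}] could not set {setting} on {iface}: unprivileged spawn?")
    for value in ("", "root", "radvd"):
        print(f"radvd_user={value!r:8} -> {' '.join(build_radvd_cmd('/etc/radvd.conf', '/run/radvd.pid', value, 'neutron'))}")
```

Running the script on the quoted journal lines yields the two EPERM entries; with radvd_user set to "root" the "-u" pair disappears from the command line, which is the workaround the fix makes available for containers where the agent's user cannot program kernel interfaces. Leaving radvd_user empty keeps the privilege drop, so an operator who sees the detector fire should either grant that user the needed permissions (as Brent suggests) or set the option explicitly.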

Reviewed: https://review.opendev.org/691257
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=0b13f70f57e2d567aeb8017ad2a2c81c495dc3dd
Submitter: Zuul
Branch: stable/rocky

commit 0b13f70f57e2d567aeb8017ad2a2c81c495dc3dd
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Thu Sep 19 17:12:59 2019 +0000

    Add radvd_user config option

    In some deployments, the "neutron" user does not have the permissions
    to modify the kernel interfaces. In those cases the radvd user should
    be defined. This patch introduces a new config option: "radvd_user".

    This config option is the username passed to radvd, used to drop root
    privileges and change user ID to username and group ID to the primary
    group of username. If no user is specified (by default it is an empty string),
    the user executing the L3 agent will be passed. If "root" is specified,
    because radvd is spawned as root, no "username" parameter will be
    passed.

    Conflicts:
          neutron/tests/unit/agent/l3/test_agent.py

    Change-Id: Ie9a6fbf04d453a3c1c0bddf9ecaa3d4d6467e8ff
    Closes-Bug: #1844688
    (cherry picked from commit 6a5a75d5a6d4af08310774cef1b091d2ce2551d4)
    (cherry picked from commit 5b6b040d0795959d41f136748f874040d453357f)
    (cherry picked from commit 9921c962180e641b804d48b0f6a46f7ed18fc629)

tags: added: in-stable-rocky

Reviewed: https://review.opendev.org/691256
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=9921c962180e641b804d48b0f6a46f7ed18fc629
Submitter: Zuul
Branch: stable/stein

commit 9921c962180e641b804d48b0f6a46f7ed18fc629
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Thu Sep 19 17:12:59 2019 +0000

    Add radvd_user config option

    In some deployments, the "neutron" user does not have the permissions
    to modify the kernel interfaces. In those cases the radvd user should
    be defined. This patch introduces a new config option: "radvd_user".

    This config option is the username passed to radvd, used to drop root
    privileges and change user ID to username and group ID to the primary
    group of username. If no user is specified (by default it is an empty string),
    the user executing the L3 agent will be passed. If "root" is specified,
    because radvd is spawned as root, no "username" parameter will be
    passed.

    Change-Id: Ie9a6fbf04d453a3c1c0bddf9ecaa3d4d6467e8ff
    Closes-Bug: #1844688
    (cherry picked from commit 6a5a75d5a6d4af08310774cef1b091d2ce2551d4)
    (cherry picked from commit 5b6b040d0795959d41f136748f874040d453357f)

tags: added: in-stable-stein
tags: added: in-stable-train

Reviewed: https://review.opendev.org/691255
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=6ec7ba869573731cfa1c25dac3737526a9e34c8c
Submitter: Zuul
Branch: stable/train

commit 6ec7ba869573731cfa1c25dac3737526a9e34c8c
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Thu Sep 19 17:12:59 2019 +0000

    Add radvd_user config option

    In some deployments, the "neutron" user does not have the permissions
    to modify the kernel interfaces. In those cases the radvd user should
    be defined. This patch introduces a new config option: "radvd_user".

    This config option is the username passed to radvd, used to drop root
    privileges and change user ID to username and group ID to the primary
    group of username. If no user is specified (by default it is an empty string),
    the user executing the L3 agent will be passed. If "root" is specified,
    because radvd is spawned as root, no "username" parameter will be
    passed.

    Change-Id: Ie9a6fbf04d453a3c1c0bddf9ecaa3d4d6467e8ff
    Closes-Bug: #1844688
    (cherry picked from commit 6a5a75d5a6d4af08310774cef1b091d2ce2551d4)

This issue was fixed in the openstack/tripleo-heat-templates 12.0.0 release.
