"radvd" daemon does not work by default in some containers

Bug #1844688 reported by Rodolfo Alonso
This bug affects 2 people
Affects: neutron
Status: Fix Released
Importance: Medium
Assigned to: Rodolfo Alonso
Milestone: (none listed)

Bug Description

Since [1], the radvd daemon is spawned with parameter "-u username". This drops the root privileges and changes the user ID to "username".

In some deployments (e.g. TripleO), the "neutron" user does not have, inside the L3 agent container, the permissions to modify the host kernel interfaces (from journal.log):

wrz 13 13:08:15 controller-2 radvd[904324]: failed to set LinkMTU (1500) for qr-7befc0a3-04: Permission denied
wrz 13 13:08:15 controller-2 radvd[904324]: failed to set CurHopLimit (64) for qr-7befc0a3-04: Permission denied

This problem was found in Rocky.

[1] https://review.opendev.org/#/q/Ic5d976ba71a966a537d1f31888f82997a7ccb0de

Changed in neutron:
assignee: nobody → Rodolfo Alonso (rodolfo-alonso-hernandez)
description: updated
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/683207

Changed in neutron:
status: New → In Progress
tags: added: ipv6
Changed in neutron:
importance: Undecided → Medium
Brent Eagles (beagles) wrote :

If allowing the radvd_user to be specified works, that's cool. It would be worthwhile to see if we can give the neutron container user sufficient permissions to do "what it needs to do". It's a little odd that we haven't run across this issue with other services.

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.opendev.org/683207
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=6a5a75d5a6d4af08310774cef1b091d2ce2551d4
Submitter: Zuul
Branch: master

commit 6a5a75d5a6d4af08310774cef1b091d2ce2551d4
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Thu Sep 19 17:12:59 2019 +0000

    Add radvd_user config option

    In some deployments, the "neutron" user does not have the permissions
    to modify the kernel interfaces. In those cases the radvd user should
    be defined. This patch introduces a new config option: "radvd_user".

    This config option is the username passed to radvd, used to drop root
    privileges and change user ID to username and group ID to the primary
    group of username. If no user specified (by default is an empty string),
    the user executing the L3 agent will be passed. If "root" specified,
    because radvd is spawned as root, no "username" parameter will be
    passed.

    Change-Id: Ie9a6fbf04d453a3c1c0bddf9ecaa3d4d6467e8ff
    Closes-Bug: #1844688

Changed in neutron:
status: In Progress → Fix Released
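
An added example, not part of the bug thread or the neutron patch: a Python sketch that extracts the denied settings from journal lines like those in the bug description and derives the "-u" arguments from "radvd_user" as the commit message describes. The function names and the extra sample line are constructed for illustration.

```python
import re

# The syslog timestamp is locale dependent ("wrz" in the report), so match
# only from the program tag onward.
_DENIED = re.compile(
    r"radvd\[\d+\]: failed to set (?P<setting>\w+) \((?P<value>\d+)\) "
    r"for (?P<iface>[^\s:]+): Permission denied")


def denied_settings(journal_lines):
    """Map interface -> sorted settings radvd could not apply after dropping root."""
    found = {}
    for line in journal_lines:
        match = _DENIED.search(line)
        if match:
            found.setdefault(match.group("iface"), set()).add(match.group("setting"))
    return {iface: sorted(settings) for iface, settings in found.items()}


def radvd_user_args(radvd_user, agent_user):
    """Return the '-u' arguments implied by the radvd_user option.

    Hypothetical helper following the commit message: an empty value means
    the user running the L3 agent, 'root' means no '-u' at all (radvd is
    spawned as root and keeps its privileges), anything else is passed as is.
    """
    if radvd_user == "root":
        return []
    return ["-u", radvd_user or agent_user]


# Sample input: the two lines from the bug description plus one constructed,
# unrelated line that must be ignored.
SAMPLE_JOURNAL = [
    "wrz 13 13:08:15 controller-2 radvd[904324]: failed to set LinkMTU (1500) "
    "for qr-7befc0a3-04: Permission denied",
    "wrz 13 13:08:15 controller-2 radvd[904324]: failed to set CurHopLimit (64) "
    "for qr-7befc0a3-04: Permission denied",
    "wrz 13 13:08:16 controller-2 sshd[1201]: Accepted publickey for heat-admin",
]

if __name__ == "__main__":
    print(denied_settings(SAMPLE_JOURNAL))
    for configured in ("", "root", "radvd"):
        print(repr(configured), radvd_user_args(configured, "neutron"))
```

Setting "radvd_user" to "root" removes the privilege drop entirely; the alternative raised in the thread, giving the container user only the permissions it needs, keeps radvd unprivileged.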
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/691255

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/stein)

Fix proposed to branch: stable/stein
Review: https://review.opendev.org/691256

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.opendev.org/691257

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/rocky)

Reviewed: https://review.opendev.org/691257
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=0b13f70f57e2d567aeb8017ad2a2c81c495dc3dd
Submitter: Zuul
Branch: stable/rocky

commit 0b13f70f57e2d567aeb8017ad2a2c81c495dc3dd
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Thu Sep 19 17:12:59 2019 +0000

    Add radvd_user config option

    In some deployments, the "neutron" user does not have the permissions
    to modify the kernel interfaces. In those cases the radvd user should
    be defined. This patch introduces a new config option: "radvd_user".

    This config option is the username passed to radvd, used to drop root
    privileges and change user ID to username and group ID to the primary
    group of username. If no user specified (by default is an empty string),
    the user executing the L3 agent will be passed. If "root" specified,
    because radvd is spawned as root, no "username" parameter will be
    passed.

    Conflicts:
          neutron/tests/unit/agent/l3/test_agent.py

    Change-Id: Ie9a6fbf04d453a3c1c0bddf9ecaa3d4d6467e8ff
    Closes-Bug: #1844688
    (cherry picked from commit 6a5a75d5a6d4af08310774cef1b091d2ce2551d4)
    (cherry picked from commit 5b6b040d0795959d41f136748f874040d453357f)
    (cherry picked from commit 9921c962180e641b804d48b0f6a46f7ed18fc629)

tags: added: in-stable-rocky
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/stein)

Reviewed: https://review.opendev.org/691256
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=9921c962180e641b804d48b0f6a46f7ed18fc629
Submitter: Zuul
Branch: stable/stein

commit 9921c962180e641b804d48b0f6a46f7ed18fc629
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Thu Sep 19 17:12:59 2019 +0000

    Add radvd_user config option

    In some deployments, the "neutron" user does not have the permissions
    to modify the kernel interfaces. In those cases the radvd user should
    be defined. This patch introduces a new config option: "radvd_user".

    This config option is the username passed to radvd, used to drop root
    privileges and change user ID to username and group ID to the primary
    group of username. If no user specified (by default is an empty string),
    the user executing the L3 agent will be passed. If "root" specified,
    because radvd is spawned as root, no "username" parameter will be
    passed.

    Change-Id: Ie9a6fbf04d453a3c1c0bddf9ecaa3d4d6467e8ff
    Closes-Bug: #1844688
    (cherry picked from commit 6a5a75d5a6d4af08310774cef1b091d2ce2551d4)
    (cherry picked from commit 5b6b040d0795959d41f136748f874040d453357f)

tags: added: in-stable-stein
tags: added: in-stable-train
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/train)

Reviewed: https://review.opendev.org/691255
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=6ec7ba869573731cfa1c25dac3737526a9e34c8c
Submitter: Zuul
Branch: stable/train

commit 6ec7ba869573731cfa1c25dac3737526a9e34c8c
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Thu Sep 19 17:12:59 2019 +0000

    Add radvd_user config option

    In some deployments, the "neutron" user does not have the permissions
    to modify the kernel interfaces. In those cases the radvd user should
    be defined. This patch introduces a new config option: "radvd_user".

    This config option is the username passed to radvd, used to drop root
    privileges and change user ID to username and group ID to the primary
    group of username. If no user specified (by default is an empty string),
    the user executing the L3 agent will be passed. If "root" specified,
    because radvd is spawned as root, no "username" parameter will be
    passed.

    Change-Id: Ie9a6fbf04d453a3c1c0bddf9ecaa3d4d6467e8ff
    Closes-Bug: #1844688
    (cherry picked from commit 6a5a75d5a6d4af08310774cef1b091d2ce2551d4)

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 12.0.0

This issue was fixed in the openstack/tripleo-heat-templates 12.0.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-neutron 16.0.0

This issue was fixed in the openstack/puppet-neutron 16.0.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 10.6.2

This issue was fixed in the openstack/tripleo-heat-templates 10.6.2 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 13.0.6

This issue was fixed in the openstack/neutron 13.0.6 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 14.0.4

This issue was fixed in the openstack/neutron 14.0.4 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 15.0.1

This issue was fixed in the openstack/neutron 15.0.1 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 11.3.1

This issue was fixed in the openstack/tripleo-heat-templates 11.3.1 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 16.0.0.0b1

This issue was fixed in the openstack/neutron 16.0.0.0b1 development milestone.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates rocky-eol

This issue was fixed in the openstack/tripleo-heat-templates rocky-eol release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-neutron rocky-eol

This issue was fixed in the openstack/puppet-neutron rocky-eol release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-neutron stein-eol

This issue was fixed in the openstack/puppet-neutron stein-eol release.
