neutron

"ping" command should be correctly supported in rootwrap filters

Bug #1863006 reported by Rodolfo Alonso
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
neutron
Fix Released
High
Rodolfo Alonso

Bug Description

Some "ping" commands have failed because the rootwrap filter does not match. Example [1]:

RuntimeError: Process ['ping', '192.178.0.2', '-W', '1', '-c', '3'] hasn't been spawned in 20 seconds. Return code: 99, stdout: , sdterr: /home/zuul/src/opendev.org/openstack/neutron/.tox/dsvm-functional/bin/neutron-rootwrap: Unauthorized command: ip netns exec test-ed1ca152-40df-457f-95ea-bd1edd68baa9 ping 192.178.0.2 -W 1 -c 3 (no filter matched)

"ping" commands should always have the same parameters and in the same order.

[1] https://f686e70b9699eba6880c-12f0768fe735ff9b43e4aa64f3cfd6c9.ssl.cf2.rackcdn.com/701733/33/check/neutron-functional/36f4f9c/testr_results.html

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/707452

Changed in neutron:
assignee: nobody → Rodolfo Alonso (rodolfo-alonso-hernandez)
status: New → In Progress
Akihiro Motoki (amotoki)
tags: added: functional-tests
Changed in neutron:
importance: Undecided → High
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.opendev.org/707452
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=cc3b9df4268ac339d0b7316595a4148ba4c69836
Submitter: Zuul
Branch: master

commit cc3b9df4268ac339d0b7316595a4148ba4c69836
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Wed Feb 12 18:56:13 2020 +0000

    "ping"/"ping6" command support in rootwrap filters

    To have correct support in rootwrap, "ping"/"ping6" command should
    have the correct filters in rootwrap.

    Because "ping" command is harmless, "CommandFilter" is used to allow
    any binary call, regardless of the parameters used and the order.

    Nevertheless, this patch also proposes to use "ping"/"ping6" with
    the same parameters and a specific order, to help in the debug
    process:
    - ping[6] -W <timeout> <address>
    - ping[6] -W <timeout> -c <count> <address>
    - ping[6] -W <timeout> -c <count> -i <interval> <address>

    Those commands could be called from inside a namespace. The needed
    filter is also added in this patch.

    Change-Id: Ie5cbc0dcc76672b26cd2605f08cfd17a30b4c905
    Closes-Bug: #1863006

Changed in neutron:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 16.0.0.0b1

This issue was fixed in the openstack/neutron 16.0.0.0b1 development milestone.

Bernard Cafarelli (bcafarel)
tags: added: neutron-proactive-backport-potential
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/749955

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/stein)

Fix proposed to branch: stable/stein
Review: https://review.opendev.org/749956

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.opendev.org/749960

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.opendev.org/749961

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/stein)

Reviewed: https://review.opendev.org/749956
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=6f5ebbd3de3fbe7ccfd34fdc5fd1a842308ca362
Submitter: Zuul
Branch: stable/stein

commit 6f5ebbd3de3fbe7ccfd34fdc5fd1a842308ca362
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Wed Feb 12 18:56:13 2020 +0000

    "ping"/"ping6" command support in rootwrap filters

    To have correct support in rootwrap, "ping"/"ping6" command should
    have the correct filters in rootwrap.

    Because "ping" command is harmless, "CommandFilter" is used to allow
    any binary call, regardless of the parameters used and the order.

    Nevertheless, this patch also proposes to use "ping"/"ping6" with
    the same parameters and a specific order, to help in the debug
    process:
    - ping[6] -W <timeout> <address>
    - ping[6] -W <timeout> -c <count> <address>
    - ping[6] -W <timeout> -c <count> -i <interval> <address>

    Those commands could be called from inside a namespace. The needed
    filter is also added in this patch.

    Change-Id: Ie5cbc0dcc76672b26cd2605f08cfd17a30b4c905
    Closes-Bug: #1863006
    (cherry picked from commit cc3b9df4268ac339d0b7316595a4148ba4c69836)

tags: added: in-stable-stein
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/train)

Reviewed: https://review.opendev.org/749955
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=d351ba1137d3062d9953bd1a2e45664d1dc7189d
Submitter: Zuul
Branch: stable/train

commit d351ba1137d3062d9953bd1a2e45664d1dc7189d
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Wed Feb 12 18:56:13 2020 +0000

    "ping"/"ping6" command support in rootwrap filters

    To have correct support in rootwrap, "ping"/"ping6" command should
    have the correct filters in rootwrap.

    Because "ping" command is harmless, "CommandFilter" is used to allow
    any binary call, regardless of the parameters used and the order.

    Nevertheless, this patch also proposes to use "ping"/"ping6" with
    the same parameters and a specific order, to help in the debug
    process:
    - ping[6] -W <timeout> <address>
    - ping[6] -W <timeout> -c <count> <address>
    - ping[6] -W <timeout> -c <count> -i <interval> <address>

    Those commands could be called from inside a namespace. The needed
    filter is also added in this patch.

    Depends-On: https://review.opendev.org/754960
    Change-Id: Ie5cbc0dcc76672b26cd2605f08cfd17a30b4c905
    Closes-Bug: #1863006
    (cherry picked from commit cc3b9df4268ac339d0b7316595a4148ba4c69836)

tags: added: in-stable-train
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/queens)

Reviewed: https://review.opendev.org/749961
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=4d9d77fd2e48ad68d1affd6ecca2acf42766a855
Submitter: Zuul
Branch: stable/queens

commit 4d9d77fd2e48ad68d1affd6ecca2acf42766a855
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Wed Feb 12 18:56:13 2020 +0000

    "ping"/"ping6" command support in rootwrap filters

    To have correct support in rootwrap, "ping"/"ping6" command should
    have the correct filters in rootwrap.

    Because "ping" command is harmless, "CommandFilter" is used to allow
    any binary call, regardless of the parameters used and the order.

    Nevertheless, this patch also proposes to use "ping"/"ping6" with
    the same parameters and a specific order, to help in the debug
    process:
    - ping[6] -W <timeout> <address>
    - ping[6] -W <timeout> -c <count> <address>
    - ping[6] -W <timeout> -c <count> -i <interval> <address>

    Those commands could be called from inside a namespace. The needed
    filter is also added in this patch.

    Conflicts:
        etc/neutron/rootwrap.d/debug.filters
        neutron/tests/common/net_helpers.py

    Change-Id: Ie5cbc0dcc76672b26cd2605f08cfd17a30b4c905
    Closes-Bug: #1863006
    (cherry picked from commit cc3b9df4268ac339d0b7316595a4148ba4c69836)

tags: added: in-stable-queens
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/rocky)

Reviewed: https://review.opendev.org/749960
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=055484a3ab2fd6433487eac294b1bc3e00be3030
Submitter: Zuul
Branch: stable/rocky

commit 055484a3ab2fd6433487eac294b1bc3e00be3030
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Wed Feb 12 18:56:13 2020 +0000

    "ping"/"ping6" command support in rootwrap filters

    To have correct support in rootwrap, "ping"/"ping6" command should
    have the correct filters in rootwrap.

    Because "ping" command is harmless, "CommandFilter" is used to allow
    any binary call, regardless of the parameters used and the order.

    Nevertheless, this patch also proposes to use "ping"/"ping6" with
    the same parameters and a specific order, to help in the debug
    process:
    - ping[6] -W <timeout> <address>
    - ping[6] -W <timeout> -c <count> <address>
    - ping[6] -W <timeout> -c <count> -i <interval> <address>

    Those commands could be called from inside a namespace. The needed
    filter is also added in this patch.

    Conflicts:
        etc/neutron/rootwrap.d/debug.filters
        neutron/tests/common/net_helpers.py

    Change-Id: Ie5cbc0dcc76672b26cd2605f08cfd17a30b4c905
    Closes-Bug: #1863006
    (cherry picked from commit cc3b9df4268ac339d0b7316595a4148ba4c69836)

tags: added: in-stable-rocky
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron queens-eol

This issue was fixed in the openstack/neutron queens-eol release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron rocky-eol

This issue was fixed in the openstack/neutron rocky-eol release.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.