"ping" prepended to ip netns commands

Bug #1864186 reported by Lucian Petrut
12
This bug affects 2 people
Affects Status Importance Assigned to Milestone
neutron
Critical
Lucian Petrut

Bug Description

A recent patch[1] updated rootwrap filters so that ping may be used within a network namespace. The issue is that now all ip netns commands get altered, the "ip" command being replaced with "ping":
http://paste.openstack.org/raw/789845/

In particular, this seems to affect the IpNetnsExecFilter filter.

This seems to be caused by the fact that the executable from the original command gets replaced with the one from the filter [2].

[1] Ie5cbc0dcc76672b26cd2605f08cfd17a30b4c905
[2] https://github.com/openstack/oslo.rootwrap/blob/6.0.0/oslo_rootwrap/filters.py#L71-L75

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/709100

Changed in neutron:
assignee: nobody → Lucian Petrut (petrutlucian94)
status: New → In Progress
description: updated
description: updated
Changed in neutron:
importance: Undecided → Critical
description: updated
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.opendev.org/709100
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=caa34c279756164357bbcb9900aee36d0501d73f
Submitter: Zuul
Branch: master

commit caa34c279756164357bbcb9900aee36d0501d73f
Author: Lucian Petrut <email address hidden>
Date: Fri Feb 21 13:21:20 2020 +0200

    Drop invalid rootwrap filters

    A recent change introduced a couple of rootwrap filters that are
    supposed to allow running ping within a network namespace.

    Those filters will actually replace the "ip" command with "ping",
    which leads to an invalid command.

    Since those two filters are now superfluous, we're going to drop
    them.

    Change-Id: I57869c68e858503ed8d6b86506c79c289f2820e1
    Closes-Bug: #1864186

Changed in neutron:
status: In Progress → Fix Released
tags: added: neutron-proactive-backport-potential
tags: removed: neutron-proactive-backport-potential
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/755551

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/stein)

Fix proposed to branch: stable/stein
Review: https://review.opendev.org/755555

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/train)

Reviewed: https://review.opendev.org/755551
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=fa5967012d201a7bc3a407280fd7481f5dc81574
Submitter: Zuul
Branch: stable/train

commit fa5967012d201a7bc3a407280fd7481f5dc81574
Author: Lucian Petrut <email address hidden>
Date: Fri Feb 21 13:21:20 2020 +0200

    Drop invalid rootwrap filters

    A recent change introduced a couple of rootwrap filters that are
    supposed to allow running ping within a network namespace.

    Those filters will actually replace the "ip" command with "ping",
    which leads to an invalid command.

    Since those two filters are now superfluous, we're going to drop
    them.

    Change-Id: I57869c68e858503ed8d6b86506c79c289f2820e1
    Closes-Bug: #1864186
    (cherry picked from commit caa34c279756164357bbcb9900aee36d0501d73f)

tags: added: in-stable-train
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/stein)

Reviewed: https://review.opendev.org/755555
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=b3582e1ae3627bc0a8b35238dddc90647a5f9d89
Submitter: Zuul
Branch: stable/stein

commit b3582e1ae3627bc0a8b35238dddc90647a5f9d89
Author: Lucian Petrut <email address hidden>
Date: Fri Feb 21 13:21:20 2020 +0200

    Drop invalid rootwrap filters

    A recent change introduced a couple of rootwrap filters that are
    supposed to allow running ping within a network namespace.

    Those filters will actually replace the "ip" command with "ping",
    which leads to an invalid command.

    Since those two filters are now superfluous, we're going to drop
    them.

    Change-Id: I57869c68e858503ed8d6b86506c79c289f2820e1
    Closes-Bug: #1864186
    (cherry picked from commit caa34c279756164357bbcb9900aee36d0501d73f)

tags: added: in-stable-stein
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.opendev.org/757105

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.opendev.org/757106

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/queens)

Reviewed: https://review.opendev.org/757106
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=96dfd5edda213d4a06466120b753e835f022b084
Submitter: Zuul
Branch: stable/queens

commit 96dfd5edda213d4a06466120b753e835f022b084
Author: Lucian Petrut <email address hidden>
Date: Fri Feb 21 13:21:20 2020 +0200

    Drop invalid rootwrap filters

    A recent change introduced a couple of rootwrap filters that are
    supposed to allow running ping within a network namespace.

    Those filters will actually replace the "ip" command with "ping",
    which leads to an invalid command.

    Since those two filters are now superfluous, we're going to drop
    them.

    Conflicts:
        etc/neutron/rootwrap.d/debug.filters

    Change-Id: I57869c68e858503ed8d6b86506c79c289f2820e1
    Closes-Bug: #1864186

tags: added: in-stable-queens
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/rocky)

Reviewed: https://review.opendev.org/757105
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=be7043a7e2931678c1dc182c654bf70a73c5de2a
Submitter: Zuul
Branch: stable/rocky

commit be7043a7e2931678c1dc182c654bf70a73c5de2a
Author: Lucian Petrut <email address hidden>
Date: Fri Feb 21 13:21:20 2020 +0200

    Drop invalid rootwrap filters

    A recent change introduced a couple of rootwrap filters that are
    supposed to allow running ping within a network namespace.

    Those filters will actually replace the "ip" command with "ping",
    which leads to an invalid command.

    Since those two filters are now superfluous, we're going to drop
    them.

    Conflicts:
        etc/neutron/rootwrap.d/debug.filters

    Change-Id: I57869c68e858503ed8d6b86506c79c289f2820e1
    Closes-Bug: #1864186

tags: added: in-stable-rocky
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers