Custom kill scripts don't work after migration to privsep

Bug #1923198 reported by Slawek Kaplonski
Affects: neutron
Status: Fix Released
Importance: High
Assigned to: Slawek Kaplonski

Bug Description

It seems that custom kill scripts aren't working properly if they are in a path which isn't in the standard PATH now.
When we were using rootwrap to run such scripts, it was fine when the scripts were e.g. in the default path, which is /etc/neutron/kill_scripts/, as this directory is added to rootwrap's exec_dirs: https://github.com/openstack/neutron/blob/07b7da2251fbb607d599d48e80e4a701fa6b394e/etc/rootwrap.conf#L13 and rootwrap looks for the binary to execute in the directories from that config option.

But now we moved to privsep and we have errors like:

2021-04-09 12:01:19.348 176680 DEBUG oslo.privsep.daemon [-] privsep: Exception during request[140575473731280]: [Errno 2] No such file or directory: 'dnsmasq-kill': 'dnsmasq-kill' _process_cmd /usr/lib/python3.6/site-packages/oslo_privsep/daemon.py:490
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/oslo_privsep/daemon.py", line 485, in _process_cmd
    ret = func(*f_args, **f_kwargs)
  File "/usr/lib/python3.6/site-packages/oslo_privsep/priv_context.py", line 249, in _wrap
    return func(*args, **kwargs)
  File "/usr/lib/python3.6/site-packages/neutron/privileged/agent/linux/utils.py", line 56, in execute_process
    obj, cmd = _create_process(cmd, addl_env=addl_env)
  File "/usr/lib/python3.6/site-packages/neutron/privileged/agent/linux/utils.py", line 83, in _create_process
    stdout=subprocess.PIPE, stderr=subprocess.PIPE)
  File "/usr/lib/python3.6/site-packages/eventlet/green/subprocess.py", line 58, in __init__
    subprocess_orig.Popen.__init__(self, args, 0, *argss, **kwds)
  File "/usr/lib64/python3.6/subprocess.py", line 729, in __init__
    restore_signals, start_new_session)
  File "/usr/lib64/python3.6/subprocess.py", line 1364, in _execute_child
    raise child_exception_type(errno_num, err_msg, err_filename)
FileNotFoundError: [Errno 2] No such file or directory: 'dnsmasq-kill': 'dnsmasq-kill'

Even if the dnsmasq-kill script is in the /etc/neutron/kill_scripts directory.

We didn't spot it in our CI jobs as we don't run any job with those custom kill scripts. But it is used e.g. by TripleO and they spotted it in their jobs.

Slawek Kaplonski (slaweq) wrote :
Changed in neutron:
status: Confirmed → In Progress
Slawek Kaplonski (slaweq) wrote :

Fix merged

Changed in neutron:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/785606
Committed: https://opendev.org/openstack/neutron/commit/bfaf0ebc116cc5e3d5ae0fe5cd41bcc6fde58717
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit bfaf0ebc116cc5e3d5ae0fe5cd41bcc6fde58717
Author: Slawek Kaplonski <email address hidden>
Date: Fri Apr 9 15:28:41 2021 +0200

    Always use absolute path for custom kill-scripts

    When rootwrap was used to run custom kill-scripts, it worked fine with
    the executable name without full path as path was in the rootwrap's
    exec_dirs config option thus rootwrap was able to find it.

    But as we migrated to privsep it doesn't work like that anymore.
    It's better to use absolute path of the kill-script always and that
    patch changes to do it like that.

    Change-Id: I66d70304530935e2add3345aba6aa3c549a0a2df
    Closes-Bug: #1923198
    (cherry picked from commit e5ccfee6cfb503c3ba7cce816fae331dd017f3ce)

tags: added: in-stable-wallaby
tags: added: neutron-proactive-backport-potential
tags: removed: neutron-proactive-backport-potential
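
The lookup difference described in the bug report and the commit message, as an added example that is not neutron or oslo code: a rootwrap-style search of exec_dirs finds the script, a plain subprocess call with a bare name searches PATH only, and an absolute path works either way. The helper names, the temporary directory standing in for /etc/neutron/kill_scripts/ and the PATH value are assumptions.

```python
import os
import subprocess
import tempfile

STANDARD_PATH = "/usr/bin:/bin"  # assumed PATH of the privileged daemon


def find_in_exec_dirs(name, exec_dirs):
    """rootwrap-style lookup: return the first executable match in exec_dirs."""
    for directory in exec_dirs:
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def run(cmd, path_env=STANDARD_PATH):
    """Plain subprocess call: a bare command name is searched in PATH only."""
    try:
        return subprocess.run(cmd, env={"PATH": path_env},
                              stdout=subprocess.PIPE,
                              stderr=subprocess.PIPE).returncode
    except FileNotFoundError:
        return None  # same error class as in the traceback above


def demo():
    # Constructed stand-in for /etc/neutron/kill_scripts/dnsmasq-kill.
    with tempfile.TemporaryDirectory() as kill_scripts_dir:
        script = os.path.join(kill_scripts_dir, "dnsmasq-kill")
        with open(script, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        os.chmod(script, 0o755)

        bare = run(["dnsmasq-kill"])            # not in PATH -> None
        resolved = find_in_exec_dirs("dnsmasq-kill",
                                     [kill_scripts_dir, "/usr/bin"])
        absolute = run([resolved])              # absolute path -> exit code 0
        return bare, os.path.isabs(resolved), absolute


if __name__ == "__main__":
    print(demo())
```
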
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 18.1.0

This issue was fixed in the openstack/neutron 18.1.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 19.0.0.0rc1

This issue was fixed in the openstack/neutron 19.0.0.0rc1 release candidate.
