I have a manual neutron installation on Ubuntu Server 22.04.
Everything was working fine before I rebooted the machine.
Now I have this error:
2023-07-05 12:20:55.449 48258 ERROR oslo_service.periodic_task [None req-835bfb24-967b-44a4-849a-c661efe0c7e5 - - - - - -] Error during L3NATAgentWithStateReport.periodic_sync_routers_task: PermissionError: [Errno 13] Permission denied
2023-07-05 12:20:55.449 48258 ERROR oslo_service.periodic_task Traceback (most recent call last):
2023-07-05 12:20:55.449 48258 ERROR oslo_service.periodic_task   File "/usr/lib/python3/dist-packages/oslo_service/periodic_task.py", line 216, in run_periodic_tasks
2023-07-05 12:20:55.449 48258 ERROR oslo_service.periodic_task     task(self, context)
2023-07-05 12:20:55.449 48258 ERROR oslo_service.periodic_task   File "/usr/lib/python3/dist-packages/neutron/agent/l3/agent.py", line 887, in periodic_sync_routers_task
2023-07-05 12:20:55.449 48258 ERROR oslo_service.periodic_task     with self.namespaces_manager as ns_manager:
2023-07-05 12:20:55.449 48258 ERROR oslo_service.periodic_task   File "/usr/lib/python3/dist-packages/neutron/agent/l3/namespace_manager.py", line 71, in __enter__
2023-07-05 12:20:55.449 48258 ERROR oslo_service.periodic_task     self._all_namespaces = self.list_all()
2023-07-05 12:20:55.449 48258 ERROR oslo_service.periodic_task   File "/usr/lib/python3/dist-packages/neutron/agent/l3/namespace_manager.py", line 117, in list_all
2023-07-05 12:20:55.449 48258 ERROR oslo_service.periodic_task     namespaces = ip_lib.list_network_namespaces()
2023-07-05 12:20:55.449 48258 ERROR oslo_service.periodic_task   File "/usr/lib/python3/dist-packages/neutron/agent/linux/ip_lib.py", line 963, in list_network_namespaces
2023-07-05 12:20:55.449 48258 ERROR oslo_service.periodic_task     return privileged.list_netns(**kwargs)
2023-07-05 12:20:55.449 48258 ERROR oslo_service.periodic_task   File "/usr/lib/python3/dist-packages/oslo_privsep/priv_context.py", line 271, in _wrap
2023-07-05 12:20:55.449 48258 ERROR oslo_service.periodic_task     return self.channel.remote_call(name, args, kwargs,
2023-07-05 12:20:55.449 48258 ERROR oslo_service.periodic_task   File "/usr/lib/python3/dist-packages/oslo_privsep/daemon.py", line 215, in remote_call
2023-07-05 12:20:55.449 48258 ERROR oslo_service.periodic_task     raise exc_type(*result[2])
2023-07-05 12:20:55.449 48258 ERROR oslo_service.periodic_task PermissionError: [Errno 13] Permission denied
2023-07-05 12:20:55.449 48258 ERROR oslo_service.periodic_task
My /etc/sudoers.d/neutron_sudoers file contains:
Defaults:neutron !requiretty
neutron ALL = (root) NOPASSWD: /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *
My /etc/neutron/rootwrap.d/rootwrap.filters file contains:
# Command filters to allow privsep daemon to be started via rootwrap.
#
# This file should be owned by (and only-writeable by) the root user
[Filters]
# By installing the following, the local admin is asserting that:
#
# 1. The python module load path used by privsep-helper
# command as root (as started by sudo/rootwrap) is trusted.
# 2. Any oslo.config files matching the --config-file
# arguments below are trusted.
# 3. Users allowed to run sudo/rootwrap with this configuration(*) are
# also allowed to invoke python "entrypoint" functions from
# --privsep_context with the additional (possibly root) privileges
# configured for that context.
#
# (*) ie: the user is allowed by /etc/sudoers to run rootwrap as root
#
# In particular, the oslo.config and python module path must not
# be writeable by the unprivileged user.
# PRIVSEP
# oslo.privsep default neutron context
privsep: PathFilter, privsep-helper, root,
 --config-file, /etc/(?!\.\.).*,
 --privsep_context, neutron.privileged.default,
 --privsep_sock_path, /
# NOTE: A second `--config-file` arg can also be added above. Since
# many neutron components are installed like that (eg: by devstack).
# Adjust to suit local requirements.
# DEBUG
sleep: RegExpFilter, sleep, root, sleep, \d+
# EXECUTE COMMANDS IN A NAMESPACE
ip: IpFilter, ip, root
ip_exec: IpNetnsExecFilter, ip, root
# METADATA PROXY
haproxy: RegExpFilter, haproxy, root, haproxy, -f, .*
haproxy_env: EnvFilter, env, root, PROCESS_TAG=, haproxy, -f, .*
# DHCP
dnsmasq: CommandFilter, dnsmasq, root
dnsmasq_env: EnvFilter, env, root, PROCESS_TAG=, dnsmasq
# DIBBLER
dibbler-client: CommandFilter, dibbler-client, root
dibbler-client_env: EnvFilter, env, root, PROCESS_TAG=, dibbler-client
# L3
radvd: CommandFilter, radvd, root
radvd_env: EnvFilter, env, root, PROCESS_TAG=, radvd
keepalived: CommandFilter, keepalived, root
keepalived_env: EnvFilter, env, root, PROCESS_TAG=, keepalived
keepalived_state_change: CommandFilter, neutron-keepalived-state-change, root
keepalived_state_change_env: EnvFilter, env, root, PROCESS_TAG=, neutron-keepalived-state-change
# OPEN VSWITCH
ovs-ofctl: CommandFilter, ovs-ofctl, root
ovsdb-client: CommandFilter, ovsdb-client, root
My /etc/neutron/rootwrap.conf file contains:
# Configuration for neutron-rootwrap
# This file should be owned by (and only-writeable by) the root user
[DEFAULT]
# List of directories to load filter definitions from (separated by ',').
# These directories MUST all be only writeable by root !
filters_path=/etc/neutron/rootwrap.d,/usr/share/neutron/rootwrap
# List of directories to search executables in, in case filters do not
# explicitely specify a full path (separated by ',')
# If not specified, defaults to system PATH environment variable.
# These directories MUST all be only writeable by root !
exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/etc/neutron/kill_scripts
# Enable logging to syslog
# Default value is False
use_syslog=False
# Which syslog facility to use.
# Valid values include auth, authpriv, syslog, local0, local1...
# Default value is 'syslog'
syslog_log_facility=syslog
# Which messages to log.
# INFO means log all usage
# ERROR means only log unsuccessful attempts
syslog_log_level=ERROR
# Rootwrap daemon exits after this seconds of inactivity
daemon_timeout=600
# Rootwrap daemon limits itself to that many file descriptors (Linux only)
rlimit_nofile=1024
In neutron config I have this:
[agent]
root_helper = "sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf"
I am not sure if it is a neutron error or an oslo.privsep error.
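
The comments in rootwrap.conf above require the file itself and every directory in filters_path and exec_dirs to be writable only by root. The following is an added example, not part of the original report and not neutron or oslo.rootwrap code, that checks that requirement on a host; the function names and the trusted_uid parameter are assumptions made for illustration.

```python
import configparser
import os
import stat


def audit_path(path, trusted_uid=0):
    """Return a list of findings for one file or directory (empty list = OK)."""
    try:
        # Follow symlinks: on Ubuntu 22.04 /bin and /sbin are links into /usr.
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    findings = []
    if st.st_uid != trusted_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        mode = stat.filemode(st.st_mode)
        findings.append(f"{path}: group/world writable ({mode})")
    return findings


def audit_rootwrap(conf_path, trusted_uid=0):
    """Audit rootwrap.conf, its filters_path dirs and files, and exec_dirs."""
    cp = configparser.RawConfigParser()  # Raw: no '%' interpolation surprises
    cp.read(conf_path)
    defaults = cp.defaults()             # options under [DEFAULT]
    findings = audit_path(conf_path, trusted_uid)
    # Filter files are checked one by one; exec_dirs only at directory level.
    for option, check_files in (("filters_path", True), ("exec_dirs", False)):
        for entry in defaults.get(option, "").split(","):
            directory = entry.strip()
            if not directory:
                continue
            findings += audit_path(directory, trusted_uid)
            if check_files and os.path.isdir(directory):
                for name in sorted(os.listdir(directory)):
                    findings += audit_path(os.path.join(directory, name),
                                           trusted_uid)
    return findings


if __name__ == "__main__":
    # Path taken from the sudoers entry and root_helper setting in the report.
    for finding in audit_rootwrap("/etc/neutron/rootwrap.conf"):
        print(finding)
```

An empty result means every checked path exists, is owned by uid 0 and has no group or world write bit; a "missing" entry is reported so the operator can decide whether that directory should be listed at all.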