USE_NAMESPACES requires sahara be run as root

Bug #1271349 reported by Matthew Farrellee on 2014-01-21
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Fix Released
Michael McCune

Bug Description

The USE_NAMESPACES code, which tells savanna-api to setup a proxy into a tenant netns for communication w/ instances, uses 'ip netns exec' as part of its implementation.

root (superuser) privileges are required to successfully run 'ip netns exec', which means savanna-api must be run with such privs instead of a preferred lower-priv daemon account.

Matthew Farrellee (mattf) wrote :

RDO workaround: sed -i 's/daemon --user savanna/daemon --user root/' /etc/init.d/openstack-savanna-api

description: updated
summary: - USE_NAMESPACE requires savanna-api be run as root
+ USE_NAMESPACES requires savanna-api be run as root
Changed in savanna:
status: New → Confirmed
importance: Undecided → Low
assignee: nobody → Jonathan Maron (jmaron)
milestone: none → icehouse-3
Changed in savanna:
importance: Low → High

It looks like a note in docs.

Changed in savanna:
importance: High → Medium
Matthew Farrellee (mattf) wrote :
Changed in savanna:
importance: Medium → High
Jonathan Maron (jmaron) wrote :

Do you mean something akin to "sudo quantum-rootwrap /etc/quantum/rootwrap.conf ip netns exec..."?

Sergey Lukjanov (slukjanov) wrote :

yup, looks like it should be used for the case when namespaces enabled.

Jonathan Maron (jmaron) wrote :
Jonathan Maron (jmaron) wrote :

I can put in the code to support rootwrap functionality, but it appears that we'll need to document the sudoers configuration for the user running the savanna server, correct?

Fix proposed to branch: master

Changed in savanna:
status: Confirmed → In Progress
Changed in savanna:
milestone: icehouse-3 → next
Changed in sahara:
assignee: Jonathan Maron (jmaron) → Michael McCune (mimccune)
Changed in sahara:
milestone: next → kilo-1
tags: added: juno-rc-potential

Change abandoned by Sergey Lukjanov (<email address hidden>) on branch: proposed/juno
Reason: It couldn't be back ported to juno due to the dep addition.

tags: removed: juno-rc-potential
summary: - USE_NAMESPACES requires savanna-api be run as root
+ USE_NAMESPACES requires sahara be run as root

Submitter: Jenkins
Branch: master

commit 04502de481bb79345adc3053dfc08e2b909f2af3
Author: Michael McCune <email address hidden>
Date: Wed Oct 1 17:57:52 2014 -0400

    Adding support for oslo.rootwrap to namespace access

    * adding configuration options for rootwrap
    * refactoring ssh connection to use rootwrap as a proxy when requested
    * adding documentation for rootwrap configuration
    * adding default rootwrap filters file
    * adding default sudoers conf file for sahara user
    * adding default rootwrap conf file for sahara-rootwrap
    * adding sahara-rootwrap cli script
    * adding requirement for oslo.rootwrap

    Change-Id: I7871400b2342a4cd1a8910ae5121b1bfdc46078d
    Closes-Bug: #1271349

Changed in sahara:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2014-12-17
Changed in sahara:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2015-04-30
Changed in sahara:
milestone: kilo-1 → 2015.1.0
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers