USE_NAMESPACES requires sahara be run as root

Bug #1271349 reported by Matthew Farrellee
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Sahara | Fix Released | High | Michael McCune |

Bug Description

The USE_NAMESPACES code, which tells savanna-api to set up a proxy into a tenant netns for communication w/ instances, uses 'ip netns exec' as part of its implementation.

root (superuser) privileges are required to successfully run 'ip netns exec', which means savanna-api must be run with such privs instead of a preferred lower-priv daemon account.

Matthew Farrellee (mattf) wrote :

RDO workaround: sed -i 's/daemon --user savanna/daemon --user root/' /etc/init.d/openstack-savanna-api

description: updated
summary: - USE_NAMESPACE requires savanna-api be run as root
+ USE_NAMESPACES requires savanna-api be run as root
Changed in savanna:
status: New → Confirmed
importance: Undecided → Low
assignee: nobody → Jonathan Maron (jmaron)
milestone: none → icehouse-3
Changed in savanna:
importance: Low → High
Sergey Lukjanov (slukjanov) wrote : Re: USE_NAMESPACES requires savanna-api be run as root

It looks like a note in docs.

Changed in savanna:
importance: High → Medium
Matthew Farrellee (mattf) wrote :
Changed in savanna:
importance: Medium → High
Jonathan Maron (jmaron) wrote :

Do you mean something akin to "sudo quantum-rootwrap /etc/quantum/rootwrap.conf ip netns exec..."?

Matthew Farrellee (mattf) wrote :
Sergey Lukjanov (slukjanov) wrote :

Yup, looks like it should be used for the case when namespaces are enabled.

Jonathan Maron (jmaron) wrote :
Jonathan Maron (jmaron) wrote :

I can put in the code to support rootwrap functionality, but it appears that we'll need to document the sudoers configuration for the user running the savanna server, correct?

OpenStack Infra (hudson-openstack) wrote : Fix proposed to savanna (master)

Fix proposed to branch: master
Review: https://review.openstack.org/73396

Changed in savanna:
status: Confirmed → In Progress
Changed in savanna:
milestone: icehouse-3 → next
Changed in sahara:
assignee: Jonathan Maron (jmaron) → Michael McCune (mimccune)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to sahara (master)

Fix proposed to branch: master
Review: https://review.openstack.org/125518

Changed in sahara:
milestone: next → kilo-1
OpenStack Infra (hudson-openstack) wrote : Fix proposed to sahara (proposed/juno)

Fix proposed to branch: proposed/juno
Review: https://review.openstack.org/126431

tags: added: juno-rc-potential
OpenStack Infra (hudson-openstack) wrote : Change abandoned on sahara (proposed/juno)

Change abandoned by Sergey Lukjanov (<email address hidden>) on branch: proposed/juno
Review: https://review.openstack.org/126431
Reason: It couldn't be back ported to juno due to the dep addition.

tags: removed: juno-rc-potential
summary: - USE_NAMESPACES requires savanna-api be run as root
+ USE_NAMESPACES requires sahara be run as root
OpenStack Infra (hudson-openstack) wrote : Fix merged to sahara (master)

Reviewed: https://review.openstack.org/125518
Committed: https://git.openstack.org/cgit/openstack/sahara/commit/?id=04502de481bb79345adc3053dfc08e2b909f2af3
Submitter: Jenkins
Branch: master

commit 04502de481bb79345adc3053dfc08e2b909f2af3
Author: Michael McCune <email address hidden>
Date: Wed Oct 1 17:57:52 2014 -0400

    Adding support for oslo.rootwrap to namespace access

    Changes
    * adding configuration options for rootwrap
    * refactoring ssh connection to use rootwrap as a proxy when requested
    * adding documentation for rootwrap configuration
    * adding default rootwrap filters file
    * adding default sudoers conf file for sahara user
    * adding default rootwrap conf file for sahara-rootwrap
    * adding sahara-rootwrap cli script
    * adding requirement for oslo.rootwrap

    Change-Id: I7871400b2342a4cd1a8910ae5121b1bfdc46078d
    Closes-Bug: #1271349

Changed in sahara:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in sahara:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in sahara:
milestone: kilo-1 → 2015.1.0
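
The idea behind the fix discussed in this report (the daemon stays unprivileged and a root helper runs only allowlisted 'ip netns exec' commands) is illustrated by the following added example, which is not part of the bug report and is not Sahara's or oslo.rootwrap's code. The function name, the qrouter-<uuid> namespace pattern and the choice of nc as the only permitted inner command are assumptions made for the illustration.

```python
import ipaddress
import re

# Assumption: tenant namespaces use Neutron's "qrouter-<uuid>" naming.
NETNS_RE = re.compile(r"qrouter-[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}")
# Assumption: the proxy only ever needs nc inside the namespace.
ALLOWED_INNER = {"nc"}
PORT_RE = re.compile(r"[0-9]{1,5}")


def check_netns_exec(argv):
    """Decide whether a root helper should run argv for the unprivileged daemon.

    Accepts exactly: ip netns exec <qrouter-uuid> nc <ip-literal> <port>
    Returns (allowed, reason).
    """
    if len(argv) != 7:
        return False, "unexpected argument count"
    if argv[:3] != ["ip", "netns", "exec"]:
        return False, "not an 'ip netns exec' command"
    namespace, inner, host, port = argv[3:]
    if not NETNS_RE.fullmatch(namespace):
        return False, "namespace name not allowed"
    if inner not in ALLOWED_INNER:
        return False, "inner command not allowed"
    try:
        ipaddress.ip_address(host)  # rejects hostnames and option-like strings
    except ValueError:
        return False, "host is not an IP literal"
    if not PORT_RE.fullmatch(port) or not 1 <= int(port) <= 65535:
        return False, "port out of range"
    return True, "ok"


if __name__ == "__main__":
    ns = "qrouter-3f1c2a9e-5b7d-4e21-9c0a-1d2e3f4a5b6c"  # constructed sample
    samples = [
        ["ip", "netns", "exec", ns, "nc", "10.0.0.5", "22"],
        ["ip", "netns", "exec", ns, "bash", "-c", "id"],
        ["ip", "netns", "exec", "other-ns", "nc", "10.0.0.5", "22"],
        ["ip", "link", "set", "eth0", "down", "x", "y"],
    ]
    for argv in samples:
        print(check_netns_exec(argv), " ".join(argv))
```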