neutron

Lack of root_helper call

Bug #1085534 reported by Ken'ichi Ohmichi
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
neutron
Invalid
Undecided
Ken'ichi Ohmichi

Bug Description

When I tried to start quantum-openvswitch-agent service, it failed with the following messages.

---
DEBUG:quantum.agent.linux.utils:Running command: ip -o link show br-eth2
Traceback (most recent call last):
  File "/usr/bin/quantum-openvswitch-agent", line 9, in <module>
    load_entry_point('quantum==2012.2', 'console_scripts', 'quantum-openvswitch-agent')()
  File "/usr/lib/python2.6/site-packages/quantum-2012.2-py2.6.egg/quantum/plugins/openvswitch/agent/ovs_quantum_agent.py", line 820, in main
    reconnect_interval, rpc, enable_tunneling)
  File "/usr/lib/python2.6/site-packages/quantum-2012.2-py2.6.egg/quantum/plugins/openvswitch/agent/ovs_quantum_agent.py", line 156, in __init__
    self.setup_physical_bridges(bridge_mappings)
  File "/usr/lib/python2.6/site-packages/quantum-2012.2-py2.6.egg/quantum/plugins/openvswitch/agent/ovs_quantum_agent.py", line 473, in setup_physical_bridges
    if not ip_lib.device_exists(bridge, self.root_helper):
  File "/usr/lib/python2.6/site-packages/quantum-2012.2-py2.6.egg/quantum/agent/linux/ip_lib.py", line 365, in device_exists
    address = IPDevice(device_name, root_helper, namespace).link.address
  File "/usr/lib/python2.6/site-packages/quantum-2012.2-py2.6.egg/quantum/agent/linux/ip_lib.py", line 196, in address
    return self.attributes.get('link/ether')
  File "/usr/lib/python2.6/site-packages/quantum-2012.2-py2.6.egg/quantum/agent/linux/ip_lib.py", line 216, in attributes
    return self._parse_line(self._run('show', self.name, options='o'))
  File "/usr/lib/python2.6/site-packages/quantum-2012.2-py2.6.egg/quantum/agent/linux/ip_lib.py", line 153, in _run
    return self._parent._run(kwargs.get('options', []), self.COMMAND, args)
  File "/usr/lib/python2.6/site-packages/quantum-2012.2-py2.6.egg/quantum/agent/linux/ip_lib.py", line 33, in _run
    return self._execute(options, command, args)
  File "/usr/lib/python2.6/site-packages/quantum-2012.2-py2.6.egg/quantum/agent/linux/ip_lib.py", line 56, in _execute
    root_helper=root_helper)
  File "/usr/lib/python2.6/site-packages/quantum-2012.2-py2.6.egg/quantum/agent/linux/utils.py", line 45, in execute
    env=env)
  File "/usr/lib/python2.6/site-packages/eventlet/green/subprocess.py", line 25, in __init__
    subprocess_orig.Popen.__init__(self, args, 0, *argss, **kwds)
  File "/usr/lib64/python2.6/subprocess.py", line 639, in __init__
    errread, errwrite)
  File "/usr/lib64/python2.6/subprocess.py", line 1228, in _execute_child
    raise child_exception
OSError: [Errno 13] Permission denied
---

My quantum-openvswitch-agent service run with "quantum" user (not root user),
and root_helper is set in the configuration file.
I feel root_helper is not used at _execute() call in quantum/agent/linux/ip_lib.py.
I tried to change the code like the following, I can avoid this problem.
----
    def _run(self, options, command, args):
        if self.namespace:
            return self._as_root(options, command, args)
        else:
- return self._execute(options, command, args)
+ return self._execute(options, command, args, self.root_helper)
----

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to quantum (master)

Fix proposed to branch: master
Review: https://review.openstack.org/17297

Changed in quantum:
assignee: nobody → Ken'ichi Ohmichi (oomichi)
status: New → In Progress
Revision history for this message
Akihiro Motoki (amotoki) wrote :

I wonder why this command requires the privilege.
ip_lib.device_exists() in ovs_agent tried to execute a command like "ip link show <bridge_name>".
In usual case this command does not require the privilege to run this command.
Can't you execute 'ip link show <bridge_name> without the privilege in your env?

Even if I specified the wrong root_wrapper is passed to device_exists(), this command returned the expected behavior.
(note that br-int exists and br-int2 does not exist in my env)

In [1]: import quantum.agent.linux.ip_lib as ip_lib

In [2]: ip_lib.device_exists('br-int', 'sudo')
Out[2]: True

In [3]: ip_lib.device_exists('br-int2', 'sudo')
Out[3]: False

In [4]: ip_lib.device_exists('br-int2', 'sudo2')
Out[4]: False

In [5]: ip_lib.device_exists('br-int', 'sudo2')
Out[5]: True

Revision history for this message
Ken'ichi Ohmichi (oomichi) wrote :

This bug report is invalid.
I'm sorry for my mistake.

In my test environment, not-root user is not allowed to run 'ip' command.
I changed 'ip' command privilege for digging another problem, and I forgot it.

Now I fix 'ip' command privilege, and I can run the quantum-openvswitch-agent service.
Sorry for my noise and thanks for your investigation, Motoki-san.

Changed in quantum:
status: In Progress → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.