iproute2 (ip netns)

Gary Kotton gkotton at redhat.com
Tue Sep 25 07:53:50 UTC 2012


Hi,
I have run into the following problem and maybe someone on the list can 
help shed some light. Maybe this is just a misunderstanding on my behalf 
and I hope that someone can help.

Openstack Quantum makes use of namespaces for the DHCP and L3 agents. 
This enables one to make use of overlapping IPs. In the Fedora 
packaging we create a quantum user that runs the above mentioned agents. 
Each agent can create one or more namespaces. There is a sudoers file 
for quantum. The contents are below:

[root@localhost sudoers.d]# cat quantum
Defaults:quantum !requiretty

quantum ALL = (root) NOPASSWD: SETENV: /usr/bin/quantum-rootwrap

When one of the agents creates a namespace the root user is unable to 
access the namespace:

List of namespaces:
[root@localhost sudoers.d]# ip netns
qrouter-e4cf5693-7d63-4e9a-a8a7-6dd952394c28
qdhcp-0c642a75-0402-4013-a0d0-6eb8b1b9c9cc

Trying to read configured interfaces in namespace:
[root@localhost sudoers.d]# ip netns exec qdhcp-0c642a75-0402-4013-a0d0-6eb8b1b9c9cc ip link
seting the network namespace failed: Invalid argument

It seems that the reason for this is that the permissions are as follows:

[root@localhost ~]# ll /var/run/netns/
total 0
----------. 1 root root 0 Sep 24 09:00 qdhcp-0c642a75-0402-4013-a0d0-6eb8b1b9c9cc
----------. 1 root root 0 Sep 24 09:02 qrouter-e4cf5693-7d63-4e9a-a8a7-6dd952394c28

If the agents are run by the root user and not quantum then the 
permission of the files are:
-r--------. 1 root root 0 Sep 24 09:00 qdhcp-0c642a75-0402-4013-a0d0-6eb8b1b9c9cc
-r--------. 1 root root 0 Sep 24 09:02 qrouter-e4cf5693-7d63-4e9a-a8a7-6dd952394c28
And the ip link operation succeeds.

I would assume that root should have permission to access the 
namespaces directly.

Thanks
Gary
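A diagnostic added here as an example; it is not code from the post, from Quantum or from iproute2. It rests on how `ip netns add` works: it creates /var/run/netns/NAME as an empty file (mode 0000) and then bind-mounts /proc/self/ns/net over it, and `ip netns exec` later opens that path and calls setns(). A caller whose mount namespace does not contain that bind mount sees only the empty placeholder, and setns() on a regular file fails with EINVAL, which is the "Invalid argument" in the post. The script checks the caller's mounts table (or any /proc/PID/mounts you hand it) for a mounted handle. Assumed: the directory /var/run/netns (overridable via NETNS_DIR), a filesystem type of "nsfs" (newer kernels) or "proc" (older bind mounts) for the handle, and GNU stat for the optional mode/size display; the sample mounts lines used for testing are constructed.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): tell a real network-namespace
# handle under /var/run/netns apart from the empty placeholder file.
# `ip netns add NAME` first creates /var/run/netns/NAME as an empty file and
# then bind-mounts /proc/self/ns/net over it; `ip netns exec` opens that path
# and calls setns(). If the caller only sees the placeholder (a regular file,
# mode 0000, size 0), setns() fails with EINVAL, which iproute2 reports as
# "seting the network namespace failed: Invalid argument".
#
# Assumptions: the namespace directory is /var/run/netns (override with
# NETNS_DIR), and a mounted handle appears in the mounts table with
# filesystem type "nsfs" (newer kernels) or "proc" (older bind mounts of
# /proc/<pid>/ns/net).

NETNS_DIR=${NETNS_DIR:-/var/run/netns}

# netns_is_mounted NAME [MOUNTS_FILE]
# Exit 0 if MOUNTS_FILE (default: /proc/self/mounts, i.e. the mount namespace
# of the caller) lists a namespace handle mounted on $NETNS_DIR/NAME.
netns_is_mounted() {
    name=$1
    mounts=${2:-/proc/self/mounts}
    awk -v target="$NETNS_DIR/$name" '
        $2 == target && ($3 == "nsfs" || $3 == "proc") { found = 1 }
        END { exit !found }
    ' "$mounts"
}

# netns_diagnose NAME [MOUNTS_FILE]
# Print a one-line verdict. Exit 0 = usable handle, 1 = placeholder only,
# 2 = no such entry.
netns_diagnose() {
    name=$1
    mounts=${2:-/proc/self/mounts}
    path=$NETNS_DIR/$name
    if netns_is_mounted "$name" "$mounts"; then
        echo "$name: namespace handle is mounted at $path; ip netns exec should work"
        return 0
    fi
    if [ -e "$path" ]; then
        # Same name, but no mount in this mount namespace: either the bind
        # mount was made in a different mount namespace (for example by a
        # process started with its own private mount namespace) or it has
        # since been unmounted. Either way setns() on this file gives EINVAL.
        echo "$name: only the placeholder file is visible at $path ($(stat -c '%A %s bytes' "$path" 2>/dev/null)); setns() will fail with EINVAL"
        return 1
    fi
    echo "$name: no entry at $path"
    return 2
}

# Usage: sh netns_check.sh NAME [MOUNTS_FILE]
if [ $# -gt 0 ]; then
    netns_diagnose "$@"
fi
```

Run it as root on the host with the namespace name from `ip netns`. To see whether the agent itself has the handle, pass the agent's own mounts table as the second argument (`netns_diagnose NAME /proc/<agent-pid>/mounts`), since /proc/PID/mounts reflects that process's mount namespace; a handle that is present there but absent from /proc/self/mounts means the two are not sharing a mount namespace.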