iproute2 (ip netns)
Gary Kotton
gkotton at redhat.com
Tue Sep 25 07:53:50 UTC 2012
Hi,
I have run into the following problem and maybe someone on the list can
help shed some light. Maybe this is just a misunderstanding on my behalf,
and I hope that someone can help.
Openstack Quantum makes use of namespaces for the DHCP and L3 agents.
This enables one to make use of overlapping IPs. In the Fedora
packaging we create a quantum user that runs the above mentioned agents.
Each agent can create one or more namespaces. There is a sudoers file
for quantum. The contents are below:
[root@localhost sudoers.d]# cat quantum
Defaults:quantum !requiretty
quantum ALL = (root) NOPASSWD: SETENV: /usr/bin/quantum-rootwrap
When one of the agents creates a namespace the root user is unable to
access the namespace:
List of namespaces:
[root@localhost sudoers.d]# ip netns
qrouter-e4cf5693-7d63-4e9a-a8a7-6dd952394c28
qdhcp-0c642a75-0402-4013-a0d0-6eb8b1b9c9cc
Trying to read configured interfaces in namespace:
[root@localhost sudoers.d]# ip netns exec qdhcp-0c642a75-0402-4013-a0d0-6eb8b1b9c9cc ip link
seting the network namespace failed: Invalid argument
It seems that the reason for this is that the permissions are as follows:
[root@localhost ~]# ll /var/run/netns/
total 0
----------. 1 root root 0 Sep 24 09:00 qdhcp-0c642a75-0402-4013-a0d0-6eb8b1b9c9cc
----------. 1 root root 0 Sep 24 09:02 qrouter-e4cf5693-7d63-4e9a-a8a7-6dd952394c28
If the agents are run by the root user and not quantum then the
permissions of the files are:
-r--------. 1 root root 0 Sep 24 09:00 qdhcp-0c642a75-0402-4013-a0d0-6eb8b1b9c9cc
-r--------. 1 root root 0 Sep 24 09:02 qrouter-e4cf5693-7d63-4e9a-a8a7-6dd952394c28
And the ip link operation succeeds.
I would assume that the root should have permission to access the
namespaces directly.
Thanks
Gary
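A diagnostic for the symptom described in the mail above. This is an added example, not code from the original message, from iproute2 or from Quantum. It rests on how `ip netns` works: `ip netns add NAME` creates an empty placeholder file under /var/run/netns and bind-mounts the creating process's /proc/self/ns/net over it, and `ip netns exec NAME` open()s that path and hands the descriptor to setns(2), which returns EINVAL when the descriptor does not refer to a namespace. So if the shell running `ip netns exec` does not see the bind mount in its own mount namespace, it opens only the bare placeholder and gets exactly "Invalid argument". The script reads /proc/self/mountinfo (field 5 is the mount point, per proc(5)) and reports, per namespace file, whether a mount is visible from the caller. The NETNS_DIR override, the function names and the sample mountinfo used in the test are assumptions of this example.

```shell
# Added example: report which /var/run/netns entries are real, mounted
# namespaces as seen from the *calling* process's mount namespace.
#
# Background (iproute2 behaviour, not from the mail):
#   ip netns add NAME  -> creates empty file $NETNS_DIR/NAME, then
#                         bind-mounts /proc/self/ns/net onto it
#   ip netns exec NAME -> open($NETNS_DIR/NAME) + setns(fd, CLONE_NEWNET)
# setns(2) fails with EINVAL if fd is not a namespace, i.e. if only the
# empty placeholder is visible and the bind mount is not.

# Directory holding the namespace files; overridable for testing
# (the override variable is an assumption of this example).
NETNS_DIR=${NETNS_DIR:-/var/run/netns}

# netns_mounted NAME [MOUNTINFO]
# Returns 0 if "$NETNS_DIR/NAME" is a mount point according to MOUNTINFO
# (default: /proc/self/mountinfo), 1 otherwise.
netns_mounted() {
    name=$1
    mountinfo=${2:-/proc/self/mountinfo}
    target="$NETNS_DIR/$name"
    # proc(5): field 5 of every mountinfo line is the mount point.
    # Octal escapes (\040 for space) are not decoded; netns names from
    # Quantum are UUID based and never contain spaces.
    awk -v t="$target" '$5 == t { found = 1 } END { exit !found }' "$mountinfo"
}

# netns_report [MOUNTINFO]
# Prints one line per namespace file:
#   "NAME ok"               a mount is visible, setns() can succeed
#   "NAME placeholder-only" only the empty file is visible; this is
#                           the case that yields "Invalid argument"
# Returns the number of placeholder-only entries (0 = all usable).
netns_report() {
    mountinfo=${1:-/proc/self/mountinfo}
    bad=0
    for path in "$NETNS_DIR"/*; do
        [ -e "$path" ] || continue
        name=${path##*/}
        if netns_mounted "$name" "$mountinfo"; then
            echo "$name ok"
        else
            echo "$name placeholder-only"
            bad=$((bad + 1))
        fi
    done
    return $bad
}
```

Run it as the user that gets the error (here root) and compare with the same run from inside the agent's own environment; an entry that is "ok" in one and "placeholder-only" in the other means the two are not sharing a mount namespace, which is what the mode-0000 listing in the mail is consistent with, since 0000 is the mode `ip netns add` gives the placeholder before anything is mounted on it.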