On 06/14/2014 01:18 AM, Romain Chantereau wrote:
> Package: neutron-dhcp-agent
> Version: 2014.1.1-2~bpo70+1
> Severity: normal
>
> Dear Maintainer,
>
> After installing and following the OpenStack installation guide I faced an
> issue with an instance not getting its IP from the DHCP server.
>
> After some investigation, syslog reported:
> /var/lib/neutron/dhcp/{id}/host : Permission denied
>
> And as the dnsmasq process is launched as "nobody", and as /var/lib/neutron
> is rx for owner and group (neutron) only (no rights for others), the
> dnsmasq process was unable to read its allocable IP pool.
>
> I just did a chmod o+x /var/lib/neutron and it worked.
>
> Could you fix it in the package (finding a way to run dnsmasq as the neutron
> user or setting sufficient permissions on the directory)?
>
> Thanks for your work.
> Regards,
> Romain

This is IMO a problem with Neutron upstream code, which should be running
dnsmasq as the neutron user. If you do:

    dnsmasq --help | grep user

then you see that there is a --user=<username> option, which isn't in use
in the spawn_process() function in neutron/agent/linux/dhcp.py. We could
simply add that option there, which would be a much better fix than doing
a chmod o+x /var/lib/neutron, which may have system-wide security
implications.

Such a change should of course be proposed upstream, rather than just
patched locally. I would strongly suggest opening a thread on the
OpenStack dev list. It is my experience that such Unix rights changes often
have security implications which are hard to foresee, and I would hate to
introduce a Debian-specific security issue.

Your thoughts?

Cheers,

Thomas Goirand (zigo)
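
The failure discussed in this thread can be reproduced without touching a real system. The following is an added example, not part of either message and not Neutron or Debian packaging code: it walks the mode bits of each directory on the way to a file and reports the first one that stops a given uid. The directory layout, the "net-id" name and the uid/gid values are constructed stand-ins; ACLs and LSM policy are not considered.

```python
import os
import stat
import tempfile

SEARCH = (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)
READ = (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)


def allowed(st, uid, gids, bits):
    """Classic owner/group/other mode check; ACLs and LSM policy are ignored."""
    if uid == 0:
        return True  # root (with full capabilities) bypasses these mode bits
    if st.st_uid == uid:
        return bool(st.st_mode & bits[0])
    if st.st_gid in gids:
        return bool(st.st_mode & bits[1])
    return bool(st.st_mode & bits[2])


def first_blocker(path, uid, gids, base="/"):
    """Return (component, reason) for the first entry below `base` that stops
    `uid` from reading `path`, or None if the mode bits allow the read."""
    base, path = os.path.abspath(base), os.path.abspath(path)
    rel = os.path.relpath(os.path.dirname(path), base)
    current = base
    for part in ([] if rel == "." else rel.split(os.sep)):
        current = os.path.join(current, part)
        if not allowed(os.stat(current), uid, gids, SEARCH):
            return current, "no search (x) permission"
    if not allowed(os.stat(path), uid, gids, READ):
        return path, "no read (r) permission"
    return None


def build_sample_tree(root):
    """Constructed stand-in for /var/lib/neutron/dhcp/{id}/host under `root`."""
    leaf = os.path.join(root, "neutron", "dhcp", "net-id")
    os.makedirs(leaf)
    host = os.path.join(leaf, "host")
    with open(host, "w") as fh:
        fh.write("constructed sample host entry\n")
    os.chmod(host, 0o644)
    os.chmod(leaf, 0o755)
    os.chmod(os.path.dirname(leaf), 0o755)
    os.chmod(os.path.join(root, "neutron"), 0o750)  # rx for owner and group only
    return host


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        host = build_sample_tree(root)
        owner = os.stat(host)
        # Constructed ids standing in for an unrelated account such as "nobody".
        print(first_blocker(host, owner.st_uid + 1, {owner.st_gid + 1}, base=root))
```

Run against a real path with base="/", the same function shows which ancestor directory a service account cannot traverse, which helps when comparing a broad chmod against running the process as the directory's owner.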