On 06/14/2014 01:18 AM, Romain Chantereau wrote:
> Package: neutron-dhcp-agent
> Version: 2014.1.1-2~bpo70+1
> Severity: normal
> 
> Dear Maintainer,
> 
> After installing and following the OpenStack installation guide I faced an 
> issue with an instance not getting its IP from the DHCP server.
> 
> After some investigation, syslog reported:
> /var/lib/neutron/dhcp/{id}/host : Permission denied
> 
> And as the dnsmasq process is launched as "nobody", and as /var/lib/neutron 
> is rx for owner and group (neutron) only (no rights for others), the 
> dnsmasq process was unable to read its allocable IP pool.
> 
> I just did a chmod o+x /var/lib/neutron and it worked.
> 
> Could you fix it in the package (finding a way to run dnsmasq as neutron user 
> or setting sufficient permissions on the directory)?
> 
> Thanks for your work.
> Regards,
> Romain

This is IMO a problem with Neutron upstream code, which should be
running dnsmasq as neutron user. If you do:
dnsmasq --help | grep user

then you see that there is a --user=<username> option, which isn't in
use in the spawn_process() function in neutron/agent/linux/dhcp.py. We
could simply add that option there, which would be a much better fix
than doing a chmod o+x /var/lib/neutron, which may have system wide
security implications.

Such a change should of course be proposed upstream, rather than just
patched locally. I would strongly suggest opening a thread on the
OpenStack dev list. It is my experience that such unix rights changes
often have security implications which are hard to foresee, and I would
hate to introduce a Debian specific security issue.

Your thoughts?

Cheers,

Thomas Goirand (zigo)
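
The permission check behind the reported "Permission denied", as an added example that is not part of the original thread and not Neutron's code: it models the path walk to the file named in the syslog line and compares the chmod o+x workaround with running dnsmasq as the neutron user. The uid/gid numbers and every mode other than the r-x/r-x/--- on /var/lib/neutron are constructed assumptions.

```python
from collections import namedtuple

# Constructed sample data: one entry per path component, root first.
Entry = namedtuple("Entry", "path mode uid gid")
NEUTRON_UID = NEUTRON_GID = 110    # hypothetical ids for the neutron account
NOBODY_UID = NOBODY_GID = 65534    # assumed ids for "nobody"

def sample_tree(neutron_dir_mode):
    """Path from the syslog line; only /var/lib/neutron's mode varies."""
    return [
        Entry("/", 0o755, 0, 0),
        Entry("/var", 0o755, 0, 0),
        Entry("/var/lib", 0o755, 0, 0),
        Entry("/var/lib/neutron", neutron_dir_mode, NEUTRON_UID, NEUTRON_GID),
        Entry("/var/lib/neutron/dhcp", 0o755, NEUTRON_UID, NEUTRON_GID),
        Entry("/var/lib/neutron/dhcp/{id}", 0o755, NEUTRON_UID, NEUTRON_GID),
        Entry("/var/lib/neutron/dhcp/{id}/host", 0o644, NEUTRON_UID, NEUTRON_GID),
    ]

def allowed(entry, uid, gids, want):
    """Unix mode check: exactly one of the owner/group/other triplets applies."""
    if uid == entry.uid:
        bits = (entry.mode >> 6) & 7
    elif entry.gid in gids:
        bits = (entry.mode >> 3) & 7
    else:
        bits = entry.mode & 7
    return bits & want == want

def first_denied(tree, uid, gids):
    """Return the component where access fails, or None if the file is readable."""
    *dirs, target = tree
    for d in dirs:
        if not allowed(d, uid, gids, 1):   # x on a directory = permission to traverse
            return d.path
    return None if allowed(target, uid, gids, 4) else target.path

if __name__ == "__main__":
    cases = [
        ("as packaged, dnsmasq as nobody", 0o550, NOBODY_UID, {NOBODY_GID}),
        ("chmod o+x, dnsmasq as nobody", 0o551, NOBODY_UID, {NOBODY_GID}),
        ("chmod o+x, any other local uid", 0o551, 1000, {1000}),
        ("as packaged, dnsmasq --user=neutron", 0o550, NEUTRON_UID, {NEUTRON_GID}),
    ]
    for label, mode, uid, gids in cases:
        blocked = first_denied(sample_tree(mode), uid, gids)
        print(f"{label}: {'readable' if blocked is None else 'denied at ' + blocked}")
```

The third case shows what the workaround changes beyond dnsmasq: with o+x set, every local account can traverse /var/lib/neutron, while the --user route leaves the directory mode untouched.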

