Hi,
I have run into the following problem and maybe someone on the list can help shed some light. Maybe this is just a misunderstanding on my behalf and I hope that someone can help.

Openstack Quantum makes use of namespaces for the DHCP and L3 agents. This enables one to make use of overlapping IPs. In the Fedora packaging we create a quantum user that runs the above mentioned agents. Each agent can create one or more namespaces. There is a sudoers file for quantum. The contents are below:

[root@localhost sudoers.d]# cat quantum
Defaults:quantum !requiretty

quantum ALL = (root) NOPASSWD: SETENV: /usr/bin/quantum-rootwrap

When one of the agents creates a namespace the root user is unable to access the namespace:

List of namespaces:
[root@localhost sudoers.d]# ip netns
qrouter-e4cf5693-7d63-4e9a-a8a7-6dd952394c28
qdhcp-0c642a75-0402-4013-a0d0-6eb8b1b9c9cc

Trying to read configured interfaces in namespace:
[root@localhost sudoers.d]# ip netns exec qdhcp-0c642a75-0402-4013-a0d0-6eb8b1b9c9cc ip link
seting the network namespace failed: Invalid argument

It seems that the reason for this is that the permissions are as follows:

[root@localhost ~]# ll /var/run/netns/
total 0
----------. 1 root root 0 Sep 24 09:00 qdhcp-0c642a75-0402-4013-a0d0-6eb8b1b9c9cc
----------. 1 root root 0 Sep 24 09:02 qrouter-e4cf5693-7d63-4e9a-a8a7-6dd952394c28

If the agents are run by the root user and not quantum then the permissions of the files are:

-r--------. 1 root root 0 Sep 24 09:00 qdhcp-0c642a75-0402-4013-a0d0-6eb8b1b9c9cc
-r--------. 1 root root 0 Sep 24 09:02 qrouter-e4cf5693-7d63-4e9a-a8a7-6dd952394c28

And the ip link operation succeeds.

I would assume that root should have permission to access the namespaces directly.

Thanks
Gary
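As an added diagnostic (not part of Gary's message or of the Quantum packaging), the POSIX shell snippet below does two things: it flags entries in a /var/run/netns listing whose mode field grants no owner-read permission, as in the listing quoted above, and it attempts to enter every namespace with `ip netns exec`, reporting those that cannot be entered. The listing embedded in the script is constructed from the output in the message; check_live assumes it is run as root on a host with iproute2's `ip`.

```shell
#!/bin/sh
# Constructed sample: the "ll /var/run/netns/" output quoted in the message,
# one namespace created via the quantum user (mode 0000) and one by root (0400).
NETNS_LISTING='----------. 1 root root 0 Sep 24 09:00 qdhcp-0c642a75-0402-4013-a0d0-6eb8b1b9c9cc
-r--------. 1 root root 0 Sep 24 09:02 qrouter-e4cf5693-7d63-4e9a-a8a7-6dd952394c28'

# unreadable_netns LISTING
# Prints the name (last field) of every "ls -l"-style line whose mode string
# has no owner-read bit, i.e. namespace files that even root cannot open
# without first chmod-ing them.
unreadable_netns() {
    printf '%s\n' "$1" | awk 'NF >= 9 && $1 !~ /^.r/ { print $NF }'
}

# check_live
# For every namespace known to "ip netns", try to run a no-op inside it.
# A namespace that fails here is the situation described in the message;
# the file mode is printed next to it so the two can be correlated.
# Requires root and iproute2 (assumption, not checked here).
check_live() {
    for ns in $(ip netns 2>/dev/null | awk '{ print $1 }'); do
        if ip netns exec "$ns" true 2>/dev/null; then
            echo "$ns: ok"
        else
            mode=$(ls -l "/var/run/netns/$ns" 2>/dev/null | awk '{ print $1 }')
            echo "$ns: cannot enter namespace (file mode: ${mode:-missing})"
        fi
    done
}

# Usage: run the offline check on the constructed listing, then the live one.
if [ "${1:-}" = "--live" ]; then
    check_live
else
    unreadable_netns "$NETNS_LISTING"
fi
```

Run it without arguments to see which of the quoted entries would be flagged (only the qdhcp namespace, whose mode is 0000); run it as root with `--live` on a Quantum node to test the real namespaces. A namespace that the live check cannot enter while its file shows a read bit points at something other than the file mode, so the mode is printed alongside the result rather than used as the sole verdict.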



--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
