yahoo-eng-team team mailing list archive
Message #01203
[Bug 1130735] Re: file descriptors not closed when executing sub-processes
** Changed in: quantum
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to quantum.
https://bugs.launchpad.net/bugs/1130735
Title:
file descriptors not closed when executing sub-processes
Status in OpenStack Quantum (virtual network service):
Fix Released
Bug description:
SELinux logs denials such as the following from the ip command (pid
3316) being executed by quantum-dhcp-agent (pid 2604):
type=AVC msg=audit(1361296820.873:123253): avc: denied { read write } for pid=3316 comm="ip" path="anon_inode:[eventpoll]" dev=anon_inodefs ino=3654 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=SYSCALL msg=audit(1361296820.873:123253): arch=c000003e syscall=59 success=yes exit=0 a0=14507d0 a1=127aaa0 a2=108b9b0 a3=0 items=0 ppid=2604 pid=3316 auid=4294967295 uid=164 gid=164 euid=164 suid=164 fsuid=164 egid=164 sgid=164 fsgid=164 tty=(none) ses=4294967295 comm="ip" exe="/sbin/ip" subj=system_u:system_r:ifconfig_t:s0 key=(null)
In this case, it seems a file descriptor opened by eventlet does not
have FD_CLOEXEC set, so it's left open and ip tries to access it, which
is blocked by SELinux. This particular denial is harmless, other than
polluting audit.log, but file descriptors other than stdin, stdout and
stderr should be closed when sub-processes are executed.
The nova.utils.execute() implementation addresses this by passing
close_fds=True to subprocess.Popen(). Quantum should do the same in
quantum.common.utils.subprocess_popen() on master and in
quantum.agent.linux.execute() on stable/folsom.
To manage notifications about this bug go to:
https://bugs.launchpad.net/quantum/+bug/1130735/+subscriptions
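The following is an added example, not code from Quantum, Nova or this bug thread, that reproduces the descriptor leak the report describes and shows both fixes side by side: subprocess.Popen(close_fds=True) as used by nova.utils.execute(), and setting FD_CLOEXEC on the individual descriptor with fcntl. It assumes a POSIX system and Python 3.4 or newer (os.set_inheritable is needed because newer interpreters already mark new descriptors close-on-exec, so the leaked state has to be recreated deliberately). The child probe program, the helper names and the pipe standing in for eventlet's epoll descriptor are all constructed for this example.

```python
"""Added example: why Popen(close_fds=True) (or FD_CLOEXEC on the descriptor)
stops an unrelated fd from leaking into a child such as `ip`.
Not Quantum's or Nova's code; every name below is constructed for this demo."""
import fcntl
import os
import subprocess
import sys

# Child program (constructed): reports whether argv[1] is an open fd in the
# child that refers to the same object (same st_dev/st_ino) the parent passed.
# Comparing inode numbers avoids a false "open" if the number was reused.
_CHILD_PROBE = """
import os, sys
fd, dev, ino = (int(a) for a in sys.argv[1:4])
try:
    st = os.fstat(fd)
    print('open' if (st.st_dev, st.st_ino) == (dev, ino) else 'closed')
except OSError:
    print('closed')
"""


def leaked_descriptor():
    """Create a descriptor in the state the bug describes: open, with
    FD_CLOEXEC clear, so exec() hands it to the child.  Python >= 3.4 marks new
    fds close-on-exec by default (PEP 446), so inheritability is switched back on
    here to mimic the Python 2 / eventlet situation in the report."""
    r, w = os.pipe()
    os.close(w)
    os.set_inheritable(r, True)   # clears FD_CLOEXEC on the read end
    return r


def set_cloexec(fd):
    """The per-descriptor fix: mark one fd close-on-exec via fcntl."""
    flags = fcntl.fcntl(fd, fcntl.F_GETFD)
    fcntl.fcntl(fd, fcntl.F_SETFD, flags | fcntl.FD_CLOEXEC)


def fd_visible_in_child(fd, close_fds):
    """Spawn a child with Popen(close_fds=...) and ask whether `fd` survived
    the exec.  Returns 'open' or 'closed'."""
    st = os.fstat(fd)
    proc = subprocess.Popen(
        [sys.executable, "-c", _CHILD_PROBE,
         str(fd), str(st.st_dev), str(st.st_ino)],
        close_fds=close_fds,
        stdout=subprocess.PIPE,
    )
    out, _ = proc.communicate()
    return out.decode().strip()


def demo():
    """Run the three cases and return {case: 'open' | 'closed'}."""
    fd = leaked_descriptor()
    try:
        results = {
            # the buggy call: nothing closes the stray fd, the child inherits it
            "close_fds=False": fd_visible_in_child(fd, close_fds=False),
            # the nova.utils.execute() style fix
            "close_fds=True": fd_visible_in_child(fd, close_fds=True),
        }
        # the alternative fix: tag the descriptor itself, then exec as before
        set_cloexec(fd)
        results["FD_CLOEXEC set, close_fds=False"] = fd_visible_in_child(
            fd, close_fds=False)
    finally:
        os.close(fd)
    return results


if __name__ == "__main__":
    for case, state in demo().items():
        print(f"{case:32s} -> fd {state} in child")
```

Two caveats for anyone porting the fix: close_fds=True closes everything above fd 2, so a child that legitimately needs a descriptor (for example a socket handed to a helper) must have it listed in Popen's pass_fds argument; and the default changed between interpreters, since Python 2's subprocess defaulted to close_fds=False while Python 3.2 and later default to True on POSIX, so code that runs on both should pass the argument explicitly rather than rely on the default.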