
yahoo-eng-team team mailing list archive

[Bug 1130735] Re: file descriptors not closed when executing sub-processes

 

** Changed in: quantum/folsom
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to quantum.
https://bugs.launchpad.net/bugs/1130735

Title:
  file descriptors not closed when executing sub-processes

Status in OpenStack Quantum (virtual network service):
  Fix Released
Status in quantum folsom series:
  Fix Released

Bug description:
  SELinux logs denials such as the following from the ip command (pid
  3316) being executed by quantum-dhcp-agent (pid 2604):

  type=AVC msg=audit(1361296820.873:123253): avc:  denied  { read write } for  pid=3316 comm="ip" path="anon_inode:[eventpoll]" dev=anon_inodefs ino=3654 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
  type=SYSCALL msg=audit(1361296820.873:123253): arch=c000003e syscall=59 success=yes exit=0 a0=14507d0 a1=127aaa0 a2=108b9b0 a3=0 items=0 ppid=2604 pid=3316 auid=4294967295 uid=164 gid=164 euid=164 suid=164 fsuid=164 egid=164 sgid=164 fsgid=164 tty=(none) ses=4294967295 comm="ip" exe="/sbin/ip" subj=system_u:system_r:ifconfig_t:s0 key=(null)

  In this case, it seems a file descriptor opened by eventlet does not
  have FD_CLOEXEC set, so it's left open and ip tries to access it, which
  is blocked by SELinux. This particular denial is harmless, other than
  polluting audit.log, but file descriptors other than stdin, stdout and
  stderr should be closed when sub-processes are executed.

  The nova.utils.execute() implementation addresses this by passing
  close_fds=True to subprocess.Popen(). Quantum should do the same in
  quantum.common.utils.subprocess_popen() on master and in
  quantum.agent.linux.execute() on stable/folsom.

To manage notifications about this bug go to:
https://bugs.launchpad.net/quantum/+bug/1130735/+subscriptions
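The report above hinges on two independent mechanisms: a descriptor survives exec() unless it carries FD_CLOEXEC, and subprocess's close_fds=True closes every descriptor above 2 in the child regardless of that flag. The script below is an added illustration, not code from Quantum, Nova or eventlet. It assumes a POSIX host and Python 3.4 or later (where os.set_inheritable exists and subprocess.run supports capture_output), and it uses a plain pipe as a stand-in for the eventlet epoll descriptor in the bug; the probe program passed to the child and the function name probe_leak are my own, not project APIs.

```python
import os
import subprocess
import sys

# Child-side probe (constructed for this example). It reports "inherited" only
# when the given fd number refers to the very pipe the parent created (same
# device and inode), so an unrelated file that happens to reuse the fd number
# in the child is not mistaken for a leak.
PROBE = """
import os, sys
fd, dev, ino = (int(a) for a in sys.argv[1:])
try:
    st = os.fstat(fd)
except OSError:
    print("closed")
else:
    print("inherited" if (st.st_dev, st.st_ino) == (dev, ino) else "closed")
"""


def probe_leak(close_fds, cloexec):
    """Create a pipe in the parent and report whether a child process sees it.

    cloexec=False models a library that leaves FD_CLOEXEC unset, as the bug
    report says eventlet did; close_fds is handed straight to subprocess.run,
    which is the knob the Nova fix turns on.
    """
    r, w = os.pipe()
    try:
        # Python >= 3.4 creates descriptors non-inheritable (FD_CLOEXEC set).
        # Flip the flag so the read end behaves like the leaking epoll fd.
        os.set_inheritable(r, not cloexec)
        st = os.fstat(r)
        out = subprocess.run(
            [sys.executable, "-c", PROBE, str(r), str(st.st_dev), str(st.st_ino)],
            close_fds=close_fds,
            capture_output=True,
            text=True,
            check=True,
        )
        return out.stdout.strip() == "inherited"
    finally:
        os.close(r)
        os.close(w)


if __name__ == "__main__":
    # Three scenarios: the leaking configuration from the bug, the fix
    # (close_fds=True), and FD_CLOEXEC set with no help from subprocess.
    for close_fds, cloexec in [(False, False), (True, False), (False, True)]:
        print(f"close_fds={close_fds!s:5} FD_CLOEXEC={cloexec!s:5} "
              f"leaked={probe_leak(close_fds, cloexec)}")
```

Only the first scenario leaks: the descriptor reaches the child when it lacks FD_CLOEXEC and subprocess is told not to close it. Either setting FD_CLOEXEC on the descriptor or passing close_fds=True is sufficient on its own, which is why the fix belongs in the central execute helper rather than in every caller. Note that on Python 3.2 and later close_fds already defaults to True on POSIX, so the explicit argument matters most for code that still runs on Python 2, as the Folsom-era agents did.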