yahoo-eng-team team mailing list archive
Message #46331
[Bug 1509500] Re: novaclient stats all files in /usr/bin
** Also affects: neutron
Importance: Undecided
Status: New
** Changed in: python-novaclient
Status: New => In Progress
** Changed in: python-novaclient
Importance: Undecided => Low
** Changed in: python-novaclient
Assignee: (unassigned) => Andrey Kurilin (andreykurilin)
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1509500
Title:
novaclient stats all files in /usr/bin
Status in neutron:
New
Status in python-novaclient:
In Progress
Bug description:
It appears that novaclient is searching Python's sys.path to find
novaclient's own executable, and a side effect of this is an operating
system security package will log hundreds of errors each time this
happens. For example, this stack trace:
/usr/lib/python2.7/site-packages/neutron/manager.py(244)get_plugin()
-> return weakref.proxy(cls.get_instance().plugin)
/usr/lib/python2.7/site-packages/neutron/manager.py(238)get_instance()
-> cls._create_instance()
/usr/lib/python2.7/site-packages/oslo_concurrency/lockutils.py(252)inner()
-> return f(*args, **kwargs)
/usr/lib/python2.7/site-packages/neutron/manager.py(224)_create_instance()
-> cls._instance = cls()
/usr/lib/python2.7/site-packages/neutron/manager.py(120)__init__()
-> plugin_provider)
/usr/lib/python2.7/site-packages/neutron/manager.py(157)_get_plugin_instance()
-> return plugin_class()
/usr/lib/python2.7/site-packages/neutron/quota/resource_registry.py(121)wrapper()
-> return f(*args, **kwargs)
/usr/lib/python2.7/site-packages/neutron/plugins/ml2/plugin.py(145)__init__()
-> super(Ml2Plugin, self).__init__()
/usr/lib/python2.7/site-packages/neutron/db/db_base_plugin_v2.py(103)__init__()
-> self.nova_notifier = nova.Notifier()
/usr/lib/python2.7/site-packages/neutron/notifiers/nova.py(98)__init__()
-> ext for ext in nova_client.discover_extensions(NOVA_API_VERSION)
> /usr/lib/python2.7/site-packages/novaclient/client.py(724)discover_extensions()
-> _discover_via_contrib_path(version)
This stack trace is during neutron server startup, a novaclient call
is made which results in _discover_via_python_path() being invoked
here: https://github.com/openstack/python-novaclient/blob/master/novaclient/client.py#L723
This method uses pkgutil.iter_modules() which will search all of
/usr/bin (among many other places). An operating system security
package such as SELinux on Red Hat will log hundreds of errors like
this to /var/log/audit/audit.log:
type=AVC msg=audit(10/23/2015 15:41:08.766:368903) : avc: denied { getattr } for pid=13716 comm=neutron-server path=/usr/bin/virsh dev="dm-5" ino=138258059 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:virsh_exec_t:s0 tclass=file
One error is logged for every searched file in /usr/bin, about 1,300
messages each time neutron-server restarts on my test system. This
generates a huge amount of noise in audit.log. I have not attempted
to reproduce this with Ubuntu / AppArmor to verify if the issue is the
same.
Is this something the novaclient code would worry about? Is there
some way I could submit a patch to fix this?
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1509500/+subscriptions
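Added example, not part of the original bug report or of novaclient's code: a Python script for triaging the kind of audit.log noise described above, grouping SELinux AVC denials by process, source type, permission and directory so that a sweep of one directory by one daemon stands out from unrelated denials. The function names, the min_paths threshold and every sample line except the /usr/bin/virsh record quoted in the report are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from os.path import dirname

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    fields["perms"] = tuple(m.group(1).split())
    return fields

def selinux_type(context):
    """Third field of user:role:type:level, or the raw string if malformed."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context

def directory_sweeps(lines, min_paths=3):
    """Group denials by (comm, source type, perms, tclass, directory) and
    return {group: distinct path count} for groups at or above min_paths."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or "path" not in rec:
            continue
        key = (rec.get("comm", "?"), selinux_type(rec.get("scontext", "?")),
               rec["perms"], rec.get("tclass", "?"), dirname(rec["path"]))
        groups[key].add(rec["path"])
    return {k: len(v) for k, v in groups.items() if len(v) >= min_paths}

# Constructed sample: the first line is the one quoted in the report; the rest
# (paths, inode numbers, target types, the httpd and SYSCALL records) are made up.
SAMPLE = """\
type=AVC msg=audit(10/23/2015 15:41:08.766:368903) : avc: denied { getattr } for pid=13716 comm=neutron-server path=/usr/bin/virsh dev="dm-5" ino=138258059 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:virsh_exec_t:s0 tclass=file
type=AVC msg=audit(10/23/2015 15:41:08.767:368904) : avc: denied { getattr } for pid=13716 comm=neutron-server path=/usr/bin/example-tool-a dev="dm-5" ino=138258060 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:example_a_exec_t:s0 tclass=file
type=AVC msg=audit(10/23/2015 15:41:08.768:368905) : avc: denied { getattr } for pid=13716 comm=neutron-server path=/usr/bin/example-tool-b dev="dm-5" ino=138258061 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:example_b_exec_t:s0 tclass=file
type=AVC msg=audit(10/23/2015 15:42:00.001:368950) : avc: denied { read } for pid=2001 comm=httpd path=/etc/example.conf dev="dm-5" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(10/23/2015 15:41:08.766:368903) : arch=x86_64 syscall=stat success=no exit=-13 comm=neutron-server
""".splitlines()

if __name__ == "__main__":
    for group, count in directory_sweeps(SAMPLE).items():
        print(count, group)
```

On a real system the threshold would be set well above 3; the report mentions about 1,300 records per neutron-server restart.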