yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1644517] [NEW] [neutron-vpnaas] libreswan driver requires root

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Paul Bourke <paul.bourke@xxxxxxxxxx>
Date: Thu, 24 Nov 2016 11:16:41 -0000
Reply-to: Bug 1644517 <1644517@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

The libreswan device driver attempts to both cleanup[0] and chown[1]
ipsec.secrets to root, using the bare python os module. From what I can
gather it should use neutron-rootwrap to do these operations, otherwise
the operator is forced to run the agent as root.

[0] https://github.com/openstack/neutron-vpnaas/blob/master/neutron_vpnaas/services/vpn/device_drivers/libreswan_ipsec.py#L40-L42
[1] https://github.com/openstack/neutron-vpnaas/blob/master/neutron_vpnaas/services/vpn/device_drivers/libreswan_ipsec.py#L50-L51

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1644517

Title:
  [neutron-vpnaas] libreswan driver requires root

Status in neutron:
  New

Bug description:
  The libreswan device driver attempts to both cleanup[0] and chown[1]
  ipsec.secrets to root, using the bare python os module. From what I
  can gather it should use neutron-rootwrap to do these operations,
  otherwise the operator is forced to run the agent as root.

  [0] https://github.com/openstack/neutron-vpnaas/blob/master/neutron_vpnaas/services/vpn/device_drivers/libreswan_ipsec.py#L40-L42
  [1] https://github.com/openstack/neutron-vpnaas/blob/master/neutron_vpnaas/services/vpn/device_drivers/libreswan_ipsec.py#L50-L51

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1644517/+subscriptions

Follow ups

[Bug 1644517] Re: [neutron-vpnaas] libreswan driver requires root
From: OpenStack Infra, 2018-02-09