
yahoo-eng-team team mailing list archive

[Bug 1509500] Re: novaclient stats all files in /usr/bin


Reviewed:  https://review.openstack.org/287449
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=1db573ff12172f0a278b7318fe8094527e2bc72a
Submitter: Jenkins
Branch:    master

commit 1db573ff12172f0a278b7318fe8094527e2bc72a
Author: Eric Larese <erlarese@xxxxxxxxxx>
Date:   Wed Mar 2 15:41:36 2016 -0500

    Use only_contrib option for nova_client calls
    
    Use the only_contrib option that was added by
    I030f4c55c2795c7f7973f5f12e54b9819c4a5578 to speed up nova_client calls
    and skip the search for nova_client extensions to reduce
    /var/log/audit noise.
    
    Change-Id: Ic97b342a3633ffdf05b02ddd81baad88e1605a75
    Closes-Bug: #1509500


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1509500

Title:
  novaclient stats all files in /usr/bin

Status in neutron:
  Fix Released
Status in python-novaclient:
  Fix Released

Bug description:
  It appears that novaclient is searching Python's sys.path to find
  novaclient's own executable, and a side effect of this is an operating
  system security package will log hundreds of errors each time this
  happens.  For example, this stack trace:

    /usr/lib/python2.7/site-packages/neutron/manager.py(244)get_plugin()
  -> return weakref.proxy(cls.get_instance().plugin)
    /usr/lib/python2.7/site-packages/neutron/manager.py(238)get_instance()
  -> cls._create_instance()
    /usr/lib/python2.7/site-packages/oslo_concurrency/lockutils.py(252)inner()
  -> return f(*args, **kwargs)
    /usr/lib/python2.7/site-packages/neutron/manager.py(224)_create_instance()
  -> cls._instance = cls()
    /usr/lib/python2.7/site-packages/neutron/manager.py(120)__init__()
  -> plugin_provider)
    /usr/lib/python2.7/site-packages/neutron/manager.py(157)_get_plugin_instance()
  -> return plugin_class()
    /usr/lib/python2.7/site-packages/neutron/quota/resource_registry.py(121)wrapper()
  -> return f(*args, **kwargs)
    /usr/lib/python2.7/site-packages/neutron/plugins/ml2/plugin.py(145)__init__()
  -> super(Ml2Plugin, self).__init__()
    /usr/lib/python2.7/site-packages/neutron/db/db_base_plugin_v2.py(103)__init__()
  -> self.nova_notifier = nova.Notifier()
    /usr/lib/python2.7/site-packages/neutron/notifiers/nova.py(98)__init__()
  -> ext for ext in nova_client.discover_extensions(NOVA_API_VERSION)
  > /usr/lib/python2.7/site-packages/novaclient/client.py(724)discover_extensions()
  -> _discover_via_contrib_path(version)

  This stack trace is from neutron server startup: a novaclient call
  is made which results in _discover_via_python_path() being invoked
  here: https://github.com/openstack/python-novaclient/blob/master/novaclient/client.py#L723

  This method uses pkgutil.iter_modules() which will search all of
  /usr/bin (among many other places).  An operating system security
  package such as SELinux on RedHat will log hundreds of errors like
  this to /var/log/audit/audit.log:

  type=AVC msg=audit(10/23/2015 15:41:08.766:368903) : avc:  denied  { getattr } for  pid=13716 comm=neutron-server path=/usr/bin/virsh dev="dm-5" ino=138258059 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:virsh_exec_t:s0 tclass=file

  One error is logged for every searched file in /usr/bin, about 1,300
  messages each time neutron-server restarts on my test system.  This
  generates a huge amount of noise in audit.log.  I have not attempted
  to reproduce this with Ubuntu / AppArmor to verify if the issue is the
  same.

  Is this something the novaclient code would worry about?  Is there
  some way I could submit a patch to fix this?

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1509500/+subscriptions
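The bug report describes a recognisable audit-log pattern: one process (comm=neutron-server, source type neutron_t) generates a burst of `getattr` denials against hundreds of distinct files that all live in one directory, because a library is walking that directory rather than because anything was attacked. Triage code that groups AVC records by source and permission can separate such a scan burst from denials that deserve individual review. The following is an added example written for this page, not code from the bug report, novaclient or neutron; the log lines are constructed in the human-readable (`ausearch -i` style) format quoted in the report, and the grouping keys, threshold and labels are this example's own choices.

```python
import re
from collections import defaultdict
from posixpath import dirname

# Constructed sample records in the same human-readable format the bug report
# quotes. They are made up for this example, not taken from a real audit.log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(10/23/2015 15:41:08.766:368903) : avc:  denied  { getattr } for  pid=13716 comm=neutron-server path=/usr/bin/virsh dev="dm-5" ino=138258059 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:virsh_exec_t:s0 tclass=file
type=AVC msg=audit(10/23/2015 15:41:08.767:368904) : avc:  denied  { getattr } for  pid=13716 comm=neutron-server path=/usr/bin/passwd dev="dm-5" ino=138258060 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file
type=AVC msg=audit(10/23/2015 15:41:08.767:368905) : avc:  denied  { getattr } for  pid=13716 comm=neutron-server path=/usr/bin/ssh dev="dm-5" ino=138258061 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
type=AVC msg=audit(10/23/2015 15:41:09.101:368906) : avc:  denied  { write } for  pid=2201 comm=httpd path=/var/www/uploads/a.txt dev="dm-5" ino=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(10/23/2015 15:41:09.101:368906) : arch=x86_64 syscall=open success=no exit=EACCES
"""

# "avc:  denied  { getattr } for  key=value ..." -> decision, permission set, trailing fields
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
# key=value tokens; values may be double-quoted (dev="dm-5") or bare
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of AVC fields for one record, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["decision"] = m.group("decision")
    fields["perms"] = tuple(sorted(m.group("perms").split()))
    return fields


def summarize_denials(log_text):
    """Group denials by (comm, scontext, tclass, perms).

    The target context is deliberately left out of the key: in a directory
    scan every file carries its own type (virsh_exec_t, passwd_exec_t, ...),
    and grouping by it would hide the burst.
    """
    groups = defaultdict(lambda: {"count": 0, "paths": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        key = (rec.get("comm"), rec.get("scontext"), rec.get("tclass"), rec["perms"])
        group = groups[key]
        group["count"] += 1
        if "path" in rec:
            group["paths"].add(rec["path"])
    return dict(groups)


def classify(groups, burst_threshold=50):
    """Label each group.

    'directory-scan burst': at least burst_threshold getattr denials, each on a
    distinct file, all in the same directory (the pattern from the bug report).
    Everything else is 'review individually'. Returns {key: (label, dir, count)}.
    """
    labels = {}
    for key, group in groups.items():
        perms = key[3]
        dirs = {dirname(p) for p in group["paths"]}
        is_burst = (
            group["count"] >= burst_threshold
            and perms == ("getattr",)
            and len(group["paths"]) == group["count"]
            and len(dirs) == 1
        )
        if is_burst:
            labels[key] = ("directory-scan burst", dirs.pop(), group["count"])
        else:
            labels[key] = ("review individually", None, group["count"])
    return labels


def report(log_text, burst_threshold=50):
    """Produce one summary line per group, sorted with the noisiest first."""
    labels = classify(summarize_denials(log_text), burst_threshold)
    lines = []
    for (comm, scontext, tclass, perms), (label, directory, count) in sorted(
            labels.items(), key=lambda item: -item[1][2]):
        where = f" in {directory}" if directory else ""
        lines.append(f"{count:5d} x {comm} ({scontext}) {tclass} {{ {' '.join(perms)} }}"
                     f" -> {label}{where}")
    return lines


if __name__ == "__main__":
    # Threshold lowered to 3 because the constructed sample is small; the
    # report speaks of ~1,300 records per neutron-server restart.
    for line in report(SAMPLE_AUDIT_LOG, burst_threshold=3):
        print(line)
```

Run against a real `ausearch -i -m AVC` export, the default threshold of 50 keeps ordinary one-off denials out of the burst bucket; only a sustained walk over a single directory by one source type, with a distinct path per record, is collapsed into one line, and every other group is kept for normal review.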