
yahoo-eng-team team mailing list archive

[Bug 1745443] [NEW] cannot restrict /var/lib/neutron permissions


Public bug reported:

Restricting access to the /var/lib/neutron path to the user neutron
negatively affects the dnsmasq processes spawned by the neutron dhcp-
agent, which execute as the dnsmasq user:

---------------------
2018-01-25T10:48:56.609668+00:00 d52-54-77-77-01-01 dnsmasq[25454]: started, version 2.78-security-prerelease cachesize 2000
2018-01-25T10:48:56.612892+00:00 d52-54-77-77-01-01 dnsmasq[25454]: compile time options: IPv6 GNU-getopt no-DBus i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify
2018-01-25T10:48:56.613198+00:00 d52-54-77-77-01-01 dnsmasq-dhcp[25454]: DHCP, static leases only on 192.168.123.0, lease time 1d
2018-01-25T10:48:56.613521+00:00 d52-54-77-77-01-01 dnsmasq-dhcp[25454]: DHCP, sockets bound exclusively to interface tap775d1b31-34
2018-01-25T10:48:56.613735+00:00 d52-54-77-77-01-01 dnsmasq[25454]: using nameserver 192.168.251.1#53
2018-01-25T10:48:56.613946+00:00 d52-54-77-77-01-01 dnsmasq[25454]: failed to load names from /var/lib/neutron/dhcp/c78e2e07-4223-4c00-a52c-ff9e2637e35e/addn_hosts: Permission denied
2018-01-25T10:48:56.614153+00:00 d52-54-77-77-01-01 dnsmasq[25454]: cannot read /var/lib/neutron/dhcp/c78e2e07-4223-4c00-a52c-ff9e2637e35e/host: Permission denied
2018-01-25T10:48:56.614354+00:00 d52-54-77-77-01-01 dnsmasq[25454]: cannot read /var/lib/neutron/dhcp/c78e2e07-4223-4c00-a52c-ff9e2637e35e/opts: Permission denied
2018-01-25T10:48:56.622489+00:00 d52-54-77-77-01-01 haproxy[25455]: Proxy listener started.
2018-01-25T10:48:56.858479+00:00 d52-54-77-77-01-01 dnsmasq[25454]: failed to load names from /var/lib/neutron/dhcp/c78e2e07-4223-4c00-a52c-ff9e2637e35e/addn_hosts: Permission denied
2018-01-25T10:48:56.858834+00:00 d52-54-77-77-01-01 dnsmasq[25454]: cannot read /var/lib/neutron/dhcp/c78e2e07-4223-4c00-a52c-ff9e2637e35e/host: Permission denied
2018-01-25T10:48:56.859148+00:00 d52-54-77-77-01-01 dnsmasq[25454]: cannot read /var/lib/neutron/dhcp/c78e2e07-4223-4c00-a52c-ff9e2637e35e/opts: Permission denied
2018-01-25T10:48:56.916623+00:00 d52-54-77-77-01-01 dnsmasq[25454]: failed to load names from /var/lib/neutron/dhcp/c78e2e07-4223-4c00-a52c-ff9e2637e35e/addn_hosts: Permission denied
2018-01-25T10:48:56.916925+00:00 d52-54-77-77-01-01 dnsmasq[25454]: cannot read /var/lib/neutron/dhcp/c78e2e07-4223-4c00-a52c-ff9e2637e35e/host: Permission denied
2018-01-25T10:48:56.917146+00:00 d52-54-77-77-01-01 dnsmasq[25454]: cannot read /var/lib/neutron/dhcp/c78e2e07-4223-4c00-a52c-ff9e2637e35e/opts: Permission denied
---------------------

# ls -ald /var/lib/neutron
drwxr-x--- 7 neutron neutron 4096 Jan 25 11:55 /var/lib/neutron
---------------------

# ps -ef|grep dnsmasq
dnsmasq  13805     1  0 17:20 ?        00:00:00 dnsmasq --user=neutron --no-hosts --no-resolv --strict-order --except-interface=lo --pid-file=/var/lib/neutron/dhcp/c78e2e07-4223-4c00-a52c-ff9e2637e35e/pid --dhcp-hostsfile=/var/lib/neutron/dhcp/c78e2e07-4223-4c00-a52c-ff9e2637e35e/host --addn-hosts=/var/lib/neutron/dhcp/c78e2e07-4223-4c00-a52c-ff9e2637e35e/addn_hosts --dhcp-optsfile=/var/lib/neutron/dhcp/c78e2e07-4223-4c00-a52c-ff9e2637e35e/opts --dhcp-leasefile=/var/lib/neutron/dhcp/c78e2e07-4223-4c00-a52c-ff9e2637e35e/leases --dhcp-match=set:ipxe,175 --bind-interfaces --interface=tap775d1b31-34 --dhcp-range=set:tag0,192.168.123.0,static,255.255.255.0,86400s --dhcp-option-force=option:mtu,8858 --dhcp-lease-max=256 --conf-file= --server=192.168.251.1 --domain=openstack.local
---------------------


If the dnsmasq process is started as the neutron user using its '--user'
option, the problem disappears.

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1745443

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1745443/+subscriptions
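A permission preflight for the situation in the report above, added here as an example that is not part of the bug report or of neutron: it pulls the file-path options off a dnsmasq command line, applies the 0750 neutron:neutron mode shown by `ls -ald`, and lists which of the three files the log shows failing the process will be unable to open as the account it drops to. The abbreviated command line, the default account name `dnsmasq` and the group memberships are constructed assumptions; the group-membership case goes beyond the report (an account in the neutron group would pass the group search bit of 0750).

```python
import shlex
from typing import Dict, List, Set

# From the report's `ls -ald /var/lib/neutron`: drwxr-x--- neutron neutron
RESTRICTED_DIR = "/var/lib/neutron"
DIR_MODE, DIR_OWNER, DIR_GROUP = 0o750, "neutron", "neutron"

# The three file options whose targets the report's log shows failing with
# "Permission denied"; dnsmasq reads them after it has dropped privileges.
FILE_OPTS = ("--dhcp-hostsfile", "--addn-hosts", "--dhcp-optsfile")

# Constructed, abbreviated copy of the report's dnsmasq command line
# (network options omitted; the network UUID is the one from the log).
NET = "/var/lib/neutron/dhcp/c78e2e07-4223-4c00-a52c-ff9e2637e35e"
CMDLINE = (f"dnsmasq --no-hosts --no-resolv --pid-file={NET}/pid "
           f"--dhcp-hostsfile={NET}/host --addn-hosts={NET}/addn_hosts "
           f"--dhcp-optsfile={NET}/opts --dhcp-leasefile={NET}/leases "
           "--bind-interfaces --interface=tap775d1b31-34 --conf-file=")


def parse_cmdline(cmdline: str, default_user: str):
    """Return (account dnsmasq drops to, [config file paths]); without
    --user the build-time default account is used (assumed "dnsmasq")."""
    user, paths = default_user, []
    for arg in shlex.split(cmdline)[1:]:
        opt, _, val = arg.partition("=")
        if opt == "--user" and val:
            user = val
        elif opt in FILE_OPTS and val:
            paths.append(val)
    return user, paths


def can_traverse(user: str, groups: Set[str]) -> bool:
    """Owner/group/other check for the search (x) bit on RESTRICTED_DIR."""
    if user == DIR_OWNER:
        bit = 0o100
    elif DIR_GROUP in groups:
        bit = 0o010
    else:
        bit = 0o001
    return bool(DIR_MODE & bit)


def predict_denied(cmdline: str, default_user: str,
                   groups_of: Dict[str, Set[str]]) -> List[str]:
    """Paths under RESTRICTED_DIR the dropped-privilege process cannot open."""
    user, paths = parse_cmdline(cmdline, default_user)
    if can_traverse(user, groups_of.get(user, set())):
        return []
    return [p for p in paths if p.startswith(RESTRICTED_DIR + "/")]
```

Running `predict_denied(CMDLINE, "dnsmasq", {"dnsmasq": {"dnsmasq"}})` reproduces the three denied files from the log, and appending `--user=neutron` to the command line empties the list, matching the reporter's observation.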