[Openstack-security] [Bug 1187107] Fix merged to neutron (master)

OpenStack Infra 1187107 at bugs.launchpad.net
Mon Jan 5 21:27:56 UTC 2015


Reviewed:  https://review.openstack.org/136840
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=b78c5e54abd10fc71a46788110f9f36e6496414e
Submitter: Jenkins
Branch:    master

commit b78c5e54abd10fc71a46788110f9f36e6496414e
Author: Cedric Brandily <zzelle at gmail.com>
Date:   Mon Nov 24 15:53:04 2014 +0000

    Do not run neutron-ns-metadata-proxy as root on L3 agent
    
    Currently neutron-ns-metadata-proxy runs with root permissions when
    namespaces are enabled on the l3 agent because root permissions are
    required to "enter" the namespace. But neutron-ns-metadata-proxy
    permissions should be reduced as much as possible because it is
    reachable from vms.
    
    This change allows changing neutron-ns-metadata-proxy permissions
    after its startup through the 2 new options metadata_proxy_user and
    metadata_proxy_group, which define the user/group running the metadata
    proxy after its initialization. Their default values are the
    neutron-l3-agent effective user and group.
    
    The permissions drop is done after the metadata proxy daemon writes its
    pid to its pidfile (writing it could be disallowed after the permissions drop).
    
    Using nobody as metadata_proxy_user/group (more secure) is currently
    not supported because:
    
    * nobody does not have permission to connect to the metadata socket,
    * nobody does not have permission to log to file because neutron uses
      WatchedFileHandler (which requires read/write permissions after
      the permissions drop).
    This limitation will be addressed in a daughter change.
    
    DocImpact
    Partial-Bug: #1187107
    Change-Id: I55c8c3fb14ed91ae8570f98f19c2cdbaf89d42fc
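The ordering the commit message describes (write the pidfile while still privileged, then drop group before user) is shown below as an added example; it is not neutron's code. The `RecordingSyscalls` class, `resolve_ids` and `start_proxy` names are assumptions here, and the syscall object is injectable so the sequence can be checked without root.

```python
import grp
import os
import pwd


def resolve_ids(user=None, group=None):
    """Map metadata_proxy_user/group (name or numeric id) to a (uid, gid) pair.

    None mirrors the default in the commit message: the process's own
    effective user and group, so the drop is a no-op unless configured.
    """
    if user is None:
        uid = os.geteuid()
    else:
        uid = int(user) if str(user).isdigit() else pwd.getpwnam(user).pw_uid
    if group is None:
        gid = os.getegid()
    else:
        gid = int(group) if str(group).isdigit() else grp.getgrnam(group).gr_gid
    return uid, gid


class RecordingSyscalls:
    """Stand-in for os.setgroups/setgid/setuid (hypothetical), used when not root."""

    def __init__(self):
        self.calls = []

    def setgroups(self, groups):
        self.calls.append(("setgroups", list(groups)))

    def setgid(self, gid):
        self.calls.append(("setgid", gid))

    def setuid(self, uid):
        self.calls.append(("setuid", uid))


def start_proxy(pid_file, user=None, group=None, syscalls=os):
    """Record the pid first, then drop privileges; returns the step order."""
    steps = []
    # 1. The pidfile directory may be unwritable for the unprivileged user,
    #    so the pid is written while the process is still root.
    with open(pid_file, "w") as f:
        f.write(str(os.getpid()))
    steps.append("pidfile")
    uid, gid = resolve_ids(user, group)
    # 2. Supplementary groups and primary group go first: after setuid to an
    #    unprivileged uid, setgroups/setgid would fail with EPERM.
    syscalls.setgroups([gid])
    steps.append("setgroups")
    syscalls.setgid(gid)
    steps.append("setgid")
    syscalls.setuid(uid)
    steps.append("setuid")
    return steps
```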

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1187107

Title:
  quantum-ns-metadata-proxy runs as root

Status in OpenStack Neutron (virtual network service):
  In Progress

Bug description:
  # ps -ef | grep quantum-ns-metadata-proxy
  root     10239     1  0 19:01 ?        00:00:00 python /usr/bin/quantum-ns-metadata-proxy --pid_file=/var/lib/quantum/external/pids/7a44de32-3ac0-4f3e-92cc-1a37d8211db8.pid --router_id=7a44de32-3ac0-4f3e-92cc-1a37d8211db8 --state_path=/var/lib/quantum --debug --log-file=quantum-ns-metadata-proxy7a44de32-3ac0-4f3e-92cc-1a37d8211db8.log --log-dir=/var/log/quantum

  Root is needed to open the namespace, but the quantum-ns-metadata-proxy does not need root - it listens on 9697 by default, not 80.

  I tried changing /etc/quantum/rootwrap.d/l3.filters for it to run as
  quantum instead:

  metadata_proxy: CommandFilter, /usr/bin/quantum-ns-metadata-proxy,
  quantum

  but it still runs as root.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1187107/+subscriptions
