[Openstack-security] [Bug 1187107] Fix merged to neutron (master)
OpenStack Infra
1187107 at bugs.launchpad.net
Tue Jan 27 06:35:22 UTC 2015
Reviewed: https://review.openstack.org/147436
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=e171271f127cb48a89df78ec98ba732caf2da980
Submitter: Jenkins
Branch: master
commit e171271f127cb48a89df78ec98ba732caf2da980
Author: Cedric Brandily <zzelle at gmail.com>
Date: Wed Jan 7 22:21:10 2015 +0000
Move shared metadata driver related config options

This change moves metadata driver related config options to metadata
driver module to prepare the use of metadata driver method in the dhcp
agent (daughter change). The metadata_port option is not moved as the
dhcp agent uses a non-configurable port (80).

Change-Id: Ie45fdad86f33d35fca3096c4c52fae941a279e76
Partial-Bug: #1187107
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1187107
Title:
quantum-ns-metadata-proxy runs as root
Status in OpenStack Neutron (virtual network service):
In Progress
Bug description:
# ps -ef | grep quantum-ns-metadata-proxy
root 10239 1 0 19:01 ? 00:00:00 python /usr/bin/quantum-ns-metadata-proxy --pid_file=/var/lib/quantum/external/pids/7a44de32-3ac0-4f3e-92cc-1a37d8211db8.pid --router_id=7a44de32-3ac0-4f3e-92cc-1a37d8211db8 --state_path=/var/lib/quantum --debug --log-file=quantum-ns-metadata-proxy7a44de32-3ac0-4f3e-92cc-1a37d8211db8.log --log-dir=/var/log/quantum
Root is needed to open the namespace, but the quantum-ns-metadata-proxy does not need root - it listens on 9697 by default, not 80.
I tried changing /etc/quantum/rootwrap.d/l3.filters for it to run as
quantum instead:
metadata_proxy: CommandFilter, /usr/bin/quantum-ns-metadata-proxy, quantum
but it still runs as root.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1187107/+subscriptions
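The check from the bug description, automated as an added example (not part of the bug report or of neutron's code): it scans `ps -ef` output and reports metadata proxy processes owned by root, ignoring the `grep` process that matches by name only. The function names are hypothetical; the first sample row is the one quoted in the report and the other rows are constructed.

```python
import os

# Binary name from the report, plus its name after the Quantum -> Neutron rename.
PROXY_NAMES = {"quantum-ns-metadata-proxy", "neutron-ns-metadata-proxy"}

# First process row is quoted from the bug report; header and the rest are constructed.
SAMPLE_PS = """\
UID PID PPID C STIME TTY TIME CMD
root 10239 1 0 19:01 ? 00:00:00 python /usr/bin/quantum-ns-metadata-proxy --pid_file=/var/lib/quantum/external/pids/7a44de32-3ac0-4f3e-92cc-1a37d8211db8.pid --router_id=7a44de32-3ac0-4f3e-92cc-1a37d8211db8 --state_path=/var/lib/quantum --debug --log-file=quantum-ns-metadata-proxy7a44de32-3ac0-4f3e-92cc-1a37d8211db8.log --log-dir=/var/log/quantum
quantum 10311 1 0 19:02 ? 00:00:00 python /usr/bin/quantum-ns-metadata-proxy --router_id=00000000-0000-0000-0000-000000000001 --state_path=/var/lib/quantum
root 10400 9000 0 19:05 pts/0 00:00:00 grep quantum-ns-metadata-proxy
"""


def proxy_argv(cmd):
    """Return the proxy's argv if cmd executes the proxy itself, else None."""
    argv = cmd.split()
    if not argv:
        return None
    # The proxy is a Python script, so skip a leading interpreter.
    if os.path.basename(argv[0]).startswith("python") and len(argv) > 1:
        argv = argv[1:]
    # Only the executed program counts; "grep <name>" must not match.
    return argv if os.path.basename(argv[0]) in PROXY_NAMES else None


def root_proxies(ps_output):
    """List metadata proxy processes in `ps -ef` output that run as root."""
    findings = []
    for line in ps_output.splitlines():
        fields = line.split(None, 7)  # UID PID PPID C STIME TTY TIME CMD
        if len(fields) < 8 or fields[0] == "UID":
            continue
        uid, pid, cmd = fields[0], fields[1], fields[7]
        argv = proxy_argv(cmd)
        if argv is None or uid not in ("root", "0"):
            continue
        # Collect --key=value options so the finding names the affected router.
        opts = dict(a.lstrip("-").split("=", 1) for a in argv[1:] if "=" in a)
        findings.append({"pid": int(pid), "router_id": opts.get("router_id")})
    return findings


if __name__ == "__main__":
    for finding in root_proxies(SAMPLE_PS):
        print("metadata proxy running as root:", finding)
```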