[openstack-dev] [neutron] Is this a bug in metadata proxy...

Paul Michali pc at michali.net
Wed Aug 31 12:16:29 UTC 2016


Hi,

I had seen something and was not sure if this was a subtle bug or not.

I have a Liberty based openstack setup. The account that is setting up
processes was user=neutron, group=neutron; however, the metadata_agent.ini
config file was set up for a different group. So there was a
metadata_proxy_user=neutron, and metadata_proxy_group=foo config setting.

This ini file was used by the metadata agent process, but it was not
included in the DHCP agent process (not sure if I should have included the
metadata_agent.ini in the startup of DHCP or should have added these two
metadata proxy settings to neutron.conf, so that they were available to
DHCP).

In any case, here is what I saw happen...

I created a subnet (not using a router in this setup). It looks like DHCP
starts up the metadata agent proxy daemon, and the DHCP configuration is
used, which does NOT include the metadata_proxy_user/group, so the current
user's uid and gid are used (neutron/neutron) for the
metadata_proxy_user/group settings.

The proxy calls drop_privileges(), and because the group is different,
the log file can no longer be accessed by the daemon. An OSError occurs
with permission denied on the log file for this process, and the process
exits without any indication.

When I then try to use metadata services it fails (obviously). Looking, we
see that the metadata service is running (but the proxy is not, and I don't
see a way for an end user to check that - is there a way?).

Looking in the proxy log, the initial startup messages are seen, showing
all the configuration settings, and then there is nothing more. No
indication that it is lowering privileges to run under some other
user/group, that there was a fatal error, or that it is working and ready
to process requests. Nothing more appears in the log, as it was working and
there were no metadata proxy requests occurring.

I was only able to figure it out by first checking to see if the proxy was
running, and then manually trying to start the proxy, using the command
line in the log, under a debugger, to find out that there was a permission
denied error.

So, it is likely a misconfiguration error on the user's part, but it was
really hard to figure that out.

Should/could we somehow indicate if there is an error lowering privs?

Is there a (user) way to tell if the proxy is running?

Is there some documentation indicating that the proxy user/group settings
need to be available for both the metadata agent and for other agents that
may spawn the proxy (DHCP, L3)?

Regards,

PCM
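The failure mode described in the post (a daemon drops to a uid/gid that cannot write its own log file, so the first log call after the identity change raises OSError and the process dies with an empty log) can be caught before it happens. The following is an added example, not Neutron's code and not from the poster: it checks writability of the log file for the target identity while still running as the spawning user, when logging still works, and refuses to start with an explicit message instead. All names in it (can_write_as, preflight_log_file, drop_privileges, make_sample_log, demo) are this example's own, and the permission model is deliberately limited to owner/mode bits.

```python
"""Pre-flight permission check for a daemon that drops privileges.

Added example; not Neutron's own code.  A proxy that calls drop_privileges()
to a metadata_proxy_user/metadata_proxy_group that cannot write its log file
fails on its next log call and exits silently.  Checking the TARGET identity
against the log file before switching identity lets the error be reported
while the log is still writable.
"""
import logging
import os
import stat
import sys
import tempfile

LOG = logging.getLogger("metadata-proxy-preflight")


def can_write_as(path, uid, gid, supplementary=()):
    """Decide from owner and mode bits whether the identity (uid, gid plus
    supplementary groups) could open `path` for writing.  POSIX ACLs,
    capabilities and parent-directory permissions are ignored on purpose;
    uid 0 is treated as always allowed, matching the kernel's DAC override.
    """
    st = os.stat(path)
    if uid == 0:
        return True
    mode = st.st_mode
    if st.st_uid == uid:            # owner class decides, even if group bits are wider
        return bool(mode & stat.S_IWUSR)
    if st.st_gid == gid or st.st_gid in supplementary:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def preflight_log_file(path, uid, gid, supplementary=()):
    """Raise PermissionError with an actionable message instead of letting a
    post-drop OSError disappear with the process."""
    if can_write_as(path, uid, gid, supplementary):
        return
    st = os.stat(path)
    raise PermissionError(
        "log file %s (owner %d:%d, mode %o) is not writable by the configured "
        "proxy identity uid=%d gid=%d; the metadata_proxy_user/"
        "metadata_proxy_group settings must be visible to every agent that "
        "spawns the proxy, not only to the metadata agent"
        % (path, st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode), uid, gid))


def drop_privileges(log_path, uid, gid, supplementary=()):
    """Check first, then change identity.  A failure is logged while the log
    is still writable and becomes a non-zero exit instead of a silent death."""
    try:
        preflight_log_file(log_path, uid, gid, supplementary)
        os.setgroups(list(supplementary))   # order matters: groups, gid, then uid
        os.setgid(gid)
        os.setuid(uid)
    except OSError as exc:
        LOG.critical("cannot drop privileges to %d:%d: %s", uid, gid, exc)
        sys.exit(1)
    LOG.info("now running as uid=%d gid=%d", os.getuid(), os.getgid())


def make_sample_log(mode):
    """Constructed sample input: a throwaway log file with an explicit mode."""
    fd, path = tempfile.mkstemp(prefix="metadata-proxy-", suffix=".log")
    os.close(fd)
    os.chmod(path, mode)
    return path


def demo():
    """Replay the scenario with constructed data: the spawning agent creates
    the log with mode 0660, then the proxy is told to run as a different uid,
    once in the file's group and once in an unrelated group ('foo', modelled
    as gid+1).  Returns (spawner_ok, same_group_ok, wrong_group_ok, message)."""
    path = make_sample_log(0o660)
    try:
        st = os.stat(path)
        other_uid, foo_gid = st.st_uid + 1, st.st_gid + 1
        spawner_ok = can_write_as(path, st.st_uid, st.st_gid)
        same_group_ok = can_write_as(path, other_uid, st.st_gid)
        wrong_group_ok = can_write_as(path, other_uid, foo_gid)
        try:
            preflight_log_file(path, other_uid, foo_gid)
            message = None
        except PermissionError as exc:
            message = str(exc)
        return spawner_ok, same_group_ok, wrong_group_ok, message
    finally:
        os.unlink(path)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(demo())
```

The check is advisory only: it reasons about mode bits, so a file protected by ACLs or a non-traversable parent directory can still fail after the real setuid(). Its value is that the failure is reported through a log the daemon can still write, which is exactly what was missing in the case above.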