[openstack-dev] [neutron] Is this a bug in metadata proxy...

ZZelle zzelle at gmail.com
Mon Sep 12 11:49:23 UTC 2016


>
> I was wondering if the user/group should be (only) set in a common config,
> like neutron.conf, if it should be duplicated in dhcp and metadata config
> files, or if the metadata ini should be added to the list of ini files,
> when starting up the DHCP agent.
>

Previously, metadata_proxy_user/group were documented in neutron.conf (when
a neutron.conf sample was in the github repo) in order to deduce
metadata_proxy_socket_mode correctly.
You can also define them in both l3/dhcp.ini and metadata-agent.ini config
files, or set metadata_proxy_socket_mode explicitly in metadata-agent.ini.

But it's unrelated, as your trouble seems to be linked to a
metadata_proxy_watch_log misconfiguration, and
metadata_proxy_user/group/watch_log are all used by the dhcp/l3-agents.

> With the wrong config, I hit the access denied issue and had no info
> indicating that is what has happened. Was wondering if there was any
> protection against that misconfiguration case, or way to get an indication
> of it.
>


Before dropping privileges, we cannot detect such an access denial to the log
file (because of features like GRsec, PaX, RBAC).
After dropping privileges, we can only log to syslog or stdout if we catch
an access denial to the log file.

Cedric/ZZelle at IRC
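The two points above (how metadata_proxy_socket_mode is deduced from metadata_proxy_user/group, and why a log-file permission mistake only surfaces after privileges are dropped) as an added, stand-alone example; this is editor-written code, not neutron's, reproducing the deduce rule as I understand it, and the `log_preflight` / `make_sample_log` helpers are hypothetical names for an operator-side pre-flight check that the agent itself does not perform:

```python
import grp
import os
import pwd
import tempfile
# Values of neutron's metadata_proxy_socket_mode option.
DEDUCE, USER, GROUP, ALL = "deduce", "user", "group", "all"

def resolve_id(value, lookup, fallback):
    """Name, numeric string or empty ('' = the agent's own id) -> numeric id."""
    if not value:
        return fallback
    return int(value) if value.isdigit() else lookup(value)

def deduce_socket_mode(user, group, configured=DEDUCE,
                       agent_uid=None, agent_gid=None):
    """'deduce': same user as the agent or root -> user, same group -> group,
    anything else -> all (the socket must stay reachable by the proxy user)."""
    if configured != DEDUCE:
        return configured
    agent_uid = os.geteuid() if agent_uid is None else agent_uid
    agent_gid = os.getegid() if agent_gid is None else agent_gid
    uid = resolve_id(user, lambda n: pwd.getpwnam(n).pw_uid, agent_uid)
    gid = resolve_id(group, lambda n: grp.getgrnam(n).gr_gid, agent_gid)
    if uid in (0, agent_uid):
        return USER
    return GROUP if gid == agent_gid else ALL

def has_perm(path, uid, gid, want):
    """Would uid/gid get bits `want` on path from the inode alone? (No ACL/MAC.)"""
    st = os.stat(path)
    if uid == 0:
        return True
    shift = 6 if st.st_uid == uid else 3 if st.st_gid == gid else 0
    return (st.st_mode >> shift) & want == want

def log_preflight(log_file, user, group):
    """Hypothetical pre-drop check: could the future user/group append to
    log_file (w on the file), or create it (wx on its directory)?"""
    uid = resolve_id(user, lambda n: pwd.getpwnam(n).pw_uid, os.geteuid())
    gid = resolve_id(group, lambda n: grp.getgrnam(n).gr_gid, os.getegid())
    if os.path.exists(log_file):
        return has_perm(log_file, uid, gid, 0o2)
    return has_perm(os.path.dirname(log_file), uid, gid, 0o3)

def make_sample_log(mode):
    """Constructed sample input: an empty log file with the given mode bits."""
    fd, path = tempfile.mkstemp(prefix="metadata-proxy-")
    os.close(fd)
    os.chmod(path, mode)
    return path
```

The inode check is deliberately only the DAC view: as the reply notes, grsecurity/PaX or an RBAC policy can still deny the write once privileges are dropped, which is why the check is a hint and not a guarantee.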