[Openstack-security] [Bug 1187107] Re: quantum-ns-metadata-proxy runs as root
OpenStack Infra
1187107 at bugs.launchpad.net
Wed Mar 4 17:20:56 UTC 2015
Reviewed: https://review.openstack.org/147437
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=ac6cf685176c3a985a71174b9e8f0161068e38e0
Submitter: Jenkins
Branch: master
commit ac6cf685176c3a985a71174b9e8f0161068e38e0
Author: Cedric Brandily <zzelle at gmail.com>
Date: Wed Jan 7 23:12:20 2015 +0000
Do not run neutron-ns-metadata-proxy as root on dhcp agent
Currently neutron-ns-metadata-proxy runs with root permissions when
namespaces are enabled on the dhcp agent because root permissions are
required to "enter" the namespace. But neutron-ns-metadata-proxy
permissions should be reduced as much as possible because it is
reachable from VMs.
This change allows changing neutron-ns-metadata-proxy permissions
after its startup through the 2 new options metadata_proxy_user and
metadata_proxy_group, which allow defining the user/group running the
metadata proxy after its initialization. Their default values are the
neutron-dhcp-agent effective user and group.
This change delegates metadata proxy management to metadata driver
methods in order to reuse the work already done on l3 agent side.
The permissions drop is done after the metadata proxy daemon writes its
pid to its pidfile (this could be disallowed after the permissions drop)
and after the metadata proxy daemon binds its privileged server port (80).
Using nobody as metadata_proxy_user/group (more secure) is currently
not supported because:
* nobody does not have permission to connect to the metadata socket,
* nobody does not have permission to log to a file because neutron uses
WatchedFileHandler (which requires read/write permissions after the
permissions drop).
This limitation will be addressed in a daughter change.
DocImpact
Closes-Bug: #1187107
Change-Id: I53e97254d560e608101010f67bd2dcdec81fb6a2
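The commit message above fixes an ordering that is easy to get wrong: the root-only work (binding a port below 1024, writing the pidfile into a root-owned directory) has to happen first, and the switch to the unprivileged user has to set supplementary groups and the gid before the uid, because once the uid is unprivileged those calls fail with EPERM. The following is an added example, not Neutron's code, showing that sequence in plain Python. The function names (drop_privileges, privileged_startup), the FakeSyscalls stand-in, and the use of port 0 and a temp directory so it can run as a normal user are all assumptions for illustration; the real daemon binds port 80 and writes under state_path.

```python
"""Drop root after privileged setup: bind first, write the pidfile, then
switch user/group.  Added example; not Neutron project code.  Names such
as drop_privileges/privileged_startup/FakeSyscalls are illustrative."""
import grp
import os
import pwd
import socket
import tempfile


def resolve_ids(user, group):
    """Map a user/group name or numeric id (the metadata_proxy_user /
    metadata_proxy_group option values) to a (uid, gid) pair."""
    uid = int(user) if str(user).isdigit() else pwd.getpwnam(user).pw_uid
    gid = int(group) if str(group).isdigit() else grp.getgrnam(group).gr_gid
    return uid, gid


class FakeSyscalls:
    """Simplified stand-in for os.setgroups/setgid/setuid so the sequence
    can be exercised without actually being root.  It enforces one rule:
    once uid != 0, every set* call fails with EPERM, which is the failure
    mode a wrong ordering hits on a real kernel."""

    def __init__(self, uid=0, gid=0):
        self.uid, self.gid, self.groups = uid, gid, [0]

    def getuid(self):
        return self.uid

    def getgid(self):
        return self.gid

    def _require_root(self):
        if self.uid != 0:
            raise PermissionError("EPERM: not root any more")

    def setgroups(self, groups):
        self._require_root()
        self.groups = list(groups)

    def setgid(self, gid):
        self._require_root()
        self.gid = gid

    def setuid(self, uid):
        self._require_root()
        self.uid = uid


def drop_privileges(uid, gid, sys_calls=os):
    """Irreversibly switch to uid/gid; returns the ordered calls made.
    setgroups and setgid must run while still root; setuid goes last."""
    calls = []
    if sys_calls.getuid() != 0:
        return calls  # already unprivileged; nothing to drop
    sys_calls.setgroups([])          # shed root's supplementary groups
    calls.append(("setgroups", []))
    sys_calls.setgid(gid)
    calls.append(("setgid", gid))
    sys_calls.setuid(uid)            # after this there is no way back
    calls.append(("setuid", uid))
    if sys_calls.getuid() != uid or sys_calls.getgid() != gid:
        raise RuntimeError("privilege drop did not take effect")
    return calls


def privileged_startup(port, pid_file, uid, gid, sys_calls=os):
    """Root-only steps first (bind, pidfile), then drop; returns step names."""
    steps = []
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("127.0.0.1", port))   # port < 1024 needs root: do it now
    steps.append("bind")
    with open(pid_file, "w") as fh:  # root-owned dir: may be refused later
        fh.write("%d\n" % os.getpid())
    steps.append("write_pidfile")
    steps.extend(name for name, _ in drop_privileges(uid, gid, sys_calls))
    steps.append("serve")            # request handling runs unprivileged
    sock.close()
    return steps


def demo():
    """Run the whole sequence as an ordinary user using FakeSyscalls and an
    ephemeral port; returns (steps, pid recorded in the pidfile)."""
    pid_file = os.path.join(tempfile.mkdtemp(), "ns-metadata-proxy.pid")
    steps = privileged_startup(0, pid_file, 65534, 65534, FakeSyscalls())
    with open(pid_file) as fh:
        pid = int(fh.read())
    return steps, pid


if __name__ == "__main__":
    print(demo())
```

Running it with the real os module instead of FakeSyscalls requires starting as root; the FakeSyscalls path is only there to make the ordering checkable unprivileged.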
** Changed in: neutron
Status: In Progress => Fix Committed
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1187107
Title:
quantum-ns-metadata-proxy runs as root
Status in OpenStack Neutron (virtual network service):
Fix Committed
Bug description:
# ps -ef | grep quantum-ns-metadata-proxy
root 10239 1 0 19:01 ? 00:00:00 python /usr/bin/quantum-ns-metadata-proxy --pid_file=/var/lib/quantum/external/pids/7a44de32-3ac0-4f3e-92cc-1a37d8211db8.pid --router_id=7a44de32-3ac0-4f3e-92cc-1a37d8211db8 --state_path=/var/lib/quantum --debug --log-file=quantum-ns-metadata-proxy7a44de32-3ac0-4f3e-92cc-1a37d8211db8.log --log-dir=/var/log/quantum
Root is needed to open the namespace, but the quantum-ns-metadata-proxy does not need root - it listens on 9697 by default, not 80.
I tried changing /etc/quantum/rootwrap.d/l3.filters for it to run as quantum instead:
metadata_proxy: CommandFilter, /usr/bin/quantum-ns-metadata-proxy, quantum
but it still runs as root.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1187107/+subscriptions
More information about the Openstack-security
mailing list