Ask Your Question
1

Permission denied in dhcp agent

asked 2015-02-09 14:34:43 -0500

abhishek-i gravatar image

I am running Juno on Open Suse. I see this error:

2015-02-09 20:31:57.483 213 ERROR neutron.agent.dhcp_agent [-] Unable to enable dhcp for 4be52cd6-b2ad-4bc7-9941-d0543380df7b.
2015-02-09 20:31:57.483 213 TRACE neutron.agent.dhcp_agent Traceback (most recent call last):
2015-02-09 20:31:57.483 213 TRACE neutron.agent.dhcp_agent   File "/usr/lib/python2.7/site-packages/neutron/agent/dhcp_agent.py", line 128, in call_driver
2015-02-09 20:31:57.483 213 TRACE neutron.agent.dhcp_agent     getattr(driver, action)(**action_kwargs)
2015-02-09 20:31:57.483 213 TRACE neutron.agent.dhcp_agent   File "/usr/lib/python2.7/site-packages/neutron/agent/linux/dhcp.py", line 206, in enable
2015-02-09 20:31:57.483 213 TRACE neutron.agent.dhcp_agent     self.spawn_process()
2015-02-09 20:31:57.483 213 TRACE neutron.agent.dhcp_agent   File "/usr/lib/python2.7/site-packages/neutron/agent/linux/dhcp.py", line 427, in spawn_process
2015-02-09 20:31:57.483 213 TRACE neutron.agent.dhcp_agent     ip_wrapper.netns.execute(cmd, addl_env=env)
2015-02-09 20:31:57.483 213 TRACE neutron.agent.dhcp_agent   File "/usr/lib/python2.7/site-packages/neutron/agent/linux/ip_lib.py", line 550, in execute
2015-02-09 20:31:57.483 213 TRACE neutron.agent.dhcp_agent     check_exit_code=check_exit_code, extra_ok_codes=extra_ok_codes)
2015-02-09 20:31:57.483 213 TRACE neutron.agent.dhcp_agent   File "/usr/lib/python2.7/site-packages/neutron/agent/linux/utils.py", line 84, in execute
2015-02-09 20:31:57.483 213 TRACE neutron.agent.dhcp_agent     raise RuntimeError(m)
2015-02-09 20:31:57.483 213 TRACE neutron.agent.dhcp_agent RuntimeError:
2015-02-09 20:31:57.483 213 TRACE neutron.agent.dhcp_agent Command: ['sudo', 'neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qdhcp-4be52cd6-b2ad-4bc7-9941-d0543380df7b', 'env', 'NEUTRON_NETWORK_ID=4be52cd6-b2ad-4bc7-9941-d0543380df7b', 'dnsmasq', '--no-hosts', '--no-resolv', '--strict-order', '--bind-interfaces', '--interface=tapd75afbaa-52', '--except-interface=lo', '--pid-file=/var/lib/neutron/dhcp/4be52cd6-b2ad-4bc7-9941-d0543380df7b/pid', '--dhcp-hostsfile=/var/lib/neutron/dhcp/4be52cd6-b2ad-4bc7-9941-d0543380df7b/host', '--addn-hosts=/var/lib/neutron/dhcp/4be52cd6-b2ad-4bc7-9941-d0543380df7b/addn_hosts', '--dhcp-optsfile=/var/lib/neutron/dhcp/4be52cd6-b2ad-4bc7-9941-d0543380df7b/opts', '--leasefile-ro', '--dhcp-range=set:tag0,192.168.122.0,static,86400s', '--dhcp-lease-max=16', '--conf-file=', '--domain=openstacklocal']
2015-02-09 20:31:57.483 213 TRACE neutron.agent.dhcp_agent Exit code: 3
2015-02-09 20:31:57.483 213 TRACE neutron.agent.dhcp_agent Stdout: ''
2015-02-09 20:31:57.483 213 TRACE neutron.agent.dhcp_agent Stderr: '\ndnsmasq: failed to open pidfile /var/lib/neutron/dhcp/4be52cd6-b2ad-4bc7-9941-d0543380df7b/pid: Permission denied\n'

The root user owns that directory:

z0:/opt/ocs # ls -la /var/lib/neutron/dhcp/4be52cd6-b2ad-4bc7-9941-d0543380df7b/
total 16
drwxr-xr-x 1 root root  54 Feb  9 20:33 .
drwxr-xr-x 1 root root  72 Feb  7 00:59 ..
-rw-r--r-- 1 root root 201 Feb  9 20:33 addn_hosts
-rw-r--r-- 1 root root 198 Feb  9 20:33 host
-rw-r--r-- 1 root root  14 Feb  9 20:33 interface
-rw-r--r-- 1 root root  77 Feb  9 20:33 opts

How do I solve this?

edit retag flag offensive close merge delete

Comments

Change to "neutron:neutron" with chown?

Eric Xie gravatar imageEric Xie ( 2015-02-09 17:06:13 -0500 )edit

That did not help :(

abhishek-i gravatar imageabhishek-i ( 2015-02-10 12:28:21 -0500 )edit

under what user is neutron running?

sfcloudman gravatar imagesfcloudman ( 2015-02-10 14:16:10 -0500 )edit

neutron is running as root. Also, those files are owned by root.

abhishek-i gravatar imageabhishek-i ( 2015-02-10 16:00:32 -0500 )edit

Neutron should NOT run as root. That is the reason for rootwrap so it call in to sudo for the privileged commands that it needs to run.

sfcloudman gravatar imagesfcloudman ( 2015-02-10 23:28:18 -0500 )edit

2 answers

Sort by » oldest newest most voted
2

answered 2015-02-10 19:13:53 -0500

abhishek-i gravatar image

It turned out that apparmor was blocking writes to that directory. This worked fine on disabling apparmor. Thanks to everyone who looked into it.

edit flag offensive delete link more

Comments

How I despise apparmor. I wish it a slow death.

sfcloudman gravatar imagesfcloudman ( 2015-02-10 23:28:39 -0500 )edit

I totally second that. Took me a day to debug this!

abhishek-i gravatar imageabhishek-i ( 2015-02-11 16:28:11 -0500 )edit
1

answered 2015-02-09 20:26:27 -0500

Neutron uses root-wrap to execute shell commands.

https://wiki.openstack.org/wiki/Rootwrap

Not sure how you installed neutron but it looks like /etc/sudoers.d/neutron_sudoers is not there or doesnt have the correct contents.

In /etc/sudoers.d/neutron_sudoers you need to have this:

Defaults:neutron !requiretty

neutron ALL = (root) NOPASSWD: /usr/bin/neutron-rootwrap

This file should be on all dhcp nodes.

edit flag offensive delete link more

Comments

I'm on opensuse, so that file is called openstack-neutron. But I do have it and sudoers does include that directory. This is what I have:

Defaults:neutron !syslog
neutron ALL = (root) NOPASSWD: /usr/bin/neutron-rootwrap
abhishek-i gravatar imageabhishek-i ( 2015-02-10 12:28:06 -0500 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

Stats

Asked: 2015-02-09 14:34:43 -0500

Seen: 1,230 times

Last updated: Feb 10 '15