Change /run bind mount for neutron/openvswitch

Currently we have a very wide /run mount for all Neutron/OVS services, which allows sudo/rootwrap to contact with the hosts dbus - all symptoms are documented in the related bug. Since we use tcp connections to OVS from Neutron agents - removing bind mounts. Closes-Bug: #1861792 Change-Id: Ifee4bec7b2e9ef4e2d624b1411f1a9e6332325c6 (cherry picked from commit 227008cf68)
2020-02-12 13:39:33 +01:00 · 2020-02-12 13:39:33 +01:00 · c4ad080d9a
parent 26d8fbcb6e
commit c4ad080d9a
4 changed files with 9 additions and 14 deletions
--- a/ansible/roles/neutron/defaults/main.yml
+++ b/ansible/roles/neutron/defaults/main.yml
@ -247,7 +247,6 @@ ironic_neutron_agent_dimensions: "{{ default_container_dimensions }}"
 neutron_dhcp_agent_default_volumes:
  - "{{ node_config_directory }}/neutron-dhcp-agent/:{{ container_config_directory }}/:ro"
  - "/etc/localtime:/etc/localtime:ro"
-  - "/run/:/run/:shared"
  - "neutron_metadata_socket:/var/lib/neutron/kolla/"
  - "kolla_logs:/var/log/kolla/"
  - "{{ kolla_dev_repos_directory ~ '/neutron/neutron:/var/lib/kolla/venv/lib/python' ~ distro_python_version ~ '/site-packages/neutron' if neutron_dev_mode | bool else '' }}"
@ -255,27 +254,23 @@ neutron_l3_agent_default_volumes:
  - "{{ node_config_directory }}/neutron-l3-agent/:{{ container_config_directory }}/:ro"
  - "/etc/localtime:/etc/localtime:ro"
  - "/lib/modules:/lib/modules:ro"
-  - "/run:/run:shared"
  - "neutron_metadata_socket:/var/lib/neutron/kolla/"
  - "kolla_logs:/var/log/kolla/"
  - "{{ kolla_dev_repos_directory ~ '/neutron/neutron:/var/lib/kolla/venv/lib/python' ~ distro_python_version ~ '/site-packages/neutron' if neutron_dev_mode | bool else '' }}"
 neutron_sriov_agent_default_volumes:
  - "{{ node_config_directory }}/neutron-sriov-agent/:{{ container_config_directory }}/:ro"
  - "/etc/localtime:/etc/localtime:ro"
-  - "/run:/run:shared"
  - "kolla_logs:/var/log/kolla/"
  - "{{ kolla_dev_repos_directory ~ '/neutron/neutron:/var/lib/kolla/venv/lib/python' ~ distro_python_version ~ '/site-packages/neutron' if neutron_dev_mode | bool else '' }}"
 neutron_linuxbridge_agent_default_volumes:
  - "{{ node_config_directory }}/neutron-linuxbridge-agent/:{{ container_config_directory }}/:ro"
  - "/etc/localtime:/etc/localtime:ro"
  - "/lib/modules:/lib/modules:ro"
-  - "/run:/run:shared"
  - "kolla_logs:/var/log/kolla/"
  - "{{ kolla_dev_repos_directory ~ '/neutron/neutron:/var/lib/kolla/venv/lib/python' ~ distro_python_version ~ '/site-packages/neutron' if neutron_dev_mode | bool else '' }}"
 neutron_metadata_agent_default_volumes:
  - "{{ node_config_directory }}/neutron-metadata-agent/:{{ container_config_directory }}/:ro"
  - "/etc/localtime:/etc/localtime:ro"
-  - "/run/:/run/:shared"
  - "neutron_metadata_socket:/var/lib/neutron/kolla/"
  - "kolla_logs:/var/log/kolla/"
  - "{{ kolla_dev_repos_directory ~ '/neutron/neutron:/var/lib/kolla/venv/lib/python' ~ distro_python_version ~ '/site-packages/neutron' if neutron_dev_mode | bool else '' }}"
@ -283,7 +278,6 @@ neutron_openvswitch_agent_default_volumes:
  - "{{ node_config_directory }}/neutron-openvswitch-agent/:{{ container_config_directory }}/:ro"
  - "/etc/localtime:/etc/localtime:ro"
  - "/lib/modules:/lib/modules:ro"
-  - "/run:/run:shared"
  - "kolla_logs:/var/log/kolla/"
  - "{{ kolla_dev_repos_directory ~ '/neutron/neutron:/var/lib/kolla/venv/lib/python' ~ distro_python_version ~ '/site-packages/neutron' if neutron_dev_mode | bool else '' }}"
 neutron_server_default_volumes:
@ -294,24 +288,20 @@ neutron_server_default_volumes:
 neutron_bgp_dragent_default_volumes:
  - "{{ node_config_directory }}/neutron-bgp-dragent/:{{ container_config_directory }}/:ro"
  - "/etc/localtime:/etc/localtime:ro"
-  - "/run:/run:shared"
  - "kolla_logs:/var/log/kolla/"
 neutron_infoblox_ipam_agent_default_volumes:
  - "{{ node_config_directory }}/neutron-infoblox-ipam-agent/:{{ container_config_directory }}/:ro"
  - "/etc/localtime:/etc/localtime:ro"
-  - "/run:/run:shared"
  - "kolla_logs:/var/log/kolla/"
 neutron_openvswitch_agent_xenapi_default_volumes:
  - "{{ node_config_directory }}/neutron-openvswitch-agent-xenapi/:{{ container_config_directory }}/:ro"
  - "/etc/localtime:/etc/localtime:ro"
  - "/lib/modules:/lib/modules:ro"
-  - "/run:/run:shared"
  - "kolla_logs:/var/log/kolla/"
  - "{{ kolla_dev_repos_directory ~ '/neutron/neutron:/var/lib/kolla/venv/lib/python' ~ distro_python_version ~ '/site-packages/neutron' if neutron_dev_mode | bool else '' }}"
 neutron_metering_agent_default_volumes:
  - "{{ node_config_directory }}/neutron-metering-agent/:{{ container_config_directory }}/:ro"
  - "/etc/localtime:/etc/localtime:ro"
-  - "/run:/run:shared"
  - "kolla_logs:/var/log/kolla/"
  - "{{ kolla_dev_repos_directory ~ '/neutron/neutron:/var/lib/kolla/venv/lib/python' ~ distro_python_version ~ '/site-packages/neutron' if neutron_dev_mode | bool else '' }}"
 ironic_neutron_agent_default_volumes:
--- a/ansible/roles/openvswitch/defaults/main.yml
+++ b/ansible/roles/openvswitch/defaults/main.yml
@ -55,14 +55,14 @@ openvswitch_db_default_volumes:
  - "{{ node_config_directory }}/openvswitch-db-server/:{{ container_config_directory }}/:ro"
  - "/etc/localtime:/etc/localtime:ro"
  - "/lib/modules:/lib/modules:ro"
-  - "/run:/run:shared"
+  - "/run/openvswitch:/run/openvswitch:shared"
  - "kolla_logs:/var/log/kolla/"
  - "openvswitch_db:/var/lib/openvswitch/"
 openvswitch_vswitchd_default_volumes:
  - "{{ node_config_directory }}/openvswitch-vswitchd/:{{ container_config_directory }}/:ro"
  - "/etc/localtime:/etc/localtime:ro"
  - "/lib/modules:/lib/modules:ro"
-  - "/run:/run:shared"
+  - "/run/openvswitch:/run/openvswitch:shared"
  - "kolla_logs:/var/log/kolla/"

 openvswitch_extra_volumes: "{{ default_extra_volumes }}"
--- a/ansible/roles/ovs-dpdk/defaults/main.yml
+++ b/ansible/roles/ovs-dpdk/defaults/main.yml
@ -78,14 +78,14 @@ ovsdpdk_vswitchd_dimensions: "{{ default_container_dimensions }}"
 ovsdpdk_db_default_volumes:
  - "{{ node_config_directory }}/ovsdpdk-db/:{{ container_config_directory }}/:ro"
  - "/etc/localtime:/etc/localtime:ro"
-  - "/run:/run:shared"
+  - "/run/openvswitch:/run/openvswitch:shared"
  - "kolla_logs:/var/log/kolla/"
  - "ovsdpdk_db:/var/lib/openvswitch/"
 ovsdpdk_vswitchd_default_volumes:
  - "{{ node_config_directory }}/ovsdpdk-vswitchd/:{{ container_config_directory }}/:ro"
  - "/etc/localtime:/etc/localtime:ro"
  - "/lib/modules:/lib/modules:ro"
-  - "/run:/run:shared"
+  - "/run/openvswitch:/run/openvswitch:shared"
  - "/dev:/dev:shared"
  - "kolla_logs:/var/log/kolla/"

--- a/releasenotes/notes/bug-1861792-a44a31693b0c786f.yaml
+++ b/releasenotes/notes/bug-1861792-a44a31693b0c786f.yaml
@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    Remove /run bind mounts in Neutron services causing dbus host-level
+    errors `LP# 1861792 <https://launchpad.net/bugs/1861792>`.