From c4ad080d9a0a79caadac39ecc1a2891219741797 Mon Sep 17 00:00:00 2001
From: Michal Nasiadka
Date: Wed, 12 Feb 2020 13:39:33 +0100
Subject: [PATCH] Change /run bind mount for neutron/openvswitch
Currently we have a very wide /run mount for all Neutron/OVS services, which allows sudo/rootwrap to contact with the hosts dbus - all symptoms are documented in the related bug. Since we use tcp connections to OVS from Neutron agents - removing bind mounts.
Closes-Bug: #1861792
Change-Id: Ifee4bec7b2e9ef4e2d624b1411f1a9e6332325c6
(cherry picked from commit 227008cf68aa68f340d95703e85355ae81585506)
---
 ansible/roles/neutron/defaults/main.yml | 10 ----------
 ansible/roles/openvswitch/defaults/main.yml | 4 ++--
 ansible/roles/ovs-dpdk/defaults/main.yml | 4 ++--
 releasenotes/notes/bug-1861792-a44a31693b0c786f.yaml | 5 +++++
 4 files changed, 9 insertions(+), 14 deletions(-)
 create mode 100644 releasenotes/notes/bug-1861792-a44a31693b0c786f.yaml
diff --git a/ansible/roles/neutron/defaults/main.yml b/ansible/roles/neutron/defaults/main.yml
index 483495f89c..b4af1de5a2 100644
--- a/ansible/roles/neutron/defaults/main.yml
+++ b/ansible/roles/neutron/defaults/main.yml
@@ -247,7 +247,6 @@ ironic_neutron_agent_dimensions: "{{ default_container_dimensions }}"
 neutron_dhcp_agent_default_volumes:
 - "{{ node_config_directory }}/neutron-dhcp-agent/:{{ container_config_directory }}/:ro"
 - "/etc/localtime:/etc/localtime:ro"
- - "/run/:/run/:shared"
 - "neutron_metadata_socket:/var/lib/neutron/kolla/"
 - "kolla_logs:/var/log/kolla/"
 - "{{ kolla_dev_repos_directory ~ '/neutron/neutron:/var/lib/kolla/venv/lib/python' ~ distro_python_version ~ '/site-packages/neutron' if neutron_dev_mode | bool else '' }}"
@@ -255,27 +254,23 @@ neutron_l3_agent_default_volumes:
 - "{{ node_config_directory }}/neutron-l3-agent/:{{ container_config_directory }}/:ro"
 - "/etc/localtime:/etc/localtime:ro"
 - "/lib/modules:/lib/modules:ro"
- - "/run:/run:shared"
 - "neutron_metadata_socket:/var/lib/neutron/kolla/"
 - "kolla_logs:/var/log/kolla/"
 - "{{ kolla_dev_repos_directory ~ '/neutron/neutron:/var/lib/kolla/venv/lib/python' ~ distro_python_version ~ '/site-packages/neutron' if neutron_dev_mode | bool else '' }}"
 neutron_sriov_agent_default_volumes:
 - "{{ node_config_directory }}/neutron-sriov-agent/:{{ container_config_directory }}/:ro"
 - "/etc/localtime:/etc/localtime:ro"
- - "/run:/run:shared"
 - "kolla_logs:/var/log/kolla/"
 - "{{ kolla_dev_repos_directory ~ '/neutron/neutron:/var/lib/kolla/venv/lib/python' ~ distro_python_version ~ '/site-packages/neutron' if neutron_dev_mode | bool else '' }}"
 neutron_linuxbridge_agent_default_volumes:
 - "{{ node_config_directory }}/neutron-linuxbridge-agent/:{{ container_config_directory }}/:ro"
 - "/etc/localtime:/etc/localtime:ro"
 - "/lib/modules:/lib/modules:ro"
- - "/run:/run:shared"
 - "kolla_logs:/var/log/kolla/"
 - "{{ kolla_dev_repos_directory ~ '/neutron/neutron:/var/lib/kolla/venv/lib/python' ~ distro_python_version ~ '/site-packages/neutron' if neutron_dev_mode | bool else '' }}"
 neutron_metadata_agent_default_volumes:
 - "{{ node_config_directory }}/neutron-metadata-agent/:{{ container_config_directory }}/:ro"
 - "/etc/localtime:/etc/localtime:ro"
- - "/run/:/run/:shared"
 - "neutron_metadata_socket:/var/lib/neutron/kolla/"
 - "kolla_logs:/var/log/kolla/"
 - "{{ kolla_dev_repos_directory ~ '/neutron/neutron:/var/lib/kolla/venv/lib/python' ~ distro_python_version ~ '/site-packages/neutron' if neutron_dev_mode | bool else '' }}"
@@ -283,7 +278,6 @@ neutron_openvswitch_agent_default_volumes:
 - "{{ node_config_directory }}/neutron-openvswitch-agent/:{{ container_config_directory }}/:ro"
 - "/etc/localtime:/etc/localtime:ro"
 - "/lib/modules:/lib/modules:ro"
- - "/run:/run:shared"
 - "kolla_logs:/var/log/kolla/"
 - "{{ kolla_dev_repos_directory ~ '/neutron/neutron:/var/lib/kolla/venv/lib/python' ~ distro_python_version ~ '/site-packages/neutron' if neutron_dev_mode | bool else '' }}"
 neutron_server_default_volumes:
@@ -294,24 +288,20 @@ neutron_server_default_volumes:
 neutron_bgp_dragent_default_volumes:
 - "{{ node_config_directory }}/neutron-bgp-dragent/:{{ container_config_directory }}/:ro"
 - "/etc/localtime:/etc/localtime:ro"
- - "/run:/run:shared"
 - "kolla_logs:/var/log/kolla/"
 neutron_infoblox_ipam_agent_default_volumes:
 - "{{ node_config_directory }}/neutron-infoblox-ipam-agent/:{{ container_config_directory }}/:ro"
 - "/etc/localtime:/etc/localtime:ro"
- - "/run:/run:shared"
 - "kolla_logs:/var/log/kolla/"
 neutron_openvswitch_agent_xenapi_default_volumes:
 - "{{ node_config_directory }}/neutron-openvswitch-agent-xenapi/:{{ container_config_directory }}/:ro"
 - "/etc/localtime:/etc/localtime:ro"
 - "/lib/modules:/lib/modules:ro"
- - "/run:/run:shared"
 - "kolla_logs:/var/log/kolla/"
 - "{{ kolla_dev_repos_directory ~ '/neutron/neutron:/var/lib/kolla/venv/lib/python' ~ distro_python_version ~ '/site-packages/neutron' if neutron_dev_mode | bool else '' }}"
 neutron_metering_agent_default_volumes:
 - "{{ node_config_directory }}/neutron-metering-agent/:{{ container_config_directory }}/:ro"
 - "/etc/localtime:/etc/localtime:ro"
- - "/run:/run:shared"
 - "kolla_logs:/var/log/kolla/"
 - "{{ kolla_dev_repos_directory ~ '/neutron/neutron:/var/lib/kolla/venv/lib/python' ~ distro_python_version ~ '/site-packages/neutron' if neutron_dev_mode | bool else '' }}"
 ironic_neutron_agent_default_volumes:
diff --git a/ansible/roles/openvswitch/defaults/main.yml b/ansible/roles/openvswitch/defaults/main.yml
index 7781356e21..9ccd22add2 100644
--- a/ansible/roles/openvswitch/defaults/main.yml
+++ b/ansible/roles/openvswitch/defaults/main.yml
@@ -55,14 +55,14 @@ openvswitch_db_default_volumes:
 - "{{ node_config_directory }}/openvswitch-db-server/:{{ container_config_directory }}/:ro"
 - "/etc/localtime:/etc/localtime:ro"
 - "/lib/modules:/lib/modules:ro"
- - "/run:/run:shared"
+ - "/run/openvswitch:/run/openvswitch:shared"
 - "kolla_logs:/var/log/kolla/"
 - "openvswitch_db:/var/lib/openvswitch/"
 openvswitch_vswitchd_default_volumes:
 - "{{ node_config_directory }}/openvswitch-vswitchd/:{{ container_config_directory }}/:ro"
 - "/etc/localtime:/etc/localtime:ro"
 - "/lib/modules:/lib/modules:ro"
- - "/run:/run:shared"
+ - "/run/openvswitch:/run/openvswitch:shared"
 - "kolla_logs:/var/log/kolla/"
 openvswitch_extra_volumes: "{{ default_extra_volumes }}"
diff --git a/ansible/roles/ovs-dpdk/defaults/main.yml b/ansible/roles/ovs-dpdk/defaults/main.yml
index 66be60bce0..495ee4330c 100644
--- a/ansible/roles/ovs-dpdk/defaults/main.yml
+++ b/ansible/roles/ovs-dpdk/defaults/main.yml
@@ -78,14 +78,14 @@ ovsdpdk_vswitchd_dimensions: "{{ default_container_dimensions }}"
 ovsdpdk_db_default_volumes:
 - "{{ node_config_directory }}/ovsdpdk-db/:{{ container_config_directory }}/:ro"
 - "/etc/localtime:/etc/localtime:ro"
- - "/run:/run:shared"
+ - "/run/openvswitch:/run/openvswitch:shared"
 - "kolla_logs:/var/log/kolla/"
 - "ovsdpdk_db:/var/lib/openvswitch/"
 ovsdpdk_vswitchd_default_volumes:
 - "{{ node_config_directory }}/ovsdpdk-vswitchd/:{{ container_config_directory }}/:ro"
 - "/etc/localtime:/etc/localtime:ro"
 - "/lib/modules:/lib/modules:ro"
- - "/run:/run:shared"
+ - "/run/openvswitch:/run/openvswitch:shared"
 - "/dev:/dev:shared"
 - "kolla_logs:/var/log/kolla/"
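Review bot: Both new `/run/openvswitch:/run/openvswitch:shared` entries (openvswitch_db_default_volumes and openvswitch_vswitchd_default_volumes) carry over the `shared` propagation flag from the old `/run` mount, and nothing visible here shows that it is still needed. Propagation only matters when filesystems are mounted beneath the bind; if this directory holds just the OVS sockets and pid files, `- "/run/openvswitch:/run/openvswitch"` gives the containers the same access with less coupling to the host mount table. The two ovsdpdk lists in ansible/roles/ovs-dpdk/defaults/main.yml have the same entry. A short comment above the entry, such as `# OVS socket directory only; a full /run mount exposes the host dbus socket (LP#1861792)`, would keep a later change from widening it again.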
diff --git a/releasenotes/notes/bug-1861792-a44a31693b0c786f.yaml b/releasenotes/notes/bug-1861792-a44a31693b0c786f.yaml
new file mode 100644
index 0000000000..cff5fee560
--- /dev/null
+++ b/releasenotes/notes/bug-1861792-a44a31693b0c786f.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+ - |
+ Remove /run bind mounts in Neutron services causing dbus host-level
+ errors `LP# 1861792 `.