[opensuse-cloud] wrong filters in /etc/quantum/rootwrap.d/iptables-firewall.filters
There are problems with quantum-dhcp-agent, because the entries in /etc/quantum/rootwrap.d/iptables-firewall.filters are not correct.

---snip---
[Filters]

# quantum/agent/linux/iptables_manager.py
#   "iptables-save", ...
iptables-save: CommandFilter, /sbin/iptables-save, root
iptables-restore: CommandFilter, /sbin/iptables-restore, root
ip6tables-save: CommandFilter, /sbin/ip6tables-save, root
ip6tables-restore: CommandFilter, /sbin/ip6tables-restore, root

# quantum/agent/linux/iptables_manager.py
#   "iptables", "-A", ...
iptables: CommandFilter, /sbin/iptables, root
ip6tables: CommandFilter, /sbin/ip6tables, root
---snap---

But on SUSE we have /usr/sbin/iptables-save, /usr/sbin/iptables-restore, ...

I'll add a patch to the openstack-quantum package to fix this issue.

Looks like there are also issues in dhcp.filter. dnsmasq is also in /usr/sbin and not in /sbin.

Christian.

--
Christian Berendt
Cloud Computing Solution Architect
Tel.: +49-171-5542175
Mail: berendt@b1-systems.de

B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
--
To unsubscribe, e-mail: opensuse-cloud+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-cloud+owner@opensuse.org
2013/3/14 Christian Berendt <berendt@b1-systems.de>:

Hi Christian,

thanks for discovering these problems. I agree we should have already spent more time on debugging quantum, so thanks for uncovering those issues in finishing a setup.

> I'll add a patch to the openstack-quantum package to fix this issue.

This patch is not upstreamable. The usual way to do that is to duplicate all the filters, and give them the name x / x_usr and use one with /usr and one without:

iptables: CommandFilter, /sbin/iptables, root
iptables_usr: CommandFilter, /usr/sbin/iptables, root

This way we can upstream it. Ideally you'd do that yourself :-)

Thanks,
Dirk
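The x / x_usr duplication described in the message above, as an added example that is not part of the original thread or of the quantum code base: it parses a filters file, checks which pinned paths exist on the host, and emits the missing `_usr` twins while keeping every path absolute. The function names, the sample file and the simulated host are assumptions constructed for illustration.

```python
import configparser
import os

# Constructed sample, modelled on the filter lines quoted in this thread.
SAMPLE = """\
[Filters]
# quantum/agent/linux/iptables_manager.py
iptables-save: CommandFilter, /sbin/iptables-save, root
iptables: CommandFilter, /sbin/iptables, root
iptables_usr: CommandFilter, /usr/sbin/iptables, root
ip6tables: CommandFilter, /sbin/ip6tables, root
"""

def parse_filters(text):
    """Return {name: (filter_class, exec_path, [remaining args])}."""
    cp = configparser.RawConfigParser()
    cp.optionxform = str  # keep filter names case-sensitive
    cp.read_string(text)
    filters = {}
    for name, value in cp.items("Filters"):
        parts = [p.strip() for p in value.split(",")]
        # Assumption: as in the quoted file, every filter pins an absolute path.
        if len(parts) < 3 or not os.path.isabs(parts[1]):
            raise ValueError("filter %r must pin an absolute path: %r" % (name, value))
        filters[name] = (parts[0], parts[1], parts[2:])
    return filters

def usr_duplicates(text, exists=os.path.exists):
    """Return (lines_to_add, unresolved_names) for the host described by `exists`."""
    filters = parse_filters(text)
    # Binaries that at least one existing filter already reaches on this host.
    reachable = {os.path.basename(p) for _, p, _ in filters.values() if exists(p)}
    additions, unresolved = [], []
    for name, (cls, path, rest) in filters.items():
        if exists(path) or os.path.basename(path) in reachable:
            continue
        alt = "/usr" + path
        if path.startswith("/usr/") or not exists(alt):
            unresolved.append(name)  # needs a human decision, not a guess
        else:
            additions.append("%s_usr: %s, %s, %s" % (name, cls, alt, ", ".join(rest)))
    return additions, unresolved

if __name__ == "__main__":
    # Constructed stand-in for a SUSE host where the tools live in /usr/sbin.
    suse = {"/usr/sbin/iptables-save", "/usr/sbin/iptables"}
    adds, todo = usr_duplicates(SAMPLE, exists=suse.__contains__)
    print("\n".join(adds))
    print("unresolved:", todo)
```

Filters reported as unresolved point at a binary found under neither prefix, so they are left for review instead of being given a guessed path that would run as root.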
Hi,

On Thursday 14 March 2013, at 15:23 +0100, Christian Berendt wrote:
> There are problems with quantum-dhcp-agent, because the entries in /etc/quantum/rootwrap.d/iptables-firewall.filters are not correct.
>
> ---snip---
> [Filters]
>
> # quantum/agent/linux/iptables_manager.py
> #   "iptables-save", ...
> iptables-save: CommandFilter, /sbin/iptables-save, root
> iptables-restore: CommandFilter, /sbin/iptables-restore, root
> ip6tables-save: CommandFilter, /sbin/ip6tables-save, root
> ip6tables-restore: CommandFilter, /sbin/ip6tables-restore, root
>
> # quantum/agent/linux/iptables_manager.py
> #   "iptables", "-A", ...
> iptables: CommandFilter, /sbin/iptables, root
> ip6tables: CommandFilter, /sbin/ip6tables, root
> ---snap---
>
> But on SUSE we have /usr/sbin/iptables-save, /usr/sbin/iptables-restore, ...
>
> I'll add a patch to the openstack-quantum package to fix this issue.
>
> Looks like there are also issues in dhcp.filter. dnsmasq is also in /usr/sbin and not in /sbin.

FWIW, I would think the proper fix is something like https://review.openstack.org/#/c/16766/ (not sure why it wasn't done for quantum?)

Vincent

--
Happy people are not in a hurry.
2013/3/15 Vincent Untz <vuntz@opensuse.org>:

> FWIW, I would think the proper fix is something like https://review.openstack.org/#/c/16766/
> (not sure why it wasn't done for quantum?)

It seems Quantum does not use the rootwrap implementation from oslo/openstack-common yet. Let's see if we can fix that...

Greetings,
Dirk
2013/3/15 Dirk Müller <dirk@dmllr.de>:

> (not sure why it wasn't done for quantum?)
> Let's see if we can fix that...

Actually easier than I thought: https://review.openstack.org/#/c/24539/

Greetings,
Dirk
participants (3)
- Christian Berendt
- Dirk Müller
- Vincent Untz