Comment 3 for bug 1673832

Antoni Segura Puimedon (celebdor) wrote :

The issue is that privsep, as it is used from os-vif, tries to use sudo to run things as root. However, CNI is already run as root. So this makes little sense. The privsep mode that should be used is Method.FORK.

The following snippet forces it:

diff --git a/kuryr_kubernetes/cni/main.py b/kuryr_kubernetes/cni/main.py
index 3188600..2bb121e 100644
--- a/kuryr_kubernetes/cni/main.py
+++ b/kuryr_kubernetes/cni/main.py
@@ -61,6 +61,10 @@ class K8sCNIPlugin(cni_api.CNIPlugin):
         config.init(args)
         config.setup_logging()
         os_vif.initialize()
+ ovs = os_vif._EXT_MANAGER['ovs'].obj
+ ovs_mod = sys.modules[ovs.__module__]
+ ovs_mod.linux_net.privsep.vif_plug.start(
+ ovs_mod.linux_net.privsep.priv_context.Method.FORK)
         clients.setup_kubernetes_client()
         self._pipeline = h_cni.CNIPipeline()
         self._watcher = k_watcher.Watcher(self._pipeline)
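
Review bot: The first added line reads `os_vif._EXT_MANAGER['ovs']`, which depends on a private os-vif attribute and hard-codes the ovs plug-in, so it fails with a KeyError whenever that plug-in is not loaded and does nothing for any other plug-in's privsep context. Guard the lookup, and add a comment saying that FORK is chosen because the CNI binary already runs as root, so a later reader does not mistake it for a privilege change. The added lines also use `sys.modules`, but no `import sys` is visible in this hunk, so confirm that main.py imports it. As shown, the four added lines have lost the indentation of the surrounding method body and need to be realigned with `os_vif.initialize()` before the patch is applied.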

However, the right solution would be to make os-vif configurable to choose the privsep method.