Kuryr with OVS, db.sock permission denied
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
kuryr | New | Undecided | Unassigned |
kuryr-libnetwork | New | Undecided | Unassigned |
Bug Description
Zun and Kuryr were installed using openstack-ansible for 2023.1. The Kuryr service runs as the unprivileged user kuryr.
On Ubuntu 20.04 (Focal), Open vSwitch creates its sockets with root-only privileges:
srwxr-x--- 1 root root 0 08-07 04:25 /var/run/
kuryr-libnetwork cannot connect to it, throwing errors:
ERROR kuryr_libnetwor
One possible fix is to use a network socket:
--- a/libexec/kuryr/ovs 2023-11-03 19:54:59.691657959 +0000
+++ b/libexec/kuryr/ovs 2024-01-04 05:53:35.636326065 +0000
@@ -13,6 +13,7 @@
INT_BRIDGE=
HYBRID_
+DB='--
OPERATION=$1
PORT=$2
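Review bot: the new DB= assignment hard-codes the ovs-vsctl database target for every call in the script (its value is cut off on this page). Per the description it points at a network socket, and a plain TCP OVSDB listener has no equivalent of the root-only file mode on db.sock: any client that can reach the port can change the bridge configuration, and on a loopback listener that still includes every local user. Suggest taking the value from the environment or the kuryr configuration with the unix socket as the default, and documenting how the listener this depends on is expected to be restricted (for example SSL with client certificates).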
@@ -22,7 +23,7 @@
ovs_bind_port() {
echo "plugging veth $VETH (Neutron port $PORT)..."
- ovs-vsctl -- --may-exist add-port $INT_BRIDGE $VETH -- \
+ ovs-vsctl ${DB} -- --may-exist add-port $INT_BRIDGE $VETH -- \
set interface $VETH external_
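Review bot: ${DB} is expanded unquoted in ovs_bind_port, as it is in the later hunks. That is what lets an empty value vanish cleanly, but a value containing whitespace would be split into several arguments. A comment next to the DB assignment stating that it must hold exactly one option would be enough.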
@@ -30,14 +31,14 @@
ovs_unbind_port() {
echo "unplugging port $PORT..."
- MYPORT=`ovs-vsctl --data=bare --no-heading --columns=name \
+ MYPORT=`ovs-vsctl ${DB} --data=bare --no-heading --columns=name \
find interface external_
if [ -z "$MYPORT" ]; then
echo >&2 "Failed to find port $PORT."
exit 1
fi
- ovs-vsctl del-port $INT_BRIDGE $MYPORT
+ ovs-vsctl ${DB} del-port $INT_BRIDGE $MYPORT
}
ovs_hybrid_
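Review bot: in ovs_unbind_port the find call now depends on the database connection as well, and a failed ovs-vsctl leaves MYPORT empty, so a connection or permission error is reported as "Failed to find port $PORT." Suggest checking the exit status of ovs-vsctl separately from the empty-result case so the two failures can be told apart in the logs.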
@@ -63,7 +64,7 @@
ip link set $br_name up
# connect one end to the ovs integration bridge
- ovs-vsctl add-port $INT_BRIDGE $veth_ovs -- \
+ ovs-vsctl ${DB} add-port $INT_BRIDGE $veth_ovs -- \
set interface $veth_ovs external_
@@ -79,7 +80,7 @@
veth_
ip link set dev $veth_lb nomaster
- ovs-vsctl del-port $veth_ovs
+ ovs-vsctl ${DB} del-port $veth_ovs
ip link delete $veth_lb type veth
ip link set $br_name down
Hi there,
I think you might be able to work around that by adjusting the group/user that kuryr runs as with OSA:
https://opendev.org/openstack/openstack-ansible-os_zun/src/branch/master/defaults/main.yml#L82-L83
Given that you run kuryr as a root user - it should work as well. But not sure that it's a good idea to run services as root...
I do recall this issue being raised a couple of times before, with the answer more or less - "you should run with root" :(
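The permission check behind the "permission denied" in the report, as an added example that is not part of the bug report or of kuryr: on Linux, connect() on a pathname UNIX socket needs write permission on the socket file, so with the reported mode srwxr-x--- even a member of the owning group is refused. The uid/gid 997 for the kuryr user is hypothetical, and the sketch assumes plain mode bits only (no POSIX ACLs, no AppArmor/SELinux denial, searchable parent directories).

```python
import os
import stat


def can_connect(mode, owner_uid, owner_gid, uid, gids):
    """Would connect() on a pathname UNIX socket pass the mode-bit check?

    Linux requires write permission on the socket file itself. Only the
    classic owner/group/other bits are modelled here (assumption: no POSIX
    ACLs, no AppArmor/SELinux denial, parent directories are searchable).
    """
    if not stat.S_ISSOCK(mode):
        raise ValueError("not a socket")
    if uid == 0:
        return True  # root bypasses mode bits (CAP_DAC_OVERRIDE)
    # The kernel picks exactly one class, owner first; it does not fall
    # through to a more permissive class if the first match denies access.
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def check_socket(path, uid, gids):
    """Apply can_connect() to a socket on disk, e.g. the OVS db.sock."""
    st = os.stat(path)
    return can_connect(st.st_mode, st.st_uid, st.st_gid, uid, gids)


# Constructed sample: the listing from the report, srwxr-x--- root root.
REPORTED_MODE = stat.S_IFSOCK | 0o750
KURYR_UID, KURYR_GID = 997, 997  # hypothetical ids for the kuryr user

if __name__ == "__main__":
    cases = {
        "kuryr, own group only": [KURYR_GID],
        "kuryr added to gid 0": [KURYR_GID, 0],
    }
    for label, gids in cases.items():
        ok = can_connect(REPORTED_MODE, 0, 0, KURYR_UID, gids)
        print(f"{label}: {'connect allowed' if ok else 'permission denied'}")
    # With the group write bit set (mode 0770) a group member can connect.
    print(can_connect(stat.S_IFSOCK | 0o770, 0, 0, KURYR_UID, [0]))
```

Pass the real socket path and the service account's ids to check_socket() to evaluate a live host.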