On Ubuntu 20.04 (Focal) Open vSwitch creates its sockets with root-only permissions:
srwxr-x--- 1 root root 0 08-07 04:25 /var/run/openvswitch/db.sock
kuryr-libnetwork cannot connect to it and logs the following error:
ERROR kuryr_libnetwork.controllers [-] ovs-vsctl: unix:/var/run/openvswitch/db.sock: database connection failed (Permission denied)
One possible fix is to use a network socket instead:
--- a/libexec/kuryr/ovs 2023-11-03 19:54:59.691657959 +0000
+++ b/libexec/kuryr/ovs 2024-01-04 05:53:35.636326065 +0000
@@ -13,6 +13,7 @@
INT_BRIDGE="br-int"
HYBRID_PLUG="'ovs_hybrid_plug': True"
+DB='--db=tcp:127.0.0.1:6640'
OPERATION=$1
PORT=$2
@@ -22,7 +23,7 @@
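Review bot: The new `DB='--db=tcp:127.0.0.1:6640'` swaps the root-only unix socket for a loopback TCP remote, and an OVSDB TCP listener carries no authentication unless ovsdb-server is set up for an `ssl:` remote with certificates, which this patch does not show; the file permission that produced the reported "Permission denied" was also the only access control on the database, so any local process that can reach 127.0.0.1:6640 (including containers sharing the host network namespace) can presumably read and rewrite the bridge configuration. A narrower fix is to give the kuryr service user access to `/var/run/openvswitch/db.sock` (group ownership on the socket) or to point `DB` at an `ssl:` remote rather than plain `tcp:`. The endpoint is also hard-coded; reading it from the environment with the current value as fallback, e.g. `DB=${KURYR_OVS_DB:---db=tcp:127.0.0.1:6640}` (variable name is a suggestion), keeps the script deployable without editing. The same `${DB}` is consumed by the hunks at -22, -30, -63 and -79, so this note applies to all of them.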
ovs_bind_port() {
echo "plugging veth $VETH (Neutron port $PORT)..."
- ovs-vsctl -- --may-exist add-port $INT_BRIDGE $VETH -- \
+ ovs-vsctl ${DB} -- --may-exist add-port $INT_BRIDGE $VETH -- \
set interface $VETH external_ids:attached-mac=$MAC_ADDRESS \
external_ids:iface-id=$PORT external_ids:vm-uuid=$CONTAINER_UUID \
external_ids:iface-status=active external_ids:owner=kuryr
@@ -30,14 +31,14 @@
ovs_unbind_port() {
echo "unplugging port $PORT..."
- MYPORT=`ovs-vsctl --data=bare --no-heading --columns=name \
+ MYPORT=`ovs-vsctl ${DB} --data=bare --no-heading --columns=name \
find interface external_ids:iface-id=$PORT \
external_ids:owner=kuryr`
if [ -z "$MYPORT" ]; then
echo >&2 "Failed to find port $PORT."
exit 1
fi
- ovs-vsctl del-port $INT_BRIDGE $MYPORT
+ ovs-vsctl ${DB} del-port $INT_BRIDGE $MYPORT
}
ovs_hybrid_bind_port() {
@@ -63,7 +64,7 @@
ip link set $br_name up
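Review bot: In `ovs_unbind_port` the rewritten `MYPORT=\`ovs-vsctl ${DB} --data=bare --no-heading --columns=name find interface ...\`` discards the exit status of ovs-vsctl, so a failed connection to the new TCP remote (nothing listening on 127.0.0.1:6640, or the listener removed) yields an empty `MYPORT` and is reported as `Failed to find port $PORT.` instead of as a database error; the `del-port` later in the same hunk then never runs, which is the safe outcome, but the misdiagnosis hides the real cause. Capture the status on the lookup, e.g. `MYPORT=$(ovs-vsctl ${DB} --data=bare --no-heading --columns=name find interface external_ids:iface-id=$PORT external_ids:owner=kuryr) || { echo >&2 "ovs-vsctl query failed for port $PORT."; exit 1; }`, which also replaces the backticks with `$( )`. The `add-port` lines in the hunks at -22 and -63 likewise leave the ovs-vsctl status unchecked, so a connection failure there is silent unless the script runs under `set -e`, which is not visible in these hunks.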
# connect one end to the ovs integration bridge
- ovs-vsctl add-port $INT_BRIDGE $veth_ovs -- \
+ ovs-vsctl ${DB} add-port $INT_BRIDGE $veth_ovs -- \
set interface $veth_ovs external_ids:attached-mac=$MAC_ADDRESS \
external_ids:iface-id=$PORT external_ids:vm-id=$CONTAINER_UUID \
external_ids:iface-status=active external_ids:owner=kuryr
@@ -79,7 +80,7 @@
veth_ovs="qvo"${PORT:0:11}
ip link set dev $veth_lb nomaster
- ovs-vsctl del-port $veth_ovs
+ ovs-vsctl ${DB} del-port $veth_ovs
ip link delete $veth_lb type veth
ip link set $br_name down
On Ubuntu 20.04 (Focal) Open vSwitch creates its sockets with root-only permissions:
srwxr-x--- 1 root root 0 08-07 04:25 /var/run/openvswitch/db.sock
kuryr-libnetwork cannot connect to it and logs the following error:
ERROR kuryr_libnetwork.controllers [-] ovs-vsctl: unix:/var/run/openvswitch/db.sock: database connection failed (Permission denied)
One possible fix is to use a network socket instead:
--- a/libexec/kuryr/ovs 2023-11-03 19:54:59.691657959 +0000
+++ b/libexec/kuryr/ovs 2024-01-04 05:53:35.636326065 +0000
@@ -13,6 +13,7 @@
INT_BRIDGE= "br-int" PLUG="' ovs_hybrid_ plug': True" db=tcp: 127.0.0. 1:6640'
HYBRID_
+DB='--
OPERATION=$1
PORT=$2
@@ -22,7 +23,7 @@
ovs_bind_port() { ids:attached- mac=$MAC_ ADDRESS \
external_ ids:iface- id=$PORT external_ ids:vm- uuid=$CONTAINER _UUID \
external_ ids:iface- status= active external_ ids:owner= kuryr
echo "plugging veth $VETH (Neutron port $PORT)..."
- ovs-vsctl -- --may-exist add-port $INT_BRIDGE $VETH -- \
+ ovs-vsctl ${DB} -- --may-exist add-port $INT_BRIDGE $VETH -- \
set interface $VETH external_
@@ -30,14 +31,14 @@
ovs_unbind_port() { ids:iface- id=$PORT \
external_ ids:owner= kuryr`
echo "unplugging port $PORT..."
- MYPORT=`ovs-vsctl --data=bare --no-heading --columns=name \
+ MYPORT=`ovs-vsctl ${DB} --data=bare --no-heading --columns=name \
find interface external_
if [ -z "$MYPORT" ]; then
echo >&2 "Failed to find port $PORT."
exit 1
fi
- ovs-vsctl del-port $INT_BRIDGE $MYPORT
+ ovs-vsctl ${DB} del-port $INT_BRIDGE $MYPORT
}
ovs_hybrid_ bind_port( ) {
@@ -63,7 +64,7 @@
ip link set $br_name up
# connect one end to the ovs integration bridge ids:attached- mac=$MAC_ ADDRESS \
external_ ids:iface- id=$PORT external_ ids:vm- id=$CONTAINER_ UUID \
external_ ids:iface- status= active external_ ids:owner= kuryr ovs="qvo" ${PORT: 0:11}
- ovs-vsctl add-port $INT_BRIDGE $veth_ovs -- \
+ ovs-vsctl ${DB} add-port $INT_BRIDGE $veth_ovs -- \
set interface $veth_ovs external_
@@ -79,7 +80,7 @@
veth_
ip link set dev $veth_lb nomaster
- ovs-vsctl del-port $veth_ovs
+ ovs-vsctl ${DB} del-port $veth_ovs
ip link delete $veth_lb type veth
ip link set $br_name down