ac6cf68517
Currently neutron-ns-metadata-proxy runs with root permissions when namespaces are enabled on the dhcp agent because root permissions are required to "enter" in the namespace. But neutron-ns-metadata-proxy permissions should be reduced as much as possible because it is reachable from vms. This change allows to change neutron-ns-metadata-proxy permissions after its startup through the 2 new options metadata_proxy_user and metadata_proxy_group which allow to define user/group running metadata proxy after its initialization. Their default values are neutron-dhcp-agent effective user and group. This change delegates metadata proxy management to metadata driver methods in order to reuse the work already done on l3 agent side. Permissions drop is done after metadata proxy daemon writes its pid in its pidfile (it could be disallowed after permissions drop) and after metadata proxy daemon binds its privileged server port (80). Using nobody as metadata_proxy_user/group (more secure) is currently not supported because: * nobody has not the permission to connect the metadata socket, * nobody has not the permission to log to file because neutron uses WatchedFileHandler (which requires read/write permissions after permissions drop). This limitation will be addressed in a daughter change. DocImpact Closes-Bug: #1187107 Change-Id: I53e97254d560e608101010f67bd2dcdec81fb6a2
100 lines
3.7 KiB
INI
100 lines
3.7 KiB
INI
[DEFAULT]
|
|
# Show debugging output in log (sets DEBUG log level output)
|
|
# debug = False
|
|
|
|
# The DHCP agent will resync its state with Neutron to recover from any
|
|
# transient notification or rpc errors. The interval is number of
|
|
# seconds between attempts.
|
|
# resync_interval = 5
|
|
|
|
# The DHCP agent requires an interface driver be set. Choose the one that best
|
|
# matches your plugin.
|
|
# interface_driver =
|
|
|
|
# Example of interface_driver option for OVS based plugins(OVS, Ryu, NEC, NVP,
|
|
# BigSwitch/Floodlight)
|
|
# interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
|
|
|
|
# Name of Open vSwitch bridge to use
|
|
# ovs_integration_bridge = br-int
|
|
|
|
# Use veth for an OVS interface or not.
|
|
# Support kernels with limited namespace support
|
|
# (e.g. RHEL 6.5) so long as ovs_use_veth is set to True.
|
|
# ovs_use_veth = False
|
|
|
|
# Example of interface_driver option for LinuxBridge
|
|
# interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver
|
|
|
|
# The agent can use other DHCP drivers. Dnsmasq is the simplest and requires
|
|
# no additional setup of the DHCP server.
|
|
# dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
|
|
|
|
# Allow overlapping IP (Must have kernel build with CONFIG_NET_NS=y and
|
|
# iproute2 package that supports namespaces).
|
|
# use_namespaces = True
|
|
|
|
# The DHCP server can assist with providing metadata support on isolated
|
|
# networks. Setting this value to True will cause the DHCP server to append
|
|
# specific host routes to the DHCP request. The metadata service will only
|
|
# be activated when the subnet does not contain any router port. The guest
|
|
# instance must be configured to request host routes via DHCP (Option 121).
|
|
# enable_isolated_metadata = False
|
|
|
|
# Allows for serving metadata requests coming from a dedicated metadata
|
|
# access network whose cidr is 169.254.169.254/16 (or larger prefix), and
|
|
# is connected to a Neutron router from which the VMs send metadata
|
|
# request. In this case DHCP Option 121 will not be injected in VMs, as
|
|
# they will be able to reach 169.254.169.254 through a router.
|
|
# This option requires enable_isolated_metadata = True
|
|
# enable_metadata_network = False
|
|
|
|
# Number of threads to use during sync process. Should not exceed connection
|
|
# pool size configured on server.
|
|
# num_sync_threads = 4
|
|
|
|
# Location to store DHCP server config files
|
|
# dhcp_confs = $state_path/dhcp
|
|
|
|
# Domain to use for building the hostnames
|
|
# dhcp_domain = openstacklocal
|
|
|
|
# Override the default dnsmasq settings with this file
|
|
# dnsmasq_config_file =
|
|
|
|
# Comma-separated list of DNS servers which will be used by dnsmasq
|
|
# as forwarders.
|
|
# dnsmasq_dns_servers =
|
|
|
|
# Limit number of leases to prevent a denial-of-service.
|
|
# dnsmasq_lease_max = 16777216
|
|
|
|
# Location to DHCP lease relay UNIX domain socket
|
|
# dhcp_lease_relay_socket = $state_path/dhcp/lease_relay
|
|
|
|
# Use broadcast in DHCP replies
|
|
# dhcp_broadcast_reply = False
|
|
|
|
# User (uid or name) running metadata proxy after its initialization
|
|
# (if empty: dhcp agent effective user)
|
|
# metadata_proxy_user =
|
|
|
|
# Group (gid or name) running metadata proxy after its initialization
|
|
# (if empty: dhcp agent effective group)
|
|
# metadata_proxy_group =
|
|
|
|
# Location of Metadata Proxy UNIX domain socket
|
|
# metadata_proxy_socket = $state_path/metadata_proxy
|
|
|
|
# dhcp_delete_namespaces, which is false by default, can be set to True if
|
|
# namespaces can be deleted cleanly on the host running the dhcp agent.
|
|
# Do not enable this until you understand the problem with the Linux iproute
|
|
# utility mentioned in https://bugs.launchpad.net/neutron/+bug/1052535 and
|
|
# you are sure that your version of iproute does not suffer from the problem.
|
|
# If True, namespaces will be deleted when a dhcp server is disabled.
|
|
# dhcp_delete_namespaces = False
|
|
|
|
# Timeout for ovs-vsctl commands.
|
|
# If the timeout expires, ovs commands will fail with ALARMCLOCK error.
|
|
# ovs_vsctl_timeout = 10
|