From 227008cf68aa68f340d95703e85355ae81585506 Mon Sep 17 00:00:00 2001
From: Michal Nasiadka <mnasiadka@gmail.com>
Date: Wed, 12 Feb 2020 13:39:33 +0100
Subject: [PATCH] Change /run bind mount for neutron/openvswitch

Currently we have a very wide /run mount for all Neutron/OVS services,
which allows sudo/rootwrap to contact the host's dbus - all symptoms
are documented in the related bug.

Since we use tcp connections to OVS from Neutron agents - removing
bind mounts.

Closes-Bug: #1861792

Change-Id: Ifee4bec7b2e9ef4e2d624b1411f1a9e6332325c6
---
 ansible/roles/neutron/defaults/main.yml              | 10 ----------
 ansible/roles/openvswitch/defaults/main.yml          |  4 ++--
 ansible/roles/ovs-dpdk/defaults/main.yml             |  4 ++--
 releasenotes/notes/bug-1861792-a44a31693b0c786f.yaml |  5 +++++
 4 files changed, 9 insertions(+), 14 deletions(-)
 create mode 100644 releasenotes/notes/bug-1861792-a44a31693b0c786f.yaml

diff --git a/ansible/roles/neutron/defaults/main.yml b/ansible/roles/neutron/defaults/main.yml
index b1d6e27cf..b9b401d6e 100644
--- a/ansible/roles/neutron/defaults/main.yml
+++ b/ansible/roles/neutron/defaults/main.yml
@@ -247,7 +247,6 @@ ironic_neutron_agent_dimensions: "{{ default_container_dimensions }}"
 neutron_dhcp_agent_default_volumes:
   - "{{ node_config_directory }}/neutron-dhcp-agent/:{{ container_config_directory }}/:ro"
   - "/etc/localtime:/etc/localtime:ro"
-  - "/run/:/run/:shared"
   - "neutron_metadata_socket:/var/lib/neutron/kolla/"
   - "kolla_logs:/var/log/kolla/"
   - "{{ kolla_dev_repos_directory ~ '/neutron/neutron:/var/lib/kolla/venv/lib/python' ~ distro_python_version ~ '/site-packages/neutron' if neutron_dev_mode | bool else '' }}"
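Review bot: Removing the `/run/` bind from neutron_dhcp_agent_default_volumes leaves no host-shared path for network-namespace state, and the same holds for neutron_l3_agent_default_volumes at the top of the next hunk (that list's key sits in the hunk's context line, outside the hunk body). Both agents create per-network namespaces, and the ip utility records those under /run/netns, so with /run fully private to the container the namespaces it creates would presumably be invisible to the host and to sibling containers — worth confirming on a deployment before this merges. The commit message justifies the removal by the TCP path to OVS, which covers the openvswitch socket but says nothing about netns. A narrower replacement keeps the intent of the fix: put `"/run/netns:/run/netns:shared"` where the removed line was, in both the dhcp and l3 lists.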
@@ -255,27 +254,23 @@ neutron_l3_agent_default_volumes:
   - "{{ node_config_directory }}/neutron-l3-agent/:{{ container_config_directory }}/:ro"
   - "/etc/localtime:/etc/localtime:ro"
   - "/lib/modules:/lib/modules:ro"
-  - "/run:/run:shared"
   - "neutron_metadata_socket:/var/lib/neutron/kolla/"
   - "kolla_logs:/var/log/kolla/"
   - "{{ kolla_dev_repos_directory ~ '/neutron/neutron:/var/lib/kolla/venv/lib/python' ~ distro_python_version ~ '/site-packages/neutron' if neutron_dev_mode | bool else '' }}"
 neutron_sriov_agent_default_volumes:
   - "{{ node_config_directory }}/neutron-sriov-agent/:{{ container_config_directory }}/:ro"
   - "/etc/localtime:/etc/localtime:ro"
-  - "/run:/run:shared"
   - "kolla_logs:/var/log/kolla/"
   - "{{ kolla_dev_repos_directory ~ '/neutron/neutron:/var/lib/kolla/venv/lib/python' ~ distro_python_version ~ '/site-packages/neutron' if neutron_dev_mode | bool else '' }}"
 neutron_linuxbridge_agent_default_volumes:
   - "{{ node_config_directory }}/neutron-linuxbridge-agent/:{{ container_config_directory }}/:ro"
   - "/etc/localtime:/etc/localtime:ro"
   - "/lib/modules:/lib/modules:ro"
-  - "/run:/run:shared"
   - "kolla_logs:/var/log/kolla/"
   - "{{ kolla_dev_repos_directory ~ '/neutron/neutron:/var/lib/kolla/venv/lib/python' ~ distro_python_version ~ '/site-packages/neutron' if neutron_dev_mode | bool else '' }}"
 neutron_metadata_agent_default_volumes:
   - "{{ node_config_directory }}/neutron-metadata-agent/:{{ container_config_directory }}/:ro"
   - "/etc/localtime:/etc/localtime:ro"
-  - "/run/:/run/:shared"
   - "neutron_metadata_socket:/var/lib/neutron/kolla/"
   - "kolla_logs:/var/log/kolla/"
   - "{{ kolla_dev_repos_directory ~ '/neutron/neutron:/var/lib/kolla/venv/lib/python' ~ distro_python_version ~ '/site-packages/neutron' if neutron_dev_mode | bool else '' }}"
@@ -283,7 +278,6 @@ neutron_openvswitch_agent_default_volumes:
   - "{{ node_config_directory }}/neutron-openvswitch-agent/:{{ container_config_directory }}/:ro"
   - "/etc/localtime:/etc/localtime:ro"
   - "/lib/modules:/lib/modules:ro"
-  - "/run:/run:shared"
   - "kolla_logs:/var/log/kolla/"
   - "{{ kolla_dev_repos_directory ~ '/neutron/neutron:/var/lib/kolla/venv/lib/python' ~ distro_python_version ~ '/site-packages/neutron' if neutron_dev_mode | bool else '' }}"
 neutron_server_default_volumes:
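Review bot: neutron_openvswitch_agent_default_volumes now depends on the agent reaching ovsdb over TCP instead of the unix socket under /run/openvswitch, but nothing in the list records that. A comment above the list, `# no /run mount on purpose: the agent must use a tcp ovsdb_connection`, would stop the next editor from re-adding the wide `/run` mount to cure a socket error. Whether the agent's ovsdb_connection setting is actually TCP in every supported configuration cannot be seen from this hunk, so it is worth a check in the role's agent config template.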
@@ -294,24 +288,20 @@ neutron_server_default_volumes:
 neutron_bgp_dragent_default_volumes:
   - "{{ node_config_directory }}/neutron-bgp-dragent/:{{ container_config_directory }}/:ro"
   - "/etc/localtime:/etc/localtime:ro"
-  - "/run:/run:shared"
   - "kolla_logs:/var/log/kolla/"
 neutron_infoblox_ipam_agent_default_volumes:
   - "{{ node_config_directory }}/neutron-infoblox-ipam-agent/:{{ container_config_directory }}/:ro"
   - "/etc/localtime:/etc/localtime:ro"
-  - "/run:/run:shared"
   - "kolla_logs:/var/log/kolla/"
 neutron_openvswitch_agent_xenapi_default_volumes:
   - "{{ node_config_directory }}/neutron-openvswitch-agent-xenapi/:{{ container_config_directory }}/:ro"
   - "/etc/localtime:/etc/localtime:ro"
   - "/lib/modules:/lib/modules:ro"
-  - "/run:/run:shared"
   - "kolla_logs:/var/log/kolla/"
   - "{{ kolla_dev_repos_directory ~ '/neutron/neutron:/var/lib/kolla/venv/lib/python' ~ distro_python_version ~ '/site-packages/neutron' if neutron_dev_mode | bool else '' }}"
 neutron_metering_agent_default_volumes:
   - "{{ node_config_directory }}/neutron-metering-agent/:{{ container_config_directory }}/:ro"
   - "/etc/localtime:/etc/localtime:ro"
-  - "/run:/run:shared"
   - "kolla_logs:/var/log/kolla/"
   - "{{ kolla_dev_repos_directory ~ '/neutron/neutron:/var/lib/kolla/venv/lib/python' ~ distro_python_version ~ '/site-packages/neutron' if neutron_dev_mode | bool else '' }}"
 ironic_neutron_agent_default_volumes:
diff --git a/ansible/roles/openvswitch/defaults/main.yml b/ansible/roles/openvswitch/defaults/main.yml
index 9902a3ee9..fe2867ab5 100644
--- a/ansible/roles/openvswitch/defaults/main.yml
+++ b/ansible/roles/openvswitch/defaults/main.yml
@@ -55,14 +55,14 @@ openvswitch_db_default_volumes:
   - "{{ node_config_directory }}/openvswitch-db-server/:{{ container_config_directory }}/:ro"
   - "/etc/localtime:/etc/localtime:ro"
   - "/lib/modules:/lib/modules:ro"
-  - "/run:/run:shared"
+  - "/run/openvswitch:/run/openvswitch:shared"
   - "kolla_logs:/var/log/kolla/"
   - "openvswitch_db:/var/lib/openvswitch/"
 openvswitch_vswitchd_default_volumes:
   - "{{ node_config_directory }}/openvswitch-vswitchd/:{{ container_config_directory }}/:ro"
   - "/etc/localtime:/etc/localtime:ro"
   - "/lib/modules:/lib/modules:ro"
-  - "/run:/run:shared"
+  - "/run/openvswitch:/run/openvswitch:shared"
   - "kolla_logs:/var/log/kolla/"
 
 openvswitch_extra_volumes: "{{ default_extra_volumes }}"
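Review bot: The narrowed `"/run/openvswitch:/run/openvswitch:shared"` bind needs the host directory to exist before the container starts, and nothing in the commit creates it, whereas the previous `/run` source always exists. When a bind source is missing the container runtime creates it itself, presumably as root with default permissions, which may not match the ownership ovsdb-server and ovs-vswitchd expect inside the container — the container user is not visible here, so this needs confirming. The same applies to ovsdpdk_db_default_volumes and ovsdpdk_vswitchd_default_volumes in the ovs-dpdk hunk. An Ansible `file` task with `state: directory` for `/run/openvswitch`, placed ahead of the container task in both roles, would make the precondition explicit; the openvswitch_db_default_volumes list this hunk edits begins above the hunk.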
diff --git a/ansible/roles/ovs-dpdk/defaults/main.yml b/ansible/roles/ovs-dpdk/defaults/main.yml
index 95333630f..972b81388 100644
--- a/ansible/roles/ovs-dpdk/defaults/main.yml
+++ b/ansible/roles/ovs-dpdk/defaults/main.yml
@@ -78,14 +78,14 @@ ovsdpdk_vswitchd_dimensions: "{{ default_container_dimensions }}"
 ovsdpdk_db_default_volumes:
   - "{{ node_config_directory }}/ovsdpdk-db/:{{ container_config_directory }}/:ro"
   - "/etc/localtime:/etc/localtime:ro"
-  - "/run:/run:shared"
+  - "/run/openvswitch:/run/openvswitch:shared"
   - "kolla_logs:/var/log/kolla/"
   - "ovsdpdk_db:/var/lib/openvswitch/"
 ovsdpdk_vswitchd_default_volumes:
   - "{{ node_config_directory }}/ovsdpdk-vswitchd/:{{ container_config_directory }}/:ro"
   - "/etc/localtime:/etc/localtime:ro"
   - "/lib/modules:/lib/modules:ro"
-  - "/run:/run:shared"
+  - "/run/openvswitch:/run/openvswitch:shared"
   - "/dev:/dev:shared"
   - "kolla_logs:/var/log/kolla/"
 
diff --git a/releasenotes/notes/bug-1861792-a44a31693b0c786f.yaml b/releasenotes/notes/bug-1861792-a44a31693b0c786f.yaml
new file mode 100644
index 000000000..cff5fee56
--- /dev/null
+++ b/releasenotes/notes/bug-1861792-a44a31693b0c786f.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    Remove /run bind mounts in Neutron services causing dbus host-level
+    errors `LP# 1861792 <https://launchpad.net/bugs/1861792>`.
-- 
GitLab