Reviewed: https://review.openstack.org/287449
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=1db573ff12172f0a278b7318fe8094527e2bc72a
Submitter: Jenkins
Branch: master

commit 1db573ff12172f0a278b7318fe8094527e2bc72a
Author: Eric Larese <[email protected]>
Date: Wed Mar 2 15:41:36 2016 -0500

    Use only_contrib option for nova_client calls

    Use the only_contrib option that was added by
    I030f4c55c2795c7f7973f5f12e54b9819c4a5578 to speed up nova_client
    calls and skip the search for nova_client extensions to reduce
    /var/log/audit noise.

    Change-Id: Ic97b342a3633ffdf05b02ddd81baad88e1605a75
    Closes-Bug: #1509500

** Changed in: neutron
       Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1509500

Title:
  novaclient stats all files in /usr/bin

Status in neutron:
  Fix Released
Status in python-novaclient:
  Fix Released

Bug description:

It appears that novaclient is searching Python's sys.path to find novaclient's own executable, and a side effect of this is an operating system security package will log hundreds of errors each time this happens.

For example, this stack trace:

    /usr/lib/python2.7/site-packages/neutron/manager.py(244)get_plugin()
    -> return weakref.proxy(cls.get_instance().plugin)
    /usr/lib/python2.7/site-packages/neutron/manager.py(238)get_instance()
    -> cls._create_instance()
    /usr/lib/python2.7/site-packages/oslo_concurrency/lockutils.py(252)inner()
    -> return f(*args, **kwargs)
    /usr/lib/python2.7/site-packages/neutron/manager.py(224)_create_instance()
    -> cls._instance = cls()
    /usr/lib/python2.7/site-packages/neutron/manager.py(120)__init__()
    -> plugin_provider)
    /usr/lib/python2.7/site-packages/neutron/manager.py(157)_get_plugin_instance()
    -> return plugin_class()
    /usr/lib/python2.7/site-packages/neutron/quota/resource_registry.py(121)wrapper()
    -> return f(*args, **kwargs)
    /usr/lib/python2.7/site-packages/neutron/plugins/ml2/plugin.py(145)__init__()
    -> super(Ml2Plugin, self).__init__()
    /usr/lib/python2.7/site-packages/neutron/db/db_base_plugin_v2.py(103)__init__()
    -> self.nova_notifier = nova.Notifier()
    /usr/lib/python2.7/site-packages/neutron/notifiers/nova.py(98)__init__()
    -> ext for ext in nova_client.discover_extensions(NOVA_API_VERSION)
    > /usr/lib/python2.7/site-packages/novaclient/client.py(724)discover_extensions()
    -> _discover_via_contrib_path(version)

This stack trace is during neutron server startup; a novaclient call is made which results in _discover_via_python_path() being invoked here:

https://github.com/openstack/python-novaclient/blob/master/novaclient/client.py#L723

This method uses pkgutil.iter_modules() which will search all of /usr/bin (among many other places).

An operating system security package such as SELinux on RedHat will log hundreds of errors like this to /var/log/audit/audit.log:

    type=AVC msg=audit(10/23/2015 15:41:08.766:368903) : avc: denied { getattr } for pid=13716 comm=neutron-server path=/usr/bin/virsh dev="dm-5" ino=138258059 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:virsh_exec_t:s0 tclass=file

One error is logged for every searched file in /usr/bin, about 1,300 messages each time neutron-server restarts on my test system. This generates a huge amount of noise in audit.log.

I have not attempted to reproduce this with Ubuntu / AppArmor to verify if the issue is the same.

Is this something the novaclient code would worry about? Is there some way I could submit a patch to fix this?
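
Added example, not part of the bug report or of the neutron/novaclient code: a small triage script that parses AVC denial lines in the layout quoted above and reports any process that was denied getattr on many distinct files in one directory, which is the pattern a sys.path scan leaves in audit.log. The function names, the threshold and every sample line except the first are assumptions constructed for the illustration.

```python
import re
from collections import defaultdict
from os.path import dirname

# Matches the interpreted AVC record layout quoted in the bug report.
AVC_RE = re.compile(
    r"type=AVC msg=audit\([^)]*\)\s*:\s*avc:\s+denied\s+"
    r"\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of fields for one AVC denial line, or None otherwise."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec


def scan_bursts(lines, threshold=3):
    """Map (comm, pid, directory) -> count of distinct files denied getattr.

    Only groups with at least `threshold` distinct files are returned;
    the threshold is a hypothetical tuning knob, not a value from the report.
    """
    seen = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and "getattr" in rec["perms"] and "path" in rec:
            key = (rec.get("comm"), rec.get("pid"), dirname(rec["path"]))
            seen[key].add(rec["path"])
    return {k: len(v) for k, v in seen.items() if len(v) >= threshold}


# Constructed sample: the first record reproduces the line in the report,
# the rest are made-up variations used only to exercise the grouping.
TEMPLATE = ('type=AVC msg=audit(10/23/2015 15:41:08.766:{serial}) : avc: denied '
            '{{ getattr }} for pid=13716 comm=neutron-server path={path} '
            'dev="dm-5" ino=138258059 scontext=system_u:system_r:neutron_t:s0 '
            'tcontext=system_u:object_r:virsh_exec_t:s0 tclass=file')
SAMPLE = [
    TEMPLATE.format(serial=368903, path="/usr/bin/virsh"),
    TEMPLATE.format(serial=368904, path="/usr/bin/example-tool-a"),
    TEMPLATE.format(serial=368905, path="/usr/bin/example-tool-b"),
    TEMPLATE.format(serial=368906, path="/etc/example.conf"),
    "type=SYSCALL msg=audit(10/23/2015 15:41:08.766:368907) : constructed",
]

if __name__ == "__main__":
    for (comm, pid, directory), count in scan_bursts(SAMPLE).items():
        print(f"{comm} (pid {pid}): {count} files denied in {directory}")
```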

