Rootwrap Error with L3_agent

Asked by Graham Hemingway on 2012-10-22

I am seeing the following error in /var/log/quantum/l3_agent.log:

2012-10-22 09:00:48 DEBUG [quantum.agent.linux.utils] Running command: sudo /usr/bin/quantum-rootwrap /etc/quantum/rootwrap.conf /sbin/iptables-save -t filter
2012-10-22 09:00:48 DEBUG [quantum.agent.linux.utils]
Command: ['sudo', '/usr/bin/quantum-rootwrap', '/etc/quantum/rootwrap.conf', '/sbin/iptables-save', '-t', 'filter']
Exit code: 99
Stdout: 'Unauthorized command: /sbin/iptables-save -t filter\n'
Stderr: ''
2012-10-22 09:00:48 ERROR [quantum.agent.l3_agent] Error running l3_nat daemon_loop
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/quantum/agent/", line 170, in daemon_loop
  File "/usr/lib/python2.7/dist-packages/quantum/agent/", line 227, in do_single_loop
  File "/usr/lib/python2.7/dist-packages/quantum/agent/", line 300, in process_router
    self.external_gateway_added(ri, ex_gw_port, internal_cidrs)
  File "/usr/lib/python2.7/dist-packages/quantum/agent/", line 398, in external_gateway_added
  File "/usr/lib/python2.7/dist-packages/quantum/agent/linux/", line 282, in apply
  File "/usr/lib/python2.7/dist-packages/quantum/agent/linux/", line 55, in execute
    raise RuntimeError(m)
Command: ['sudo', '/usr/bin/quantum-rootwrap', '/etc/quantum/rootwrap.conf', '/sbin/iptables-save', '-t', 'filter']
Exit code: 99
Stdout: 'Unauthorized command: /sbin/iptables-save -t filter\n'
Stderr: ''

If I run "sudo /usr/bin/quantum-rootwrap /etc/quantum/rootwrap.conf /sbin/iptables-save -t filter" it does indeed give me an Unauthorized command error.

If I run "sudo /usr/bin/quantum-rootwrap /etc/quantum/rootwrap.conf iptables-save -t filter" (without the /sbin/) it works OK.
Otherwise, I don't see errors in the log.

Is this a problem?



I have focused in on this a bit and wanted to add some more details.
First, this only happens once I set the router_id in l3_agent.ini. Only then does this error occur.

I noticed that line 272 of quantum/agent/linux/ is:

        s = [('/sbin/iptables', self.ipv4)]

If I change this to:

        s = [('iptables', self.ipv4)]

It seems to work without error. Is this correct?

dan wendlandt (danwent) said : #2

Hi Graham,

Thanks for the report. This looks like a bug and we'll have to repro + fix. That line in (I believe) is copied from nova, so we need to look into why sbin was prepended there. I'll convert this into a bug.

dan wendlandt (danwent) said : #4

Also, can you comment on what OS you're running on? Ubuntu? Red Hat? Thanks.

I am running all Ubuntu 12.04 Server using the Ubuntu cloud-archive PPAs.
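
Added example, not part of the thread and not quantum-rootwrap's own code: a simplified model of a command allowlist that compares the requested command with the basename of a configured path, which would produce the behaviour reported above (full path rejected, bare name accepted). That matching rule is an assumption, and the class names, `authorize` and the allowlist entry are hypothetical.

```python
import os


class BasenameFilter:
    """Allows a command only when argv[0] equals the basename of exec_path."""

    def __init__(self, exec_path):
        self.exec_path = exec_path

    def match(self, argv):
        return bool(argv) and argv[0] == os.path.basename(self.exec_path)

    def get_command(self, argv):
        # Always run the configured absolute path, never the caller's argv[0],
        # so a same-named binary elsewhere on disk is never executed as root.
        return [self.exec_path] + list(argv[1:])


class PathAwareFilter(BasenameFilter):
    """Also accepts the exact configured absolute path, and nothing else."""

    def match(self, argv):
        return bool(argv) and argv[0] in (
            self.exec_path, os.path.basename(self.exec_path))


def authorize(filters, argv):
    """Return the command to execute, or None when no filter matches."""
    for f in filters:
        if f.match(argv):
            return f.get_command(argv)
    return None


# Constructed allowlist entry, not copied from a real rootwrap filter file.
ALLOWED = "/sbin/iptables-save"
FULL = ["/sbin/iptables-save", "-t", "filter"]   # form the agent ran in the log
BARE = ["iptables-save", "-t", "filter"]         # form that worked by hand

if __name__ == "__main__":
    for cls in (BasenameFilter, PathAwareFilter):
        for argv in (FULL, BARE, ["/tmp/iptables-save", "-t", "filter"]):
            print(cls.__name__, argv[0], "->", authorize([cls(ALLOWED)], argv))
```

In both variants the command that gets executed is built from the configured path, so accepting the absolute form does not widen what can run as root.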
