oslo-incubator

zmq requires rootwrap - does not provide filters to projects

Bug #1160420 reported by Erica Windisch on 2013-03-26

8

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	oslo-incubator	Fix Released	High	Erica Windisch	oslo-incubator 2013.2 "havana"

Bug Description

Presently, the zmq driver requires rootwrap to create the socket directory (defaults to /var/run/openstack). No rootwrap configuration is provided in oslo-incubator to copy into the consuming projects (and there seems to be no facility to provide this in update.py at present).

Note that this is a soft dependency. Administrators, packages, or start-up scripts can still create this directory outside of the code.

Solutions are:
* Default to /tmp instead of /var/run/openstack (could also eliminate processutils dependency)
* Extend update.py to do file-copying for module-specific rootwrap filters.
* Manually update each consuming project's rootwrap filters...
* Bake the need for this directory into documentation, packages, and startup scripts. Would need to be baked into devstack, too.

Welcome to suggestions.

See original description

Tags:

Erica Windisch (ewindisch) on 2013-03-26

description:

updated

Thierry Carrez (ttx) on 2013-04-12

tags:

added: rootwrap

Revision history for this message

Thierry Carrez (ttx) wrote on 2013-04-12:

#1

Safely creating a directory under /tmp by default (and letting people choose something else but then they have to create it) seems to avoid the problem altogether.

It's safer not to have rootwrap at all on nodes where we can avoid it, so using rootwrap should always be seen as the worse solution ;) So it's better if oslo stuff does not grow a dependency on rootwrap...

Revision history for this message

Erica Windisch (ewindisch) wrote on 2013-04-12:

#2

Thierry, I agree. I'm not sure how we should handle the upgrade story for this.

Revision history for this message

Thierry Carrez (ttx) wrote on 2013-04-12:

#3

How much of a problem is it if that (unspecified) socket directory moves on upgrade ? Do you lose data / state ? In my view, not specifying a value there means "wherever the system prefers it"... and is subject to (documented) change ?

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-04-23: Fix proposed to oslo-incubator (master)

#4

Fix proposed to branch: master
Review: https://review.openstack.org/27346

Changed in oslo:
assignee:	nobody → Eric Windisch (ewindisch)
status:	New → In Progress

Mark McLoughlin (markmc) on 2013-04-23

Changed in oslo:
importance:	Undecided → High

Revision history for this message

Mark McLoughlin (markmc) wrote on 2013-05-09:

#5

Hmm, how did run_as_root=true ever work here? We're calling process_utils.execute(.., run_as_root=True) but not passing any root_helper argument ... this should have no effect?

Anyway, since https://review.openstack.org/28014 this is definitely broken:

Traceback (most recent call last):
   File "/opt/stack/venvs/nova/bin/nova-rpc-zmq-receiver", line 8, in <module>
     load_entry_point('nova==2013.2.a3.gb5a946d', 'console_scripts', 'nova-rpc-zmq-receiver')()
   File "/opt/stack/venvs/nova/local/lib/python2.7/site-packages/nova/cmd/rpc_zmq_receiver.py", line 37, in main
     reactor.consume_in_thread()
   File "/opt/stack/venvs/nova/local/lib/python2.7/site-packages/nova/openstack/common/rpc/impl_zmq.py", line 526, in consume_in_thread
     utils.execute('mkdir', '-p', ipc_dir, run_as_root=True)
2013-05-09 10:29:44,895.895 6560 TRACE nova File "/opt/stack/venvs/nova/local/lib/python2.7/site-packages/nova/openstack/common/processutils.py", line 128, in execute
     message=('Command requested root, but did not specify a root '
NoRootWrapSpecified: Command requested root, but did not specify a root helper.

Thanks to Derek Higgins for pointing it out.

Revision history for this message

Erica Windisch (ewindisch) wrote on 2013-05-16:

#6

Mark: I don't think this ever *DID* work. In practice, we've always bypassed this codepath by creating the directory before hand.

The creation of this directory has been handled by the packages or in devstack, etc... I believe the tests create the IPC directory as well.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-05-29: Fix merged to oslo-incubator (master)

#7

Reviewed: https://review.openstack.org/27346
Committed: http://github.com/openstack/oslo-incubator/commit/b677b13560fc1e670022cefa2d330d84dac2304a
Submitter: Jenkins
Branch: master

commit b677b13560fc1e670022cefa2d330d84dac2304a
Author: Eric Windisch <email address hidden>
Date: Tue Apr 23 10:43:19 2013 -0400

Remove rootwrap from IPC directory creation

Removes processutils/rootwrap dependency.
Fixes bug 1160420 and partially fixes 1180631.

    The attempt will still be made to create
    /var/run/openstack, but will give a reasonable
    error when it happens.

If the directory exists, but permissions are denied,
we should also give a reasonable error.

    A patch will be submitted to devstack
    that will set and create the IPC directory as necessary.
    Packagers should do this as well.

Change-Id: I7814320adbfd0b2fe54cc2e523452c18ab2e7687

Changed in oslo:
status:	In Progress → Fix Committed

Thierry Carrez (ttx) on 2013-05-30

Changed in oslo:
milestone:	none → havana-1
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2013-10-17

Changed in oslo:
milestone:	havana-1 → 2013.2

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.