tripleo

neutron failover does not work properly after baremetal->container upgrade

Bug #1772072 reported by Brent Eagles on 2018-05-18

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	tripleo	Fix Released	Critical	Brent Eagles	tripleo rocky-2

Bug Description

related bug: https://bugs.launchpad.net/tripleo/+bug/1752330

original reported bug: https://bugzilla.redhat.com/show_bug.cgi?id=1563443

When upgrading from baremetal to containers, neutron subprocesses like keepalived, etc continue to run on baremetal. However, there is a permissions mismatch between the containers and the corresponding baremetal processes (neutron uid does not match neutron uid in container). This breaks failover monitoring and interprocess communication between the containerized neutron agents and supporting processes.

Tags:

Brent Eagles (beagles) on 2018-05-18

Changed in tripleo:
status:	New → Confirmed
importance:	Undecided → Critical
assignee:	nobody → Brent Eagles (beagles)
milestone:	none → rocky-2

OpenStack Infra (hudson-openstack) on 2018-05-18

Changed in tripleo:
status:	Confirmed → In Progress

OpenStack Infra (hudson-openstack) on 2018-05-19

Changed in tripleo:
assignee:	Brent Eagles (beagles) → Marius Cornea (mcornea)

OpenStack Infra (hudson-openstack) on 2018-05-22

Changed in tripleo:
assignee:	Marius Cornea (mcornea) → Brent Eagles (beagles)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-05-25: Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/567655
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=818ad752f8b048217a0d5b76ea2c5f86714597f4
Submitter: Zuul
Branch: master

commit 818ad752f8b048217a0d5b76ea2c5f86714597f4
Author: Brent Eagles <email address hidden>
Date: Thu May 10 15:03:41 2018 -0230

Add acl to paths that are shared among related neutron processes

    Neutron runs several processes to support features such as routers,
    dhcp, etc. Neutron monitors these processes through shared domain
    sockets, pids files, etc in /var/lib/neutron. When upgrading a node
    from a non-containerized deployment to containers, the user and group
    ids are updated to that of the container and the supporting processes
    are no longer able to access the shared files. This patch adds ACL to
    the shared files to resolve this.

Note this only impacts upgraded nodes and only routers, networks, etc,
that existed before the upgrade.

Closes-Bug: #1772072
Change-Id: I8f28032488c30b5d38d8c7fa76872a2c3a642717

Changed in tripleo:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-05-25: Fix proposed to tripleo-heat-templates (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/570563

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-05-26: Fix merged to tripleo-heat-templates (stable/queens)

Reviewed: https://review.openstack.org/570563
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=816a4347953bea4b3f85a76938a6b218aca99450
Submitter: Zuul
Branch: stable/queens

commit 816a4347953bea4b3f85a76938a6b218aca99450
Author: Brent Eagles <email address hidden>
Date: Thu May 10 15:03:41 2018 -0230

Add acl to paths that are shared among related neutron processes

Note this only impacts upgraded nodes and only routers, networks, etc,
that existed before the upgrade.

    Closes-Bug: #1772072
    Change-Id: I8f28032488c30b5d38d8c7fa76872a2c3a642717
    (cherry picked from commit 818ad752f8b048217a0d5b76ea2c5f86714597f4)