vif_plug_ovs.linux_net.delete_net_dev is called outside the privsep context

Bug #1801072 reported by Rodolfo Alonso
Affects: os-vif
Status: Fix Committed
Importance: Critical
Assigned to: sean mooney

Bug Description

Method "vif_plug_ovs.linux_net.delete_net_dev" must be called inside the "privsep.vif_plug.entrypoint" context because it needs oslo_privsep.capabilities.CAP_NET_ADMIN.
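A diagnostic sketch for the capability named above, added here as an example and not part of the bug report or the os-vif code: deleting a network device needs CAP_NET_ADMIN in the caller's effective set, and a call made without it fails with EPERM ("Operation not permitted"). The code decodes the capability masks the kernel exposes in `/proc/<pid>/status`; the function names and the sample status excerpts are constructed for illustration.

```python
"""Check whether a process holds CAP_NET_ADMIN (added example)."""

CAP_NET_ADMIN = 12  # bit index from <linux/capability.h>
CAP_FIELDS = ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb")

# Constructed /proc/<pid>/status excerpts (not taken from the bug report).
SAMPLE_UNPRIVILEGED = (
    "Name:\tnova-compute\nCapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n"
)
SAMPLE_PRIVSEP = (
    "Name:\tprivsep-helper\nCapPrm:\t0000000000001000\nCapEff:\t0000000000001000\n"
)
SAMPLE_PERMITTED_ONLY = (
    "Name:\tworker\nCapPrm:\t0000000000001000\nCapEff:\t0000000000000000\n"
)


def parse_cap_sets(status_text):
    """Return the capability sets in a status file as {field: int mask}."""
    caps = {}
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key in CAP_FIELDS:
            caps[key] = int(value.strip(), 16)  # masks are printed in hex
    return caps


def net_admin_state(status_text):
    """Classify CAP_NET_ADMIN as 'effective', 'permitted-only' or 'absent'."""
    caps = parse_cap_sets(status_text)
    if "CapEff" not in caps or "CapPrm" not in caps:
        raise ValueError("status text has no CapPrm/CapEff lines")
    bit = 1 << CAP_NET_ADMIN
    if caps["CapEff"] & bit:
        return "effective"       # privileged netlink calls are allowed
    if caps["CapPrm"] & bit:
        return "permitted-only"  # held but not raised: calls still get EPERM
    return "absent"              # the caller must go through a privileged helper


def current_process_state(path="/proc/self/status"):
    """Run the same check against a live process (Linux only)."""
    with open(path) as fh:
        return net_admin_state(fh.read())


if __name__ == "__main__":
    for text in (SAMPLE_UNPRIVILEGED, SAMPLE_PRIVSEP, SAMPLE_PERMITTED_ONLY):
        print(text.split("\n", 1)[0], "->", net_admin_state(text))
```
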

Changed in os-vif:
status: New → Confirmed
importance: Undecided → Critical
Brian Haley (brian-haley) wrote :

Example error:

http://logs.openstack.org/54/613554/4/check/neutron-tempest-iptables_hybrid/2a9e423/logs/screen-n-cpu.txt.gz?level=WARNING#_Nov_01_10_27_32_358410

It's currently causing a failure in the neutron-tempest-iptables_hybrid job in the neutron check queue.

This is with version 1.12.0 of the os-vif code.

sean mooney (sean-k-mooney) wrote :

This error is causing an exception to be thrown when using the iptables firewall; see

http://logs.openstack.org/54/613554/4/gate/neutron-tempest-iptables_hybrid/8a3d5a2/logs/screen-n-cpu.txt.gz?level=TRACE#_Nov_01_01_35_05_887143

Nov 01 01:35:07.388143 ubuntu-xenial-ovh-bhs1-0000245319 nova-compute[30258]: ERROR os_vif [None req-699fea88-7fc5-4cb1-8ec3-5dd79f4b80ad tempest-AttachInterfacesUnderV243Test-1716012966 tempest-AttachInterfacesUnderV243Test-1716012966] Failed to unplug vif VIFBridge(active=True,address=fa:16:3e:ff:a1:a0,bridge_name='qbr8bd88774-92',has_traffic_filtering=True,id=8bd88774-92ef-4250-a603-43fecd470309,network=Network(b67281f5-e54f-4f67-9fd0-a4ba526e8342),plugin='ovs',port_profile=VIFPortProfileOpenVSwitch,preserve_on_delete=False,vif_name='tap8bd88774-92'): NetlinkError: (1, 'Operation not permitted')
Nov 01 01:35:07.388919 ubuntu-xenial-ovh-bhs1-0000245319 nova-compute[30258]: ERROR os_vif Traceback (most recent call last):
Nov 01 01:35:07.389061 ubuntu-xenial-ovh-bhs1-0000245319 nova-compute[30258]: ERROR os_vif File "/usr/local/lib/python2.7/dist-packages/os_vif/__init__.py", line 110, in unplug
Nov 01 01:35:07.389175 ubuntu-xenial-ovh-bhs1-0000245319 nova-compute[30258]: ERROR os_vif plugin.unplug(vif, instance_info)
Nov 01 01:35:07.389295 ubuntu-xenial-ovh-bhs1-0000245319 nova-compute[30258]: ERROR os_vif File "/usr/local/lib/python2.7/dist-packages/vif_plug_ovs/ovs.py", line 286, in unplug
Nov 01 01:35:07.389423 ubuntu-xenial-ovh-bhs1-0000245319 nova-compute[30258]: ERROR os_vif self._unplug_bridge(vif, instance_info)
Nov 01 01:35:07.389574 ubuntu-xenial-ovh-bhs1-0000245319 nova-compute[30258]: ERROR os_vif File "/usr/local/lib/python2.7/dist-packages/vif_plug_ovs/ovs.py", line 252, in _unplug_bridge
Nov 01 01:35:07.389687 ubuntu-xenial-ovh-bhs1-0000245319 nova-compute[30258]: ERROR os_vif self.ovsdb.delete_ovs_vif_port(vif.network.bridge, v2_name)
Nov 01 01:35:07.389875 ubuntu-xenial-ovh-bhs1-0000245319 nova-compute[30258]: ERROR os_vif File "/usr/local/lib/python2.7/dist-packages/vif_plug_ovs/ovsdb/ovsdb_lib.py", line 90, in delete_ovs_vif_port
Nov 01 01:35:07.390018 ubuntu-xenial-ovh-bhs1-0000245319 nova-compute[30258]: ERROR os_vif linux_net.delete_net_dev(dev)
Nov 01 01:35:07.390137 ubuntu-xenial-ovh-bhs1-0000245319 nova-compute[30258]: ERROR os_vif File "/usr/local/lib/python2.7/dist-packages/vif_plug_ovs/linux_net.py", line 73, in delete_net_dev
Nov 01 01:35:07.390242 ubuntu-xenial-ovh-bhs1-0000245319 nova-compute[30258]: ERROR os_vif ip_lib.delete(dev, check_exit_code=[0, 2, 254])
Nov 01 01:35:07.390368 ubuntu-xenial-ovh-bhs1-0000245319 nova-compute[30258]: ERROR os_vif File "/usr/local/lib/python2.7/dist-packages/os_vif/internal/command/ip/__init__.py", line 34, in delete
Nov 01 01:35:07.390479 ubuntu-xenial-ovh-bhs1-0000245319 nova-compute[30258]: ERROR os_vif return api._get_impl().delete(device, check_exit_code=check_exit_code)
Nov 01 01:35:07.390612 ubuntu-xenial-ovh-bhs1-0000245319 nova-compute[30258]: ERROR os_vif File "/usr/local/lib/python2.7/dist-packages/os_vif/internal/command/ip/linux/impl_pyroute2.py", line 94, in delete
Nov 01 01:35:07.390734 ubuntu-xenial-ov...


Changed in os-vif:
assignee: nobody → sean mooney (sean-k-mooney)
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to os-vif (master)

Reviewed: https://review.openstack.org/602384
Committed: https://git.openstack.org/cgit/openstack/os-vif/commit/?id=165ed325917e5deadb274ad9c122db157c0b55b2
Submitter: Zuul
Branch: master

commit 165ed325917e5deadb274ad9c122db157c0b55b2
Author: Sean Mooney <email address hidden>
Date: Thu Sep 13 16:50:33 2018 +0100

    always create ovs port during plug

    - This change modifies the ovs plugin to always
      create the ovs interface in the ovs db.
    - This change enables the neutron l2 agent to configure
      the ovs interface by assigning a vlan tag and
      installing openflow rules as appropriate.
    - This change will reduce the live migration
      time for kernel ovs ports with hybrid plug false
      by creating the ovs port as part of plug before
      the migration starts.
    - This change adds the privsep decorator
      to delete_net_dev to account for its new usage
      via _unplug_vif_generic and address bug #1801072

    Change-Id: Iaf15fa7a678ec2624f7c12f634269c465fbad930
    Partial-Bug: #1734320
    Closes-Bug: #1801072

Changed in os-vif:
status: In Progress → Fix Released
Changed in os-vif:
status: Fix Released → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/os-vif 1.13.0

This issue was fixed in the openstack/os-vif 1.13.0 release.

OpenStack Infra (hudson-openstack) wrote : Change abandoned on os-vif (stable/queens)

Change abandoned by sean mooney (<email address hidden>) on branch: stable/queens
Review: https://review.opendev.org/609851

OpenStack Infra (hudson-openstack) wrote : Change abandoned on os-vif (stable/rocky)

Change abandoned by sean mooney (<email address hidden>) on branch: stable/rocky
Review: https://review.opendev.org/609850
