quantum-lbaas-agent ignores use_namespaces = False

Bug #1201249 reported by Brandon Lee
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
neutron
Low
Eugene Nikanorov

Bug Description

When use_namespaces = False is set in /etc/quantum/lbaas_agent.ini, the option is still ignored and the lbaas agent tries to execute the command:

Command: ['sudo', 'quantum-rootwrap', '/etc/quantum/rootwrap.conf', 'ip', 'netns', 'add', 'qlbaas-7930133f-49ea-4183-ab39-e83220cf6661']

Revision history for this message
Eugene Nikanorov (enikanorov) wrote :

Currently available implementation uses namespaces to provision haproxy software balancers for tenants.
Hence it ignores this option.
The solution might be to remove it from configuration file of lbaas agent

tags: added: lbaas
tags: removed: quantum quantum-lbaas-agent
Changed in neutron:
importance: Undecided → Low
status: New → Confirmed
Revision history for this message
yong sheng gong (gongysh) wrote :

cannot we implement the agent without namespace?

Revision history for this message
Eugene Nikanorov (enikanorov) wrote :

I think for software haproxy this would not be a practical solution for multitenant environments.
For agent supporting hardware/virtual appliances use_namespace option will not make sense.

Changed in neutron:
assignee: nobody → Eugene Nikanorov (enikanorov)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/37022

Changed in neutron:
status: Confirmed → In Progress
Revision history for this message
Brandon Lee (devmgr1) wrote :

This is not a fix, this is a downgrade. use_namespace is an option in openstack, not a requirement. Removing the option causes it to be a requirement. This is a continued problem in openstack development, if we settle for less that's just what we get, less.

The fix is to modify the code base so that the ldaas agent can be used with or without namespaces. Haproxy does not require namespaces to function.

Please fix the code don't downgrade it.

Revision history for this message
Eugene Nikanorov (enikanorov) wrote :

The option you are referring to is an option for the reference implementation agent which is namespace specific.
E.g. this option was never used in this particular implementation of lbaas agent.

Adding support for haproxy balancer for hosts having no namespace support is a feature with much bigger scope than this bug and its practical need is doubtful.

Revision history for this message
Brandon Lee (devmgr1) wrote :

I agree with you 100% Eugene, absolutely "adding support for haproxy balancer for hosts having no namespace support is a feature with much bigger scope." I think you'd come to find truth to this in anything you do in life that it's always harder to do the right thing than to take the easy way out.

With respect to "its practical need is doubtful," namespace support has to compiled into the kernel, and iproute2 has to be installed, needless to say both of which are not offered in your standard OS deployment. If we continue down this path of eliminating possibilities, then the only people that are going to have the skills to deploy OpenStack are the developers.

If we want OpenStack to trudge down the path to success, then we must make it user friendly, otherwise, people would rather pay for a mainstream provider convenience where these options are not a requirement, but yet an option.

Revision history for this message
Eugene Nikanorov (enikanorov) wrote :

I suggest to look at this from usage perspective: what would be if there were no namespaces? (I'm speaking about reference implementation now)

1) we will have to account for server tcp ports which accept incoming traffic since all haproxy processes will share the same network stack
2) we'll need to verify member addresses in order to prevent the balancer of one tenant to access members of another tenant.
This, in turn, would make object model dependent on deployment (with or without namespaces)

Even single (1) makes this impractical because most users would want default 80th port to balance traffic.

Revision history for this message
Brandon Lee (devmgr1) wrote :

Unfortunately, I don't have the answer of how to fix it, otherwise I would have done it myself. And, the easy route is to simply remove the option, this is the right way. Anyone has any other input?

Revision history for this message
Mark McClain (markmcclain) wrote :

Some features will require network namespace support and this is one of them. I think that removing the erroneous option is a valid fix. I expect at the Icehouse summit we will spend a little time talking about the timeline for deprecating no namespace support.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/37022
Committed: http://github.com/openstack/neutron/commit/078a73c6166fdd6f126feb8f7c7debf12b518159
Submitter: Jenkins
Branch: master

commit 078a73c6166fdd6f126feb8f7c7debf12b518159
Author: Eugene Nikanorov <email address hidden>
Date: Mon Jul 15 09:42:12 2013 +0400

    Remove use_namespaces option from etc/lbaas_agent.ini

    fixes bug 1201249

    Remove option from ini file since it is nor registered nor used
    in lbaas agent.

    Change-Id: I611f794279fea4a4155309cd0668e3b9718221b1

Changed in neutron:
status: In Progress → Fix Committed
Changed in neutron:
milestone: none → havana-3
Thierry Carrez (ttx)
Changed in neutron:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in neutron:
milestone: havana-3 → 2013.2
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers