neutron

rootwrap daemon bypassed - Breaks XenServer

Bug #1810764 reported by Bob Ball
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
neutron
Invalid
High
Unassigned

Bug Description

The commit https://github.com/openstack/neutron/commit/05a54e800430bcfc81e36e1dad89fa47f3e8a6f0 appears to break XenServer integration.

Specifically, https://github.com/openstack/neutron/commit/05a54e800430bcfc81e36e1dad89fa47f3e8a6f0#diff-6a3c59b7b71c12cc29eca4c85268864eR1348 appears to run exclusively in the context of Nova - however in XenServer, the IP address for the tunnel is in dom0. XenServer's agent will redirect the actual OVS command to dom0 so the local IP address check is not valid.

We therefore fail with ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent [-] Tunneling can't be enabled with invalid local_ip '10.62.65.37'. IP couldn't be found on this host's interfaces.

XenServer uses a rootwrap helper - https://github.com/openstack/os-xenapi/blob/master/devstack/plugin.sh#L148

I think the bug may be that we can't use privileged.get_ip_addresses but instead need to use agent_utils.execute to obtain the IP addresses

See original description
Tags: xenserver
Revision history for this message
Bob Ball (bob-ball) wrote :
Download full text (3.6 KiB)

2018-12-22 03:59:26.233 | +functions-common:service_check:1545 (B sudo systemctl status <email address hidden> --no-pager
2018-12-22 03:59:26.279 | ● <email address hidden> - Devstack <email address hidden>
2018-12-22 03:59:26.279 | Loaded: loaded (/<email address hidden>; enabled; vendor preset: enabled)
2018-12-22 03:59:26.280 | Active: failed (Result: exit-code) since Sat 2018-12-22 03:59:22 UTC; 3s ago
2018-12-22 03:59:26.280 | Process: 14962 ExecStart=/usr/local/bin/neutron-openvswitch-agent --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/ml2_conf.ini.domU (code=exited, status=1/FAILURE)
2018-12-22 03:59:26.280 | Main PID: 14962 (code=exited, status=1/FAILURE)
2018-12-22 03:59:26.280 | CGroup: /<email address hidden>
2018-12-22 03:59:26.280 |
2018-12-22 03:59:26.280 | Dec 22 03:59:22 DevStackOSDomU neutron-openvswitch-agent[14962]: DEBUG oslo.privsep.daemon [-] privsep: request[140688752052816]: (3, 'neutron.privileged.agent.linux.ip_lib.get_ip_addresses', (None,), {'index': 6, 'address': '10.71.136.118'}) {{(pid=15427) loop /usr/local/lib/python2.7/dist-packages/oslo_privsep/daemon.py:443}}
2018-12-22 03:59:26.280 | Dec 22 03:59:22 DevStackOSDomU neutron-openvswitch-agent[14962]: DEBUG oslo.privsep.daemon [-] privsep: reply[140688752052816]: (4, ()) {{(pid=15427) loop /usr/local/lib/python2.7/dist-packages/oslo_privsep/daemon.py:456}}
2018-12-22 03:59:26.280 | Dec 22 03:59:22 DevStackOSDomU neutron-openvswitch-agent[14962]: DEBUG oslo.privsep.daemon [-] privsep: request[140688752052816]: (3, 'neutron.privileged.agent.linux.ip_lib.get_ip_addresses', (None,), {'index': 7, 'address': '10.71.136.118'}) {{(pid=15427) loop /usr/local/lib/python2.7/dist-packages/oslo_privsep/daemon.py:443}}
2018-12-22 03:59:26.280 | Dec 22 03:59:22 DevStackOSDomU neutron-openvswitch-agent[14962]: DEBUG oslo.privsep.daemon [-] privsep: reply[140688752052816]: (4, ()) {{(pid=15427) loop /usr/local/lib/python2.7/dist-packages/oslo_privsep/daemon.py:456}}
2018-12-22 03:59:26.281 | Dec 22 03:59:22 DevStackOSDomU neutron-openvswitch-agent[14962]: DEBUG oslo.privsep.daemon [-] privsep: request[140688752052816]: (3, 'neutron.privileged.agent.linux.ip_lib.get_ip_addresses', (None,), {'index': 8, 'address': '10.71.136.118'}) {{(pid=15427) loop /usr/local/lib/python2.7/dist-packages/oslo_privsep/daemon.py:443}}
2018-12-22 03:59:26.281 | Dec 22 03:59:22 DevStackOSDomU neutron-openvswitch-agent[14962]: DEBUG oslo.privsep.daemon [-] privsep: reply[140688752052816]: (4, ()) {{(pid=15427) loop /usr/local/lib/python2.7/dist-packages/oslo_privsep/daemon.py:456}}
2018-12-22 03:59:26.281 | Dec 22 03:59:22 DevStackOSDomU neutron-openvswitch-agent[14962]: ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent [-] Tunneling can't be enabled with invalid local_ip '10.71.136.118'. IP couldn't be found on this host's interfaces.
2018-12-22 03:59:26.281 | Dec 22 03:59:22 DevStackOSDomU systemd[1]: <email address hidden>: Main process exited, code=exited, status=1/FAILURE
2018-12-22 03:59:26.281 | Dec 22 03:59:22 DevStackOSDomU systemd[1]: devstack@q-do...

Read more...

Slawek Kaplonski (slaweq)
Changed in neutron:
status: New → Confirmed
importance: Undecided → High
Bob Ball (bob-ball)
summary: - XenServer cannot enable tunneling
+ rootwrap daemon broken - Breaks XenServer
Bob Ball (bob-ball)
summary: - rootwrap daemon broken - Breaks XenServer
+ rootwrap daemon bypassed - Breaks XenServer
Bob Ball (bob-ball)
description: updated
Revision history for this message
Brian Haley (brian-haley) wrote :

I believe we deprecated, then removed, Xen support in neutron in 2020 [0] so I'll close this bug. Please reopen if necessary.

[0] https://review.opendev.org/q/a6dbf97242caa3be646e8eb6b1502b5e59e123fd

Changed in neutron:
status: Confirmed → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.