rootwrap daemon bypassed - Breaks XenServer

Bug #1810764 reported by Bob Ball on 2019-01-07
This bug affects 1 person
Affects: neutron
Importance: High
Assigned to: Unassigned

Bug Description

The commit https://github.com/openstack/neutron/commit/05a54e800430bcfc81e36e1dad89fa47f3e8a6f0 appears to break XenServer integration.

Specifically, https://github.com/openstack/neutron/commit/05a54e800430bcfc81e36e1dad89fa47f3e8a6f0#diff-6a3c59b7b71c12cc29eca4c85268864eR1348 appears to run exclusively in the context of Nova - however in XenServer, the IP address for the tunnel is in dom0. XenServer's agent will redirect the actual OVS command to dom0 so the local IP address check is not valid.

We therefore fail with ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent [-] Tunneling can't be enabled with invalid local_ip '10.62.65.37'. IP couldn't be found on this host's interfaces.

XenServer uses a rootwrap helper - https://github.com/openstack/os-xenapi/blob/master/devstack/plugin.sh#L148

I think the bug may be that we can't use privileged.get_ip_addresses but instead need to use agent_utils.execute to obtain the IP addresses.
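
Added example, not part of the original report and not neutron or os-xenapi code: a sketch of why a local_ip check that bypasses the configured root helper fails when the tunnel address lives in dom0. The helper name, the executor function and both `ip` outputs are constructed placeholders; only the address 10.62.65.37 comes from the report.

```python
import ipaddress
import shlex

# Placeholder root helper command line (hypothetical, not the real helper).
ROOT_HELPER = "dom0-root-helper /etc/example/rootwrap.conf"

# Constructed `ip -o -4 addr show` output for the two contexts in the report.
DOMU_OUTPUT = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
"""
DOM0_OUTPUT = """\
1: lo    inet 127.0.0.1/8 scope host lo
6: xenbr0    inet 10.62.65.37/20 brd 10.62.79.255 scope global xenbr0
"""


def parse_ipv4_addresses(ip_output):
    """Return the set of IPv4 addresses found in `ip -o -4 addr show` output."""
    found = set()
    for line in ip_output.splitlines():
        fields = line.split()
        if "inet" in fields:
            cidr = fields[fields.index("inet") + 1]
            found.add(ipaddress.ip_interface(cidr).ip)
    return found


def make_executor(root_helper=None):
    """Hypothetical command runner. Without a helper the command runs where
    the agent runs (domU); with one, the helper decides where it runs (dom0
    in the XenServer setup). Execution is simulated with the samples above."""
    def execute(cmd):
        full_cmd = shlex.split(root_helper) + cmd if root_helper else cmd
        return full_cmd, (DOM0_OUTPUT if root_helper else DOMU_OUTPUT)
    return execute


def local_ip_is_valid(local_ip, execute):
    """Check local_ip against the interfaces seen through the given executor."""
    _, output = execute(["ip", "-o", "-4", "addr", "show"])
    return ipaddress.ip_address(local_ip) in parse_ipv4_addresses(output)


if __name__ == "__main__":
    for helper in (None, ROOT_HELPER):
        ok = local_ip_is_valid("10.62.65.37", make_executor(helper))
        print("root_helper=%r -> local_ip valid: %s" % (helper, ok))
```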

Bob Ball (bob-ball) wrote :

2018-12-22 03:59:26.233 | +functions-common:service_check:1545 sudo systemctl status <email address hidden> --no-pager
2018-12-22 03:59:26.279 | ● <email address hidden> - Devstack <email address hidden>
2018-12-22 03:59:26.279 | Loaded: loaded (/<email address hidden>; enabled; vendor preset: enabled)
2018-12-22 03:59:26.280 | Active: failed (Result: exit-code) since Sat 2018-12-22 03:59:22 UTC; 3s ago
2018-12-22 03:59:26.280 | Process: 14962 ExecStart=/usr/local/bin/neutron-openvswitch-agent --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/ml2_conf.ini.domU (code=exited, status=1/FAILURE)
2018-12-22 03:59:26.280 | Main PID: 14962 (code=exited, status=1/FAILURE)
2018-12-22 03:59:26.280 | CGroup: /<email address hidden>
2018-12-22 03:59:26.280 |
2018-12-22 03:59:26.280 | Dec 22 03:59:22 DevStackOSDomU neutron-openvswitch-agent[14962]: DEBUG oslo.privsep.daemon [-] privsep: request[140688752052816]: (3, 'neutron.privileged.agent.linux.ip_lib.get_ip_addresses', (None,), {'index': 6, 'address': '10.71.136.118'}) {{(pid=15427) loop /usr/local/lib/python2.7/dist-packages/oslo_privsep/daemon.py:443}}
2018-12-22 03:59:26.280 | Dec 22 03:59:22 DevStackOSDomU neutron-openvswitch-agent[14962]: DEBUG oslo.privsep.daemon [-] privsep: reply[140688752052816]: (4, ()) {{(pid=15427) loop /usr/local/lib/python2.7/dist-packages/oslo_privsep/daemon.py:456}}
2018-12-22 03:59:26.280 | Dec 22 03:59:22 DevStackOSDomU neutron-openvswitch-agent[14962]: DEBUG oslo.privsep.daemon [-] privsep: request[140688752052816]: (3, 'neutron.privileged.agent.linux.ip_lib.get_ip_addresses', (None,), {'index': 7, 'address': '10.71.136.118'}) {{(pid=15427) loop /usr/local/lib/python2.7/dist-packages/oslo_privsep/daemon.py:443}}
2018-12-22 03:59:26.280 | Dec 22 03:59:22 DevStackOSDomU neutron-openvswitch-agent[14962]: DEBUG oslo.privsep.daemon [-] privsep: reply[140688752052816]: (4, ()) {{(pid=15427) loop /usr/local/lib/python2.7/dist-packages/oslo_privsep/daemon.py:456}}
2018-12-22 03:59:26.281 | Dec 22 03:59:22 DevStackOSDomU neutron-openvswitch-agent[14962]: DEBUG oslo.privsep.daemon [-] privsep: request[140688752052816]: (3, 'neutron.privileged.agent.linux.ip_lib.get_ip_addresses', (None,), {'index': 8, 'address': '10.71.136.118'}) {{(pid=15427) loop /usr/local/lib/python2.7/dist-packages/oslo_privsep/daemon.py:443}}
2018-12-22 03:59:26.281 | Dec 22 03:59:22 DevStackOSDomU neutron-openvswitch-agent[14962]: DEBUG oslo.privsep.daemon [-] privsep: reply[140688752052816]: (4, ()) {{(pid=15427) loop /usr/local/lib/python2.7/dist-packages/oslo_privsep/daemon.py:456}}
2018-12-22 03:59:26.281 | Dec 22 03:59:22 DevStackOSDomU neutron-openvswitch-agent[14962]: ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent [-] Tunneling can't be enabled with invalid local_ip '10.71.136.118'. IP couldn't be found on this host's interfaces.
2018-12-22 03:59:26.281 | Dec 22 03:59:22 DevStackOSDomU systemd[1]: <email address hidden>: Main process exited, code=exited, status=1/FAILURE
2018-12-22 03:59:26.281 | Dec 22 03:59:22 DevStackOSDomU systemd[1]: devstack@q-do...

Changed in neutron:
status: New → Confirmed
importance: Undecided → High
Bob Ball (bob-ball) on 2019-01-07
summary: - XenServer cannot enable tunneling
+ rootwrap daemon broken - Breaks XenServer
Bob Ball (bob-ball) on 2019-01-07
summary: - rootwrap daemon broken - Breaks XenServer
+ rootwrap daemon bypassed - Breaks XenServer
Bob Ball (bob-ball) on 2019-01-07
description: updated