Commit Graph

28 Commits

Author SHA1 Message Date
Rodolfo Alonso Hernandez be6ee6f397 Remove not needed rootwrap filters
This patch moves all remaining filters to a single file. Since [1],
the number of processes executed using rootwrap has been reduced to
a small set.

[1] https://storyboard.openstack.org/#!/story/2007686

Story: #2007686
Task: #41284

Change-Id: Ic7eb717b9ee18068d7a6d7acb11302dd1fde60c6
2021-04-02 10:49:07 +00:00
Rodolfo Alonso Hernandez ee00bddce7 Remove rootwrap execution (6)
Replace rootwrap execution with privsep context execution.
This series of patches will progressively replace any
rootwrap call.

This patch migrates the "kill_process" method to privsep and
removes the unneeded rootwrap filters.

Change-Id: I48461be8b08cbc21c8af371f551b944343ba37bf
Story: #2007686
Task: #41558
2021-03-05 10:03:22 +00:00
Rodolfo Alonso Hernandez 55f5c78053 Remove "ovs-vsctl" support from rootwrap
This command is executed from scripts and in sanity checks, but not
from any Neutron service.

Change-Id: If82e89bf7b233559513ab44eadebb445648f0684
Story: #2007686
Task: #41282
2020-11-23 16:23:36 +00:00
Zuul 8441737127 Merge "Migrate "ethtool" to oslo.privsep" 2020-08-14 22:58:44 +00:00
Zuul bffd23658e Merge "Migrate "dhcp_release" to oslo.privsep" 2020-07-08 16:01:21 +00:00
Rodolfo Alonso Hernandez b52e2e6f16 Migrate "ethtool" to oslo.privsep
Story: #2007686
Task: #40290

Change-Id: I78cc06c635e806b50ca2cc631732d55e430dd2f1
2020-07-07 17:45:54 +00:00
Zuul b1dba996b5 Merge "Remove "find" rootwrap filter" 2020-06-22 02:52:16 +00:00
Rodolfo Alonso Hernandez 7143f2be1f Remove "find" rootwrap filter
This command is not used anymore.

Trivial-Fix

Change-Id: I684c58996154d14c79f5a065470ce9e34ce08670
2020-06-11 16:13:24 +00:00
Rodolfo Alonso Hernandez e332054d63 Migrate "dhcp_release" to oslo.privsep
Story: #2007686
Task: #39976
Change-Id: I3414d06b9c6dfe549e79aab5fbe52c8f3ffd63f7
2020-06-09 09:11:31 +00:00
Alexander Vlasov 11838a2bc5 Workaround for TCP checksum issue with ovs-dpdk and veth pair
The need for this change stems from the following issues:
1) When ovs_use_veth = False with ovs-dpdk, an issue with ovs
was observed - after vswitch restart the interface is not coming up.
Meaning ovs-dpdk uses ovs internal ports and it is not able to bring
them up on restart.
2) When ovs_use_veth = True and ovs-dpdk is used, packets are sent with
incorrect checksum due to the fact that ovs-dpdk does not do checksum
calculations for veth interface.

This commit allows using the second option and resolves the checksum issue by
disabling checksum offload.

Closes-Bug: #1832021
Related-Bug: #1831935

Change-Id: Iecce8d2c6c2c46718cc1020c6e8f914cd4560e4b
2020-05-08 10:19:07 -05:00
Slawek Kaplonski 93015527f0 Add kill hooks for external processes
This patch adds the possibility to configure kill hooks used to kill
external processes, like dnsmasq or keepalived.

Change-Id: I29dfbedfb7167982323dcff1c4554ee780cc48db
Closes-Bug: #1825943
2019-06-03 14:39:51 +02:00
Slawek Kaplonski f046031456 Remove _migrate_python_ns_metadata_proxy_if_needed method
It was added as temporary helper during migration process
and was marked to delete in Queens cycle.
Now we are in Rocky so I think we are fine to remove it
finally.

Change-Id: Iacf592841559d392b59864d507dc89ef028cbf05
2018-08-04 09:53:00 +02:00
Brian Haley 3ad91f61f2 Remove deprecated IVS interface driver
This was marked deprecated in Queens for removal in Rocky,
https://review.openstack.org/#/c/505401/

Change-Id: I77fa59ae1819e87ab8ccc1fa5f0db86de3b90e2e
2018-04-26 20:15:46 +00:00
Daniel Alvarez 3b22541a2a Switch ns-metadata-proxy to haproxy
Due to the high memory footprint of current Python ns-metadata-proxy,
it has to be replaced with a lighter process to avoid OOM conditions in
large environments.

This patch spawns haproxy through a process monitor using a pidfile.
This allows tracking the process and respawn it if necessary as it was
done before. Also, it implements an upgrade path which consists of
detecting any running Python instance of ns-metadata-proxy and
replacing them by haproxy. Therefore, upgrades will take place by
simply restarting neutron-l3-agent and neutron-dhcp-agent.

According to /proc/<pid>/smaps, memory footprint goes down from ~50MB
to ~1.5MB.

Also, haproxy is added to bindep in order to ensure that it's installed.

UpgradeImpact

Depends-On: I36a5531cacc21c0d4bb7f20d4bec6da65d04c262
Depends-On: Ia37368a7ff38ea48c683a7bad76f87697e194b04

Closes-Bug: #1524916
Change-Id: I5a75cc582dca48defafb440207d10e2f7b4f218b
2017-03-08 15:20:50 +00:00
Davanum Srinivas d6c99d521f Add KillFilter for python 3.5
When we run devstack with USE_PYTHON3, the existing KillFilter
definitions are not enough. Let's add one specific to python 3.5
as well.

Change-Id: I2472e4e39315225d6c9ea1651c8e3b20edc59b49
2017-01-20 15:08:56 +00:00
Daniel Alvarez 1d38f30555 Kill processes when cleaning up namespaces
This patch will kill processes that are listening on any port/UNIX
socket within the namespace to be cleaned up. To kill them it will
issue a SIGTERM to them (or to their parents if they were forked) and,
if they don't die after a few seconds, a SIGKILL to them and all their
children.

This is intended for those cases when there's no specific cleanup and
serves as a fallback method.

Change-Id: I4195f633ef4a1788496d1293846f19eef89416aa
Partial-Bug: #1403455
2016-12-20 10:52:41 +00:00
Sergey Nechaev 2aa23de58f Adding support of releasing DHCPv6 leases
Original problem is that dhcp_release does not work with IPv6, but IPv6
leases still should be released. For example:

1. Start VM in dhcpv6-stateful network, make it acquire IPv6 address.
2. Delete VM.
3. Start another VM in same network before lease expires.

There's a very high chance that the same IPv6 address will be allocated
for both of these VMs (same address will be reused after first VM was
deleted).

On DHCP agent, hosts file would be changed, but not lease file, so
dnsmasq will not give second VM address until lease expires. Reducing
lease time is not a good solution here.

Solution is adding invocation of dhcp_release6 utility when
releasing IPv6 address. dhcp_release6 utility appears in dnsmasq 2.76.
It crafts DHCP6_Release packet, sends it from passed network
interface to IPv6 multicast address and waits for DHCP6_Reply.

Closes-Bug: 1521666
Change-Id: I5efab81cdaf0676503b6c7da0d4b4f400d859286
2016-08-31 17:33:54 -04:00
Robert Li 3b53703320 remove metadata_proxy_local filters for rootwrap
With the dependent patch Iade8b5b09bb53018485c85f8372fb94dbc2ad2da,
/usr/local/bin is added to exec_dirs in rootwrap.conf. Therefore, these
filters are no longer needed for devstack use case.

Depends-On: Iade8b5b09bb53018485c85f8372fb94dbc2ad2da
Change-Id: I98bff3cc679dfe19315f2b9b028ff48e4296e0de
2015-04-22 09:15:03 -04:00
Matthew Thode c717a6365c replaces enumeration method used to get a list of interfaces
ip_lib was parsing tunnel links incorrectly. We can create interface
names with any character the filesystem supports (not '..', '/', ':').
Given this we do not know what to delimit on so parsing iproute2 output
is probably not a good idea.

I asked the iproute2 devs what the proper way we should get interface
names is and was told NOT to parse iproute2 output but to use something
like sysfs instead.  http://www.spinics.net/lists/netdev/msg316577.html

This patch pulls interfaces from sysfs (/sys/class/net) and verifies them
via checking if they are links (bonding creates files for instance and
needs to be skipped).

Currently it is not possible without jumping through a ton of hoops to
access a network namespace without iproute2 or cython, so we use ip to
run find to find the correct sysfs directory.  We also only call out to
iproute2 _ONLY_ if needed.

Change-Id: I07d1d297f07857d216649cccf717896574aac301
Closes-Bug: 1374663
2015-03-14 21:15:53 -05:00
Han Zhou aede59641c Cleanup dead code for dnsmasq
In fix of bug 1202392, there was dead code left [1]. This patch
cleans them up.

[1] https://review.openstack.org/#/c/37580/

Change-Id: I02edb9ce6ac639e84089afea5a900462e61b934a
2015-02-07 00:24:10 +00:00
Ihar Hrachyshka b4ab2d2aaa Removed python2.6 rootwrap filters
We drop support for python 2.6 in Kilo, so those filters are not needed
anymore.

Change-Id: I8f1e346916701cab5d19044c24801e19500e713c
2014-11-28 10:56:04 +00:00
Cedric Brandily 226c4f6d80 rootwrap config files reference deleted quantum binaries
dhcp and l3 rootwrap filter files contain reference to the deleted
binary quantum-ns-metadata-proxy. This change removes these obsolete
filters.

Change-Id: Iad4772752d74a1c0535144b5faf9a1f8ae89f6a3
Closes-Bug: #1391256
2014-11-10 18:50:38 +01:00
Han Zhou 4de8a3cd94 Remove absolute path in KillFilter for metadata-proxy
This commit fixes the problem of killing neutron-ns-metadata-proxy
when running in Virtual Environment.

Change-Id: I987dd87e19c218846a48e58b61679b4153d97f66
Closes-bug: #1363773
2014-09-02 10:29:21 +00:00
joe@midokura.com e19a2ae0b3 Move MidonetInterfaceDriver and use mm-ctl
* Change the plug method in MidonetInterfaceDriver to use mm-ctl
* Move MidonetInterfaceDriver to interface.py
* adapt interface driver midonet unit tests to mm-ctl

Change-Id: Ib6cfbc212b793fa939cad17017c0b2b8b0a5b7fb
Closes-Bug: #1245797
2013-11-22 02:15:52 +00:00
Brian Haley 89e38929d2 Change daemon Pidfile class to not use root_helper
Some users of the Pidfile class don't specify root_helper,
which then defaults to 'sudo', which will generate an error.
Remove root_helper altogether since we actually don't need
root privileges to read /proc/$pid/cmdline.

Changed code to use open.readline() instead of a shell, and
tweaked tests accordingly.

Also cleaned-up the rootwrap filters that allow it as they
are not used anymore.

Fixes bug 1218142

Change-Id: I6691feb1c9f7bfa261a7ec464fd8f3f92168c302
2013-09-10 13:04:14 -04:00
Aaron Rosen d9832282cf Remove DHCP lease logic
Previously neutron was keeping track of dhcp lease time in order
to ensure it didn't hand out an ip address that was already leased.
This patch removes that logic and instead leverages the dhcp_release
utility. This allows us to reuse ip addresses immediately after a port
is deleted. This patch also bumps the lease time to 24 hours instead
of 2 minutes, which reduces the amount of dhcp traffic.

DocImpact

There is a DocImpact for this bug related to the upgrade path. One should
first upgrade their dhcp-agents. Then wait till the dhcp_lease time has
expired. Lastly, update neutron-server in order to avoid the case where
an instance is deleted and the dnsmasq process has not released the lease
and neutron allocates that ip to a new port.

Fixes bug: 1202392
Implements blueprint: remove-dhcp-lease

Change-Id: Ifcb4f093c92904ceb896438987d53e692eb7fb26
2013-08-12 16:55:48 -07:00
Thierry Carrez 042d15a314 Import Oslo's common rootwrap to Neutron
Use the common oslo-incubator rootwrap rather than maintain a
specific fork within Neutron.

- Migrated DnsmasqFilter use in dhcp.filters to the new EnvFilter
- Changed environment passing in ip_lib's netns.execute so that
  it can be properly matched using IpNetNsExecFilter + EnvFilter.
  It now calls "ip netns exec ns env A=B C=D command" instead of
  "A=B C=D ip netns exec ns command". Adjusted tests accordingly.

All the other changes are coming directly from the Oslo "rootwrap"
module sync.

Notes:
- Neutron locates its rootwrap.conf in etc/ rather than in etc/neutron
- Neutron maintains a specific bin/quantum-rootwrap-xen-dom0 which
  requires additional config in rootwrap.conf

Both behaviors were preserved in this commit, but this may need to be
addressed in the future to simplify future oslo-rootwrap updates.

Implements bp: quantum-common-rootwrap

Change-Id: I02879942a9d1169a71aa4d684c1b9ec109a6de32
2013-07-08 18:25:44 +02:00
Mark McClain ee3fe4e836 Rename Quantum to Neutron
This change renames everything to Neutron while providing backwards
compatible adjustments for Grizzly configuration files.

implements blueprint: remove-use-of-quantum

Change-Id: Ie7d07ba7c89857e13d4ddc8f0e9b68de020a3d19
2013-07-06 15:02:43 -04:00