Commit Graph

421 Commits

Author SHA1 Message Date
Rodolfo Alonso Hernandez 3d575f8bd0 Add an env variable "PROCESS_TAG" in ``ProcessManager``
Added a new environment variable "PROCESS_TAG" in ``ProcessManager``.
This environment variable can be read by the executed process and
is unique per process. This environment variable can be used to tag
the running process; for example, a container manager can use this
tag to mark a container.

This feature will be used by TripleO to identify the running containers
with a unique tag. This will make the "kill" process easier; it will
be needed just to find the container running with this tag.

Closes-Bug: #1991000
Change-Id: I234c661720a8b1ceadb5333181890806f79dc21a
2022-12-24 10:30:16 +01:00
Rodolfo Alonso Hernandez be6ee6f397 Remove not needed rootwrap filters
This patch moves all remaining filters to a single file. Since [1],
the number of processes executed using rootwrap has been reduced to
a small set.

[1] https://storyboard.openstack.org/#!/story/2007686

Story: #2007686
Task: #41284

Change-Id: Ic7eb717b9ee18068d7a6d7acb11302dd1fde60c6
2021-04-02 10:49:07 +00:00
Rodolfo Alonso Hernandez ee00bddce7 Remove rootwrap execution (6)
Replace rootwrap execution with privsep context execution.
This series of patches will progressively replace any
rootwrap call.

This patch migrates the "kill_process" method to privsep and
removes the unneeded rootwrap filters.

Change-Id: I48461be8b08cbc21c8af371f551b944343ba37bf
Story: #2007686
Task: #41558
2021-03-05 10:03:22 +00:00
Rodolfo Alonso Hernandez 5a419cbc84 Remove rootwrap execution (5)
Replace rootwrap execution with privsep context execution.
This series of patches will progressively replace any
rootwrap call.

This patch migrates some missing execution methods present in
the code and removes unneeded rootwrap filters.

Story: #2007686
Task: #41558

Change-Id: I1542dc4cf98658fc9a40018192498c7a5cd1c3fe
2021-02-19 08:47:17 +00:00
Rodolfo Alonso Hernandez 6c75316ca0 Remove rootwrap execution (4)
Replace rootwrap execution with privsep context execution.
This series of patches will progressively replace any
rootwrap call.

This patch migrates any "iptables" and "ipset" command related
to privsep.

Change-Id: I4a1e137b2b414067504ad7c799d68f482bf3d36c
Story: #2007686
Task: #41558
2021-02-08 10:05:51 +00:00
Rodolfo Alonso Hernandez a7bedd7428 Remove rootwrap execution (3)
Replace rootwrap execution with privsep context execution.
This series of patches will progressively replace any
rootwrap call.

This patch migrates the execution of "ebtables" command to
privsep.

Story: #2007686
Task: #41558

Change-Id: I05deec2f021e1b146fa3f6f7f9b37084df06d59d
2021-02-06 16:26:20 +00:00
Zuul 0ff17b1605 Merge "Remove "find" rule from rootwrap filters" 2020-12-06 14:37:14 +00:00
Rodolfo Alonso Hernandez 55f5c78053 Remove "ovs-vsctl" support from rootwrap
This command is executed from scripts and in sanity checks, but not
from any Neutron service.

Change-Id: If82e89bf7b233559513ab44eadebb445648f0684
Story: #2007686
Task: #41282
2020-11-23 16:23:36 +00:00
Slawek Kaplonski af1ade69e7 Remove "find" rule from rootwrap filters
It isn't used anymore by Neutron.

Change-Id: I6f28077e1df8ab65cca834044e47383f38bbb443
2020-11-19 20:59:40 +00:00
Zuul 8441737127 Merge "Migrate "ethtool" to oslo.privsep" 2020-08-14 22:58:44 +00:00
Zuul bffd23658e Merge "Migrate "dhcp_release" to oslo.privsep" 2020-07-08 16:01:21 +00:00
Rodolfo Alonso Hernandez b52e2e6f16 Migrate "ethtool" to oslo.privsep
Story: #2007686
Task: #40290

Change-Id: I78cc06c635e806b50ca2cc631732d55e430dd2f1
2020-07-07 17:45:54 +00:00
Zuul 4c2e78b0e2 Merge "Migrate "netstat" to oslo.privsep" 2020-07-02 13:39:34 +00:00
Zuul b1dba996b5 Merge "Remove "find" rootwrap filter" 2020-06-22 02:52:16 +00:00
Zuul 0580d03a2b Merge "Workaround for TCP checksum issue with ovs-dpdk and veth pair" 2020-06-20 18:58:11 +00:00
Rodolfo Alonso Hernandez 0c1818fbb0 Migrate "netstat" to oslo.privsep
Change-Id: If9e4c1513553c4bd10fd3b91c28c4d3f806ed816
Story: #2007686
Task: #40047
2020-06-19 14:59:11 +00:00
Rodolfo Alonso Hernandez 7143f2be1f Remove "find" rootwrap filter
This command is not used anymore.

Trivial-Fix

Change-Id: I684c58996154d14c79f5a065470ce9e34ce08670
2020-06-11 16:13:24 +00:00
Rodolfo Alonso Hernandez e332054d63 Migrate "dhcp_release" to oslo.privsep
Story: #2007686
Task: #39976
Change-Id: I3414d06b9c6dfe549e79aab5fbe52c8f3ffd63f7
2020-06-09 09:11:31 +00:00
Alexander Vlasov 11838a2bc5 Workaround for TCP checksum issue with ovs-dpdk and veth pair
The need for this change stems from the following issues:
1) When ovs_use_veth = False with ovs-dpdk, an issue with ovs
was observed - after a vswitch restart the interface is not coming up.
Meaning ovs-dpdk uses ovs internal ports and it is not able to bring
them up on restart.
2) When ovs_use_veth = True and ovs-dpdk is used, packets are sent with
an incorrect checksum due to the fact that ovs-dpdk does not do checksum
calculations for veth interfaces.

This commit allows using the second option and resolves the checksum issue by
disabling checksum offload.

Closes-Bug: #1832021
Related-Bug: #1831935

Change-Id: Iecce8d2c6c2c46718cc1020c6e8f914cd4560e4b
2020-05-08 10:19:07 -05:00
Brian Haley 4fb505891e Updates for python3.8
With the move to the Victoria job template in
https://review.opendev.org/#/c/722681/, the py37 jobs no
longer get run, so the check and gate job entries can
be removed.

Added a keepalived py38 KillFilter line to match the py36
and py37 ones.

Also updated TESTING.rst to use py38 in all examples.

Change-Id: Ief793b54d53c3239cfb24278e88e4f4189bbc2c2
2020-04-28 14:03:21 -04:00
Slawek Kaplonski 2273499155 Add rootwrap filter rule for radvd-kill script
In patch [1] support for custom kill scripts was added.
We also added rootwrap filter rules for such scripts to
kill dnsmasq, haproxy, dibbler and keepalived processes.
But we missed adding a rule for radvd-kill, so this patch
adds it (better late than never ;))

[1] https://review.opendev.org/#/c/661760/

Closes-Bug: #1873240

Change-Id: I8fa7176d1d9667c6b5cc95af0e31210d0f1c3662
2020-04-16 20:10:28 +00:00
Lucian Petrut caa34c2797 Drop invalid rootwrap filters
A recent change introduced a couple of rootwrap filters that are
supposed to allow running ping within a network namespace.

Those filters will actually replace the "ip" command with "ping",
which leads to an invalid command.

Since those two filters are now superfluous, we're going to drop
them.

Change-Id: I57869c68e858503ed8d6b86506c79c289f2820e1
Closes-Bug: #1864186
2020-02-21 13:21:20 +02:00
Zuul 1f02c4cf5f Merge ""ping"/"ping6" command support in rootwrap filters" 2020-02-20 02:31:17 +00:00
Rodolfo Alonso Hernandez 22ce84ab4d Revert "Add "ncat" rootwrap filter for debug"
This reverts commit 0ef4233d89.

This patch is introducing a redundant filter already present in
"testing.filters". The problem described in the related bug should
be solved in https://review.opendev.org/#/c/707697/.

Related-Bug: #1862927
Related-Bug: #1863213

Change-Id: I4de37364a6fb0184230a9742daced40e4edbfb30
2020-02-14 10:11:27 +00:00
Rodolfo Alonso Hernandez cc3b9df426 "ping"/"ping6" command support in rootwrap filters
To have correct support in rootwrap, the "ping"/"ping6" commands should
have the correct filters in rootwrap.

Because the "ping" command is harmless, "CommandFilter" is used to allow
any binary call, regardless of the parameters used and their order.

Nevertheless, this patch also proposes to use "ping"/"ping6" with
the same parameters and a specific order, to help in the debug
process:
- ping[6] -W <timeout> <address>
- ping[6] -W <timeout> -c <count> <address>
- ping[6] -W <timeout> -c <count> -i <interval> <address>

Those commands could be called from inside a namespace. The needed
filter is also added in this patch.

Change-Id: Ie5cbc0dcc76672b26cd2605f08cfd17a30b4c905
Closes-Bug: #1863006
2020-02-13 11:58:01 +00:00
Rodolfo Alonso Hernandez 0ef4233d89 Add "ncat" rootwrap filter for debug
In [1], new tests to check the "ncat" tool were added. The missing piece
of this patch was to add a new rootwrap filter to allow executing the
"ncat" binary as root and inside a namespace.

Closes-Bug: #1862927

[1] https://review.opendev.org/#/q/If8cf47a01dc353734ad07ca6cd4db7bec6c90fb6

Change-Id: I8e8e5cd8c4027cce58c7073002120d14f251463d
2020-02-12 11:43:27 +00:00
Slawek Kaplonski 2f46aee345 Remove python 3.5 from L3 rootwrap filters
In the L3 agent's rootwrap filters there are KillFilters
to allow killing of python processes (used to kill the
neutron-keepalived-state-change-monitor script). There
was also a filter for python3.5, but now Neutron supports
python3.6 and newer, so python3.5 isn't needed there
anymore and this patch removes it from there.

Change-Id: I57fcc6b1c506dce9113b56ffee7d29a96fa7f251
2020-01-20 21:19:05 +01:00
Slawek Kaplonski d6fccd247f Allow to kill keepalived state change monitor process
Usually Neutron stops the neutron-keepalived-state-change-monitor process
gracefully with SIGTERM.
But if this does not stop the process for some time, Neutron will
try to kill this process with SIGKILL (-9).
That was causing a problem with rootwrap, as the kill filters for this process
only allowed sending "-15" to it.
Now it is possible to kill this process with "-9" too.

Change-Id: Id019fa7649bd1158f9d56e63f8dad108d0ca8c1f
Closes-bug: #1860326
2020-01-20 11:48:27 +01:00
Brian Haley 6842465260 Stop testing python 2
Since it's no longer supported past Train, let's stop
running the tests.

Updated docs and made some pep8 code tweaks as well.

Change-Id: I1c171ab906a3b4c66558163ad26947ebf710a276
2019-10-25 18:50:08 +00:00
Zuul 86e4f14115 Merge "Log the IPTables rules if "debug_iptables_rules"" 2019-10-19 01:56:23 +00:00
Rodolfo Alonso Hernandez 2bb241b7a2 Log the IPTables rules if "debug_iptables_rules"
If the configuration flag "debug_iptables_rules" is enabled, the
IPTables rules applied will be logged.

Similar to [1], when the IPTables firewall is enabled, it checks the
status of the following sysctl knobs:

* net.bridge.bridge-nf-call-arptables
* net.bridge.bridge-nf-call-ip6tables
* net.bridge.bridge-nf-call-iptables

In this case, the firewall is not enabling them but just checking their
status and logging it, to make the debugging process easier.

[1] https://review.opendev.org/#/c/371523/

Change-Id: I2ec953228d1d45e1d4c493c0b261901e6dbec0f7
Related-Bug: #1843259
2019-09-23 09:58:36 +00:00
Rodolfo Alonso Hernandez be7bb4d0f5 Kill all processes running in a namespace before deletion
In "NamespaceFixture", before deleting the namespace, this patch
introduces a check to first kill all processes running on it.

Closes-Bug: #1838793

Change-Id: I27f3db33f2e7ab685523fd2d6922177d7c9cb71b
2019-08-21 09:03:54 +00:00
Adrian Chiris f9a750fcaf Prevent providing privsep-helper paths outside /etc
This commit aligns privsep filters with other projects,
e.g. nova [1], cinder [2], to prevent a malicious user from
invoking privsep-helper with an arbitrary configuration file
in case it took control over an unprivileged neutron process.

[1] 4f261f98e1/etc/nova/rootwrap.d/compute.filters (L23)
[2] f5feb87ab8/etc/cinder/rootwrap.d/volume.filters (L41)

Change-Id: I0b4e8cdee0cbbc46547599e176efb4420ee1b318
2019-09-23 14:59:41 +03:00
Zuul f17d0e19ae Merge "Remove rootwrap filters for TC commands in Linux Bridge" 2019-07-09 13:43:00 +00:00
Rodolfo Alonso Hernandez fb7185bf35 Use Pyroute2 "add_tc_qdisc" function in l3_tc_lib
Change-Id: I67ddf9d9a6bb2d9d2e8ff0b6345a0118ec37d837
Related-Bug: #1492714
2019-07-05 08:13:07 +00:00
Rodolfo Alonso Hernandez b6cbc95dcb Use Pyroute2 "list_tc_qdiscs" function in l3_tc_lib
Change-Id: Ifdccd02411e3c3bae441fc28ab8ed09ff746993c
Related-Bug: #1492714
2019-07-05 08:11:00 +00:00
Rodolfo Alonso Hernandez 7d62308eaa Remove rootwrap filters for TC commands in Linux Bridge
All neutron.agent.linux.tc_lib TC commands, used in Linux Bridge
agent, have been implemented using Pyroute2.

Change-Id: Idcac297b204900037b22ab25a516a161f4e78224
Related-Bug: #1560963
2019-07-04 21:17:46 +00:00
Slawek Kaplonski 93015527f0 Add kill hooks for external processes
This patch adds the possibility of configuring kill hooks used to kill
external processes, like dnsmasq or keepalived.

Change-Id: I29dfbedfb7167982323dcff1c4554ee780cc48db
Closes-Bug: #1825943
2019-06-03 14:39:51 +02:00
Slawek Kaplonski 4597dfc136 Add RHEL8 platform-python to the L3 rootwrap filters
In the L3 rootwrap filters we have a filter to kill the
neutron-keepalived-state-change process.
As this process is run under python, in commit [1] we added
KillFilter rules to allow killing various Python processes.

In RHEL8 there are "system" and "user" python versions provided.
It is called "platform-python" and is placed in the /usr/libexec dir.
Details about it are in [2].

So this patch also adds /usr/libexec/platform-python and
/usr/libexec/platform-python3.6 to the neutron-keepalived-state-change
Kill filters, to allow killing this process on RHEL8-based OS.

[1] https://review.opendev.org/#/c/636710/
[2] https://developers.redhat.com/blog/2018/11/14/python-in-rhel-8/

Change-Id: Iafdaf2c1a6e5c1f5de856ff99e04c72c911c5123
2019-05-17 10:15:45 +02:00
Miguel Lavalle 25c432a05a Add rootwrap filters to kill state change monitor
When deleting HA routers, the keepalived state change monitor has to be
deleted. This patch adds rootwrap filters to allow deleting the state
change monitor.

Change-Id: Icfb208d9b51eaa41cf01af81f1ede7420a19cc93
Partial-Bug: #1795870
Partial-Bug: #1789434
2019-03-13 07:40:15 -07:00
Slawek Kaplonski f046031456 Remove _migrate_python_ns_metadata_proxy_if_needed method
It was added as a temporary helper during the migration process
and was marked for deletion in the Queens cycle.
Now we are in Rocky so I think we are fine to remove it
finally.

Change-Id: Iacf592841559d392b59864d507dc89ef028cbf05
2018-08-04 09:53:00 +02:00
LIU Yulong 5ddb2a4762 Make L3 IP tc filter rate limit more accurate
Currently the L3 agent qos extension does not set the mtu for
tc filter rules; the default value is 2kb. Tc filter rules using
such an mtu will result in an inaccurate bandwidth.

So in order to improve the precision, we set the mtu to 64kb.
For the test results, you can read the bug description.

For more information you can read the linux tc man page:
[1] https://linux.die.net/man/8/tc-tbf
[2] http://man7.org/linux/man-pages/man8/tc-police.8.html

Closes-Bug: #1777598
Change-Id: I7a167ec6139ccc55988b34f82080a182116d02a3
2018-06-20 02:21:28 +00:00
Brian Haley 3ad91f61f2 Remove deprecated IVS interface driver
This was marked deprecated in Queens for removal in Rocky,
https://review.openstack.org/#/c/505401/

Change-Id: I77fa59ae1819e87ab8ccc1fa5f0db86de3b90e2e
2018-04-26 20:15:46 +00:00
LIU Yulong f40128b437 [L3][QoS] Adding L3 rate limit TC lib
This is the TC lib utils for L3 IP QoS implementation.
For more detail please see [1]: L3 agent side TC rules.

[1] https://review.openstack.org/#/c/374506/

Partially-Implements blueprint: floating-ip-rate-limit
Related-Bug: #1596611
Change-Id: Icfec83ca6dc31d7283d9c6c6ef0997d5e60daae6
2017-11-15 09:44:05 +00:00
Edan David 04b31bb72a Fix typo "extention" -> "extension"
Change-Id: Ib3d8edfc8319cbb9c15610b1d81b8ff400ce5e71
2017-11-09 07:05:56 -05:00
Edan David c6d8ccb640 Enable bridge command for openvswitch agent
Allow ovs agent to run bridge command.
This is necessary because FDB extension uses bridge to update the FDB table.

Closes-Bug: #1730407

Change-Id: I0897f1efcf36fc7f6f06e80c3b29c0e1fa14b141
2017-11-08 02:03:44 -05:00
Stefan Nica f1b43395e7 linuxbridge-agent: add missing sysctl rootwrap entry
Sysctl was missing from the linuxbridge plugin rootwrap
configuration file. This was causing failures in the
linuxbridge agent when networks are created:

Rootwrap error running command: ['sysctl', '-w', 'net.ipv6.conf.eth0/557.disable_ipv6=1']:

NOTE: this bug was hidden by the fact that sysctl was
covered by the iptables-firewall.filters until recently,
when it was removed (see https://review.openstack.org/#/c/436315/).

Change-Id: Id20175df30d4d6039fb42e722d03f39521f6a499
Closes-Bug: #1715194
2017-09-05 18:59:30 +02:00
Huan Xie 3d58ce44d4 Deal with port commonly when hypervisor is XenServer
When neutron is deployed with XenServer as the hypervisor, the current
implementation grabs the port's iface-id via xapi, but this isn't
the proper way:
The port's iface-id is already set when creating a VM or hot plugging
VIFs in the nova project, so there is no need to grab it via xapi.

Change-Id: Ie07527cc89ac81ff1e3519db66925cee482f77a4
Closes-Bug: #1649747
2017-03-30 22:33:14 -07:00
Jenkins 6dba921f2d Merge "Add PD support in HA router" 2017-03-15 07:25:35 +00:00
Robert Li bb3c0e8285 Add PD support in HA router
The following enhancements are added:
  -- PD keeps track of status of neutron routers: active or
     standalone (master), or standby (not master),
  -- PD DHCP clients are only spawned in the active router. In the
     standby router, PD keeps track of the assigned prefixes, but
     doesn't spawn DHCP clients.
  -- When switchover occurs, on the router becoming standby, PD
     clients are "killed" so that they don't send prefix withdrawals
     to the DHCP server. On the router becoming active, PD spawns DHCP
     clients with the assigned prefixes configured as hints in the
     DHCP client's configuration.

Closes-Bug: #1651465
Change-Id: I17df98128c7a88e72e31251687f30f569df6b860
2017-03-15 04:31:09 +00:00