← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1363773] [NEW] neutron-ns-metadata-proxy cannot be killed when running in virtual environment

 

Public bug reported:

When running in virtual env, neutron-ns-metadata-proxy on DHCP node
cannot be disabled properly when deleting a network.

Consequences:
1. Corresponding folder and files under /var/lib/neutron/dhcp/ are not cleaned up.
2. If neutron-dhcp-agent service is restarted in this unclean state, dnsmasq processes are restarted periodically (resync interval), because the failure of removing the deleted networks. (And because of bug 1345947, huge amount of NAK logs flood for dnsmasq.)

Root cause:
Killing neutron-ns-metadata-proxy is failed because of rootwrapper filter not matched in dhcp_filter.conf:
Command: ['sudo', 'neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'kill', '-9', '65832']
Exit code: 99
Stdout: ''
Stderr: '/usr/bin/neutron-rootwrap: Unauthorized command: kill -9 65832 (no filter matched)\n'

neutron-ns-metadata-proxy is started via ProcessManager, and in Virtual
Environment, the python binary under virtual env is used instead of
/usr/bin/python*.

However, in dhcp_file.conf absolute path is specified for KillerFiler for neutron-ns-metadata-proxy:
kill_metadata: KillFilter, root, /usr/bin/python, -9
kill_metadata7: KillFilter, root, /usr/bin/python2.7, -9
kill_metadata6: KillFilter, root, /usr/bin/python2.6, -9

Proposed solution:
Do not specify absolute path in filter: use python (or python2.7, or python2.6) instead
============================================================================
diff --git a/etc/neutron/rootwrap.d/dhcp.filters b/etc/neutron/rootwrap.d/dhcp.filters
index 88d61e8..26c2ffa 100644
--- a/etc/neutron/rootwrap.d/dhcp.filters
+++ b/etc/neutron/rootwrap.d/dhcp.filters
@@ -29,9 +29,9 @@ metadata_proxy_quantum: CommandFilter, quantum-ns-metadata-proxy, root
 metadata_proxy_local: CommandFilter, /usr/local/bin/neutron-ns-metadata-proxy, root
 metadata_proxy_local_quantum: CommandFilter, /usr/local/bin/quantum-ns-metadata-proxy, root
 # RHEL invocation of the metadata proxy will report /usr/bin/python
-kill_metadata: KillFilter, root, /usr/bin/python, -9
-kill_metadata7: KillFilter, root, /usr/bin/python2.7, -9
-kill_metadata6: KillFilter, root, /usr/bin/python2.6, -9
+kill_metadata: KillFilter, root, python, -9
+kill_metadata7: KillFilter, root, python2.7, -9
+kill_metadata6: KillFilter, root, python2.6, -9
 
 # ip_lib
 ip: IpFilter, ip, root

** Affects: neutron
     Importance: Undecided
     Assignee: Han Zhou (zhouhan)
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1363773

Title:
  neutron-ns-metadata-proxy cannot be killed when running in virtual
  environment

Status in OpenStack Neutron (virtual network service):
  New

Bug description:
  When running in virtual env, neutron-ns-metadata-proxy on DHCP node
  cannot be disabled properly when deleting a network.

  Consequences:
  1. Corresponding folder and files under /var/lib/neutron/dhcp/ are not cleaned up.
  2. If neutron-dhcp-agent service is restarted in this unclean state, dnsmasq processes are restarted periodically (resync interval), because the failure of removing the deleted networks. (And because of bug 1345947, huge amount of NAK logs flood for dnsmasq.)

  Root cause:
  Killing neutron-ns-metadata-proxy is failed because of rootwrapper filter not matched in dhcp_filter.conf:
  Command: ['sudo', 'neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'kill', '-9', '65832']
  Exit code: 99
  Stdout: ''
  Stderr: '/usr/bin/neutron-rootwrap: Unauthorized command: kill -9 65832 (no filter matched)\n'

  neutron-ns-metadata-proxy is started via ProcessManager, and in
  Virtual Environment, the python binary under virtual env is used
  instead of /usr/bin/python*.

  However, in dhcp_file.conf absolute path is specified for KillerFiler for neutron-ns-metadata-proxy:
  kill_metadata: KillFilter, root, /usr/bin/python, -9
  kill_metadata7: KillFilter, root, /usr/bin/python2.7, -9
  kill_metadata6: KillFilter, root, /usr/bin/python2.6, -9

  Proposed solution:
  Do not specify absolute path in filter: use python (or python2.7, or python2.6) instead
  ============================================================================
  diff --git a/etc/neutron/rootwrap.d/dhcp.filters b/etc/neutron/rootwrap.d/dhcp.filters
  index 88d61e8..26c2ffa 100644
  --- a/etc/neutron/rootwrap.d/dhcp.filters
  +++ b/etc/neutron/rootwrap.d/dhcp.filters
  @@ -29,9 +29,9 @@ metadata_proxy_quantum: CommandFilter, quantum-ns-metadata-proxy, root
   metadata_proxy_local: CommandFilter, /usr/local/bin/neutron-ns-metadata-proxy, root
   metadata_proxy_local_quantum: CommandFilter, /usr/local/bin/quantum-ns-metadata-proxy, root
   # RHEL invocation of the metadata proxy will report /usr/bin/python
  -kill_metadata: KillFilter, root, /usr/bin/python, -9
  -kill_metadata7: KillFilter, root, /usr/bin/python2.7, -9
  -kill_metadata6: KillFilter, root, /usr/bin/python2.6, -9
  +kill_metadata: KillFilter, root, python, -9
  +kill_metadata7: KillFilter, root, python2.7, -9
  +kill_metadata6: KillFilter, root, python2.6, -9
   
   # ip_lib
   ip: IpFilter, ip, root

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1363773/+subscriptions


Follow ups

References