yahoo-eng-team team mailing list archive
[Bug 1363773] [NEW] neutron-ns-metadata-proxy cannot be killed when running in virtual environment
Public bug reported:
When running in a virtual env, neutron-ns-metadata-proxy on the DHCP node
cannot be disabled properly when deleting a network.
Consequences:
1. The corresponding folder and files under /var/lib/neutron/dhcp/ are not cleaned up.
2. If the neutron-dhcp-agent service is restarted in this unclean state, dnsmasq processes are restarted periodically (resync interval) because of the failure to remove the deleted networks. (And because of bug 1345947, a huge amount of NAK logs flood for dnsmasq.)
Root cause:
Killing neutron-ns-metadata-proxy fails because no rootwrapper filter is matched in dhcp_filter.conf:
Command: ['sudo', 'neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'kill', '-9', '65832']
Exit code: 99
Stdout: ''
Stderr: '/usr/bin/neutron-rootwrap: Unauthorized command: kill -9 65832 (no filter matched)\n'
neutron-ns-metadata-proxy is started via ProcessManager, and in a virtual
environment, the python binary under the virtual env is used instead of
/usr/bin/python*.
However, in dhcp_file.conf an absolute path is specified for the KillFilter for neutron-ns-metadata-proxy:
kill_metadata: KillFilter, root, /usr/bin/python, -9
kill_metadata7: KillFilter, root, /usr/bin/python2.7, -9
kill_metadata6: KillFilter, root, /usr/bin/python2.6, -9
Proposed solution:
Do not specify an absolute path in the filter: use python (or python2.7, or python2.6) instead.
============================================================================
diff --git a/etc/neutron/rootwrap.d/dhcp.filters b/etc/neutron/rootwrap.d/dhcp.filters
index 88d61e8..26c2ffa 100644
--- a/etc/neutron/rootwrap.d/dhcp.filters
+++ b/etc/neutron/rootwrap.d/dhcp.filters
@@ -29,9 +29,9 @@ metadata_proxy_quantum: CommandFilter, quantum-ns-metadata-proxy, root
metadata_proxy_local: CommandFilter, /usr/local/bin/neutron-ns-metadata-proxy, root
metadata_proxy_local_quantum: CommandFilter, /usr/local/bin/quantum-ns-metadata-proxy, root
# RHEL invocation of the metadata proxy will report /usr/bin/python
-kill_metadata: KillFilter, root, /usr/bin/python, -9
-kill_metadata7: KillFilter, root, /usr/bin/python2.7, -9
-kill_metadata6: KillFilter, root, /usr/bin/python2.6, -9
+kill_metadata: KillFilter, root, python, -9
+kill_metadata7: KillFilter, root, python2.7, -9
+kill_metadata6: KillFilter, root, python2.6, -9
# ip_lib
ip: IpFilter, ip, root
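Review bot: The three `+` lines replace the absolute interpreter paths with bare names (`kill_metadata: KillFilter, root, python, -9`), which removes the only part of these entries that says which binary root may send -9 to; the entries should keep naming a full path. Consider leaving the `/usr/bin/python*` entries as they were and adding entries with the absolute path of the virtualenv interpreter for deployments that need it, or making that path a deployment-time setting. The comment above the changed lines still says the proxy "will report /usr/bin/python", so it needs updating to match whatever the entries end up allowing, and the patch should state how KillFilter resolves a bare name.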
** Affects: neutron
Importance: Undecided
Assignee: Han Zhou (zhouhan)
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1363773
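Added example, not part of the original report and not rootwrap's own code: a simplified Python model of a kill filter, showing why the absolute-path entries reject a virtualenv interpreter and what bare-name entries would additionally accept. The bare-name matching rule, the trusted_dirs parameter and the sample paths are assumptions made for illustration.

```python
import os

# Constructed filter definitions mirroring the two variants discussed in the report.
ABSOLUTE = [("/usr/bin/python", "-9"), ("/usr/bin/python2.7", "-9"),
            ("/usr/bin/python2.6", "-9")]
BARE = [("python", "-9"), ("python2.7", "-9"), ("python2.6", "-9")]


def kill_allowed(filters, argv, target_exe, trusted_dirs=None):
    """Simplified model of a kill filter (assumption, not rootwrap's code).

    argv         -- requested command, e.g. ['kill', '-9', '65832']
    target_exe   -- executable of the target PID (what /proc/<pid>/exe points to)
    trusted_dirs -- optional set of directories a bare name may live in
    """
    if len(argv) != 3 or argv[0] != "kill" or not argv[2].isdigit():
        return False
    signal = argv[1]
    for name, allowed_signal in filters:
        if signal != allowed_signal:
            continue
        if os.path.isabs(name):
            # Absolute entry: the target's executable must be exactly this path.
            if target_exe == name:
                return True
        elif os.path.basename(target_exe) == name:
            # Bare entry: only the file name is compared unless directories are pinned.
            if trusted_dirs is None or os.path.dirname(target_exe) in trusted_dirs:
                return True
    return False


REQUEST = ["kill", "-9", "65832"]          # command from the report
VENV_PY = "/opt/neutron-venv/bin/python"   # constructed virtualenv interpreter path
OTHER_PY = "/tmp/build/python"             # constructed unrelated binary named "python"
PINNED = {"/opt/neutron-venv/bin"}         # constructed trusted directory


def demo():
    return {
        "absolute_vs_venv": kill_allowed(ABSOLUTE, REQUEST, VENV_PY),
        "bare_vs_venv": kill_allowed(BARE, REQUEST, VENV_PY),
        "bare_vs_other": kill_allowed(BARE, REQUEST, OTHER_PY),
        "pinned_vs_venv": kill_allowed(BARE, REQUEST, VENV_PY, PINNED),
        "pinned_vs_other": kill_allowed(BARE, REQUEST, OTHER_PY, PINNED),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'allowed' if ok else 'no filter matched'}")
```

The first case reproduces the "no filter matched" outcome from the report; the last two show that pinning the directory keeps the virtualenv case working without accepting every binary named python.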