yahoo-eng-team team mailing list archive

Thread
Date
[Bug 1923453] Re: [focal-wallaby] Services not running that should be: neutron-openvswitch-agent

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Corey Bryant <1923453@xxxxxxxxxxxxxxxxxx>
Date: Wed, 14 Apr 2021 15:44:33 -0000
Reply-to: Bug 1923453 <1923453@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
I think this is an upstream bug for neutron. It looks like
neutron/cmd/ovs_cleanup.py is missing a call to
agent_config.setup_privsep() in main():

diff --git a/neutron/cmd/ovs_cleanup.py b/neutron/cmd/ovs_cleanup.py
index c6290909a8..8e75317e08 100644
--- a/neutron/cmd/ovs_cleanup.py
+++ b/neutron/cmd/ovs_cleanup.py
@@ -58,6 +58,7 @@ def main():
     conf = setup_conf()
     conf()
     config.setup_logging()
+    agent_config.setup_privsep()
     do_main(conf)

The problem is the oslo.privsep library is not getting initialized. In
other words, init() [1] is not getting called in
oslo_privsep/priv_context.py, therefore _HELPER_COMMAND_PREFIX is not
getting set to root_helper as defined in neutron.conf [2].

So we end up running:
Running privsep helper: ['sudo', 'privsep-helper', '--config-file', '/etc/neutron/neutron.conf', '--privsep_context', 'neutron.privileged.ovs_vsctl_cmd', '--privsep_sock_path', '/tmp/tmpvvymywvv/privsep.sock']

Where we should instead we should be running:
Running privsep helper: ['sudo', 'neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'privsep-helper', '--config-file', '/etc/neutron/neutron.conf', '--privsep_context', 'neutron.privileged.ovs_vsctl_cmd', '--privsep_sock_path', '/tmp/tmpdq_rjxpi/privsep.sock']

[1]
https://opendev.org/openstack/oslo.privsep/src/branch/stable/wallaby/oslo_privsep/priv_context.py#L107

[2] neutron.conf
[AGENT]
root_helper = sudo neutron-rootwrap /etc/neutron/rootwrap.conf

** Also affects: neutron
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1923453

Title:
  [focal-wallaby] Services not running that should be: neutron-
  openvswitch-agent

Status in OpenStack neutron-gateway charm:
  New
Status in OpenStack neutron-openvswitch charm:
  New
Status in neutron:
  In Progress
Status in neutron package in Ubuntu:
  Triaged

Bug description:
  When deploying focal-wallaby, the neutron-openvswitch-agent service
  doesn't start because one of its dependency services refuses to start:

  systemd[1]: Starting OpenStack Neutron OVS cleanup...
  sudo[190474]: pam_unix(sudo:auth): Couldn't open /etc/securetty: No such file or directory
  sudo[190474]: pam_unix(sudo:auth): conversation failed
  sudo[190474]: pam_unix(sudo:auth): auth could not identify password for [neutron]
  sudo[190474]:  neutron : command not allowed ; TTY=unknown ; PWD=/var/lib/neutron ; USER=root ; COMMAND=/usr/bin/privsep-helper --config-file /etc/neutron/neutron.conf --privsep_context neutron.privileged.>
  systemd[1]: neutron-ovs-cleanup.service: Main process exited, code=exited, status=1/FAILURE
  systemd[1]: neutron-ovs-cleanup.service: Failed with result 'exit-code'.
  systemd[1]: Failed to start OpenStack Neutron OVS cleanup.

  Indeed /etc/securetty got removed in focal [0][1]. Maybe Neutron just
  started doing something in Wallaby that requires this file?

  This is visible in our OSCI test gate. [2][3]

  [0] https://bugs.launchpad.net/ubuntu/+source/pam/+bug/1860826
  [1] https://askubuntu.com/questions/1239503/ubuntu-20-04-and-20-10-etc-securetty-no-such-file-or-directory
  [2] https://review.opendev.org/c/openstack/charm-neutron-openvswitch/+/778932
  [3] https://openstack-ci-reports.ubuntu.com/artifacts/1a8/778932/5/check/migrate-ovn-focal-wallaby-dvr-snat/1a84d92/log/juju-status.zaza-3b6febd0f883.txt

To manage notifications about this bug go to:
https://bugs.launchpad.net/charm-neutron-gateway/+bug/1923453/+subscriptions