Bug 1228096

Summary: rootwrap daemon mode should be enabled
Product: Red Hat OpenStack
Reporter: Ihar Hrachyshka <ihrachys>
Component: openstack-neutron
Assignee: Ihar Hrachyshka <ihrachys>
Status: CLOSED ERRATA
QA Contact: Eran Kuris <ekuris>
Severity: urgent
Priority: urgent
Version: 7.0 (Kilo)
CC: amuller, chrisw, dlackey, ihrachys, lpeer, nyechiel, yeylon
Target Milestone: ga
Target Release: 7.0 (Kilo)
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openstack-neutron-2015.1.0-8.el7ost
Doc Type: Release Note
Doc Text:
In Kilo, Neutron services can now rely on the so-called rootwrap daemon to execute external commands like 'ip' or 'sysctl'. The daemon pre-caches rootwrap filters and drastically improves overall agent performance. For RHEL-OSP7, the rootwrap daemon is enabled by default. If you want to avoid using it and stick to another root privilege separation mechanism like 'sudo', then make sure you also disable the daemon by setting 'root_helper_daemon =' in the [agent] section of your neutron.conf file.
Last Closed: 2015-08-05 13:24:47 UTC
Type: Bug
Bug Depends On: 1230438, 1230900    
Bug Blocks:    
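
The Doc Text above warns that switching to another mechanism such as 'sudo' is only effective if 'root_helper_daemon =' is also set in [agent]. The following check for that leftover-daemon case is an added example, not code from this bug or from Neutron; the function name, mode labels and sample files are assumptions, and the helper command lines follow upstream Neutron's usual values rather than anything quoted here.

```python
import configparser

# Constructed neutron.conf samples (not taken from the bug report).
DAEMON_ON = """[agent]
root_helper = sudo neutron-rootwrap /etc/neutron/rootwrap.conf
root_helper_daemon = sudo neutron-rootwrap-daemon /etc/neutron/rootwrap.conf
"""
SUDO_ONLY = """[agent]
root_helper = sudo
root_helper_daemon =
"""
# root_helper was switched to sudo but the daemon line was left in place.
SUDO_DAEMON_LEFT = """[agent]
root_helper = sudo
root_helper_daemon = sudo neutron-rootwrap-daemon /etc/neutron/rootwrap.conf
"""
NOT_SET = """[DEFAULT]
root_helper_daemon = ignored-here
[agent]
root_helper = sudo
"""


def audit_root_helper(conf_text):
    """Return (mode, warnings) for the [agent] section of one neutron.conf."""
    # default_section is renamed so [DEFAULT] keys are not inherited by [agent];
    # strict=False tolerates the repeated keys that neutron.conf may contain.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   default_section="__unused__")
    cp.read_string(conf_text)
    agent = cp["agent"] if cp.has_section("agent") else {}
    helper = agent.get("root_helper", "").strip()
    daemon = agent.get("root_helper_daemon")
    if daemon is None:
        return "unset", ["root_helper_daemon is not set in this file; the "
                         "effective value comes from other files or defaults"]
    if not daemon.strip():
        return "daemon-disabled", []
    warnings = []
    if "rootwrap" not in helper:
        warnings.append("root_helper=%r does not use rootwrap, but "
                        "root_helper_daemon is still set" % helper)
    return "daemon-enabled", warnings


if __name__ == "__main__":
    for name in ("DAEMON_ON", "SUDO_ONLY", "SUDO_DAEMON_LEFT", "NOT_SET"):
        print(name, audit_root_helper(globals()[name]))
```

The "unset" result matters on RHEL-OSP7 because, per the Doc Text, the daemon is enabled by default there, so an absent key does not mean the daemon is off.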

Description Ihar Hrachyshka 2015-06-04 08:08:28 UTC
Kilo introduced a new feature for neutron: rootwrap daemon mode, which drastically enhances performance for agents that extensively call external tools like ip, sysctl or radvd (meaning e.g. the ovs or l3 agent).

It would be great to see the feature enabled by default since OSP7.

Comment 4 Ihar Hrachyshka 2015-06-04 13:36:58 UTC
Ofer, the daemon is spawned by neutron itself, and is not controlled by any external system (like systemd). The idea is that neutron spawns it once and then communicates with it using a local UNIX socket.

To test the setup, you just upgrade the package and make sure that agents still behave correctly (l2, l3), updating ports and bridges and namespaces based on user actions. Any regression or integration tests would do it.

Comment 5 Ihar Hrachyshka 2015-06-05 09:57:51 UTC
Targeting to GA as per Livnat and Nir.

Comment 8 Eran Kuris 2015-06-21 11:12:18 UTC
Verified on OSP7 on rhel 7 
# rpm -qa |grep neutron 
openstack-neutron-common-2015.1.0-8.el7ost.noarch
python-neutron-lbaas-2015.1.0-5.el7ost.noarch
python-neutron-fwaas-2015.1.0-3.el7ost.noarch
python-neutronclient-2.4.0-1.el7ost.noarch
openstack-neutron-fwaas-2015.1.0-3.el7ost.noarch
python-neutron-2015.1.0-8.el7ost.noarch
openstack-neutron-openvswitch-2015.1.0-8.el7ost.noarch
openstack-neutron-2015.1.0-8.el7ost.noarch
openstack-neutron-ml2-2015.1.0-8.el7ost.noarch
openstack-neutron-lbaas-2015.1.0-5.el7ost.noarch


Configured a setup with 2 VMs and a router.
Checked full connectivity on the internal network and the external network with a floating IP.

Comment 10 errata-xmlrpc 2015-08-05 13:24:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2015:1548