Bug 1367609

Prateek, could you check this out on a RHOS 9 setup? I'd like to know:

* Which package owns /usr/share/nova/rootwrap
* Where does it expect network.filters to be?
* Is it there?

Thanks,

Matt

Prateek, never mind: confirmed this file is owned by openstack-nova-network-13.1.0-6.el7ost.noarch.rpm. Could you check if this package is installed for a default neutron setup? Guessing it's not.

Was this file there in OSP 8?  is this a regression?  can you look at an OSP 8 setup and tell us which rpm the file comes from (if it's there)?

I know that bigswitch is not using nova-network, so it makes sense that nova-network wouldn't be installed.

network.filters is a file in the openstack-nova-network package, but may have some things in there that the compute service needs to run for vif plugging and such even in neutron mode.

As Dan alludes to, the missing file isn't an issue unless it contained a filter that isn't already included in compute.filters.

As this is bigswitch related, I suspect the filter for 'ivs-vsctl' is among the missing. If this assumption is correct and as bigswitch support isn't part of the neutron core package, it's not obvious where the filter belongs. However, since the operation is called directly by the VIF driver (similarly to OVS ports), adding the required lines to compute.filters would at least be consistent with what have been doing. Alternatively the bigswitch packaging could drop a  file in /etc/nova/rootwrap.d with the appropriate filters.

Can we confirm which filters are required that are missing?

Brent, you are right. The missing filter is following

https://github.com/openstack/nova/blob/stable/mitaka/etc/nova/rootwrap.d/network.filters#L37-L40

I've created a patch upstream to add this to compute.filters. Let's see where it takes us.

There are other filters as well which are provided by network.filters file, all those need to be added in compute.filters if plan is not to provide network.filters files with openstack-nova-common package but rather only with openstack-nova-network. 

network.filters file was used to be provided by openstack-nova-common package in Liberty but it is removed now in Mitaka package, not sure why there isn't any bug/blueprint related to it upstream. See the output below for Liberty and Mitaka packages upstream and the list of files provided by them, clearly the file has been removed from liberty to mitaka.


[root@overcloud-compute-0 ~]# rpm -qlp http://mirror.centos.org/centos/7/cloud/x86_64/openstack-liberty/openstack-nova-common-12.0.4-1.el7.noarch.rpm
warning: http://mirror.centos.org/centos/7/cloud/x86_64/openstack-liberty/openstack-nova-common-12.0.4-1.el7.noarch.rpm: Header V4 RSA/SHA1 Signature, key ID 764429e6: NOKEY
/etc/logrotate.d/openstack-nova
/etc/nova
/etc/nova/api-paste.ini
/etc/nova/nova.conf
/etc/nova/policy.json
/etc/nova/release
/etc/nova/rootwrap.conf
/etc/polkit-1/localauthority/50-local.d/50-nova.pkla
/etc/polkit-1/rules.d/50-nova.rules
/etc/sudoers.d/nova
/usr/bin/nova-manage
/usr/bin/nova-rootwrap
/usr/bin/nova-rootwrap-daemon
/usr/share/doc/openstack-nova-common-12.0.4
/usr/share/doc/openstack-nova-common-12.0.4/LICENSE
/usr/share/man/man1/nova-all.1.gz
/usr/share/man/man1/nova-api-ec2.1.gz
/usr/share/man/man1/nova-api-metadata.1.gz
/usr/share/man/man1/nova-api-os-compute.1.gz
/usr/share/man/man1/nova-api.1.gz
/usr/share/man/man1/nova-cells.1.gz
/usr/share/man/man1/nova-cert.1.gz
/usr/share/man/man1/nova-compute.1.gz
/usr/share/man/man1/nova-conductor.1.gz
/usr/share/man/man1/nova-console.1.gz
/usr/share/man/man1/nova-consoleauth.1.gz
/usr/share/man/man1/nova-dhcpbridge.1.gz
/usr/share/man/man1/nova-idmapshift.1.gz
/usr/share/man/man1/nova-manage.1.gz
/usr/share/man/man1/nova-network.1.gz
/usr/share/man/man1/nova-novncproxy.1.gz
/usr/share/man/man1/nova-objectstore.1.gz
/usr/share/man/man1/nova-rootwrap.1.gz
/usr/share/man/man1/nova-scheduler.1.gz
/usr/share/man/man1/nova-serialproxy.1.gz
/usr/share/man/man1/nova-spicehtml5proxy.1.gz
/usr/share/man/man1/nova-xvpvncproxy.1.gz
/usr/share/nova
/usr/share/nova/client.ovpn.template
/usr/share/nova/interfaces.template
/usr/share/nova/nova-dist.conf
/usr/share/nova/rootwrap
/usr/share/nova/rootwrap/api-metadata.filters
/usr/share/nova/rootwrap/compute.filters
/usr/share/nova/rootwrap/network.filters
/var/lib/nova
/var/lib/nova/buckets
/var/lib/nova/instances
/var/lib/nova/keys
/var/lib/nova/networks
/var/lib/nova/tmp
/var/log/nova
/var/run/nova




[root@overcloud-compute-0 ~]# rpm -qlp http://mirror.centos.org/centos/7/cloud/x86_64/openstack-mitaka/openstack-nova-common-13.0.0-1.el7.noarch.rpm
warning: http://mirror.centos.org/centos/7/cloud/x86_64/openstack-mitaka/openstack-nova-common-13.0.0-1.el7.noarch.rpm: Header V4 RSA/SHA1 Signature, key ID 764429e6: NOKEY
/etc/logrotate.d/openstack-nova
/etc/nova
/etc/nova/api-paste.ini
/etc/nova/nova.conf
/etc/nova/policy.json
/etc/nova/release
/etc/nova/rootwrap.conf
/etc/polkit-1/localauthority/50-local.d/50-nova.pkla
/etc/polkit-1/rules.d/50-nova.rules
/etc/sudoers.d/nova
/usr/bin/nova-manage
/usr/bin/nova-rootwrap
/usr/bin/nova-rootwrap-daemon
/usr/share/doc/openstack-nova-common-13.0.0
/usr/share/doc/openstack-nova-common-13.0.0/LICENSE
/usr/share/man/man1/nova-all.1.gz
/usr/share/man/man1/nova-api-metadata.1.gz
/usr/share/man/man1/nova-api-os-compute.1.gz
/usr/share/man/man1/nova-api.1.gz
/usr/share/man/man1/nova-cells.1.gz
/usr/share/man/man1/nova-cert.1.gz
/usr/share/man/man1/nova-compute.1.gz
/usr/share/man/man1/nova-conductor.1.gz
/usr/share/man/man1/nova-console.1.gz
/usr/share/man/man1/nova-consoleauth.1.gz
/usr/share/man/man1/nova-dhcpbridge.1.gz
/usr/share/man/man1/nova-idmapshift.1.gz
/usr/share/man/man1/nova-manage.1.gz
/usr/share/man/man1/nova-network.1.gz
/usr/share/man/man1/nova-novncproxy.1.gz
/usr/share/man/man1/nova-rootwrap.1.gz
/usr/share/man/man1/nova-scheduler.1.gz
/usr/share/man/man1/nova-serialproxy.1.gz
/usr/share/man/man1/nova-spicehtml5proxy.1.gz
/usr/share/man/man1/nova-xvpvncproxy.1.gz
/usr/share/nova
/usr/share/nova/client.ovpn.template
/usr/share/nova/interfaces.template
/usr/share/nova/nova-dist.conf
/var/lib/nova
/var/lib/nova/buckets
/var/lib/nova/instances
/var/lib/nova/keys
/var/lib/nova/networks
/var/lib/nova/tmp
/var/log/nova
/var/run/nova

Brent, I see this merged in master, can we backport it to mitaka?

I'm not sure. There are a couple of things about it: 

 - Yours truly neglected to file a launchpad bug at the time I originally submitted the patch. 

 - It's a weird sort of bug in that it would only affect packagers that weren't including all of the filter files. I'm not sure where it fits with the current nova process and policies on backports.

I *think* all we should need to do is just file that appropriate launchpad bug and submit the backport. Melanie, does this sound right to you?

Launchpad bug is submitted u/s and see what I can do.

Brent, any luck getting this backported to Mitaka?

According to mriedman, it's a "no go" upstream.

This looks a like duplicate of 1371562 [1], which I fixed in openstack-nova-13.1.1-7.el7ost by moving network.filters to the -common package. What version was this bug observed with? If prior to 13.1.1-7, can we try upgrading and making sure that the bug goes away?

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1371562

network.filter is present in latest rhosp9 overcloud-full.qcow2 image. Closing bugzilla