Bug 1389305

Summary: Move rootwrap filters for openvswitch from openstack-neutron-openvswitch to python-neutron or other
Product: [Community] RDO
Component: openstack-neutron
Reporter: Vladislav Odintsov <odivlad>
Assignee: Assaf Muller <amuller>
QA Contact: Ofer Blaut <oblaut>
Status: CLOSED WONTFIX
Severity: unspecified
Priority: unspecified
Version: unspecified
CC: amuller, chris.brown, chrisw, odivlad, srevivo
Flags: odivlad: needinfo-
Target Release: trunk
Hardware: Unspecified
OS: Linux
Environment: centos 7, mitaka, networking-vsphere-2.0.0
Last Closed: 2019-06-24 12:03:42 UTC
Type: Bug
Attachments:
- python-networking-vsphere rpm (flags: none)
- python-networking-vsphere rpm without filters require (flags: none)

Description Vladislav Odintsov 2016-10-27 12:22:07 UTC
Created attachment 1214582
python-networking-vsphere rpm

Description of problem:

Hi, I'm doing rpm packaging of the python-networking-vsphere project, and I observe a little problem with rootwrap execution of ovs-ofctl commands.

ovs-* commands should be executed as a user with root privileges.
rootwrap commands and daemon both use rootwrap filters to allow execution of particular commands.

In general, it is not possible to use /usr/lib/python2.7/site-packages/neutron/agent/common/ovs_lib.py from the python-neutron package without installing the special rootwrap filters file, which is in openstack-neutron-openvswitch (/usr/share/neutron/rootwrap/openvswitch-plugin.filters).

For use with networking-vsphere (neutron-ovsvapp-agent), which uses ovs_lib.py, the openvswitch-plugin.filters file is needed, but there is actually no need to install another agent (neutron-openvswitch-agent).

I've proposed a specfile for review, and I'd like to know whether it is possible to rearrange the rpm packages.
For instance, move the file /usr/share/neutron/rootwrap/openvswitch-plugin.filters either to the python-neutron package (the place where these rules are explicitly needed) or to the openstack-neutron-common rpm.


How reproducible:
always


Steps to Reproduce:
1. yum install centos-release-openstack-mitaka
2. yum install ./python-networking-vsphere-*.rpm (from attachment)
3. systemctl start openvswitch
4. ovs-vsctl add-br br-sec; ovs-vsctl add-port br-sec eth2; ovs-vsctl add-br br-eth1; ovs-vsctl add-port br-eth1 eth1
5. use config:
/etc/neutron/plugins/ml2/ovsvapp_agent.ini:
[vmware]
vcenter_ip = 172.17.0.117
vcenter_username = Administrator
vcenter_password = P@ssw0rd
wsdl_location=https://172.17.0.117:443/sdk/vimService.wsdl
cluster_dvs_mapping = VOL615/host/VOL615_IBM:dvSwitchInt
esx_hostname = 172.17.0.113
[ovsvapp]
tenant_network_types = vlan,vxlan
local_ip = 172.17.4.11
bridge_mappings = physnet1:br-eth1
[securitygroup]
security_bridge_mapping = br-sec:eth2
ovsvapp_firewall_driver = networking_vsphere.drivers.ovs_firewall.OVSFirewallDriver
6. Ensure absence of filter rules:
grep ovs-ofctl /usr/share/neutron/rootwrap/*
7. Start service:
systemctl start neutron-ovsvapp-agent
8. See errors in /var/log/neutron/ovsvapp-agent.log:
2016-10-27 06:31:15.260 4418 ERROR neutron.agent.common.ovs_lib [-] Unable to execute ['ovs-ofctl', 'add-flows', 'br-int', '-']. Exception:
2016-10-27 06:31:15.260 4418 ERROR neutron.agent.common.ovs_lib [-] Unable to execute ['ovs-ofctl', 'add-flows', 'br-int', '-']. Exception:
2016-10-27 06:31:15.261 4418 ERROR neutron.agent.common.ovs_lib [-] Unable to execute ['ovs-ofctl', 'add-flows', 'br-int', '-']. Exception:
...
2016-10-27 08:15:23.992 3401 ERROR neutron.agent.common.ovs_lib [-] Unable to execute ['ovs-ofctl', 'del-flows', 'br-int', '-']. Exception:
2016-10-27 08:15:23.993 3401 ERROR neutron.agent.common.ovs_lib [-] Unable to execute ['ovs-ofctl', 'del-flows', 'br-int', '-']. Exception:
2016-10-27 08:15:24.001 3401 ERROR neutron.agent.common.ovs_lib [-] Unable to execute ['ovs-ofctl', 'del-flows', 'br-eth1', '-']. Exception:
2016-10-27 08:15:24.002 3401 ERROR neutron.agent.common.ovs_lib [-] Unable to execute ['ovs-ofctl', 'del-flows', 'br-eth1', '-']. Exception:
2016-10-27 08:15:24.002 3401 ERROR neutron.agent.common.ovs_lib [-] Unable to execute ['ovs-ofctl', 'add-flows', 'br-eth1', '-']. Exception:
2016-10-27 08:15:24.003 3401 ERROR neutron.agent.common.ovs_lib [-] Unable to execute ['ovs-ofctl', 'add-flows', 'br-eth1', '-']. Exception:
2016-10-27 08:15:24.004 3401 ERROR neutron.agent.common.ovs_lib [-] Unable to execute ['ovs-ofctl', 'add-flows', 'br-eth1', '-']. Exception:
2016-10-27 08:15:24.004 3401 ERROR neutron.agent.common.ovs_lib [-] Unable to execute ['ovs-ofctl', 'add-flows', 'br-int', '-']. Exception:


Actual results:
yum install openstack-neutron-openvswitch fixes the problem.

Expected results:
The file /usr/share/neutron/rootwrap/openvswitch-plugin.filters is distributed with python-neutron and doesn't require installing any other packages.
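
Added example (not part of the original report and not code from neutron or oslo.rootwrap): a simplified Python check of whether any rootwrap filter file in a directory contains a CommandFilter for the command the agent runs, which is the condition step 6 tests with grep. The filter file contents and the file name example-other.filters are constructed for illustration; only basename matching of CommandFilter entries is modelled.

```python
import configparser
import os
import tempfile


def load_filters(filters_dir):
    """Return {file_name: [(name, filter_class, executable, run_as), ...]}."""
    loaded = {}
    for fname in sorted(os.listdir(filters_dir)):
        if fname.startswith("."):
            continue
        parser = configparser.RawConfigParser()
        parser.read(os.path.join(filters_dir, fname))
        entries = []
        if parser.has_section("Filters"):
            for name, value in parser.items("Filters"):
                fields = [f.strip() for f in value.split(",")]
                if len(fields) >= 3:
                    entries.append((name, fields[0], fields[1], fields[2]))
        loaded[fname] = entries
    return loaded


def files_allowing(filters_dir, argv):
    """List filter files whose CommandFilter matches argv[0] by basename."""
    wanted = os.path.basename(argv[0])
    hits = []
    for fname, entries in load_filters(filters_dir).items():
        for _name, cls, exe, _user in entries:
            if cls == "CommandFilter" and os.path.basename(exe) == wanted:
                hits.append(fname)
                break
    return hits


def demo():
    # Command taken from the agent log in the report.
    argv = ["ovs-ofctl", "add-flows", "br-int", "-"]
    with tempfile.TemporaryDirectory() as d:
        # Constructed filter file that does not mention ovs-ofctl.
        with open(os.path.join(d, "example-other.filters"), "w") as f:
            f.write("[Filters]\nip: CommandFilter, ip, root\n")
        before = files_allowing(d, argv)
        # Constructed stand-in for the filter file the report asks to relocate.
        with open(os.path.join(d, "openvswitch-plugin.filters"), "w") as f:
            f.write("[Filters]\novs-ofctl: CommandFilter, ovs-ofctl, root\n")
        after = files_allowing(d, argv)
    return before, after


if __name__ == "__main__":
    print(demo())
```

On a real host, `files_allowing("/usr/share/neutron/rootwrap", ["ovs-ofctl"])` returning an empty list corresponds to the state in which the agent logs the "Unable to execute" errors.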

Comment 1 Vladislav Odintsov 2016-10-27 12:30:41 UTC
Created attachment 1214584
python-networking-vsphere rpm without filters require

The previous rpm (with release 1.test.el7.centos) was uploaded by mistake with a temporary fix require.
To reproduce the problem, please use the second rpm (python-networking-vsphere-2.0.0-2.test.el7.centos.noarch.rpm).

Comment 2 Christopher Brown 2017-06-22 15:29:08 UTC
Hi Vladislav,

Sorry you didn't get a response.

Is this still a problem?

Comment 3 Vladislav Odintsov 2017-08-07 08:00:48 UTC
Hi Christopher,

Yes.

Actually, I'm not sure that my solution is good enough. Maybe somebody can advise a better one. Maybe filters should be moved to another `common` subpackage. I don't know.

Comment 4 Assaf Muller 2018-02-26 18:07:58 UTC
Vladislav, was the issue resolved since you reported it? If not, please send patches to the RDO repositories to make packaging changes.

Comment 5 Vladislav Odintsov 2020-12-11 09:32:55 UTC
I'm no longer involved in openstack and it looks like nobody is interested in this change, so close it as wontfix.