Bug 1228096 - rootwrap daemon mode should be enabled
Summary: rootwrap daemon mode should be enabled
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-neutron
Version: 7.0 (Kilo)
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: ga
Target Release: 7.0 (Kilo)
Assignee: Ihar Hrachyshka
QA Contact: Eran Kuris
URL:
Whiteboard:
Depends On: 1230438 1230900
Blocks:
Reported: 2015-06-04 08:08 UTC by Ihar Hrachyshka
Modified: 2023-02-22 23:02 UTC (History)

Fixed In Version: openstack-neutron-2015.1.0-8.el7ost
Doc Type: Release Note
Doc Text:
In Kilo, Neutron services can now rely on the so-called rootwrap daemon to execute external commands like 'ip' or 'sysctl'. The daemon pre-caches rootwrap filters and drastically improves overall agent performance. For RHEL-OSP7, the rootwrap daemon is enabled by default. If you want to avoid using it and stick to another root privilege separation mechanism like 'sudo', make sure you also disable the daemon by setting 'root_helper_daemon =' in the [agent] section of your neutron.conf file.
Clone Of:
Environment:
Last Closed: 2015-08-05 13:24:47 UTC
Target Upstream Version:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHEA-2015:1548 | 0 | normal | SHIPPED_LIVE | Red Hat Enterprise Linux OpenStack Platform Enhancement Advisory | 2015-08-05 17:07:06 UTC

Description Ihar Hrachyshka 2015-06-04 08:08:28 UTC
Kilo introduced a new feature for neutron: rootwrap daemon mode, which drastically enhances performance for agents that extensively call external tools like ip or sysctl or radvd (this means e.g. the ovs or l3 agent).

It would be great to see the feature enabled by default since OSP7.

Comment 4 Ihar Hrachyshka 2015-06-04 13:36:58 UTC
Ofer, the daemon is spawned by neutron itself, and is not controlled by any external system (like systemd). The idea is that neutron spawns it once, and then communicates with it using a local UNIX socket.

To test the setup, you just upgrade the package and make sure that agents still behave correctly (l2, l3), updating ports and bridges and namespaces based on user actions. Any regression or integration tests would do it.

Comment 5 Ihar Hrachyshka 2015-06-05 09:57:51 UTC
Targeting to GA as per Livnat and Nir.

Comment 8 Eran Kuris 2015-06-21 11:12:18 UTC
Verified on OSP7 on RHEL 7
# rpm -qa |grep neutron 
openstack-neutron-common-2015.1.0-8.el7ost.noarch
python-neutron-lbaas-2015.1.0-5.el7ost.noarch
python-neutron-fwaas-2015.1.0-3.el7ost.noarch
python-neutronclient-2.4.0-1.el7ost.noarch
openstack-neutron-fwaas-2015.1.0-3.el7ost.noarch
python-neutron-2015.1.0-8.el7ost.noarch
openstack-neutron-openvswitch-2015.1.0-8.el7ost.noarch
openstack-neutron-2015.1.0-8.el7ost.noarch
openstack-neutron-ml2-2015.1.0-8.el7ost.noarch
openstack-neutron-lbaas-2015.1.0-5.el7ost.noarch


Configured a setup with 2 VMs and a router.
Checked full connectivity on the internal network and the external network with a floating IP.

Comment 10 errata-xmlrpc 2015-08-05 13:24:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2015:1548
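
The Doc Text field above says that switching back to plain 'sudo' also requires an explicit 'root_helper_daemon =' in the [agent] section. The following audit is an added example, not code from Neutron or from this bug; it flags a neutron.conf where only half of that change was made. The `root_helper` option and the `neutron-rootwrap` command lines are the usual Neutron values, the sample configs are constructed, and treating an absent key as "packaged default applies" is an assumption.

```python
import configparser

# Constructed sample [agent] sections, not taken from a real deployment.
DAEMON_ON = """[agent]
root_helper = sudo neutron-rootwrap /etc/neutron/rootwrap.conf
root_helper_daemon = sudo neutron-rootwrap-daemon /etc/neutron/rootwrap.conf
"""
SUDO_ONLY = """[agent]
root_helper = sudo
root_helper_daemon =
"""
HALF_SWITCHED = """[agent]
root_helper = sudo
"""  # root_helper_daemon key absent: the packaged default still applies


def audit_agent(conf_text, daemon_is_packaged_default=True):
    """Return (daemon_active, findings) for the [agent] section of neutron.conf.

    daemon_is_packaged_default models the release note's statement that
    RHEL-OSP7 enables the daemon by default (assumption: an absent key
    means that default is in effect).
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    agent = cp["agent"] if cp.has_section("agent") else {}
    helper = agent.get("root_helper", "").strip()
    daemon = agent.get("root_helper_daemon")  # None = key absent, "" = disabled

    if daemon is None:
        daemon_active = daemon_is_packaged_default
    else:
        daemon_active = bool(daemon.strip())

    findings = []
    uses_rootwrap = "neutron-rootwrap" in helper
    if helper and not uses_rootwrap and daemon_active:
        findings.append("root_helper does not use rootwrap but the daemon is "
                        "still active; set 'root_helper_daemon =' explicitly")
    if daemon_active and daemon and "neutron-rootwrap-daemon" not in daemon:
        findings.append("root_helper_daemon does not invoke neutron-rootwrap-daemon")
    if helper and not uses_rootwrap:
        findings.append("commands run without rootwrap filters; sudoers alone "
                        "limits what the agent can execute")
    return daemon_active, findings
```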

