Hide Forgot
As per the dicussion on BZ https://bugzilla.redhat.com/show_bug.cgi?id=1431556#c24 with neutron, openvswitch and os teams, it has been agreed that we create a new directory for hosting vhost sockets for type dpdkvhostuserclient mode (which is default from OSP11 onwards). The new directory created is "/var/lib/vhost_sockets/" with qemu:qemu permission and the corresponding SELinux policies are added so that virt can access it. But even with this change, we need to openvswitch permission workarounds in the ovs-vswitchd service files, below ones: if [ -f /usr/lib/systemd/system/openvswitch-nonetwork.service ]; then ovs_service_path="/usr/lib/systemd/system/openvswitch-nonetwork.service" elif [ -f /usr/lib/systemd/system/ovs-vswitchd.service ]; then ovs_service_path="/usr/lib/systemd/system/ovs-vswitchd.service" fi grep -q "RuntimeDirectoryMode=.*" $ovs_service_path if [ "$?" -eq 0 ]; then sed -i 's/RuntimeDirectoryMode=.*/RuntimeDirectoryMode=0775/' $ovs_service_path else echo "RuntimeDirectoryMode=0775" >> $ovs_service_path fi grep -Fxq "Group=qemu" $ovs_service_path if [ ! "$?" -eq 0 ]; then echo "Group=qemu" >> $ovs_service_path fi grep -Fxq "UMask=0002" $ovs_service_path if [ ! "$?" -eq 0 ]; then echo "UMask=0002" >> $ovs_service_path fi ovs_ctl_path='/usr/share/openvswitch/scripts/ovs-ctl' grep -q "umask 0002 \&\& start_daemon \"\$OVS_VSWITCHD_PRIORITY\"" $ovs_ctl_path if [ ! "$?" -eq 0 ]; then sed -i 's/start_daemon \"\$OVS_VSWITCHD_PRIORITY.*/umask 0002 \&\& start_daemon \"$OVS_VSWITCHD_PRIORITY\" \"$OVS_VSWITCHD_WRAPPER\" \"$@\"/' $ovs_ctl_path fi Raising this BZ to understand why it is still required and discuss on the alternatives.
Alternatively, in the ODL deployments [1], instead of the new directory and ovs permission changes in the service file, the "user" and "group" values in the /etc/libvirt/qemu.conf[2] is set as "root". This change works (tested by Tim Roznet with ODL). We would like to understand if the same can by used for neutron ml2 based ovs-dpdk deployments too, if there is no other implications. [1] https://review.openstack.org/#/c/419648/19/extraconfig/pre_network/ovs_dpdk_config.yaml@71 [2] https://github.com/libvirt/libvirt/blob/master/src/qemu/qemu.conf#L360
I'm not an openvswitch expert, but I think that is needed because giving qemu access is good but not enough. ovs has to have access too. We should probably ask some openvswitch developer.
It should also work for neutron ovs agent dpdk. I believe I tested it.
Michal, Can you please throw some light on c#1 as well. we would like to understand if changing the permissions for user and group fields to root in /etc/libvirt/qemu.conf has other impacts ?
(In reply to Saravanan KR from comment #1) > Alternatively, in the ODL deployments [1], instead of the new directory and > ovs permission changes in the service file, the "user" and "group" values in > the /etc/libvirt/qemu.conf[2] is set as "root". > Setting user = group = "root" results in qemu processes running under root:root privileges. Of course qemu can then access whatever path. However, my understanding is that you don't want to run qemu with root privileges, therefore you have to either: a) set user & group variables to something else (e.g. qemu:qemu), or b) not set at all (defaults to qemu:qemu on RHEL).
I've recently proposed a change to Open vSwitch upstream at: https://mail.openvswitch.org/pipermail/ovs-dev/2017-June/333423.html which makes ovs run with a group of hugetlbfs. Perhaps we could settle on a group ID that they could share; we could then use that for as our DAC id? Just throwing it out there.
Patch create upstream. https://review.openstack.org/#/c/478163/
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2017:3462