Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1367609 - /usr/share/nova/rootwrap doesn't include network.filters
Summary: /usr/share/nova/rootwrap doesn't include network.filters
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-nova
Version: 9.0 (Mitaka)
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Target Milestone: ---
: 9.0 (Mitaka)
Assignee: Brent Eagles
QA Contact: Prasanth Anbalagan
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-08-17 00:37 UTC by bigswitch
Modified: 2016-11-28 17:45 UTC (History)
22 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-28 17:45:01 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
OpenStack gerrit 358024 None None None 2016-08-19 17:30:53 UTC
Launchpad 1627131 None None None 2016-09-23 17:55:46 UTC

Description bigswitch 2016-08-17 00:37:53 UTC
Description of problem:

We are using rhosp9 rc1 and notice that on compute nodes /usr/share/nova/rootwrap doesn't include network.filters. This filter should be included.


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 2 Matthew Booth 2016-08-19 14:35:23 UTC
Prateek, could you check this out on a RHOS 9 setup? I'd like to know:

* Which package owns /usr/share/nova/rootwrap
* Where does it expect network.filters to be?
* Is it there?

Thanks,

Matt

Comment 3 Matthew Booth 2016-08-19 14:56:56 UTC
Prateek, never mind: confirmed this file is owned by openstack-nova-network-13.1.0-6.el7ost.noarch.rpm. Could you check if this package is installed for a default neutron setup? Guessing it's not.

Comment 4 Mike Burns 2016-08-19 15:00:58 UTC
Was this file there in OSP 8?  is this a regression?  can you look at an OSP 8 setup and tell us which rpm the file comes from (if it's there)?

I know that bigswitch is not using nova-network, so it makes sense that nova-network wouldn't be installed.

Comment 5 Dan Smith 2016-08-19 15:05:10 UTC
network.filters is a file in the openstack-nova-network package, but may have some things in there that the compute service needs to run for vif plugging and such even in neutron mode.

Comment 6 Brent Eagles 2016-08-19 15:58:14 UTC
As Dan alludes to, the missing file isn't an issue unless it contained a filter that isn't already included in compute.filters.

As this is bigswitch related, I suspect the filter for 'ivs-vsctl' is among the missing. If this assumption is correct and as bigswitch support isn't part of the neutron core package, it's not obvious where the filter belongs. However, since the operation is called directly by the VIF driver (similarly to OVS ports), adding the required lines to compute.filters would at least be consistent with what have been doing. Alternatively the bigswitch packaging could drop a  file in /etc/nova/rootwrap.d with the appropriate filters.

Can we confirm which filters are required that are missing?

Comment 7 bigswitch 2016-08-19 17:14:12 UTC
Brent, you are right. The missing filter is following

https://github.com/openstack/nova/blob/stable/mitaka/etc/nova/rootwrap.d/network.filters#L37-L40

Comment 8 Brent Eagles 2016-08-19 17:30:54 UTC
I've created a patch upstream to add this to compute.filters. Let's see where it takes us.

Comment 9 Salman Khan 2016-08-31 13:29:09 UTC
There are other filters as well which are provided by network.filters file, all those need to be added in compute.filters if plan is not to provide network.filters files with openstack-nova-common package but rather only with openstack-nova-network. 

network.filters file was used to be provided by openstack-nova-common package in Liberty but it is removed now in Mitaka package, not sure why there isn't any bug/blueprint related to it upstream. See the output below for Liberty and Mitaka packages upstream and the list of files provided by them, clearly the file has been removed from liberty to mitaka.


[root@overcloud-compute-0 ~]# rpm -qlp http://mirror.centos.org/centos/7/cloud/x86_64/openstack-liberty/openstack-nova-common-12.0.4-1.el7.noarch.rpm
warning: http://mirror.centos.org/centos/7/cloud/x86_64/openstack-liberty/openstack-nova-common-12.0.4-1.el7.noarch.rpm: Header V4 RSA/SHA1 Signature, key ID 764429e6: NOKEY
/etc/logrotate.d/openstack-nova
/etc/nova
/etc/nova/api-paste.ini
/etc/nova/nova.conf
/etc/nova/policy.json
/etc/nova/release
/etc/nova/rootwrap.conf
/etc/polkit-1/localauthority/50-local.d/50-nova.pkla
/etc/polkit-1/rules.d/50-nova.rules
/etc/sudoers.d/nova
/usr/bin/nova-manage
/usr/bin/nova-rootwrap
/usr/bin/nova-rootwrap-daemon
/usr/share/doc/openstack-nova-common-12.0.4
/usr/share/doc/openstack-nova-common-12.0.4/LICENSE
/usr/share/man/man1/nova-all.1.gz
/usr/share/man/man1/nova-api-ec2.1.gz
/usr/share/man/man1/nova-api-metadata.1.gz
/usr/share/man/man1/nova-api-os-compute.1.gz
/usr/share/man/man1/nova-api.1.gz
/usr/share/man/man1/nova-cells.1.gz
/usr/share/man/man1/nova-cert.1.gz
/usr/share/man/man1/nova-compute.1.gz
/usr/share/man/man1/nova-conductor.1.gz
/usr/share/man/man1/nova-console.1.gz
/usr/share/man/man1/nova-consoleauth.1.gz
/usr/share/man/man1/nova-dhcpbridge.1.gz
/usr/share/man/man1/nova-idmapshift.1.gz
/usr/share/man/man1/nova-manage.1.gz
/usr/share/man/man1/nova-network.1.gz
/usr/share/man/man1/nova-novncproxy.1.gz
/usr/share/man/man1/nova-objectstore.1.gz
/usr/share/man/man1/nova-rootwrap.1.gz
/usr/share/man/man1/nova-scheduler.1.gz
/usr/share/man/man1/nova-serialproxy.1.gz
/usr/share/man/man1/nova-spicehtml5proxy.1.gz
/usr/share/man/man1/nova-xvpvncproxy.1.gz
/usr/share/nova
/usr/share/nova/client.ovpn.template
/usr/share/nova/interfaces.template
/usr/share/nova/nova-dist.conf
/usr/share/nova/rootwrap
/usr/share/nova/rootwrap/api-metadata.filters
/usr/share/nova/rootwrap/compute.filters
/usr/share/nova/rootwrap/network.filters
/var/lib/nova
/var/lib/nova/buckets
/var/lib/nova/instances
/var/lib/nova/keys
/var/lib/nova/networks
/var/lib/nova/tmp
/var/log/nova
/var/run/nova




[root@overcloud-compute-0 ~]# rpm -qlp http://mirror.centos.org/centos/7/cloud/x86_64/openstack-mitaka/openstack-nova-common-13.0.0-1.el7.noarch.rpm
warning: http://mirror.centos.org/centos/7/cloud/x86_64/openstack-mitaka/openstack-nova-common-13.0.0-1.el7.noarch.rpm: Header V4 RSA/SHA1 Signature, key ID 764429e6: NOKEY
/etc/logrotate.d/openstack-nova
/etc/nova
/etc/nova/api-paste.ini
/etc/nova/nova.conf
/etc/nova/policy.json
/etc/nova/release
/etc/nova/rootwrap.conf
/etc/polkit-1/localauthority/50-local.d/50-nova.pkla
/etc/polkit-1/rules.d/50-nova.rules
/etc/sudoers.d/nova
/usr/bin/nova-manage
/usr/bin/nova-rootwrap
/usr/bin/nova-rootwrap-daemon
/usr/share/doc/openstack-nova-common-13.0.0
/usr/share/doc/openstack-nova-common-13.0.0/LICENSE
/usr/share/man/man1/nova-all.1.gz
/usr/share/man/man1/nova-api-metadata.1.gz
/usr/share/man/man1/nova-api-os-compute.1.gz
/usr/share/man/man1/nova-api.1.gz
/usr/share/man/man1/nova-cells.1.gz
/usr/share/man/man1/nova-cert.1.gz
/usr/share/man/man1/nova-compute.1.gz
/usr/share/man/man1/nova-conductor.1.gz
/usr/share/man/man1/nova-console.1.gz
/usr/share/man/man1/nova-consoleauth.1.gz
/usr/share/man/man1/nova-dhcpbridge.1.gz
/usr/share/man/man1/nova-idmapshift.1.gz
/usr/share/man/man1/nova-manage.1.gz
/usr/share/man/man1/nova-network.1.gz
/usr/share/man/man1/nova-novncproxy.1.gz
/usr/share/man/man1/nova-rootwrap.1.gz
/usr/share/man/man1/nova-scheduler.1.gz
/usr/share/man/man1/nova-serialproxy.1.gz
/usr/share/man/man1/nova-spicehtml5proxy.1.gz
/usr/share/man/man1/nova-xvpvncproxy.1.gz
/usr/share/nova
/usr/share/nova/client.ovpn.template
/usr/share/nova/interfaces.template
/usr/share/nova/nova-dist.conf
/var/lib/nova
/var/lib/nova/buckets
/var/lib/nova/instances
/var/lib/nova/keys
/var/lib/nova/networks
/var/lib/nova/tmp
/var/log/nova
/var/run/nova

Comment 11 Mike Burns 2016-09-23 17:16:48 UTC
Brent, I see this merged in master, can we backport it to mitaka?

Comment 12 Brent Eagles 2016-09-23 17:29:25 UTC
I'm not sure. There are a couple of things about it: 

 - Yours truly neglected to file a launchpad bug at the time I originally submitted the patch. 

 - It's a weird sort of bug in that it would only affect packagers that weren't including all of the filter files. I'm not sure where it fits with the current nova process and policies on backports.

I *think* all we should need to do is just file that appropriate launchpad bug and submit the backport. Melanie, does this sound right to you?

Comment 13 Brent Eagles 2016-09-23 17:57:18 UTC
Launchpad bug is submitted u/s and see what I can do.

Comment 15 Mike Burns 2016-10-05 18:16:52 UTC
Brent, any luck getting this backported to Mitaka?

Comment 16 Brent Eagles 2016-10-07 15:49:44 UTC
According to mriedman, it's a "no go" upstream.

Comment 20 Artom Lifshitz 2016-11-04 19:37:40 UTC
This looks a like duplicate of 1371562 [1], which I fixed in openstack-nova-13.1.1-7.el7ost by moving network.filters to the -common package. What version was this bug observed with? If prior to 13.1.1-7, can we try upgrading and making sure that the bug goes away?

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1371562

Comment 21 bigswitch 2016-11-28 17:44:10 UTC
network.filter is present in latest rhosp9 overcloud-full.qcow2 image. Closing bugzilla


Note You need to log in before you can comment on or make changes to this bug.