<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:SimSun;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"\@SimSun";
panose-1:2 1 6 0 3 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:67271052;
mso-list-type:hybrid;
mso-list-template-ids:933025796 -2110645684 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:.75in;
text-indent:-.25in;}
@list l0:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.25in;
text-indent:-.25in;}
@list l0:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
margin-left:1.75in;
text-indent:-9.0pt;}
@list l0:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:2.25in;
text-indent:-.25in;}
@list l0:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:2.75in;
text-indent:-.25in;}
@list l0:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
margin-left:3.25in;
text-indent:-9.0pt;}
@list l0:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:3.75in;
text-indent:-.25in;}
@list l0:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:4.25in;
text-indent:-.25in;}
@list l0:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
margin-left:4.75in;
text-indent:-9.0pt;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">Hi Neutron guys,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I’m trying to explain a problem with the XenServer rootwrap and give a proposal to resolve it. I need some input on how to proceed with this proposal: e.g. if requires a spec? Any concerns need further discussion or clarification?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b>Problem description:<o:p></o:p></b></p>
<p class="MsoNormal">As we’ve known, some neutron services need run commands with root privileges and it’s achieved by running commands via the rootwrap. And in order to resolve performance issue, it has been improved to support daemon mode for the rootwrap
[1]. Either way has the commands running on the same node/VM which has relative neutron services running on.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">But as a type-1 hypervisor, XenServer OpenStack has different behavior. Neutron’s compute agent
<span style="font-size:9.0pt;font-family:"Courier New";color:#333333;background:white">
neutron-openvswitch-agent</span> need run commands in dom0, as the tenants’ interfaces are plugged in an integration OVS which locates in Dom0. Currently the script of
<a href="https://github.com/openstack/neutron/blob/master/bin/neutron-rootwrap-xen-dom0">
https://github.com/openstack/neutron/blob/master/bin/neutron-rootwrap-xen-dom0</a> is used as XenServer OpenStack’s rootwrap. This script will create a XenAPI session with dom0 and passes the commands to dom0 for the real execution. Each command execution will
run this script once. So it has the similar performance issue as the non-daemon mode of rootwrap on other hypervisors: For each command, it has to parse the neutron-rootwrap-xen-dom0 script and the rootwrap configure file. Furthermore, this rootwrap script
will create a XenAPI for each command execution and XenServer by default will log the XenAPI session creation events. It will cause frequent log file rotation and so other real useful log is lost.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b>Proposal:<o:p></o:p></b></p>
<p class="MsoNormal">The os.rootwrap support daemon mode for other hypervisors; but XenServer’s compute agent can’t use that as again it need run commands in Dom0. But we can refer to that design and implement the daemon mode for XenServer. After creating a
XenAPI session, Dom0’s XAPI will accept the command running requests from the session and reply with the running result. So logically we’ve had a daemon in dom0. So we can support daemon mode rootwrap with the following design:<o:p></o:p></p>
<p class="MsoNormal">1. Develop a daemon client module for XenServer: The agent service will use this client module to create a XenAPI session, and keep this session during the service’s whole life.<br>
2. once need run command on dom0, use the above client to runs commands in dom0.<o:p></o:p></p>
<p class="MsoNormal">It should be able to result the issues mentioned above, as the client module need import only once for each agent service and only use a single session for all commands. The prototype code[3] works well.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Any concern or comments for the above proposal? And how I can proceed with solution? We’ve filed a RFE bug[2] which is in wishlist&incomplete status. Per the neutron policy[4], it seems need neutron-drivers team to evaluate the RFE and
determine if a spec is required. Could anyone help to evaluate this proposal and tell me how I should proceed? And I’m also open and happy for any comments. Thanks very much.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">[1] <a href="https://specs.openstack.org/openstack/oslo-specs/specs/juno/rootwrap-daemon-mode.html">
https://specs.openstack.org/openstack/oslo-specs/specs/juno/rootwrap-daemon-mode.html</a><o:p></o:p></p>
<p class="MsoNormal">[2] <a href="https://bugs.launchpad.net/neutron/+bug/1585510">
https://bugs.launchpad.net/neutron/+bug/1585510</a><o:p></o:p></p>
<p class="MsoNormal">[3]prototype code: <a href="https://review.openstack.org/#/c/390931/">
<span style="font-size:9.0pt;font-family:"Courier New";color:#0033AA;background:white;text-decoration:none">https://review.openstack.org/#/c/390931/</span></a><o:p></o:p></p>
<p class="MsoNormal">[4] <a href="http://docs.openstack.org/developer/neutron/policies/blueprints.html">
http://docs.openstack.org/developer/neutron/policies/blueprints.html</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Regards,<o:p></o:p></p>
<p class="MsoNormal">Jianghua<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>