Port creation times out for some VMs in large group

Erik Olof Gunnar Andersson eandersson at blizzard.com
Thu Oct 10 18:08:02 UTC 2019


Yea - if you look at your sudoers its only allowing the old traditional rootwrap, and not the new daemon. You need both.

Defaults:neutron !requiretty

neutron ALL = (root) NOPASSWD: /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *
neutron ALL = (root) NOPASSWD: /usr/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf

Best Regards, Erik Olof Gunnar Andersson

From: Albert Braden <Albert.Braden at synopsys.com>
Sent: Thursday, October 10, 2019 11:05 AM
To: Erik Olof Gunnar Andersson <eandersson at blizzard.com>; Chris Apsey <bitskrieg at bitskrieg.net>
Cc: openstack-discuss at lists.openstack.org
Subject: RE: Port creation times out for some VMs in large group

I have the neutron sudoers line under sudoers.d:

root at us01odc-qa-ctrl1:/etc/sudoers.d#<mailto:root at us01odc-qa-ctrl1:/etc/sudoers.d#> cat neutron_sudoers
Defaults:neutron !requiretty

neutron ALL = (root) NOPASSWD: /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *

Whatever is causing this didn't start until I had been running the rootwrap daemon for 2 weeks, and it has not started in our prod cluster.

From: Erik Olof Gunnar Andersson <eandersson at blizzard.com<mailto:eandersson at blizzard.com>>
Sent: Wednesday, October 9, 2019 6:40 PM
To: Albert Braden <albertb at synopsys.com<mailto:albertb at synopsys.com>>; Chris Apsey <bitskrieg at bitskrieg.net<mailto:bitskrieg at bitskrieg.net>>
Cc: openstack-discuss at lists.openstack.org<mailto:openstack-discuss at lists.openstack.org>
Subject: Re: Port creation times out for some VMs in large group

You are probably missing an entry in your sudoers file.

You need something like


neutron ALL = (root) NOPASSWD: /usr/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf

________________________________
From: Albert Braden <Albert.Braden at synopsys.com<mailto:Albert.Braden at synopsys.com>>
Sent: Wednesday, October 9, 2019 5:20 PM
To: Chris Apsey <bitskrieg at bitskrieg.net<mailto:bitskrieg at bitskrieg.net>>
Cc: openstack-discuss at lists.openstack.org<mailto:openstack-discuss at lists.openstack.org> <openstack-discuss at lists.openstack.org<mailto:openstack-discuss at lists.openstack.org>>
Subject: RE: Port creation times out for some VMs in large group


We tested this in dev and qa and then implemented in production and it did make a difference, but 2 weeks later we started seeing an issue, first in dev, and then in qa. In syslog we see neutron-linuxbridge-agent.service stopping and starting[1]. In neutron-linuxbridge-agent.log we see a rootwrap error[2]: "Exception: Failed to spawn rootwrap process."



If I comment out 'root_helper_daemon = "sudo /usr/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf"' and restart neutron services then the error goes away.



How can I use the root_helper_daemon setting without creating this new error?



http://paste.openstack.org/show/782622/


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20191010/1d8ef1fd/attachment.html>


More information about the openstack-discuss mailing list