It looks like something is still missing. I added the line to /etc/sudoers.d/neutron_sudoers:

root@us01odc-qa-ctrl3:/var/log/neutron# cat /etc/sudoers.d/neutron_sudoers
Defaults:neutron !requiretty

neutron ALL = (root) NOPASSWD: /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *
neutron ALL = (root) NOPASSWD: /usr/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf *

Then I restarted neutron services and the error was gone… for a few minutes, and then it came back on ctrl3. Ctrl1/2 aren’t erroring at this time. I changed neutron’s shell and tested the daemon command and it seems to work:

root@us01odc-qa-ctrl3:~# su - neutron
neutron@us01odc-qa-ctrl3:~$ /usr/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf
/tmp/rootwrap-5b1QoP/rootwrap.sock
Z%"‘‘‘Vs‘‘5-,a‘‘‘‘G‘‘‘‘v‘‘

But neutron-linuxbridge-agent.log still scrolls errors:

http://paste.openstack.org/show/782740/

It appears that there is another factor besides the config, because even when the sudoers line was missing, it would work for hours or days before the error started. It has been working in our prod cluster for about a week now, without the sudoers line. It seems like it should not work that way. What am I missing?

From: Erik Olof Gunnar Andersson <eandersson@blizzard.com>
Sent: Thursday, October 10, 2019 11:08 AM
To: Albert Braden <albertb@synopsys.com>; Chris Apsey <bitskrieg@bitskrieg.net>
Cc: openstack-discuss@lists.openstack.org
Subject: RE: Port creation times out for some VMs in large group

Yea – if you look at your sudoers it’s only allowing the old traditional rootwrap, and not the new daemon. You need both.

Defaults:neutron !requiretty

neutron ALL = (root) NOPASSWD: /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *
neutron ALL = (root) NOPASSWD: /usr/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf

Best Regards, Erik Olof Gunnar Andersson
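
What "You need both" means for the config in this thread, as an added example that is not part of the original messages: a POSIX shell check that every active root_helper option in the agent config has a NOPASSWD rule for the neutron user. The sample config text is constructed (the `[agent]` section and the `root_helper` line are assumptions), the function names are hypothetical, and the comparison is plain text, not sudo's own rule matching.

```sh
#!/bin/sh
# Added example, not from the thread. Text comparison only, not sudo's own matching.

# Constructed agent config: the root_helper_daemon value is the one quoted in the
# thread; the [agent] section and the root_helper line are assumed.
CONF='[agent]
root_helper = sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf
root_helper_daemon = "sudo /usr/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf"'

# The two sudoers fragments shown in the thread: ctrl1 as posted, then the suggested one.
SUDOERS_CTRL1='Defaults:neutron !requiretty
neutron ALL = (root) NOPASSWD: /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *'
SUDOERS_BOTH="$SUDOERS_CTRL1
neutron ALL = (root) NOPASSWD: /usr/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf"

# helper_commands CONF_TEXT: print the command behind each active (uncommented)
# root_helper / root_helper_daemon option, with the leading "sudo" removed.
helper_commands() {
    printf '%s\n' "$1" | sed -n -E \
        's/^[[:space:]]*root_helper(_daemon)?[[:space:]]*=[[:space:]]*"?sudo[[:space:]]+([^"]*)"?[[:space:]]*$/\2/p'
}

# has_rule SUDOERS_TEXT USER CMD: succeed if a "USER ... NOPASSWD:" rule begins with
# CMD. Anything after CMD in the rule (such as a trailing "*") is ignored.
has_rule() (
    sudoers=$1 user=$2 cmd=$3
    set -f                                  # keep "*" literal while word-splitting
    while IFS= read -r line; do
        case $line in
            "$user "*NOPASSWD:*) ;;
            *) continue ;;
        esac
        set -- ${line#*NOPASSWD:}           # normalise spacing in the rule
        case "$* " in
            "$cmd "*) exit 0 ;;
        esac
    done <<EOF
$sudoers
EOF
    exit 1
)

# missing_rules CONF_TEXT SUDOERS_TEXT USER: print each helper command with no rule.
missing_rules() {
    helper_commands "$1" | while IFS= read -r cmd; do
        has_rule "$2" "$3" "$cmd" || printf 'no sudoers rule for: %s\n' "$cmd"
    done
}

missing_rules "$CONF" "$SUDOERS_CTRL1" neutron
```

On a live host, `visudo -cf /etc/sudoers.d/neutron_sudoers` checks the file's syntax and `sudo -l -U neutron` lists the rules sudo actually applies.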

 

From: Albert Braden <Albert.Braden@synopsys.com>
Sent: Thursday, October 10, 2019 11:05 AM
To: Erik Olof Gunnar Andersson <eandersson@blizzard.com>; Chris Apsey <bitskrieg@bitskrieg.net>
Cc: openstack-discuss@lists.openstack.org
Subject: RE: Port creation times out for some VMs in large group

I have the neutron sudoers line under sudoers.d:

root@us01odc-qa-ctrl1:/etc/sudoers.d# cat neutron_sudoers
Defaults:neutron !requiretty

neutron ALL = (root) NOPASSWD: /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *

Whatever is causing this didn’t start until I had been running the rootwrap daemon for 2 weeks, and it has not started in our prod cluster.

From: Erik Olof Gunnar Andersson <eandersson@blizzard.com>
Sent: Wednesday, October 9, 2019 6:40 PM
To: Albert Braden <albertb@synopsys.com>; Chris Apsey <bitskrieg@bitskrieg.net>
Cc: openstack-discuss@lists.openstack.org
Subject: Re: Port creation times out for some VMs in large group

You are probably missing an entry in your sudoers file.

You need something like

neutron ALL = (root) NOPASSWD: /usr/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf

From: Albert Braden <Albert.Braden@synopsys.com>
Sent: Wednesday, October 9, 2019 5:20 PM
To: Chris Apsey <bitskrieg@bitskrieg.net>
Cc: openstack-discuss@lists.openstack.org <openstack-discuss@lists.openstack.org>
Subject: RE: Port creation times out for some VMs in large group

We tested this in dev and qa and then implemented in production and it did make a difference, but 2 weeks later we started seeing an issue, first in dev, and then in qa. In syslog we see neutron-linuxbridge-agent.service stopping and starting[1]. In neutron-linuxbridge-agent.log we see a rootwrap error[2]: “Exception: Failed to spawn rootwrap process.”

If I comment out ‘root_helper_daemon = "sudo /usr/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf"’ and restart neutron services then the error goes away.

How can I use the root_helper_daemon setting without creating this new error?

http://paste.openstack.org/show/782622/