From 316f9a7d30a74ec3a4f9591c030a00e878c66602 Mon Sep 17 00:00:00 2001
From: Dirk Mueller
Date: Thu, 28 Jul 2016 21:04:03 +0200
Subject: [PATCH 1/2] Nova/Neutron: Enable rootwrap daemon mode

This provides a speedup (benchmarks that do a lot of neutron operations go down from 24 minutes to 11 minutes, providing an almost twofold improvement). The improvement is actually like eightfold on ARM. (cherry picked from commit ef29f92efe8d8dbc269c3ea127985a9f2cc16922)
---
 chef/cookbooks/neutron/templates/default/neutron.conf.erb | 1 +
 chef/cookbooks/nova/recipes/config.rb | 4 ++++
 chef/cookbooks/nova/templates/default/nova.conf.erb | 1 +
 3 files changed, 6 insertions(+)

diff --git a/chef/cookbooks/neutron/templates/default/neutron.conf.erb b/chef/cookbooks/neutron/templates/default/neutron.conf.erb
index 1fd424f058..68e23bdfdf 100644
--- a/chef/cookbooks/neutron/templates/default/neutron.conf.erb
+++ b/chef/cookbooks/neutron/templates/default/neutron.conf.erb
@@ -742,6 +742,7 @@ root_helper=sudo neutron-rootwrap /etc/neutron/rootwrap.conf
 
 # Root helper daemon application to use when possible.
 # root_helper_daemon =
+root_helper_daemon = sudo neutron-rootwrap-daemon /etc/neutron/rootwrap.conf
 
 # Use the root helper when listing the namespaces on a system. This may not
 # be required depending on the security configuration. If the root helper is
diff --git a/chef/cookbooks/nova/recipes/config.rb b/chef/cookbooks/nova/recipes/config.rb
index 05cb0c0ec3..c192cee6c2 100644
--- a/chef/cookbooks/nova/recipes/config.rb
+++ b/chef/cookbooks/nova/recipes/config.rb
@@ -51,6 +51,9 @@
 search_env_filtered(:node, "roles:nova-controller").first
 end
 
+# use nova-rootwrap daemon on compute-only nodes
+use_rootwrap_daemon = !node["roles"].include?("nova-controller")
+
 api_ha_enabled = api[:nova][:ha][:enabled]
 admin_api_host = CrowbarHelper.get_host_for_admin_url(api, api_ha_enabled)
 public_api_host = CrowbarHelper.get_host_for_public_url(api, api[:nova][:ssl][:enabled], api_ha_enabled)
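Review bot: In neutron.conf.erb the added `root_helper_daemon = sudo neutron-rootwrap-daemon /etc/neutron/rootwrap.conf` line is rendered unconditionally, while the nova side of this same patch gates the equivalent option per node. Every node that receives this template will therefore keep a long-lived root-privileged helper running for its agents. Nothing in this patch shows a sudoers rule for `neutron-rootwrap-daemon`; if the installed rule only covers `neutron-rootwrap`, the daemon presumably cannot start, so that is worth confirming on a fresh node. I would also document the trade-off above the line, e.g. `# Daemon mode keeps a root helper running; the filters referenced by /etc/neutron/rootwrap.conf are the only limit on what it executes.`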
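Review bot: In config.rb the added comment says "compute-only nodes", but `!node["roles"].include?("nova-controller")` is true for every node that lacks the nova-controller role, whatever else it runs. That turns the privileged daemon on through a negative test; a positive check for the role or hypervisor it is meant for would fail closed. The second patch in this series has to exclude Xen in the template, which suggests the condition is broader than intended. At minimum the comment should match the code: `# enable the nova-rootwrap daemon on every node that is not a nova-controller`. The rest of the recipe is outside the hunk, so how `node["roles"]` is populated cannot be checked from here.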
@@ -334,6 +337,7 @@
 ssl_key_file: api_ssl_keyfile,
 ssl_cert_required: api[:nova][:ssl][:cert_required],
 ssl_ca_file: api_ssl_cafile,
+ use_rootwrap_daemon: use_rootwrap_daemon,
 oat_appraiser_host: oat_server[:hostname],
 oat_appraiser_port: "8443",
 has_itxt: has_itxt
diff --git a/chef/cookbooks/nova/templates/default/nova.conf.erb b/chef/cookbooks/nova/templates/default/nova.conf.erb
index 0c908f75fa..05da7a5047 100644
--- a/chef/cookbooks/nova/templates/default/nova.conf.erb
+++ b/chef/cookbooks/nova/templates/default/nova.conf.erb
@@ -448,6 +448,7 @@ instance_usage_audit_period = hour
 # root privileges. This option is usually enabled on nodes that run nova
 # compute processes (boolean value)
 #use_rootwrap_daemon = false
+use_rootwrap_daemon = <%= @use_rootwrap_daemon %>
 
 # Path to the rootwrap configuration file to use for running commands as root
 # (string value)
From 23d45c22c6bbf572a8d3107c295f8c9da9bfdd2d Mon Sep 17 00:00:00 2001
From: Thomas Bechtold
Date: Mon, 21 Nov 2016 09:16:07 +0100
Subject: [PATCH 2/2] nova: Use rootwrap daemon mode only for kvm (bsc#1010553)

Using the daemon mode fails for Xen (see lp#1643457). This is a workarround until the bug in oslo.rootwrap is fixed. https://bugzilla.suse.com/show_bug.cgi?id=1010553
---
 chef/cookbooks/nova/templates/default/nova.conf.erb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/chef/cookbooks/nova/templates/default/nova.conf.erb b/chef/cookbooks/nova/templates/default/nova.conf.erb
index 05da7a5047..c6f89bc2b5 100644
--- a/chef/cookbooks/nova/templates/default/nova.conf.erb
+++ b/chef/cookbooks/nova/templates/default/nova.conf.erb
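Review bot: In nova.conf.erb, `use_rootwrap_daemon = <%= @use_rootwrap_daemon %>` prints whatever the variable holds, so a render that does not pass it (nil) would write `use_rootwrap_daemon = ` with an empty value for a boolean option. Emitting an explicit literal avoids that: `use_rootwrap_daemon = <%= @use_rootwrap_daemon ? "true" : "false" %>`. The only caller visible in this patch (config.rb) does pass the variable, so this is a robustness point rather than a failure seen here.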
@@ -448,7 +448,9 @@ instance_usage_audit_period = hour
 # root privileges. This option is usually enabled on nodes that run nova
 # compute processes (boolean value)
 #use_rootwrap_daemon = false
+<% if @libvirt_type.eql?('kvm') -%>
 use_rootwrap_daemon = <%= @use_rootwrap_daemon %>
+<% end -%>
 
 # Path to the rootwrap configuration file to use for running commands as root
 # (string value)
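Review bot: The `<% if @libvirt_type.eql?('kvm') -%>` guard carries no comment saying it is a temporary workaround, so nothing in the template tells a later reader when it can be removed. The decision to run the privileged daemon is also now split between the recipe (node role) and the template (hypervisor type). Allow-listing only `kvm` does fail closed: other hypervisor types get no line at all, which per the commented default above means `false`. I would add `<%# rootwrap daemon mode fails on Xen (lp#1643457, bsc#1010553); remove this guard once oslo.rootwrap is fixed -%>` above the `if`, and ideally fold the hypervisor check into the recipe's `use_rootwrap_daemon` expression. The hunk does not show where `@libvirt_type` is passed to the template, so confirm it is set on every render path.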