Fix and enhancements for OVN plugins

[danalsan]

[ovn_host] Add support for containerized setups
[ovn_central] Add support to containerized setups
Allow reading commands output from containers
Minor enhancements to the OVN plugin

[pmoravec]

Please remove this extra empty line (Travis fails on it - you can run "pycodestyle" on modified code to spot it locally before committing it).

[pmoravec]

What is the purpose to copy the files? (to get the copy command output that is usefull for some troubleshooting?)

Is it safe to expose that file to publicly available /tmp directory - can't it be misused by some intruder?

(I think I got this; you collect the file in add_database_output and I guess it is really safe to expose them since non-containerised environment exposes them in similar way - am I right?)

[danalsan]

What is the purpose to copy the files? (to get the copy command output that is usefull for some troubleshooting?)

Is it safe to expose that file to publicly available /tmp directory - can't it be misused by some intruder?

(I think I got this; you collect the file in add_database_output and I guess it is really safe to expose them since non-containerised environment exposes them in similar way - am I right?)

Yes, you're right. On non containerized environments, this is exposed in the host filesystem while in containerized environments we want to read the files to figure out what tables to pull data from.

Re. security, these files are just the DB schema and are publicly available anyways in the OVS/OVN repositories, they do not contain any data but just the schema definition.

[TurboTurtle]

podman cp exists and matches the docker syntax to copy files out of a container. In no way should we be mounting anything anywhere in a plugin.

This whole block to construct the command can be reduced to:

if containerized:
    cmd = "%s cp %s:" % (self._container_runtime, self._container_name)

[danalsan]

podman cp exists and matches the docker syntax to copy files out of a container. In no way should we be mounting anything anywhere in a plugin.

I took a RHEL 8.0 base system where podman cp doesn't exist. Do you mean is it fair to assume that whatever version of podman is now packaged in RHEL8 would support that command? If so, I'll fallback to my previous version.

[root@controller-0 ovn_central]# podman cp
Command "cp" not found.
See podman --help.

[TurboTurtle]

It looks like podman cp is a 1.1 feature, whereas 8.0 has 1.0 podman. I'd imagine the next rebase for podman in RHEL will update it to at least 1.1 (Fedora is on 1.4 right now for reference).

In any event, I am still completely against doing mount operations within a plugin. Maybe there needs to be some logic to gate against podman-1.0, or we just accept that it won't work for that version of podman.

[TurboTurtle]

The above being said, I'm not a fan of sos copying files out of a container to a location in /tmp just to read them and then do nothing else.

Can we not just run the db query commands directly in the container and record that output?

[danalsan]

On 22 Aug 2019, at 22:01, Jake Hunsaker ***@***.***> wrote: @TurboTurtle commented on this pull request. In sos/plugins/ovn_central.py: > @@ -65,12 +86,37 @@ def setup(self): ] schema_dir = '/usr/share/openvswitch' + if containerized: + if self._container_runtime == 'podman': + dst = self.get_command_output( + "podman mount %s" % self._container_name)['output'] + cmd = "cp " + dst.rstrip() It looks like podman cp is a 1.1 feature, whereas 8.0 has 1.0 podman. I'd imagine the next rebase for podman in RHEL will update it to at least 1.1 (Fedora is on 1.4 right now for reference). In any event, I am still completely against doing mount operations within a plugin. Maybe there needs to be some logic to gate against podman-1.0, or we just accept that it won't work for that version of podman.

As I said, the directory is accesible even without mounting but I need to find it some how; it is not a real mount and anyways it’s just mounted right after the file is fetched. What then about using glob if Python 3 is installed to search for the files in /var/lib and “docker cp” otherwise? We need the ovn plugin to work on RHEL8. Can you suggest something that would work for you and later on when podman > 1.0 is available, we will just use “podman cp”?

…

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or mute the thread.

[TurboTurtle]

As I said, the directory is accesible even without mounting but I need to find it some how; it is not a real mount and anyways it’s just mounted right after the file is fetched. What then about using glob if Python 3 is installed to search for the files in /var/lib and “docker cp” otherwise? We need the ovn plugin to work on RHEL8. Can you suggest something that would work for you and later on when podman > 1.0 is available, we will just use “podman cp”?

As I said, I am still not onboard with performing file copies on the host. podman cp is a last resort in my mind, if we even agree to go that route at all.

What is represented by the table names in the ovn-(nb|sb).ovsschema files? Do they map to some other component within OVN that can be listed with some other ovn-ctl command? I would find it odd if an end user needed to go digging through schema files in order to run valid ovn-nbctl list $schema on their own.

If some kind of list command like that is present, we can simplify this substantially and making it container-compatible would be trivial.

[danalsan]

@TurboTurtle I changed the code to read the file inside the container to memory. If it's not a containerized setup, the old behavior is kept. This way we don't mount or copy any files into the host filesystem and it shouldn't be a problem as the schema file shouldn't grow much (it doesn't contain any data but just the tables, columns and relationships). Let me know if this works for you.
Thanks,
daniel

[bmr-cymru]

This pull request introduces 2 alerts when merging 8178714 into f9e0a23 - view on LGTM.com

new alerts:

• 1 for Unused local variable
• 1 for Wrong number of arguments in a call

---

Warning - Automated code review for sosreport/sos will be disabled on October 1, 2019. You can avoid this by installing the LGTM.com GitHub App. Read about the benefits of migrating to GitHub Apps in the blog.

---

Comment posted by LGTM.com

[danalsan]

The travis failures are unrelated to this PR, the offending lines belong to the following commit:

^2453c238 (Jake Hunsaker 2019-06-07 13:08:12 -0400 926) strfile = file_name.replace(os.path.sep, ".") + ".tailed"
^2453c238 (Jake Hunsaker 2019-06-07 13:08:12 -0400 927) self.add_string_as_file(tail(_file, sizelimit), strfile)

I can send a separate PR to fix it.

[TurboTurtle]

The offending commit is actually 9c421f8

But we can get that cleaned up in master in a moment before we close 3.8.

[danalsan]

The offending commit is actually 9c421f8

But we can get that cleaned up in master in a moment before we close 3.8.

ack, thanks a lot.
Let me know please if there's anything you'd like me to change from this PR.

[pmoravec]

Why this change, please?

@bmr-cymru and @TurboTurtle , any comment here? Could it have some drawbacks?

[danalsan]

Thanks a lot for taking a look.
Without that change, podman hangs for me [0] and with strace I could see that the process is receiving SIGTTIN all the time.

[0] https://bugzilla.redhat.com/show_bug.cgi?id=1732525

[pmoravec]

Theoretically, the JSON file might lack 'tables' (can we 100% guarantee the json file cant be corrupted or empty?). If this would happen, an uncaught exception would be raised.

[danalsan]

Good point, plus it was handled before my patch. Will fix.
Thanks!

[pmoravec]

Will be "cmds" variable really updated in the cmds.append('%s list %s' % (ovn_cmd, table)) call inside add_database_output? As:

>>> def plus(a,b,c):
...   c = a+b
... 
>>> s1=3
>>> s2=5
>>> s=6
>>> plus(s1,s2,s)
>>> s
6

(this could be over-worked by using "self.cmds" in setup and add_database_output and not passing "cmds" as its argument)

[danalsan]

As it is a list, we can be sure that the cmds variable will be updated. (My patch is not changing the behavior though, it was like that before). For example:

def _bb(param):
param.append(3)

aa = [1, 2]
_bb(aa)
print(aa)

$ python3.7 test.py
[1, 2, 3]

$ python2.7 test.py
[1, 2, 3]

[pmoravec]

Ah right, forgot it is a list..

[bmr-cymru]

Please make sure patches are in [component] description of change format. I've fixed the first one on this branch (and also split it into two separate patches - it was adding two items to one plugin and fixing a completely unrelated bug in another...).

I've dropped the stdin=PIPE patch as this is working around a problem in podman when it is run without a controlling TTY.