Success using neutron-rootwrap-xen-dom0 with xenserver (6.2)?

asked 2014-01-21 10:27:31 -0600

rgs

I see a bunch of references to neutron-rootwrap-xen-dom0 in various developer resources, but I am having a hard time finding any deployment / operational resources that might outline a successful deployment (i.e., specific requirements on the Dom0). Any resources or shared experiences would be helpful!


1 answer


answered 2014-02-11 15:26:50 -0600

Andrew Kinney

The one thing I did find is that it needed to be specified as "root_helper = neutron-rootwrap-xen-dom0 /etc/neutron/rootwrap.conf" in the [agent] section of /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini for it to get used. You also have to configure the xenapi-related bits at the end of /etc/neutron/rootwrap.conf.

You also have to have all the XenServer plugins installed in dom0. This was not a simple thing. There are also some patches to apply, which no longer apply properly due to versioning differences. I had to do those manually.

That said, I have had zero success with it. Every attempt to use it has resulted in a cascading series of errors that resulted in every configuration variant I could think of failing. Many resulted in the XenServer public IP getting knocked offline. Most of the trouble stemmed from security groups getting hosed for lack of iptables support in the XenServer plugins. I ran out of time to resolve that issue. A two week project turned into a two month nightmare, with more compromises than I wanted.

Ultimately, I settled for running all the networking within a VM. It has some drawbacks, but it works.



Since I supplied this answer, I've learned more. You have to set your security groups driver to nova (not neutron) in nova.conf on your compute node. No firewall drivers exist for xenserver in neutron, so you have to use the dom0 iptables firewall driver in nova for security groups to function.

Andrew Kinney ( 2014-02-13 19:57:20 -0600 )

That said, this code: will break XenServer HVM. No ports will get VLAN tags as a result.

Andrew Kinney ( 2014-02-27 21:22:39 -0600 )
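A pre-flight check for the settings named in the answer and its first comment, as an added example that is not part of the original thread or of OpenStack's own code. The `[xenapi]` key names, `security_group_api`, `firewall_driver` and the `Dom0IptablesFirewallDriver` class name are not given in the thread and are assumptions; the sample files are constructed.

```python
import configparser

def load(text):
    # default_section is renamed so [DEFAULT] values are NOT inherited by
    # [agent]; the answer says root_helper must sit in [agent] itself.
    cp = configparser.ConfigParser(default_section="__unused__",
                                   interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def check(ovs_ini, rootwrap_conf, nova_conf):
    """Return findings for the three files; an empty list means they agree with the thread."""
    ovs, rw, nova = load(ovs_ini), load(rootwrap_conf), load(nova_conf)
    findings = []
    helper = ovs.get("agent", "root_helper", fallback="")
    if "neutron-rootwrap-xen-dom0" not in helper.split():
        findings.append("ovs: [agent] root_helper does not use neutron-rootwrap-xen-dom0")
    # Assumed key names for the "xenapi related bits" in rootwrap.conf.
    for key in ("xenapi_connection_url", "xenapi_connection_username",
                "xenapi_connection_password"):
        if not rw.get("xenapi", key, fallback="").strip():
            findings.append(f"rootwrap: [xenapi] {key} is unset")  # value never echoed
    # Assumed nova.conf option names for the security-group settings in the comment.
    if nova.get("DEFAULT", "security_group_api", fallback="") != "nova":
        findings.append("nova: security_group_api is not nova")
    if not nova.get("DEFAULT", "firewall_driver", fallback="").endswith(
            "Dom0IptablesFirewallDriver"):
        findings.append("nova: firewall_driver is not the dom0 iptables driver")
    return findings

# Constructed sample files (not taken from the thread).
GOOD_OVS = "[agent]\nroot_helper = neutron-rootwrap-xen-dom0 /etc/neutron/rootwrap.conf\n"
BAD_OVS = "[DEFAULT]\nroot_helper = neutron-rootwrap-xen-dom0 /etc/neutron/rootwrap.conf\n[agent]\n"
ROOTWRAP = ("[DEFAULT]\nfilters_path = /etc/neutron/rootwrap.d\n[xenapi]\n"
            "xenapi_connection_url = http://dom0.example.invalid\n"
            "xenapi_connection_username = root\n"
            "xenapi_connection_password = CONSTRUCTED-PLACEHOLDER\n")
GOOD_NOVA = ("[DEFAULT]\nsecurity_group_api = nova\n"
             "firewall_driver = nova.virt.xenapi.firewall.Dom0IptablesFirewallDriver\n")
BAD_NOVA = "[DEFAULT]\nsecurity_group_api = neutron\n"

if __name__ == "__main__":
    print(check(GOOD_OVS, ROOTWRAP, GOOD_NOVA))
    print(check(BAD_OVS, ROOTWRAP, BAD_NOVA))
```

The `BAD_OVS` case is the one a plain `ConfigParser` would miss: a `root_helper` placed under `[DEFAULT]` would otherwise appear to be set in `[agent]` as well.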

Asked: 2014-01-21 10:27:31 -0600

Seen: 811 times

Last updated: Feb 11 '14