yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #28474
[Bug 1421772] [NEW] neutron-openvswitch-agent says Tried to generate an ipset iptable rule for a security group rule even in normal operation
Public bug reported:
Lot's of messages like those ones can be seen in normal operation:
2015-02-12 20:03:28.775 ERROR neutron.agent.linux.iptables_firewall [req-62cbc788-0fd6-409b-bd52-23634a71b60e None None] Tried to generate an ipset iptable rule for a security group rule ({u'ethertype': u'IPv6', u'direction': u'ingress', u'remote_group_id': u'bead9cb2-9c74-4e21-b219-b70530683193'}) referencing an ipset (IPv6bead9cb2-9c74-4e21-b219) which doesn't exist yet.
2015-02-12 20:12:19.873 ERROR neutron.agent.linux.iptables_firewall [req-62cbc788-0fd6-409b-bd52-23634a71b60e None None] Tried to generate an ipset iptable rule for a security group rule ({u'ethertype': u'IPv6', u'direction': u'ingress', u'remote_group_id': u'bead9cb2-9c74-4e21-b219-b70530683193'}) referencing an ipset (IPv6bead9cb2-9c74-4e21-b219) which doesn't exist yet.
2015-02-12 20:12:21.742 ERROR neutron.agent.linux.iptables_firewall [req-62cbc788-0fd6-409b-bd52-23634a71b60e None None] Tried to generate an ipset iptable rule for a security group rule ({u'ethertype': u'IPv6', u'direction': u'ingress', u'remote_group_id': u'bead9cb2-9c74-4e21-b219-b70530683193'}) referencing an ipset (IPv6bead9cb2-9c74-4e21-b219) which doesn't exist yet.
The logic of this log message is broken, and should be removed.
Because, we can actually generate an iptable rule referencing a set which doesn't exist yet,
as long as we don't try to push the iptables before creating the sets, in which case
iptables-restore would fail, and that's ok enough.
I will submit a patch to remove the message logic.
** Affects: neutron
Importance: Undecided
Assignee: Miguel Angel Ajo (mangelajo)
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1421772
Title:
neutron-openvswitch-agent says Tried to generate an ipset iptable
rule for a security group rule even in normal operation
Status in OpenStack Neutron (virtual network service):
New
Bug description:
Lot's of messages like those ones can be seen in normal operation:
2015-02-12 20:03:28.775 ERROR neutron.agent.linux.iptables_firewall [req-62cbc788-0fd6-409b-bd52-23634a71b60e None None] Tried to generate an ipset iptable rule for a security group rule ({u'ethertype': u'IPv6', u'direction': u'ingress', u'remote_group_id': u'bead9cb2-9c74-4e21-b219-b70530683193'}) referencing an ipset (IPv6bead9cb2-9c74-4e21-b219) which doesn't exist yet.
2015-02-12 20:12:19.873 ERROR neutron.agent.linux.iptables_firewall [req-62cbc788-0fd6-409b-bd52-23634a71b60e None None] Tried to generate an ipset iptable rule for a security group rule ({u'ethertype': u'IPv6', u'direction': u'ingress', u'remote_group_id': u'bead9cb2-9c74-4e21-b219-b70530683193'}) referencing an ipset (IPv6bead9cb2-9c74-4e21-b219) which doesn't exist yet.
2015-02-12 20:12:21.742 ERROR neutron.agent.linux.iptables_firewall [req-62cbc788-0fd6-409b-bd52-23634a71b60e None None] Tried to generate an ipset iptable rule for a security group rule ({u'ethertype': u'IPv6', u'direction': u'ingress', u'remote_group_id': u'bead9cb2-9c74-4e21-b219-b70530683193'}) referencing an ipset (IPv6bead9cb2-9c74-4e21-b219) which doesn't exist yet.
The logic of this log message is broken, and should be removed.
Because, we can actually generate an iptable rule referencing a set which doesn't exist yet,
as long as we don't try to push the iptables before creating the sets, in which case
iptables-restore would fail, and that's ok enough.
I will submit a patch to remove the message logic.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1421772/+subscriptions
Follow ups
References