yahoo-eng-team team mailing list archive
Message #60718
[Bug 1658343] [NEW] Bridge netfilter can't be enabled if process is running in namespace
Public bug reported:
If an agent (like the Linuxbridge L2 agent) is using the iptables firewall
driver, it tries to enable netfilter for bridges. When the agent is running
in a namespace (as is the case, for example, in fullstack tests),
/proc/sys/net/bridge is not available in the namespace and there is an "ugly"
traceback in the agent's logs. You can see it e.g. at
http://logs.openstack.org/32/417532/5/check/gate-neutron-dsvm-fullstack-ubuntu-xenial/2842dcd/logs/dsvm-fullstack-logs/TestSecurityGroupsSameNetwork.test_tcp_securitygroup_linuxbridge-iptables_/neutron-linuxbridge-agent--2017-01-18--15-23-07-339346.txt.gz#_2017-01-18_15_23_17_436
IMO it could be good to check if /proc/sys/net/bridge exists and print
a warning that it's not available, so the operator should manually ensure
that those options are enabled on the host if security groups should work
there.
** Affects: neutron
Importance: Undecided
Assignee: Slawek Kaplonski (slaweq)
Status: New
** Changed in: neutron
Assignee: (unassigned) => Slawek Kaplonski (slaweq)
https://bugs.launchpad.net/bugs/1658343
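One way to implement the check proposed in the report, as an added example that is not neutron's code or its eventual fix: test for /proc/sys/net/bridge before touching it, and warn instead of raising when it is missing. The function name ensure_bridge_netfilter, its sysctl_dir parameter and the returned status strings are assumptions made for illustration; the three key names are the kernel's bridge netfilter sysctls.

```python
import logging
import os

LOG = logging.getLogger(__name__)

# Kernel sysctl entries that make bridged traffic traverse
# arptables / ip6tables / iptables.
BRIDGE_NF_KEYS = (
    "bridge-nf-call-arptables",
    "bridge-nf-call-ip6tables",
    "bridge-nf-call-iptables",
)


def ensure_bridge_netfilter(sysctl_dir="/proc/sys/net/bridge"):
    """Enable bridge netfilter where possible; warn instead of raising.

    Returns a dict mapping each key to "enabled", "already" or
    "unavailable" (hypothetical status strings for this example).
    """
    if not os.path.isdir(sysctl_dir):
        # The case from the report: the agent runs in a namespace, so
        # the directory is absent and the operator has to act on the host.
        LOG.warning(
            "%s is not available; make sure %s are enabled on the host "
            "if security groups are expected to work there.",
            sysctl_dir, ", ".join(BRIDGE_NF_KEYS))
        return {key: "unavailable" for key in BRIDGE_NF_KEYS}

    result = {}
    for key in BRIDGE_NF_KEYS:
        path = os.path.join(sysctl_dir, key)
        try:
            with open(path) as f:
                if f.read().strip() == "1":
                    result[key] = "already"
                    continue
            with open(path, "w") as f:
                f.write("1")
            result[key] = "enabled"
        except OSError as exc:
            # Missing entry or no permission: report it, do not crash.
            LOG.warning("Cannot enable %s: %s", path, exc)
            result[key] = "unavailable"
    return result
```

Writing to the real /proc/sys/net/bridge requires root; pass a different sysctl_dir to exercise the function without touching the host.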