yahoo-eng-team team mailing list archive

[Bug 1658343] Re: Bridge netfilter can't be enabled if process is running in namespace

 

Reviewed:  https://review.openstack.org/423777
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=750c491df7fb5c259a915fd727cec9fdce899186
Submitter: Jenkins
Branch:    master

commit 750c491df7fb5c259a915fd727cec9fdce899186
Author: Sławek Kapłoński <slawek@xxxxxxxxxxxx>
Date:   Sun Jan 22 08:20:32 2017 +0000

    Handle attempt to enable br_netfilter in namespace
    
    When the process is using the IptablesFirewall driver
    and is running in namespaces, there is no
    /proc/sys/net/bridge in the namespace available and
    enable of netfilter for bridge fails with stacktrace
    in logs.
    This patch handles the exception thrown during a
    failed attempt to retrieve net.bridge variable names
    and prints an info message in agent logs instead of
    printing a stacktrace.
    
    Change-Id: I1ff6cedbf933ac54ef4bbf1d44fc8f57f68d57fc
    Closes-bug: 1658343


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1658343

Title:
  Bridge netfilter can't be enabled if process is running in namespace

Status in neutron:
  Fix Released

Bug description:
  If an agent (like the Linuxbridge L2 agent) is using the iptables firewall
  driver, it tries to enable netfilter for bridges. When the agent
  is running in a namespace (as it is, for example, in fullstack tests),
  /proc/sys/net/bridge is not available in the namespace and there is an "ugly"
  traceback in the agent's logs. You can see it e.g. on
  http://logs.openstack.org/32/417532/5/check/gate-neutron-dsvm-fullstack-ubuntu-xenial/2842dcd/logs/dsvm-fullstack-logs/TestSecurityGroupsSameNetwork.test_tcp_securitygroup_linuxbridge-iptables_/neutron-linuxbridge-agent--2017-01-18--15-23-07-339346.txt.gz#_2017-01-18_15_23_17_436

  IMO it could be good to check if /proc/sys/net/bridge exists and print
  a warning that it's not available, so the operator should manually
  ensure that those options are enabled on the host if security groups
  should work there.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1658343/+subscriptions
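
The check proposed in the bug description, as an added example (not neutron's code and not the committed patch). It reports whether the bridge netfilter sysctls are present and set to 1, and logs a message instead of raising when /proc/sys/net/bridge is absent. The function names and the make_fake_proc helper are hypothetical; the helper builds a constructed /proc/sys tree so the check can be exercised without a real namespace.

```python
import logging
import os
import tempfile

LOG = logging.getLogger(__name__)

# Sysctl files that br_netfilter exposes under /proc/sys/net/bridge.
BRIDGE_NF_KEYS = ("bridge-nf-call-iptables", "bridge-nf-call-ip6tables",
                  "bridge-nf-call-arptables")


def check_bridge_netfilter(proc_sys="/proc/sys"):
    """Return (state, keys_not_enabled).

    state is 'enabled', 'disabled' or 'unavailable'.
    """
    bridge_dir = os.path.join(proc_sys, "net", "bridge")
    if not os.path.isdir(bridge_dir):
        # Case from the bug: the directory is missing in the namespace.
        LOG.info("%s is not available; ensure bridge netfilter is enabled "
                 "on the host if security groups should work.", bridge_dir)
        return "unavailable", list(BRIDGE_NF_KEYS)
    not_enabled = []
    for key in BRIDGE_NF_KEYS:
        try:
            with open(os.path.join(bridge_dir, key)) as f:
                if f.read().strip() != "1":
                    not_enabled.append(key)
        except OSError:
            not_enabled.append(key)  # missing or unreadable counts as off
    if not_enabled:
        LOG.warning("Bridge netfilter not enabled for: %s",
                    ", ".join(not_enabled))
        return "disabled", not_enabled
    return "enabled", []


def make_fake_proc(values):
    """Constructed /proc/sys tree; values=None leaves out net/bridge."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "net"))
    if values is not None:
        bridge = os.path.join(root, "net", "bridge")
        os.mkdir(bridge)
        for key, val in values.items():
            with open(os.path.join(bridge, key), "w") as f:
                f.write(val + "\n")
    return root


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(check_bridge_netfilter())  # result depends on the host
```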
