yahoo-eng-team team mailing list archive

[Bug 1669626] [NEW] When using openvswitch as the firewall driver, nf_conntrack_ipv4 and nf_conntrack_ipv6 kernel modules are needed

 

Public bug reported:

VMs suddenly stopped being able to communicate out.

OpenStack version: Mitaka
OVS version: 2.5.0

We use the Open vSwitch firewall driver, and it had been working great.
Then, randomly, all VMs running on our stack ceased to be able to
communicate with anything.

After looking into the flow construct on br-int, it was clear OVS was
sending the traffic to a drop flow like this:

cookie=0xa2b1b8107c6edcef, duration=8973.001s, table=72, n_packets=176,
n_bytes=17248, idle_age=8797, priority=50,ct_state=+inv+trk actions=drop

We checked logs on the Neutron server and others, but couldn't find any
indication of why this was happening.

Eventually we got some invaluable help that I would have never found on
my own, which was, somehow we didn't have these modules loaded:

nf_conntrack_ipv4 and nf_conntrack_ipv6

The second we loaded those modules, everything worked great.

It was requested of me to report this as a bug per there being no
mention of those kernel module requirements in relevant documentation.

Such documentation would have saved us days of time.

Thanks!

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1669626
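
A check for the condition this report describes, as an added example that is not part of the original message or of neutron: it reports which of the two modules are absent from a /proc/modules-style listing and which ct_state=+inv drop flows have actually dropped packets. The function names and the sample listings are constructed for illustration; the module names, br-int and the table=72 flow line are taken from the report.

```shell
#!/bin/sh
# Added example. Module names and the table=72 flow line come from the report;
# function names and the remaining sample data are constructed.
REQUIRED_MODULES="nf_conntrack_ipv4 nf_conntrack_ipv6"

# missing_modules [FILE]: print each required module that is absent from a
# /proc/modules-style listing (module name is the first field). Reads stdin if no FILE.
missing_modules() {
    listing=$(cat "${1:--}")
    for m in $REQUIRED_MODULES; do
        printf '%s\n' "$listing" |
            awk -v m="$m" '$1 == m { found = 1 } END { exit !found }' ||
            printf '%s\n' "$m"
    done
}

# invalid_drops [FILE]: from "ovs-ofctl dump-flows" output, print "table n_packets"
# for every drop flow matching ct_state +inv that has a non-zero packet counter.
invalid_drops() {
    awk '/ct_state=[^ ,]*[+]inv/ && /actions=drop/ {
        t = ""; p = 0
        n = split($0, f, /[ ,]+/)
        for (i = 1; i <= n; i++) {
            if (f[i] ~ /^table=/)     t = substr(f[i], 7)
            if (f[i] ~ /^n_packets=/) p = substr(f[i], 11) + 0
        }
        if (p > 0) print t, p
    }' "${1:--}"
}

# Constructed module listing: nf_conntrack_ipv6 is deliberately absent.
sample_modules() { cat <<'EOF'
openvswitch 114688 5 - Live 0x0000000000000000
nf_conntrack_ipv4 16384 2 - Live 0x0000000000000000
nf_conntrack 106496 3 openvswitch,nf_conntrack_ipv4, Live 0x0000000000000000
EOF
}
# First flow is the one quoted in the report; the second (table=82) is constructed.
sample_flows() { cat <<'EOF'
 cookie=0xa2b1b8107c6edcef, duration=8973.001s, table=72, n_packets=176, n_bytes=17248, idle_age=8797, priority=50,ct_state=+inv+trk actions=drop
 cookie=0xa2b1b8107c6edcef, duration=8973.001s, table=82, n_packets=0, n_bytes=0, idle_age=8973, priority=50,ct_state=+inv+trk actions=drop
EOF
}

echo "missing modules: $(sample_modules | missing_modules | tr '\n' ' ')"
echo "invalid drops (table n_packets): $(sample_flows | invalid_drops)"
# On a compute node: missing_modules /proc/modules
#                    ovs-ofctl dump-flows br-int | invalid_drops
```
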
