yahoo-eng-team team mailing list archive

[Bug 1863068] [NEW] Duplicated Neutron Meter Rules in different projects kills metering

 

Public bug reported:

I want to use Neutron Meter with gnocchi to report the egress bandwidth used for public traffic.
So I created neutron meter labels and neutron meter rules to include all IPv4 traffic:
+-------------------+----------------------------------------------------------------------------------------------------+
| Field             | Value                                                                                              |
+-------------------+----------------------------------------------------------------------------------------------------+
| direction         | egress                                                                                             |
| id                | f2c9b9a8-0af3-40a5-a718-6e841bad111d                                                               |
| is_excluded       | False                                                                                              |
| location          | cloud='', project.domain_id='default', project.domain_name=,                                       |
|                   | project.id='80120067cd7949908e44dce45aeb7712', project.name='billing', region_name='xxx',      |
|                   | zone=                                                                                              |
| metering_label_id | d0068fc8-4a3e-4108-aa11-e3c171d4d1e1                                                               |
| name              | None                                                                                               |
| project_id        | None                                                                                               |
| remote_ip_prefix  | 0.0.0.0/0                                                                                          |
+-------------------+----------------------------------------------------------------------------------------------------+

And excluded all private nets:
+-------------------+----------------------------------------------------------------------------------------------------+
| Field             | Value                                                                                              |
+-------------------+----------------------------------------------------------------------------------------------------+
| direction         | egress                                                                                             |
| id                | 838c9631-665b-42b6-b1e9-539983a38573                                                               |
| is_excluded       | True                                                                                               |
| location          | cloud='', project.domain_id='default', project.domain_name=,                                       |
|                   | project.id='80120067cd7949908e44dce45aeb7712', project.name='billing', region_name='xxx',      |
|                   | zone=                                                                                              |
| metering_label_id | 435652e6-e985-4351-a31a-954bace9eea0                                                               |
| name              | None                                                                                               |
| project_id        | None                                                                                               |
| remote_ip_prefix  | 10.0.0.0/8                                                                                         |
+-------------------+----------------------------------------------------------------------------------------------------+

It works fine for just one project but if I apply it to all projects it
fails and no measures are recorded in gnocchi.

The neutron-metering-agent.log shows the following warning:
Feb 13 09:14:18 xxx_host neutron-metering-agent: 2020-02-13 09:14:09.648 4732 WARNING neutron.agent.linux.iptables_manager [req-4c38f1f5-2db4-4d4a-9c1f-9585b1b50427 65c6d4bdcbc7469a910f6361b7f70f27 80120067cd7949908e44dce45aeb7712 - - -] Duplicate iptables rule detected. This may indicate a bug in the iptables rule generation code. Line: -A neutron-meter-r-28155d45-d16 -s 10.0.0.0/8 -o qg-c61bafef-ea -j RETURN

I would expect that it is possible to have similar rules for different
projects.

What do you think? Is it part of the rule creation code?

In the iptables_manager code the function is criticised: 
https://github.com/openstack/neutron/blob/86e4f141159072421a19080455caba1b0efef776/neutron/agent/linux/iptables_manager.py
    # TODO(kevinbenton): remove this function and the next one. They are
    # just oversized brooms to sweep bugs under the rug!!! We generate the
    # rules and we shouldn't be generating duplicates.
    def _weed_out_duplicates(line):
        if line in seen_lines:
            thing = 'chain' if line.startswith(':') else 'rule'
            LOG.warning("Duplicate iptables %(thing)s detected. This "
                        "may indicate a bug in the iptables "
                        "%(thing)s generation code. Line: %(line)s",
                        {'thing': thing, 'line': line})
            return False
        seen_lines.add(line)
        # Leave it alone
        return True

** Affects: neutron
     Importance: Undecided
         Status: New


** Tags: metering

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1863068
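
Added example (not part of the original report and not neutron code): a small triage script that scans neutron-metering-agent log text for the duplicate warning quoted above and counts the dropped lines per iptables chain, so an operator can see which metering chains are affected. The function names, the sample log and the second chain name are constructed for illustration; the chain suffix is treated as opaque.

```python
import re
from collections import Counter, defaultdict

# Matches the warning format quoted in the report.
WARNING_RE = re.compile(
    r"WARNING neutron\.agent\.linux\.iptables_manager .*?"
    r"Duplicate iptables (?P<thing>chain|rule) detected\..*? Line: (?P<line>.+)$")
# iptables options of interest; the lookbehind skips the "-r-" inside chain names.
OPTION_RE = re.compile(r"(?<!\S)-([Asdoij]) (\S+)")

def parse_duplicate_warning(log_line):
    """Return the parsed duplicate line, or None for unrelated log lines."""
    m = WARNING_RE.search(log_line)
    if m is None:
        return None
    line = m["line"].strip()
    opts = dict(OPTION_RE.findall(line))
    # Chain declarations look like ":<chain> - [0:0]"; rules carry "-A <chain>".
    chain = line.split()[0].lstrip(":") if m["thing"] == "chain" else opts.get("A")
    return {"thing": m["thing"], "line": line, "chain": chain,
            "source": opts.get("s"), "out_if": opts.get("o"), "target": opts.get("j")}

def summarize(log_text):
    """Count dropped duplicates per chain and per exact iptables line."""
    per_chain = defaultdict(Counter)
    for raw in log_text.splitlines():
        hit = parse_duplicate_warning(raw)
        if hit:
            per_chain[hit["chain"]][hit["line"]] += 1
    return {chain: dict(counts) for chain, counts in per_chain.items()}

# Constructed sample log: REPORTED is the rule from the report, logged twice;
# CONSTRUCTED is a made-up rule in a made-up chain; the request id is a placeholder.
_TPL = ("Feb 13 09:14:18 xxx_host neutron-metering-agent: 2020-02-13 09:14:09.648 4732 "
        "WARNING neutron.agent.linux.iptables_manager [req-constructed - - - - -] "
        "Duplicate iptables rule detected. This may indicate a bug in the iptables "
        "rule generation code. Line: {}")
REPORTED = "-A neutron-meter-r-28155d45-d16 -s 10.0.0.0/8 -o qg-c61bafef-ea -j RETURN"
CONSTRUCTED = "-A neutron-meter-r-aaaaaaaa-000 -s 10.0.0.0/8 -o qg-00000000-00 -j RETURN"
SAMPLE_LOG = "\n".join([_TPL.format(REPORTED), _TPL.format(REPORTED),
                        _TPL.format(CONSTRUCTED),
                        "2020-02-13 09:14:10.000 4732 INFO constructed unrelated line"])

if __name__ == "__main__":
    for chain, lines in summarize(SAMPLE_LOG).items():
        for line, count in lines.items():
            print(f"{chain}: {count}x dropped: {line}")
```
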
