yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1887281] Re: [linuxbridge] ebtables delete arp protect chain fails

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: OpenStack Infra <1887281@xxxxxxxxxxxxxxxxxx>
Date: Wed, 11 Nov 2020 11:08:44 -0000
Reply-to: Bug 1887281 <1887281@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Reviewed:  https://review.opendev.org/740588
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=2207b885449667a7bc377f427b9123165223dbde
Submitter: Zuul
Branch:    master

commit 2207b885449667a7bc377f427b9123165223dbde
Author: Lukas Steiner <lukas.steiner@xxxxxxxxxxxxxx>
Date:   Sun Jul 12 14:10:26 2020 +0200

    Flush ebtables arp protect chains before deleting them
    
    When a port is removed, the linuxbridge agent cleans up the chains
    neutronARP-* and neutronMAC-*, but in some cases this chains still
    contains rules and ebtables fails with `CHAIN_USER_DEL failed (Device or
    resource busy)`. Flushing the chains before deleting them, fixes that
    issue.
    
    Change-Id: Icfcf8c5406cfdc47fabf012e82ed56c345a73af8
    Closes-Bug: #1887281


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1887281

Title:
  [linuxbridge] ebtables delete arp protect chain fails

Status in neutron:
  Fix Released

Bug description:
  After stopping or deleting an instance the linuxbridge-agent tries to
  clean up the ARP protect firewall rules and fails with

  ```
   neutron_lib.exceptions.ProcessExecutionError: Exit code: 4; Stdin: ; Stdout: ; Stderr: ebtables v1.8.4 (nf_tables):  CHAIN_USER_DEL failed (Device or resource busy): chain neutronARP-tapc6f37d57-46
  ```

  Flushing the chain with `ebtables -F chain` before deleting it, seems
  to solve the problem. Same for the neutronMAC-tapc6f37d57-46 chain.
  There're two rules which aren't removed before the agent tries to
  delete the chain:

  ```
  Bridge chain: neutronMAC-tapc6f37d57-46, entries: 1, policy: DROP
  -i tapc6f37d57-46 --among-src fa:16:3e:f1:de:e -j RETURN
  Bridge chain: neutronARP-tapc6f37d57-46, entries: 1, policy: RETURN
  -p ARP --arp-ip-src 192.168.1.148 -j ACCEPT
  ```

  OpenStack Version: ussuri
  Linux distro: CentOS 8

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1887281/+subscriptions

References

[Bug 1887281] [NEW] [linuxbridge] ebtables delete arp protect chain fails
From: Lukas Steiner, 2020-07-12