← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 2033683] Re: openvswitch.agent.ovs_neutron_agent fails to Cmd: ['iptables-restore', '-n']

 

Hi Alex,

<< Can someone take a look why the above patch
https://review.opendev.org/c/openstack/kolla/+/761182 mentioned here has
been excluded from the neutron image?

It would have been just missed, since train release Tripleo builds
container images natively and not use kolla, You can propose a patch in
tripleo-common to fix it.

As said i was more interested to know why the issue seen now as
/usr/sbin/update-alternatives used to be the path from long back.

But considering you are using CentOS8-stream containers on CentOS9-stream host i think you are hitting a recent iptables issue in CentOS8-stream[1], you can check version in your running container, if it matches iptables-1.8.5-8 you can downgrade it to resolve the issue temporary, as the fix for it is not yet merged.
If there is no real reason to use CentOS8 images can move to use CentOS 9-Stream based images[2]

[1] https://bugzilla.redhat.com/show_bug.cgi?id=2236501
[2] https://quay.io/repository/tripleowallabycentos9/openstack-neutron-server?tab=tags

Again marking it as invalid for neutron, feel free to reopen but share
what's expected fix is required in neutron project.

** Bug watch added: Red Hat Bugzilla #2236501
   https://bugzilla.redhat.com/show_bug.cgi?id=2236501

** Changed in: neutron
       Status: New => Invalid

** Changed in: tripleo
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2033683

Title:
  openvswitch.agent.ovs_neutron_agent fails to Cmd: ['iptables-restore',
  '-n']

Status in neutron:
  Invalid
Status in tripleo:
  Confirmed

Bug description:
  Description
  ===========
  Wallaby deployment via undercloud/overcloud started to fail recently on overcloud node provision
  Neutron constantly reports inability to update iptables that in turn makes baremetal to fail to boot from PXE
  From the review it seems that /usr/bin/update-alternatives set to legacy fails since neutron user doesn't have sudo to run it
  In the info I can see that neutron user has the following subset of commands it's able to run:
  ...
      (root) NOPASSWD: /usr/bin/update-alternatives --set iptables /usr/sbin/iptables-legacy
      (root) NOPASSWD: /usr/bin/update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
      (root) NOPASSWD: /usr/bin/update-alternatives --auto iptables
      (root) NOPASSWD: /usr/bin/update-alternatives --auto ip6tables

  But the issue is the fact that command isn't found as it was moved to
  /usr/sbin/update-alternatives

  Steps to reproduce
  ==================
  1. Deploy undercloud
  2. Deploy networks and VIP
  3. Add and introspect a node
  4. Execute overcloud node provision ... that will timeout 

  Expected result
  ===============
  Successful overcloud node baremetal provisioning

  Logs & Configs
  ==============
  2023-08-31 18:21:28.613 4413 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent [req-18d52177-9c93-401c-b97d-0334e488a257 - - - - -] Error while processing VIF ports: neutron_lib.exceptions.ProcessExecutionError: Exit code: 1; Cmd: ['iptables-restore', '-n']; Stdin: # Generated by iptables_manager

  2023-08-31 18:21:28.613 4413 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent COMMIT
  2023-08-31 18:21:28.613 4413 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent # Completed by iptables_manager
  2023-08-31 18:21:28.613 4413 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent ; Stdout: ; Stderr: iptables-restore: line 23 failed

  Environment
  ===========
  Centos 9 Stream and undercloud deployment tool

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2033683/+subscriptions