iptables: fail to start ovs/linuxbridge agents on missing sysctl knobs
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Won't Fix | Undecided | Unassigned |
openstack-manuals | Won't Fix | Medium | Ihar Hrachyshka |
Bug Description
https:/
Dear bug triager. This bug was created since a commit was marked with DOCIMPACT.
Your project "openstack/neutron" is set up so that we directly report the documentation bugs against it. If this needs changing, the docimpact-group option needs to be added for the project. You can ask the OpenStack infra team (#openstack-infra on freenode) for help if you need to.
commit e83a44b96a8e3cd
Author: Ihar Hrachyshka <email address hidden>
Date: Thu Sep 15 21:48:10 2016 +0000
iptables: fail to start ovs/linuxbridge agents on missing sysctl knobs
For new kernels (3.18+), bridge module is split into two pieces: bridge
and br_netfilter. The latter provides firewall support for bridged
traffic, as well as the following sysctl knobs:
* net.bridge.
* net.bridge.
* net.bridge.
Before kernel 3.18, any brctl command was loading the 'bridge' module
with the knobs, so at the moment where we reached iptables setup, they
were always available.
With new 3.18+ kernels, brctl still loads 'bridge' module, but not
br_netfilter. So bridge existence no longer guarantees us knobs'
presence. If we reach _enable_
module is loaded, then the code will fail, triggering agent resync. It
will also fail to enable bridge firewalling on systems where it's
disabled by default (examples of those systems are most if not all Red
Hat/Fedora based systems), making security groups completely
ineffective.
Systems that don't override default settings for those knobs would work
fine except for this exception in the log file and agent resync. This is
because the first attempt to add an iptables rule using 'physdev' module
(-m physdev) will trigger the kernel module loading. In theory, we could
silently swallow missing knobs, and still operate correctly. But on
second thought, it's quite fragile to rely on that implicit module
loading. In the case where we can't detect whether firewall is enabled,
it's better to fail than hope for the best.
An alternative to the proposed path could be trying
to fix the broken deployment, meaning we would need to load the missing
kernel module on agent startup. It's not even clear whether we can
assume the operation would be available to us. Even with that, adding a
rootwrap filter to allow loading code in the kernel sounds quite scary.
If we followed that path, we would also hit an issue of
distinguishing between cases of built-in kernel module vs. modular one.
A complexity that is probably beyond what Neutron should fix.
The patch introduces a sanity check that would fail on missing
configuration knobs.
DocImpact: document the new deployment requirement in operations guide
UpgradeImpact: deployers relying on agents fixing wrong sysctl defaults
Depends-On: Id6bfd9595f0772
Change-Id: I9137ea017624ac
Related-Bug: #1622914
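As an added example (not Neutron's code), a shell version of the kind of sanity check the commit describes: it reports knobs that are missing (br_netfilter not loaded) separately from knobs that are present but set to 0 (the disabled-by-default case the message attributes to Red Hat/Fedora systems, where security groups become ineffective). The page truncates the knob names; the three used here are my assumption of what br_netfilter exposes, and the directory argument exists only so the check can be run against a constructed tree instead of /proc/sys/net/bridge.

```shell
#!/bin/sh
# Added example; not Neutron's own code. Knob names are assumed.
BRIDGE_NF_KNOBS="bridge-nf-call-iptables bridge-nf-call-ip6tables bridge-nf-call-arptables"

# check_bridge_nf_knobs SYSDIR
#   SYSDIR is normally /proc/sys/net/bridge; it is a parameter so the
#   function can be exercised against a constructed directory tree.
# Exit status:
#   0  every knob exists and is 1 (bridge firewalling active)
#   1  at least one knob is missing (br_netfilter not loaded; this is
#      the case where the agent cannot tell whether the firewall works)
#   2  all knobs exist but at least one is not 1 (firewalling disabled)
check_bridge_nf_knobs() {
    sysdir=$1
    rc=0
    for knob in $BRIDGE_NF_KNOBS; do
        path="$sysdir/$knob"
        if [ ! -r "$path" ]; then
            echo "missing: net.bridge.$knob (is br_netfilter loaded?)" >&2
            rc=1            # missing wins over disabled: we cannot inspect it
            continue
        fi
        value=$(cat "$path")
        if [ "$value" != "1" ]; then
            echo "disabled: net.bridge.$knob = $value" >&2
            [ "$rc" -eq 0 ] && rc=2
        fi
    done
    return $rc
}

# Run against the live kernel only when a directory is given on the
# command line, e.g.: sh check_bridge_nf.sh /proc/sys/net/bridge
if [ $# -gt 0 ]; then
    check_bridge_nf_knobs "$1"
fi
```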
Changed in neutron:
    importance: Undecided → Medium
Changed in neutron:
    assignee: nobody → Ihar Hrachyshka (ihar-hrachyshka)
tags:
    added: install-guide
    removed: doc neutron
Changed in openstack-manuals:
    status: New → Confirmed
tags: added: networking-guide
tags: removed: install-guide
Changed in neutron:
    status: New → Confirmed
Changed in openstack-manuals:
    status: Confirmed → Won't Fix
As noted in the commit message, this one impacts the install/upgrade/deploy guide; so I'm moving it to openstack-manuals for the appropriate updates.
Note this is for master; there's a separate bug for the newton changes.