Bridge netfilter can't be enabled if process is running in namespace

Bug #1658343 reported by Slawek Kaplonski
Affects: neutron
Status: Fix Released
Importance: Undecided
Assigned to: Slawek Kaplonski
Milestone: (none listed)

Bug Description

If an agent (like the Linuxbridge L2 agent) is using the iptables firewall driver, it tries to enable netfilter for bridges. When the agent is running in a namespace (as is the case, for example, in fullstack tests), /proc/sys/net/bridge is not available in the namespace and there is an "ugly" traceback in the agent's logs. You can see it e.g. at http://logs.openstack.org/32/417532/5/check/gate-neutron-dsvm-fullstack-ubuntu-xenial/2842dcd/logs/dsvm-fullstack-logs/TestSecurityGroupsSameNetwork.test_tcp_securitygroup_linuxbridge-iptables_/neutron-linuxbridge-agent--2017-01-18--15-23-07-339346.txt.gz#_2017-01-18_15_23_17_436

IMO it could be good to check whether /proc/sys/net/bridge exists and print a warning that it's not available, so the operator should manually ensure that those options are enabled on the host if security groups should work there.

Changed in neutron:
assignee: nobody → Slawek Kaplonski (slaweq)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/423777

Changed in neutron:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/423777
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=750c491df7fb5c259a915fd727cec9fdce899186
Submitter: Jenkins
Branch: master

commit 750c491df7fb5c259a915fd727cec9fdce899186
Author: Sławek Kapłoński <email address hidden>
Date: Sun Jan 22 08:20:32 2017 +0000

    Handle attempt to enable br_netfilter in namespace

    When the process is using the IptablesFirewall driver
    and is running in namespaces, there is no
    /proc/sys/net/bridge in the namespace available and
    enabling netfilter for the bridge fails with a stacktrace
    in logs.
    This patch handles the exception thrown during a
    failed attempt to retrieve net.bridge variable names
    and prints an info message in agent logs instead of
    printing a stacktrace.

    Change-Id: I1ff6cedbf933ac54ef4bbf1d44fc8f57f68d57fc
    Closes-bug: 1658343
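
The handling discussed in this report, as an added example (it is not the code from the merged Neutron change): it reads the three net.bridge.bridge-nf-call-* sysctls, warns instead of raising when /proc/sys/net/bridge is missing, and reports whether bridged traffic can be expected to pass through iptables. The function names, the bridge_dir parameter and the temporary directories used in demo() are assumptions made for illustration.

```python
import logging
import os
import tempfile

LOG = logging.getLogger(__name__)

# Sysctls that make bridged frames traverse iptables/ip6tables/arptables.
BRIDGE_NF_KEYS = ("bridge-nf-call-iptables", "bridge-nf-call-ip6tables",
                  "bridge-nf-call-arptables")


def check_bridge_netfilter(bridge_dir="/proc/sys/net/bridge"):
    """Return {key: state}; state is 'enabled', 'disabled' or 'unavailable'."""
    if not os.path.isdir(bridge_dir):
        # Namespace case from the bug: nothing to read, so warn, do not raise.
        LOG.warning("%s is not available; ensure bridge netfilter is enabled "
                    "on the host if security groups should work", bridge_dir)
        return {key: "unavailable" for key in BRIDGE_NF_KEYS}
    result = {}
    for key in BRIDGE_NF_KEYS:
        try:
            with open(os.path.join(bridge_dir, key)) as f:
                value = f.read().strip()
            result[key] = "enabled" if value == "1" else "disabled"
        except OSError as exc:
            LOG.warning("Cannot read %s: %s", key, exc)
            result[key] = "unavailable"
    return result


def enforcement_ready(states):
    """True only when every sysctl was readable and is set to 1."""
    return all(state == "enabled" for state in states.values())


def demo():
    """Run the check against constructed directories, not the real /proc."""
    with tempfile.TemporaryDirectory() as root:
        missing = check_bridge_netfilter(os.path.join(root, "no-bridge"))
        for key, val in zip(BRIDGE_NF_KEYS, ("1", "0", "1")):
            with open(os.path.join(root, key), "w") as f:
                f.write(val + "\n")
        mixed = check_bridge_netfilter(root)
    return missing, mixed


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for states in demo():
        print(states, "ready:", enforcement_ready(states))
```

Treating "unavailable" as not ready keeps the namespace case from being read as "filtering is on": the agent keeps running, but the state of the host's sysctls still has to be confirmed outside the namespace.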

Changed in neutron:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 10.0.0.0rc1

This issue was fixed in the openstack/neutron 10.0.0.0rc1 release candidate.
