neutron

neutron-linuxbridge-agent not starting due to nf_tables rules

Bug #1915341 reported by Realtime on 2021-02-10

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	neutron	Fix Released	Critical	Rodolfo Alonso	neutron next

Bug Description

* Description
When restarting neutron-linuxbridge-agent it fails, because it cannot remove nf_tables chains

* Pre-conditions
Openstack Ussuri on Ubuntu 20.04 installed as described in https://docs.openstack.org/install-guide on real hardware.

* reproduction steps
When you remove an instance there seem to remain some rules in neutronARP-* and neutronMAC-* tables. When restarting neutron-linuxbridge-agent then, it fails:

neutron_lib.exceptions.ProcessExecutionError: Exit code: 4; Stdin: ; Stdout: ; Stderr: ebtables v1.8.4 (nf_tables): CHAIN_USER_DEL failed (Device or resource busy): chain neutronARP-tap0a9b5e3a-21
INFO neutron.plugins.ml2.drivers.agent._common_agent [-] Stopping Linux bridge agent agent.

After flushing these chains the agent can be started.

# openstack --version
openstack 5.2.0

* severity: blocker

Tags:

Revision history for this message

Realtime (peter-icb) wrote on 2021-02-12:

Maybe that helps: When deleting an instance, neutron-linuxbrigde-agent.log on the compute node says:

2021-02-12 10:42:42.839 380182 INFO neutron.agent.securitygroups_rpc [req-7c47485c-9777-4dfd-9266-eb986e382ff4 347286303b394a9fbf27929b147c6c73 14e1888994e044248ec6c3ccc467db92 - - -] Security group member updated ['84b7c709-67e9-46a0-8d71-1ba068a798b1']
2021-02-12 10:42:43.120 380182 INFO neutron.agent.securitygroups_rpc [req-183b5ec6-681b-4e02-a76a-7ad3753b0c85 - - - - -] Refresh firewall rules
2021-02-12 10:42:43.195 380182 ERROR neutron.agent.linux.utils [req-13205454-f497-47bb-a1a4-bd6f03f284d8 - - - - -] Exit code: 255; Stdin: ; Stdout: ; Stderr: RTNETLINK answers: No such file or directory

Jakub Libosvar (libosvar) on 2021-02-15

Changed in neutron:
importance:	Undecided → Critical
milestone:	none → wallaby-3

Slawek Kaplonski (slaweq) on 2021-03-16

Changed in neutron:
milestone:	wallaby-3 → wallaby-rc1

Revision history for this message

Lajos Katona (lajos-katona) wrote on 2021-03-24:

Hi, could you please provide debug logs? I tried to reproduce the issue in devstack but without success.

Revision history for this message

Realtime (peter-icb) wrote on 2021-03-25:

neutron-linuxbridge-agent.log Edit (17.2 KiB, text/plain)

Here is a tail from neutron-linuxbrigde-agent.log on the compute machnine.

Slawek Kaplonski (slaweq) on 2021-03-30

Changed in neutron:
milestone:	wallaby-rc1 → next

Revision history for this message

Realtime (peter-icb) wrote on 2021-04-06:

neutron.log Edit (9.2 KiB, text/plain)

Here is another log-tail.

Is there a fix already avaliable? Openstack Ussuri is UNUSABLE until this bug is fixed. Or is there a workaround to get linuxbrige-agent running without reboot on the compute machine?

Revision history for this message

Rodolfo Alonso (rodolfo-alonso-hernandez) wrote on 2021-04-06:

Hello:

In order to use Neutron with the older netfilter API (iptables, iptables6, ebtables, arptables), you need to force in the OS the use of the ebtables legacy API:

/usr/bin/update-alternatives --set ebtables /usr/sbin/ebtables-legacy

This is the same procedure used in the U/S CI [1].

Currently I'm working on the migration to NFT. This is what you are using in your environment (ebtables v1.8.4 (nf_tables)) and this is why is failing. The problem is how ebtables-nft orders the rules, not in the same way as the legacy API.

I have a testing patch [2] to test the migration to the new binaries [3]. I'm still seeing some errors related to ebtables that I'm trying to fix.

Regards.

[1]https://github.com/openstack/neutron/blob/58c9912be0ce5d9bf9eb9e1c44b87cdf90aab452/roles/legacy_ebtables/tasks/main.yaml
[2]https://review.opendev.org/c/openstack/neutron/+/775413/
[3]https://review.opendev.org/c/openstack/neutron/+/775413/11/roles/nftables/tasks/main.yaml

Revision history for this message

Rodolfo Alonso (rodolfo-alonso-hernandez) wrote on 2021-04-07:

Patch proposed: https://review.opendev.org/c/openstack/neutron/+/785137

Because we have another two LP bugs related to the nftables migration, once this documentation patch is merged, I would close this one. Any other work related to the migration could be tracked in the other LP bugs.

Related bugs:
- https://bugs.launchpad.net/neutron/+bug/1508155: nftables firewall driver
- https://bugs.launchpad.net/neutron/+bug/1922892: ebtables-nft errors in LB mech driver

Slawek Kaplonski (slaweq) on 2021-04-19

tags:

added: linuxbridge

Rodolfo Alonso (rodolfo-alonso-hernandez) on 2021-04-19

Changed in neutron:
assignee:	nobody → Rodolfo Alonso (rodolfo-alonso-hernandez)
status:	New → Fix Committed

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-04-22: Change abandoned on neutron (master)

Change abandoned by "Rodolfo Alonso <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/775413
Reason: tested patches already merged

Bernard Cafarelli (bcafarel) on 2021-06-11

tags:

added: neutron-proactive-backport-potential

Slawek Kaplonski (slaweq) on 2021-07-02

tags:

removed: neutron-proactive-backport-potential

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-09-15: Fix included in openstack/neutron 19.0.0.0rc1

This issue was fixed in the openstack/neutron 19.0.0.0rc1 release candidate.

Bernard Cafarelli (bcafarel) on 2022-10-27

Changed in neutron:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Bug attachments

Add attachment

Remote bug watches

Bug watches keep track of this bug in other bug trackers.