xenhost plugin raises on ip6tables-save/ip6tables-restore

Bug #934603 reported by Chris Behrens
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
OpenStack Compute (nova) | Fix Released | Medium | Mate Lakat |

Bug Description

When ipv6 is enabled, the xen firewall driver ends up calling to xenhost plugin iptables_config command... passing in ip6tables-* commands to run. Unfortunately, xenhost raises when the command is not 'iptables-save' or 'iptables-restore'.

From xensource.log:

[20120218T00:13:19.191Z|debug|xenserver1|39610|Async.host.call_plugin R:58e2ec8ed064|audit] Host.call_plugin host = '69718d30-af03-4369-8420-82e073356697 (xenserver1)'; plugin = 'xenhost'; fn = 'iptables_config'; args = [ run_as_root: True; cmd_args: ["ip6tables-save", "-t", "filter"]; attempts: 5 ]
[20120218T00:13:19.247Z|debug|xenserver1|39610|Async.host.call_plugin R:58e2ec8ed064|dispatcher] Server_helpers.exec exception_handler: Got exception XENAPI_PLUGIN_FAILURE: [ iptables_config; PluginError; Invalid iptables command ]

Note 'ip6tables-save' in command args... and the corresponding code in xenhost that raises.
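The check described in this report, sketched as an added example (not the xenhost plugin's own code): a root-run plugin entry point that accepts only an exact allowlist of save/restore commands, including the ip6tables variants. `validate_iptables_call`, `PluginError`, the `ipv6_available` flag and the JSON encoding of `cmd_args` are assumptions made for illustration.

```python
import json

# Allowlist for a handler that runs as root: the two commands named in the
# report plus their IPv6 counterparts. Anything else is rejected.
ALLOWED_COMMANDS = frozenset([
    "iptables-save", "iptables-restore",
    "ip6tables-save", "ip6tables-restore",
])


class PluginError(Exception):
    """Hypothetical stand-in for the plugin's error type."""


def validate_iptables_call(cmd_args_json, process_input=None,
                           ipv6_available=True):
    """Return the argv list to execute, or None if the call should be skipped.

    cmd_args_json is assumed to be a JSON list such as
    '["ip6tables-save", "-t", "filter"]' (the shape seen in xensource.log).
    """
    try:
        cmd = json.loads(cmd_args_json)
    except (ValueError, TypeError):
        raise PluginError("Invalid iptables command")

    # Require a non-empty list of strings so the result can be passed to an
    # exec-style call as argv, never to a shell as one string.
    if (not isinstance(cmd, list) or not cmd
            or not all(isinstance(arg, str) for arg in cmd)):
        raise PluginError("Invalid iptables command")

    # Exact match on argv[0]: no paths, no prefixes, no other binaries.
    if cmd[0] not in ALLOWED_COMMANDS:
        raise PluginError("Invalid iptables command")

    # Rules on stdin only make sense for the restore commands.
    if process_input is not None and not cmd[0].endswith("-restore"):
        raise PluginError("process_input requires a -restore command")

    # A dom0 without IPv6 fails with "Address family not supported by
    # protocol"; skip the call instead of surfacing a plugin failure.
    if cmd[0].startswith("ip6tables") and not ipv6_available:
        return None

    return cmd
```
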

Chris Behrens (cbehrens) wrote :

Of course... xenserver dom0 doesn't even support ipv6. So I guess xenhost needs to just ignore them... or the xen dom0 firewall driver needs to not pass them.

If you happen to add the commands to the supported list in xenhost, you get this:

(nova.compute.manager): TRACE: Failure: ['XENAPI_PLUGIN_FAILURE', 'iptables_config', 'PluginError', "ip6tables-save v1.3.5: Can't initialize: Address family not supported by protocol\n\n"]

Tom Fifield (fifieldt)
tags: added: xen
Changed in nova:
status: New → Incomplete
status: Incomplete → Confirmed
Mark McLoughlin (markmc)
tags: added: xenserver
removed: xen
Thierry Carrez (ttx) wrote :

Looks like a wontfix to me, due to lack of IPv6 support on XenServer. Please reopen if you disagree.

Changed in nova:
status: Confirmed → Won't Fix
Chris Behrens (cbehrens) wrote :

I should update the comment. I wasn't thinking about XCP when I wrote the above... I think with XCP, you could have ipv6 enabled in dom0.

Changed in nova:
status: Won't Fix → Confirmed
Thierry Carrez (ttx)
Changed in nova:
importance: Undecided → Medium
John Garbutt (johngarbutt) wrote :

ip6tables-* looks to have been added in XS 6.0, I think XS 6.1 should be in better shape around this too.

Mate Lakat (mate-lakat)
Changed in nova:
assignee: nobody → Mate Lakat (mate-lakat)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/10407

Changed in nova:
status: Confirmed → In Progress
Michael Still (mikal)
tags: added: documentation
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/10407
Committed: http://github.com/openstack/nova/commit/cdc5a6a237dd57da59102b2a2020cadd67e4c168
Submitter: Jenkins
Branch: master

commit cdc5a6a237dd57da59102b2a2020cadd67e4c168
Author: Mate Lakat <email address hidden>
Date: Tue Jul 24 15:14:21 2012 +0100

    Fix ip6tables support in xenapi bug 934603

    Change-Id: Id7c4b0c4f8710652249b5c4fcb82abd5cccde6dd

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in nova:
milestone: none → folsom-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: folsom-3 → 2012.2