kolla-ansible

br_netfilter kernel module not loaded on computes

Bug #1886796 reported by Mark Goddard
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
kolla-ansible
Fix Released
Medium
Unassigned
kolla-ansible 11.0.0 "victoria"
Stein
Fix Released
Medium
Mark Goddard
kolla-ansible 8.2.0 "stein"
Train
Fix Released
Medium
Mark Goddard
kolla-ansible 9.2.0 "Train"
Ussuri
Fix Released
Medium
Mark Goddard
kolla-ansible 10.1.0 "ussuri"
Victoria
Fix Released
Medium
Unassigned
kolla-ansible 11.0.0 "victoria"

Bug Description

The nova-cell role sets the following sysctls on compute hosts, which require the br_netfilter kernel module to be loaded:

net.bridge.bridge-nf-call-iptables
net.bridge.bridge-nf-call-ip6tables

If it is not loaded, then we see the following errors:

Failed to reload sysctl:
sysctl: cannot stat /proc/sys/net/bridge/bridge-nf-call-iptables: No such file or directory
sysctl: cannot stat /proc/sys/net/bridge/bridge-nf-call-ip6tables: No such file or directory

Loading the br_netfilter module resolves this issue.

Typically we do not see this since installing Docker and configuring it to manage iptables rules causes the br_netfilter module to be loaded. There are good reasons [1] to disable Docker's iptables management however, in which case we are likely to hit this issue.

[1] https://bugs.launchpad.net/kolla-ansible/+bug/1849275

See original description
Mark Goddard (mgoddard)
description: updated
Changed in kolla-ansible:
importance: Undecided → Medium
Revision history for this message
Mark Goddard (mgoddard) wrote :

Fixed: https://review.opendev.org/#/c/739944/

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/740649

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/stein)

Fix proposed to branch: stable/stein
Review: https://review.opendev.org/740650

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/train)

Reviewed: https://review.opendev.org/740649
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=921585a82565937f0250c98fcae742a2cdf9e151
Submitter: Zuul
Branch: stable/train

commit 921585a82565937f0250c98fcae742a2cdf9e151
Author: Mark Goddard <email address hidden>
Date: Wed Jul 8 10:51:17 2020 +0100

    Load br_netfilter module in nova-cell role

    The nova-cell role sets the following sysctls on compute hosts, which
    require the br_netfilter kernel module to be loaded:

        net.bridge.bridge-nf-call-iptables
        net.bridge.bridge-nf-call-ip6tables

    If it is not loaded, then we see the following errors:

        Failed to reload sysctl:
        sysctl: cannot stat /proc/sys/net/bridge/bridge-nf-call-iptables: No such file or directory
        sysctl: cannot stat /proc/sys/net/bridge/bridge-nf-call-ip6tables: No such file or directory

    Loading the br_netfilter module resolves this issue.

    Typically we do not see this since installing Docker and configuring it
    to manage iptables rules causes the br_netfilter module to be loaded.
    There are good reasons [1] to disable Docker's iptables management
    however, in which case we are likely to hit this issue.

    This change loads the br_netfilter module in the nova-cell role for
    compute hosts.

    [1] https://bugs.launchpad.net/kolla-ansible/+bug/1849275

    Co-Authored-By: Dincer Celik <email address hidden>

    Closes-Bug: #1886796

    Change-Id: Id52668ba8dab460ad4c33fad430fc8611e70825e
    (cherry picked from commit 2f91be9f391f3aa5ef80248ca821b3f34e73bf24)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/ussuri)

Reviewed: https://review.opendev.org/740648
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=d986ba05d2e4288a74b8d35cc9d4ca11c8c1f883
Submitter: Zuul
Branch: stable/ussuri

commit d986ba05d2e4288a74b8d35cc9d4ca11c8c1f883
Author: Mark Goddard <email address hidden>
Date: Wed Jul 8 10:51:17 2020 +0100

    Load br_netfilter module in nova-cell role

    The nova-cell role sets the following sysctls on compute hosts, which
    require the br_netfilter kernel module to be loaded:

        net.bridge.bridge-nf-call-iptables
        net.bridge.bridge-nf-call-ip6tables

    If it is not loaded, then we see the following errors:

        Failed to reload sysctl:
        sysctl: cannot stat /proc/sys/net/bridge/bridge-nf-call-iptables: No such file or directory
        sysctl: cannot stat /proc/sys/net/bridge/bridge-nf-call-ip6tables: No such file or directory

    Loading the br_netfilter module resolves this issue.

    Typically we do not see this since installing Docker and configuring it
    to manage iptables rules causes the br_netfilter module to be loaded.
    There are good reasons [1] to disable Docker's iptables management
    however, in which case we are likely to hit this issue.

    This change loads the br_netfilter module in the nova-cell role for
    compute hosts.

    [1] https://bugs.launchpad.net/kolla-ansible/+bug/1849275

    Co-Authored-By: Dincer Celik <email address hidden>

    Closes-Bug: #1886796

    Change-Id: Id52668ba8dab460ad4c33fad430fc8611e70825e
    (cherry picked from commit 2f91be9f391f3aa5ef80248ca821b3f34e73bf24)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/stein)

Reviewed: https://review.opendev.org/740650
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=29b6bc128ebcb3dd446fd9869ea2358d2fa5314d
Submitter: Zuul
Branch: stable/stein

commit 29b6bc128ebcb3dd446fd9869ea2358d2fa5314d
Author: Mark Goddard <email address hidden>
Date: Wed Jul 8 10:51:17 2020 +0100

    Load br_netfilter module in nova-cell role

    The nova-cell role sets the following sysctls on compute hosts, which
    require the br_netfilter kernel module to be loaded:

        net.bridge.bridge-nf-call-iptables
        net.bridge.bridge-nf-call-ip6tables

    If it is not loaded, then we see the following errors:

        Failed to reload sysctl:
        sysctl: cannot stat /proc/sys/net/bridge/bridge-nf-call-iptables: No such file or directory
        sysctl: cannot stat /proc/sys/net/bridge/bridge-nf-call-ip6tables: No such file or directory

    Loading the br_netfilter module resolves this issue.

    Typically we do not see this since installing Docker and configuring it
    to manage iptables rules causes the br_netfilter module to be loaded.
    There are good reasons [1] to disable Docker's iptables management
    however, in which case we are likely to hit this issue.

    This change loads the br_netfilter module in the nova-cell role for
    compute hosts.

    [1] https://bugs.launchpad.net/kolla-ansible/+bug/1849275

    Co-Authored-By: Dincer Celik <email address hidden>

    Closes-Bug: #1886796

    Change-Id: Id52668ba8dab460ad4c33fad430fc8611e70825e
    (cherry picked from commit 2f91be9f391f3aa5ef80248ca821b3f34e73bf24)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 8.3.0

This issue was fixed in the openstack/kolla-ansible 8.3.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 10.2.0

This issue was fixed in the openstack/kolla-ansible 10.2.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 9.3.0

This issue was fixed in the openstack/kolla-ansible 9.3.0 release.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.