IptablesFirewallTestCase failing with certain kernels: "sysctl: cannot stat /proc/sys/net/bridge/bridge-nf-call-arptables: No such file or directory"

Bug #1522186 reported by Assaf Muller
This bug affects 2 people
Affects   Status    Importance   Assigned to   Milestone
neutron   Invalid   Low          Unassigned

Bug Description

cat /etc/redhat-release
Fedora release 22 (Twenty Two)

uname -r
4.1.7-200.fc22.x86_64

tox -e dsvm-functional neutron.tests.functional.agent.linux.test_iptables_firewall.IptablesFirewallTestCase
All tests in the test class fail with:
sysctl: cannot stat /proc/sys/net/bridge/bridge-nf-call-arptables: No such file or directory

Full trace here:
http://paste.openstack.org/show/480705/

This thread shows that you need to 'modprobe br_netfilter' to be able to set that sysctl (which is mandatory for the iptables firewall driver) since kernel v3.17-rc4-777-g34666d4.

http://askubuntu.com/questions/645638/directory-proc-sys-net-bridge-missing

This bug affects both production systems as well as the functional tests.

1) Neutron's functional tests should be portable - They should 'just work' on supported platforms by bringing in their own dependencies (Python requirements as well as platform requirements via tools/configure_for_func_testing.sh).
2) For production code, it would seem Neutron currently assumes the deployment tool makes sure the br_netfilter kernel module is in place. We should examine the validity of this assumption, and at a minimum document it.
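
Added example, not part of the original report or of Neutron's code: a preflight check that a deployment or test-setup script could run before starting the iptables firewall driver, to tell a missing bridge netfilter sysctl apart from one that is present but disabled. The function names, the PROC_ROOT parameter and the return codes are assumptions of this example; bridge-nf-call-iptables and bridge-nf-call-ip6tables are the sibling keys in the same directory and are not named in the report.

```shell
#!/bin/sh
# Preflight check for the bridge netfilter sysctls discussed in this report.
# PROC_ROOT is a parameter (assumption of this example) so the check can run
# against a constructed directory tree as well as the real /proc.

BRIDGE_NF_KEYS="bridge-nf-call-arptables bridge-nf-call-iptables bridge-nf-call-ip6tables"

# module_loaded PROC_ROOT NAME: succeeds if NAME is listed in PROC_ROOT/modules
module_loaded() {
    [ -r "$1/modules" ] && grep -q "^$2 " "$1/modules"
}

# check_bridge_nf [PROC_ROOT]
# Return codes: 0 = every key is present and set to 1
#               1 = every key is present, at least one is not 1
#               2 = at least one key is missing (module not loaded)
check_bridge_nf() {
    proc_root="${1:-/proc}"
    dir="$proc_root/sys/net/bridge"
    missing=0
    disabled=0
    for key in $BRIDGE_NF_KEYS; do
        if [ ! -e "$dir/$key" ]; then
            echo "MISSING  $dir/$key" >&2
            missing=1
        elif [ "$(cat "$dir/$key")" != "1" ]; then
            echo "DISABLED $dir/$key" >&2
            disabled=1
        fi
    done
    if [ "$missing" -eq 1 ]; then
        if module_loaded "$proc_root" br_netfilter; then
            echo "br_netfilter is loaded but keys are still missing" >&2
        elif module_loaded "$proc_root" bridge; then
            echo "bridge is loaded without br_netfilter: modprobe br_netfilter" >&2
        else
            echo "no bridge module loaded: modprobe br_netfilter (bridge on older kernels)" >&2
        fi
        return 2
    fi
    [ "$disabled" -eq 0 ] || return 1
    return 0
}
```

Calling `check_bridge_nf` with no argument checks the live /proc; a return code of 2 is the condition that produces the "cannot stat" error quoted above.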

tags: added: sg-fw
Doug Wiegley (dougwig)
Changed in neutron:
status: New → Confirmed
Armando Migliaccio (armando-migliaccio) wrote :

The fix would be to make the module available ahead of the tests.

Changed in neutron:
importance: Undecided → Low
Doug Wiegley (dougwig) wrote :

Note the comment about it affecting production systems as well. Likely that module needs to get added as a dependency for Ubuntu or Red Hat or whatnot, as well.

Changed in neutron:
assignee: nobody → Mohammed Ashraf (mohammed-asharaf)
status: Confirmed → In Progress
Changed in neutron:
assignee: Mohammed Ashraf (mohammed-asharaf) → nobody
Andrea (andrelisci) wrote :

On CentOS 7 it needs modprobe bridge.

Changed in neutron:
status: In Progress → Confirmed
Jakub Libosvar (libosvar) wrote :

This doesn't reproduce anymore:

[08:01:02]
vagrant@centos7-devstack:/opt/stack/neutron((detached from origin/master))
$ lsmod | grep bridge
[08:01:04]
vagrant@centos7-devstack:/opt/stack/neutron((detached from origin/master))
$ tox -edsvm-functional -- neutron.tests.functional.agent.test_firewall
[...]
  dsvm-functional: commands succeeded
  congratulations :)
[08:03:08]
vagrant@centos7-devstack:/opt/stack/neutron((detached from origin/master))
$ lsmod | grep bridge
bridge 119562 0
stp 12976 1 bridge
llc 14552 2 stp,bridge

Tested with CentOS Linux release 7.2.1511 (Core)
It was most likely fixed by 2759f130b4e0ee2e9bbc5f6871114d4fc41f63f1 as it creates a Linux bridge before using the firewall driver. brctl addbr inserts the bridge kernel module in case it's not in use.

Changed in neutron:
status: Confirmed → Invalid