neutron-ovs-agent in compute node with XenServer doesn't support conntrack

Bug #1603400 reported by huan
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
neutron | Fix Released | Undecided | huan |

Bug Description

Environment:
  XenServer 7.0
  Neutron (latest upstream)
  Devstack

With the above environment, when I first set a security group for a VM, pinged the VM's floating IP, and removed the security group from the VM, I found there are exceptions in q-agt.log (q-agt running in compute node, targeted for Dom0 when XenServer is used as hypervisor).

2016-07-15 11:15:56.231 ERROR neutron.agent.linux.ip_conntrack [req-fe62ea80-4965-4d5a-bed5-56fa3b917ed5 None None] Failed execute conntrack command ('conntrack', '-D', '-f', 'ipv4', '-d', '10.0.0.9', '-w', 2)
2016-07-15 11:15:56.231 TRACE neutron.agent.linux.ip_conntrack Traceback (most recent call last):
2016-07-15 11:15:56.231 TRACE neutron.agent.linux.ip_conntrack File "/opt/stack/neutron/neutron/agent/linux/ip_conntrack.py", line 72, in _delete_conntrack_state
2016-07-15 11:15:56.231 TRACE neutron.agent.linux.ip_conntrack extra_ok_codes=[1])
2016-07-15 11:15:56.231 TRACE neutron.agent.linux.ip_conntrack File "/opt/stack/neutron/neutron/agent/linux/utils.py", line 138, in execute
2016-07-15 11:15:56.231 TRACE neutron.agent.linux.ip_conntrack raise RuntimeError(msg)
2016-07-15 11:15:56.231 TRACE neutron.agent.linux.ip_conntrack RuntimeError: Exit code: 96; Stdin: ; Stdout: ; Stderr: Traceback (most recent call last):
2016-07-15 11:15:56.231 TRACE neutron.agent.linux.ip_conntrack File "/opt/stack/neutron/bin/neutron-rootwrap-xen-dom0", line 120, in run_command
2016-07-15 11:15:56.231 TRACE neutron.agent.linux.ip_conntrack {'cmd': json.dumps(user_args), 'cmd_input': json.dumps(cmd_input)})
2016-07-15 11:15:56.231 TRACE neutron.agent.linux.ip_conntrack File "/usr/local/lib/python2.7/dist-packages/XenAPI.py", line 229, in __call__
2016-07-15 11:15:56.231 TRACE neutron.agent.linux.ip_conntrack return self.__send(self.__name, args)
2016-07-15 11:15:56.231 TRACE neutron.agent.linux.ip_conntrack File "/usr/local/lib/python2.7/dist-packages/XenAPI.py", line 133, in xenapi_request
2016-07-15 11:15:56.231 TRACE neutron.agent.linux.ip_conntrack result = _parse_result(getattr(self, methodname)(*full_params))
2016-07-15 11:15:56.231 TRACE neutron.agent.linux.ip_conntrack File "/usr/local/lib/python2.7/dist-packages/XenAPI.py", line 203, in _parse_result
2016-07-15 11:15:56.231 TRACE neutron.agent.linux.ip_conntrack raise Failure(result['ErrorDescription'])
2016-07-15 11:15:56.231 TRACE neutron.agent.linux.ip_conntrack Failure: ['XENAPI_PLUGIN_FAILURE', 'run_command', 'PluginError', "Dom0 execution of 'conntrack' is not permitted"]
2016-07-15 11:15:56.231 TRACE neutron.agent.linux.ip_conntrack
2016-07-15 11:15:56.231 TRACE neutron.agent.linux.ip_conntrack

huan (huan-xie) wrote :

When XenServer is used as hypervisor, the conntrack command is actually executed in Dom0, so plugins in Dom0 should allow the conntrack command.

I have made a patch for this problem, see https://review.openstack.org/#/c/341304/

Changed in neutron:
status: New → In Progress
assignee: nobody → huan (huan-xie)

huan (huan-xie) wrote :

I have tested that this patch https://review.openstack.org/#/c/341304/ does fix this bug. I hope to get this merged, as we saw some users also suffer from this problem.

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/341304
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=0d8483391dd7aa19304e3f1e2b6ea3bee040a279
Submitter: Jenkins
Branch: master

commit 0d8483391dd7aa19304e3f1e2b6ea3bee040a279
Author: Huan Xie <email address hidden>
Date: Tue Jul 12 22:48:01 2016 -0700

    XenAPI: add support for conntrack with XenServer

    With XenServer as hypervisor, the commands neutron-ovs-agent in
    compute node run are actually executed in Dom0. But current Dom0
    plugin doesn't allow conntrack command, this patch is to add such
    support.
    Also, the exitcode the commands returned in Dom0 will pass through
    Dom0 to neutron to make sure the plugin is only aimed executing
    commands, it doesn't deal with business scenario.

    Closes-Bug: #1603400

    Change-Id: I304788240bcd590ec211bca052fe64594a4e6eca
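
The split the commit message describes, as an added sketch that is not neutron's or the Dom0 plugin's own code: the privileged side only checks an allowlist and runs the command, passing the exit code back untouched, and the caller decides which codes are acceptable (the traceback shows extra_ok_codes=[1]). The names make_plugin, execute and fake_runner, and the allowlist contents, are hypothetical.

```python
import subprocess
from types import SimpleNamespace

class PluginError(Exception):
    """Raised on the privileged side when a request is refused."""

def make_plugin(allowed_cmds, runner=subprocess.run):
    """Build a run_command() that executes only allowlisted binaries."""
    def run_command(cmd):
        name = str(cmd[0]) if cmd else ""
        if name not in allowed_cmds:
            raise PluginError("Dom0 execution of '%s' is not permitted" % name)
        # Run an argv list, never a shell string; the agent passes ints too.
        proc = runner([str(a) for a in cmd], capture_output=True, text=True)
        # Pass the exit code through untouched: the plugin only executes.
        return {"returncode": proc.returncode,
                "out": proc.stdout, "err": proc.stderr}
    return run_command

def execute(run_command, cmd, extra_ok_codes=()):
    """Caller side: decide which non-zero exit codes are acceptable."""
    result = run_command(cmd)
    rc = result["returncode"]
    if rc != 0 and rc not in extra_ok_codes:
        raise RuntimeError("Exit code: %d; Stderr: %s" % (rc, result["err"]))
    return result["out"]

# Command taken from the log in the bug description.
CMD = ('conntrack', '-D', '-f', 'ipv4', '-d', '10.0.0.9', '-w', 2)

def fake_runner(argv, **kwargs):
    """Constructed stand-in for a real process: always exits with code 1."""
    fake_runner.seen = argv
    return SimpleNamespace(returncode=1, stdout="", stderr="")

def demo():
    # Allowlist contents are constructed for this example.
    before = make_plugin({"ovs-vsctl"}, runner=fake_runner)
    after = make_plugin({"ovs-vsctl", "conntrack"}, runner=fake_runner)
    try:
        execute(before, CMD, extra_ok_codes=[1])
        refused = None
    except PluginError as exc:
        refused = str(exc)
    return refused, execute(after, CMD, extra_ok_codes=[1])

if __name__ == "__main__":
    print(demo())
```

Keeping the allowlist check as the plugin's only policy keeps the privileged surface in Dom0 small: each newly permitted binary is an explicit, reviewable change.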

Changed in neutron:
status: In Progress → Fix Released

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 10.0.0.0b1

This issue was fixed in the openstack/neutron 10.0.0.0b1 development milestone.

tags: added: neutron-proactive-backport-potential

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/newton)

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/422019

tags: removed: neutron-proactive-backport-potential

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/422020

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/mitaka)

Reviewed: https://review.openstack.org/422020
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=c96a1f791257eed43c4df1adcd290bb26001aee5
Submitter: Jenkins
Branch: stable/mitaka

commit c96a1f791257eed43c4df1adcd290bb26001aee5
Author: Huan Xie <email address hidden>
Date: Tue Jul 12 22:48:01 2016 -0700

    XenAPI: add support for conntrack with XenServer

    With XenServer as hypervisor, the commands neutron-ovs-agent in
    compute node run are actually executed in Dom0. But current Dom0
    plugin doesn't allow conntrack command, this patch is to add such
    support.
    Also, the exitcode the commands returned in Dom0 will pass through
    Dom0 to neutron to make sure the plugin is only aimed executing
    commands, it doesn't deal with business scenario.

    Closes-Bug: #1603400

    Change-Id: I304788240bcd590ec211bca052fe64594a4e6eca
    (cherry picked from commit 0d8483391dd7aa19304e3f1e2b6ea3bee040a279)

tags: added: in-stable-mitaka

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/newton)

Reviewed: https://review.openstack.org/422019
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=02c621e2b94f6622f4540d0eb7554ae91e4b096d
Submitter: Jenkins
Branch: stable/newton

commit 02c621e2b94f6622f4540d0eb7554ae91e4b096d
Author: Huan Xie <email address hidden>
Date: Tue Jul 12 22:48:01 2016 -0700

    XenAPI: add support for conntrack with XenServer

    With XenServer as hypervisor, the commands neutron-ovs-agent in
    compute node run are actually executed in Dom0. But current Dom0
    plugin doesn't allow conntrack command, this patch is to add such
    support.
    Also, the exitcode the commands returned in Dom0 will pass through
    Dom0 to neutron to make sure the plugin is only aimed executing
    commands, it doesn't deal with business scenario.

    Closes-Bug: #1603400

    Change-Id: I304788240bcd590ec211bca052fe64594a4e6eca
    (cherry picked from commit 0d8483391dd7aa19304e3f1e2b6ea3bee040a279)

tags: added: in-stable-newton

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 9.2.0

This issue was fixed in the openstack/neutron 9.2.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 8.4.0

This issue was fixed in the openstack/neutron 8.4.0 release.
