iptables manager wrongly deletes other agents' rules
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
neutron | Won't Fix | Undecided | Unassigned | |
Bug Description
Calico's Felix agent generates iptables chains that intentionally
include rules that the Neutron iptables_manager code considers to be
duplicates - as revealed by logs like these from the DHCP agent:
2017-02-02 18:50:29.482 3376 WARNING neutron.
2017-02-02 18:50:29.483 3376 WARNING neutron.
2017-02-02 18:50:29.483 3376 WARNING neutron.
2017-02-02 18:50:29.483 3376 WARNING neutron.
IIUC, iptables_manager then reprograms iptables with these 'duplicates'
removed, and thereby breaks Calico's iptables.
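
The failure mode described above, as an added example that is not Neutron's or Calico's code: a simplified first-occurrence dedup over constructed iptables-save text, run unscoped and then scoped to the caller's own chains. The `agentA-`/`agentB-` prefixes, the sample rules and the function names are assumptions made for illustration.

```python
# Constructed iptables-save style input. The chain prefixes "agentA-" and
# "agentB-" are hypothetical stand-ins for two agents sharing one host.
SAMPLE = """\
*filter
:agentA-INPUT - [0:0]
:agentB-from-endpoint - [0:0]
-A agentA-INPUT -p udp --dport 67 -j ACCEPT
-A agentA-INPUT -p udp --dport 67 -j ACCEPT
-A agentB-from-endpoint -m mark --mark 0x1/0x1 -j RETURN
-A agentB-from-endpoint -p tcp --dport 22 -j MARK --set-xmark 0x1/0x1
-A agentB-from-endpoint -m mark --mark 0x1/0x1 -j RETURN
COMMIT
"""


def chain_of(line):
    """Return the chain named by an '-A <chain> ...' rule line, else None."""
    parts = line.split()
    return parts[1] if len(parts) > 1 and parts[0] == "-A" else None


def dedup(save_text, owned_prefix=None):
    """Drop repeated rule lines, keeping the first occurrence of each.

    owned_prefix=None treats every chain as fair game (the failure mode in
    the report); with a prefix, only chains starting with it are touched.
    Returns (new_text, removed_lines).
    """
    seen, kept, removed = set(), [], []
    for line in save_text.splitlines():
        if line.startswith("*"):
            seen.clear()  # new table: identical lines there are distinct rules
        chain = chain_of(line)
        owned = chain is not None and (
            owned_prefix is None or chain.startswith(owned_prefix))
        if owned and line in seen:
            removed.append(line)
            continue
        if owned:
            seen.add(line)
        kept.append(line)
    return "\n".join(kept) + "\n", removed


def foreign_removed(removed, owned_prefix):
    """Removed rules that belong to chains outside owned_prefix."""
    return [r for r in removed if not chain_of(r).startswith(owned_prefix)]
```

In the sample, the second agent's repeated mark check is order-dependent (check, set mark, check again), so dropping the repeat changes what the chain does rather than just tidying it.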
Changed in neutron:
assignee: nobody → Neil Jerram (neil-jerram)
status: New → In Progress
Changed in neutron:
assignee: Neil Jerram (neil-jerram) → nobody
Changed in neutron:
status: In Progress → Won't Fix
If I recall correctly, this behavior is considered buggy by neutron. Better to check with Kevin before diving into a fix campaign.
http://git.openstack.org/cgit/openstack/neutron/tree/neutron/agent/linux/iptables_manager.py#n620