[linuxbridge] ebtables delete arp protect chain fails

Bug #1887281 reported by Lukas Steiner
This bug affects 9 people

| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| neutron | Fix Released | Medium | Lukas Steiner | |

Bug Description

After stopping or deleting an instance the linuxbridge-agent tries to clean up the ARP protect firewall rules and fails with

```
 neutron_lib.exceptions.ProcessExecutionError: Exit code: 4; Stdin: ; Stdout: ; Stderr: ebtables v1.8.4 (nf_tables): CHAIN_USER_DEL failed (Device or resource busy): chain neutronARP-tapc6f37d57-46
```

Flushing the chain with `ebtables -F chain` before deleting it seems to solve the problem. Same for the neutronMAC-tapc6f37d57-46 chain. There are two rules which aren't removed before the agent tries to delete the chain:

```
Bridge chain: neutronMAC-tapc6f37d57-46, entries: 1, policy: DROP
-i tapc6f37d57-46 --among-src fa:16:3e:f1:de:e -j RETURN
Bridge chain: neutronARP-tapc6f37d57-46, entries: 1, policy: RETURN
-p ARP --arp-ip-src 192.168.1.148 -j ACCEPT
```

OpenStack Version: ussuri
Linux distro: CentOS 8

Tags: linuxbridge
tags: added: linuxbridge
summary: - ebtables delete arp protect chain failes
+ [linuxbridge] ebtables delete arp protect chain failes
summary: - [linuxbridge] ebtables delete arp protect chain failes
+ [linuxbridge] ebtables delete arp protect chain fails
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/740588

Changed in neutron:
assignee: nobody → Lukas Steiner (steinerlukas)
status: New → In Progress
Changed in neutron:
importance: Undecided → Medium
description: updated
Igor Gnatenko (i-gnatenko-brain) wrote :

Any news here? The linked Merge Request fixes the problem in our deployment.

Tiago Quadra (tiago-biospective) wrote :

Linked Merge Request fixes problems in our deployment as well.

Thiago Martins (martinx) wrote :

I was facing this problem in an Ubuntu 20.04 install as well! OpenStack-Ansible Ussuri.

The patch solved the problem, thanks!

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.opendev.org/740588
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=2207b885449667a7bc377f427b9123165223dbde
Submitter: Zuul
Branch: master

commit 2207b885449667a7bc377f427b9123165223dbde
Author: Lukas Steiner <email address hidden>
Date: Sun Jul 12 14:10:26 2020 +0200

    Flush ebtables arp protect chains before deleting them

    When a port is removed, the linuxbridge agent cleans up the chains
    neutronARP-* and neutronMAC-*, but in some cases these chains still
    contain rules and ebtables fails with `CHAIN_USER_DEL failed (Device or
    resource busy)`. Flushing the chains before deleting them fixes that
    issue.

    Change-Id: Icfcf8c5406cfdc47fabf012e82ed56c345a73af8
    Closes-Bug: #1887281

Changed in neutron:
status: In Progress → Fix Released
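
The failure from the bug description and the flush-then-delete ordering from the commit message above, as an added example (not neutron's code). `ChainBusy`, `real_run`, `FakeEbtables`, `cleanup_vif` and `sample_state` are hypothetical names, the in-memory state is constructed from the two leftover rules in the report, and the ebtables table option is omitted.

```python
import subprocess

class ChainBusy(Exception):
    """ebtables refused to delete a chain that still holds rules."""

def real_run(argv):
    # Executes ebtables (needs root); maps the stderr text quoted in the report.
    proc = subprocess.run(argv, capture_output=True, text=True)
    if proc.returncode != 0:
        busy = "CHAIN_USER_DEL failed" in proc.stderr
        raise (ChainBusy if busy else RuntimeError)(proc.stderr.strip())

class FakeEbtables:
    """Constructed in-memory stand-in so the example runs offline."""
    def __init__(self, chains):
        self.chains = {name: list(rules) for name, rules in chains.items()}
        self.log = []

    def __call__(self, argv):
        self.log.append(argv)
        op, chain = argv[1], argv[2]
        if op == "-F":
            self.chains[chain].clear()
        elif op == "-X":
            if self.chains[chain]:  # behaviour reported in the bug
                raise ChainBusy("CHAIN_USER_DEL failed (Device or resource busy): chain " + chain)
            del self.chains[chain]

def cleanup_vif(vif, run, flush_first=True):
    """Delete both per-port chains; return the names that could not be removed."""
    failed = []
    for chain in ("neutronARP-" + vif, "neutronMAC-" + vif):
        try:
            if flush_first:
                run(["ebtables", "-F", chain])   # empty the chain first
            run(["ebtables", "-X", chain])       # then delete it
        except ChainBusy:
            failed.append(chain)
    return failed

def sample_state():
    # Constructed from the two leftover rules listed in the bug description.
    return FakeEbtables({
        "neutronMAC-tapc6f37d57-46": ["-i tapc6f37d57-46 --among-src fa:16:3e:f1:de:e -j RETURN"],
        "neutronARP-tapc6f37d57-46": ["-p ARP --arp-ip-src 192.168.1.148 -j ACCEPT"],
    })
```

A chain name returned by `cleanup_vif` means that port's ARP/MAC protection chain is still present after the instance is gone; passing `real_run` instead of the fake runs the same sequence against the host.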
Satish Patel (satish-txt) wrote :

It's in the master branch but not in stable/victoria, so I have to wait until it gets pushed out to stable/victoria.

Satish Patel (satish-txt) wrote :

Any deadline here to merge this patch to the stable/victoria branch?

Slawek Kaplonski (slaweq) wrote :

Victoria backport is in the gate now. I just rechecked it and I hope it will be fine now.

Tobias Urdin (tobias-urdin) wrote :

Now that it's merged, any planned new releases for all stable backports? Need to get this out to OS packages.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 15.3.1

This issue was fixed in the openstack/neutron 15.3.1 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 16.3.0

This issue was fixed in the openstack/neutron 16.3.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 17.1.0

This issue was fixed in the openstack/neutron 17.1.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 18.0.0.0rc1

This issue was fixed in the openstack/neutron 18.0.0.0rc1 release candidate.
