role openstack_hosts fails to add br_netfilter to /etc/modules
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack-Ansible | Fix Released | Low | Michael Gugino |
Liberty | Fix Released | Low | Michael Gugino |
Trunk | Fix Released | Low | Michael Gugino |
Bug Description
When running the role openstack_hosts against a target host, br_netfilter is not loaded. This appears to be due to a commit in v3.17 which changed the kernel module netfilter's behavior detailed in http://
The text of this commit message is "netfilter: bridge: move br_netfilter out of the core"
Ubuntu 14.04 was originally released with kernel 3.13; however, the most recent iteration ships with kernel 3.19. This bug most likely only affects Ubuntu releases (and other releases potentially in the future) with kernel version 3.19 and later.
As a result, the task 'Adding new system tuning' fails with the following messages:
---------------
failed: [compute1] => (item={'value': 0, 'key': 'net.bridge.
msg: setting net.bridge.
...ignoring
ok: [controller1] => (item={'value': 0, 'key': 'net.bridge.
failed: [compute1] => (item={'value': 0, 'key': 'net.bridge.
msg: setting net.bridge.
...ignoring
ok: [controller1] => (item={'value': 0, 'key': 'net.bridge.
failed: [compute1] => (item={'value': 0, 'key': 'net.bridge.
msg: setting net.bridge.
...ignoring
---------------
The potential impact of this bug is that by default, the aforementioned values default to 1 instead of 0. Thus, if the module is loaded after the system calls 'sysctl -p', the correct values of 0 will not be applied. This will result in the lxc_host's iptables filtering lxc_container traffic inadvertently. More details of potential impact can be found here: http://
Since this module was previously loaded automatically when a bridge was created, I believe we should add this module to roles and playbooks as necessary to correct the condition.
I believe this bug may also be a candidate for back-porting.
I submitted proposed fix https://review.openstack.org/#/c/266021/ for review.
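
The condition described in this report can be checked on a host with a small audit script. This is an added example, not part of the original report or of the OpenStack-Ansible role. The `bridge-nf-call-*` entries under `/proc/sys/net/bridge` are the standard kernel keys and are assumed to be the ones the role sets, since the key names are truncated in the output above; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the br_netfilter state described in this report.
# Paths are parameters so the check runs against constructed files; on a real
# host pass: /proc/modules /etc/modules /proc/sys/net/bridge

# Succeeds if the module is listed in a /proc/modules-style file.
module_loaded() {
    grep -q "^$2 " "$1"
}

# Succeeds if the module has its own uncommented line in an /etc/modules-style file.
module_persisted() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# Prints one verdict: not-loaded | filtering | not-persistent | ok
audit_br_netfilter() {
    proc_modules=$1; etc_modules=$2; bridge_dir=$3
    if ! module_loaded "$proc_modules" br_netfilter; then
        # Without the module the net.bridge.* keys do not exist and sysctl fails.
        echo "not-loaded"; return 0
    fi
    # Assumption: the bridge-nf-call-* keys are the ones the role sets to 0.
    for f in "$bridge_dir"/bridge-nf-call-*; do
        [ -f "$f" ] || continue
        if [ "$(cat "$f")" != "0" ]; then
            # Non-zero: bridged container traffic is handed to the host's iptables.
            echo "filtering"; return 0
        fi
    done
    if ! module_persisted "$etc_modules" br_netfilter; then
        # Loaded now, but absent at next boot when 'sysctl -p' is applied.
        echo "not-persistent"; return 0
    fi
    echo "ok"
}

# Constructed sample of the reported state: bridge loaded, br_netfilter not.
demo_state() {
    d=$(mktemp -d)
    printf 'bridge 110833 0 - Live 0x0000000000000000\n' > "$d/proc_modules"
    printf '# /etc/modules\nloop\n' > "$d/etc_modules"
    mkdir "$d/bridge"
    audit_br_netfilter "$d/proc_modules" "$d/etc_modules" "$d/bridge"
    rm -rf "$d"
}

demo_state
```

A verdict of `not-loaded` corresponds to the failed sysctl task shown above; `not-persistent` is the case where the values are correct now but would revert after a reboot.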