OpenStack Installation Guide for Ubuntu in Installation Guide Executable not found: conntrack (filter match = conntrack)

Bug #1514731 reported by Rushikesh
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
neutron (Ubuntu) | Fix Released | High | James Page |
Wily | Won't Fix | High | Unassigned |
Xenial | Fix Released | High | James Page |

Bug Description

On a fresh install of Ubuntu 15.04 and OpenStack Liberty from the given doc link.
Networking is using neutron ML2 with provider networks and no floating IPs.

On virtual machine creation, there is an error in neutron-plugin-linuxbridge-agent.log:
Executable not found: conntrack (filter match = conntrack)

Doing # apt-get install conntrack
fixes it; however, nowhere in the setup documentation is it mentioned to install this binary.

-----------------------------------
Release: 0.1 on 2015-11-10 00:58
SHA: 73000342eb55abe66b5eb713908b37f78278a0f9
Source: http://git.openstack.org/cgit/openstack/openstack-manuals/tree/doc/install-guide/source/index.rst
URL: http://docs.openstack.org/liberty/install-guide-ubuntu/

Changed in openstack-manuals:
assignee: nobody → Ruchi Parmar (ruchiparmar143)
Matt Kassawara (ionosphere80) wrote :

Probably a package dependency issue. However, the installation guide does not support versions of Ubuntu newer than 14.04, the last LTS release. I cannot replicate this issue on 14.04. If you want to continue using 15.04, which I'm fairly sure includes Kilo rather than Liberty, open a bug for the neutron packages.

Changed in openstack-manuals:
status: New → Won't Fix
assignee: Ruchi Parmar (ruchiparmar143) → nobody
Rushikesh (rushikesh7) wrote :

Hi Matt,

I refreshed the system with Ubuntu 15.10 and was able to reproduce it. OpenStack Liberty is included in 15.10.
It did not stop normal functioning, and I would like to know what would happen if the conntrack package is not installed.

Is it a security risk, or is it connection tracking for individual VMs via the host, or is it something else?

Thanks for reading and your time.

Tom Fifield (fifieldt) wrote :

Hi Rushikesh,

This doesn't appear to belong in this tracker, which is about problems in documentation, so I've tagged it up with Ubuntu's neutron package for you.

no longer affects: ubuntu
James Page (james-page)
Changed in neutron (Ubuntu Wily):
importance: Undecided → High
Changed in neutron (Ubuntu Xenial):
importance: Undecided → High
James Page (james-page) wrote :

Looking at the filters for neutron:

  neutron/rootwrap.d/l3.filters

has the only reference to conntrack; neutron-l3-agent has the correct depends on conntrack, but I'm guessing that the linuxbridge configuration you're using is not trying to do l3 routing.

So I'm a bit puzzled as to why this is needed.

James Page (james-page) wrote :

Could you paste the full stacktrace from your error logs so we can see where the call is being made from, please?

Changed in neutron (Ubuntu Xenial):
status: New → Incomplete
Changed in neutron (Ubuntu Wily):
status: New → Incomplete
Rushikesh (rushikesh7) wrote :

Hi James,

Following is the full stacktrace.

2015-11-04 20:17:01.391 4333 ERROR neutron.agent.linux.ip_conntrack [req-69a3ea03-f2bc-4d88-9fc7-485ebc3722b3 - - - - -] Failed execute conntrack command ['conntrack', '-D', '-f', 'ipv4', '-d', 'x.y.z.148', '-w', 6, '-s', 'x.y.z.145']
2015-11-04 20:17:01.391 4333 ERROR neutron.agent.linux.ip_conntrack Traceback (most recent call last):
2015-11-04 20:17:01.391 4333 ERROR neutron.agent.linux.ip_conntrack File "/usr/lib/python2.7/dist-packages/neutron/agent/linux/ip_conntrack.py", line 72, in _delete_conntrack_state
2015-11-04 20:17:01.391 4333 ERROR neutron.agent.linux.ip_conntrack extra_ok_codes=[1])
2015-11-04 20:17:01.391 4333 ERROR neutron.agent.linux.ip_conntrack File "/usr/lib/python2.7/dist-packages/neutron/agent/linux/utils.py", line 159, in execute
2015-11-04 20:17:01.391 4333 ERROR neutron.agent.linux.ip_conntrack raise RuntimeError(m)
2015-11-04 20:17:01.391 4333 ERROR neutron.agent.linux.ip_conntrack RuntimeError:
2015-11-04 20:17:01.391 4333 ERROR neutron.agent.linux.ip_conntrack Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'conntrack', '-D', '-f', 'ipv4', '-d', 'x.y.z.148', '-w', '6', '-s', 'x.y.z.145']
2015-11-04 20:17:01.391 4333 ERROR neutron.agent.linux.ip_conntrack Exit code: 96
2015-11-04 20:17:01.391 4333 ERROR neutron.agent.linux.ip_conntrack Stdin:
2015-11-04 20:17:01.391 4333 ERROR neutron.agent.linux.ip_conntrack Stdout:
2015-11-04 20:17:01.391 4333 ERROR neutron.agent.linux.ip_conntrack Stderr: /usr/bin/neutron-rootwrap: Executable not found: conntrack (filter match = conntrack)
2015-11-04 20:17:01.391 4333 ERROR neutron.agent.linux.ip_conntrack
2015-11-04 20:17:01.391 4333 ERROR neutron.agent.linux.ip_conntrack
2015-11-04 20:17:02.484 4333 INFO neutron.agent.securitygroups_rpc [req-2b633c95-430d-415b-9d0c-f0687f1656ae 4fee825c04e04bcc8779fbc0e1c75154 d8c1e9ee4f6e429199a85389ab64868d - - -] Security group member updated [u'04641584-d2eb-45e3-b6b9-a5e6d38bbb9b']
2015-11-04 20:17:02.729 4333 INFO neutron.agent.securitygroups_rpc [req-69a3ea03-f2bc-4d88-9fc7-485ebc3722b3 - - - - -] Refresh firewall rules

To completely disable L3, I had to set all of the following settings to False in /etc/openstack-dashboard/local_settings.py:
OPENSTACK_NEUTRON_NETWORK = {
    'enable_router': False,
    'enable_quotas': False,
    'enable_ipv6': False,
    'enable_distributed_router': False,
    'enable_ha_router': False,
    'enable_lb': False,
    'enable_firewall': False,
    'enable_vpn': False,
    'enable_fip_topology_check': False
}

Matt Kassawara (ionosphere80) wrote :

James,

I can confirm this issue as a missing dependency. The neutron Linux bridge and Open vSwitch L2 agents and L3 agent use a library [1] that calls conntrack for various reasons... typically security group management. Currently, only the neutron-l3-agent package depends on conntrack, but neither of the L2 agents depend on it. Compute nodes usually only run the L2 agent and therefore lack conntrack.

[1] https://github.com/openstack/neutron/blob/master/neutron/agent/linux/iptables_firewall.py
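
The missing dependency described in this thread can be checked for on a node before an agent hits it. The following is an added example, not code from neutron, oslo.rootwrap or any commenter; it assumes a rootwrap.conf whose [DEFAULT] section sets filters_path and exec_dirs, and filter lines of the form "name: CommandFilter, executable, user". The sample tree built in demo() is constructed.

```python
import configparser
import os
import tempfile
from pathlib import Path

# Filter classes whose first argument is the executable; others are skipped.
EXEC_FIRST = {"CommandFilter", "RegExpFilter"}

def _ini(path):
    parser = configparser.RawConfigParser(strict=False)
    parser.optionxform = str  # keep filter names case-sensitive
    parser.read(path)
    return parser

def resolve(executable, exec_dirs):
    """Return the path that could be executed, or None if nothing is installed."""
    candidates = [executable] if os.path.isabs(executable) else [
        os.path.join(d, executable) for d in exec_dirs]
    return next((c for c in candidates if os.access(c, os.X_OK)), None)

def missing_executables(rootwrap_conf):
    """List (filter file, filter name, executable) entries that cannot run."""
    conf = _ini(rootwrap_conf)
    exec_dirs = [d.strip() for d in conf.get("DEFAULT", "exec_dirs").split(",")]
    missing = []
    for fdir in conf.get("DEFAULT", "filters_path").split(","):
        for path in sorted(Path(fdir.strip()).glob("*.filters")):
            filters = _ini(path)
            if not filters.has_section("Filters"):
                continue
            for name, value in filters.items("Filters"):
                fields = [f.strip() for f in value.split(",")]
                if len(fields) >= 2 and fields[0] in EXEC_FIRST \
                        and resolve(fields[1], exec_dirs) is None:
                    missing.append((path.name, name, fields[1]))
    return missing

def demo():
    """Constructed node layout: 'ip' is installed, 'conntrack' is not."""
    root = Path(tempfile.mkdtemp())
    for sub in ("bin", "rootwrap.d"):
        (root / sub).mkdir()
    (root / "bin" / "ip").write_text("#!/bin/sh\n")
    (root / "bin" / "ip").chmod(0o755)
    (root / "rootwrap.d" / "sample.filters").write_text(
        "[Filters]\nip: CommandFilter, ip, root\n"
        "conntrack: CommandFilter, conntrack, root\n")
    (root / "rootwrap.conf").write_text(
        f"[DEFAULT]\nfilters_path={root}/rootwrap.d\nexec_dirs={root}/bin\n")
    return missing_executables(root / "rootwrap.conf")
```

On a compute node, calling missing_executables("/etc/neutron/rootwrap.conf") lists every filter that is permitted but has no installed binary behind it, which is the condition behind the "Executable not found" message and exit code 96 in the trace above.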

no longer affects: openstack-manuals
Launchpad Janitor (janitor) wrote :

[Expired for neutron (Ubuntu Xenial) because there has been no activity for 60 days.]

Changed in neutron (Ubuntu Xenial):
status: Incomplete → Expired
Launchpad Janitor (janitor) wrote :

[Expired for neutron (Ubuntu Wily) because there has been no activity for 60 days.]

Changed in neutron (Ubuntu Wily):
status: Incomplete → Expired
James Page (james-page)
Changed in neutron (Ubuntu Wily):
status: Expired → Won't Fix
Changed in neutron (Ubuntu Xenial):
status: Expired → New
James Page (james-page)
Changed in neutron (Ubuntu Xenial):
status: New → In Progress
assignee: nobody → James Page (james-page)
James Page (james-page)
Changed in neutron (Ubuntu Xenial):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package neutron - 2:8.0.0~b2-0ubuntu5

---------------
neutron (2:8.0.0~b2-0ubuntu5) xenial; urgency=medium

  * d/control,neutron-plugin-openvswitch-agent.*: Add transitional package for
    upgrades, ensure that old init and upstart configurations are removed
    (LP: #1548242).
  * d/*.default,neutron-server.init.in: Revert commits which mistakenly
    tied ovs or linuxbridge agents to the neutron-server package (LP: #1548245).
  * d/control,neutron-{plugin-}linuxbridge-agent.*: Rename
    neutron-plugin-linuxbridge-agent -> neutron-linuxbridge-agent inline with
    other agent packages (LP: #1548244).
  * d/control: Add dependency on conntrack for openvswitch and linuxbridge
    packages (LP: #1514731).
  * d/control,*.install,*.init.in,*.service.in,*.update.in: Re-jig locations
    of ml2 plugin and associated agent files so that openvswitch, linuxbridge
    and sriov agents no longer need to include ml2_conf.ini (LP: #1527005).
  * d/control,neutron-{plugin-}sriov-agent.*: Rename
    neutron-plugin-sriov-agent -> neutron-sriov-agent inline with
    other agent packages (LP: #1548244).
  * d/tests/*: Refactor and reduce tests; ML2 is the only plugin now in neutron
    core, so no need to continue to carry infrastructure for testing other
    plugins.
  * d/control: Drop old Breaks/Replaces on quantum-* packages.

 -- James Page <email address hidden> Mon, 22 Feb 2016 13:47:02 +0000

Changed in neutron (Ubuntu Xenial):
status: Fix Committed → Fix Released