OpenStack Installation Guide for Ubuntu in Installation Guide Executable not found: conntrack (filter match = conntrack)

Bug #1514731 reported by Rushikesh
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
neutron (Ubuntu)
High
James Page
Wily
High
Unassigned
Xenial
High
James Page

Bug Description

On a fresh install of Ubuntu 15.04 and Openstack Liberty from given doc link.
Networking is using neutron ML2 with providers network and no floating ips.

On Virtual Machine create, there is error in neutron-plugin-linuxbridge-agent.log as
Executable not found: conntrack (filter match = conntrack)

Doing # apt-get install conntrack
fixes it however nowhere its mentioned to install this binary as part of setup documentation.

-----------------------------------
Release: 0.1 on 2015-11-10 00:58
SHA: 73000342eb55abe66b5eb713908b37f78278a0f9
Source: http://git.openstack.org/cgit/openstack/openstack-manuals/tree/doc/install-guide/source/index.rst
URL: http://docs.openstack.org/liberty/install-guide-ubuntu/

Changed in openstack-manuals:
assignee: nobody → Ruchi Parmar (ruchiparmar143)
Revision history for this message
Matt Kassawara (ionosphere80) wrote :

Probably a package dependency issue. However, the installation guide does not support versions of Ubuntu newer than 14.04, the last LTS release. I cannot replicate this issue on 14.04. If you want to continue using 15.04, which I'm fairly sure includes Kilo rather than Liberty, open a bug for the neutron packages.

Changed in openstack-manuals:
status: New → Won't Fix
assignee: Ruchi Parmar (ruchiparmar143) → nobody
Revision history for this message
Rushikesh (rushikesh7) wrote :

Hi Matt,

I refreshed the system with Ubuntu 15.10 and was able to reproduce it. Openstack Liberty is included in 15.10.
It did not stop normal functioning and I would like to know what would happen if the conntrack package is not installed.

Is it security risk or is it connection tracking for individual VMs via Host or is it something else ?

Thanks for reading and your time.

Revision history for this message
Tom Fifield (fifieldt) wrote :

Hi Rushikesh,

This doesn't appear to belong in this tracker, which is about problems in documentation, so I've tagged it up with Ubuntu's neutron package for you.

no longer affects: ubuntu
James Page (james-page)
Changed in neutron (Ubuntu Wily):
importance: Undecided → High
Changed in neutron (Ubuntu Xenial):
importance: Undecided → High
Revision history for this message
James Page (james-page) wrote :

Looking at the filters for neutron:

  neutron/rootwrap.d/l3.filters

has the only reference to conntrack; neutron-l3-agent has the correct depends on conntrack but I'm guessing that the linuxbridge configuration you're using is not trying todo l3 routing.

So I'm a bit puzzled as to why this is needed.

Revision history for this message
James Page (james-page) wrote :

Could you paste the full stacktrace from your error logs so we can see where the call is being made from please.

Changed in neutron (Ubuntu Xenial):
status: New → Incomplete
Changed in neutron (Ubuntu Wily):
status: New → Incomplete
Revision history for this message
Rushikesh (rushikesh7) wrote :

Hi James,

Following is the full stacktrace.

2015-11-04 20:17:01.391 4333 ERROR neutron.agent.linux.ip_conntrack [req-69a3ea03-f2bc-4d88-9fc7-485ebc3722b3 - - - - -] Failed execute conntrack command ['conntrack', '-D', '-f', 'ipv4', '-d', 'x.y.z.148', '-w', 6, '-s', 'x.y.z.145']
2015-11-04 20:17:01.391 4333 ERROR neutron.agent.linux.ip_conntrack Traceback (most recent call last):
2015-11-04 20:17:01.391 4333 ERROR neutron.agent.linux.ip_conntrack File "/usr/lib/python2.7/dist-packages/neutron/agent/linux/ip_conntrack.py", line 72, in _delete_conntrack_state
2015-11-04 20:17:01.391 4333 ERROR neutron.agent.linux.ip_conntrack extra_ok_codes=[1])
2015-11-04 20:17:01.391 4333 ERROR neutron.agent.linux.ip_conntrack File "/usr/lib/python2.7/dist-packages/neutron/agent/linux/utils.py", line 159, in execute
2015-11-04 20:17:01.391 4333 ERROR neutron.agent.linux.ip_conntrack raise RuntimeError(m)
2015-11-04 20:17:01.391 4333 ERROR neutron.agent.linux.ip_conntrack RuntimeError:
2015-11-04 20:17:01.391 4333 ERROR neutron.agent.linux.ip_conntrack Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'conntrack', '-D', '-f', 'ipv4', '-d', 'x.y.z.148', '-w', '6', '-s', 'x.y.z.145']
2015-11-04 20:17:01.391 4333 ERROR neutron.agent.linux.ip_conntrack Exit code: 96
2015-11-04 20:17:01.391 4333 ERROR neutron.agent.linux.ip_conntrack Stdin:
2015-11-04 20:17:01.391 4333 ERROR neutron.agent.linux.ip_conntrack Stdout:
2015-11-04 20:17:01.391 4333 ERROR neutron.agent.linux.ip_conntrack Stderr: /usr/bin/neutron-rootwrap: Executable not found: conntrack (filter match = conntrack)
2015-11-04 20:17:01.391 4333 ERROR neutron.agent.linux.ip_conntrack
2015-11-04 20:17:01.391 4333 ERROR neutron.agent.linux.ip_conntrack
2015-11-04 20:17:02.484 4333 INFO neutron.agent.securitygroups_rpc [req-2b633c95-430d-415b-9d0c-f0687f1656ae 4fee825c04e04bcc8779fbc0e1c75154 d8c1e9ee4f6e429199a85389ab64868d - - -] Security group member updated [u'04641584-d2eb-45e3-b6b9-a5e6d38bbb9b']
2015-11-04 20:17:02.729 4333 INFO neutron.agent.securitygroups_rpc [req-69a3ea03-f2bc-4d88-9fc7-485ebc3722b3 - - - - -] Refresh firewall rules

To completely disable L3 I had to set all following settings to False in /etc/openstack-dashboard/local_settings.py
OPENSTACK_NEUTRON_NETWORK = {
    'enable_router': False,
    'enable_quotas': False,
    'enable_ipv6': False,
    'enable_distributed_router': False,
    'enable_ha_router': False,
    'enable_lb': False,
    'enable_firewall': False,
    'enable_vpn': False,
    'enable_fip_topology_check': False
}

Revision history for this message
Matt Kassawara (ionosphere80) wrote :

James,

I can confirm this issue as a missing dependency. The neutron Linux bridge and Open vSwitch L2 agents and L3 agent use a library [1] that calls conntrack for various reasons... typically security group management. Currently, only the neutron-l3-agent package depends on conntrack, but neither of the L2 agents depend on it. Compute nodes usually only run the L2 agent and therefore lack conntrack.

[1] https://github.com/openstack/neutron/blob/master/neutron/agent/linux/iptables_firewall.py

no longer affects: openstack-manuals
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for neutron (Ubuntu Xenial) because there has been no activity for 60 days.]

Changed in neutron (Ubuntu Xenial):
status: Incomplete → Expired
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for neutron (Ubuntu Wily) because there has been no activity for 60 days.]

Changed in neutron (Ubuntu Wily):
status: Incomplete → Expired
James Page (james-page)
Changed in neutron (Ubuntu Wily):
status: Expired → Won't Fix
Changed in neutron (Ubuntu Xenial):
status: Expired → New
James Page (james-page)
Changed in neutron (Ubuntu Xenial):
status: New → In Progress
assignee: nobody → James Page (james-page)
James Page (james-page)
Changed in neutron (Ubuntu Xenial):
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package neutron - 2:8.0.0~b2-0ubuntu5

---------------
neutron (2:8.0.0~b2-0ubuntu5) xenial; urgency=medium

  * d/control,neutron-plugin-openvswitch-agent.*: Add transitional package for
    upgrades, ensure that old init and upstart configurations are removed
    (LP: #1548242).
  * d/*.default,neutron-server.init.in: Revert commits which mistakenly
    tied ovs or linuxbridge agents to the neutron-server package (LP: #1548245).
  * d/control,neutron-{plugin-}linuxbridge-agent.*: Rename
    neutron-plugin-linuxbridge-agent -> neutron-linuxbridge-agent inline with
    other agent packages (LP: #1548244).
  * d/control: Add dependency on conntrack for openvswitch and linuxbridge
    packages (LP: #1514731).
  * d/control,*.install,*.init.in,*.service.in,*.update.in: Re-jig locations
    of ml2 plugin and associated agent files so that openvswitch, linuxbridge
    and sriov agents no longer need to include ml2_conf.ini (LP: #1527005).
  * d/control,neutron-{plugin-}sriov-agent.*: Rename
    neutron-plugin-sriov-agent -> neutron-sriov-agent inline with
    other agent packages (LP: #1548244).
  * d/tests/*: Refactor and reduce tests; ML2 is the only plugin now in neutron
    core, so no need to continue to carry infrastructure for testing other
    plugins.
  * d/control: Drop old Breaks/Replaces on quantum-* packages.

 -- James Page <email address hidden> Mon, 22 Feb 2016 13:47:02 +0000

Changed in neutron (Ubuntu Xenial):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers