| 2020-10-05 12:02:07 |
Albert Damen |
bug |
|
|
added bug |
| 2020-10-05 12:02:07 |
Albert Damen |
attachment added |
|
neutron-linuxbridge-agent.log https://bugs.launchpad.net/bugs/1898547/+attachment/5417816/+files/neutron-linuxbridge-agent.log |
|
| 2020-10-21 08:39:51 |
Albert Damen |
neutron (Ubuntu): status |
New |
Invalid |
|
| 2020-10-21 17:44:13 |
Albert Damen |
bug task added |
|
iptables (Ubuntu) |
|
| 2020-10-21 17:52:47 |
Oibaf |
bug |
|
|
added subscriber Oibaf |
| 2020-11-02 11:14:21 |
Launchpad Janitor |
iptables (Ubuntu): status |
New |
Confirmed |
|
| 2020-11-02 11:27:45 |
James Page |
nominated for series |
|
Ubuntu Hirsute |
|
| 2020-11-02 11:27:45 |
James Page |
bug task added |
|
iptables (Ubuntu Hirsute) |
|
| 2020-11-02 11:27:45 |
James Page |
bug task added |
|
neutron (Ubuntu Hirsute) |
|
| 2020-11-02 11:27:45 |
James Page |
nominated for series |
|
Ubuntu Groovy |
|
| 2020-11-02 11:27:45 |
James Page |
bug task added |
|
iptables (Ubuntu Groovy) |
|
| 2020-11-02 11:27:45 |
James Page |
bug task added |
|
neutron (Ubuntu Groovy) |
|
| 2020-11-02 11:27:55 |
James Page |
neutron (Ubuntu Groovy): status |
New |
Invalid |
|
| 2020-11-02 11:47:41 |
James Page |
iptables (Ubuntu Hirsute): importance |
Undecided |
High |
|
| 2020-11-02 11:47:43 |
James Page |
iptables (Ubuntu Groovy): importance |
Undecided |
High |
|
| 2020-11-02 11:47:46 |
James Page |
iptables (Ubuntu Groovy): status |
New |
Triaged |
|
| 2020-11-02 11:47:48 |
James Page |
iptables (Ubuntu Hirsute): status |
Confirmed |
Triaged |
|
| 2020-11-03 01:29:31 |
Alex Murray |
iptables (Ubuntu Groovy): assignee |
|
Alex Murray (alexmurray) |
|
| 2020-11-03 01:29:33 |
Alex Murray |
iptables (Ubuntu Hirsute): assignee |
|
Alex Murray (alexmurray) |
|
| 2020-11-03 07:07:36 |
Frank Heimes |
bug |
|
|
added subscriber Frank Heimes |
| 2020-11-04 21:06:43 |
Jamie Strandboge |
iptables (Ubuntu Hirsute): status |
Triaged |
Fix Committed |
|
| 2020-11-05 04:10:56 |
Alex Murray |
iptables (Ubuntu Groovy): status |
Triaged |
In Progress |
|
| 2020-11-05 04:36:13 |
Alex Murray |
description |
Ubuntu Groovy (20.10)
kernel 5.8.0-20-generic
neutron-linuxbridge-agent: 2:17.0.0~git2020091014.215a541bd4-0ubuntu1
iptables: 1.8.5-3ubuntu1 (nf_tables)
iptables-restore points to xtables-nft-multi
After upgrading iptables from 1.8.4 to 1.8.5 and rebooting the neutron network node, neutron-linuxbridge-agent didn't properly start anymore.
The log file shows many errors like:
2020-10-05 10:20:37.998 551 ERROR neutron.plugins.ml2.drivers.agent._common_agent ; Stdout: ; Stderr: iptables-restore: line 29 failed
Downgrading iptables to 1.8.4 solves the problem.
Trying to do what the linuxbridge agent does:
2020-10-05 10:20:37.998 551 ERROR neutron.plugins.ml2.drivers.agent._common_agent *filter
2020-10-05 10:20:37.998 551 ERROR neutron.plugins.ml2.drivers.agent._common_agent :FORWARD - [0:0]
shows that
iptables-restore <<EOF
*filter
:INPUT - [0:0]
COMMIT
EOF
works fine with iptables 1.8.4 but fails with 1.8.5
Workaround
It seems neutron-linuxbridge agent tries to create the default chains (like INPUT) with a "-" as policy. By making sure the chains already exist (and are shown with iptables-save) the agent doesn't try to create those default chains and the agent starts fine.
So just running:
sudo iptables -F OUTPUT
sudo iptables -F OUTPUT -t raw
sudo ip6tables -F OUTPUT
sudo ip6tables -F OUTPUT -t raw
is enough to get neutron-linuxbridge-agent working with iptables 1.8.5. |
[Impact]
With iptables 1.8.5 neutron-linuxbridge-agent fails to properly start.
The log file shows many errors like:
2020-10-05 10:20:37.998 551 ERROR neutron.plugins.ml2.drivers.agent._common_agent ; Stdout: ; Stderr: iptables-restore: line 29 failed
This can be demonstrated with a simple test case:
iptables-restore <<EOF
*filter
:INPUT - [0:0]
COMMIT
EOF
This fails with iptables 1.8.5 and is a known upstream bug that was subsequently fixed in upstream commit https://git.netfilter.org/iptables/commit/?id=0bd7a8eaf3582159490ab355b1217a4e42ed021f
As such, neutron-linuxbridge-agent is not able to be used successfully on groovy. This fix to iptables is required to allow neutron-linuxbridge-agent to successfully run.
In hirsute, iptables 1.8.5-3ubuntu3 has been uploaded which fixes this bug by backporting the upstream fix from commit 0bd7a8eaf3582159490ab355b1217a4e42ed021f above. This is currently sitting in hirsute-proposed waiting for autopkgtests to complete to finish migration.
For groovy, iptables 1.8.5-3ubuntu2.20.10.1 is sitting in Unapproved and is the subject of this SRU (this is simply 1.8.5-3ubuntu3 packaged for groovy)
[Test Case]
This can be reproduced by the test case.
[Regression Potential]
* This is a low risk update since it only affects the behaviour when a policy of '-' is specified and so does not affect any users of iptables that specify an explicit policy (like ACCEPT, REJECT etc). Since this '-' behaviour is currently broken it has a very low chance of causing a regression as it does not affect any code paths the use an explicit policy.
* In the event of a regression, iptables can be reverted back to a rebuild of 1.8.5-3ubuntu1 by simply backing out this patch.
[Other Info]
* Details regarding an explicit test verification of neutron-linuxbridge-agent will be added soon. |
|
| 2020-11-05 14:51:53 |
Łukasz Zemczak |
iptables (Ubuntu Groovy): status |
In Progress |
Fix Committed |
|
| 2020-11-05 14:51:55 |
Łukasz Zemczak |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2020-11-05 14:51:57 |
Łukasz Zemczak |
bug |
|
|
added subscriber SRU Verification |
| 2020-11-05 14:52:00 |
Łukasz Zemczak |
tags |
|
verification-needed verification-needed-groovy |
|
| 2020-11-05 15:06:15 |
Frank Heimes |
bug task added |
|
ubuntu-z-systems |
|
| 2020-11-05 15:06:27 |
Frank Heimes |
ubuntu-z-systems: status |
New |
Fix Committed |
|
| 2020-11-05 15:06:43 |
Frank Heimes |
ubuntu-z-systems: assignee |
|
Skipper Bug Screeners (skipper-screen-team) |
|
| 2020-11-05 23:12:14 |
Alex Murray |
description |
[Impact]
With iptables 1.8.5 neutron-linuxbridge-agent fails to properly start.
The log file shows many errors like:
2020-10-05 10:20:37.998 551 ERROR neutron.plugins.ml2.drivers.agent._common_agent ; Stdout: ; Stderr: iptables-restore: line 29 failed
This can be demonstrated with a simple test case:
iptables-restore <<EOF
*filter
:INPUT - [0:0]
COMMIT
EOF
This fails with iptables 1.8.5 and is a known upstream bug that was subsequently fixed in upstream commit https://git.netfilter.org/iptables/commit/?id=0bd7a8eaf3582159490ab355b1217a4e42ed021f
As such, neutron-linuxbridge-agent is not able to be used successfully on groovy. This fix to iptables is required to allow neutron-linuxbridge-agent to successfully run.
In hirsute, iptables 1.8.5-3ubuntu3 has been uploaded which fixes this bug by backporting the upstream fix from commit 0bd7a8eaf3582159490ab355b1217a4e42ed021f above. This is currently sitting in hirsute-proposed waiting for autopkgtests to complete to finish migration.
For groovy, iptables 1.8.5-3ubuntu2.20.10.1 is sitting in Unapproved and is the subject of this SRU (this is simply 1.8.5-3ubuntu3 packaged for groovy)
[Test Case]
This can be reproduced by the test case.
[Regression Potential]
* This is a low risk update since it only affects the behaviour when a policy of '-' is specified and so does not affect any users of iptables that specify an explicit policy (like ACCEPT, REJECT etc). Since this '-' behaviour is currently broken it has a very low chance of causing a regression as it does not affect any code paths the use an explicit policy.
* In the event of a regression, iptables can be reverted back to a rebuild of 1.8.5-3ubuntu1 by simply backing out this patch.
[Other Info]
* Details regarding an explicit test verification of neutron-linuxbridge-agent will be added soon. |
[Impact]
With iptables 1.8.5 neutron-linuxbridge-agent fails to properly start.
The log file shows many errors like:
2020-10-05 10:20:37.998 551 ERROR neutron.plugins.ml2.drivers.agent._common_agent ; Stdout: ; Stderr: iptables-restore: line 29 failed
This can be demonstrated with a simple test case:
iptables-restore <<EOF
*filter
:INPUT - [0:0]
COMMIT
EOF
This fails with iptables 1.8.5 and is a known upstream bug that was subsequently fixed in upstream commit https://git.netfilter.org/iptables/commit/?id=0bd7a8eaf3582159490ab355b1217a4e42ed021f
As such, neutron-linuxbridge-agent is not able to be used successfully on groovy. This fix to iptables is required to allow neutron-linuxbridge-agent to successfully run.
In hirsute, iptables 1.8.5-3ubuntu3 has been uploaded which fixes this bug by backporting the upstream fix from commit 0bd7a8eaf3582159490ab355b1217a4e42ed021f above. This is currently sitting in hirsute-proposed waiting for autopkgtests to complete to finish migration.
For groovy, iptables 1.8.5-3ubuntu2.20.10.1 is sitting in Unapproved and is the subject of this SRU (this is simply 1.8.5-3ubuntu3 packaged for groovy)
[Test Case]
This can be reproduced by the test case.
[Regression Potential]
* This is a low risk update since it only affects the behaviour when a policy of '-' is specified and so does not affect any users of iptables that specify an explicit policy (like ACCEPT, REJECT etc). Since this '-' behaviour is currently broken it has a very low chance of causing a regression as it does not affect any code paths the use an explicit policy. One possible regression would be if any users of iptables-restore
were relying on this failing behaviour, but since this has only failed for
groovy and no other Ubuntu releases this is highly unlikely. The other
possibility is that the patch introduces some other failure, however
as stated above, close analysis of the patch shows it only introduces
new behaviour when the policy is specified as '-' - so this should be
impossible.
* In the event of a regression, iptables can be reverted back to a rebuild of 1.8.5-3ubuntu1 by simply backing out this patch.
[Other Info]
* Details regarding an explicit test verification of neutron-linuxbridge-agent will be added soon. |
|
| 2020-11-06 09:23:43 |
Albert Damen |
attachment added |
|
bug1898547_verification https://bugs.launchpad.net/ubuntu/+source/neutron/+bug/1898547/+attachment/5431817/+files/bug1898547_verification |
|
| 2020-11-06 09:24:05 |
Albert Damen |
tags |
verification-needed verification-needed-groovy |
verification-done-groovy verification-needed |
|
| 2020-11-10 21:32:58 |
Launchpad Janitor |
iptables (Ubuntu Hirsute): status |
Fix Committed |
Fix Released |
|
| 2020-11-12 22:56:59 |
Alex Murray |
tags |
verification-done-groovy verification-needed |
verification-done-groovy |
|
| 2020-11-16 10:01:31 |
Launchpad Janitor |
iptables (Ubuntu Groovy): status |
Fix Committed |
Fix Released |
|
| 2020-11-16 10:01:36 |
Łukasz Zemczak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
| 2020-11-16 10:20:42 |
Andrew Cloke |
ubuntu-z-systems: status |
Fix Committed |
Fix Released |
|
