linuxbridge agent requires use of br_netfilter module

Bug #1621854 reported by James Page
This bug affects 1 person
Affects              | Status       | Importance | Assigned to | Milestone
Ubuntu Cloud Archive | Fix Released | High       | Unassigned  |
neutron (Ubuntu)     | Fix Released | High       | Unassigned  |

Bug Description

Mixed in with bug 1621651 was a piece of information that with the linuxbridge agent, the br_netfilter module needs to be loaded on the host system, otherwise security rules will silently fail to be applied to instances:

2016-09-08 21:46:45.383 26458 ERROR neutron.plugins.ml2.drivers.agent._common_agent [req-7422fadb-d790-4825-aeeb-e6bed6eee188 - - - - -] Error in agent loop. Devices info: {'current': set(['tap7e4f7c40-86', 'tap9a4ed18e-82', 'tap34eb30e9-ef', 'tap3beb1db4-6d']), 'timestamps': {'tap7e4f7c40-86': 1473371191.1141872, 'tap9a4ed18e-82': 1473371191.1141872, 'tap34eb30e9-ef': 1473371191.1141872, 'tap3beb1db4-6d': None}, 'removed': set([]), 'added': set(['tap7e4f7c40-86', 'tap9a4ed18e-82', 'tap3beb1db4-6d']), 'updated': set([u'tap7e4f7c40-86', u'tap9a4ed18e-82'])}
2016-09-08 21:46:45.383 26458 ERROR neutron.plugins.ml2.drivers.agent._common_agent Traceback (most recent call last):
2016-09-08 21:46:45.383 26458 ERROR neutron.plugins.ml2.drivers.agent._common_agent File "/usr/lib/python2.7/dist-packages/neutron/plugins/ml2/drivers/agent/_common_agent.py", line 450, in daemon_loop
2016-09-08 21:46:45.383 26458 ERROR neutron.plugins.ml2.drivers.agent._common_agent sync = self.process_network_devices(device_info)
2016-09-08 21:46:45.383 26458 ERROR neutron.plugins.ml2.drivers.agent._common_agent File "/usr/lib/python2.7/dist-packages/osprofiler/profiler.py", line 154, in wrapper
2016-09-08 21:46:45.383 26458 ERROR neutron.plugins.ml2.drivers.agent._common_agent return f(*args, **kwargs)
2016-09-08 21:46:45.383 26458 ERROR neutron.plugins.ml2.drivers.agent._common_agent File "/usr/lib/python2.7/dist-packages/neutron/plugins/ml2/drivers/agent/_common_agent.py", line 200, in process_network_devices
2016-09-08 21:46:45.383 26458 ERROR neutron.plugins.ml2.drivers.agent._common_agent device_info.get('updated'))
2016-09-08 21:46:45.383 26458 ERROR neutron.plugins.ml2.drivers.agent._common_agent File "/usr/lib/python2.7/dist-packages/neutron/agent/securitygroups_rpc.py", line 265, in setup_port_filters
2016-09-08 21:46:45.383 26458 ERROR neutron.plugins.ml2.drivers.agent._common_agent self.prepare_devices_filter(new_devices)
2016-09-08 21:46:45.383 26458 ERROR neutron.plugins.ml2.drivers.agent._common_agent File "/usr/lib/python2.7/dist-packages/neutron/agent/securitygroups_rpc.py", line 130, in decorated_function
2016-09-08 21:46:45.383 26458 ERROR neutron.plugins.ml2.drivers.agent._common_agent *args, **kwargs)
2016-09-08 21:46:45.383 26458 ERROR neutron.plugins.ml2.drivers.agent._common_agent File "/usr/lib/python2.7/dist-packages/neutron/agent/securitygroups_rpc.py", line 138, in prepare_devices_filter
2016-09-08 21:46:45.383 26458 ERROR neutron.plugins.ml2.drivers.agent._common_agent self._apply_port_filter(device_ids)
2016-09-08 21:46:45.383 26458 ERROR neutron.plugins.ml2.drivers.agent._common_agent File "/usr/lib/python2.7/dist-packages/neutron/agent/securitygroups_rpc.py", line 163, in _apply_port_filter
2016-09-08 21:46:45.383 26458 ERROR neutron.plugins.ml2.drivers.agent._common_agent self.firewall.prepare_port_filter(device)
2016-09-08 21:46:45.383 26458 ERROR neutron.plugins.ml2.drivers.agent._common_agent File "/usr/lib/python2.7/dist-packages/neutron/agent/linux/iptables_firewall.py", line 170, in prepare_port_filter
2016-09-08 21:46:45.383 26458 ERROR neutron.plugins.ml2.drivers.agent._common_agent self._enable_netfilter_for_bridges()
2016-09-08 21:46:45.383 26458 ERROR neutron.plugins.ml2.drivers.agent._common_agent File "/usr/lib/python2.7/dist-packages/neutron/agent/linux/iptables_firewall.py", line 114, in _enable_netfilter_for_bridges
2016-09-08 21:46:45.383 26458 ERROR neutron.plugins.ml2.drivers.agent._common_agent run_as_root=True)
2016-09-08 21:46:45.383 26458 ERROR neutron.plugins.ml2.drivers.agent._common_agent File "/usr/lib/python2.7/dist-packages/neutron/agent/linux/utils.py", line 138, in execute
2016-09-08 21:46:45.383 26458 ERROR neutron.plugins.ml2.drivers.agent._common_agent raise RuntimeError(msg)
2016-09-08 21:46:45.383 26458 ERROR neutron.plugins.ml2.drivers.agent._common_agent RuntimeError: Exit code: 255; Stdin: ; Stdout: ; Stderr: sysctl: cannot stat /proc/sys/net/bridge/bridge-nf-call-arptables: No such file or directory
2016-09-08 21:46:45.383 26458 ERROR neutron.plugins.ml2.drivers.agent._common_agent
2016-09-08 21:46:45.383 26458 ERROR neutron.plugins.ml2.drivers.agent._common_agent
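
A host-side check for the condition described in this report, as an added example that is not part of the original bug report or of the neutron packaging. It assumes the three `bridge-nf-call-*` sysctl files under `/proc/sys/net/bridge` (only `bridge-nf-call-arptables` appears in the traceback above); the function name and return codes are hypothetical.

```shell
#!/bin/sh
# Added example: confirm the bridge netfilter hooks exist and are enabled,
# so that iptables-based security group rules actually see bridged traffic.
# The sysctl files only exist once br_netfilter is loaded (or built in),
# which makes their presence a better signal than parsing lsmod output.

BRIDGE_KEYS="bridge-nf-call-arptables bridge-nf-call-iptables bridge-nf-call-ip6tables"

# check_bridge_nf [DIR]
#   DIR defaults to /proc/sys/net/bridge; it is overridable so the check can
#   be exercised against a constructed directory.
# Return codes (hypothetical, chosen for this example):
#   0 = every hook is present and set to 1
#   1 = a sysctl file is missing (br_netfilter not loaded)
#   2 = files are present but at least one hook is disabled
check_bridge_nf() {
    dir="${1:-/proc/sys/net/bridge}"
    status=0
    for key in $BRIDGE_KEYS; do
        f="$dir/$key"
        if [ ! -r "$f" ]; then
            echo "MISSING  $key (br_netfilter not loaded?)" >&2
            return 1
        fi
        val=$(cat "$f")
        if [ "$val" != "1" ]; then
            echo "DISABLED $key=$val" >&2
            status=2
        fi
    done
    return $status
}
```

Calling `check_bridge_nf` with no argument on a compute node inspects the live kernel state; a return code of 1 corresponds to the `cannot stat` error in the traceback above.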

James Page (james-page)
description: updated
James Page (james-page)
summary: - linuxbridge agents requires use of br_netfilter module
+ linuxbridge agent requires use of br_netfilter module
Changed in cloud-archive:
importance: Undecided → High
Changed in neutron (Ubuntu):
importance: Undecided → High
James Page (james-page) wrote :

There is precedent for loading modules in ExecStartPre stanzas, so adding an attempt to load the br_netfilter module to the lb agent for newton.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package neutron - 2:9.0.0~b3-0ubuntu3

---------------
neutron (2:9.0.0~b3-0ubuntu3) yakkety; urgency=medium

  * d/neutron-linuxbridge-agent.service.in: Attempt load of br_netfilter
    module prior to starting service, ensuring that security rules will
    be applied to instances (LP: #1621854).

 -- James Page <email address hidden> Fri, 09 Sep 2016 14:31:25 +0100

Changed in neutron (Ubuntu):
status: New → Fix Released
James Page (james-page)
Changed in cloud-archive:
status: New → Fix Committed
James Page (james-page) wrote :

This bug was fixed in the package neutron - 2:9.0.0~b3-0ubuntu3~cloud0
---------------

 neutron (2:9.0.0~b3-0ubuntu3~cloud0) xenial-newton; urgency=medium
 .
   * New update for the Ubuntu Cloud Archive.
 .
 neutron (2:9.0.0~b3-0ubuntu3) yakkety; urgency=medium
 .
   * d/neutron-linuxbridge-agent.service.in: Attempt load of br_netfilter
     module prior to starting service, ensuring that security rules will
     be applied to instances (LP: #1621854).

Changed in cloud-archive:
status: Fix Committed → Fix Released