[Bug 1898547] Re: neutron-linuxbridge-agent fails to start with iptables 1.8.5
Frank Heimes
1898547 at bugs.launchpad.net
Thu Nov 5 15:06:15 UTC 2020
** Also affects: ubuntu-z-systems
Importance: Undecided
Status: New
** Changed in: ubuntu-z-systems
Status: New => Fix Committed
** Changed in: ubuntu-z-systems
Assignee: (unassigned) => Skipper Bug Screeners (skipper-screen-team)
--
https://bugs.launchpad.net/bugs/1898547
Title:
neutron-linuxbridge-agent fails to start with iptables 1.8.5
Status in Ubuntu on IBM z Systems:
Fix Committed
Status in iptables package in Ubuntu:
Fix Committed
Status in neutron package in Ubuntu:
Invalid
Status in iptables source package in Groovy:
Fix Committed
Status in neutron source package in Groovy:
Invalid
Status in iptables source package in Hirsute:
Fix Committed
Status in neutron source package in Hirsute:
Invalid
Bug description:
[Impact]
With iptables 1.8.5 neutron-linuxbridge-agent fails to properly start.
The log file shows many errors like:
2020-10-05 10:20:37.998 551 ERROR neutron.plugins.ml2.drivers.agent._common_agent ; Stdout: ; Stderr: iptables-restore: line 29 failed
This can be demonstrated with a simple test case:
iptables-restore <<EOF
*filter
:INPUT - [0:0]
COMMIT
EOF
This fails with iptables 1.8.5 and is a known upstream bug that was
subsequently fixed in upstream commit
https://git.netfilter.org/iptables/commit/?id=0bd7a8eaf3582159490ab355b1217a4e42ed021f
As such, neutron-linuxbridge-agent is not able to be used successfully
on groovy. This fix to iptables is required to allow
neutron-linuxbridge-agent to successfully run.
In hirsute, iptables 1.8.5-3ubuntu3 has been uploaded which fixes this
bug by backporting the upstream fix from commit
0bd7a8eaf3582159490ab355b1217a4e42ed021f above. This is currently
sitting in hirsute-proposed waiting for autopkgtests to complete to
finish migration.
For groovy, iptables 1.8.5-3ubuntu2.20.10.1 is sitting in Unapproved
and is the subject of this SRU (this is simply 1.8.5-3ubuntu3 packaged
for groovy).
[Test Case]
This can be reproduced with the iptables-restore test case shown under [Impact].
[Regression Potential]
* This is a low risk update since it only affects the behaviour when
a policy of '-' is specified and so does not affect any users of
iptables that specify an explicit policy (like ACCEPT, REJECT etc).
Since this '-' behaviour is currently broken it has a very low chance
of causing a regression, as it does not affect any code paths that use
an explicit policy.
* In the event of a regression, iptables can be reverted back to a
rebuild of 1.8.5-3ubuntu1 by simply backing out this patch.
[Other Info]
* Details regarding an explicit test verification of neutron-linuxbridge-agent will be added soon.