[Bug 1898547] Re: neutron-linuxbridge-agent fails to start with iptables 1.8.5
Alex Murray
1898547 at bugs.launchpad.net
Fri Nov 13 06:23:10 UTC 2020
jdstrand sponsored this to groovy-proposed and autopkgtests have all
passed - ~ubuntu-sru - could you please review?
https://bugs.launchpad.net/bugs/1898547
Title:
neutron-linuxbridge-agent fails to start with iptables 1.8.5
Status in Ubuntu on IBM z Systems:
Fix Committed
Status in iptables package in Ubuntu:
Fix Released
Status in neutron package in Ubuntu:
Invalid
Status in iptables source package in Groovy:
Fix Committed
Status in neutron source package in Groovy:
Invalid
Status in iptables source package in Hirsute:
Fix Released
Status in neutron source package in Hirsute:
Invalid
Bug description:
[Impact]
With iptables 1.8.5 neutron-linuxbridge-agent fails to properly start.
The log file shows many errors like:
2020-10-05 10:20:37.998 551 ERROR neutron.plugins.ml2.drivers.agent._common_agent ; Stdout: ; Stderr: iptables-restore: line 29 failed
This can be demonstrated with a simple test case:
iptables-restore <<EOF
*filter
:INPUT - [0:0]
COMMIT
EOF
This fails with iptables 1.8.5 and is a known upstream bug that was
subsequently fixed in upstream commit
https://git.netfilter.org/iptables/commit/?id=0bd7a8eaf3582159490ab355b1217a4e42ed021f
As such, neutron-linuxbridge-agent is not able to be used successfully
on groovy. This fix to iptables is required to allow
neutron-linuxbridge-agent to successfully run.
In hirsute, iptables 1.8.5-3ubuntu3 has been uploaded which fixes this
bug by backporting the upstream fix from commit
0bd7a8eaf3582159490ab355b1217a4e42ed021f above. This is currently
sitting in hirsute-proposed waiting for autopkgtests to complete to
finish migration.
For groovy, iptables 1.8.5-3ubuntu2.20.10.1 is sitting in Unapproved
and is the subject of this SRU (this is simply 1.8.5-3ubuntu3 packaged
for groovy).
[Test Case]
This can be reproduced by the test case.
[Regression Potential]
* This is a low risk update since it only affects the behaviour when a
policy of '-' is specified and so does not affect any users of iptables
that specify an explicit policy (like ACCEPT, REJECT etc). Since this
'-' behaviour is currently broken it has a very low chance of causing a
regression as it does not affect any code paths that use an explicit
policy. One possible regression would be if any users of
iptables-restore were relying on this failing behaviour, but since this
has only failed for groovy and no other Ubuntu releases this is highly
unlikely. The other possibility is that the patch introduces some other
failure, however as stated above, close analysis of the patch shows it
only introduces new behaviour when the policy is specified as '-' - so
this should be impossible.
* In the event of a regression, iptables can be reverted back to a
rebuild of 1.8.5-3ubuntu1 by simply backing out this patch.
[Other Info]
* Details regarding an explicit test verification of
neutron-linuxbridge-agent will be added soon.
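Added example (not part of the original bug report or of the iptables package): a pre-flight check that scans an iptables-save style ruleset for built-in chains declared with a policy of '-', the input shape used by the test case in the bug description. It assumes only built-in chains are relevant, since user-defined chains are always declared with '-'; the function name find_dash_policy and the sample ruleset are constructed for illustration.

```sh
#!/bin/sh
# Report built-in chains declared with policy '-' in an iptables-save
# style ruleset read from stdin. Output: "<table> <chain> line <n>".
# Assumption: user-defined chains are skipped because '-' is their
# normal declaration; only built-in chains carry a real policy.
find_dash_policy() {
    awk '
        BEGIN {
            # Built-in chains per table.
            builtin["filter"]   = "INPUT FORWARD OUTPUT"
            builtin["nat"]      = "PREROUTING INPUT OUTPUT POSTROUTING"
            builtin["mangle"]   = "PREROUTING INPUT FORWARD OUTPUT POSTROUTING"
            builtin["raw"]      = "PREROUTING OUTPUT"
            builtin["security"] = "INPUT FORWARD OUTPUT"
        }
        /^\*/ { table = substr($1, 2); next }   # "*filter" opens a table
        /^:/ {                                  # ":CHAIN POLICY [pkts:bytes]"
            chain = substr($1, 2)
            if ($2 == "-" && index(" " builtin[table] " ", " " chain " "))
                printf "%s %s line %d\n", table, chain, NR
        }
    '
}

# Constructed sample ruleset (example-chain is a hypothetical user chain).
SAMPLE_RULES='*filter
:INPUT - [0:0]
:FORWARD ACCEPT [0:0]
:example-chain - [0:0]
-A INPUT -j example-chain
COMMIT
*nat
:PREROUTING - [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT'

printf '%s\n' "$SAMPLE_RULES" | find_dash_policy
```

Any line it reports marks a declaration of the kind the test case feeds to iptables-restore, which is useful when checking generated rulesets before and after the package update.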