Bug 1175460

Summary: AIO packstack fails - bridge module not installed
Product: [Community] RDO Reporter: Richard W.M. Jones <rjones>
Component: openstack-packstackAssignee: Lukas Bezdicka <lbezdick>
Status: CLOSED DUPLICATE QA Contact: Ami Jeain <ajeain>
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aortega, apevec, derekh, herrold, ichavero, lbezdick, lhh, rjones, sclewis, yeylon
Target Milestone: ---Keywords: OtherQA
Target Release: Juno   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openstack-packstack-2014.2-0.13.dev1395.gaabe0a2.fc22 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1132129 Environment:
Last Closed: 2015-02-05 22:11:01 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1132129    
Bug Blocks: 1175340    

Description Richard W.M. Jones 2014-12-17 19:04:51 UTC 
Cloning this bug since it still happens in Rawhide (why are changes
not going into Rawhide first?)

openstack-packstack-2014.2-0.12.dev1370.ge46bee1.fc22.noarch

+++ This bug was initially created as a clone of Bug #1132129 +++

Description of problem:

192.168.122.164_neutron.pp:                       [ ERROR ]           
Applying Puppet manifests                         [ ERROR ]

ERROR : Error appeared during Puppet run: 192.168.122.164_neutron.pp
Error: sysctl -p /etc/sysctl.conf returned 255 instead of one of [0]
You will find full trace in log /var/tmp/packstack/20140820-133613-UqwCAn/manifests/192.168.122.164_neutron.pp.log
Please check log file /var/tmp/packstack/20140820-133613-UqwCAn/openstack-setup.log for more information

[...]

--- Additional comment from Lon Hohberger on 2014-08-20 15:04:34 EDT ---

This is not environmental.  The RHEL release of initscripts as of 6.5 has an issue where the default sysctl.conf has the following lines contained therein:

# Disable netfilter on bridges.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

These sysctl modules are part of the bridge module, so running 'sysctl -p /etc/sysctl.conf' causes error 255 to be returned with errors being printed to standard output.

This appears to be the default in initscripts-9.03.40.

This causes issues in packstack versions after: https://github.com/stackforge/packstack/commit/76920d69f017e8cbbec0c60435866c85ad258f92

--- Additional comment from Lon Hohberger on 2014-08-20 15:07:34 EDT ---

Simply adding -e will fix it:

[root@localhost ~]# sysctl -e -p /etc/sysctl.conf > /dev/null; echo $?
0
[root@localhost ~]# sysctl  -p /etc/sysctl.conf > /dev/null; echo $?
error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
error: "net.bridge.bridge-nf-call-iptables" is an unknown key
error: "net.bridge.bridge-nf-call-arptables" is an unknown key
255
Comment 1 Richard W.M. Jones 2014-12-17 19:07:34 UTC 
I was able to work around this by hand-applying the patch
(see gerrit) to this file:
/usr/share/openstack-puppet/modules/packstack/manifests/neutron/bridge.pp
Comment 2 Ivan Chavero 2014-12-17 22:26:20 UTC 
i've tested for this bug on fedora 21 and couldn't reproduce. 
i'll test in rawhide to see if it presents
Comment 3 Alvaro Lopez Ortega 2014-12-18 06:26:14 UTC 
Ivan, Wouldn't it be easier to compare the manifests/neutron/bridge.pp file from the two different RPMs?
Comment 4 Ivan Chavero 2014-12-18 09:07:40 UTC 
the patch was removed in this commit: 
https://github.com/stackforge/packstack/commit/1151170f534b2e44d9dd3549befa0021e01a1b74
because the cause of this problem does not present anymore neither in Fedora 21 or Fedora rawhide:

# sysctl  -p /etc/sysctl.conf > /dev/null; echo $?
0


Did the your environment was tampered a little before running packstack?
Comment 5 Richard W.M. Jones 2014-12-18 09:11:54 UTC 
It's a virtual machine that starts off freshly created with only @Core
packages installed, so there is no "tampering" going on.  However I've
no idea who/what installs the rules in the sysctl.conf file (not me,
obviously), nor how to find out.  It could be packstack itself?
Comment 6 Richard W.M. Jones 2014-12-18 09:49:33 UTC 
The entire contents of /etc/sysctl.conf (after running packstack) are:

$ cat /etc/sysctl.conf 
# HEADER: This file was autogenerated at 2014-12-17 18:52:35 +0000
# HEADER: by puppet.  While it can still be managed manually, it
# HEADER: is definitely not recommended.
# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
net.ipv4.tcp_keepalive_intvl=1
net.ipv4.tcp_keepalive_time=5
net.ipv4.tcp_keepalive_probes=5
net.ipv4.ip_forward=1
net.bridge.bridge-nf-call-ip6tables=1
net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-arptables=1
Comment 7 Richard W.M. Jones 2014-12-18 09:50:04 UTC 
# sysctl  -p /etc/sysctl.conf > /dev/null; echo $?
sysctl: cannot stat /proc/sys/net/bridge/bridge-nf-call-ip6tables: No such file or directory
sysctl: cannot stat /proc/sys/net/bridge/bridge-nf-call-iptables: No such file or directory
sysctl: cannot stat /proc/sys/net/bridge/bridge-nf-call-arptables: No such file or directory
255
Comment 8 Richard W.M. Jones 2014-12-18 09:51:52 UTC 
It looks like packstack itself is making this change.
See:

/usr/share/openstack-puppet/modules/packstack/manifests/neutron/bridge.pp

which contains:

    } -> file_line { '/etc/sysctl.conf bridge-nf-call-ip6tables':
        path  => '/etc/sysctl.conf',
        line  => 'net.bridge.bridge-nf-call-ip6tables=1',
        match => 'net.bridge.bridge-nf-call-ip6tables\s*=',
    } -> file_line { '/etc/sysctl.conf bridge-nf-call-iptables':
        path  => '/etc/sysctl.conf',
        line  => 'net.bridge.bridge-nf-call-iptables=1',
        match => 'net.bridge.bridge-nf-call-iptables\s*=',
    } -> file_line { '/etc/sysctl.conf bridge-nf-call-arptables':
        path  => '/etc/sysctl.conf',
        line  => 'net.bridge.bridge-nf-call-arptables=1',
        match => 'net.bridge.bridge-nf-call-arptables\s*=',
Comment 9 Richard W.M. Jones 2014-12-18 10:27:53 UTC 
OK I see what's going on.

The /proc/sys/net/bridge/* files are only created after br_netfilter
(kernel module) is loaded:

[root@packstack packstack]# modprobe br_netfilter
[root@packstack packstack]# ls /proc/sys/net/bridge/
bridge-nf-call-arptables  bridge-nf-filter-pppoe-tagged
bridge-nf-call-ip6tables  bridge-nf-filter-vlan-tagged
bridge-nf-call-iptables   bridge-nf-pass-vlan-input-dev
[root@packstack packstack]# sysctl  -p /etc/sysctl.conf > /dev/null; echo $?
0

So I'm guessing that packstack or something else needs to load
that module.
Comment 10 Alan Pevec (Fedora) 2015-02-05 22:11:01 UTC 
F22+ check fails after recent kernel update on F21, followup proposed in dup bz.

*** This bug has been marked as a duplicate of bug 1189681 ***