Bug 981144
Summary: | need to set net.bridge.bridge-nf-call-iptables=1 for --allinone installation | |||
---|---|---|---|---|
Product: | Red Hat OpenStack | Reporter: | Etsuji Nakai <enakai> | |
Component: | openstack-packstack | Assignee: | RHOS Maint <rhos-maint> | |
Status: | CLOSED ERRATA | QA Contact: | Nir Magnezi <nmagnezi> | |
Severity: | high | Docs Contact: | ||
Priority: | high | |||
Version: | 3.0 | CC: | aortega, breeler, derekh, jkt, mlopes, mmagr, sclewis, sgordon, sradvan | |
Target Milestone: | Upstream M3 | |||
Target Release: | 4.0 | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | openstack-packstack-2013.2.1-0.3.dev722.el6ost | Doc Type: | Bug Fix | |
Doc Text: |
Cause:
Kernel parameters were not correctly set during packstack installation due to interfering puppet processes.
Consequence:
Security groups did not function and parameters were not set at boot time.
Fix:
Interfering puppet processes are disabled and the following kernel parameters are now set in /etc/sysctl.conf:
net.bridge.bridge-nf-call-ip6tables=1
net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-arptables=1
Result:
Installation now operates as expected due to kernel parameters being set successfully.
|
Story Points: | --- | |
Clone Of: | ||||
: | 981469 997941 (view as bug list) | Environment: | ||
Last Closed: | 2013-12-20 00:12:45 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 981469, 997941 |
Description
Etsuji Nakai
2013-07-04 06:30:21 UTC
(In reply to Etsuji Nakai from comment #0) > Describe the issue: > For the single node deployment with "packstack --allinone", following kernel > parms should be set so that the security group works correctly. > > net.bridge.bridge-nf-call-ip6tables = 1 > net.bridge.bridge-nf-call-iptables = 1 > net.bridge.bridge-nf-call-arptables = 1 If this is actually the case I think the correct approach is to update PackStack to handle this, not document around it (though if these steps are required I am sure we will need to cover it in the other guide for users performing manual setup). Reopened. Used openstack-packstack-2013.2.1-0.6.dev763.el6ost.noarch to install openstack: # packstack --allinone -d Result: ======= # grep nf-call- /etc/sysctl.conf net.bridge.bridge-nf-call-ip6tables=0 net.bridge.bridge-nf-call-iptables=0 net.bridge.bridge-nf-call-arptables=0 From logs it looks OK: [0;36mnotice: /Stage[main]/Packstack::Neutron::Bridge/File_line[/etc/sysctl.conf bridge-nf-call-ip6tables]/ensure: created[0m [0;36mnotice: /Stage[main]/Packstack::Neutron::Bridge/File_line[/etc/sysctl.conf bridge-nf-call-iptables]/ensure: created[0m [0;36mnotice: /Stage[main]/Packstack::Neutron::Bridge/File_line[/etc/sysctl.conf bridge-nf-call-arptables]/ensure: created[0m And from my RDO testing: [para@virtual-rhel ~]$ cat /etc/sysctl.conf | grep "net.bridge" net.bridge.bridge-nf-call-ip6tables=1 net.bridge.bridge-nf-call-iptables=1 net.bridge.bridge-nf-call-arptables=1 [para@virtual-rhel ~]$ rpm -q openstack-packstack openstack-packstack-2013.2.1-0.10.dev763.el6.noarch Will try also ost version, but since these packages are made from the same tarball I think it should not be different. So indeed it's the same for ost package: [para@virtual-rhel ~]$ cat /etc/sysctl.conf | grep "net.bridge" ; rpm -q openstack-packstack net.bridge.bridge-nf-call-ip6tables=1 net.bridge.bridge-nf-call-iptables=1 net.bridge.bridge-nf-call-arptables=1 openstack-packstack-2013.2.1-0.6.dev763.el6ost.noarch [para@virtual-rhel ~]$ I guess we are missing something here. I even tried to reboot (in case this is changed in boot time somehow), but the values stayed the same. Verified NVR: openstack-packstack-2013.2.1-0.6.dev763.el6ost.noarch It seems like non packstack puppet processes, affected the configuration. I disabled them and the values in /etc/sysctl.conf look OK now (tested several times). Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHEA-2013-1859.html |