Bug 997941
| Summary: | need to set net.bridge.bridge-nf-call-iptables=1 for --allinone installation | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Scott Lewis <sclewis> | ||||||
| Component: | openstack-packstack | Assignee: | Martin Magr <mmagr> | ||||||
| Status: | CLOSED ERRATA | QA Contact: | Nir Magnezi <nmagnezi> | ||||||
| Severity: | high | Docs Contact: | |||||||
| Priority: | high | ||||||||
| Version: | 3.0 | CC: | aortega, breeler, derekh, enakai, hateya, jkt, mmagr, sgordon, yeylon | ||||||
| Target Milestone: | z2 | Keywords: | Triaged, ZStream | ||||||
| Target Release: | 3.0 | ||||||||
| Hardware: | Unspecified | ||||||||
| OS: | Unspecified | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | openstack-packstack-2013.1.1-0.31.dev677.el6ost | Doc Type: | Bug Fix | ||||||
| Doc Text: |
Previously, when running "packstack --allinone", certain kernel parameters were not set. Without this configuration security groups did not work correctly. This has been fixed and security groups now work correctly.
|
Story Points: | --- | ||||||
| Clone Of: | 981144 | Environment: | |||||||
| Last Closed: | 2013-09-03 19:59:15 UTC | Type: | Bug | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Bug Depends On: | 981144 | ||||||||
| Bug Blocks: | 981469 | ||||||||
| Attachments: |
|
||||||||
|
Comment 4
Martin Magr
2013-08-21 11:49:10 UTC
(In reply to Martin Magr from comment #4) > With this change when neutron is installed on each compute node: > > 1. module /etc/sysconfig/modules/openstack-neutron.modules is created with > content: > https://review.openstack.org/#/c/36835/5/packstack/puppet/modules/packstack/ > templates/openstack-neutron.modules.erb > > 2. following lines are added to /etc/sysctl.conf: > net.bridge.bridge-nf-call-ip6tables = 1 > net.bridge.bridge-nf-call-iptables = 1 > net.bridge.bridge-nf-call-arptables = 1 I installed OpenStack using openstack-packstack-2013.1.1-0.30.dev672 using the --allinone option. in /etc/sysctl.conf I see a differance in the 3rd line from what you have mentioned. net.bridge.bridge-nf-call-ip6tables = 1 net.bridge.bridge-nf-call-iptables = 1 net.bridge.bridge-nf-call-arptables=0 Shall I reopen the bug? If you check the code changing the config file [1] there is only one possibility that two would apply and third not. Application of Nova's manifest had to fail before finishing the third edit. So this might not be issue of this fix. Could you please check what's written in the /var/tmp/packstack/<timestamp>-<random>/manifests/<ip>_nova.pp.log file? [1] https://review.openstack.org/#/c/36835/5/packstack/puppet/modules/packstack/manifests/neutron/bridge.pp Created attachment 789047 [details]
nova.pp.log
Martin,
I did not find any indication of failure on this file.
Please have a look.
Sorry I was wrong, could you also upload neutron.pp.log? Created attachment 789169 [details]
quantum.pp.log
From the log I see following: notice: /Stage[main]/Packstack::Neutron::Bridge/File_line[/etc/sysctl.conf bridge-nf-call-iptables]/ensure: created notice: /Stage[main]/Packstack::Neutron::Bridge/File_line[/etc/sysctl.conf bridge-nf-call-ip6tables]/ensure: created notice: /Stage[main]/Packstack::Neutron::Bridge/File_line[/etc/sysctl.conf bridge-nf-call-arptables]/ensure: created Are you sure that this log is from the run when the sysctl.conf edit failed? Another possibility might be that those two editation happened in parallel hence one modification was lost. But from the log it seems that there has been enough time between each modification. NEEDINFO for Martin Magr: I am writing the Doc Text for bug advisories. In order to clarify to the user what this bug fixes, could you please state what the symptoms would have been that the user would have seen before the bug was fixed? I assume there must have been some security error? If you check the original bug #981144, you can find out that without such configuration security groups don't work correctly. (In reply to Martin Magr from comment #10) > From the log I see following: > > notice: /Stage[main]/Packstack::Neutron::Bridge/File_line[/etc/sysctl.conf > bridge-nf-call-iptables]/ensure: created > notice: /Stage[main]/Packstack::Neutron::Bridge/File_line[/etc/sysctl.conf > bridge-nf-call-ip6tables]/ensure: created > notice: /Stage[main]/Packstack::Neutron::Bridge/File_line[/etc/sysctl.conf > bridge-nf-call-arptables]/ensure: created > > Are you sure that this log is from the run when the sysctl.conf edit failed? > > Another possibility might be that those two editation happened in parallel > hence one modification was lost. But from the log it seems that there has > been enough time between each modification. Yes. I used packstack on a clean RHEL6.4 In addition to that: I ran packstack two more times (using two additional servers). I noticed a different result each time: In Comment #5 We had: net.bridge.bridge-nf-call-ip6tables = 1 net.bridge.bridge-nf-call-iptables = 1 net.bridge.bridge-nf-call-arptables=0 Now I get: Server A: net.bridge.bridge-nf-call-ip6tables=0 net.bridge.bridge-nf-call-iptables = 1 net.bridge.bridge-nf-call-arptables = 1 Server B: net.bridge.bridge-nf-call-ip6tables=0 net.bridge.bridge-nf-call-iptables=0 net.bridge.bridge-nf-call-arptables=0 * Tested with: openstack-packstack-2013.1.1-0.30.dev672.el6ost.noarch Verified NVR: openstack-packstack-2013.1.1-0.31.dev677.el6ost.noarch Installed openstack via packstack on 3 different servers as all-in-one: $ packstack --allinone Verified the following attributes in /etc/sysctl.conf net.bridge.bridge-nf-call-ip6tables=1 net.bridge.bridge-nf-call-iptables=1 net.bridge.bridge-nf-call-arptables=1 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1186.html |