Cloning this bug since it still happens in Rawhide (why are changes not going into Rawhide first?)

openstack-packstack-2014.2-0.12.dev1370.ge46bee1.fc22.noarch

+++ This bug was initially created as a clone of Bug #1132129 +++

Description of problem:

    192.168.122.164_neutron.pp: [ ERROR ]
    Applying Puppet manifests [ ERROR ]
    ERROR : Error appeared during Puppet run: 192.168.122.164_neutron.pp
    Error: sysctl -p /etc/sysctl.conf returned 255 instead of one of [0]
    You will find full trace in log /var/tmp/packstack/20140820-133613-UqwCAn/manifests/192.168.122.164_neutron.pp.log
    Please check log file /var/tmp/packstack/20140820-133613-UqwCAn/openstack-setup.log for more information

[...]

--- Additional comment from Lon Hohberger on 2014-08-20 15:04:34 EDT ---

This is not environmental. The RHEL release of initscripts as of 6.5 has an issue where the default sysctl.conf has the following lines contained therein:

    # Disable netfilter on bridges.
    net.bridge.bridge-nf-call-ip6tables = 0
    net.bridge.bridge-nf-call-iptables = 0
    net.bridge.bridge-nf-call-arptables = 0

These sysctl modules are part of the bridge module, so running 'sysctl -p /etc/sysctl.conf' causes error 255 to be returned with errors being printed to standard output. This appears to be the default in initscripts-9.03.40.

This causes issues in packstack versions after:
https://github.com/stackforge/packstack/commit/76920d69f017e8cbbec0c60435866c85ad258f92

--- Additional comment from Lon Hohberger on 2014-08-20 15:07:34 EDT ---

Simply adding -e will fix it:

    [root@localhost ~]# sysctl -e -p /etc/sysctl.conf > /dev/null; echo $?
    0
    [root@localhost ~]# sysctl -p /etc/sysctl.conf > /dev/null; echo $?
    error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
    error: "net.bridge.bridge-nf-call-iptables" is an unknown key
    error: "net.bridge.bridge-nf-call-arptables" is an unknown key
    255
I was able to work around this by hand-applying the patch (see gerrit) to this file: /usr/share/openstack-puppet/modules/packstack/manifests/neutron/bridge.pp
I've tested for this bug on Fedora 21 and couldn't reproduce. I'll test in Rawhide to see if it presents.
Ivan, Wouldn't it be easier to compare the manifests/neutron/bridge.pp file from the two different RPMs?
The patch was removed in this commit:
https://github.com/stackforge/packstack/commit/1151170f534b2e44d9dd3549befa0021e01a1b74
because the cause of this problem no longer presents in either Fedora 21 or Fedora Rawhide:

    # sysctl -p /etc/sysctl.conf > /dev/null; echo $?
    0

Was your environment tampered with a little before running packstack?
It's a virtual machine that starts off freshly created with only @Core packages installed, so there is no "tampering" going on. However I've no idea who/what installs the rules in the sysctl.conf file (not me, obviously), nor how to find out. It could be packstack itself?
The entire contents of /etc/sysctl.conf (after running packstack) are:

    $ cat /etc/sysctl.conf
    # HEADER: This file was autogenerated at 2014-12-17 18:52:35 +0000
    # HEADER: by puppet. While it can still be managed manually, it
    # HEADER: is definitely not recommended.
    # sysctl settings are defined through files in
    # /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
    #
    # Vendors settings live in /usr/lib/sysctl.d/.
    # To override a whole file, create a new file with the same in
    # /etc/sysctl.d/ and put new settings there. To override
    # only specific settings, add a file with a lexically later
    # name in /etc/sysctl.d/ and put new settings there.
    #
    # For more information, see sysctl.conf(5) and sysctl.d(5).
    net.ipv4.tcp_keepalive_intvl=1
    net.ipv4.tcp_keepalive_time=5
    net.ipv4.tcp_keepalive_probes=5
    net.ipv4.ip_forward=1
    net.bridge.bridge-nf-call-ip6tables=1
    net.bridge.bridge-nf-call-iptables=1
    net.bridge.bridge-nf-call-arptables=1

    # sysctl -p /etc/sysctl.conf > /dev/null; echo $?
    sysctl: cannot stat /proc/sys/net/bridge/bridge-nf-call-ip6tables: No such file or directory
    sysctl: cannot stat /proc/sys/net/bridge/bridge-nf-call-iptables: No such file or directory
    sysctl: cannot stat /proc/sys/net/bridge/bridge-nf-call-arptables: No such file or directory
    255
It looks like packstack itself is making this change. See:
/usr/share/openstack-puppet/modules/packstack/manifests/neutron/bridge.pp
which contains:

    } ->
    file_line { '/etc/sysctl.conf bridge-nf-call-ip6tables':
      path  => '/etc/sysctl.conf',
      line  => 'net.bridge.bridge-nf-call-ip6tables=1',
      match => 'net.bridge.bridge-nf-call-ip6tables\s*=',
    } ->
    file_line { '/etc/sysctl.conf bridge-nf-call-iptables':
      path  => '/etc/sysctl.conf',
      line  => 'net.bridge.bridge-nf-call-iptables=1',
      match => 'net.bridge.bridge-nf-call-iptables\s*=',
    } ->
    file_line { '/etc/sysctl.conf bridge-nf-call-arptables':
      path  => '/etc/sysctl.conf',
      line  => 'net.bridge.bridge-nf-call-arptables=1',
      match => 'net.bridge.bridge-nf-call-arptables\s*=',
OK I see what's going on. The /proc/sys/net/bridge/* files are only created after br_netfilter (kernel module) is loaded:

    [root@packstack packstack]# modprobe br_netfilter
    [root@packstack packstack]# ls /proc/sys/net/bridge/
    bridge-nf-call-arptables  bridge-nf-filter-pppoe-tagged
    bridge-nf-call-ip6tables  bridge-nf-filter-vlan-tagged
    bridge-nf-call-iptables   bridge-nf-pass-vlan-input-dev
    [root@packstack packstack]# sysctl -p /etc/sysctl.conf > /dev/null; echo $?
    0

So I'm guessing that packstack or something else needs to load that module.
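Added example (not part of the bug report and not packstack code): a pre-flight check that lists every key in a sysctl.conf that has no backing file under /proc/sys, which is the condition that makes 'sysctl -p' return 255 in the comments above. The function name missing_sysctl_keys and its optional second argument (an alternate /proc/sys root, used here so the check can run against a constructed tree) are assumptions of this example.

```shell
#!/bin/sh
# Added example: find sysctl.conf keys that 'sysctl -p' cannot resolve.
# missing_sysctl_keys CONF [PROC_ROOT]
#   Prints each key in CONF with no file under PROC_ROOT (default /proc/sys).
#   Returns 1 if any key is unresolved, 0 otherwise.
missing_sysctl_keys() {
    conf=$1
    proc_root=${2:-/proc/sys}
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        # Remove all blanks so "key = value" and "key=value" look alike.
        stripped=$(printf '%s' "$line" | tr -d ' \t')
        case $stripped in
            ''|'#'*|';'*) continue ;;   # blank line or comment
            *=*) ;;                     # key=value setting
            *) continue ;;              # not a setting
        esac
        key=${stripped%%=*}
        # Simple dot-to-slash mapping; interface names that themselves
        # contain dots are not handled by this example.
        path=$(printf '%s' "$key" | tr . /)
        if [ ! -e "$proc_root/$path" ]; then
            printf '%s\n' "$key"
            rc=1
        fi
    done < "$conf"
    return $rc
}

# Constructed demo: a fake /proc/sys tree with no net/bridge directory,
# as on a host where br_netfilter has not been loaded.
demo=$(mktemp -d)
mkdir -p "$demo/proc/net/ipv4"
: > "$demo/proc/net/ipv4/ip_forward"
printf '%s\n' '# constructed sample' \
    'net.ipv4.ip_forward=1' \
    'net.bridge.bridge-nf-call-iptables=1' > "$demo/sysctl.conf"
missing_sysctl_keys "$demo/sysctl.conf" "$demo/proc" \
    || echo "unresolved keys: the owning kernel module is probably not loaded"
rm -rf "$demo"
```

On a real host, 'missing_sysctl_keys /etc/sysctl.conf' run before and after 'modprobe br_netfilter' shows whether the net.bridge.* keys are the only ones affected.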
F22+ check fails after recent kernel update on F21, followup proposed in dup bz.

*** This bug has been marked as a duplicate of bug 1189681 ***