1489070 – iptables manager may fail to apply firewall rules if another iptables* process is being executed

Bug 1489070 - iptables manager may fail to apply firewall rules if another iptables* process is being executed

Summary: iptables manager may fail to apply firewall rules if another iptables* proces...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-neutron
Sub Component:
Version:	12.0 (Pike)
Hardware:	Unspecified
OS:	Unspecified
Priority:	urgent
Severity:	urgent
Target Milestone:	async
Target Release:	10.0 (Newton)
Assignee:	Ihar Hrachyshka
QA Contact:	Toni Freger
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1491803 (view as bug list)
Depends On:	1489066 1489071 1489072 1489074 1489081
Blocks:	1489069 1504790 1504791 1505518 1505520 1505522 1505524 1505525 1505526 1505529
TreeView+	depends on / blocked

Reported:	2017-09-06 16:03 UTC by Ihar Hrachyshka
Modified:	2020-12-14 09:54 UTC (History)
CC List:	16 users (show)
Fixed In Version:	openstack-neutron-9.4.1-2.el7ost
Doc Type:	Known Issue
Doc Text:	The new iptables version that ships with RHEL 7.4 includes a new --wait parameter. This parameter allows iptables commands issued in parallel to wait until a lock is released by the prior command. For OpenStack, the neutron service provides the iptables locking but only on the routers level. As such, when processing routers (for example, during a fullsync after the l3 agent is started), some iptables commands issued by neutron may fail because they are experiencing this lock and require the --wait parameter that is not available in neutron yet. Any routers affected by this will cause malfunctions of some floating IPs, or some instances may not access the metadata API during cloud-init. We recommend that you do not upgrade to RHEL 7.4 until neutron is released with a fix that adopts the new iptables --wait parameter.
Clone Of:	1489066
Clones:	1504790 1504791 (view as bug list)
Environment:
Last Closed:	2017-10-16 20:02:49 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Launchpad	1712185	None	None	None	2017-09-06 16:03:50 UTC
OpenStack gerrit	495974	None	None	None	2017-09-06 16:03:50 UTC
Red Hat Knowledge Base (Solution)	3204701	None	None	None	2017-10-03 12:50:45 UTC
Red Hat Product Errata	RHBA-2017:2896	normal	SHIPPED_LIVE	openstack-neutron bug fix advisory	2017-10-17 00:02:25 UTC

Comment 1 Jakub Libosvar 2017-09-25 14:26:33 UTC

*** Bug 1491803 has been marked as a duplicate of this bug. ***

Comment 14 Toni Freger 2017-10-16 11:21:22 UTC

Tested on latest OSP10 with openstack-neutron-9.4.1-2.el7ost
Tempest ran for several hours no errors were found in l3/dhcp/ovs agents.

Comment 16 errata-xmlrpc 2017-10-16 20:02:49 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2896

Note You need to log in before you can comment on or make changes to this bug.