Bug 1489070 - iptables manager may fail to apply firewall rules if another iptables* process is being executed
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-neutron
Version: 12.0 (Pike)
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: async
Target Release: 10.0 (Newton)
Assignee: Ihar Hrachyshka
QA Contact: Toni Freger
URL:
Whiteboard:
Duplicates: 1491803
Depends On: 1489066 1489071 1489072 1489074 1489081
Blocks: 1489069 1504790 1504791 1505518 1505520 1505522 1505524 1505525 1505526 1505529
Reported: 2017-09-06 16:03 UTC by Ihar Hrachyshka
Modified: 2020-12-14 09:54 UTC

Fixed In Version: openstack-neutron-9.4.1-2.el7ost
Doc Type: Known Issue
Doc Text:
The new iptables version that ships with RHEL 7.4 includes a new --wait parameter. This parameter allows iptables commands issued in parallel to wait until the lock held by the prior command is released. For OpenStack, the neutron service provides its own iptables locking, but only at the router level. As a result, when processing routers (for example, during a fullsync after the l3 agent is started), some iptables commands issued by neutron may fail because they encounter this lock and require the --wait parameter, which is not yet available in neutron. On any affected router, some floating IPs may malfunction, or some instances may be unable to access the metadata API during cloud-init. We recommend that you do not upgrade to RHEL 7.4 until neutron is released with a fix that adopts the new iptables --wait parameter.
Clone Of: 1489066
Clones: 1504790 1504791
Environment:
Last Closed: 2017-10-16 20:02:49 UTC
Target Upstream Version:
Embargoed:
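
The failure mode in the Doc Text above, as an added example (not neutron's code and not the shipped fix): a wrapper that passes --wait when the installed iptables accepts it, and otherwise detects a lock-contention failure and retries instead of silently dropping the rule. The names `apply_rule`, `supports_wait` and `runner` are hypothetical; the caller is assumed to know whether --wait is supported.

```python
import subprocess
import time

# Substring of the message iptables prints to stderr when another
# process holds the xtables lock and the command was not told to wait.
LOCK_MSG = "holding the xtables lock"


def is_lock_contention(returncode, stderr):
    """True when a failed iptables call lost the race for the xtables lock."""
    return returncode != 0 and LOCK_MSG in stderr


def default_runner(argv):
    """Run argv for real and return (returncode, stderr)."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.returncode, proc.stderr


def apply_rule(argv, supports_wait, runner=default_runner,
               retries=5, delay=0.2, sleep=time.sleep):
    """Apply one iptables command; return (returncode, attempts).

    supports_wait is an assumption supplied by the caller (for example,
    probed once at agent start). With --wait, iptables blocks until the
    lock is free, so no retry loop is needed.
    """
    argv = list(argv)
    if supports_wait:
        argv = [argv[0], "--wait"] + argv[1:]
        retries = 0
    attempts = 0
    while True:
        attempts += 1
        rc, err = runner(argv)
        # Stop on success, on any non-lock error, or when retries run out.
        if not is_lock_contention(rc, err) or attempts > retries:
            return rc, attempts
        sleep(delay * attempts)  # linear backoff before the next try
```

A non-zero return code after the final attempt should be surfaced to the caller so the router is marked for resync rather than left half-configured.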




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Launchpad | 1712185 | 0 | None | None | None | 2017-09-06 16:03:50 UTC
OpenStack gerrit | 495974 | 0 | None | None | None | 2017-09-06 16:03:50 UTC
Red Hat Knowledge Base (Solution) | 3204701 | 0 | None | None | None | 2017-10-03 12:50:45 UTC
Red Hat Product Errata | RHBA-2017:2896 | 0 | normal | SHIPPED_LIVE | openstack-neutron bug fix advisory | 2017-10-17 00:02:25 UTC

Comment 1 Jakub Libosvar 2017-09-25 14:26:33 UTC
*** Bug 1491803 has been marked as a duplicate of this bug. ***

Comment 14 Toni Freger 2017-10-16 11:21:22 UTC
Tested on latest OSP10 with openstack-neutron-9.4.1-2.el7ost
Tempest ran for several hours; no errors were found in l3/dhcp/ovs agents.

Comment 16 errata-xmlrpc 2017-10-16 20:02:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2896

