Bug 1489070
| Summary: | iptables manager may fail to apply firewall rules if another iptables* process is being executed | |||
|---|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Ihar Hrachyshka <ihrachys> | |
| Component: | openstack-neutron | Assignee: | Ihar Hrachyshka <ihrachys> | |
| Status: | CLOSED ERRATA | QA Contact: | Toni Freger <tfreger> | |
| Severity: | urgent | Docs Contact: | ||
| Priority: | urgent | |||
| Version: | 12.0 (Pike) | CC: | amuller, cfields, chrisw, ihrachys, jjoyce, jlibosva, mschuppe, nyechiel, pablo.iranzo, pcaruana, ragiman, rcernin, samccann, sclewis, srevivo, tfreger | |
| Target Milestone: | async | Keywords: | Triaged, ZStream | |
| Target Release: | 10.0 (Newton) | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | openstack-neutron-9.4.1-2.el7ost | Doc Type: | Known Issue | |
| Doc Text: |
The new iptables version that ships with RHEL 7.4 includes a new --wait parameter. This parameter allows iptables commands issued in parallel to wait until a lock is released by the prior command. For OpenStack, the neutron service provides iptables locking, but only at the router level.
As such, when processing routers (for example, during a fullsync after the l3 agent is started), some iptables commands issued by neutron may fail because they encounter this lock and would need the --wait parameter, which is not available in neutron yet. On any affected router, some floating IPs may malfunction, or some instances may be unable to access the metadata API during cloud-init.
We recommend that you do not upgrade to RHEL 7.4 until neutron is released with a fix that adopts the new iptables --wait parameter.
|
Story Points: | --- | |
| Clone Of: | 1489066 | |||
| : | 1504790 1504791 (view as bug list) | Environment: | ||
| Last Closed: | 2017-10-16 20:02:49 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | 1489066, 1489071, 1489072, 1489074, 1489081 | |||
| Bug Blocks: | 1489069, 1504790, 1504791, 1505518, 1505520, 1505522, 1505524, 1505525, 1505526, 1505529 | |||
|
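The failure mode in the Doc Text, as an added sketch that is not neutron's or iptables' code: the shared lock is modelled as an flock on a temporary file (an assumption), and `run_rule_update`, `hold_lock` and `demo` are hypothetical names. A command that makes a single non-blocking attempt loses its rule update while another process holds the lock; one that waits, as with --wait, succeeds once the lock is released.

```python
import fcntl
import os
import tempfile
import threading
import time


def run_rule_update(lock_path, wait=None, poll=0.05):
    """Model one iptables-style command contending for a shared lock.

    wait=None: one non-blocking attempt (command issued without --wait).
    wait=N:    retry for up to N seconds (command issued with --wait).
    Returns True if the lock was obtained, i.e. the rule would be applied.
    """
    deadline = time.monotonic() + (wait or 0)
    fd = os.open(lock_path, os.O_CREAT | os.O_RDWR, 0o600)
    try:
        while True:
            try:
                fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
                return True
            except BlockingIOError:
                if time.monotonic() >= deadline:
                    return False  # lock still held: the rule is NOT applied
                time.sleep(poll)
    finally:
        os.close(fd)  # closing the descriptor releases the lock


def hold_lock(lock_path, seconds, ready):
    """Stand-in for another iptables* process holding the lock for a while."""
    fd = os.open(lock_path, os.O_CREAT | os.O_RDWR, 0o600)
    fcntl.flock(fd, fcntl.LOCK_EX)
    ready.set()
    time.sleep(seconds)
    os.close(fd)


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        lock_path = os.path.join(tmp, "demo.lock")  # constructed path
        ready = threading.Event()
        holder = threading.Thread(target=hold_lock, args=(lock_path, 0.5, ready))
        holder.start()
        ready.wait()
        without_wait = run_rule_update(lock_path)       # fails at once
        with_wait = run_rule_update(lock_path, wait=5)  # waits, then succeeds
        holder.join()
        return without_wait, with_wait
```

`demo()` returns the pair (result without waiting, result with waiting); a caller that ignores a False result ends up with a silently incomplete rule set.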
Comment 1
Jakub Libosvar
2017-09-25 14:26:33 UTC
Tested on latest OSP10 with openstack-neutron-9.4.1-2.el7ost. Tempest ran for several hours; no errors were found in l3/dhcp/ovs agents.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2896