Description of problem:
When trying to set up an OSP15 undercloud, the openvswitch agent container cannot create the iptables rules required to forward traffic.

2019-03-05 15:41:56.814 534226 DEBUG neutron.agent.securitygroups_rpc [req-a004e117-dba8-42bf-81fe-abf7a9f2faab - - - - -] Init firewall settings (driver=iptables_hybrid) init_firewall /usr/lib/python3.6/site-packages/neutron/agent/securitygroups_rpc.py:76
2019-03-05 15:41:56.839 534226 DEBUG oslo_concurrency.lockutils [req-a004e117-dba8-42bf-81fe-abf7a9f2faab - - - - -] Lock "conntrack" acquired by "neutron.agent.linux.ip_conntrack.get_conntrack" :: waited 0.000s inner /usr/lib/python3.6/site-packages/oslo_concurrency/lockutils.py:327
2019-03-05 15:41:56.840 534226 DEBUG neutron.agent.linux.utils [req-a004e117-dba8-42bf-81fe-abf7a9f2faab - - - - -] Running command (rootwrap daemon): ['iptables-save', '-t', 'raw'] execute_rootwrap_daemon /usr/lib/python3.6/site-packages/neutron/agent/linux/utils.py:103
2019-03-05 15:41:56.847 534226 DEBUG oslo_rootwrap.client [req-a004e117-dba8-42bf-81fe-abf7a9f2faab - - - - -] Popen for ['sudo', 'neutron-rootwrap-daemon', '/etc/neutron/rootwrap.conf'] command has been instantiated _initialize /usr/lib/python3.6/site-packages/oslo_rootwrap/client.py:73
2019-03-05 15:41:57.078 534226 INFO oslo_rootwrap.client [req-a004e117-dba8-42bf-81fe-abf7a9f2faab - - - - -] Spawned new rootwrap daemon process with pid=534237
2019-03-05 15:41:57.095 534226 ERROR neutron.agent.linux.utils [req-a004e117-dba8-42bf-81fe-abf7a9f2faab - - - - -] Exit code: 1; Stdin: ; Stdout: Table `raw' does not exist ; Stderr:
2019-03-05 15:41:57.096 534226 DEBUG oslo_concurrency.lockutils [req-a004e117-dba8-42bf-81fe-abf7a9f2faab - - - - -] Lock "conntrack" released by "neutron.agent.linux.ip_conntrack.get_conntrack" :: held 0.257s inner /usr/lib/python3.6/site-packages/oslo_concurrency/lockutils.py:339
2019-03-05 15:41:57.096 534226 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent [req-a004e117-dba8-42bf-81fe-abf7a9f2faab - - - - -] Exit code: 1; Stdin: ; Stdout: Table `raw' does not exist ; Stderr: Agent terminated!: neutron_lib.exceptions.ProcessExecutionError: Exit code: 1; Stdin: ; Stdout: Table `raw' does not exist
2019-03-05 15:41:57.098 534226 INFO oslo_rootwrap.client [-] Stopping rootwrap daemon process with pid=534237

Version-Release number of selected component (if applicable):
openstack-neutron-openvswitch-14.0.0-0.20190226194817.d1c2f77.el8ost.noarch

How reproducible:
every time

Steps to Reproduce:
1. install undercloud
2. systemctl restart tripleo_neutron_ovs_agent
3.

Actual results:
No iptables rules are created by the ovs agent

Expected results:
iptables rules are correctly created

Additional info:

This is why the ovs agent keeps restarting. I commented out https://git.openstack.org/cgit/openstack/neutron/tree/neutron/agent/linux/ip_conntrack.py#n75 in the container and it stopped restarting and created the iptables. It seems that iptables-save -t raw doesn't work with the nftables backend even though there is a raw nftables.

U/S change merged