1713329 – Functional tests failing with "Test leaked ebtables rules" error

Bug 1713329 - Functional tests failing with "Test leaked ebtables rules" error

Summary: Functional tests failing with "Test leaked ebtables rules" error

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-neutron
Sub Component:
Version:	15.0 (Stein)
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	beta
Target Release:	15.0 (Stein)
Assignee:	Slawek Kaplonski
QA Contact:	Candido Campos
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-05-23 12:16 UTC by Slawek Kaplonski
Modified:	2019-09-26 10:51 UTC (History)
CC List:	7 users (show)
Fixed In Version:	openstack-neutron-14.0.3-0.20190704180411.9f4e596.el8ost
Doc Type:	Known Issue
Doc Text:	Red Hat OpenStack Platform deployments that use the Linux bridge ML2 driver and agent are unprotected against Address Resolution Protocol (ARP) spoofing. The version of Ethernet bridge frame table administration (ebtables) that is part of Red Hat Enterprise Linux 8 is incompatible with the Linux bridge ML2 driver. The Linux Bridge ML2 driver and agent were deprecated in Red Hat OpenStack Platform 11, and should not be used. Red Hat recommends that you use instead the ML2 Open Virtual Network (OVN) driver and services, the default deployed by the Red Hat OpenStack Platform director.
Clone Of:
Environment:
Last Closed:	2019-09-21 11:22:30 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHEA-2019:2811	0	None	None	None	2019-09-21 11:22:49 UTC

Comment 2 Slawek Kaplonski 2019-06-14 10:38:30 UTC

I did a small investigation on this one and I found that tests are failing with error like:

2019-06-14 05:56:35.110 26575 DEBUG neutron.agent.linux.utils [-] Running command (rootwrap daemon): ['ip', 'netns', 'exec', 'test-26150a31-5291-4b93-9ac0-a8c143a680ae', 'ebtables', '-t', 'nat', '--concurrent', '-A', 'neutronMAC-test-veth0be0dc', '-i', 'test-veth0be0dc',
'--among-src', 'fa:16:3e:e6:dd:20', '-j', 'RETURN'] execute_rootwrap_daemon /home/cloud-user/neutron/neutron/agent/linux/utils.py:103
2019-06-14 05:56:35.129 26575 ERROR neutron.agent.linux.utils [-] Exit code: 255; Stdin: ; Stdout: ; Stderr: Unknown argument: '--among-src'.


So I checked manually:

$ sudo ebtables -t nat --concurrent -A OUTPUT --among-src fa:16:3e:e6:dd:20 -j RETURN
Unknown argument: '--among-src'.


And looked into man page where I found "BUGS" section:

BUGS
       The version of ebtables this man page ships with does not support the broute table. Also there is  no  support  for
       the among match. And finally, this list is probably not complete.


So it looks that this will simply not work and we have to workaround it somehow.

Comment 3 Slawek Kaplonski 2019-06-14 12:11:05 UTC

I opened bug agains RHEL for that https://bugzilla.redhat.com/show_bug.cgi?id=1720637

Comment 16 errata-xmlrpc 2019-09-21 11:22:30 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:2811

Note You need to log in before you can comment on or make changes to this bug.