Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1713329

Summary: Functional tests failing with "Test leaked ebtables rules" error
Product: Red Hat OpenStack Reporter: Slawek Kaplonski <skaplons>
Component: openstack-neutronAssignee: Slawek Kaplonski <skaplons>
Status: CLOSED ERRATA QA Contact: Candido Campos <ccamposr>
Severity: high Docs Contact:
Priority: high    
Version: 15.0 (Stein)CC: amuller, bcafarel, chrisw, ekuris, gregraka, njohnston, scohen
Target Milestone: betaKeywords: AutomationBlocker, Triaged
Target Release: 15.0 (Stein)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openstack-neutron-14.0.3-0.20190704180411.9f4e596.el8ost Doc Type: Known Issue
Doc Text:
Red Hat OpenStack Platform deployments that use the Linux bridge ML2 driver and agent are unprotected against Address Resolution Protocol (ARP) spoofing. The version of Ethernet bridge frame table administration (ebtables) that is part of Red Hat Enterprise Linux 8 is incompatible with the Linux bridge ML2 driver. The Linux Bridge ML2 driver and agent were deprecated in Red Hat OpenStack Platform 11, and should not be used. Red Hat recommends that you use instead the ML2 Open Virtual Network (OVN) driver and services, the default deployed by the Red Hat OpenStack Platform director.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-09-21 11:22:30 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Comment 2 Slawek Kaplonski 2019-06-14 10:38:30 UTC 
I did a small investigation on this one and I found that tests are failing with error like:

2019-06-14 05:56:35.110 26575 DEBUG neutron.agent.linux.utils [-] Running command (rootwrap daemon): ['ip', 'netns', 'exec', 'test-26150a31-5291-4b93-9ac0-a8c143a680ae', 'ebtables', '-t', 'nat', '--concurrent', '-A', 'neutronMAC-test-veth0be0dc', '-i', 'test-veth0be0dc',
'--among-src', 'fa:16:3e:e6:dd:20', '-j', 'RETURN'] execute_rootwrap_daemon /home/cloud-user/neutron/neutron/agent/linux/utils.py:103
2019-06-14 05:56:35.129 26575 ERROR neutron.agent.linux.utils [-] Exit code: 255; Stdin: ; Stdout: ; Stderr: Unknown argument: '--among-src'.


So I checked manually:

$ sudo ebtables -t nat --concurrent -A OUTPUT --among-src fa:16:3e:e6:dd:20 -j RETURN
Unknown argument: '--among-src'.


And looked into man page where I found "BUGS" section:

BUGS
       The version of ebtables this man page ships with does not support the broute table. Also there is  no  support  for
       the among match. And finally, this list is probably not complete.


So it looks that this will simply not work and we have to workaround it somehow.
Comment 3 Slawek Kaplonski 2019-06-14 12:11:05 UTC 
I opened bug agains RHEL for that https://bugzilla.redhat.com/show_bug.cgi?id=1720637
Comment 16 errata-xmlrpc 2019-09-21 11:22:30 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:2811