Bug 997941 - need to set net.bridge.bridge-nf-call-iptables=1 for --allinone installation
Summary: need to set net.bridge.bridge-nf-call-iptables=1 for --allinone installation
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-packstack
Version: 3.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: z2
: 3.0
Assignee: Martin Magr
QA Contact: Nir Magnezi
URL:
Whiteboard:
Depends On: 981144
Blocks: 981469
 
Reported: 2013-08-16 15:07 UTC by Scott Lewis
Modified: 2019-09-10 14:08 UTC
CC: 9 users

Fixed In Version: openstack-packstack-2013.1.1-0.31.dev677.el6ost
Doc Type: Bug Fix
Doc Text:
Previously, when running "packstack --allinone", certain kernel parameters (the net.bridge.bridge-nf-call-* sysctl settings) were not set. Without this configuration, security groups did not work correctly. This has been fixed and security groups now work correctly.
Clone Of: 981144
Environment:
Last Closed: 2013-09-03 19:59:15 UTC
Target Upstream Version:
Embargoed:


Attachments
nova.pp.log (89.28 KB, text/x-log), 2013-08-22 06:14 UTC, Nir Magnezi
quantum.pp.log (65.94 KB, text/x-log), 2013-08-22 12:16 UTC, Nir Magnezi


Links
OpenStack gerrit 36835
OpenStack gerrit 42362
OpenStack gerrit 43680
Red Hat Product Errata RHBA-2013:1186 (normal, SHIPPED_LIVE): Red Hat OpenStack 3.0 bug fix advisory, 2013-09-03 23:55:39 UTC

Comment 4 Martin Magr 2013-08-21 11:49:10 UTC
With this change when neutron is installed on each compute node:

1. module /etc/sysconfig/modules/openstack-neutron.modules is created with content: https://review.openstack.org/#/c/36835/5/packstack/puppet/modules/packstack/templates/openstack-neutron.modules.erb

2. following lines are added to /etc/sysctl.conf:
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-arptables = 1

Comment 5 Nir Magnezi 2013-08-21 14:46:46 UTC
(In reply to Martin Magr from comment #4)
> With this change when neutron is installed on each compute node:
> 
> 1. module /etc/sysconfig/modules/openstack-neutron.modules is created with
> content:
> https://review.openstack.org/#/c/36835/5/packstack/puppet/modules/packstack/
> templates/openstack-neutron.modules.erb
> 
> 2. following lines are added to /etc/sysctl.conf:
> net.bridge.bridge-nf-call-ip6tables = 1
> net.bridge.bridge-nf-call-iptables = 1
> net.bridge.bridge-nf-call-arptables = 1


I installed OpenStack using openstack-packstack-2013.1.1-0.30.dev672 using the --allinone option.

In /etc/sysctl.conf I see a difference in the 3rd line from what you have mentioned.

net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-arptables=0

Shall I reopen the bug?

Comment 6 Martin Magr 2013-08-21 15:18:38 UTC
If you check the code changing the config file [1], there is only one possibility that two would apply and the third not. Application of Nova's manifest had to fail before finishing the third edit. So this might not be an issue of this fix. Could you please check what's written in the /var/tmp/packstack/<timestamp>-<random>/manifests/<ip>_nova.pp.log file?

[1] https://review.openstack.org/#/c/36835/5/packstack/puppet/modules/packstack/manifests/neutron/bridge.pp

Comment 7 Nir Magnezi 2013-08-22 06:14:45 UTC
Created attachment 789047 [details]
nova.pp.log

Martin,
I did not find any indication of failure on this file.
Please have a look.

Comment 8 Martin Magr 2013-08-22 08:30:02 UTC
Sorry I was wrong, could you also upload neutron.pp.log?

Comment 9 Nir Magnezi 2013-08-22 12:16:44 UTC
Created attachment 789169 [details]
quantum.pp.log

Comment 10 Martin Magr 2013-08-22 14:08:32 UTC
From the log I see the following:

notice: /Stage[main]/Packstack::Neutron::Bridge/File_line[/etc/sysctl.conf bridge-nf-call-iptables]/ensure: created
notice: /Stage[main]/Packstack::Neutron::Bridge/File_line[/etc/sysctl.conf bridge-nf-call-ip6tables]/ensure: created
notice: /Stage[main]/Packstack::Neutron::Bridge/File_line[/etc/sysctl.conf bridge-nf-call-arptables]/ensure: created

Are you sure that this log is from the run when the sysctl.conf edit failed?

Another possibility might be that those two edits happened in parallel, hence one modification was lost. But from the log it seems that there has been enough time between each modification.

Comment 11 Bruce Reeler 2013-08-23 07:44:24 UTC
NEEDINFO for Martin Magr:
I am writing the Doc Text for bug advisories. In order to clarify to the user what this bug fixes, could you please state what the symptoms would have been that the user would have seen before the bug was fixed?  I assume there must have been some security error?

Comment 12 Martin Magr 2013-08-23 08:47:17 UTC
If you check the original bug #981144, you can find out that without such configuration security groups don't work correctly.

Comment 13 Nir Magnezi 2013-08-25 10:49:10 UTC
(In reply to Martin Magr from comment #10)
> From the log I see following:
> 
> notice: /Stage[main]/Packstack::Neutron::Bridge/File_line[/etc/sysctl.conf
> bridge-nf-call-iptables]/ensure: created
> notice: /Stage[main]/Packstack::Neutron::Bridge/File_line[/etc/sysctl.conf
> bridge-nf-call-ip6tables]/ensure: created
> notice: /Stage[main]/Packstack::Neutron::Bridge/File_line[/etc/sysctl.conf
> bridge-nf-call-arptables]/ensure: created
> 
> Are you sure that this log is from the run when the sysctl.conf edit failed?
> 
> Another possibility might be that those two editation happened in parallel
> hence one modification was lost. But from the log it seems that there has
> been enough time between each modification.

Yes.
I used packstack on a clean RHEL6.4

In addition to that:

I ran packstack two more times (using two additional servers).
I noticed a different result each time:

In Comment #5 we had:

net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-arptables=0

Now I get:

Server A:
net.bridge.bridge-nf-call-ip6tables=0
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-arptables = 1

Server B:
net.bridge.bridge-nf-call-ip6tables=0
net.bridge.bridge-nf-call-iptables=0
net.bridge.bridge-nf-call-arptables=0

* Tested with: openstack-packstack-2013.1.1-0.30.dev672.el6ost.noarch

Comment 17 Nir Magnezi 2013-08-28 11:58:01 UTC
Verified NVR: openstack-packstack-2013.1.1-0.31.dev677.el6ost.noarch

Installed openstack via packstack on 3 different servers as all-in-one:
$ packstack --allinone

Verified the following attributes in /etc/sysctl.conf
net.bridge.bridge-nf-call-ip6tables=1
net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-arptables=1

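As an added check, and not packstack's own code, the POSIX shell script below audits a sysctl.conf-style file for the three net.bridge.bridge-nf-call-* keys that comment 4 says the fix writes, tolerates the mixed "key = 1" / "key=0" spacing seen in comments 5 and 13, repairs the file so that it matches what comment 17 verifies, and reads the live values from /proc. The sample sysctl.conf content is constructed to reproduce comment 5; the function names are mine and not from packstack.

```shell
#!/bin/sh
# Added example, not packstack code. Audits and repairs the three bridge
# netfilter sysctls this bug is about, accepting the spacing variants that
# appear in comments 5 and 13 ("key = 1" vs "key=0").

BRIDGE_KEYS="net.bridge.bridge-nf-call-iptables
net.bridge.bridge-nf-call-ip6tables
net.bridge.bridge-nf-call-arptables"

# Constructed sample reproducing the mixed result reported in comment 5.
SAMPLE_CONF='net.ipv4.ip_forward = 0
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-arptables=0'

# value_of FILE KEY: print the effective value of KEY in a sysctl.conf-style
# file (last occurrence wins, as "sysctl -p" applies lines in order);
# prints nothing if the key is absent.
value_of() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 \
        | sed 's/^[^=]*=[[:space:]]*//' | tr -d '[:space:]'
}

# check_bridge_nf FILE: print each key with its value; return 0 only when all
# three keys are present and set to 1.
check_bridge_nf() {
    rc=0
    for key in $BRIDGE_KEYS; do
        val=$(value_of "$1" "$key")
        if [ "$val" = "1" ]; then
            echo "$key = 1 (ok)"
        else
            echo "$key = ${val:-<missing>} (BAD)"
            rc=1
        fi
    done
    return $rc
}

# set_bridge_nf FILE: rewrite every existing line for each key to "key = 1"
# (so no stale "=0" survives) or append the line if the key is missing.
set_bridge_nf() {
    for key in $BRIDGE_KEYS; do
        tmp=$(mktemp)
        if grep -qE "^[[:space:]]*$key[[:space:]]*=" "$1"; then
            sed "s|^[[:space:]]*$key[[:space:]]*=.*|$key = 1|" "$1" > "$tmp"
        else
            { cat "$1"; echo "$key = 1"; } > "$tmp"
        fi
        mv "$tmp" "$1"
    done
}

# live_bridge_nf: show what the running kernel actually enforces. The
# /proc/sys/net/bridge entries exist only while the bridge netfilter module
# is loaded, which is why the fix also installs an
# /etc/sysconfig/modules/openstack-neutron.modules file: a correct
# /etc/sysctl.conf does nothing for these keys if they are not there yet.
live_bridge_nf() {
    for f in /proc/sys/net/bridge/bridge-nf-call-*; do
        [ -e "$f" ] || { echo "bridge netfilter sysctls absent (module not loaded)"; return 2; }
        printf '%s = %s\n' "${f##*/}" "$(cat "$f")"
    done
}

# Usage: audit the constructed sample, repair it, audit again.
conf=$(mktemp)
printf '%s\n' "$SAMPLE_CONF" > "$conf"
check_bridge_nf "$conf" || echo "-> $conf needs fixing"
set_bridge_nf "$conf"
check_bridge_nf "$conf" && echo "-> $conf now consistent"
live_bridge_nf || true
rm -f "$conf"
```

On a real node, run check_bridge_nf against /etc/sysctl.conf and compare with live_bridge_nf: the file and the running kernel can disagree, since the net.bridge.* keys are only accepted once the bridge netfilter module is loaded, and security groups depend on the live value, not on the file.
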
Comment 18 errata-xmlrpc 2013-09-03 19:59:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1186.html

