[kolla] neutron-l3-agent namespace NAT table not working?

Jan Vondra jan.vondra at ultimum.io
Mon Jan 6 00:25:55 UTC 2020


Could you send us more details about your deployment - e.g. kolla version
and image info? And please try to check the neutron-openvswitch-agent log -
errors regarding applying iptables rules should be there.

I've encountered similar behavior when trying to run an nftables OS image
(Debian 10) on an iptables OS image (Ubuntu 16.04). You can check by running
   sudo update-alternatives --query iptables

If that's the case, an option to force legacy iptables has been added -
https://review.opendev.org/#/c/685967/.

Best regards,
Jan

On Mon, 6 Jan 2020 at 00:56, Laurent Dumont <laurentfdumont at gmail.com>
wrote:

> Do you happen to have the bug ID for Centos?
>
> On Sun, Jan 5, 2020 at 2:11 PM Jon Masters <jcm at jonmasters.org> wrote:
>
>> This turns out to be a not well documented bug in the CentOS 7.7 kernel that
>> causes exactly the nat rules not to run, as I was seeing. Oh dear god, was
>> this nasty to find and work around.
>>
>> --
>> Computer Architect
>>
>>
>> > On Jan 4, 2020, at 10:39, Jon Masters <jcm at jonmasters.org> wrote:
>> >
>> > Excuse top posting on my phone. Also, yes, the namespaces are as
>> > described. It's just that the (correct) nat rules for the qrouter netns are
>> > never running, in spite of the two interfaces existing in that ns and
>> > correctly attached to the vswitch.
>> >
>> > --
>> > Computer Architect
>> >
>> >
>> >>> On Jan 4, 2020, at 07:56, Sean Mooney <smooney at redhat.com> wrote:
>> >>>
>> >>> On Sat, 2020-01-04 at 10:46 +0100, Slawek Kaplonski wrote:
>> >>> Hi,
>> >>>
>> >>> Is this qrouter namespace created with all those rules in a container
>> >>> or in the host directly?
>> >>> Do you have qr-xxx and qg-xxx ports from br-int in this qrouter
>> >>> namespace?
>> >> In kolla the l3 agent should be running with net=host, so the container
>> >> should be using the host's root namespace, and it will create network
>> >> namespaces as needed for the different routers.
>> >>
>> >> The iptables rules should be in the router sub-namespaces.
>> >>
>> >>>
>> >>>>> On 4 Jan 2020, at 05:44, Jon Masters <jcm at jonmasters.org> wrote:
>> >>>>
>> >>>> Hi there,
>> >>>>
>> >>>> I've got a weird problem with the neutron-l3-agent container on my
>> >>>> deployment. It comes up, sets up the iptables rules in the qrouter
>> >>>> namespace (and I can see these using "ip netns...") but traffic isn't
>> >>>> having DNAT or SNAT applied. What's most strange is that manually adding
>> >>>> a LOG jump target to the iptables nat PRE/POSTROUTING chains (after
>> >>>> enabling nf logging sent to the host kernel, confirmed that works)
>> >>>> doesn't result in any log entries. It's as if the nat table isn't being
>> >>>> applied at all for any packets traversing the qrouter namespace. This
>> >>>> is driving me crazy :)
>> >>>>
>> >>>> Anyone got some quick suggestions? (assume I tried the obvious stuff).
>> >>>>
>> >>>> Jon.
>> >>>>
>> >>>> --
>> >>>> Computer Architect
>> >>>
>> >>> —
>> >>> Slawek Kaplonski
>> >>> Senior software engineer
>> >>> Red Hat
>> >>>
>> >>>
>> >>
>>
>>
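As an added example (not from any poster in this thread, and not kolla's or neutron's own tooling), the following POSIX shell script automates the check Jan suggests and the symptom Jon describes. It classifies the iptables backend from `iptables -V` output and from the "Value:" line of `update-alternatives --query iptables`, compares the backend on the host with the one inside the l3 agent container, and then prints the packet counters on the nat PREROUTING/POSTROUTING chains of every qrouter namespace, where rules that exist but never match show up as zero counts. The container name `neutron_l3_agent` and the version strings used as samples are assumptions for the example.

```shell
#!/bin/sh
# Added example for this thread (not kolla's or neutron's own tooling).
# Classifies the iptables backend on the host and inside the l3 agent
# container, then dumps nat chain counters per qrouter namespace.
# Assumptions: the kolla container is named neutron_l3_agent; the sample
# version strings mentioned in comments are constructed, not captured.

# Map the output of `iptables -V` to "nf_tables", "legacy" or "unknown".
# iptables >= 1.8 prints its backend in parentheses, e.g.
# "iptables v1.8.2 (nf_tables)"; older releases (1.4.x on CentOS 7,
# 1.6.x on Ubuntu 16.04) print no suffix and only have the legacy backend.
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *v1.[0-7].*)     echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Extract the selected path from `update-alternatives --query iptables`
# (its "Value:" line). Prints "none" when there is no such line, which is
# what you get on distributions without an iptables alternatives group.
alternatives_value() {
    v=$(printf '%s\n' "$1" | awk '/^Value:/ { print $2; exit }')
    if [ -n "$v" ]; then echo "$v"; else echo none; fi
}

# Compare two `iptables -V` strings; "mismatch" is the situation Jan
# describes (an nftables userspace in the image, legacy on the host).
backend_compare() {
    if [ "$(iptables_backend "$1")" = "$(iptables_backend "$2")" ]; then
        echo match
    else
        echo mismatch
    fi
}

# Live check. Needs root for the namespace part; each step is skipped
# when its tool is missing, so the script is safe to run on any box.
live_check() {
    command -v iptables >/dev/null 2>&1 || { echo "iptables not installed"; return 0; }
    host_v=$(iptables -V 2>/dev/null || true)
    echo "host backend:      $(iptables_backend "$host_v")  [$host_v]"
    if command -v update-alternatives >/dev/null 2>&1; then
        q=$(update-alternatives --query iptables 2>/dev/null || true)
        echo "host alternative:  $(alternatives_value "$q")"
    fi
    if command -v docker >/dev/null 2>&1; then
        cont_v=$(docker exec neutron_l3_agent iptables -V 2>/dev/null || true)
        if [ -n "$cont_v" ]; then
            echo "container backend: $(iptables_backend "$cont_v")  [$cont_v]"
            echo "host vs container: $(backend_compare "$host_v" "$cont_v")"
        fi
    fi
    # Rules that are listed but show 0 packets while traffic crosses the
    # router are the symptom from the thread; -v prints the counters.
    for ns in $(ip netns list 2>/dev/null | awk '/^qrouter-/ { print $1 }'); do
        echo "== $ns =="
        ip netns exec "$ns" iptables -t nat -L PREROUTING -n -v 2>/dev/null || true
        ip netns exec "$ns" iptables -t nat -L POSTROUTING -n -v 2>/dev/null || true
    done
}

# Run the live check when invoked as `sh check-iptables-backend.sh --live`;
# otherwise the functions above can be sourced and applied to saved output.
if [ "${1:-}" = "--live" ]; then live_check; fi
```

When the host and container report different backends, list the namespace's nat table with both binaries where they exist (`iptables-legacy -t nat -S` and `iptables-nft -t nat -S` under `ip netns exec`): each one only shows the rules it loaded itself, so that tells you which ruleset the kernel is actually evaluating. On CentOS 7 there is no alternatives group for iptables, so there the version string is the useful signal; as Jon's follow-up notes, his case turned out to be a kernel bug rather than a backend mismatch, so zero counters with matching backends point at the kernel, not at the agent.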