[Wallaby] Interface operations not supported for ovn_metadata_agent
Dear openstack community,

I am trying to get the metadata service to work on a TripleO Wallaby OpenStack. Upon successful creation of a virtual machine in a Geneve-type internal network, a namespace gets created on the compute node which hosts the VM:

[root@overcloud-computesriov-0 ~]# ip netns list
ovnmeta-fae7b699-3086-4213-bec7-9d91737c934c (id: 0)
[root@overcloud-computesriov-0 ~]# ip netns exec ovnmeta-fae7b699-3086-4213-bec7-9d91737c934c ip a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: tapfae7b699-31@if34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether fa:16:3e:d0:d6:01 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::ac69:a2ff:feb3:89c9/64 scope link
       valid_lft forever preferred_lft forever

The problem is that the VM cannot reach the metadata service IP 169.254.169.254 even though it has the route to it via 10.0.0.2 (the DHCP port in the internal network). I can also see ovn_metadata_agent crashing every 6 seconds with the following:

2025-05-05 13:22:39.044 226779 INFO neutron.common.config [-] Logging enabled!
2025-05-05 13:22:39.044 226779 INFO neutron.common.config [-] /usr/bin/networking-ovn-metadata-agent version 18.6.1.dev209
2025-05-05 13:22:39.050 226779 WARNING oslo_config.cfg [-] Deprecated: Option "heartbeat_in_pthread" from group "oslo_messaging_rabbit" is deprecated for removal. Its value may be silently ignored in the future.
2025-05-05 13:22:39.064 226779 INFO ovsdbapp.backend.ovs_idl.vlog [-] tcp:127.0.0.1:6640: connecting...
2025-05-05 13:22:39.064 226779 INFO ovsdbapp.backend.ovs_idl.vlog [-] tcp:127.0.0.1:6640: connected
2025-05-05 13:22:39.095 226779 INFO neutron.agent.ovn.metadata.agent [-] Loaded chassis name 983d11af-8faf-4f85-99c2-62c00ed8165b (UUID: 983d11af-8faf-4f85-99c2-62c00ed8165b) and ovn bridge br-int.
2025-05-05 13:22:39.108 226779 INFO neutron.agent.ovn.metadata.ovsdb [-] Getting OvsdbSbOvnIdl for MetadataAgent with retry
2025-05-05 13:22:39.108 226779 INFO ovsdbapp.backend.ovs_idl.vlog [-] tcp:10.100.22.91:6642: connecting...
2025-05-05 13:22:39.109 226779 INFO ovsdbapp.backend.ovs_idl.vlog [-] tcp:10.100.22.91:6642: connected
2025-05-05 13:22:39.126 226779 INFO oslo_service.service [-] Starting 2 workers
2025-05-05 13:22:39.136 226779 INFO oslo.privsep.daemon [-] Running privsep helper: ['sudo', 'neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'privsep-helper', '--config-file', '/etc/neutron/neutron.conf', '--config-file', '/etc/neutron/plugins/networking-ovn/networking-ovn-metadata-agent.ini', '--privsep_context', 'neutron.privileged.default', '--privsep_sock_path', '/tmp/tmpnbw1fxbg/privsep.sock']
2025-05-05 13:22:39.171 226809 INFO neutron.agent.ovn.metadata.ovsdb [-] Getting OvsdbSbOvnIdl for MetadataAgent with retry
2025-05-05 13:22:39.173 226809 INFO ovsdbapp.backend.ovs_idl.vlog [-] tcp:10.100.22.95:6642: connecting...
2025-05-05 13:22:39.174 226810 INFO neutron.agent.ovn.metadata.ovsdb [-] Getting OvsdbSbOvnIdl for MetadataAgent with retry
2025-05-05 13:22:39.175 226809 INFO ovsdbapp.backend.ovs_idl.vlog [-] tcp:10.100.22.95:6642: connected
2025-05-05 13:22:39.176 226810 INFO ovsdbapp.backend.ovs_idl.vlog [-] tcp:10.100.22.67:6642: connecting...
2025-05-05 13:22:39.178 226810 INFO ovsdbapp.backend.ovs_idl.vlog [-] tcp:10.100.22.67:6642: connected
2025-05-05 13:22:39.204 226809 INFO eventlet.wsgi.server [-] (226809) wsgi starting up on http:/var/lib/neutron/metadata_proxy
2025-05-05 13:22:39.209 226810 INFO eventlet.wsgi.server [-] (226810) wsgi starting up on http:/var/lib/neutron/metadata_proxy
2025-05-05 13:22:40.270 226779 INFO oslo.privsep.daemon [-] Spawned new privsep daemon via rootwrap
2025-05-05 13:22:40.167 226859 INFO oslo.privsep.daemon [-] privsep daemon starting
2025-05-05 13:22:40.175 226859 INFO oslo.privsep.daemon [-] privsep process running with uid/gid: 0/0
2025-05-05 13:22:40.180 226859 INFO oslo.privsep.daemon [-] privsep process running with capabilities (eff/prm/inh): CAP_DAC_OVERRIDE|CAP_DAC_READ_SEARCH|CAP_NET_ADMIN|CAP_SYS_ADMIN/CAP_DAC_OVERRIDE|CAP_DAC_READ_SEARCH|CAP_NET_ADMIN|CAP_SYS_ADMIN/none
2025-05-05 13:22:40.180 226859 INFO oslo.privsep.daemon [-] privsep daemon running as pid 226859
2025-05-05 13:22:40.972 226779 INFO neutron.agent.ovn.metadata.agent [-] Provisioning metadata for network fae7b699-3086-4213-bec7-9d91737c934c
2025-05-05 13:22:41.159 226779 CRITICAL neutron [-] Unhandled error: neutron.privileged.agent.linux.ip_lib.InterfaceOperationNotSupported: Operation not supported on interface tapfae7b699-31, namespace ovnmeta-fae7b699-3086-4213-bec7-9d91737c934c.
2025-05-05 13:22:41.159 226779 ERROR neutron Traceback (most recent call last):
2025-05-05 13:22:41.159 226779 ERROR neutron   File "/usr/bin/networking-ovn-metadata-agent", line 10, in <module>
2025-05-05 13:22:41.159 226779 ERROR neutron     sys.exit(main())
2025-05-05 13:22:41.159 226779 ERROR neutron   File "/usr/lib/python3.6/site-packages/neutron/cmd/eventlet/agents/ovn_metadata.py", line 24, in main
2025-05-05 13:22:41.159 226779 ERROR neutron     metadata_agent.main()
2025-05-05 13:22:41.159 226779 ERROR neutron   File "/usr/lib/python3.6/site-packages/neutron/agent/ovn/metadata_agent.py", line 41, in main
2025-05-05 13:22:41.159 226779 ERROR neutron     agt.start()
2025-05-05 13:22:41.159 226779 ERROR neutron   File "/usr/lib/python3.6/site-packages/neutron/agent/ovn/metadata/agent.py", line 278, in start
2025-05-05 13:22:41.159 226779 ERROR neutron     self.sync()
2025-05-05 13:22:41.159 226779 ERROR neutron   File "/usr/lib/python3.6/site-packages/neutron/agent/ovn/metadata/agent.py", line 61, in wrapped
2025-05-05 13:22:41.159 226779 ERROR neutron     return f(*args, **kwargs)
2025-05-05 13:22:41.159 226779 ERROR neutron   File "/usr/lib/python3.6/site-packages/neutron/agent/ovn/metadata/agent.py", line 357, in sync
2025-05-05 13:22:41.159 226779 ERROR neutron     self.provision_datapath(datapath)
2025-05-05 13:22:41.159 226779 ERROR neutron   File "/usr/lib/python3.6/site-packages/neutron/agent/ovn/metadata/agent.py", line 585, in provision_datapath
2025-05-05 13:22:41.159 226779 ERROR neutron     ip2.addr.delete(cidr)
2025-05-05 13:22:41.159 226779 ERROR neutron   File "/usr/lib/python3.6/site-packages/neutron/agent/linux/ip_lib.py", line 544, in delete
2025-05-05 13:22:41.159 226779 ERROR neutron     delete_ip_address(cidr, self.name, self._parent.namespace)
2025-05-05 13:22:41.159 226779 ERROR neutron   File "/usr/lib/python3.6/site-packages/neutron/agent/linux/ip_lib.py", line 842, in delete_ip_address
2025-05-05 13:22:41.159 226779 ERROR neutron     net.version, str(net.ip), net.prefixlen, device, namespace)
2025-05-05 13:22:41.159 226779 ERROR neutron   File "/usr/lib/python3.6/site-packages/oslo_privsep/priv_context.py", line 247, in _wrap
2025-05-05 13:22:41.159 226779 ERROR neutron     return self.channel.remote_call(name, args, kwargs)
2025-05-05 13:22:41.159 226779 ERROR neutron   File "/usr/lib/python3.6/site-packages/oslo_privsep/daemon.py", line 224, in remote_call
2025-05-05 13:22:41.159 226779 ERROR neutron     raise exc_type(*result[2])
2025-05-05 13:22:41.159 226779 ERROR neutron neutron.privileged.agent.linux.ip_lib.InterfaceOperationNotSupported: Operation not supported on interface tapfae7b699-31, namespace ovnmeta-fae7b699-3086-4213-bec7-9d91737c934c.
2025-05-05 13:22:41.159 226779 ERROR neutron
2025-05-05 13:22:41.592 226810 INFO oslo_service.service [-] Parent process has died unexpectedly, exiting
2025-05-05 13:22:41.592 226809 INFO oslo_service.service [-] Parent process has died unexpectedly, exiting
2025-05-05 13:22:41.593 226810 INFO eventlet.wsgi.server [-] (226810) wsgi exited, is_accepting=True
2025-05-05 13:22:41.593 226809 INFO eventlet.wsgi.server [-] (226809) wsgi exited, is_accepting=True

I can confirm that assigning and deleting an IP on the interface tapfae7b699-31 succeeds both from the host and from the container (podman exec -it --user root container-id bash). I did not succeed in assigning an IP to the interface as the regular neutron user (podman exec -it container-id bash).

Also, the nova metadata service hosted on the controller is accessible from the compute node:

[root@overcloud-computesriov-0 ~]# curl http://10.100.22.127:8775
1.0
2007-01-19
2007-03-01
2007-08-29
2007-10-10
2007-12-15
2008-02-01
2008-09-01
2009-04-04

Did anyone come across anything like this?

Best regards,
Davorin
Hi, On 5/5/25 9:42 AM, davorin.mikulic@gmail.com wrote:
Dear openstack community,
I am trying to get metadata service to work on a TripleO Wallaby Openstack.
First, Wallaby is unmaintained upstream, so my first advice would be to upgrade to Caracal/2024.1, though I'm not sure TripleO supports that. My guess, based on the log, is that there is a privsep config issue of some kind, since you mentioned you can run the commands by hand. Are other operations failing similarly? -Brian
Hello Brian,

Thanks for your answer. The thing is that I need Wallaby because of compatibility with the specific version of OpenShift (v4.17) which I would like to deploy on top of OpenStack.

I also suspected that privsep was not configured properly, but based on this line in the log:

2025-05-05 13:22:40.180 226859 INFO oslo.privsep.daemon [-] privsep process running with capabilities (eff/prm/inh): CAP_DAC_OVERRIDE|CAP_DAC_READ_SEARCH|CAP_NET_ADMIN|CAP_SYS_ADMIN/CAP_DAC_OVERRIDE|CAP_DAC_READ_SEARCH|CAP_NET_ADMIN|CAP_SYS_ADMIN/none

it is supposed to have SYS_ADMIN privileges, which should allow modification of the interface. I also tried explicitly passing SYS_ADMIN privileges through the [privsep] section of neutron.conf, but the result was the same.

No other operations are failing similarly.

Best regards,
Davorin
On 06/05/2025 07:11, davorin.mikulic@gmail.com wrote:
Hello Brian,
Thanks for your answer.
The thing is that I need Wallaby because of compatibility with the specific version of Openshift (v4.17) which I would like to deploy on top of Openstack.
So, to answer Brian's question about TripleO: the last release it supported was Zed, so there is no upstream release that is both still supported and was supported by TripleO. If OpenShift cares about, or even really knows, what version of OpenStack is deployed, such that using a later version would break the integration, you should report those issues as a bug, because it should be forwards compatible.
I also suspected that privsep is not configured properly but based on the line in the log: 2025-05-05 13:22:40.180 226859 INFO oslo.privsep.daemon [-] privsep process running with capabilities (eff/prm/inh): CAP_DAC_OVERRIDE|CAP_DAC_READ_SEARCH|CAP_NET_ADMIN|CAP_SYS_ADMIN/CAP_DAC_OVERRIDE|CAP_DAC_READ_SEARCH|CAP_NET_ADMIN|CAP_SYS_ADMIN/none it is supposed to have SYS_ADMIN privileges which should allow for the modification of the interface. I also tried explicitly passing SYS_ADMIN privileges through [privsep] part of neutron.conf but the result was the same.
I don't think the capabilities are configurable via the neutron config, and it's questionable whether they should be, from a security point of view. In general, the config is only intended to let you change whether the daemon is pre-spawned and/or the binary used to spawn it.
No other operations are failing similarly.
I'm not inclined to think this is a privsep issue, but I have three guesses/suggestions about where to look:

1. It's related to binary compatibility between the packages in the container and the host kernel (less likely, since it worked when you exec'ed in).
2. It's an issue with SELinux.
3. Your kernel or OVS version does not support a feature it is trying to enable.

The "operation not supported" issue can happen if you are using an incompatible iptables binary, I believe (I don't know the full details). Depending on the version of CentOS/RHEL you have deployed, either the legacy iptables module or the newer nftables module can be used as the backend; if the tool in the container is expecting nftables but your kernel is using legacy iptables, then you can get "not supported" errors, I believe. Beyond that, the kernel ioctl interface can change between kernel versions and gcc versions, so sometimes you need to bind mount the host binary, or use a container built with the host OS, to get them to align. In other words, the ip tools binary in the container can be incompatible with the host kernel, because the ioctl ABI depends on the kernel headers and gcc version used to compile it.

Downstream, our Wallaby-based release, OSP 17.1, was supported on RHEL 8 during upgrades from Train, and on RHEL 9.2 as its main OS during the full lifecycle. I think if you try to run the RHEL 8 version of the container on RHEL 9 without bind mounting, it can fail like this? I'm not an expert on that, and it's been a few years since I looked at this, so take that with a grain of salt.

So for option 1: have you confirmed that the container is built for the same major version of the OS as the one it is running on? You mentioned doing an exec into the container as root and it worked, which implies they are aligned, but it's good to check that in any case.
I have not looked at the code specifically, but from the backtrace it looks like it is trying to delete an IP address, so I assume it is going to invoke the equivalent of `ip a del <ip address> dev <interface>`, although perhaps via the Python iproute2 library instead of the shell. The Python iproute2 package has the same ABI compatibility issues as the CLI tools. The fact that the backtrace has py3.6 implies it is a CentOS 8 container, since CentOS 9 would use 3.9.

The other common issue is SELinux; I would check the audit logs. If you installed the systemd-container package, that can also impact how SELinux is applied to the commands in the container in some cases, due to changes in the behavior of podman and libvirt. If it were SELinux or a general privsep issue, I would have expected a "permission denied" error instead of "operation not supported", so that is less likely, which is why I listed it second.

Increasingly unlikely is that your kernel or OVS version does not support deleting an IP address from an interface. The only way I can think of that realistically happening is if you disabled IPv4 or IPv6 on this host but neutron was still trying to use it. "Operation not supported" might be a reasonable response if you tried to delete an IPv6 address on a host that has IPv6 disabled on all interfaces, for example.

I'm not sure if any of the 3 options above is your actual problem, but those are 3 things I would rule out first before assuming it's privsep related.
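To make the shell equivalent mentioned above concrete, here is a minimal sketch (the helper name is mine, not neutron's) of the command the failing address delete corresponds to, which is handy for reproducing the failure by hand on the compute node:

```python
def ip_addr_del_cmd(cidr, device, namespace=None):
    """Build the argv for the `ip addr del` equivalent of the failing call."""
    cmd = ["ip", "addr", "del", cidr, "dev", device]
    if namespace:
        # The agent operates inside the ovnmeta- namespace
        cmd = ["ip", "netns", "exec", namespace] + cmd
    return cmd

# Roughly the operation that crashes the agent in this thread:
print(" ".join(ip_addr_del_cmd(
    "fe80::ac69:a2ff:feb3:89c9/64",
    "tapfae7b699-31",
    "ovnmeta-fae7b699-3086-4213-bec7-9d91737c934c",
)))
```

Running the printed command as root on the compute host is a quick way to check whether the operation itself works outside the container.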
Best regards, Davorin
Hi,

Correct, the process is trying to delete an IPv6 address. I got the thing to work by deleting the IPv6 address from the interface:

[root@overcloud-computesriov-0 ~]# ip -netns ovnmeta-fae7b699-3086-4213-bec7-9d91737c934c addr del fe80::ac69:a2ff:feb3:89c9/64 dev tapfae7b699-31
[root@overcloud-computesriov-0 ~]# ip a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: tapfae7b699-31@if34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether fa:16:3e:d0:d6:01 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 169.254.169.254/32 brd 169.254.169.254 scope global tapfae7b699-31
       valid_lft forever preferred_lft forever
    inet 10.0.0.2/16 brd 10.0.255.255 scope global tapfae7b699-31
       valid_lft forever preferred_lft forever

Now the metadata service is accessible and it looks as it should. I will try to figure out what is making the IPv6 address attach to the interface by default, since I installed Wallaby on CentOS 9 machines (it is compatible with CentOS 8, which is EOL). I had some problems because of this earlier, so I had to work around them. I will let you know what I find.

Thank you very much!

Br,
Davorin
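As a side note on where that fe80:: address comes from: when an interface comes up with IPv6 enabled, the kernel autoconfigures an EUI-64 link-local address from the interface MAC. A small stdlib-only sketch of the derivation (the function name is mine, not anything from neutron):

```python
import ipaddress

def mac_to_eui64_link_local(mac):
    """Derive the kernel's autoconfigured fe80:: link-local address from a MAC."""
    octets = [int(part, 16) for part in mac.split(":")]
    octets[0] ^= 0x02  # flip the universal/local bit
    eui64 = octets[:3] + [0xFF, 0xFE] + octets[3:]  # insert ff:fe in the middle
    host_bits = int.from_bytes(bytes(eui64), "big")
    return str(ipaddress.IPv6Address((0xFE80 << 112) | host_bits))

# The address the agent failed to delete maps back to MAC ae:69:a2:b3:89:c9,
# not the interface's current fa:16:3e:d0:d6:01 -- consistent with the
# link-local having been autoconfigured before the tap device's MAC was set.
print(mac_to_eui64_link_local("ae:69:a2:b3:89:c9"))  # fe80::ac69:a2ff:feb3:89c9
```

That mismatch with the current MAC is one hint that the address was added by kernel SLAAC at interface creation time rather than by neutron.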
Also, I checked the versions of the ip command on the host (CentOS 9) and in the container (CentOS 8), and there is indeed a mismatch, as Sean suspected:

Host:
[root@overcloud-computesriov-0 ~]# ip -V
ip utility, iproute2-6.2.0, libbpf 1.4.0

Container:
[root@overcloud-computesriov-0 ~]# podman exec -it d6d9ac1a314d bash
bash-4.4$ ip -V
ip utility, iproute2-6.2.0, libbpf 0.5.0

What is interesting is that the container adds the right IP address back with no problem after I manually delete it. I can also delete any IP manually from the container. But the process is unable to delete the unneeded IPv6 address on creation of the VM, nor the DHCP and metadata IPv4 addresses after VM deletion. From the logs I can also see that it is unable to delete the veth pair after VM deletion.

I am guessing that add commands are more forgiving than delete commands regarding the syntax.

If someone can think of any workaround for this please feel free to share. :)

Best regards,
Davorin
On 06/05/2025 14:45, davorin.mikulic@gmail.com wrote:
Also I checked versions of ip commands on the host (CentOS9) and the container (CentOS8) and there is indeed a mismatch as Sean suspected:
Host: [root@overcloud-computesriov-0 ~]# ip -V ip utility, iproute2-6.2.0, libbpf 1.4.0
Container: root@overcloud-computesriov-0 ~]# podman exec -it d6d9ac1a314d bash bash-4.4$ ip -V ip utility, iproute2-6.2.0, libbpf 0.5.0
What is interesting is that container adds the right ip address after I manually delete it with no problem. Also I can delete any ip manually from the container as well.
But the process is unable to delete the unneeded IPv6 address on creation of the VM, nor the DHCP and metadata IPv4 addresses after VM deletion. From the logs I can also see that it is unable to delete the veth pair after VM deletion.
I am guessing that add commands are more forgiving than delete commands regarding the syntax.
If someone can think of any workaround for this please feel free to share. :)
The two somewhat obvious workarounds that come to mind are as follows: bind mount the host ip utility into the container, which is basically adding -v /usr/bin/ip:/usr/bin/ip to the podman command line, or matching the container and host OS version. I believe TripleO also has a script to allow specific commands to be executed on the host, and I thought it already used that for iptables, so updating the ip command to use that wrapper may also be an option. I'm not sure how practical any of those options are for your deployment, however.

This would be a TripleO bug, or an operator (human) one, rather than a neutron bug, as it is related to how it has been packaged and deployed in your specific env. I believe downstream we allowed RHEL 9 OpenStack containers to run on a RHEL 8 host, but not the other way around. With that said, I know for things like libvirt we built two versions and required that the container and host OS were the same; I don't know which camp the ovn metadata container fell into (must align host and guest OS, or can differ with a wrapper to paper over the difference). I also don't know exactly where that was implemented in TripleO, so I can't point you at an example.
Best regards, Davorin
Dear Sean,

I tried adding "--volume /usr/sbin/ip:/usr/sbin/ip" and some different iterations, but the result was the same. Also, with that, the ip command was missing some other dependencies. For now I'll just manage around these by manually deleting unneeded IPs and namespaces when needed. It seems that my platform is due for an update, and the new OpenStack is deployed on top of OpenShift anyway.

Thank you very much for your help!

Best regards,
Davorin
Dear everyone,

I have a working WA for the problem. There is a problem with the pyroute2 0.6.6 version which is installed in the container. I upgraded the version to 0.6.11 and replaced the running container. I got it to work by editing the container image and replacing it as follows:

[root@overcloud-computesriov-16 new_ovn_metadata_agent_image]# cat Dockerfile
FROM uc4tb27.ctlplane.tb27.cld:8787/tripleowallaby/openstack-neutron-metadata-agent-ovn:current-tripleo
USER root
# Just upgrade pyroute2 directly using existing pip
RUN python3 -m pip install --no-cache-dir --upgrade "pyroute2==0.6.11"
# (Optional) Switch back to original user
USER neutron
[root@overcloud-computesriov-16 new_ovn_metadata_agent_image]# podman build -t custom-neutron-metadata-agent .

podman container run --name ovn_metadata_agent --cgroupns=host --conmon-pidfile /run/ovn_metadata_agent.pid --detach=true --env KOLLA_CONFIG_STRATEGY=COPY_ALWAYS --env TRIPLEO_CONFIG_HASH=b0f0231085155addf0474368939de6e0 --healthcheck-command /openstack/healthcheck --label config_id=tripleo_step4 --label container_name=ovn_metadata_agent --label managed_by=tripleo_ansible --label "config_data={'cgroupns': 'host', 'environment': {'KOLLA_CONFIG_STRATEGY': 'COPY_ALWAYS', 'TRIPLEO_CONFIG_HASH': 'b0f0231085155addf0474368939de6e0'}, 'healthcheck': {'test': '/openstack/healthcheck'}, 'image': 'uc4tb27.ctlplane.tb27.cld:8787/tripleowallaby/openstack-neutron-metadata-agent-ovn:current-tripleo', 'net': 'host', 'pid': 'host', 'privileged': True, 'restart': 'always', 'start_order': 1, 'volumes': ['/etc/hosts:/etc/hosts:ro', '/etc/localtime:/etc/localtime:ro', '/etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro', '/etc/pki/ca-trust/source/anchors:/etc/pki/ca-trust/source/anchors:ro', '/etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs/ca-bundle.crt:ro', '/etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro', '/etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro', '/dev/log:/dev/log',
'/etc/puppet:/etc/puppet:ro', '/var/log/containers/neutron:/var/log/neutron:z', '/var/lib/kolla/config_files/ovn_metadata_agent.json:/var/lib/kolla/config_files/config.json:ro', '/var/lib/config-data/puppet-generated/neutron:/var/lib/kolla/config_files/src:ro', '/lib/modules:/lib/modules:ro', '/run/openvswitch:/run/openvswitch:shared,z', '/var/lib/neutron:/var/lib/neutron:shared,z', '/run/netns:/run/netns:shared', '/var/lib/neutron/kill_scripts:/etc/neutron/kill_scripts:shared,z', '/var/lib/neutron/ovn_metadata_haproxy_wrapper:/usr/local/bin/haproxy:ro', '/usr/sbin/ip:/usr/sbin/ip']}" --log-driver k8s-file --log-opt path=/var/log/containers/stdouts/ovn_metadata_agent.log --network host --pid host --privileged=true --volume /etc/hosts:/etc/hosts:ro --volume /etc/localtime:/etc/localtime:ro --volume /etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro --volume /etc/pki/ca-trust/source/anchors:/etc/pki/ca-trust/source/anchors:ro --volume /etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs/ca-bundle.crt:ro --volume /etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro --volume /etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro --volume /dev/log:/dev/log --volume /etc/puppet:/etc/puppet:ro --volume /var/log/containers/neutron:/var/log/neutron:z --volume /var/lib/kolla/config_files/ovn_metadata_agent.json:/var/lib/kolla/config_files/config.json:ro --volume /var/lib/config-data/puppet-generated/neutron:/var/lib/kolla/config_files/src:ro --volume /lib/modules:/lib/modules:ro --volume /run/openvswitch:/run/openvswitch:shared,z --volume /var/lib/neutron:/var/lib/neutron:shared,z --volume /run/netns:/run/netns:shared --volume /var/lib/neutron/kill_scripts:/etc/neutron/kill_scripts:shared,z --volume /var/lib/neutron/ovn_metadata_haproxy_wrapper:/usr/local/bin/haproxy:ro localhost/custom-neutron-metadata-agent:latest 245 podman container run --replace --name ovn_metadata_agent --cgroupns=host --conmon-pidfile /run/ovn_metadata_agent.pid 
--detach=true --env KOLLA_CONFIG_STRATEGY=COPY_ALWAYS --env TRIPLEO_CONFIG_HASH=b0f0231085155addf0474368939de6e0 --healthcheck-command /openstack/healthcheck --label config_id=tripleo_step4 --label container_name=ovn_metadata_agent --label managed_by=tripleo_ansible --label "config_data={'cgroupns': 'host', 'environment': {'KOLLA_CONFIG_STRATEGY': 'COPY_ALWAYS', 'TRIPLEO_CONFIG_HASH': 'b0f0231085155addf0474368939de6e0'}, 'healthcheck': {'test': '/openstack/healthcheck'}, 'image': 'uc4tb27.ctlplane.tb27.cld:8787/tripleowallaby/openstack-neutron-metadata-agent-ovn:current-tripleo', 'net': 'host', 'pid': 'host', 'privileged': True, 'restart': 'always', 'start_order': 1, 'volumes': ['/etc/hosts:/etc/hosts:ro', '/etc/localtime:/etc/localtime:ro', '/etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro', '/etc/pki/ca-trust/source/anchors:/etc/pki/ca-trust/source/anchors:ro', '/etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs/ca-bundle.crt:ro', '/etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro', '/etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro', '/dev/log:/dev/log', '/etc/puppet:/etc/puppet:ro', '/var/log/containers/neutron:/var/log/neutron:z', '/var/lib/kolla/config_files/ovn_metadata_agent.json:/var/lib/kolla/config_files/config.json:ro', '/var/lib/config-data/puppet-generated/neutron:/var/lib/kolla/config_files/src:ro', '/lib/modules:/lib/modules:ro', '/run/openvswitch:/run/openvswitch:shared,z', '/var/lib/neutron:/var/lib/neutron:shared,z', '/run/netns:/run/netns:shared', '/var/lib/neutron/kill_scripts:/etc/neutron/kill_scripts:shared,z', '/var/lib/neutron/ovn_metadata_haproxy_wrapper:/usr/local/bin/haproxy:ro', '/usr/sbin/ip:/usr/sbin/ip']}" --log-driver k8s-file --log-opt path=/var/log/containers/stdouts/ovn_metadata_agent.log --network host --pid host --privileged=true --volume /etc/hosts:/etc/hosts:ro --volume /etc/localtime:/etc/localtime:ro --volume /etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro --volume 
/etc/pki/ca-trust/source/anchors:/etc/pki/ca-trust/source/anchors:ro --volume /etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs/ca-bundle.crt:ro --volume /etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro --volume /etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro --volume /dev/log:/dev/log --volume /etc/puppet:/etc/puppet:ro --volume /var/log/containers/neutron:/var/log/neutron:z --volume /var/lib/kolla/config_files/ovn_metadata_agent.json:/var/lib/kolla/config_files/config.json:ro --volume /var/lib/config-data/puppet-generated/neutron:/var/lib/kolla/config_files/src:ro --volume /lib/modules:/lib/modules:ro --volume /run/openvswitch:/run/openvswitch:shared,z --volume /var/lib/neutron:/var/lib/neutron:shared,z --volume /run/netns:/run/netns:shared --volume /var/lib/neutron/kill_scripts:/etc/neutron/kill_scripts:shared,z --volume /var/lib/neutron/ovn_metadata_haproxy_wrapper:/usr/local/bin/haproxy:ro localhost/custom-neutron-metadata-agent:latest Thanks everyone! Best regards, Davorin
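For anyone wanting to audit their images for the same issue, a small sketch of a version check (the helper names are mine; 0.6.11 is simply the version that worked in this thread, not a confirmed minimum fixed version):

```python
KNOWN_GOOD = (0, 6, 11)  # version that worked here; 0.6.6 was the broken one

def parse_version(ver):
    """Turn a version string like '0.6.11' into a tuple like (0, 6, 11)."""
    parts = []
    for piece in ver.split("."):
        if piece.isdigit():
            parts.append(int(piece))
        else:
            break  # ignore suffixes like 'dev0'
    return tuple(parts)

def pyroute2_at_least(installed, minimum=KNOWN_GOOD):
    """True if the installed pyroute2 version is at or above the known-good one."""
    return parse_version(installed) >= minimum

# Inside the agent container, the installed version can be read with e.g.
# `pip3 show pyroute2` and fed to pyroute2_at_least().
```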
participants (3)
-
Brian Haley
-
davorin.mikulic@gmail.com
-
Sean Mooney