[openstack-dev] [neutron] iptables routes are not being injected to router namespace

Brian Haley brian.haley at hp.com
Wed Jan 21 21:24:11 UTC 2015


On 01/21/2015 02:29 PM, Xavier León wrote:
> On Tue, Jan 20, 2015 at 10:32 PM, Brian Haley <brian.haley at hp.com> wrote:
>> On 01/20/2015 09:20 AM, Xavier León wrote:
>>> Hi all,
>>>
>>> we've been doing some tests with openstack kilo and found
>>> out a problem: iptables routes are not being injected to the
>>> router namespace.
>>>
>>> Scenario:
>>> - a private network NOT connected to the outside world.
>>> - a router with only one interface connected to the private network.
>>> - a vm instance connected to the private network as well.
<snip>
>> Are you sure the l3-agent is running?  You should have seen wrapped rules from
>> it in most of these tables, for example:
>>
>> # Generated by iptables-save v1.4.21 on Tue Jan 20 16:29:19 2015
>> *filter
>> :INPUT ACCEPT [34:10882]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [1:84]
>> :neutron-filter-top - [0:0]
>> :neutron-l3-agent-FORWARD - [0:0]
>> :neutron-l3-agent-INPUT - [0:0]
>> :neutron-l3-agent-OUTPUT - [0:0]
>> :neutron-l3-agent-local - [0:0]
>> [...]
> 
> Yes, the l3-agent is up and running. I see these rules when executing
> the same test in juno but not in kilo. FYI, it's a all-in-one devstack
> deployment.
> 
>>
>> I would check the log files for any errors.
> 
> There are no errors in the logs.
> 
> After digging a bit more, we have seen that setting the config value
> of enable_isolated_metadata to True (default: False) in dhcp_agent.ini
> solves the problem in our scenario.
> However, this change in configuration was not necessary before (our
> tests passed in juno for that matter with that setting to False). So
> we were wondering if there has been a change in how the metadata
> service is accessed in such scenarios, a new issue because of the l3
> agent refactoring or any other problem in our setup we haven't
> narrowed yet.

There have been some changes recently in the code, perhaps:

https://review.openstack.org/#/c/135467/

Or just look at some of the other recent changes in the repository?

-Brian



More information about the OpenStack-dev mailing list