[ironic][neutron] nf_conntrack_helper now disabled by default

Julia Kreger juliaashleykreger at gmail.com
Mon Jan 7 16:48:48 UTC 2019 

Thanks for bringing this up Derek!
Comments below.

On Mon, Jan 7, 2019 at 8:30 AM Derek Higgins <derekh at redhat.com> wrote:
>
> Hi All,
>
> Shortly before the holidays CI jobs moved from xenial to bionic, for
> Ironic this meant a bunch failures[1], all have now been dealt with,
> with the exception of the UEFI job. It turns out that during this job
> our (virtual) baremetal nodes use tftp to download a ipxe image. In
> order to track these tftp connections we have been making use of the
> fact that nf_conntrack_helper has been enabled by default. In newer
> kernel versions[2] this is no longer the case and I'm now trying to
> figure out the best way to deal with the new behaviour. I've put
> together some possible solutions along with some details on why they
> are not ideal and would appreciate some opinions

The git commit message suggests that users should explicitly put in rules such
that the traffic is matched. I feel like the kernel change ends up
being a behavior
change in this case.

I think the reasonable path forward is to have a configuration
parameter that the
l3 agent can use to determine to set the netfilter connection tracker helper.

Doing so, allows us to raise this behavior change to operators minimizing the
need of them having to troubleshoot it in production, and gives them a choice
in the direction that they wish to take.

[trim]

> 3. Enable the contrack helper in the router network namespace when it
> is created[3]
> This works for ironic CI, but there may be better solutions that can
> be worked within neutron that I'm not aware of. Of the 3 options above
> this would be most transparent to other operators as the original
> behaviour would be maintained.
>
My thoughts exactly.

> thoughts on any of the above? or better solutions?

I think we should just raise it as a configuration option. Coupled with a
release note, provides operators visibility to the kernel change.

>
> 1 - https://storyboard.openstack.org/#!/story/2004604
> 2 - https://kernel.googlesource.com/pub/scm/linux/kernel/git/horms/ipvs-next/+/3bb398d925ec73e42b778cf823c8f4aecae359ea
> 3 - https://review.openstack.org/#/c/628493/1
>

More information about the openstack-discuss mailing list