[neutron][metering] Duplicated Neutron Meter Rules in different projects kills metering

merlin.blom at bertelsmann.de
Thu Feb 13 09:49:17 UTC 2020


I want to use Neutron Meter with gnocchi to report the egress bandwidth used
for public traffic.
So I created neutron meter labels and neutron meter rules to include all
ipv4 traffic:
+-------------------+-------------------------------------------------------------------------------------------+
| Field             | Value                                                                                     |
+-------------------+-------------------------------------------------------------------------------------------+
| direction         | egress                                                                                    |
| id                | f2c9b9a8-0af3-40a5-a718-6e841bad111d                                                      |
| is_excluded       | False                                                                                     |
| location          | cloud='', project.domain_id='default', project.domain_name=,                              |
|                   | project.id='80120067cd7949908e44dce45aeb7712', project.name='billing', region_name='xxx', |
|                   | zone=                                                                                     |
| metering_label_id | d0068fc8-4a3e-4108-aa11-e3c171d4d1e1                                                      |
| name              | None                                                                                      |
| project_id        | None                                                                                      |
| remote_ip_prefix  | 0.0.0.0/0                                                                                 |
+-------------------+-------------------------------------------------------------------------------------------+

And excluded all private nets:
+-------------------+-------------------------------------------------------------------------------------------+
| Field             | Value                                                                                     |
+-------------------+-------------------------------------------------------------------------------------------+
| direction         | egress                                                                                    |
| id                | 838c9631-665b-42b6-b1e9-539983a38573                                                      |
| is_excluded       | True                                                                                      |
| location          | cloud='', project.domain_id='default', project.domain_name=,                              |
|                   | project.id='80120067cd7949908e44dce45aeb7712', project.name='billing', region_name='xxx', |
|                   | zone=                                                                                     |
| metering_label_id | 435652e6-e985-4351-a31a-954bace9eea0                                                      |
| name              | None                                                                                      |
| project_id        | None                                                                                      |
| remote_ip_prefix  | 10.0.0.0/8                                                                                |
+-------------------+-------------------------------------------------------------------------------------------+

It works fine for just one project but if I apply it to all projects it
fails and no measures are recorded in gnocchi.

The neutron-metering-agent.log shows the following warning:
Feb 13 09:14:18 xxx_host neutron-metering-agent: 2020-02-13 09:14:09.648 4732 WARNING neutron.agent.linux.iptables_manager [req-4c38f1f5-2db4-4d4a-9c1f-9585b1b50427 65c6d4bdcbc7469a910f6361b7f70f27 80120067cd7949908e44dce45aeb7712 - - -] Duplicate iptables rule detected. This may indicate a bug in the iptables rule generation code. Line: -A neutron-meter-r-28155d45-d16 -s 10.0.0.0/8 -o qg-c61bafef-ea -j RETURN

I would expect that it is possible to have similar rules for different
projects.

What do you think? Is it part of the rule creation code?

In the iptables_manager code the function is criticized:
 
https://github.com/openstack/neutron/blob/86e4f141159072421a19080455caba1b0efef776/neutron/agent/linux/iptables_manager.py

        # TODO(kevinbenton): remove this function and the next one. They are
        # just oversized brooms to sweep bugs under the rug!!! We generate the
        # rules and we shouldn't be generating duplicates.
        def _weed_out_duplicates(line):
            if line in seen_lines:
                thing = 'chain' if line.startswith(':') else 'rule'
                LOG.warning("Duplicate iptables %(thing)s detected. This "
                            "may indicate a bug in the iptables "
                            "%(thing)s generation code. Line: %(line)s",
                            {'thing': thing, 'line': line})
                return False
            seen_lines.add(line)
            # Leave it alone
            return True

 

https://bugs.launchpad.net/neutron/+bug/1863068

 

Merlin Blom
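
An added example, not part of the original post and not Neutron code: a small Python script that summarizes the "Duplicate iptables rule detected" warnings in neutron-metering-agent.log by chain and project ID, so an operator can see which meter chains are affected. The first sample rule is the one quoted in the post; the second chain name, the INFO line and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Warning text logged by _weed_out_duplicates. The bracketed request context is
# "req-id user-id project-id ...", as in the log line quoted in the post.
WARNING_RE = re.compile(
    r"\[(?P<req>req-\S+) (?P<user>\S+) (?P<project>\S+)[^\]]*\] "
    r"Duplicate iptables (?P<thing>rule|chain) detected\."
    r".*? Line: (?P<line>.+)$"
)

def chain_of(thing, line):
    """Chain name from a '-A <chain> ...' rule or a ':<chain> - [0:0]' line."""
    fields = line.split()
    if thing == "rule":
        return fields[1] if len(fields) > 1 and fields[0] == "-A" else None
    return fields[0].lstrip(":") if fields else None

def summarize_duplicates(log_lines):
    """Map (chain, iptables line) -> {'count': n, 'projects': {project ids}}."""
    summary = defaultdict(lambda: {"count": 0, "projects": set()})
    for raw in log_lines:
        m = WARNING_RE.search(raw.strip())
        if not m:
            continue  # not a duplicate warning
        line = m.group("line").strip()
        entry = summary[(chain_of(m.group("thing"), line), line)]
        entry["count"] += 1
        entry["projects"].add(m.group("project"))
    return dict(summary)

# Sample input. The first rule is the one from the post; the second chain name
# and the INFO line are constructed.
WARN = ("Feb 13 09:14:18 xxx_host neutron-metering-agent: 2020-02-13 09:14:09.648 "
        "4732 WARNING neutron.agent.linux.iptables_manager "
        "[req-4c38f1f5-2db4-4d4a-9c1f-9585b1b50427 65c6d4bdcbc7469a910f6361b7f70f27 "
        "80120067cd7949908e44dce45aeb7712 - - -] Duplicate iptables rule detected. "
        "This may indicate a bug in the iptables rule generation code. Line: %s")
SAMPLE_LOG = [
    WARN % "-A neutron-meter-r-28155d45-d16 -s 10.0.0.0/8 -o qg-c61bafef-ea -j RETURN",
    WARN % "-A neutron-meter-r-28155d45-d16 -s 10.0.0.0/8 -o qg-c61bafef-ea -j RETURN",
    WARN % "-A neutron-meter-r-00000000-000 -s 10.0.0.0/8 -o qg-c61bafef-ea -j RETURN",
    "2020-02-13 09:14:10.000 4732 INFO constructed.module [-] unrelated line",
]

if __name__ == "__main__":
    for (chain, line), info in summarize_duplicates(SAMPLE_LOG).items():
        print(info["count"], chain, sorted(info["projects"]), line)
```
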

 
