Open Stack

On 09/19/2017 03:49 AM, Jean-Philippe Méthot wrote:
> We fixed our floating ip problem, or at least we believe we did so. We 
> cleaned out the neutron lock files and since then, no floating ip issues.
> 
> However, we’re still getting the iptables error messages on l3-agent boot.

You will probable want this very recent patch to stable/ocata for that:

https://review.openstack.org/#/c/501317/

-Brian

>> Le 19 sept. 2017 à 14:08, Remo Mattei <remo at italy1.com 
>> <mailto:remo at italy1.com>> a écrit :
>>
>> Ouch no deployment tools? Nevertheless I will check the version I have 
>>  on mine
>>
>> Remo
>>
>> Il giorno 18 set 2017, alle ore 19:43, Jean-Philippe Méthot 
>> <jp.methot at planethoster.info <mailto:jp.methot at planethoster.info>> ha 
>> scritto:
>>
>> I use RDO Ocata without any deployment tool
>> Neutron version is openstack-neutron-10.0.3-1.el7.noarch
>>
>> It's from August 28th.
>>
>> Jean-Philippe Méthot
>> Openstack system administrator
>> Administrateur système Openstack
>> PlanetHoster inc.
>>
>>
>>
>>
>>> Le 19 sept. 2017 à 11:00, Remo Mattei <remo at italy1.com 
>>> <mailto:remo at italy1.com>> a écrit :
>>>
>>> are you running RDO / Juju? What is the version?
>>>
>>> Thanks
>>>
>>> On 9/18/17 6:40 PM, Jean-Philippe Méthot wrote:
>>>> Hi,
>>>>
>>>> Thank you for your reply. We did restart all neutron services, 
>>>> several times. We also restarted the servers but the issue is still 
>>>> there.
>>>>
>>>> Best regards,
>>>>
>>>> Jean-Philippe Méthot
>>>> Openstack system administrator
>>>> Administrateur système Openstack
>>>> PlanetHoster inc.
>>>>
>>>>
>>>>
>>>>
>>>>> Le 19 sept. 2017 à 10:01, Remo Mattei <remo at italy1.com 
>>>>> <mailto:remo at italy1.com>> a écrit :
>>>>>
>>>>> I saw something similar did you restart all the services after the 
>>>>> upgrade? Just wonder. I saw some other issue when I upgraded from 
>>>>> 7.3 to 7.4 where it gave me some vif error after all servers reboot 
>>>>> the problem has been gone.
>>>>>
>>>>> Let me know.
>>>>>
>>>>> Il giorno 18 set 2017, alle ore 17:02, JP Japan 
>>>>> <jp.methot at planethoster.info <mailto:jp.methot at planethoster.info>> 
>>>>> ha scritto:
>>>>>
>>>>> Sorry, I ended up sending the previous email a bit too quickly. 
>>>>> Here’s some more info about our setup.
>>>>>
>>>>> -It’s running latest Ocata with Openvswitch and network dedicated 
>>>>> nodes.
>>>>> -The network nodes are L3HA
>>>>> -There’s no DVR here.
>>>>>
>>>>>> Le 19 sept. 2017 à 08:51, JP Japan <jp.methot at planethoster.info 
>>>>>> <mailto:jp.methot at planethoster.info>> a écrit :
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> A few days ago, we made two big changes on our production 
>>>>>> infrastructure: we updated to latest Ocata and we changed the 
>>>>>> outgoing port on our network node to a lacp port. We made the 
>>>>>> change by switching the port in br-ex in openvswitch to the new 
>>>>>> lacp-backed port. Ever since these two things happened right after 
>>>>>> the other, we’ve ran into two issues, one which has much worse 
>>>>>> consequences than the other:
>>>>>>
>>>>>> 1.We can’t add floating ips to instances anymore. The interface 
>>>>>> says the operation completed successfully, the database gets 
>>>>>> updated, but the IP address doesn’t exist in the network namespace 
>>>>>> on the network nodes. Strangely enough, the iptables rules in the 
>>>>>> NAT table do exist. The port just doesn’t receive the new address. 
>>>>>> Adding the floating ip address manually to the virtual interface 
>>>>>> with "ip netns exec *qrouter namespace id* ip addr add *ip 
>>>>>> address* dev *virtual interface*" solves this, but is in no way a 
>>>>>> permanent solution.
>>>>>>
>>>>>> 2.We’re getting an error message in the L3-agent whenever it 
>>>>>> starts informing us it was unable to add some rules in iptables 
>>>>>> because there’s a lock on xtables, while as far as we know, the 
>>>>>> L3-agent itself is the one holding the lock. Here’s the error:
>>>>>>
>>>>>> 2017-09-18 13:00:55.426 18575 ERROR neutron.callbacks.manager # 
>>>>>> Generated by iptables_manager
>>>>>> 2017-09-18 13:00:55.426 18575 ERROR neutron.callbacks.manager *nat
>>>>>> 2017-09-18 13:00:55.426 18575 ERROR neutron.callbacks.manager -I 
>>>>>> neutron-l3-agent-PREROUTING 7 -d 169.254.169.254/32 -i qr-+ -p tcp 
>>>>>> -m tcp --dport 80 -j REDIRECT --to-ports 9697
>>>>>> 2017-09-18 13:00:55.426 18575 ERROR neutron.callbacks.manager COMMIT
>>>>>> 2017-09-18 13:00:55.426 18575 ERROR neutron.callbacks.manager # 
>>>>>> Completed by iptables_manager
>>>>>> 2017-09-18 13:00:55.426 18575 ERROR neutron.callbacks.manager ; 
>>>>>> Stdout: ; Stderr: Another app is currently holding the xtables 
>>>>>> lock. Perhaps you want to use the -w option?
>>>>>> 2017-09-18 13:00:55.426 18575 ERROR neutron.callbacks.manager
>>>>>> 2017-09-18 13:00:55.426 18575 ERROR neutron.callbacks.manager
>>>>>>
>>>>>> It’s not clear exactly how this is affecting the setup, as 
>>>>>> metadata is still going through properly (most likely through the 
>>>>>> DHCP) but it’s quite worrying.
>>>>>> _______________________________________________
>>>>>> Mailing list: 
>>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>>>>> Post to     : openstack at lists.openstack.org 
>>>>>> <mailto:openstack at lists.openstack.org>
>>>>>> Unsubscribe : 
>>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>>>>
>>>>> Jean-Philippe Méthot
>>>>> Openstack system administrator
>>>>> PlanetHoster inc.
>>>>> _______________________________________________
>>>>> Mailing list: 
>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>>>> Post to     : openstack at lists.openstack.org 
>>>>> <mailto:openstack at lists.openstack.org>
>>>>> Unsubscribe : 
>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>>>
>>>
>>
> 
> 
> 
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack at lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>