Re: [Openstack] Floating IP not being added in namespace anymore

[Jean-Philippe Méthot]

It seems that adding this patch did not solve the issue. I’m still getting 
those iptable errors.


Jean-Philippe Méthot
Openstack system administrator
Administrateur système Openstack
PlanetHoster inc.




> Le 19 sept. 2017 à 10:37, Jean-Philippe Méthot <jp.met...@planethoster.info> 
> a écrit :
> 
> Hi,
> 
> I do not have this fix. Seems it’s too recent for the latest RDO-Ocata. I 
> will apply it, it should solve the iptables issue. I have a hunch it’s not 
> the cause of the missing floatingip issue though, but I will try.
> 
> Thank you for your help,
> 
> Jean-Philippe Méthot
> Openstack system administrator
> Administrateur système Openstack
> PlanetHoster inc.
> 
> 
> 
> 
>> Le 19 sept. 2017 à 09:51, Ajay Kalambur (akalambu) <akala...@cisco.com 
>> <mailto:akala...@cisco.com>> a écrit :
>> 
>> Do you have this fix
>> https://review.openstack.org/#/c/501317/ 
>> <https://review.openstack.org/#/c/501317/>
>> 
>> 
>> Ajay
>> 
>> From: JP Japan <jp.met...@planethoster.info 
>> <mailto:jp.met...@planethoster.info>>
>> Date: Monday, September 18, 2017 at 5:02 PM
>> To: "openstack@lists.openstack.org <mailto:openstack@lists.openstack.org>" 
>> <openstack@lists.openstack.org <mailto:openstack@lists.openstack.org>>
>> Subject: Re: [Openstack] Floating IP not being added in namespace anymore
>> 
>> Sorry, I ended up sending the previous email a bit too quickly. Here’s some 
>> more info about our setup.
>> 
>> -It’s running latest Ocata with Openvswitch and network dedicated nodes.
>> -The network nodes are L3HA
>> -There’s no DVR here.
>> 
>>> Le 19 sept. 2017 à 08:51, JP Japan <jp.met...@planethoster.info 
>>> <mailto:jp.met...@planethoster.info>> a écrit :
>>> 
>>> Hi,
>>> 
>>> A few days ago, we made two big changes on our production infrastructure: 
>>> we updated to latest Ocata and we changed the outgoing port on our network 
>>> node to a lacp port. We made the change by switching the port in br-ex in 
>>> openvswitch to the new lacp-backed port. Ever since these two things 
>>> happened right after the other, we’ve ran into two issues, one which has 
>>> much worse consequences than the other:
>>> 
>>> 1.We can’t add floating ips to instances anymore. The interface says the 
>>> operation completed successfully, the database gets updated, but the IP 
>>> address doesn’t exist in the network namespace on the network nodes. 
>>> Strangely enough, the iptables rules in the NAT table do exist. The port 
>>> just doesn’t receive the new address. Adding the floating ip address 
>>> manually to the virtual interface with "ip netns exec *qrouter namespace 
>>> id* ip addr add *ip address* dev *virtual interface*" solves this, but is 
>>> in no way a permanent solution.
>>> 
>>> 2.We’re getting an error message in the L3-agent whenever it starts 
>>> informing us it was unable to add some rules in iptables because there’s a 
>>> lock on xtables, while as far as we know, the L3-agent itself is the one 
>>> holding the lock. Here’s the error: 
>>> 
>>> 2017-09-18 13:00:55.426 18575 ERROR neutron.callbacks.manager # Generated 
>>> by iptables_manager
>>> 2017-09-18 13:00:55.426 18575 ERROR neutron.callbacks.manager *nat
>>> 2017-09-18 13:00:55.426 18575 ERROR neutron.callbacks.manager -I 
>>> neutron-l3-agent-PREROUTING 7 -d 169.254.169.254/32 -i qr-+ -p tcp -m tcp 
>>> --dport 80 -j REDIRECT --to-ports 9697
>>> 2017-09-18 13:00:55.426 18575 ERROR neutron.callbacks.manager COMMIT
>>> 2017-09-18 13:00:55.426 18575 ERROR neutron.callbacks.manager # Completed 
>>> by iptables_manager
>>> 2017-09-18 13:00:55.426 18575 ERROR neutron.callbacks.manager ; Stdout: ; 
>>> Stderr: Another app is currently holding the xtables lock. Perhaps you want 
>>> to use the -w option?
>>> 2017-09-18 13:00:55.426 18575 ERROR neutron.callbacks.manager
>>> 2017-09-18 13:00:55.426 18575 ERROR neutron.callbacks.manager 
>>> 
>>> It’s not clear exactly how this is affecting the setup, as metadata is 
>>> still going through properly (most likely through the DHCP) but it’s quite 
>>> worrying.
>>> _______________________________________________
>>> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack 
>>> <http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack>
>>> Post to     : openstack@lists.openstack.org 
>>> <mailto:openstack@lists.openstack.org>
>>> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack 
>>> <http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack>
>> 
>> Jean-Philippe Méthot
>> Openstack system administrator
>> PlanetHoster inc.
> 
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack@lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack


_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack