git.net

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[kolla] neutron-l3-agent namespace NAT table not working?


Do you happen to have the bug ID for Centos?

On Sun, Jan 5, 2020 at 2:11 PM Jon Masters <jcm at jonmasters.org> wrote:

> This turns out to a not well documented bug in the CentOS7.7 kernel that
> causes exactly nat rules not to run as I was seeing. Oh dear god was this
> nasty as whatever to find and workaround.
>
> --
> Computer Architect
>
>
> > On Jan 4, 2020, at 10:39, Jon Masters <jcm at jonmasters.org> wrote:
> >
> > Excuse top posting on my phone. Also, yes, the namespaces are as
> described. Itâ??s just that the (correct) nat rules for the qrouter netns are
> never running, in spite of the two interfaces existing in that ns and
> correctly attached to the vswitch.
> >
> > --
> > Computer Architect
> >
> >
> >>> On Jan 4, 2020, at 07:56, Sean Mooney <smooney at redhat.com> wrote:
> >>>
> >>> On Sat, 2020-01-04 at 10:46 +0100, Slawek Kaplonski wrote:
> >>> Hi,
> >>>
> >>> Is this qrouter namespace created with all those rules in container or
> in the host directly?
> >>> Do You have qr-xxx and qg-xxx ports from br-int in this qrouter
> namespace?
> >> in kolla the l3 agent should be running with net=host so the container
> should be useing the hosts
> >> root namespace  and it will create network namespaces as needed for the
> different routers.
> >>
> >> the ip table rules should be in the router sub namespaces.
> >>
> >>>
> >>>>> On 4 Jan 2020, at 05:44, Jon Masters <jcm at jonmasters.org> wrote:
> >>>>
> >>>> Hi there,
> >>>>
> >>>> I've got a weird problem with the neutron-l3-agent container on my
> deployment. It comes up, sets up the iptables
> >>>> rules in the qrouter namespace (and I can see these using "ip
> netns...") but traffic isn't having DNAT or SNAT
> >>>> applied. What's most strange is that manually adding a LOG jump
> target to the iptables nat PRE/POSTROUTING chains
> >>>> (after enabling nf logging sent to the host kernel, confirmed that
> works) doesn't result in any log entries. It's as
> >>>> if the nat table isn't being applied at all for any packets
> traversing the qrouter namespace. This is driving me
> >>>> crazy :)
> >>>>
> >>>> Anyone got some quick suggestions? (assume I tried the obvious stuff).
> >>>>
> >>>> Jon.
> >>>>
> >>>> --
> >>>> Computer Architect
> >>>
> >>> â??
> >>> Slawek Kaplonski
> >>> Senior software engineer
> >>> Red Hat
> >>>
> >>>
> >>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20200105/755a39fe/attachment.html>