neutron-linuxbridge-agent 在 Openstack Ussuri 中崩溃

neutron-linuxbridge-agent 在 Openstack Ussuri 中崩溃

在我们新安装的 Openstack Ussuri 中,neutron-linuxbridge-agent 在两个计算节点上都崩溃了。安装过程按照 Ubuntu (20.04) 的说明进行,网址为https://docs.openstack.org/install-guide

neutron-linuxbridge-agent.log 显示

2021-02-09 20:40:30.921 54590 ERROR neutron.agent.linux.utils [req-c6741275-9bd6-47a3-894c-856cb5ad0e62 - - - - -] Exit code: 4; Stdin: ; Stdout: ; Stderr: ebtables v1.8.4 (nf_tables):  CHAIN_USER_DEL failed (Device or resource busy): chain neutronARP-tap0a9b5e3a-21
[...]
2021-02-09 20:40:30.923 54590 ERROR oslo_service.service neutron_lib.exceptions.ProcessExecutionError: Exit code: 4; Stdin: ; Stdout: ; Stderr: ebtables v1.8.4 (nf_tables):  CHAIN_USER_DEL failed (Device or resource busy): chain neutronARP-tap0a9b5e3a-21
2021-02-09 20:40:30.923 54590 ERROR oslo_service.service
2021-02-09 20:40:30.923 54590 ERROR oslo_service.service
2021-02-09 20:40:30.929 54590 INFO neutron.plugins.ml2.drivers.agent._common_agent [-] Stopping Linux bridge agent agent.

重新启动代理会产生相同的结果。看起来是 nf_tables 的问题。但我们没有手动配置 nf_tables。有什么想法吗?

日志文件的相关部分:https://pastebin.com/7fSVBqdd

中子配置:https://pastebin.com/Yg0HpwXc

编辑:当我删除日志文件中提到的所有 nf_tables 规则时,我可以启动代理:

nft flush chain bridge nat neutronARP-tap0a9b5e3a-21

当然,这不是解决方案,而只是一种快速的解决方法......

答案1

代码中有一个错误,此补丁将修复该问题:

diff --git a/neutron/plugins/ml2/drivers/linuxbridge/agent/arp_protect.py b/neutron/plugins/ml2/drivers/linuxbridge/agent/arp_protect.py
index d65e2bb..6ed3f7e 100644
--- a/neutron/plugins/ml2/drivers/linuxbridge/agent/arp_protect.py
+++ b/neutron/plugins/ml2/drivers/linuxbridge/agent/arp_protect.py
@@ -87,8 +87,7 @@
         ebtables(['-D', chain, '-i', vif, '-j',
                   chain_name(vif), '-p', 'ARP'], table=table)
     for vif in vifs:
-        if chain_exists(chain_name(vif), current_rules):
-            ebtables(['-X', chain_name(vif)], table=table)
+        chain_delete(chain_name(vif), table, current_rules)
     _delete_mac_spoofing_protection(vifs, current_rules, table=table,
                                     chain=chain)
 
@@ -154,6 +153,13 @@
     return False
 
 
+def chain_delete(chain, table, current_rules):
+    # flush and delete chain if exists
+    if chain_exists(chain, current_rules):
+        ebtables(['-F', chain], table=table)
+        ebtables(['-X', chain], table=table)
+
+
 def vif_jump_present(vif, current_rules):
     searches = (('-i %s' % vif), ('-j %s' % chain_name(vif)), ('-p ARP'))
     for line in current_rules:
@@ -212,9 +218,7 @@
         ebtables(['-D', chain, '-i', vif, '-j',
                   _mac_chain_name(vif)], table=table)
     for vif in vifs:
-        chain = _mac_chain_name(vif)
-        if chain_exists(chain, current_rules):
-            ebtables(['-X', chain], table=table)
+        chain_delete(_mac_chain_name(vif), table, current_rules)
 
 
 # Used to scope ebtables commands in testing

使用 Ansible 来部署它:

---
- name: Neutron hotfix patch
  hosts: all
  tasks: 
    - name: copy patch 
      copy: 
        src: 2207b88.diff
        dest: /openstack/venvs/neutron-21.2.0/lib/python3.8/site-packages
    - name: Apply patch
      shell: cd /openstack/venvs/neutron-21.2.0/lib/python3.8/site-packages && git apply 2207b88.diff

    - systemd:
        name: neutron-linuxbridge-agent.service
        state: restarted

相关内容