I have verified the fixed package, see attached terminal output.

Steps taken:
- check package version
- verify nf_tables is used
- check default chains have not been created yet
- run test case
- check if default chain has been created

After that I upgraded the iptables packages on my neutron and compute hosts and rebooted them. Without any manual intervention the linuxbridge-agent was started and I could start a new instance which entered the "Running" state and had network connectivity. The linuxbridge-agent logs did not contain errors regarding iptables after the reboot.

** Attachment added: "bug1898547_verification"
   https://bugs.launchpad.net/ubuntu/+source/neutron/+bug/1898547/+attachment/5431817/+files/bug1898547_verification

** Tags removed: verification-needed-groovy
** Tags added: verification-done-groovy

https://bugs.launchpad.net/bugs/1898547

Title:
  neutron-linuxbridge-agent fails to start with iptables 1.8.5

Status in Ubuntu on IBM z Systems:
  Fix Committed
Status in iptables package in Ubuntu:
  Fix Committed
Status in neutron package in Ubuntu:
  Invalid
Status in iptables source package in Groovy:
  Fix Committed
Status in neutron source package in Groovy:
  Invalid
Status in iptables source package in Hirsute:
  Fix Committed
Status in neutron source package in Hirsute:
  Invalid

Bug description:
  [Impact]

  With iptables 1.8.5 neutron-linuxbridge-agent fails to properly start. The log file shows many errors like:

  2020-10-05 10:20:37.998 551 ERROR neutron.plugins.ml2.drivers.agent._common_agent ; Stdout: ; Stderr: iptables-restore: line 29 failed

  This can be demonstrated with a simple test case:

  iptables-restore <<EOF
  *filter
  :INPUT - [0:0]
  COMMIT
  EOF

  This fails with iptables 1.8.5 and is a known upstream bug that was subsequently fixed in upstream commit https://git.netfilter.org/iptables/commit/?id=0bd7a8eaf3582159490ab355b1217a4e42ed021f

  As such, neutron-linuxbridge-agent is not able to be used successfully on groovy. This fix to iptables is required to allow neutron-linuxbridge-agent to successfully run.

  In hirsute, iptables 1.8.5-3ubuntu3 has been uploaded which fixes this bug by backporting the upstream fix from commit 0bd7a8eaf3582159490ab355b1217a4e42ed021f above. This is currently sitting in hirsute-proposed waiting for autopkgtests to complete to finish migration.

  For groovy, iptables 1.8.5-3ubuntu2.20.10.1 is sitting in Unapproved and is the subject of this SRU (this is simply 1.8.5-3ubuntu3 packaged for groovy).

  [Test Case]

  This can be reproduced by the test case.

  [Regression Potential]

  * This is a low risk update since it only affects the behaviour when a policy of '-' is specified and so does not affect any users of iptables that specify an explicit policy (like ACCEPT, REJECT etc). Since this '-' behaviour is currently broken it has a very low chance of causing a regression as it does not affect any code paths that use an explicit policy. One possible regression would be if any users of iptables-restore were relying on this failing behaviour, but since this has only failed for groovy and no other Ubuntu releases this is highly unlikely. The other possibility is that the patch introduces some other failure, however as stated above, close analysis of the patch shows it only introduces new behaviour when the policy is specified as '-' - so this should be impossible.

  * In the event of a regression, iptables can be reverted back to a rebuild of 1.8.5-3ubuntu1 by simply backing out this patch.

  [Other Info]

  * Details regarding an explicit test verification of neutron-linuxbridge-agent will be added soon.