Red Hat OpenStack Services on OpenShift / OSPRH-13682

"Block OUTPUT SYN packets to this node on other haproxy nodes" play blocks minor upgrade in Cisco ACI environment

    • openstack-tripleo-heat-templates-14.3.1-17.1.20250604104201.e7c7ce3.el8ost openstack-tripleo-heat-templates-14.3.1-17.1.20250604111154.e7c7ce3.el9ost
    • rhos-ops-day1day2-upgrades
    • .Fixes minor update failures related to raw tables with Cisco ACI equipment

      Before this update, a minor update from 17.1.3 to 17.1.4 failed on Cisco ACI because the "raw" table had not been created, so the nft insert failed. With this update, you can check whether the raw table exists so you can use it, or use a filter table instead.
    • Bug Fix
    • Done
    • RHOS Upgrades 2025 Sprint 2
    • 1
    • Moderate

      To Reproduce
      Steps to reproduce the behavior:
      A fix for https://bugzilla.redhat.com/show_bug.cgi?id=2314658 switched from adding rules to the filter table to adding them to the raw table. The problem is that it looks like the raw table will not be initialized unless standard Neutron mechanism drivers (ML2/OVN or ML2/OVS) are used.

      For standard mechanism drivers we have hardcoded rules in the raw table to allow Geneve and VXLAN traffic. But it looks like Cisco ACI doesn't have similar rules, and the raw table is not created in this case.

      As a result, the "Block OUTPUT SYN packets to this node on other haproxy nodes" play fails while spamming similar errors:

      insert rule ip raw OUTPUT ip daddr 192.168.1.1 tcp dport 8000 tcp flags syn / fin,syn,rst,ack meta time 1738157008-1738158208 counter drop comment controller-0_haproxy_
      drop
                     ^^^
      Error: No such file or directory; did you mean table ‘filter’ in family ip?
      

      Expected behavior
      I expect TripleO to create the raw table if it doesn't exist when we want to insert rules there.

      Bug impact
      Minor update is blocked

      Known workaround
      We will try to pre-create the raw table and retry.

              rhn-engineering-lbezdick Lukas Bezdicka
              rhn-support-astupnik Alex Stupnikov
              rhos-dfg-upgrades
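
The check described in the release note (use the raw table if it exists, otherwise the filter table) and the pre-create workaround, as an added shell example that is not the TripleO fix or code from this issue. It works on the text of `nft list ruleset`; the function names and the sample rulesets are constructed for illustration.

```shell
#!/bin/sh
# Added example, not TripleO code. Decides where the haproxy SYN-drop rule
# can be inserted, given the text of `nft list ruleset`.

# has_chain FAMILY TABLE CHAIN < ruleset : exit 0 if that chain exists.
has_chain() {
    awk -v fam="$1" -v tbl="$2" -v chn="$3" '
        $1 == "table" { in_tbl = ($2 == fam && $3 == tbl) }
        in_tbl && $1 == "chain" && $2 == chn { found = 1 }
        END { exit !found }
    '
}

# pick_table RULESET : print "raw" if ip raw OUTPUT exists, else "filter" if
# ip filter OUTPUT exists; return 1 when neither can take the rule.
pick_table() {
    if printf '%s\n' "$1" | has_chain ip raw OUTPUT; then
        echo raw
    elif printf '%s\n' "$1" | has_chain ip filter OUTPUT; then
        echo filter
    else
        return 1
    fi
}

# precreate_raw : print (not run) the commands for the pre-create workaround.
precreate_raw() {
    echo "nft add table ip raw"
    echo "nft 'add chain ip raw OUTPUT { type filter hook output priority raw; policy accept; }'"
}

# Constructed samples (hypothetical hosts, not captured output).
NO_RAW='table ip filter {
    chain OUTPUT {
        type filter hook output priority filter; policy accept;
    }
}'
WITH_RAW="table ip raw {
    chain OUTPUT {
        type filter hook output priority raw; policy accept;
    }
}
$NO_RAW"
INET_ONLY='table inet filter {
    chain OUTPUT {
        type filter hook output priority filter; policy accept;
    }
}'

# On a live node (root required): pick_table "$(nft list ruleset)" || precreate_raw
```

The `INET_ONLY` sample covers a host that has an `OUTPUT` chain only in the `inet` family: the `ip raw` insert from the error above would still fail there, so `pick_table` returns non-zero and the caller pre-creates the table.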