I have manually setup a fresh OpenStack Pike HA environment based on Ubuntu 16.04.3 in conjunction with DVR. Firewall creation works in case of centralized routers, but when a firewall gets attached to a distributed router, the firewall gets stuck in "PENDUNG UPDATE". The log file contains the following exception:
2017-09-06 13:58:29.572 22581 ERROR oslo_messaging.rpc.server [req-28e7a23e-fa55-4358-9977-c1db08435624 dddfba8e02f746799a6408a523e6cd25 ed2d2efd86dd40e7a45491d8502318d3 - - -] Exception during message handling: AttributeError: 'DvrEdgeHaRouter' object has no attribute 'dist_fip_count'
2017-09-06 13:58:29.572 22581 ERROR oslo_messaging.rpc.server Traceback (most recent call last):
2017-09-06 13:58:29.572 22581 ERROR oslo_messaging.rpc.server File "/usr/lib/python2.7/dist-packages/oslo_messaging/rpc/server.py", line 160, in _process_incoming
2017-09-06 13:58:29.572 22581 ERROR oslo_messaging.rpc.server res = self.dispatcher.dispatch(message)
2017-09-06 13:58:29.572 22581 ERROR oslo_messaging.rpc.server File "/usr/lib/python2.7/dist-packages/oslo_messaging/rpc/dispatcher.py", line 213, in dispatch
2017-09-06 13:58:29.572 22581 ERROR oslo_messaging.rpc.server return self._do_dispatch(endpoint, method, ctxt, args)
2017-09-06 13:58:29.572 22581 ERROR oslo_messaging.rpc.server File "/usr/lib/python2.7/dist-packages/oslo_messaging/rpc/dispatcher.py", line 183, in _do_dispatch
2017-09-06 13:58:29.572 22581 ERROR oslo_messaging.rpc.server result = func(ctxt, **new_args)
2017-09-06 13:58:29.572 22581 ERROR oslo_messaging.rpc.server File "/usr/lib/python2.7/dist-packages/oslo_log/helpers.py", line 67, in wrapper
2017-09-06 13:58:29.572 22581 ERROR oslo_messaging.rpc.server return method(*args, **kwargs)
2017-09-06 13:58:29.572 22581 ERROR oslo_messaging.rpc.server File "/usr/lib/python2.7/dist-packages/neutron_fwaas/services/firewall/agents/l3reference/firewall_l3_agent.py", line 284, in create_firewall
2017-09-06 13:58:29.572 22581 ERROR oslo_messaging.rpc.server firewall)
2017-09-06 13:58:29.572 22581 ERROR oslo_messaging.rpc.server File "/usr/lib/python2.7/dist-packages/neutron_fwaas/services/firewall/drivers/linux/iptables_fwaas.py", line 89, in create_firewall
2017-09-06 13:58:29.572 22581 ERROR oslo_messaging.rpc.server self._setup_firewall(agent_mode, apply_list, firewall)
2017-09-06 13:58:29.572 22581 ERROR oslo_messaging.rpc.server File "/usr/lib/python2.7/dist-packages/neutron_fwaas/services/firewall/drivers/linux/iptables_fwaas.py", line 195, in _setup_firewall
2017-09-06 13:58:29.572 22581 ERROR oslo_messaging.rpc.server agent_mode, router_info)
2017-09-06 13:58:29.572 22581 ERROR oslo_messaging.rpc.server File "/usr/lib/python2.7/dist-packages/neutron_fwaas/services/firewall/drivers/linux/iptables_fwaas.py", line 119, in _get_ipt_mgrs_with_if_prefix
2017-09-06 13:58:29.572 22581 ERROR oslo_messaging.rpc.server if router_info.dist_fip_count:
2017-09-06 13:58:29.572 22581 ERROR oslo_messaging.rpc.server AttributeError: 'DvrEdgeHaRouter' object has no attribute 'dist_fip_count'
Some version information:
$ pip list | grep neutron
neutron (11.0.0)
neutron-fwaas (11.0.0)
neutron-fwaas-dashboard (1.0.1.dev1)
neutron-lbaas (11.0.0)
neutron-lbaas-dashboard (3.0.1)
neutron-lib (1.9.1)
##############################
l3_agent.ini
##############################
[DEFAULT]
agent_mode = dvr_snat
interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
[agent]
extensions = fwaas
[fwaas]
agent_version = v1
driver = iptables
enabled = true
##############################
neutron.conf
##############################
[DEFAULT]
allow_overlapping_ips = true
auth_strategy = keystone
base_mac = 02:05:69:00:00:00
bind_host = 10.30.200.101
bind_port = 9696
core_plugin = ml2
debug = false
default_log_levels=amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=WARN,oslo.messaging=WARN,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN,taskflow=WARN,keystoneauth=WARN,oslo.cache=WARN,dogpile.core.dogpile=WARN,oslo_service=WARN,neutron=WARN
dhcp_agents_per_network = 2
dns_domain = openstack.mycompany.com.
dvr_base_mac = 0A:05:69:00:00:00
endpoint_type = internalURL
host = os-network01
interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
l3_ha = true
l3_ha_net_cidr = 169.254.192.0/18
log_dir = /var/log/neutron
max_l3_agents_per_router = 2
min_l3_agents_per_router = 2
notify_nova_on_port_data_changes = true
notify_nova_on_port_status_changes = true
router_distributed = true
service_plugins = router,firewall,qos,lbaasv2
state_path = /var/lib/neutron
transport_url = rabbit://neutron:neutronpass@os-rabbit01:5672,neutron:neutronpass@os-rabbit02:5672/openstack
[agent]
root_helper = sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf
[database]
connection = mysql+pymysql://neutron:neutronDBpass@os-controller/neutron
max_retries = -1
[keystone_authtoken]
auth_type = password
auth_uri = https://os-cloud.mycompany.com:5000
auth_url = http://os-identity:35357
memcached_servers = os-memcache:11211
password = neutronpass
project_domain_name = default
project_name = service
user_domain_name = default
username = neutron
[nova]
auth_type = password
auth_url = http://os-identity:35357
endpoint_type = internal
password = novapass
project_domain_name = default
project_name = service
region_name = RegionOne
user_domain_name = default
username = nova
[oslo_concurrency]
lock_path = /var/lock/neutron
[oslo_messaging_notifications]
driver = messagingv2
[oslo_messaging_rabbit]
amqp_durable_queues = true
rabbit_ha_queues = true
rabbit_retry_backoff = 2
rabbit_retry_interval = 1
[oslo_middleware]
enable_proxy_headers_parsing = true
[service_providers]
service_provider = FIREWALL:Iptables:neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver:default
service_provider = LOADBALANCERV2:Haproxy:neutron_lbaas.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default
##############################
fwaas_driver.ini
##############################
[fwaas]
enabled = true
driver = neutron_fwaas.services.firewall.drivers.linux.iptables_fwaas.IptablesFwaasDriver
May someone please have a look.
While the neutron base code changed in April 2017, the FWaaS code did not, so there's a bug.
The code needs to change something like this:
< if router_
--
> if router_