Neutron failing to deploy with "Policy DROP not allowed for user defined chains."

asked 2019-02-20 10:38:20 -0500

Marco Schuster gravatar image

So, I managed to fix the neutron/nova/keystone integration from the previous question (running Rocky on a Debian Testing env with a controller and a compute node), but still I cannot spawn a "hello world" cirros instance.

I am using openstack server create --flavor 0 --image cirros --nic net-id=xxx provider-instance1 to create the instance, but after a couple of minutes it goes to ERROR status with the message nova.exception.BuildAbortException: Build of instance xxxx aborted: Failed to allocate the network(s), not rescheduling. in the logs on the compute node.

The problem seems to be somewhere in neutron:

2019-02-20 17:18:17.789 31660 DEBUG neutron.agent.linux.utils [req-00598802-3c30-472b-8ebb-503c35b3b082 - - - - -] Running command: ['sudo', 'neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ebtables', '-t', 'nat', '--concurrent', '-N', 'neutronMAC-tap88d37460-4b', '-P', 'DROP'] create_process /usr/lib/python3/dist-packages/neutron/agent/linux/
2019-02-20 17:18:18.017 31660 ERROR neutron.agent.linux.utils [req-00598802-3c30-472b-8ebb-503c35b3b082 - - - - -] Exit code: 255; Stdin: ; Stdout: ; Stderr: Policy DROP not allowed for user defined chains.

From a quick googling around, apparently neutron uses ebtables to do ARP spoof prevention. How do I either fix this error, or disable all kinds of "security" (as I am in a private demo cloud anyway and VLAN/routing separation is more than enough for me)?

edit retag flag offensive close merge delete