
Neutron failing to deploy with "Policy DROP not allowed for user defined chains."

asked 2019-02-20 10:38:20 -0500

Marco Schuster

So, I managed to fix the neutron/nova/keystone integration from the previous question (running Rocky on a Debian Testing env with a controller and a compute node), but still I cannot spawn a "hello world" cirros instance.

I am using openstack server create --flavor 0 --image cirros --nic net-id=xxx provider-instance1 to create the instance, but after a couple of minutes it goes to ERROR status with the message nova.exception.BuildAbortException: Build of instance xxxx aborted: Failed to allocate the network(s), not rescheduling. in the logs on the compute node.

The problem seems to be somewhere in neutron:

2019-02-20 17:18:17.789 31660 DEBUG neutron.agent.linux.utils [req-00598802-3c30-472b-8ebb-503c35b3b082 - - - - -] Running command: ['sudo', 'neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ebtables', '-t', 'nat', '--concurrent', '-N', 'neutronMAC-tap88d37460-4b', '-P', 'DROP'] create_process /usr/lib/python3/dist-packages/neutron/agent/linux/
2019-02-20 17:18:18.017 31660 ERROR neutron.agent.linux.utils [req-00598802-3c30-472b-8ebb-503c35b3b082 - - - - -] Exit code: 255; Stdin: ; Stdout: ; Stderr: Policy DROP not allowed for user defined chains.

From a quick googling around, apparently neutron uses ebtables to do ARP spoof prevention. How do I either fix this error, or disable all kinds of "security" (as I am in a private demo cloud anyway and VLAN/routing separation is more than enough for me)?



Did you fix it? I have the same problem on Debian 10, Rocky OpenStack.

oxy ( 2019-10-22 10:35:13 -0500 )

2 answers


answered 2019-10-30 11:25:10 -0500

oxy

OK, got it fixed.

It's a bug in Debian buster.

update-alternatives --list ebtables
update-alternatives --config ebtables

  Selection    Path                        Priority   Status
* 0            /usr/sbin/ebtables-nft       20        auto mode
  1            /usr/sbin/ebtables-legacy    10        manual mode
  2            /usr/sbin/ebtables-nft       20        manual mode

Change it to legacy:

  1            /usr/sbin/ebtables-legacy    10        manual mode

and there is no error.


answered 2020-07-31 18:30:38 -0500

Andrew Bogott

I encountered the same issue, and oxy's suggestion seems to resolve the issue. For those who want to automate things, the one-line solution is:

# update-alternatives --set ebtables /usr/sbin/ebtables-legacy

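For configuration management, an idempotent variant of the fix from the answers above (an added example, not part of either answer): it reads `update-alternatives --query ebtables` and switches to the legacy backend only when another one is selected, so Neutron's ebtables ARP-spoofing chains can be created instead of the protection being turned off. The function names and the sample query text are constructed for illustration; the paths are the ones shown in the answers.

```shell
#!/bin/sh
LEGACY=/usr/sbin/ebtables-legacy   # path as shown in the answers above

# Print the selected alternative ("Value:" field) from query output on stdin.
current_backend() {
    awk -F': ' '$1 == "Value" { print $2; exit }'
}

# Succeed if the query output on stdin lists $1 as an installed alternative.
has_alternative() {
    awk -F': ' -v want="$1" \
        '$1 == "Alternative" && $2 == want { found = 1 } END { exit !found }'
}

# Decide from query output on stdin; prints ok, switch or missing.
plan_backend() {
    query=$(cat)
    if [ "$(printf '%s\n' "$query" | current_backend)" = "$LEGACY" ]; then
        echo ok
    elif printf '%s\n' "$query" | has_alternative "$LEGACY"; then
        echo switch
    else
        echo missing
    fi
}

# Constructed sample of the query output on an affected host (not from the page).
SAMPLE_QUERY='Name: ebtables
Link: /usr/sbin/ebtables
Status: auto
Best: /usr/sbin/ebtables-nft
Value: /usr/sbin/ebtables-nft

Alternative: /usr/sbin/ebtables-legacy
Priority: 10

Alternative: /usr/sbin/ebtables-nft
Priority: 20'

# Run as root on the affected host; changes state only when needed.
fix_backend() {
    case "$(update-alternatives --query ebtables | plan_backend)" in
        ok)      echo "ebtables already uses the legacy backend" ;;
        switch)  update-alternatives --set ebtables "$LEGACY" ;;
        missing) echo "$LEGACY is not installed" >&2; return 1 ;;
    esac
}

if [ "${1:-}" = "--apply" ]; then fix_backend; fi
```

Without `--apply` the script only defines the functions; `printf '%s\n' "$SAMPLE_QUERY" | plan_backend` shows the decision for the sample host.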

Asked: 2019-02-20 10:38:20 -0500

Seen: 404 times

Last updated: Oct 30 '19