Neutron failing to deploy with "Policy DROP not allowed for user defined chains."

asked 2019-02-20

Marco Schuster

So, I managed to fix the neutron/nova/keystone integration from the previous question (running Rocky on a Debian Testing env with a controller and a compute node), but still I cannot spawn a "hello world" cirros instance.

I am using openstack server create --flavor 0 --image cirros --nic net-id=xxx provider-instance1 to create the instance, but after a couple of minutes it goes to ERROR status with the message nova.exception.BuildAbortException: Build of instance xxxx aborted: Failed to allocate the network(s), not rescheduling. in the logs on the compute node.

The problem seems to be somewhere in neutron:

2019-02-20 17:18:17.789 31660 DEBUG neutron.agent.linux.utils [req-00598802-3c30-472b-8ebb-503c35b3b082 - - - - -] Running command: ['sudo', 'neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ebtables', '-t', 'nat', '--concurrent', '-N', 'neutronMAC-tap88d37460-4b', '-P', 'DROP'] create_process /usr/lib/python3/dist-packages/neutron/agent/linux/
2019-02-20 17:18:18.017 31660 ERROR neutron.agent.linux.utils [req-00598802-3c30-472b-8ebb-503c35b3b082 - - - - -] Exit code: 255; Stdin: ; Stdout: ; Stderr: Policy DROP not allowed for user defined chains.

From a quick googling around, apparently neutron uses ebtables to do ARP spoof prevention. How do I either fix this error, or disable all kinds of "security" (as I am in a private demo cloud anyway and VLAN/routing separation is more than enough for me)?

Did you fix it? I have the same problem on Debian 10, Rocky OpenStack.

oxy ( 2019-10-22 )

answered 2019-10-30

oxy

OK, got it fixed.

It's a bug in Debian Buster.

update-alternatives --list ebtables
update-alternatives --config ebtables

  Selection    Path                         Priority   Status
* 0            /usr/sbin/ebtables-nft        20         auto mode
  1            /usr/sbin/ebtables-legacy     10         manual mode
  2            /usr/sbin/ebtables-nft        20         manual mode

Change it to legacy:

1 /usr/sbin/ebtables-legacy 10 manual mode

and there is no error.

answered 2020-07-31

Andrew Bogott

I encountered the same issue, and oxy's suggestion seems to resolve the issue. For those who want to automate things, the one-line solution is:

# update-alternatives --set ebtables /usr/sbin/ebtables-legacy
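An idempotent version of the fix from the two answers, added here as an example and not written by either poster: it reads the selected ebtables alternative, switches only when it is not the legacy binary, then repeats the operation Neutron attempted on a scratch chain. The function names, the sample query output and the chain name selftest-drop are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: check the selected ebtables backend
# and switch to the legacy one only when needed.

LEGACY=/usr/sbin/ebtables-legacy   # path taken from the answers above

# Print the selected alternative from `update-alternatives --query ebtables`
# output supplied on stdin.
selected_backend() {
    awk '$1 == "Value:" { print $2; exit }'
}

# Count agent log lines (stdin) carrying the error from the question.
count_policy_errors() {
    grep -c 'Policy DROP not allowed for user defined chains' || true
}

# Constructed sample of --query output on an affected host.
SAMPLE_QUERY='Name: ebtables
Link: /usr/sbin/ebtables
Status: auto
Best: /usr/sbin/ebtables-nft
Value: /usr/sbin/ebtables-nft

Alternative: /usr/sbin/ebtables-legacy
Priority: 10

Alternative: /usr/sbin/ebtables-nft
Priority: 20'

# Run as root with --apply to perform the switch on a real host.
if [ "${1:-}" = "--apply" ]; then
    now=$(update-alternatives --query ebtables | selected_backend)
    if [ "$now" != "$LEGACY" ]; then
        update-alternatives --set ebtables "$LEGACY"
    fi
    # Repeat what Neutron tried (-N with -P DROP) on a scratch chain
    # (hypothetical name), then delete the chain again.
    ebtables -t nat -N selftest-drop -P DROP &&
        ebtables -t nat -X selftest-drop
fi
```

If the self-test at the end succeeds, the neutron agent can create its per-port neutronMAC chains again; feeding the agent log to count_policy_errors shows whether the error is still being logged.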

