Handle attempt to enable br_netfilter in namespace

When the process is using the IptablesFirewall driver and is running in namespaces, there is no /proc/sys/net/bridge in the namespace available and enable of netfilter for bridge fails with stacktrace in logs. This patch handles the exception thrown during a failed attempted to retrieve net.bridge variable names and prints an info message in agent logs instead of printing a stacktrace. Change-Id: I1ff6cedbf933ac54ef4bbf1d44fc8f57f68d57fc Closes-bug: 1658343
2017-01-22 08:20:32 +00:00 · 2017-01-22 08:20:32 +00:00 · 750c491df7
commit 750c491df7
parent 4ae6790d82
1 changed files with 11 additions and 2 deletions
--- a/neutron/agent/linux/iptables_firewall.py
+++ b/neutron/agent/linux/iptables_firewall.py
@ -105,8 +105,17 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
        # enabled by default or not (Ubuntu - yes, Redhat - no, for
        # example).
        LOG.debug("Enabling netfilter for bridges")
-        entries = utils.execute(['sysctl', '-N', 'net.bridge'],
-                                run_as_root=True).splitlines()
+        try:
+            entries = utils.execute(
+                ['sysctl', '-N', 'net.bridge'], run_as_root=True,
+                log_fail_as_error=False).splitlines()
+        except utils.ProcessExecutionError:
+            LOG.info(_LI("Process is probably running in namespace or "
+                         "kernel module br_netfilter is not loaded. "
+                         "Please ensure that netfilter options for bridge "
+                         "are enabled to provide working security groups."))
+            return
+
        for proto in ('ip', 'ip6'):
            knob = 'net.bridge.bridge-nf-call-%stables' % proto
            if 'net.bridge.bridge-nf-call-%stables' % proto not in entries: