networkop / cx

Containerised Cumulus VX

ebtables : The kernel doesn't support the ebtables 'filter' table #13

Open Sispheor opened 4 months ago

Sispheor commented 4 months ago

Hi,

New issue spotted ! 😛

From the container, trying to add an access port with this command:

root@leaf-1:/# nv set interface swp1 bridge domain br_default access 165
root@leaf-1:/# nv config apply

Error:

  STDERR:
[sudo] password for nvue: error: cmd '/sbin/ebtables  -t filter --atomic-file /tmp/.acl.595429/ebtables.save.filter --atomic-save ' failed with the following error:
(The kernel doesn't support the ebtables 'filter' table.)

I'm on top of a Rocky 9 Linux VM. I have installed the package ebtables-legacy. So ebtables is available in the kernel.

I think the problem is that nvue is using a hard-coded path for ebtables: /sbin/ebtables.

root@leaf-1:/# /sbin/ebtables --list 
The kernel doesn't support the ebtables 'filter' table.

But, still from the container, if I use the real path:

root@leaf-1:/# which ebtables
/usr/sbin/ebtables

root@leaf-1:/# /usr/sbin/ebtables -L
Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 0, policy: ACCEPT

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

Sispheor commented 4 months ago

So, a workaround:

# docker build \
# --force-rm=true \
# -t cx_ebtables:5.3.0 \
# -f cx_ebtables.Dockerfile .

FROM networkop/cx:5.3.0

RUN rm /sbin/ebtables
RUN ln -s /usr/sbin/ebtables /sbin/ebtables

I still have a couple of errors when applying:

root@leaf-1:/# nv set interface swp27 bridge domain br_default access 165

root@leaf-1:/# nv config apply
Warning: The following files have been changed since the last save, and they WILL be overwritten.
    - /etc/hosts
    - /etc/hostname
    - /etc/resolv.conf

Are you sure? [y/N] y
Install of '/etc/hosts' failed: [PosixPath('/etc/hosts.part'), PosixPath('/etc/hosts')]
Install of '/etc/hostname' failed: [PosixPath('/etc/hostname.part'), PosixPath('/etc/hostname')]
Install of '/etc/resolv.conf' failed: [PosixPath('/etc/resolv.conf.part'), PosixPath('/etc/resolv.conf')]
Unable to run 'install_acls.sh' script: 

  RAN: sudo -S bash /var/lib/nvue/config/install_acls.sh

  STDOUT:
warning: Detected platform is Cumulus VX
warning: Running in no-hw-sync mode. No rules will be programmed in hw
Reading rule file /etc/cumulus/acl/policy.d/50_nvue.rules ...
Processing rules in file /etc/cumulus/acl/policy.d/50_nvue.rules ...
Reading rule file /etc/cumulus/acl/policy.d/99control_plane_catch_all.rules ...
Processing rules in file /etc/cumulus/acl/policy.d/99control_plane_catch_all.rules ...
Installing acl policy
failed.

  STDERR:
[sudo] password for nvue: error: cmd '/sbin/ebtables  -t filter --atomic-file /tmp/.acl.10878/ebtables.save.filter --atomic-save ' failed with the following error:
(Unknown argument: '/tmp/.acl.10878/ebtables.save.filter'.)
Unable to restart services (ifreload-nvue.service,systemd-hostnamed.service,rsyslog.service):
  Job for ifreload-nvue.service failed because the control process exited with error code.
During restart of ifreload-nvue.service:
  Failed to start ifreload wrapper service (for NVUE compatibility).
  Failed to start ifreload wrapper service (for NVUE compatibility).
  Failed to start ifreload wrapper service (for NVUE compatibility).
  Failed to start ifreload wrapper service (for NVUE compatibility).

But in the end my access port is working and I can ping my host.

Now the weird thing is that from a real Cumulus Linux the path is:

which ebtables
/usr/sbin/ebtables

So I don't understand why nvue tries to call /sbin/ebtables

The Debian version from real Cumulus switch:

cat /etc/debian_version 
10.13

From the container:

root@leaf-1:/# cat /etc/debian_version 
10.12
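
The path comparison done by hand in the comments above, as an added example that is not part of the issue thread or the cx project: it reports whether /sbin/ebtables and /usr/sbin/ebtables are the same file and whether each can list the filter table. The function names and the ROOT prefix are hypothetical, and the sample tree uses constructed stub scripts in place of the real binaries.

```shell
# Added example (not from the issue or the cx project). ROOT and all function
# names are hypothetical; the sample tree below is constructed.

# Canonical path of $1, or "missing" when nothing resolvable is there.
resolve() {
    if [ -e "$1" ]; then readlink -f "$1"; else echo missing; fi
}

# "ok" if the binary can list the filter table (the -L test from the issue).
probe() {
    if [ -x "$1" ] && "$1" -t filter -L >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Usage: ebt_check [ROOT]; an empty ROOT means the running system.
# Prints: <same|different|missing> sbin=<ok|fail> usr=<ok|fail>
ebt_check() {
    root="${1:-}"
    a=$(resolve "$root/sbin/ebtables")
    b=$(resolve "$root/usr/sbin/ebtables")
    if [ "$a" = missing ] || [ "$b" = missing ]; then rel=missing
    elif [ "$a" = "$b" ] || cmp -s "$a" "$b"; then rel=same
    else rel=different
    fi
    echo "$rel sbin=$(probe "$root/sbin/ebtables") usr=$(probe "$root/usr/sbin/ebtables")"
}

# Constructed sample tree: two stub scripts standing in for the two binaries,
# one failing like /sbin/ebtables in the issue, one listing the table.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/sbin" "$t/usr/sbin"
    printf '%s\n' '#!/bin/sh' \
        "echo \"The kernel doesn't support the ebtables 'filter' table.\" >&2" \
        'exit 1' > "$t/sbin/ebtables"
    printf '%s\n' '#!/bin/sh' 'echo "Bridge table: filter"' > "$t/usr/sbin/ebtables"
    chmod +x "$t/sbin/ebtables" "$t/usr/sbin/ebtables"
    echo "$t"
}

# The workaround's symlink, made relative so it stays inside the sample tree.
apply_symlink() {
    rm -f "$1/sbin/ebtables" && ln -s ../usr/sbin/ebtables "$1/sbin/ebtables"
}

tree=$(make_sample_tree)
ebt_check "$tree"            # different sbin=fail usr=ok
apply_symlink "$tree"
ebt_check "$tree"            # same sbin=ok usr=ok
rm -rf "$tree"
```

A passing -L probe only covers listing; the --atomic-file --atomic-save call that nvue makes still failed after the symlink in the second comment, so that invocation needs its own check.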