ebtables : The kernel doesn't support the ebtables 'filter' table
Hi,
New issue spotted ! 😛
From the container, trying to add an access port with this command:
root@leaf-1:/# nv set interface swp1 bridge domain br_default access 165
root@leaf-1:/# nv config apply
Error:
STDERR:
[sudo] password for nvue: error: cmd '/sbin/ebtables -t filter --atomic-file /tmp/.acl.595429/ebtables.save.filter --atomic-save ' failed with the following error:
(The kernel doesn't support the ebtables 'filter' table.)
I'm on top of a Rocky 9 Linux VM.
I have installed the package ebtables-legacy. So ebtables is available in the kernel.
I think the prob is that nvue is using a hard-coded path for ebtables: /sbin/ebtables.
root@leaf-1:/# /sbin/ebtables --list
The kernel doesn't support the ebtables 'filter' table.
But, still from the container, if I use the realpath:
root@leaf-1:/# which ebtables
/usr/sbin/ebtables
root@leaf-1:/# /usr/sbin/ebtables -L
Bridge table: filter
Bridge chain: INPUT, entries: 0, policy: ACCEPT
Bridge chain: FORWARD, entries: 0, policy: ACCEPT
Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
So, a workaround:
# docker build \
# --force-rm=true \
# -t cx_ebtables:5.3.0 \
# -f cx_ebtables.Dockerfile .
FROM networkop/cx:5.3.0
RUN rm /sbin/ebtables
RUN ln -s /usr/sbin/ebtables /sbin/ebtables
I still have a couple of errors when applying:
root@leaf-1:/# nv set interface swp27 bridge domain br_default access 165
root@leaf-1:/# nv config apply
Warning: The following files have been changed since the last save, and they WILL be overwritten.
- /etc/hosts
- /etc/hostname
- /etc/resolv.conf
Are you sure? [y/N] y
Install of '/etc/hosts' failed: [PosixPath('/etc/hosts.part'), PosixPath('/etc/hosts')]
Install of '/etc/hostname' failed: [PosixPath('/etc/hostname.part'), PosixPath('/etc/hostname')]
Install of '/etc/resolv.conf' failed: [PosixPath('/etc/resolv.conf.part'), PosixPath('/etc/resolv.conf')]
Unable to run 'install_acls.sh' script:
RAN: sudo -S bash /var/lib/nvue/config/install_acls.sh
STDOUT:
warning: Detected platform is Cumulus VX
warning: Running in no-hw-sync mode. No rules will be programmed in hw
Reading rule file /etc/cumulus/acl/policy.d/50_nvue.rules ...
Processing rules in file /etc/cumulus/acl/policy.d/50_nvue.rules ...
Reading rule file /etc/cumulus/acl/policy.d/99control_plane_catch_all.rules ...
Processing rules in file /etc/cumulus/acl/policy.d/99control_plane_catch_all.rules ...
Installing acl policy
failed.
STDERR:
[sudo] password for nvue: error: cmd '/sbin/ebtables -t filter --atomic-file /tmp/.acl.10878/ebtables.save.filter --atomic-save ' failed with the following error:
(Unknown argument: '/tmp/.acl.10878/ebtables.save.filter'.)
Unable to restart services (ifreload-nvue.service,systemd-hostnamed.service,rsyslog.service):
Job for ifreload-nvue.service failed because the control process exited with error code.
During restart of ifreload-nvue.service:
Failed to start ifreload wrapper service (for NVUE compatibility).
Failed to start ifreload wrapper service (for NVUE compatibility).
Failed to start ifreload wrapper service (for NVUE compatibility).
Failed to start ifreload wrapper service (for NVUE compatibility).
But in the end my access port is working and I can ping my host.
Now the weird thing is that from a real Cumulus Linux the path is:
which ebtables
/usr/sbin/ebtables
So I don't understand why nvue tries to call /sbin/ebtables
The Debian version from real Cumulus switch:
cat /etc/debian_version
10.13
From the container:
root@leaf-1:/# cat /etc/debian_version
10.12
The hardcoded /sbin/ebtables path is in /usr/cumulus/bin/cl-acltool
So one could do: RUN sed -i 's|/sbin/ebtables|/usr/sbin/ebtables|g' /usr/cumulus/bin/cl-acltool
However, having ebtables working is likely essential to the proper functioning of the container.
One issue is that the ebtables kernel module must be loaded in the host, before starting the CVX container
A second issue is that the tool tries to load non-existing files:
RUN sed -i 's|if rule_cnts\[table\] > 0|if rule_cnts[table] > 0 and os.path.isfile(rule_newfilenames[table])|g' /usr/cumulus/bin/cl-acltool
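
The two conditions raised in this thread (the ebtables kernel modules must be loaded on the host, and /sbin/ebtables and /usr/sbin/ebtables behave differently inside the container) can be checked before starting the container. The script below is an added example, not part of the original posts or of the cx project; the function names are hypothetical, the /proc/modules excerpt is constructed, and `ebtable_filter` as the module behind the 'filter' table is an assumption about the legacy ebtables build.

```shell
#!/bin/sh
# Added example (not from the thread): preflight checks for the ebtables
# failures discussed above. The function names are hypothetical.

# modules_missing FILE MODULE...
# Print every MODULE that is not listed in FILE, which must use the
# /proc/modules format (module name in the first field). Modules compiled
# into the kernel are never listed there, so treat the output as a hint.
modules_missing() {
    modfile=$1; shift
    for m in "$@"; do
        awk -v m="$m" '$1 == m { found = 1 } END { exit !found }' "$modfile" \
            || printf '%s\n' "$m"
    done
}

# same_binary A B
# Succeed only if both paths exist and resolve to the same file, i.e. the
# hard-coded path and the one found via PATH run the same ebtables.
same_binary() {
    [ -e "$1" ] && [ -e "$2" ] &&
        [ "$(readlink -f "$1")" = "$(readlink -f "$2")" ]
}

# classify_error TEXT
# Map the two ebtables error messages quoted in this thread to a short tag.
classify_error() {
    case $1 in
        *"doesn't support the ebtables"*) echo table-unavailable ;;
        *"Unknown argument"*)             echo option-rejected ;;
        *)                                echo unrecognised ;;
    esac
}

# Demo on constructed input: a /proc/modules excerpt without ebtable_filter.
sample=$(mktemp)
printf '%s\n' 'bridge 409600 1 br_netfilter, Live 0x0000000000000000' \
              'ebtables 45056 0 - Live 0x0000000000000000' > "$sample"
echo "missing: $(modules_missing "$sample" ebtables ebtable_filter)"
rm -f "$sample"

# On a real host / container (paths taken from the thread):
#   modules_missing /proc/modules ebtables ebtable_filter
#   same_binary /sbin/ebtables /usr/sbin/ebtables || echo "different binaries"
```

Run `modules_missing` on the host, since the container shares the host kernel, and `same_binary` inside the container image.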