Bug 1034538
| Summary: | Packstack puppet module firewall for Quickstack: newer version needed to support resilient iptables rules | ||
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Gilles Dubreuil <gdubreui> |
| Component: | openstack-packstack | Assignee: | Francesco Vollero <fvollero> |
| Status: | CLOSED ERRATA | QA Contact: | Attila Darazs <adarazs> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 4.0 | CC: | ajeain, aortega, cwolfe, derekh, fvollero, gdubreui, ichavero, mmagr, oblaut, yeylon |
| Target Milestone: | z2 | Keywords: | TestOnly, ZStream |
| Target Release: | 4.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | openstack-packstack-2013.2.1-0.23.dev979.el6ost | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-03-04 19:12:47 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1034532 | ||
|
Description
Gilles Dubreuil
2013-11-26 04:29:44 UTC
Gilles, could you please check whether the system is booting in the right runlevel? As far as I remember it ought to be 3 to get the iptables rules restored. Related bug. Please check it out: https://bugzilla.redhat.com/show_bug.cgi?id=1023955 Alvaro, Unfortunately this isn't the case. The purpose of this BZ is to get upstream firewall module 0.2.0+ version in order to have support for fw rules resiliency. The implementation is different then current one which does it via iptables-save. Hi Gilles, the problem with the new version of puppetlabs-firewall is that the parser is kinda broken for our needs, it's generating broken rules that will make packstack unusable as in: https://github.com/puppetlabs/puppetlabs-firewall/issues/141 Anyway i'm trying to fix it to have it done, but due to the 'queue' that pull requests have in puppetlabs even if I fix in time, i'm skeptic gonna be in time for our release. The lack of resilient firewall rules ended up not having anything to do with this Puppet module (but the iptable's service runlevel are saved/restored). This would impact many different pieces of code in our puppet modules, and thus this change should be considered a high-risk update. At this stage, and due the circumstances, I believe we ought to delay this change until RHOS-5.0. Francesco, how would I go and verify this bug? on which build was it fixed? Waiting on the needinfo. -A. About how to verify: For packstack: 1) Run an All-in-One installation 2) Run iptables-save and store in a file the output 3) Reboot the machine or [5] 4) Execute again the iptables-save and store in a new file, run a diff against the file on [2] to verify if the rules are persistent between reboots and that should be about it. 5) If you really want to be sure, you can execute few instances before rebooting[3], run iptables-save save the output and reboot and check that those rules at [2] have no differences. For Foreman, I have no clues but maybe Gilles could help there. Firewall rules are preserved between reboots after a packstack run. Verified. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2014-0233.html |