Bug 1156183
Summary: | open ceph ports on ceph storage node | |||
---|---|---|---|---|
Product: | Red Hat OpenStack | Reporter: | Crag Wolfe <cwolfe> | |
Component: | openstack-foreman-installer | Assignee: | Crag Wolfe <cwolfe> | |
Status: | CLOSED ERRATA | QA Contact: | nlevinki <nlevinki> | |
Severity: | unspecified | Docs Contact: | ||
Priority: | unspecified | |||
Version: | 5.0 (RHEL 7) | CC: | cwolfe, ddomingo, dnavale, jguiditt, mburns, morazi, rhos-maint, yeylon | |
Target Milestone: | z2 | Keywords: | ZStream | |
Target Release: | Installer | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | openstack-foreman-installer-2.0.31-1.el6ost | Doc Type: | Bug Fix | |
Doc Text: |
Previously, Ceph ports were not open on the Ceph storage nodes. As a result, Ceph monitors could not write to the Ceph storage nodes even though they were monitoring correctly.
With this update, a new Puppet class is added, which opens the monitoring ports correctly, resulting in the monitors being able to write to the storage nodes.
|
Story Points: | --- | |
Clone Of: | ||||
: | 1156184 | Environment: | ||
Last Closed: | 2014-11-04 17:03:57 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 1156184 |
Description
Crag Wolfe
2014-10-23 18:21:33 UTC
Patch posted: https://github.com/redhat-openstack/astapor/pull/395

Merged

From what I see you opened all tcp ports, see iptables. Please specify specific ports for ceph mon. This is a security issue.

```
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 6800:6810 /* 001 ceph osd incoming */
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
```

The patch referenced above only opens the ACCEPT 6800:6810 tcp ports.

The patch included for this bug added just the first rule in the output, which opens 6800:6810. I agree that the open firewall otherwise needs to be fixed, though, so please file a new bz. I think, based on the comment, that this can be verified, though, since the right firewall rule is added.

Agree.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2014-1800.html
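Added example (not part of the original bug report or the astapor patch): a small audit of the `iptables -L` listing quoted in this thread that flags any `ACCEPT all -- anywhere anywhere` rule with no match shown and lists the later rules in the same chain. The function names are hypothetical; because `iptables -L` without `-v` does not print the in/out interface columns, a flagged rule is either a true accept-all or an interface-scoped rule, and the script only tells you which rule to re-check.

```python
import re

# Constructed sample: the `iptables -L` listing quoted in the report above.
LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 6800:6810 /* 001 ceph osd incoming */
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
"""
ANY = {"anywhere", "0.0.0.0/0"}

def parse_rules(listing):
    """Return one dict per rule line, numbered per chain as --line-numbers would."""
    rules, chain, num = [], None, 0
    for line in listing.splitlines():
        header = re.match(r"Chain (\S+) \(", line)
        if header:
            chain, num = header.group(1), 0
            continue
        cols = line.split(None, 5)  # target prot opt source destination [matches]
        if chain is None or len(cols) < 5 or cols[0] == "target":
            continue
        num += 1
        rules.append({"chain": chain, "num": num, "target": cols[0], "prot": cols[1],
                      "src": cols[3], "dst": cols[4],
                      "match": cols[5].strip() if len(cols) > 5 else ""})
    return rules

def unrestricted_accepts(rules):
    """ACCEPT rules for every protocol, any source and destination, no match shown."""
    return [r for r in rules if r["target"] == "ACCEPT" and r["prot"] == "all"
            and r["src"] in ANY and r["dst"] in ANY and not r["match"]]

def rules_after(rules, hit):
    """Later rules in the same chain, which never see traffic the hit accepted."""
    return [r for r in rules if r["chain"] == hit["chain"] and r["num"] > hit["num"]]

if __name__ == "__main__":
    parsed = parse_rules(LISTING)
    for hit in unrestricted_accepts(parsed):
        later = [f'{r["num"]}:{r["target"]}' for r in rules_after(parsed, hit)]
        print(f'{hit["chain"]} rule {hit["num"]}: ACCEPT all, no match shown; later rules {later}')
        print("  interface columns are hidden without -v; confirm with: iptables -L -v -n")
```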