Bug 1156183

Summary: open ceph ports on ceph storage node
Product: Red Hat OpenStack
Reporter: Crag Wolfe <cwolfe>
Component: openstack-foreman-installer
Assignee: Crag Wolfe <cwolfe>
Status: CLOSED ERRATA
QA Contact: nlevinki <nlevinki>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 5.0 (RHEL 7)
CC: cwolfe, ddomingo, dnavale, jguiditt, mburns, morazi, rhos-maint, yeylon
Target Milestone: z2
Keywords: ZStream
Target Release: Installer
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openstack-foreman-installer-2.0.31-1.el6ost
Doc Type: Bug Fix
Doc Text:
Previously, Ceph ports were not open on the Ceph storage nodes. As a result, Ceph monitors could not write to the Ceph storage nodes even though they were monitoring correctly. With this update, a new puppet class is added that opens the monitoring ports correctly, so the monitors are able to write to the storage nodes.
Story Points: ---
Clone Of:
: 1156184
Environment:
Last Closed: 2014-11-04 17:03:57 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On:
Bug Blocks: 1156184

Description Crag Wolfe 2014-10-23 18:21:33 UTC
Description of problem:

The ceph storage node only includes puppet classes quickstack::ceph::config and quickstack::openstack_common -- osd-related ports are closed.  Therefore, though the ceph-mons may be active and correctly configured on the HA controller, they are unable to write data to the ceph storage node(s).

Comment 2 Crag Wolfe 2014-10-23 18:43:36 UTC
Patch posted: https://github.com/redhat-openstack/astapor/pull/395

Comment 4 Jason Guiditta 2014-10-23 20:45:10 UTC

Comment 9 nlevinki 2014-10-29 12:56:53 UTC
From what I see, you opened all tcp ports; see iptables.
Please specify specific ports for ceph mon.
This is a security issue.

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 6800:6810 /* 001 ceph osd incoming */
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
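As an added example (not code from this bug, from the astapor patch, or from the installer), the following Python audit runs over the INPUT chain listing pasted in comment 9 and checks the two points the description and comment 9 raise: whether the 6800:6810 Ceph OSD range is explicitly accepted, and whether a blanket ACCEPT rule (every protocol, any source, no state or port match) leaves the chain wide open and makes every rule after it, including the final REJECT, unreachable. The sample listing is copied from the comment; the service-name fallback table is constructed for offline use.

```python
"""Audit an `iptables -L` INPUT chain for an explicit Ceph OSD rule and blanket ACCEPTs."""
import re
import socket
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Port range the bug's patch opens (the "001 ceph osd incoming" rule).
CEPH_OSD_PORTS = (6800, 6810)

# Sample input: the INPUT chain from comment 9 (iptables -L without -n).
SAMPLE_INPUT_CHAIN = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 6800:6810 /* 001 ceph osd incoming */
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
"""

# Constructed fallback for service names when /etc/services is not available.
FALLBACK_SERVICES = {"ssh": 22}


@dataclass
class Rule:
    target: str
    proto: str
    source: str
    destination: str
    extra: str  # everything after the destination column: match modules, comments


def parse_chain(listing: str) -> List[Rule]:
    """Parse the rule lines of one chain from `iptables -L` output (no -v)."""
    rules = []
    for line in listing.splitlines():
        if not line.strip() or line.startswith(("Chain ", "target ")):
            continue
        parts = line.split(None, 5)
        if len(parts) < 5:
            raise ValueError("unrecognised rule line: %r" % line)
        target, proto, _opt, src, dst = parts[:5]
        extra = parts[5].strip() if len(parts) > 5 else ""
        rules.append(Rule(target, proto, src, dst, extra))
    return rules


def _port_number(token: str) -> int:
    """Numeric port for a token such as '6800' or 'ssh'."""
    if token.isdigit():
        return int(token)
    try:
        return socket.getservbyname(token)
    except OSError:
        return FALLBACK_SERVICES[token]


def rule_port_ranges(rule: Rule) -> Optional[List[Tuple[int, int]]]:
    """Destination port ranges the rule is limited to; None when any port matches."""
    m = re.search(r"\b(?:dports?|dpts?)[ :](\S+)", rule.extra)
    if not m:
        return None
    ranges = []
    for item in m.group(1).split(","):
        lo, _, hi = item.partition(":")
        lo_n = _port_number(lo)
        ranges.append((lo_n, _port_number(hi) if hi else lo_n))
    return ranges


def is_blanket_accept(rule: Rule) -> bool:
    """ACCEPT for every protocol, from anywhere, with no state/port/other match."""
    return (rule.target == "ACCEPT" and rule.proto == "all"
            and rule.source == "anywhere" and rule.extra == "")


def audit_input_chain(listing: str) -> Dict[str, object]:
    """Report whether the OSD range has its own ACCEPT rule and where blanket ACCEPTs sit."""
    rules = parse_chain(listing)
    lo, hi = CEPH_OSD_PORTS
    osd_rule_present = any(
        r.target == "ACCEPT" and r.proto in ("tcp", "all")
        and any(a <= lo and hi <= b for a, b in (rule_port_ranges(r) or []))
        for r in rules)
    blanket = [i for i, r in enumerate(rules) if is_blanket_accept(r)]
    # Everything after the first blanket ACCEPT, including the final REJECT, never matches.
    shadowed = list(range(blanket[0] + 1, len(rules))) if blanket else []
    return {"osd_rule_present": osd_rule_present,
            "blanket_accept": blanket, "shadowed": shadowed}


if __name__ == "__main__":
    report = audit_input_chain(SAMPLE_INPUT_CHAIN)
    print(report)
    for i in report["blanket_accept"]:
        print("rule %d accepts all traffic; rules %s are unreachable"
              % (i, report["shadowed"]))
```

On the listing from comment 9 the report flags rule index 3 as the blanket ACCEPT and rules 4 and 5 (the ssh rule and the closing REJECT) as unreachable, while confirming that the 6800:6810 rule the patch adds is present; removing the blanket rule clears both findings and leaves the OSD rule in place, which matches the split in comment 11 between this bug and the separate one to be filed for the open firewall.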

Comment 10 Mike Orazi 2014-10-29 14:07:22 UTC
The patch referenced above only opens the ACCEPT 6800:6810 tcp ports.

Comment 11 Mike Burns 2014-10-29 22:13:03 UTC
The patch included for this bug added just the first rule in the output which opens 6800:6810

I agree that the open firewall otherwise needs to be fixed, though, so please file a new bz.  

I think, based on the comment, that this can be verified, though, since the right firewall rule is added.

Comment 12 nlevinki 2014-10-30 08:58:12 UTC

Comment 14 errata-xmlrpc 2014-11-04 17:03:57 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.