|Summary:||open ceph ports on ceph storage node|
|Product:||Red Hat OpenStack||Reporter:||Crag Wolfe <cwolfe>|
|Component:||openstack-foreman-installer||Assignee:||Crag Wolfe <cwolfe>|
|Status:||CLOSED ERRATA||QA Contact:||nlevinki <nlevinki>|
|Version:||5.0 (RHEL 7)||CC:||cwolfe, ddomingo, dnavale, jguiditt, mburns, morazi, rhos-maint, yeylon|
|Fixed In Version:||openstack-foreman-installer-2.0.31-1.el6ost||Doc Type:||Bug Fix|
Previously, Ceph ports were not open on the Ceph storage nodes. As a result, Ceph monitors could not write to the Ceph storage nodes even though they were monitoring correctly. With this update, a new puppet class is added, which opens the monitoring ports correctly, so that the monitors are able to write to the storage nodes.
|:||1156184||Environment:|
|Last Closed:||2014-11-04 17:03:57 UTC||Type:||Bug|
Description Crag Wolfe 2014-10-23 18:21:33 UTC
Description of problem: The ceph storage node only includes puppet classes quickstack::ceph::config and quickstack::openstack_common -- osd-related ports are closed. Therefore, though the ceph-mons may be active and correctly configured on the HA controller, they are unable to write data to the ceph storage node(s).
Comment 2 Crag Wolfe 2014-10-23 18:43:36 UTC
Patch posted: https://github.com/redhat-openstack/astapor/pull/395
Comment 4 Jason Guiditta 2014-10-23 20:45:10 UTC
Comment 9 nlevinki 2014-10-29 12:56:53 UTC
From what I see you opened all tcp ports, see iptables. Please specify specific ports for ceph mon. This is a security issue.

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     tcp  --  anywhere             anywhere             multiport dports 6800:6810 /* 001 ceph osd incoming */
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT     icmp --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
    REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

    Chain OUTPUT (policy ACCEPT)
Comment 10 Mike Orazi 2014-10-29 14:07:22 UTC
The patch referenced above only opens the ACCEPT 6800:6810 tcp ports.
Comment 11 Mike Burns 2014-10-29 22:13:03 UTC
The patch included for this bug added just the first rule in the output, which opens 6800:6810. I agree that the open firewall otherwise needs to be fixed, though, so please file a new bz. I think, based on the comment, that this can be verified, though, since the right firewall rule is added.
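The check discussed in comments 9 to 11, as an added example that is not part of the original bug report or of the astapor patch: a Python parser for an `iptables -L` INPUT chain that lists the TCP ports explicitly accepted and flags any ACCEPT rule displayed with no protocol, address or match restriction. The sample listing is re-typed from comment 9; the function names are illustrative assumptions.

```python
import re

# Sample input: the INPUT chain quoted in comment 9 (re-typed for this example).
LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 6800:6810 /* 001 ceph osd incoming */
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
"""

RULE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")
COMMENT = re.compile(r"/\*.*?\*/")            # rule comments are not match criteria
PORTS = re.compile(r"\b(?:dports |dpts?:)(\S+)")

def parse_chain(listing, chain="INPUT"):
    """Return (index, target, prot, source, dest, matches) tuples for one chain."""
    rules, current = [], None
    for line in listing.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            continue
        if current != chain or not line.strip() or line.startswith("target"):
            continue
        m = RULE.match(line)
        if m:
            target, prot, _opt, src, dst, rest = m.groups()
            matches = COMMENT.sub("", rest).strip()
            rules.append((len(rules) + 1, target, prot, src, dst, matches))
    return rules

def audit(rules):
    """Flag ACCEPT rules shown without any restriction and the later rules they shadow."""
    findings = []
    for idx, target, prot, src, dst, matches in rules:
        if target == "ACCEPT" and prot == "all" and src == dst == "anywhere" and not matches:
            findings.append({"rule": idx, "shadows": [r[0] for r in rules if r[0] > idx]})
    return findings

def tcp_ports(rules):
    """Destination ports (or ranges) that ACCEPT rules open explicitly for TCP."""
    return [m.group(1) for r in rules if r[1] == "ACCEPT" and r[2] == "tcp"
            for m in PORTS.finditer(r[5])]

if __name__ == "__main__":
    parsed = parse_chain(LISTING)
    print("explicit tcp ports:", tcp_ports(parsed))
    print("unrestricted ACCEPT rules:", audit(parsed))
```

The plain `iptables -L` listing does not print interface columns, so confirm a flagged rule with `iptables -L -n -v` or `iptables -S` before treating it as open to all traffic.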
Comment 12 nlevinki 2014-10-30 08:58:12 UTC
Comment 14 errata-xmlrpc 2014-11-04 17:03:57 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2014-1800.html