Bug 1274196

Summary: RFE: configure iptables rules on overcloud hosts
Product: Red Hat OpenStack Reporter: Ofer Blaut <oblaut>
Component: openstack-tripleo-heat-templatesAssignee: Ben Nemec <bnemec>
Status: CLOSED ERRATA QA Contact: Ofer Blaut <oblaut>
Severity: high Docs Contact:
Priority: high    
Version: 7.0 (Kilo)CC: achernet, augol, dnavale, dsneddon, emacchi, jcoufal, jjoyce, jslagle, kbasil, mburns, oblaut, ohochman, rhel-osp-director-maint
Target Milestone: rcKeywords: FutureFeature, Reopened, Triaged
Target Release: 10.0 (Newton)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openstack-tripleo-heat-templates-5.0.0-1.1.el7ost Doc Type: Enhancement
Doc Text:
With this update, the iptables firewall on the overcloud controller nodes are enabled to ensure better security. As a result, the necessary ports are opened so that overcloud services will continue to function as before.
 Story Points: ---
Clone Of:
: 1305123 (view as bug list) Environment:
Last Closed: 2016-12-14 15:16:44 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1305123, 1350510    

Description Ofer Blaut 2015-10-22 08:51:18 UTC 
Description of problem:

We should configure iptables rules on ospd overcloud hosts .

upstream patch - https://review.openstack.org/#/c/191195/

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.run sudo iptables  -S  on  controllers/computes/ceph 
2.
3.

Actual results:


Expected results:


Additional info:
Comment 2 Mike Burns 2015-11-23 12:48:53 UTC 
*** Bug 1284080 has been marked as a duplicate of this bug. ***
Comment 3 Dan Sneddon 2016-02-04 15:59:32 UTC 
(In reply to Ofer Blaut from comment #0)
> Description of problem:
> 
> We should configure iptables rules on ospd overcloud hosts .

Perhaps we should use iptables rules on OSPD overcloud hosts, but the stated reason for using iptables here is based on a faulty assumption.

The problem is that the system is accepting route advertisements from the router, and adding a route, even if there is no IP on the interface.

In order to turn this behavior on/off, you can edit /proc/sys/net/ipv6/conf/default/accept_ra to be "0" instead of "1".

You can also turn it on/off on a per-interface basis, e.g.:
echo "1" > /proc/sys/net/ipv6/conf/eth0/accept_ra
Comment 4 Keith Basil 2016-02-05 16:22:55 UTC 
I would accept Dan Sneddon's suggestion as the fix here.  This doesn't seem like we need to take on iptables config work.   And, if we did, the specifications around what we need to solve are not presented here.

I would suggest we open a new BZ to solve for the route advertisement problem specifically.
Comment 8 Mike Burns 2016-04-07 20:54:03 UTC 
This bug did not make the OSP 8.0 release.  It is being deferred to OSP 10.
Comment 10 Emilien Macchi 2016-06-16 19:49:51 UTC 
Ofer, yes, we're still working on it. I did initial work last year and now Ben is working on enabling the feature by default. I updated the list of patches that we need to make this feature really working.
Comment 13 Jaromir Coufal 2016-10-27 08:39:10 UTC 
Ack.
Comment 14 James Slagle 2016-10-27 10:01:05 UTC 
note the fix for the overcloud is in tripleo-heat-templates, not instack-undercloud
Comment 19 errata-xmlrpc 2016-12-14 15:16:44 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2948.html
Comment 20 Amit Ugol 2018-05-02 10:36:21 UTC 
closed, no need for needinfo anymore.