Bug 1391860

Summary: Redis replication is broken due to missing firewall rule on controller nodes
Product: Red Hat OpenStack
Reporter: Marius Cornea <mcornea>
Component: openstack-tripleo-heat-templates
Assignee: Angus Thomas <athomas>
Status: CLOSED ERRATA
QA Contact: Omri Hochman <ohochman>
Severity: urgent
Priority: unspecified
Version: 10.0 (Newton)
CC: dbecker, dprince, emacchi, fbaudin, jschluet, jslagle, mburns, mkrcmari, morazi, pkilambi, rhel-osp-director-maint, sclewis
Target Milestone: rc
Keywords: Triaged
Target Release: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openstack-tripleo-heat-templates-5.0.0-1.4.el7ost
Last Closed: 2016-12-14 16:29:31 UTC
Type: Bug
Bug Blocks: 1387290

Description Marius Cornea 2016-11-04 09:23:31 UTC
Description of problem:
Redis replication is broken due to missing firewall rule on controller nodes.

/var/log/redis/redis.log:
10987:S 04 Nov 09:20:17.778 * Connecting to MASTER overcloud-controller-0:6379
10987:S 04 Nov 09:20:17.778 * MASTER <-> SLAVE sync started
10987:S 04 Nov 09:20:17.778 # Error condition on socket for SYNC: No route to host

Workaround:
iptables -I INPUT -p tcp -m multiport --dports 6379 -m comment --comment "redis" -m state --state NEW -j ACCEPT

on controller nodes

Replication succeeds after running this.

Version-Release number of selected component (if applicable):
openstack-tripleo-heat-templates-5.0.0-1.2.el7ost.noarch

How reproducible:
100%

Comment 1 Pradeep Kilambi 2016-11-04 12:30:24 UTC
Hmm, we already have the firewall rule in the service templates:

https://github.com/openstack/tripleo-heat-templates/blob/master/puppet/services/database/redis.yaml#L38-L42

Are you sure you have the right code?

Comment 2 Dan Prince 2016-11-04 12:39:56 UTC
I think this might have been fixed by upstream http://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=3fa2ab420c2ba354fd709857e1ceaacf36a0f1b5

Perhaps we simply need to backport this fix to Newton?

Comment 3 Pradeep Kilambi 2016-11-04 12:52:59 UTC
Backport proposed already -> https://review.openstack.org/#/c/393318/

Moving to on_dev

Comment 6 Marian Krcmarik 2016-11-09 13:46:34 UTC
Verified
$ sudo iptables -L -n | grep 6379
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 6379,26379 /* 108 redis */ state NEW
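
A repeatable form of the check in Comment 6, added here as an example (not part of the bug report or of the TripleO templates). The function names and the BROKEN listing are constructed for illustration; the FIXED line is the rule quoted in Comment 6.

```shell
#!/bin/sh
# Added example (not from the bug report): check `iptables -L -n` output
# for ACCEPT rules covering the ports in the verified rule (6379, 26379).

# port_allowed PORT: reads `iptables -L -n` lines on stdin; succeeds if an
# ACCEPT tcp rule covers PORT via dpt:N, dpts:A:B or multiport dports N,M,A:B.
port_allowed() {
    awk -v want="$1" '
    function covers(spec,    n, parts, i, r) {
        n = split(spec, parts, ",")
        for (i = 1; i <= n; i++) {
            if (split(parts[i], r, ":") == 2) {
                if (want + 0 >= r[1] + 0 && want + 0 <= r[2] + 0) return 1
            } else if (parts[i] + 0 == want + 0) return 1
        }
        return 0
    }
    $1 == "ACCEPT" && $2 == "tcp" {
        for (f = 3; f <= NF; f++) {
            if ($f == "dports" && covers($(f + 1))) found = 1
            else if ($f ~ /^dpts?:/) {
                spec = $f; sub(/^dpts?:/, "", spec)
                if (covers(spec)) found = 1
            }
        }
    }
    END { exit (found ? 0 : 1) }'
}

# missing_redis_ports RULES: prints the ports from the verified rule that
# have no ACCEPT rule in RULES (empty output means both are open).
missing_redis_ports() {
    for port in 6379 26379; do
        printf '%s\n' "$1" | port_allowed "$port" || printf '%s ' "$port"
    done
}

# FIXED is the rule line quoted in Comment 6; BROKEN is a constructed
# listing that has an SSH rule but no Redis rule.
FIXED='ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 6379,26379 /* 108 redis */ state NEW'
BROKEN='Chain INPUT (policy ACCEPT)
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited'

echo "fixed listing, missing ports:  $(missing_redis_ports "$FIXED")"
echo "broken listing, missing ports: $(missing_redis_ports "$BROKEN")"
```

On a controller, pass the live listing with `missing_redis_ports "$(sudo iptables -L INPUT -n)"`. The check confirms that an ACCEPT rule exists, not that it is evaluated before an earlier REJECT or DROP in the chain.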

Comment 9 errata-xmlrpc 2016-12-14 16:29:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2948.html