Bug 1393487

Summary: Manila port is not open in firewall when deploying the Manila API service on a different role than controller
Product: Red Hat OpenStack Reporter: Marius Cornea <mcornea>
Component: openstack-tripleo-heat-templatesAssignee: Tom Barron <tbarron>
Status: CLOSED ERRATA QA Contact: Dustin Schoenbrun <dschoenb>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 10.0 (Newton)CC: dbecker, dmacpher, jschluet, mburns, morazi, pgrist, rhel-osp-director-maint, scohen, tbarron
Target Milestone: rcKeywords: Triaged
Target Release: 10.0 (Newton)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openstack-tripleo-heat-templates-5.0.0-1.7.el7ost Doc Type: Bug Fix
Doc Text:
OpenStack Platform director did not update firewall when deploying OpenStack File Share API (manila-api). If you moved the manila-api service off controllers to its own role, the default firewall rules blocked the endpoints. This fix updates the manila-api firewall rules in the overcloud Heat template collection. You can now reach the endpoints even when manila-api is on a role separate from the controller nodes.
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-12-14 16:31:17 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Marius Cornea 2016-11-09 16:28:23 UTC
Description of problem:
Manila port is not open in firewall when deploying the service on a different role than controller:

Deploy command and environment files:
http://paste.openstack.org/show/588586/

Version-Release number of selected component (if applicable):
openstack-tripleo-heat-templates-5.0.0-1.4.el7ost.noarch

How reproducible:
100%

Steps to Reproduce:
1. Deploy overcloud with Manila on a different role than controller
2. Check iptables rules on role running Manila API

Actual results:
iptables -nL | grep 8786
There is no accept rule so access to Manila API from haproxy is blocked.

Expected results:
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8786 /* 100 manila_haproxy */ state NEW

Additional info:
Workaround:
iptables -I INPUT -p tcp -m multiport --dports 8786 -m comment --comment "100 manila_haproxy" -m state --state NEW -j ACCEPT

Comment 3 Dustin Schoenbrun 2016-11-23 21:08:18 UTC
I tested this against the 2016-11-19.4 puddle and was able to modify the /usr/share/openstack-tripleo-heat-templates/roles_data.yaml file to move the Manila API service from the default location of the controller nodes to the compute nodes and then deploy my overcloud as such. At the end of the deployment I was able to call the Manila API successfully, verify that the correct iptables rules were set on the compute node, and that the service was started successfully on the compute node.

Comment 5 errata-xmlrpc 2016-12-14 16:31:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2948.html