Bug 1577364
| Field | Value |
|---|---|
| Summary | FFU: ironic-inspector firewall rule is missing on the undercloud after upgrade |
| Product | Red Hat OpenStack |
| Component | openstack-tripleo-heat-templates |
| Version | 13.0 (Queens) |
| Status | CLOSED INSUFFICIENT_DATA |
| Severity | urgent |
| Priority | urgent |
| Reporter | Marius Cornea <mcornea> |
| Assignee | Emilien Macchi <emacchi> |
| QA Contact | Gurenko Alex <agurenko> |
| CC | bfournie, dbecker, hjensas, lbezdick, mburns, morazi, sgolovat |
| Keywords | Triaged |
| Hardware | Unspecified |
| OS | Unspecified |
| Type | Bug |
| Last Closed | 2018-05-24 14:18:24 UTC |

Description
Marius Cornea
2018-05-11 19:30:05 UTC
Workaround: add the rule manually by:

```
sudo iptables -I INPUT -p tcp -m multiport --dports 5050 -m state --state NEW -m comment --comment "137 ironic-inspector ipv4" -j ACCEPT
```

Created attachment 1435110 [details]
undercloud upgrade logs
Attaching undercloud upgrade outputs.
Created attachment 1435125 [details]
/etc/puppet/hieradata/puppet-stack-config.yaml
Attaching /etc/puppet/hieradata/puppet-stack-config.yaml
Created attachment 1435126 [details]
iptables
/etc/sysconfig/iptables
I was not able to reproduce this using upstream bits.
Are we consistently seeing this downstream?

(In reply to Harald Jensås from comment #6)
> I was not able to reproduce this using upstream bits.
> Are we consistently seeing this downstream?

Yes, on an environment upgraded yesterday:

```
[stack@undercloud-0 ~]$ sudo grep 5050 /etc/sysconfig/iptables
[stack@undercloud-0 ~]$ sudo iptables -nL | grep 5050
[stack@undercloud-0 ~]$
```

Marius - next time you upgrade, can you check that rule before and after 11 upgrade, after 12 upgrade etc. so we can see if it's getting dropped prior to 13 upgrade?

(In reply to Bob Fournier from comment #8)
> Marius - next time you upgrade, can you check that rule before and after 11
> upgrade, after 12 upgrade etc. so we can see if it's getting dropped prior to
> 13 upgrade?

After upgrade to OSP12:

```
[root@undercloud-0 stack]# grep 5050 /etc/sysconfig/iptables
-A INPUT -p tcp -m multiport --dports 5050 -m comment --comment "137 ironic-inspector ipv4" -m state --state NEW -j ACCEPT
[root@undercloud-0 stack]# iptables -nL | grep 5050
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 5050 /* 137 ironic-inspector ipv4 */ state NEW
```

After upgrade to OSP13:

```
[root@undercloud-0 stack]# grep 5050 /etc/sysconfig/iptables
[root@undercloud-0 stack]# iptables -nL | grep 5050
[root@undercloud-0 stack]#
```

I have tried to reproduce the issue. However, I see the port on all releases. I also got confirmation from Bob Fournier, who cannot reproduce the bug either. Feel free to open it when the issue appears again.
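
The per-stage check requested in comment #8 can be scripted against saved copies of `/etc/sysconfig/iptables`. The following is an added example, not part of the bug report or of TripleO; it goes beyond a plain `grep 5050` by also matching the port inside multiport lists and ranges. The function names, the snapshot text around the page's rule and the ssh rule are constructed for illustration.

```python
import shlex

def accepted_tcp_ports(rules_text, chain="INPUT"):
    """Return (low, high) TCP destination-port ranges ACCEPTed on `chain`.
    Input is iptables-save text. Negated ("!") rules and rules without a
    destination port are ignored (simplifying assumption of this example)."""
    ranges = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line.startswith("-A "):
            continue  # table headers, chain policies, COMMIT, comments
        tok = shlex.split(line)  # keeps the quoted --comment as one token
        if tok[1:2] != [chain] or "!" in tok:
            continue
        nxt = dict(zip(tok, tok[1:]))  # option -> the token that follows it
        if nxt.get("-p") != "tcp" or nxt.get("-j") != "ACCEPT":
            continue
        spec = nxt.get("--dports") or nxt.get("--dport")
        for part in (spec.split(",") if spec else []):
            lo, _, hi = part.partition(":")  # "5000:5100" is a range
            ranges.append((int(lo), int(hi or lo)))
    return ranges

def port_open(rules_text, port, chain="INPUT"):
    return any(lo <= port <= hi for lo, hi in accepted_tcp_ports(rules_text, chain))

def first_stage_missing(snapshots, port):
    """snapshots: ordered (stage, iptables-save text) pairs. Return the first
    stage where the port was accepted before and is no longer, else None."""
    was_open = False
    for stage, text in snapshots:
        now = port_open(text, port)
        if was_open and not now:
            return stage
        was_open = now
    return None

# Constructed snapshots: the 5050 rule is the one quoted in the bug, the
# surrounding lines and the ssh rule are made up for the example.
OSP12 = '''*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m multiport --dports 22 -m comment --comment "constructed ssh rule" -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5050 -m comment --comment "137 ironic-inspector ipv4" -m state --state NEW -j ACCEPT
COMMIT
'''
OSP13 = "\n".join(l for l in OSP12.splitlines() if "5050" not in l)

if __name__ == "__main__":
    print(first_stage_missing([("OSP12", OSP12), ("OSP13", OSP13)], 5050))
```
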