Bug 1701066

Summary: ip6tables service is not included in the puppet-firewall managed services
Product: Red Hat OpenStack
Reporter: Andrew Mercer <amercer>
Component: puppet-firewall
Assignee: RHOS Maint <rhos-maint>
Status: CLOSED ERRATA
QA Contact: nlevinki <nlevinki>
Severity: medium
Docs Contact:
Priority: medium
Version: 10.0 (Newton)
CC: dbecker, dprince, emacchi, jjoyce, jschluet, mburns, morazi, slinaber, tvignaud
Target Milestone: ---
Keywords: Triaged, ZStream
Target Release: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: puppet-firewall-1.8.1-5.e70157egit.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-07-10 08:59:03 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Andrew Mercer 2019-04-17 22:53:07 UTC
Description of problem:

When the customer runs a stack update, there are new rules added to the iptables persistent and running configuration. When the node is rebooted, only the policies remain as the ip6tables service is not enabled and thus does not add the iptables rules at boot time.


Version-Release number of selected component (if applicable):

Red Hat OpenStack 10


How reproducible:

Always


Steps to Reproduce:
1. Issue a start/restart of ip6tables service, list the rules
2. Reboot, list the rules
3. Observe that the rules are not present

Actual results:


Expected results:


Additional info:

It looks like this is fixed in Red Hat OpenStack 10 and may just need to be backported. Here are the relevant commits:

https://bitbucket.intdigital.ee.co.uk/projects/PUPPET/repos/puppetlabs-firewall/commits/8b30e7fe05d0cb378f6cd33ee33ec3723745d2e3
https://bitbucket.intdigital.ee.co.uk/projects/PUPPET/repos/puppetlabs-firewall/commits/4178aefc333f6da806edbc89c6c3a0da658684b9
https://bitbucket.intdigital.ee.co.uk/projects/PUPPET/repos/puppetlabs-firewall/commits/ae40c5be9d2fe18b1867e940b33f2e006fe5e9ae

and here is a snippet of some working code that includes ipv6:

/usr/share/openstack-puppet/modules/firewall/manifests/params.pp

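# Manifest containing module parameters
class firewall::params {
  $package_ensure = 'present'
  case $::osfamily {
    'RedHat': {
      # Service names for the IPv4 and IPv6 rule sets
      $service_name = 'iptables'
      $service_name_v6 = 'ip6tables'
      # ... (snippet ends here; remainder of params.pp not shown)
    }
  }
}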
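
The failure mode in this report, as an added example that is not part of the original bug report or the puppet-firewall module: a shell check that compares the ip6tables service state with the saved and running rule sets. The `count_rules` and `verdict` helpers, the status words and the sample rule sets are constructed for illustration; the saved-rules path /etc/sysconfig/ip6tables is assumed from the RHEL iptables-services layout.

```shell
#!/bin/sh
# Added example: will the IPv6 rules survive a reboot? Inputs are passed in
# so the logic runs offline; on a live node they would come from
#   systemctl is-enabled ip6tables   (state)
#   /etc/sysconfig/ip6tables         (saved rules; assumed RHEL path)
#   ip6tables-save                   (running rules)

# Count rule lines ("-A ...") in iptables-save format read from stdin.
count_rules() { grep -c '^-A ' || true; }

# verdict STATE SAVED_FILE RUNNING_FILE -> prints one status word
verdict() {
    state=$1
    saved=$(count_rules < "$2")
    running=$(count_rules < "$3")
    if [ "$state" != enabled ] && [ "$running" -gt 0 ]; then
        echo AT_RISK   # rules are live now, but nothing reloads them at boot
    elif [ "$state" != enabled ] && [ "$saved" -gt 0 ]; then
        echo LOST      # saved rules exist but are not loaded (post-reboot state)
    elif [ "$saved" -ne "$running" ]; then
        echo DRIFT     # service enabled, but saved and running rule counts differ
    else
        echo OK
    fi
}

# Constructed sample data (not taken from the report).
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/with_rules" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT
EOF
cat > "$SAMPLES/policies_only" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF

echo "after stack update: $(verdict disabled "$SAMPLES/with_rules" "$SAMPLES/with_rules")"
echo "after reboot:       $(verdict disabled "$SAMPLES/with_rules" "$SAMPLES/policies_only")"
echo "service enabled:    $(verdict enabled "$SAMPLES/with_rules" "$SAMPLES/with_rules")"
```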

Comment 1 Cédric Jeanneret 2019-04-18 06:14:46 UTC
Hello Andrew,

I've started cherry-picking the changes you pointed to - they indeed seem to be the ones that allow getting the ip6tables service up'n'running.

Cheers,

C.

Comment 14 errata-xmlrpc 2019-07-10 08:59:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:1716

Comment 15 Red Hat Bugzilla 2023-09-14 05:27:11 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days