Bug 1767392

Summary: Support comma-delimited subnets in firewall
Product: [Red Hat Storage] Red Hat Ceph Storage
Reporter: Giulio Fidente <gfidente>
Component: Ceph-Ansible
Assignee: Dimitri Savineau <dsavinea>
Status: CLOSED ERRATA
QA Contact: Vasishta <vashastr>
Severity: high
Priority: high
Version: 3.3
CC: aschoen, atonner, ceph-eng-bugs, cjeanner, dsavinea, gmeno, kbader, kdreyer, mmurthy, nthomas, pasik, sunnagar, tserlin, ykaul
Target Milestone: z4
Keywords: TestOnly
Target Release: 3.3
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: RHEL: ceph-ansible-3.2.38-1.el7cp Ubuntu: ceph-ansible_3.2.38-2redhat1
Last Closed: 2020-04-06 08:27:05 UTC
Type: Bug
Bug Blocks: 1578730    
Attachments:
Description Flags
ceph-ansible.tar.xz none

Description Giulio Fidente 2019-10-31 11:14:54 UTC
Description of problem:
Firewall setup fails when public_network or cluster_network are comma delimited lists

Version-Release number of selected component (if applicable):
ceph-ansible-3.2.33-1.el7cp.noarch

2019-10-30 14:10:21,966 p=28662 u=mistral |  Using module file /usr/lib/python2.7/site-packages/ansible/modules/system/firewalld.py
2019-10-30 14:10:22,019 p=28662 u=mistral |  The full traceback is:
  File "/tmp/ansible_NDOOV4/ansible_modlib.zip/ansible/module_utils/firewalld.py", line 103, in action_handler
    return action_func(*action_func_args)
  File "/tmp/ansible_NDOOV4/ansible_module_firewalld.py", line 464, in set_enabled_permanent
    self.update_fw_settings(fw_zone, fw_settings)
  File "/tmp/ansible_NDOOV4/ansible_modlib.zip/ansible/module_utils/firewalld.py", line 134, in update_fw_settings
    fw_zone.update(fw_settings)
  File "<string>", line 2, in update
  File "/usr/lib/python2.7/site-packages/slip/dbus/polkit.py", line 103, in _enable_proxy
    return func(*p, **k)
  File "<string>", line 2, in update
  File "/usr/lib/python2.7/site-packages/firewall/client.py", line 53, in handle_exceptions
    return func(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/firewall/client.py", line 441, in update
    self.fw_zone.update(tuple(settings.settings))
  File "/usr/lib/python2.7/site-packages/slip/dbus/proxies.py", line 50, in __call__
    return dbus.proxies._ProxyMethod.__call__(self, *args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/dbus/proxies.py", line 145, in __call__
    **keywords)
  File "/usr/lib64/python2.7/site-packages/dbus/connection.py", line 651, in call_blocking
    message, timeout)

2019-10-30 14:10:22,019 p=28662 u=mistral |  Escalation succeeded
2019-10-30 14:10:22,020 p=28662 u=mistral |  failed: [overcloud-controller-2] (item={u'service': u'ceph-mon', u'zone': u'public'}) => {
    "changed": false, 
    "invocation": {
        "module_args": {
            "immediate": true, 
            "interface": null, 
            "masquerade": null, 
            "offline": null, 
            "permanent": true, 
            "port": null, 
            "rich_rule": null, 
            "service": "ceph-mon", 
            "source": "172.120.3.0/24,172.117.3.0/24,172.118.3.0/24,172.119.3.0/24", 
            "state": "enabled", 
            "timeout": 0, 
            "zone": "public"
        }
    }, 
    "item": {
        "service": "ceph-mon", 
        "zone": "public"
    }, 
    "msg": "ERROR: Exception caught: org.fedoraproject.FirewallD1.Exception: INVALID_ADDR: 172.120.3.0/24,172.117.3.0/24,172.118.3.0/24,172.119.3.0/24 Permanent and Non-Permanent(immediate) operation"
}
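
Why firewalld rejects the value in the log above, and what per-subnet handling looks like, as an added example that is not part of this bug report or of ceph-ansible. The helper names are hypothetical; the argument keys mirror the module_args shown in the failed task.

```python
import ipaddress

# Constructed sample: the "source" value from the failed task in the report.
REPORTED_SOURCE = "172.120.3.0/24,172.117.3.0/24,172.118.3.0/24,172.119.3.0/24"


def is_single_valid_source(value):
    """True only if the whole value parses as exactly one network."""
    try:
        ipaddress.ip_network(value, strict=True)
        return True
    except ValueError:
        return False


def split_subnets(value):
    """Split a comma-delimited network setting into validated CIDR strings."""
    subnets = []
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue  # tolerate trailing commas or doubled separators
        # strict=True rejects entries with host bits set (e.g. 172.120.3.5/24),
        # so a typo cannot silently widen or shift the allowed source range.
        net = str(ipaddress.ip_network(part, strict=True))
        if net not in subnets:
            subnets.append(net)
    if not subnets:
        raise ValueError("no subnet found in %r" % value)
    return subnets


def firewall_tasks(service, zone, network_setting):
    """Build one firewalld argument set per subnet (hypothetical helper)."""
    return [
        {"service": service, "zone": zone, "source": subnet,
         "permanent": True, "immediate": True, "state": "enabled"}
        for subnet in split_subnets(network_setting)
    ]


if __name__ == "__main__":
    # The undivided string is not an address, hence INVALID_ADDR.
    print(is_single_valid_source(REPORTED_SOURCE))
    for task in firewall_tasks("ceph-mon", "public", REPORTED_SOURCE):
        print(task)
```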

Comment 1 RHEL Program Management 2019-10-31 11:15:01 UTC
Please specify the severity of this bug. Severity is defined here:
https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity.

Comment 2 Giulio Fidente 2019-10-31 11:16:11 UTC
I think we need to backport [1] in stable-3

1. https://github.com/ceph/ceph-ansible/commit/d94229204d84fc27c5997d273dff577af0ab1684

Comment 4 Giulio Fidente 2019-10-31 11:25:22 UTC
Created attachment 1631002 [details]
ceph-ansible.tar.xz

ceph-ansible logs, inventory and group_vars

Comment 6 Dimitri Savineau 2019-11-05 16:16:36 UTC
*** Bug 1764860 has been marked as a duplicate of this bug. ***

Comment 12 errata-xmlrpc 2020-04-06 08:27:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1320