Bug 1777140

Summary: Undercloud has iptables rule to allow traffic for horizon, which is not deployed
Product: Red Hat OpenStack
Reporter: Takashi Kajinami <tkajinam>
Component: instack-undercloud
Assignee: Takashi Kajinami <tkajinam>
Status: CLOSED ERRATA
QA Contact: Arik Chernetsky <achernet>
Severity: low
Priority: low
Version: 13.0 (Queens)
CC: apetrich, aschultz, mburns, ramishra
Keywords: Triaged, ZStream
Hardware: Unspecified
OS: Unspecified
Fixed In Version: instack-undercloud-8.4.9-4.el7ost
Last Closed: 2020-03-10 11:23:19 UTC
Type: Bug

Description Takashi Kajinami 2019-11-27 02:07:30 UTC
Description of problem:

When we install undercloud by 'openstack undercloud install',
we see that the undercloud node has the following rule in iptables.
~~~
-A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -m comment --comment "126 horizon ipv4" -j ACCEPT
~~~

However, we don't have Horizon deployed/configured in undercloud node,
which means that this iptables rule is useless.
~~~
[stack@undercloud-0 ~]$ rpm -qa | grep horizon
puppet-horizon-12.4.0-1.el7ost.noarch
[stack@undercloud-0 ~]$ 
~~~

How reproducible:
Always

Steps to Reproduce:
1. Install undercloud 
2. See iptables-save to see configured rules

Actual results:
iptables-save has an ACCEPT rule about tcp/80 and tcp/443, which is used for horizon

Expected results:
iptables-save doesn't have an ACCEPT rule about tcp/80 and tcp/443, which is used for horizon


Additional info:

Comment 1 Takashi Kajinami 2019-11-27 02:10:12 UTC
I proposed a possible fix[1] for stable/rocky.

[1] https://review.opendev.org/#/c/696215/

However, I'm not sure whether I'm doing the correct thing
because I don't understand the reason why we have horizon configuration there.
(It seems that we had horizon deployed in undercloud node in old releases?)

It would be nice if I could ask eng to have a look at that.

Comment 4 errata-xmlrpc 2020-03-10 11:23:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0760
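
The condition reported in the description (an INPUT ACCEPT rule for tcp/80 and tcp/443 with no service behind it) can be checked by comparing `iptables-save` output against the listening sockets. This is an added example, not code from the bug report or from instack-undercloud; the SSH rule and the `ss -tln` output are constructed samples, and the function names are hypothetical.

```python
import shlex

# Constructed sample: the horizon rule quoted in the bug report plus an assumed SSH rule.
SAMPLE_RULES = '''*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m multiport --dports 22 -m state --state NEW -m comment --comment "constructed ssh rule" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -m comment --comment "126 horizon ipv4" -j ACCEPT
COMMIT
'''
# Constructed sample of `ss -tln` output: only sshd is listening.
SAMPLE_SS = '''State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*
'''

def expand_ports(spec):
    """Expand an iptables port spec such as '80,443' or '8000:8002'."""
    ports = set()
    for part in spec.split(","):
        low, _, high = part.partition(":")
        ports.update(range(int(low), int(high or low) + 1))
    return ports

def option(tokens, *names):
    """Return the argument following the first of `names` present in the rule."""
    for name in names:
        if name in tokens[:-1]:
            return tokens[tokens.index(name) + 1]
    return None

def listening_ports(ss_text):
    """Collect local TCP ports from `ss -tln` output (the header line is skipped)."""
    rows = (line.split() for line in ss_text.splitlines())
    return {int(r[3].rsplit(":", 1)[1]) for r in rows if r and r[0] == "LISTEN"}

def stale_accept_rules(rules_text, listening):
    """Return (comment, ports) for INPUT ACCEPT rules whose ports have no listener."""
    stale = []
    for line in rules_text.splitlines():
        if not line.startswith("-A INPUT "):
            continue
        tokens = shlex.split(line)  # keeps the quoted --comment as one token
        spec = option(tokens, "--dports", "--dport")
        if option(tokens, "-j") != "ACCEPT" or option(tokens, "-p") != "tcp" or not spec:
            continue
        unused = sorted(expand_ports(spec) - listening)
        if unused:
            stale.append((option(tokens, "--comment"), unused))
    return stale

if __name__ == "__main__":
    for comment, ports in stale_accept_rules(SAMPLE_RULES, listening_ports(SAMPLE_SS)):
        print(f"no listener behind ACCEPT rule {comment!r}: tcp/{ports}")
```

On a real node, pass the output of `iptables-save` and `ss -tln` in place of the samples; negated matches and UDP rules are not handled.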