Bug 2272006

Summary: iptables on the undercloud not starting due to neutron rules
Product: Red Hat OpenStack
Reporter: Luca Miccini <lmiccini>
Component: tripleo-ansible
Assignee: Luca Miccini <lmiccini>
Status: CLOSED ERRATA
QA Contact: Archana Singh <arcsingh>
Severity: high
Priority: medium
Version: 17.1 (Wallaby)
CC: astupnik, jpretori, mariel, mciecier, pgrist, sgolovat
Target Milestone: z3
Keywords: Triaged
Target Release: 17.1
Hardware: x86_64
OS: Linux
Fixed In Version: tripleo-ansible-3.3.1-17.1.20231101230829.el9ost
Doc Type: If docs needed, set a value
Last Closed: 2024-05-22 20:42:56 UTC

Description Luca Miccini 2024-03-28 06:17:08 UTC
This bug was initially created as a copy of Bug #2264884

I am copying this bug because: 

With rhbz#2264884 we addressed the overcloud side; this bz is targeting the undercloud.

Description of problem:

After upgrading from RHOSP 16.2.4 to 17.1.2, iptables does not start automatically on the undercloud after reboot.
The iptables service is not starting due to the presence of neutron rules in the startup config.

Version-Release number of selected component (if applicable):

RHOSP 17.1
tripleo-ansible-3.3.1-17.1.20231101230827.el9ost

Comment 2 Luca Miccini 2024-03-28 06:20:29 UTC
The undercloud /etc/sysconfig/iptables still contains lines like:

-A neutron-openvswi-FORWARD -m physdev --physdev-out tape44bd7aa-b1 --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT
-A neutron-openvswi-FORWARD -m physdev --physdev-in tape44bd7aa-b1 --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT
-A neutron-openvswi-sg-fallback -m comment --comment "Default drop rule for unmatched traffic." -j DROP


in tripleo_firewall we have these tasks:

    - name: Find non-persistent rules
      shell: grep -El 'comment.*(neutron-|ironic-inspector)' /etc/sysconfig/iptables* /etc/sysconfig/ip6tables*
      failed_when: false
      changed_when: false
      register: neutron_rules

    - name: Remove non-persistent line(s)
      lineinfile:
        path: "{{ item }}"
        state: absent
        regexp: '^((?!.*comment)(?=.*(ironic-inspector|neutron-)))'
      when:
        - not ansible_check_mode|bool
        - item.find('v=' ~ '^/') == -1
      loop: "{{ neutron_rules.stdout_lines }}"

Unfortunately these only catch the rules with comments, so we either need to relax the regexes like:

shell: grep -El '*(neutron-|ironic-inspector)' /root/iptables*
regexp: '(?=.*(ironic-inspector|neutron-))' 

or add additional tasks that only remove the aforementioned entries.
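The following is an added example, not code from tripleo-ansible or from the bug's author, showing the relaxed filtering described above as a stand-alone shell script. It drops every line of a saved ruleset that references a neutron- or ironic-inspector chain, with or without an "-m comment" match: the chain declarations (":neutron-..."), the rules inside those chains ("-A neutron-...") and the jump into them from FORWARD ("-j neutron-..."). Removing all three together matters, because a surviving jump to a chain whose declaration was deleted would itself make iptables-restore fail. The sample /etc/sysconfig/iptables content is constructed for the demonstration; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not tripleo-ansible code). Strips leftover neutron-/ironic-inspector
# entries from an iptables-save style file so the ruleset loads again at boot.

strip_nonpersistent_rules() {
    # $1: file in iptables-save format. Prints the cleaned ruleset on stdout.
    # Matches chain declarations, rules in those chains and jumps to them,
    # regardless of whether the line carries a comment.
    grep -Ev '(neutron-|ironic-inspector)' "$1"
}

count_nonpersistent_rules() {
    # $1: file in iptables-save format. Prints how many lines would be removed.
    grep -Ec '(neutron-|ironic-inspector)' "$1" || true
}

check_ruleset() {
    # Optional dry-run parse of the cleaned ruleset before restarting iptables.
    # iptables-restore --test only parses and builds the ruleset without committing
    # it; it still needs the privileges of the iptables tooling. Returns 0 when the
    # tool is not installed so the example stays usable offline.
    if command -v iptables-restore >/dev/null 2>&1; then
        strip_nonpersistent_rules "$1" | iptables-restore --test
    fi
}

# Constructed sample of /etc/sysconfig/iptables: persistent tripleo rules mixed
# with leftover neutron entries, one of them without a comment.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:neutron-openvswi-FORWARD - [0:0]
:neutron-openvswi-sg-fallback - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "000 accept related established rules ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -m state --state NEW -m comment --comment "003 accept ssh from all ipv4" -j ACCEPT
-A FORWARD -j neutron-openvswi-FORWARD
-A neutron-openvswi-FORWARD -m physdev --physdev-out tape44bd7aa-b1 --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT
-A neutron-openvswi-FORWARD -m physdev --physdev-in tape44bd7aa-b1 --physdev-is-bridged -j ACCEPT
-A neutron-openvswi-sg-fallback -m comment --comment "Default drop rule for unmatched traffic." -j DROP
COMMIT
EOF

cleaned_line_count() {
    # Number of lines left after stripping; used to show what survives.
    strip_nonpersistent_rules "$SAMPLE" | wc -l | tr -d ' '
}

echo "removing $(count_nonpersistent_rules "$SAMPLE") neutron/ironic-inspector lines"
strip_nonpersistent_rules "$SAMPLE"
```

On a real host the output would be written to a temporary file, validated with check_ruleset, and only then moved over /etc/sysconfig/iptables before restarting the service; the persistent tripleo rules (the two INPUT accepts and the chain policies in the sample) are left untouched.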

Comment 4 Luca Miccini 2024-03-28 10:44:02 UTC
Workaround:

sudo sed -i '/neutron-openvswi/d' /etc/sysconfig/iptables; sudo systemctl restart iptables

Comment 18 errata-xmlrpc 2024-05-22 20:42:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: openstack-tripleo-heat-templates and tripleo-ansible update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2024:2736