Bug 1034538 - Packstack puppet module firewall for Quickstack: newer version needed to support resilient iptables rules
Status: CLOSED ERRATA
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-packstack (Show other bugs)
Version: 4.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: z2
Target Release: 4.0
Assigned To: Francesco Vollero
QA Contact: Attila Darazs
Keywords: TestOnly, ZStream
Depends On:
Blocks: 1034532
Reported: 2013-11-25 23:29 EST by Gilles Dubreuil
Modified: 2014-03-04 14:12 EST
CC: 10 users

See Also:
Fixed In Version: openstack-packstack-2013.2.1-0.23.dev979.el6ost
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-03-04 14:12:47 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

External Trackers
Tracker                 ID              Priority  Status        Summary                                                      Last Updated
OpenStack gerrit        66668           None      None          None                                                         Never
Red Hat Product Errata  RHSA-2014:0233  normal    SHIPPED_LIVE  Important: openstack-packstack security and bug fix update   2014-03-04 19:10:57 EST

Description Gilles Dubreuil 2013-11-25 23:29:44 EST
The current puppet firewall module (dev847) implementation uses iptables-save to store the rules, which doesn't properly support firewall/iptables resilient rules, especially in regard to OpenStack.

For instance, neutron rules come and go with the creation of objects; it doesn't make sense to have a rule saved when neutron might not need it at the next iptables restart.

Current version: https://github.com/lstanden/puppetlabs-firewall/tree/6106fb5404480ac7c883bddd503e0fc9f2698750

Quickstack needs to implement resilient firewall rules (see related issue: https://bugzilla.redhat.com/show_bug.cgi?id=1034532) which is going to depend on newer puppet firewall modules from upstream: 

https://github.com/puppetlabs/puppetlabs-firewall#upgrading-from-version-020-and-newer
Comment 2 Alvaro Lopez Ortega 2013-11-26 12:44:19 EST
Gilles, could you please check whether the system is booting in the right runlevel? As far as I remember it ought to be 3 to get the iptables rules restored.

Related bug. Please check it out: https://bugzilla.redhat.com/show_bug.cgi?id=1023955
Comment 3 Gilles Dubreuil 2013-11-28 00:54:32 EST
Alvaro,

Unfortunately this isn't the case.

The purpose of this BZ is to get the upstream firewall module 0.2.0+ version in order to have support for fw rules resiliency.
The implementation is different than the current one, which does it via iptables-save.
Comment 4 Francesco Vollero 2013-12-02 10:51:22 EST
Hi Gilles, 

the problem with the new version of puppetlabs-firewall is that the parser is kinda broken for our needs; it's generating broken rules that will make packstack unusable, as in: https://github.com/puppetlabs/puppetlabs-firewall/issues/141

Anyway, I'm trying to fix it to have it done, but due to the 'queue' that pull requests have in puppetlabs, even if I fix it in time, I'm skeptical it's gonna be in time for our release.
Comment 5 Alvaro Lopez Ortega 2013-12-04 12:33:35 EST
The lack of resilient firewall rules ended up not having anything to do with this Puppet module (but with the iptables service runlevel, where rules are saved/restored). This would impact many different pieces of code in our puppet modules, and thus this change should be considered a high-risk update.

At this stage, and due to the circumstances, I believe we ought to delay this change until RHOS-5.0.
Comment 8 Ami Jeain 2014-02-09 04:53:37 EST
Francesco, how would I go and verify this bug?
On which build was it fixed?
Comment 9 Attila Darazs 2014-02-17 05:13:22 EST
Waiting on the needinfo. -A.
Comment 10 Francesco Vollero 2014-02-17 05:52:53 EST
About how to verify: 

For packstack:
1) Run an All-in-One installation
2) Run iptables-save and store the output in a file
3) Reboot the machine or [5]
4) Execute iptables-save again and store the output in a new file, then run a diff against the file from [2] to verify that the rules are persistent between reboots, and that should be about it.
5) If you really want to be sure, you can launch a few instances before rebooting [3], run iptables-save, save the output, reboot, and check that those rules have no differences against [2].

For Foreman, I have no clue, but maybe Gilles could help there.
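The before/after snapshot comparison from the verification steps above, as an added example that is not part of the bug report or of packstack: it assumes two files produced by iptables-save and treats counters and header timestamps as noise, so only a real change in the rule set (such as a rule lost across the reboot) shows up in the diff. The sample dumps and rule comments are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the bug report): compare two iptables-save snapshots
# taken before and after a reboot, ignoring the parts that legitimately change.

# Strip volatile content from an iptables-save dump so only the rule set remains:
#   - "# Generated by ..." / "# Completed on ..." lines carry timestamps
#   - "[pkts:bytes]" counters on chain headers and (with -c) on rules drift
# Rule order is kept on purpose: it is part of the firewall's semantics.
normalize_rules() {
    sed -e '/^# Generated by /d' \
        -e '/^# Completed on /d' \
        -e 's/^\(:[^ ]* [^ ]* \)\[[0-9]*:[0-9]*\]$/\1[0:0]/' \
        -e 's/^\[[0-9]*:[0-9]*\] //' "$1"
}

# rules_persisted BEFORE_FILE AFTER_FILE
# Returns 0 when the normalized rule sets are identical, 1 otherwise, and
# prints the unified diff so the missing or extra rules are visible.
rules_persisted() {
    before=$(mktemp) || return 2
    after=$(mktemp) || { rm -f "$before"; return 2; }
    normalize_rules "$1" > "$before"
    normalize_rules "$2" > "$after"
    diff -u "$before" "$after"
    rc=$?
    rm -f "$before" "$after"
    return "$rc"
}

# Constructed sample dumps standing in for real iptables-save output.
SAMPLE_DIR=$(mktemp -d)
BEFORE="$SAMPLE_DIR/after-install.rules"
AFTER="$SAMPLE_DIR/after-reboot.rules"
DROPPED="$SAMPLE_DIR/after-reboot-missing-rule.rules"
cat > "$BEFORE" <<'EOF'
# Generated by iptables-save v1.4.7 on Mon Feb 17 05:00:00 2014
*filter
:INPUT ACCEPT [1234:567890]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [999:88888]
-A INPUT -p tcp -m multiport --dports 5672 -m comment --comment "001 amqp incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 3306 -m comment --comment "001 mysql incoming" -j ACCEPT
COMMIT
# Completed on Mon Feb 17 05:00:00 2014
EOF
# Same rules after reboot; only counters and timestamps differ (should pass).
sed -e 's/05:00:00/05:30:00/' -e 's/\[1234:567890\]/[12:3456]/' "$BEFORE" > "$AFTER"
# A reboot that lost the mysql rule: the failure the check must catch.
grep -v 'mysql incoming' "$AFTER" > "$DROPPED"
```

Run it as `rules_persisted after-install.rules after-reboot.rules` on real dumps; a non-zero exit with a diff means the rule set did not survive the reboot.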
Comment 11 Attila Darazs 2014-02-20 12:44:50 EST
Firewall rules are preserved between reboots after a packstack run. Verified.
Comment 15 errata-xmlrpc 2014-03-04 14:12:47 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2014-0233.html
