Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1055450

Summary: Packstack fails with iptables provider can not handle attribute dport
Product: Red Hat OpenStack Reporter: Pavel Sedlák <psedlak>
Component: openstack-packstackAssignee: RHOS Maint <rhos-maint>
Status: CLOSED CURRENTRELEASE QA Contact: Daniel Korn <dkorn>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 4.0CC: ajeain, aortega, derekh, jthomas, yeylon
Target Milestone: ---   
Target Release: 5.0 (RHEL 7)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-06-24 20:42:46 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
packstack log
none
neutron puppet file
none
neutron puppet log
none
answer file none

Description Pavel Sedlák 2014-01-20 09:54:06 UTC 
Created attachment 852666 [details]
packstack log

When trying to do upgrade of RHOS 4.0, after yum upgrade,
packstack --answer-file=answerfile_used_for_installation fails with

> INFO - Testing if puppet apply is finished : 172.16.0.14_neutron.pp [ \ ]
> INFO - Testing if puppet apply is finished : 172.16.0.14_neutron.pp [ - ]
> INFO - Testing if puppet apply is finished : 172.16.0.14_neutron.pp [ / ]
> INFO - Testing if puppet apply is finished : 172.16.0.14_neutron.pp [ | ]
> INFO -             [ ERROR ]
> INFO - 
> INFO - ERROR : Error appeared during Puppet run: 172.16.0.14_neutron.pp
> INFO - Error: The iptables provider can not handle attribute dport
> INFO - You will find full trace in log /var/tmp/packstack/20140117-180409-VH2uyH/manifests/172.16.0.14_neutron.pp.log
> INFO - Please check log file /var/tmp/packstack/20140117-180409-VH2uyH/openstack-setup.log for more information
> INFO - 

Upgrade from:
> openstack-packstack-2013.2.1-0.20.dev936.el6ost.noarch
to
> openstack-packstack-2013.2.1-0.22.dev956.el6ost.noarch

Iptables version:
> iptables-1.4.7-11.el6.x86_64

From neutron.pp.log:
> Error: /Firewall[001 neutron incoming 172.16.0.14]/dport: change from 9696 to 9696,67,68 failed: The iptables provider can not handle attribute dport
but the command actually executed is not logged there.
Comment 1 Pavel Sedlák 2014-01-20 09:54:40 UTC 
Created attachment 852667 [details]
neutron puppet file
Comment 2 Pavel Sedlák 2014-01-20 09:55:19 UTC 
Created attachment 852668 [details]
neutron puppet log
Comment 4 Jon Thomas 2014-01-21 15:50:24 UTC 
A workaround that has worked for a couple people is to wipe iptables and rerun packstack.
Comment 5 Pavel Sedlák 2014-01-21 15:52:58 UTC 
Created attachment 853328 [details]
answer file
Comment 6 Martin Magr 2014-01-21 15:53:27 UTC 
This is known bug. Current iptables provider from puppetlabs-firewall provider is not able to change rules when multiple ports are given (change from 9696 to 9696,67,68). Workaround is to delete all packstack-created iptables rules in case you are testing different versions of packstack on the same host.

BTW there's a puppetlabs-firewall update waiting in que, which might fix those issues.
Comment 7 Alvaro Lopez Ortega 2014-06-24 20:42:46 UTC 
Firewall module was already updated. It works okay now.