Bug 1080638

Summary: openshift-enterprise HA template egress rules block cloud-init metadata
Product: Red Hat OpenStack
Reporter: Aaron Weitekamp <aweiteka>
Component: openstack-heat-templates
Assignee: Aaron Weitekamp <aweiteka>
Status: CLOSED ERRATA
QA Contact: Amit Ugol <augol>
Severity: unspecified
Priority: unspecified
Version: 4.0
CC: ajeain, apevec, breeler, lhh, sclewis, sdake
Target Milestone: z4
Keywords: ZStream
Target Release: 4.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Doc Text:
Cause: The egress firewall rules blocked the essential cloud-init metadata from getting to the instance. Consequence: The heat template resources were provisioned, but the cloud-init script was not added from the host to complete configuration. Fix: Egress rules were considered non-essential to securing the environment and were therefore removed from the heat template. Result: This allows the heat template to complete successfully.
Last Closed: 2014-05-29 20:31:49 UTC
Type: Bug

Description Aaron Weitekamp 2014-03-25 20:28:35 UTC
Description of problem:
The openshift-enterprise HA template egress rules block cloud-init metadata

Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1. create stack
2. user_data is never run
/var/log/cloud-init.log reports an error using metadata from http://169.254.169.254

Workaround:
Remove egress security group rules and vpcid

ose_ha_stack.yaml
resources:
  ose_broker_sec_grp:
    type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: broker firewall rules
      #VpcId: { get_param: private_net_id }
      SecurityGroupIngress:
      - {IpProtocol: tcp, FromPort: '22', ToPort: '22', CidrIp: 0.0.0.0/0}
      - {IpProtocol: udp, FromPort: '53', ToPort: '53', CidrIp: 0.0.0.0/0}
      - {IpProtocol: tcp, FromPort: '53', ToPort: '53', CidrIp: 0.0.0.0/0}
      - {IpProtocol: tcp, FromPort: '80', ToPort: '80', CidrIp: 0.0.0.0/0}
      - {IpProtocol: tcp, FromPort: '443', ToPort: '443', CidrIp: 0.0.0.0/0}
      - {IpProtocol: tcp, FromPort: '27017', ToPort: '27017', CidrIp: 0.0.0.0/0}
      - {IpProtocol: tcp, FromPort: '61613', ToPort: '61613', CidrIp: 0.0.0.0/0}
      - {IpProtocol: tcp, FromPort: '61616', ToPort: '61616', CidrIp: 0.0.0.0/0}
      #SecurityGroupEgress:
      #- {IpProtocol: tcp, FromPort: '22', ToPort: '22', CidrIp: 0.0.0.0/0}
      #- {IpProtocol: udp, FromPort: '53', ToPort: '53', CidrIp: 0.0.0.0/0}
      #- {IpProtocol: tcp, FromPort: '53', ToPort: '53', CidrIp: 0.0.0.0/0}
      #- {IpProtocol: tcp, FromPort: '27017', ToPort: '27017', CidrIp: 0.0.0.0/0}
      #- {IpProtocol: tcp, FromPort: '61613', ToPort: '61613', CidrIp: 0.0.0.0/0}
      #- {IpProtocol: tcp, FromPort: '61616', ToPort: '61616', CidrIp: 0.0.0.0/0}

ose_node_stack.yaml
resources:
  ose_node_sec_grp:
    type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Node firewall rules
      #VpcId: { get_param: private_net_id }
      SecurityGroupIngress:
      - {IpProtocol: tcp, FromPort: '22', ToPort: '22', CidrIp: 0.0.0.0/0}
      - {IpProtocol: udp, FromPort: '53', ToPort: '53', CidrIp: 0.0.0.0/0}
      - {IpProtocol: tcp, FromPort: '53', ToPort: '53', CidrIp: 0.0.0.0/0}
      - {IpProtocol: tcp, FromPort: '80', ToPort: '80', CidrIp: 0.0.0.0/0}
      - {IpProtocol: tcp, FromPort: '443', ToPort: '443', CidrIp: 0.0.0.0/0}
      - {IpProtocol: tcp, FromPort: '8000', ToPort: '8000', CidrIp: 0.0.0.0/0}
      - {IpProtocol: tcp, FromPort: '8443', ToPort: '8443', CidrIp: 0.0.0.0/0}
      - {IpProtocol: tcp, FromPort: '2303', ToPort: '2308', CidrIp: 0.0.0.0/0}
      - {IpProtocol: tcp, FromPort: '35531', ToPort: '65535', CidrIp: 0.0.0.0/0}
      - {IpProtocol: tcp, FromPort: '27017', ToPort: '27017', CidrIp: 0.0.0.0/0}
      #SecurityGroupEgress:
      #- {IpProtocol: udp, FromPort: '53', ToPort: '53', CidrIp: 0.0.0.0/0}
      #- {IpProtocol: tcp, FromPort: '53', ToPort: '53', CidrIp: 0.0.0.0/0}
      #- {IpProtocol: tcp, FromPort: '443', ToPort: '443', CidrIp: 0.0.0.0/0}
      #- {IpProtocol: tcp, FromPort: '35531', ToPort: '65535', CidrIp: 0.0.0.0/0}
      #- {IpProtocol: tcp, FromPort: '61613', ToPort: '61613', CidrIp: 0.0.0.0/0}
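
The shipped fix (per the Doc Text) drops the SecurityGroupEgress lists entirely, which restores the default allow-all egress. A narrower alternative is to keep the egress list and add only the flow cloud-init needs. The script below is an added example and is not part of the bug report or the openstack-heat-templates package: it models the broker's egress rules from the description as Python dicts and checks whether they permit the metadata fetch, then shows the same check with a single extra rule for 169.254.169.254/32 on tcp/80. Assumptions: the metadata service answers at the standard 169.254.169.254:80 over TCP; listing any SecurityGroupEgress rule replaces the default allow-all egress while omitting the property keeps it (my understanding of Heat's Neutron-backed AWS::EC2::SecurityGroup, modelled here as rules=None); the resolver address 10.0.0.2 is a constructed placeholder; the rule METADATA_EGRESS_RULE and the helpers rule_permits, egress_permits and missing_flows are mine.

```python
# Added example (not from the bug report or the heat templates): a pre-deploy
# check that a security group's egress rules still let cloud-init reach the
# metadata service. Assumptions: metadata lives at 169.254.169.254:80/tcp, and
# listing any SecurityGroupEgress rule replaces the default allow-all egress,
# while omitting the property keeps it (modelled as rules=None).
import ipaddress

# Constructed sample: the broker egress rules from the report, as Python dicts
# mirroring the template's {IpProtocol, FromPort, ToPort, CidrIp} form.
BROKER_EGRESS_ORIGINAL = [
    {"IpProtocol": "tcp", "FromPort": "22", "ToPort": "22", "CidrIp": "0.0.0.0/0"},
    {"IpProtocol": "udp", "FromPort": "53", "ToPort": "53", "CidrIp": "0.0.0.0/0"},
    {"IpProtocol": "tcp", "FromPort": "53", "ToPort": "53", "CidrIp": "0.0.0.0/0"},
    {"IpProtocol": "tcp", "FromPort": "27017", "ToPort": "27017", "CidrIp": "0.0.0.0/0"},
    {"IpProtocol": "tcp", "FromPort": "61613", "ToPort": "61613", "CidrIp": "0.0.0.0/0"},
    {"IpProtocol": "tcp", "FromPort": "61616", "ToPort": "61616", "CidrIp": "0.0.0.0/0"},
]

# Hypothetical rule (not in the template): the narrower alternative to dropping
# egress filtering is to keep the list above and add only the metadata flow.
METADATA_EGRESS_RULE = {
    "IpProtocol": "tcp", "FromPort": "80", "ToPort": "80",
    "CidrIp": "169.254.169.254/32",
}

# Flows the instance needs during cloud-init, as (name, proto, port, dst).
# The resolver address 10.0.0.2 is a constructed placeholder.
REQUIRED_FLOWS = [
    ("metadata", "tcp", 80, "169.254.169.254"),
    ("dns-udp", "udp", 53, "10.0.0.2"),
    ("dns-tcp", "tcp", 53, "10.0.0.2"),
]


def rule_permits(rule, proto, port, dst_ip):
    """True if one egress rule allows proto/port to dst_ip ("-1" is the AWS
    'all protocols' wildcard)."""
    if rule["IpProtocol"] not in (proto, "-1"):
        return False
    if not int(rule["FromPort"]) <= port <= int(rule["ToPort"]):
        return False
    network = ipaddress.ip_network(rule["CidrIp"], strict=False)
    return ipaddress.ip_address(dst_ip) in network


def egress_permits(rules, proto, port, dst_ip):
    """rules=None models an omitted SecurityGroupEgress (default allow-all)."""
    if rules is None:
        return True
    return any(rule_permits(r, proto, port, dst_ip) for r in rules)


def missing_flows(rules, flows=REQUIRED_FLOWS):
    """Names of the required flows that the egress rules would block."""
    return [name for name, proto, port, dst in flows
            if not egress_permits(rules, proto, port, dst)]


if __name__ == "__main__":
    print("original broker egress blocks:", missing_flows(BROKER_EGRESS_ORIGINAL))
    print("with metadata rule, blocks:",
          missing_flows(BROKER_EGRESS_ORIGINAL + [METADATA_EGRESS_RULE]))
    print("egress property removed, blocks:", missing_flows(None))
```

Run as-is, the original broker list reports the metadata flow as blocked, which matches the symptom in the description (user_data never runs, cloud-init cannot reach http://169.254.169.254); adding the single /32 rule clears it while leaving every other destination filtered. The node group's list has the same gap and can be checked by swapping in its rules.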

Comment 3 Amit Ugol 2014-04-24 05:30:49 UTC
If deleting the issue that causes the problem is a fix here, then this is verified

Comment 6 errata-xmlrpc 2014-05-29 20:31:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2014-0517.html