Bug 1082188 - The firewall module used with Nova (Neutron) will error after instance creation because of openvswitch interface
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: RDO
Classification: Community
Component: openstack-puppet-modules
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: John Eckersberg
QA Contact: Ami Jeain
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-03-29 00:02 UTC by Andrew Lau
Modified: 2015-03-20 20:59 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2015-03-20 20:59:07 UTC
Embargoed:



Description Andrew Lau 2014-03-29 00:02:56 UTC
Description of problem:
Post Nova (Neutron) deploy, the puppet module will execute successfully; however, after an instance is created, on the next puppet run the firewall module will complain because openvswitch has created some new rules:

Puppet Output:

Error: Could not prefetch firewall provider 'iptables': Invalid address from IPAddr.new: FA:16:3E:53:D1:11
Error: /Firewall[001 nova compute incoming]: Could not evaluate: Invalid address from IPAddr.new: FA:16:3E:53:D1:11
Error: /Firewall[001 RPC and gluster daemon incoming UDP]: Could not evaluate: Invalid address from IPAddr.new: FA:16:3E:53:D1:11
Error: /Firewall[001 RPC and gluster daemon incoming]: Could not evaluate: Invalid address from IPAddr.new: FA:16:3E:53:D1:11
Error: /Firewall[002 gluster bricks incoming]: Could not evaluate: Invalid address from IPAddr.new: FA:16:3E:53:D1:11
Error: /Firewall[002 vxlan udp]: Could not evaluate: Invalid address from IPAddr.new: FA:16:3E:53:D1:11

iptables snippet:

Chain neutron-openvswi-s2c31f940-7 (1 references)
num  target     prot opt source               destination         
1    RETURN     all  --  10.0.0.25            0.0.0.0/0           MAC FA:16:3E:53:D1:11 
2    DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain neutron-openvswi-sead94d3e-8 (1 references)
num  target     prot opt source               destination         
1    RETURN     all  --  10.0.0.26            0.0.0.0/0           MAC FA:16:3E:91:A9:77 
2    DROP       all  --  0.0.0.0/0            0.0.0.0/0           



Version-Release number of selected component (if applicable):
icehouse-3

How reproducible:
Always

Steps to Reproduce:
1. Deploy Nova (Neutron)
2. Create a new instance
3. Run puppet agent -tv

Actual results:
firewall provider will error

Expected results:
no error

Additional info:
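The errors above come from a rule parser handing Neutron's `MAC` match to `IPAddr.new`. The following Ruby is an added example, not code from puppetlabs-firewall or from the reporter: it parses the `iptables -L -n --line-numbers` listing shown in this report, passes only the source/destination columns to `IPAddr`, and keeps the MAC match as its own validated field, so a prefetch over Neutron's anti-spoofing chains no longer fails. The sample listing is constructed from the two chains quoted above.

```ruby
require 'ipaddr'
# Constructed sample: the two Neutron chains from the report as printed by
# `iptables -L -n --line-numbers`; the RETURN rules carry Neutron's MAC match.
SAMPLE_LISTING = <<~IPT
  Chain neutron-openvswi-s2c31f940-7 (1 references)
  num  target     prot opt source               destination
  1    RETURN     all  --  10.0.0.25            0.0.0.0/0           MAC FA:16:3E:53:D1:11
  2    DROP       all  --  0.0.0.0/0            0.0.0.0/0
  Chain neutron-openvswi-sead94d3e-8 (1 references)
  num  target     prot opt source               destination
  1    RETURN     all  --  10.0.0.26            0.0.0.0/0           MAC FA:16:3E:91:A9:77
  2    DROP       all  --  0.0.0.0/0            0.0.0.0/0
IPT

Rule = Struct.new(:num, :target, :proto, :source, :destination, :mac_source)
MAC_RE = /\A(?:\h{2}:){5}\h{2}\z/
# Parse one rule line. Only the source/destination columns go to IPAddr; the
# trailing "MAC <addr>" match becomes its own field instead of reaching IPAddr.new.
def parse_rule(line)
  fields = line.split
  return nil unless fields[0] =~ /\A\d+\z/   # skips the "num target ..." header
  num, target, proto, _opt, src, dst = fields[0, 6]
  extra = fields[6..-1] || []
  mac = nil
  if (i = extra.index('MAC'))
    mac = extra[i + 1]
    raise ArgumentError, "malformed MAC match: #{line.strip}" unless mac =~ MAC_RE
  end
  Rule.new(num.to_i, target, proto, IPAddr.new(src), IPAddr.new(dst), mac)
end
# Group rules by chain; a "Chain <name> (...)" line starts a new chain.
def parse_listing(text)
  chains = {}
  current = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty?
    if line.start_with?('Chain ')
      current = line.split[1]
      chains[current] = []
    elsif current && (rule = parse_rule(line))
      chains[current] << rule
    end
  end
  chains
end
# Rules an address-only parser would choke on (here: Neutron's anti-spoofing rules).
def mac_matched_rules(chains)
  chains.values.flatten.select(&:mac_source)
end
```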

Comment 1 Allan St. George 2014-03-31 11:38:25 UTC
This also occurs with OpenStack Havana.

Comment 2 John Eckersberg 2014-04-03 20:16:30 UTC
This is the upstream pull request to fix this problem - https://github.com/puppetlabs/puppetlabs-firewall/pull/337

Still a work in progress, but looks close to being done.  I'll help out upstream however I can to speed it along.

Comment 3 Edouard Bourguignon 2014-04-16 14:27:40 UTC
Same problem on Icehouse.

Comment 4 btaylor 2014-05-29 14:05:08 UTC
Just ran into this also after I updated the masquerade rule to use br-ex instead of eth0.

Comment 5 Nilesh Patil 2014-07-18 10:48:55 UTC
Is it still an open bug? I am seeing this issue on our production openstack instance.

Willing to help in case you need access to the box.

Regards,
Nilesh

Comment 6 John Eckersberg 2014-07-18 12:57:06 UTC
This is still waiting to be merged upstream, at which point the next rebase of the firewall module will pull it into RDO.  Alternatively we can carry the patch ourselves but I'd rather just get it upstreamed.  I have offered virtual cookies in the pull request as incentive to try and move it along.

Comment 7 Lars Kellogg-Stedman 2015-03-20 20:59:07 UTC
https://github.com/puppetlabs/puppetlabs-firewall/pull/337 was merged on July 26, 2014, and the fix is included in the RDO Icehouse (and later) packages.

